All slides and supporting materials will be in English.

The speakers will talk in English or in French.

Wednesday Nov 3, 2015

Security: a new hope? (Keynote)

During this conference, we will see what has changed over the last 15+ years in the hype around "cybersecurity". It is said that who has not failed has actually not tried. But did we really try to fight and provide working solutions to security issues? Did we really address the right problems? We will discuss lemons and cherries, planes and hardware, and try to imagine new ways to deal with security.

Language: French

 Fred Raynal  (QuarksLab)

Fred Raynal

Fred Raynal, PhD, is the founder and CEO of QUARKSLAB. Previously, he worked 3 years at EADS, including working as a core member of EADS IW, then created the SOGETI ESEC R&D (lab) team he managed for 5 years. He is also the founder of the French conference SSTIC and the magazine MISC. He is a regular speaker at many conferences (HITB, CanSecWest, PacSec, …). Besides "founding", he enjoys both technical hacking and information warfare, and finding ways to combine both in order to create different (and hopefully better) ways to do information security.

Bug Bounty programs: the good, the bad and the ugly

At Square, we have several bug bounty programs. In this tech talk, we will go over how we organized them. We will discuss good practices to keep researchers engaged and how to ensure engineers prioritize fixing our products as quickly as possible. We will also present responses which lead to frustration from the bug bounty participants' point of view.

Language: English

 Noelle Murata (Square, Inc.)

Noelle Murata
(Square, Inc.)

Noelle is a member of the security engineering team at Square. Her responsibilities include interfacing with third-party security researchers (bug bounty) and engineers.

Airport IT Security: pentesting a large European international airport

During this talk I will bring to the audience a very recent experience (October 2015) that lasted 3 months, during which my team and I deeply pentested one of Europe's largest international airports.

Language: English

 Raoul Chiesa (Security Brokers)

Raoul Chiesa
(Security Brokers)

Raoul "Nobody" Chiesa was born in Torino, Italy. After being among the first Italian hackers back in the 80's and 90's (1986-1995), Raoul decided to move to professional InfoSec, establishing back in 1997 the very first vendor-neutral Italian security advisory company; he then left it in 2012, establishing "Security Brokers", a visionary joint stock company providing niche, cutting-edge security consulting services and solutions.
Raoul is among the founding members of CLUSIT (Italian Information Security Association, est. 2000) and he is a Board of Directors member at ISECOM, OWASP Italian Chapter, and at the Italian Privacy Observatory (AIP/OPSI); he has been one of the coordinators of the Working Group "Cyber World" at the Center for Defence Higher Studies (CASD) between 2010 and 2013 at the National Security Observatory (OSN) at Italy's MoD. He is a former member of the ENISA Permanent Stakeholders Group (2010-2012 and 2013-2015), an independent "Special Advisor on Cybercrime and Hacker's Profiling" at the UN agency UNICRI, and a Member of the Coordination Group and Scientific Committee of the APWG European chapter, the Anti-Phishing Working Group, acting as a "Cultural Attaché" for Italy. Since July 2015 he's a Board Member at AIIC, the Italian Experts Association on Critical Infrastructures.
Raoul publishes books and white papers in English and Italian as main author or contributor, is a worldwide known and appreciated keynote speaker, and is a regular contact for worldwide media (newspapers, TV and bloggers) when dealing with Information Security issues and IT security incidents.

Social Engineering: The devil is in the details

Information security threats to organisations have changed completely over the last decade, due to the complexity and dynamic nature of infrastructures and attacks. Successful attacks cost society billions a year, impacting vital services and the economy. New attacks cleverly exploit multiple organisational vulnerabilities, involving physical security and human behaviour. Defenders need to make rapid decisions regarding which attacks to block, as both infrastructure and attacker knowledge change rapidly.

The speaker, Ivano Somaini from Compass Security, was a member of the amateur acting group at the Cantonal School of Graubünden at Chur. With his Master in Information Security at ETH Zurich, he found the perfect way to combine those interests: Social Engineering.

You will learn more about the methodologies of a professional Social Engineer as well as the newest attack vectors available. Ivano Somaini will present several attack scenarios he successfully executed in real companies during his four years of Social Engineering experience, all of which go far beyond known approaches such as e-mail phishing. He will explain how even the smallest and seemingly least relevant piece of information revealed is enough to break into financial institutions and steal industrial know-how.

Language: English

 Ivano Somaini (Compass Security Schweiz AG)

Ivano Somaini
(Compass Security Schweiz AG)

Ivano Somaini was already interested in IT Security during his youth and studied the topic further during his IT studies at ETH Zurich with a focus on information security. During his studies he deepened his knowledge in topics such as cryptographic protocols, network security and e-privacy. His master thesis deals with the theoretical aspects of security: Ivano modelled and verified the cryptographic protocol Kerberos. Besides his studies, he worked as a developer for AdNovum Informatik AG and afterwards as an IT supporter for ETH Zurich. Since March 2011 Ivano Somaini has been employed as a Security Analyst at Compass Security. In 2013 he formed Compass Security's branch office in Bern and has been leading it ever since.

What is data from a legal perspective?

Data is not defined by law as something clear or unique. There are indeed different kinds of data subject to totally different rules. Personal data requires a justification to be processed; electronically stored or transmitted data is protected against copying or damage by the criminal code; health data is usually personal data with stringent rules. In addition, sectorial laws restrict the transmission and disclosure of data, or require certain technical and organizational security measures, such as banking law, professional or official secrecy, etc.

With this talk, we want to help people who process data daily to assess the categories of data they are dealing with and the different responsibilities these might trigger.

Language: French

 Sylvain Métille

Sylvain Métille

Sylvain Métille, Ph.D. in Law, is a university lecturer and a Partner at HDC Law firm in Lausanne.
He is a recognized data protection and new technologies lawyer, with more than ten years' experience at the bar. He regularly assists local and multinational companies when it comes to personal data, surveillance, IT or computer crime.

Thursday Nov 5, 2015

Lawful interception - Police work challenges in the digital future

Over the last 10 years, cyberspace has entered everybody's life. The way law enforcement authorities should work in order to carry out their investigations is changing quicker than ever. What are the challenges of police work in our digital future? Are these challenges the ones we would expect?

Language: French

 Julien Cartier (Police Cantonale Vaudoise)

Julien Cartier
(Police Cantonale Vaudoise)

Julien Cartier, Ph.D., is a forensic scientist who graduated from the University of Lausanne, which has the world's oldest academic forensic science school, created in 1909 by Rodolphe Archibald Reiss.

Julien Cartier started working in the criminal police of the Police cantonale vaudoise 15 years ago. As a criminal analyst he worked 5 years in the organised crime unit and for the last 10 years in a dedicated operational support unit that deals with criminal analysis, IT forensics and interception.

When providing a native mobile application ruins the security of your existing Web solution

Providing a native mobile application in addition to an existing web solution, whether for usability, performance or connectivity reasons, has far more security implications than it may seem. Very often the mobile integration moves logic from the server to the client side, but this code cannot be considered secret anymore. Through the exploitation of a real-world Android application, we will see how it is possible to

  • retrieve documents without paying for them
  • decrypt and use them on any device despite the DRM in place

The approach will combine some Java reverse engineering and HTTP monitoring, making it possible to understand how basic cryptography is used by the server authentication logic. The various vulnerabilities discovered, at design or code level, will be detailed and serve as examples not to follow. Then it will be explained how to combine them to collect and decrypt unauthorized resources via a Python script.

To conclude, practical recommendations will be provided to address those common categories of issues.

Language: French

 Jérémy Matos (Jérémy Matos Securing Apps)

Jérémy Matos
(Jérémy Matos Securing Apps)

Jérémy Matos has been working in building secure software for almost 10 years. With an initial academic background as a developer, he has a clear insight into what a software development lifecycle is in practice. It also enables him to gain the trust of other programmers by speaking the same language and understanding their day-to-day activities, providing an efficient channel to increase their security awareness.
Designing and developing a two-factor authentication product for 6 years made him deal with challenging threat models, particularly when delivering a public mobile application, and practice secure coding guidelines extensively, as the solution was regularly reviewed and penetration tested by third parties. Being responsible for the integration and deployment with customers was for him a great opportunity to work with diverse production infrastructures and security providers, in critical sectors such as banking, health or industry. Understanding the various stakeholders' constraints was key to reducing operational costs as much as possible.
His experience was used in both internal and external consulting roles. He helped in the definition and implementation of security requirements, including cryptographic protocols, for applications where the insider is the enemy.
He also led code reviews and security validation activities for companies exposed to reputation damage. In addition, he participated in research projects to mitigate Man-In-The-Browser and Man-In-The-Mobile attacks.

IRMA: Incident Response and Malware Analysis

Malware has been a pain for years. Thanks to marketing, we thought anti-virus would be enough to deal with it. Now, we all know there is no single solution, and that it is illusory to expect a network without malware. So, a team of analysts in a CERT or a SOC, for instance, must be able to quickly triage a file: it is safe, it is already-known malware (no need to analyze it), or it is unknown. In order to fulfil its mission, the analyst team must quickly discard files that do not need any analysis, so that the team can focus on unknown files.

IRMA provides a quick way to do that. It performs different analysis (which we call probes) of a file, through multiple anti-virus engines, sandbox, external information and specialised probes (PEiD or PDF for instance).

We developed IRMA focusing on 2 goals:
1. It must be easy to install.
2. It must be easy for everyone to add new probes.

We will see how IRMA can be used as a triage system when dealing with permanent malware attacks, so that you can focus where it really matters.

Last but not least, if you want to build your own customized instance of IRMA in order to avoid sharing sensitive files with AV vendors or Google, this talk is definitely for you.

Language: French

 Fred Raynal (QuarksLab)

Fred Raynal

Fred Raynal, PhD, is the founder and CEO of QUARKSLAB. Previously, he worked 3 years at EADS, including working as a core member of EADS IW, then created the SOGETI ESEC R&D (lab) team he managed for 5 years. He is also the founder of the French conference SSTIC and the magazine MISC. He is a regular speaker at many conferences (HITB, CanSecWest, PacSec, …). Besides "founding", he enjoys both technical hacking and information warfare, and finding ways to combine both in order to create different (and hopefully better) ways to do information security.

WebSSO - The API gateway approach

An insurance company wanted to extend their services online to Partners and Customers. Each population having its own identity data store, ranging from dedicated Identity Providers (IdPs) and social networks' IdPs to local directories, they were in a siloed identity environment with no single unified authoritative source. To face the common issues of a siloed identity environment, this insurance company adopted a federated identity architecture to provide the populations with SSO.

The first challenge to face in this project was the heterogeneity of the authentication methods. Web applications and services support different authentication methods, and these methods can differ depending on whether the application is accessed internally or externally. This is where the API gateway approach makes sense. It provides a loosely coupled approach to authentication, with a perimeter layer in charge of the federation with the different IdPs, an outbound layer in charge of the authentication to applications, and in between a core layer in charge of token translation. Moreover, this solution enables us to handle the second challenge of this project, Kerberos authentication for external users, using a dedicated service of the API gateway.

Language: French

 Florent Martin (SmartWave)

Florent Martin

Florent Martin, PhD: experienced IT engineer.

He received several degrees in executive education, a master's degree from the Conservatoire National des Arts et Métiers and a PhD in data mining, in a collaborative context between industry and the University of Grenoble.

I started my career in the manufacturing industry, working in automation and electronics, before moving to research in data mining, software integration and finally Identity and Access Management. All of these experiences were focused on providing services in the manufacturing domain. I developed a deep knowledge of software development ranging from embedded to large business solutions development, integration and support. Through the integration of embedded devices such as acquisition systems, badge readers and terminals with business solutions, I developed a strong knowledge of securing information flows and managing identities. Thus, I moved to my current manager position in the area of Identity and Access Management.


Protecting infrastructure secrets with Keywhiz

At Square, our number one priority is security. We needed something to protect secrets, especially as their number increased with our adoption of a microservice architecture.

Although protecting infrastructure secrets is a common need, we weren’t able to find an adequate secret management system. So, we built Keywhiz.

Keywhiz is a secret management and distribution service that is now open source. Keywhiz helps us with infrastructure secrets, including TLS certificates and keys, GPG keyrings, symmetric keys, database credentials, API tokens, and SSH keys for external services. Automation with Keywhiz allows us to seamlessly distribute and generate the necessary secrets for our services, which provides a consistent and secure environment, and ultimately helps us ship faster.

Language: English

 Sarah Harvey (Square, Inc.)

Sarah Harvey
(Square, Inc.)

Sarah is a security engineer at Square. She is responsible for various backend systems (written in Java and other languages), most of which play a critical role in processing our customers' payments.
In the past, she worked at Facebook on production engineering and Google on Chrome OS systems security.

Detecting and monitoring a targeted threat

In today's world, companies need to assume that they are compromised. The challenge now is to reduce the time between the breach and its detection. During this talk, Marc Doudiet will revisit a targeted attack (APT) case detected by the Cyber Fusion Center of Kudelski Security and show how to detect, monitor and eradicate such threats.

Language: French

 Marc Doudiet (Kudelski Security)

Marc Doudiet
(Kudelski Security)

Marc is a senior security analyst at Kudelski Security working in the Cyber Fusion Center, a new-generation Security Operations Center (SOC).

His day-to-day job involves hunting intruders, reverse engineering binaries and researching methods to detect cyber criminals.

Nothing makes him happier than adding another sample to his collection of weird binaries and strange exploits.

Breaking white-box cryptography

Although all current scientific white-box approaches to standardized cryptographic primitives are broken, there is still a large number of companies which sell "secure" white-box products. A new approach to assessing the security of white-box implementations is presented, which requires neither knowledge of the look-up tables used nor any reverse engineering effort. The differential computation analysis (DCA) attack is the software counterpart of the differential power analysis attack as applied by the cryptographic hardware community.

Language: French

 Philippe Teuwen (NXP Semiconductors)

Philippe Teuwen
(NXP Semiconductors)

Philippe Teuwen is Principal Researcher at the Innovation Center Crypto & Security in the Business Unit Security & Connectivity of NXP Semiconductors. He's a regular speaker on NFC security and privacy and loves CTF challenges.