encrypt! organize! resist!: digital safety for politically vulnerable organizations & civil society

by Matt “mateo” Mitchell

Matt will explain his framework for implementing digital safety for groups of human rights defenders, activists, nonprofits, & ngos. on what it takes to change the trajectory of an organization to safeguard their mission & protect them from digital threats. Often these organization are facing sophisticated and persistent adversaries. This presentation focuses on how to roll out to tenants of organizational digital hygiene in challenging environments. security policies, data retention programs, incident response plans, & crisis management drills will be covered.

Bio: Matt “mateo” Mitchell

Matt is a digital safety expert, operational security training and currently the director of digital safety and privacy at tactical technology collective. Matt comes to this work from many years of experience in the risk consulting, analysis and mitigation arena, most recently with GJS Security. He is also the founder of cryptoharlem, a project focused on teaching digital rights & circumvention technology to marginalized folks in new york city’s predominately black & latinx harlem neighborhood.

Real World: Threat Intelligence

by Elle Armageddon

When was the last time you considered the real-world threats users may be facing? The list includes stalkers, intimate partner violence, local-level law enforcement surveillance, spying bosses, and systemic oppression, all of which may pose different risks. In this session, we will discuss the disconnect between what the security community often thinks users need, what users think users need, and what users actually need. We’ll also take a look at some basic steps we can take to improve the day-to-day lives of at risk users, and help make the world a safer place for marginalized people.

Bio: Elle Armageddon

Elle Armageddon is an operational security expert and privacy advocate based in Oakland, California.

Improving Internet Security Through Cooperation: SIE Europe in 2018

by Paul Vixie

The digital ecosystem known as The Internet uniquely requires cooperation as a precondition for success or relevance, even among competitors. While creativity in interpretation of norms and boundaries can lead to short term successes, such creativity is made possibly only by those norms and boundaries. The Internet ultimately requires that competitors cooperate in some ways to succeed. One controversial form of cooperation is the sharing of security related telemetry in real time, for the good of all, and also for the good of whomsoever shares. Dr. Paul Vixie will explain how the Security Information Exchange (S.I.E.) project facilitates such cooperation, and will describe the new SIE Europe nonprofit company he helped start.

Bio: Paul Vixie

Cron, DEC, BIND, DNS, ISC, MAPS, RBL, PAIX, Abovenet, F-Root, RPZ, RRL, Keio Ph.D, Internet Hall of Fame.

Education & communication

by Ange Albertini

Information security is thankfully not limited to what experts know and can do, because they can’t do much on their own, and non-experts will always be the weakest link. An important part of Infosec problems is about dealing with ‘standard’, non-expert people.

So…let’s just tell them that they’re idiots, that they shouldn’t use ‘123456’ as password (and change it every week), install an antivirus, auto-update their system, stop clicking on links, uninstall Flash and Java!

Problems solved! We told them. What else do you expect? Oh, they won’t listen? Stupid ignorants. We did our job, didn’t we? It’s their problem…

Maybe not? This talk is about your relation with the non-technical people we have to deal with - whether we like it or not - in the world of Infosec.

Bio: Ange Albertini

Reverse engineer, author of Corkami


How we trained the dragon^H classified APKs via ANNs

by Roman Graf, Aaron Kaplan

Using machine learning techniques - with a special focus on deep learning to improve Android APK maliciousness classification leads to surprising accurate detection rates - far surpassing standard AV engines.

Bio: Roman Graf

Roman Graf, Ph.D., research engineer at Center for Digital Safety & Security in Austrian Institute of Technology GmbH, works on Cyber Security and Data Analytics topics, contributing to the development of several European research projects like Ecossian, Planets, Assets and SCAPE. He has published widely in the area of cyber security and risk management in digital preservation, being an active member of the Open Preservation Foundation (OPF). Finally, Dr. Graf supported the development of cyber threat intelligence solution CAESAIR serving as one of a key developer and contributed a module to the Open Source Threat Intelligence Platform (MISP)

Bio: Aaron Kaplan

L. Aaron Kaplan

Studied maths and computer sciences in Vienna, Austria.
Since 2008 he works for the Austrian domain registry (“.AT”) where he is part of the national CERT ( He is a member of the board of directors of In a past life he has been working a lot on wireless mesh networks and built a city wide community network in Vienna.

Modern pentest tricks for faster, wider, greater engagements

by Thomas Debize

The pentesting domain is constantly evolving and has quite changed in the last decade in order to provide more and more sophisticated, (bug-free) and complete tools. The ability to process wide data sets coming from multiple tools is becoming a true pentesting core skill. This talk is nothing but the will of a 7-year experience pentester to share its coolest techniques, tools and procedures that he learned over time and that not everyone might be aware of. If you never heard about Jython, sift, PyInstaller, CSVKit, Impacket, Frida, GNU Parallel, or you don’t have a clue of how they can be applied for your pentesting day-to-day job ; come on in, you will for sure (I hope) take at least something practical back with that talk.

Bio: Thomas Debize

Thomas Debize is a French security enthusiast interested in audits, penetration tests, incident responses. He developed a specific interest in data visualization and analysis throughout the time. He spoke at several conferences such as, ZeroNights, BSides LV, HITB and Hackfest to name few. That said, he likes to git push new infosec tools on its free time (

Operating large-scale honeypot sensor networks

by Piotr Kijewski

The talk will cover practical experiences in operating large scale honeypot sensor networks especially in the context of the SISSDEN project and provide a status update of the sensor network as maintained by the project:

Bio: Piotr Kijewski

Piotr is a member of The Shadowserver Foundation, a non-profit with a mission of making the Internet a more secure environment. He has a strong CSIRT background, previously working in incident response at a national level for 14 years in the CERT Polska (CERT.PL) team. He managed the team for nearly 7 years up till 2016, building up its various security data gathering and analysis projects as well as managing its anti-malware operations, including numerous botnet disruptions. Piotr currently also serves on the Board of Directors of the Honeynet Project, a well-known and respected non-profit that is committed to the development of honeypot technologies and threat analysis

Practical and Affordable Side-Channel Attacks

by Francois Durvaux

How to build an affordable side-channel attack setup: exploitation of electro-magnetic radiations emitted by an implementation of an AES-258 on a 8-bit microcontroller.

Bio: Francois Durvaux

Francois did his PhD in the Crypto Group at UCL in Belgium. His research topic was on the evaluation of side-channel attacks. Two years ago, Francois started to work as a security engineer for Thales Belgium. He continues research activities both during work and on his free time. Francois is interested in all security aspects, and is never bored to learn new things. Beers and video games are great too!

IPC - the broken dream of inherent security

by Thanh Bui, Siddharth (Sid) Rao

This talk presents vulnerabilities related to inter-process communication (IPC) inside the computer. These vulnerabilities allow a non-privileged process to impersonate the IPC communication endpoints and steal sensitive data of other users on the same computer, including passwords and authentication factors.

Bio: Thanh Bui

Thanh Bui is a doctoral candidate in the “Secure systems” group of Aalto University, Finland. His research focuses on analyzing and designing secure network protocols and distributed systems. He is a past Erasmus Mundus fellow and holds double master’s degrees from Aalto University, Finland and KTH Royal Institute of Technology, Sweden.

Bio: Siddharth (Sid) Rao

Siddharth (Sid) Rao is a doctoral candidate in the”Secure systems” group of Aalto University, Finland. He specializes in the security analysis of communication protocols, and his current interest lies in pedagogical study of the ‘lack of authentication’ in different systems. He is a past Erasmus Mundus fellow and holds double master’s degrees from Aalto University, Finland and University of Tartu, Estonia. He has been Ford-Mozilla Open Web Fellow at European Digital Rights (EDRi), where helped to define policies related to data protection, surveillance, copyright, and network neutrality. He has previous spoken at security conferences such as DEF CON, Blackhat and Troopers.

14 Easy Lessons for Thinking About Complex Adversarial Systems

by Eleanor Saitta

This talk will share a set of tools for thinking about complex adversarial systems (and define why that’s a useful frame for all security folks), plus give pointers for where to find more useful ways of thinking.

Bio: Eleanor Saitta

Eleanor Saitta is an independent security architecture and strategy consultant with media, finance, healthcare, infrastructure, and software clients across the US and Europe. She was previously the security architect for, and has worked for a number of commercial consultancies (Bishop Fox, IOACtive, and others) over the past fifteen years. Her work has encompassed everything from core security engineering and architecture work for Fortune 50 software firms to cross-domain security for news organizations and NGOs targeted by nation states. Her focus is on the ways task and experience design, system architecture, development process change, and operational changes can shift the balance of power between adversaries to bring better outcomes to users.

Saitta is a co-founder and developer for Trike, an open source threat modeling methodology and tool which partially automates the art of security analysis and has contributed to the Briar and Mailpile secure messaging projects. She’s on the advisory boards of the Freedom of the Press Foundation, the International Modern Media Institute, and the Calyx Institute, all organizations that look at freedom in the media and security online. Saitta is a regular speaker at industry conferences; past venues include O’Reilly Velocity, KiwiCon, ToorCon, CCC, Hack in The Box, and HOPE, among others. You can find her on twitter as @dymaxion, and at

how to hack a Yacht - swimming IoT

by Stephan Gerling

Modern vessels and yachts are equipped with a lot of specialized equipment communicating over internal control and IT networks, and connected to Internet. Due to my background, I was curious to know how modern vessels navigate and how the ship electronic is working. This is why I asked for an access to a big expensive yacht to assess its security.

The Backbone network of the vessels is nowadays based on NMEA0183 or the newer NMEA2000 , which is electrically similar to CAN Bus. The main IT network is connected to the backbone ship’s control network via the Ethernet-to-NMEA gateways. Cloud based apps give u access directly to the engine of the Yacht. Voila!
We have a swimming IoT device with many attack vectors. In my Talk i will show how to use vulnerabilities in internet Routers for maritime environment, lookup SatCom Boxes and their (In)security and how remote control, cloud services etc. connected to the Yacht IT equipment.

Bio: Stephan Gerling

49 years old electronic specialist, worked at German Army as electronic specialist on Helicopters and where in IFOR SFOR UNSCOM missions. more than 30 years a firefighter 18 years now security evangelist for my employer in the Oil & Gas Industry. everything started with a C64 in 1983 I always want to know, how things works and i void warranty and my background in electronics and IT is my force. Geraffel & I am the cavalry member My Twitter handle is “@ObiWan666”

Breaking Parser Logic: Take Your Path Normalization off and Pop 0days Out!

by Orange Tsai

We propose a new exploit technique that brings a whole-new attack surface to defeat path normalization, which is complicated in implementation due to many implicit properties and edge cases. This complication, being under-estimated or ignored by developers for a long time, has made our proposed attack vector possible, lethal, and general. Therefore, many 0days have been discovered via this approach in popular web frameworks written in trending programming languages, including Python, Ruby, Java, and JavaScript.

Being a very fundamental problem that exists in path normalization logic, sophisticated web frameworks can also suffer. For example, we’ve found various 0days on Java Spring Framework, Ruby on Rails, Next.js, and Python aiohttp, just to name a few. This general technique can also adapt to multi-layered web architecture, such as using Nginx or Apache as a proxy for Tomcat. In that case, reverse proxy protections can be bypassed. To make things worse, we’re able to chain path normalization bugs to bypass authentication and achieve RCE in real world Bug Bounty Programs. Several scenarios will be demonstrated to illustrate how path normalization can be exploited to achieve sensitive information disclosure, SMB-Relay and RCE.

Understanding the basics of this technique, the audience won’t be surprised to know that more than 10 vulnerabilities have been found in sophisticated frameworks and multi-layered web architectures aforementioned via this technique.

Bio: Orange Tsai

Cheng-Da Tsai, also as known as Orange Tsai, is member of DEVCORE and CHROOT from Taiwan. He has spoken at conferences such as Black Hat USA, Black Hat ASIA, DEF CON, HITCON, HITB, CODEBLUE and WooYun. He participates in numerous Capture-the-Flags (CTF), and won 2nd place in DEF CON 22/25 as team member of HITCON.

Currently, he is focusing on vulnerability research and web application security. Orange enjoys finding vulnerabilities and participating in Bug Bounty Programs. He is enthusiastic about Remote Code Execution (RCE), and uncovered RCEs in several vendors, such as Facebook, Uber, Apple, GitHub, Amazon, Yahoo and Imgur.

Twitter: @orange_8361 Blog:

The Snake keeps reinventing itself

by Jean-Ian Boutin and Matthieu Faou

In this talk, we will survey some new components of the infamous Turla group. Through our multi-year tracking, we selected for discussion components that were never analyzed publicly as well as some emerging TTPs for this group.

Bio: Jean-Ian Boutin and Matthieu Faou

Jean-Ian Boutin is a senior malware researcher in the Security Intelligence program at ESET. In his position, he is responsible for investigating trends in malware and finding effective techniques to counter new threats. He has presented at several security conferences, including RECON, Virus Bulletin, CARO and ZeroNights. Jean-Ian completed his Master’s degree in computer engineering at Concordia University in Montreal in 2009. His main interests include investigation of financially motivated threat actors and state-sponsored espionage groups. He has also participated in several large botnet takedown operations in conjunction with law enforcement and industry partners.

Matthieu Faou is a malware researcher at ESET where he performs in-depth analysis of malware. He finished his Master’s degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has presented at conferences such as Virus Bulletin, Recon Brussels or Botconf.


by Eyal Itkin, Yaniv Balmas

FAX - a technology that changed very little over the past 30 years is still very much live and kicking today. Is it really as secure as we imagine it to be? Can a simple FAX break all traditional security concepts to small pieces and compromise your entire network? Come and check it out - WHAT THE FAX?!

Bio: Eyal Itkin

Eyal Itkin is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies. Eyal has an extensive background in security research, that includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreter languages, and an award by Microsoft for his CFG enhancement white paper. When not breaking PTP or I2P, he loves bouldering, swimming, and thinking about the next target for his research.

Bio: Yaniv Balmas

Yaniv Balmas is a software engineer and a seasoned professional in the security field. He wrote his very first piece of code in BASIC on the new Commodore-64 he got for his 8th birthday. As a teenager, he spent his time looking for ways to hack computer games and break BBS software. This soon led to diving into more serious programming, and ultimately, the security field where he has been ever since. Yaniv is currently leading the security research group at Check Point Software Technologies where he deals mainly with analyzing malware and vulnerability research. Twitter: @ynvb

Hypervisor-level debugger: benefits and challenges

by Mathieu Tarral

In this talk I will review the benefits of having hypervisor-level debuggers, analyze the previous attempts at building such a tool, and present r2vmi, which aims to be a flexible VMI debugger built on top of libvmi and radare2.

Bio: Mathieu Tarral

Mathieu Tarral is a security researcher at F-Secure, where he explores Virtual Machine Introspection’s possibilites for malware behavioral analysis.

He is the maintainer of Nitro a syscall interception framework based on KVM.

This has led him to create the KVM-VMI organization on Github, to help the common effort of bringing an official VMI API on KVM.

Worms that turn: nematodes and neotodes

by Matt Wixey

Nematodes, or “anti-worms”, exploit the vulnerabilities used by worms, but then attempt to disinfect and patch vulnerable hosts. In this talk, I discuss the history of nematodes; why previous implementations failed; and why it may be worth reconsidering, given the recent rise in unconventional worms using IoT, hardware, firmware, and other mediums. I will also show demos of a traditional nematode and a new IoT nematode I developed, and a nematode I wrote which identifies and reports on specific images found on infected hosts.

Bio: Matt Wixey

Matt leads technical research for the PwC Cyber Security practice in the UK, works on its Ethical Hacking team, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.

Building with Privacy by Design

by Naomi Freeman

Our inboxes were overflowing with new Terms & Conditions emails this spring: GDPR came into full-force effect in May. How can developers move forward and build with best practice and privacy by design principles?

Bio: Naomi Freeman

Naomi Freeman is an entrepreneur, software engineer, speaker, writer, and serial volunteer organizer. She was an Obama campaign fellow focusing on community engagement, a Woman of Influence nominee for the Canadian Women Entrepreneur Award, and one of eight founders accepted into the prestigious Women’s Startup Lab in California. Naomi holds an MBA from Washington State University and has degrees in both creative writing and philosophy. She currently lives in Norway with her two cats and a Baby Groot bobblehead, all swathed in glitter washi tape.

Neuro-Hacking (The science behind social engineering and an effective security culture)

by Emmanuel Nicaise

Performing social engineering without understanding how the brain works is like using nmap without any knowledge of the TCPI/IP stack. It’s ok for script kiddies, not really for security professionals. After decades of dubious psychoanalytical theories, neuro-cognitive sciences bring us sounds and evidences-based theories explaining how (part of) the brain works and what are his flaws. How do we exploit these flaws, how can we fix them? How does the dark side use this knowledge and how can the light side use it to develop an effective security culture? Bring your brain with you and prepare it to download and install the new API’s spec to the 21st century human being.

Bio: Emmanuel Nicaise

Emmanuel Nicaise is an alien in the world of cyber security. He combines a master in psychological sciences and psychopathology from the University of Brussels with a degree in IT and 25 years of experience in IT and security. After many years working as network security specialist, web developper and IT security officer, he’s trying to build a bridge between Information Security and Psychological sciences for a bit more than a decade now. His quite unique experience and skills gives him a rare point of view on the cyber security microcosm.

pEp - pretty Easy privacy for everyone!

by sva

p≡p motivates a new standard to securely encrypt and verify written communications without reinventing the wheel: p≡p eases secure communications relying on well-established end-to-end cryptographic methods by design. Following standards like OpenPGPG or OTR it integrates into existing systems for written digital communications and automating key management tasks.

Bio: sva

sva is part of the board of the Chaos Computer Club and (co-) founded, mentored and organized various hackspaces and -events, not only CCC/C3-events but also and in India. She is part of the cryptoparty core-team and wants to implement mass encryption with the Swiss p≡p foundation to create privacy by default for everyone. She holds a diploma in social/cultural anthropology, philosophy and computer science from Munich.

The (not so profitable) path towards automated heap exploitation

by Thais aka barbieauglend

The modern world depends and rely on the security (and safety!) of software. To protect privacy, intellectual property, customer data and even national security are goals for most of us. Analysis tools can help us to get new insights that can be used to secure software and hardware by identifying vulnerabilities and issues, before they cause harm downstream. The automatic exploit generation is an old challenge in the industry that is not totally solved - in fact, we are far away from it, as Julien Vanegue stated in May this year. Furthermore, AEG is limited right now to stack-based buffer overflows and format string exploits as the semantic information about user bytes in memory is not available. In this talk I am showing a proof of concept for automated heap exploit generation on an x86 architecture, using symbolic execution and SMT solvers.

Bio: Thais aka barbieauglend

Thaís Moreira Hamasaki is a malware researcher @F-Secure, who focus on static analysis, reverse engineering and logical programming. Thaís started her career within the anti-virus industry working on data and malware analysis, where she developed her knowledge on threat protection systems. She won the “best rookie speaker” award from BSides London for her very first talk about “Using SMT solvers to deobfuscate malware binaries”. Recent research topics include binary deobfuscation, generic unpacking and static analysis automation. She is an active member of the Düsseldorf Hackerspace, where she also leads the groups for Reverse Engineering and x86 Assembly. In her free time, you can find Thaís building tools, cooking or climbing somewhere offline.

Mind the (Air)Gap

by Erez Yalon, Pedro Umbelino

Breaking air-gaps makes researchers become more creative. So we got creative. We will explain the issues of exfiltrating sensitive data from sensitive air-gapped systems and demo exfiltration of such data by abusing vulnerable IoT objects and Android’s vulnerable NFC design.

Bio: Erez Yalon

Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, Erez is responsible for maintaining Checkmarx’s vulnerability detection technology where his previous development experience with a variety of coding languages comes into play.

Bio: Pedro Umbelino

Pedro is a security researcher and consultant by day and Hackaday contributor by night. He started messing around with computers on a Spectrum, watched the bulletin board systems being dropped for the Internet, but still roams around in IRC. Known by the handle [kripthor], he likes all kind of hacks, hardware and software. If it’s security related even better.

Let me Yara that for you!

by Dan Demeter

I would like to present Kaspersky’s open source tool (Klara) allowing anyone to build their own Yara scanner in the cloud. With this tool, one can create a malware collection and then submit Yara jobs in order to hunt new viruses, all this using a web interface.

I believe people attending your conference will be happy to learn about a new way to run their Yara rules. I will go through the features of Klara as well as presenting some real-world cases of how we use Klara to find new APTs. Tool is available here:

Bio: Dan Demeter

Security Researcher - Global Research And Analysis Team

Dan graduated from Imperial College London and holds a Master of Engineering in Software Engineering. He joined Kaspersky Lab in 2014 where his work focuses on developing threat intelligence systems, processing big data and creating new technologies to fight advanced persistent threats.

When not meddling around with network cables or bricking routers he can be found playing board games and snowboarding the slopes across the world.

Cl4ndestina: privacy by default with a feminist perspective from the Global South

by Steffania Paola and Narrira Lemos (Cl4ndestina)

We are a group of hack-feminists working with technology in the Global South: creating own our servers, theories, futurisms, experiments and learning together. In our talk we will presenting our projects, whys and hows we are building a feminist internet to ending the gender-based violence against women, and also to have fun together!

Bio: Steffania Paola and Narrira Lemos (Cl4ndestina)

Cl4ndestina is a Brazilian feminist server. We currently host Wordpress websites from feminist projects and collectives based in Latin America.

Make ARM Shellcode Great Again

by Saumil Udayan Shah

Compared to x86, ARM shellcode has made little progress. The x86 hardware is largely homogenous. ARM, however, has several versions and variants across devices today. There are several constraints and subtleties involved in writing production quality ARM shellcode which works on modern ARM hardware, not just on QEMU emulators.

In this talk, we shall explore issues such as overcoming cache coherency, reliable polymorphic shellcode, ARM egghunting and last but not the least, polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend agaisnt attacks using age old signature based techniques. There will be demonstrations of my shellcode on ARM IoT devices featuring different types of ARM architecture.

Bio: Saumil Udayan Shah

SAUMIL UDAYAN SHAH CEO, Net-Square. @therealsaumil

Saumil Shah, is the founder and CEO of Net-Square, providing cutting edge information security services to clients worldwide. Saumil is an internationally recognized conference speaker and instructor for over 18 years. He is also the co-developer of the wildly successful “Exploit Laboratory” courses and authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”.

Saumil holds an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time playing Pacman, flying kites, traveling around the world and taking pictures.

Not So Random

by Guenaelle De Julis - @b4stet4

This short talk is about a real world experience where we manage to reduce the randomness of a token from 384 to 42 bits, which allow us to predict the next valid tokens. We will go through each step, from reversing token, to reducing the key space, and then retrieving the internal state of the generator.

Bio: Guenaelle De Julis - @b4stet4

Guenaelle is a Information Security Consultant, currently working for Docler Holding, and a Researcher. She holds a PhD in Cryptography/Mathematics, in which she studied physical random number generators, reviewed and enhanced standards to evaluate them. Her research interests are in anomaly and fraud detection, data analysis, security by design. She also enjoys coding, teaching and popularizing technical fields.

Simple analysis using pDNS

by Irena Damsky

In this talk, we will have a closer look at passive DNS (pDNS), a powerful tool which allows historical analysis of DNS data. First, we will quickly recap DNS followed by outlining the concept and capabilities of pDNS finishing up with some concrete use cases and how it can be applied e.g. when investigating phishing or lighting up malicious infrastructure.

Bio: Irena Damsky

@DamskyIrena (as you might have seen her on Twitter) is the founder of – CTI Research, Training and Consulting. She is an Israeli security and intelligence researcher with a disturbing affection to cats and unicorns. In the past she was the VP Research for ThreatSTOP, used to work for Check Point, reached a rank of Captain (now in reserve) in the Israeli Defense forces and even managed to earn both an Bsc and Msc in computer science.

Serial-Killer: Security Analysis of Industrial Serial Device Servers

by Florian Adamsky

In this talk, I present the results of a security analysis of industrial serial-to-ethernet converter. I identified multiple flaws in the TCP/IP stack, authentication and configuration system on different serial-to-ethernet converter which can be exploited to run arbitrary code or to make these devices inoperable.

Bio: Florian Adamsky

Florian received his PhD in Information Engineering from the City University London in 2016, and his B. Sc. degree in 2010 from the University of Applied Sciences Technische Hochschule Mittelhessen (THM). In 2016, he joined the Interdisciplinary Centre for Security, Reliability and Trust (SnT) where his research within Secan-Lab focuses on security and network.

Only an Electron Away from Code Execution

by Silvia Väli

This talk will discuss the Electron framework, question its quirks and DEMO you numerous vulnerable desktop applications with the easiest code execution you have ever seen. It will look into behind-the-scenes of how Electron apps are built and what are the mistakes which developers end up making when being too adventurous.

Bio: Silvia Väli

My name is Silvia Väli. I am a security researcher from Estonia, working as a web-application pentester in Clarified Security. I am also a member of the Blackhoodie group, which is a female-only reverse engineering workshop. Electron application security was something I was working on for my master’s degree (2018) and it became into a project I continue to research further on as there is so much yet to be discovered and stories to be told.

Attacks on Critical Infrastructure and Machinery

by Vladimir Kropotov, Dr. Fyodor Yarochkin

This presentation covers a number of case studies of breaches within critical infrastructure information network. You may think that no one in their sane mind would put a nuclear plant control system online? Then you possibly are making a mistake. From telecommunication networks to transport, water and energy infrastructure: the authors will demonstrate how simple mistakes could potentially led to high risks of catastrophic failures.

Bio: Vladimir Kropotov

Vladimir Kropotov is a researcher with Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a masters degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB,, PHDays, ZeroNights, POC, Hitcon, Black Hat EU and many others

Bio: Dr. Fyodor Yarochkin

Fyodor is a threat researcher with FTR/TrendMicro Taiwan and holds a Ph.D. from EE, National Taiwan University. Fyodor is mainly focused on regional threat investigations, Russian and Chinese underground studies as well as automation of threat hunting process. Prior to TrendMicro, Fyodor professional experience includes several years as a threat analyst and over eight years as an information security analyst responding to network, security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organizations. Fyodor is an active member of local security community and has spoken at a number of conferences regionally and globally.

Finding the best threat intelligence provider for a specific purpose: trials and tribulations

by Alicia Hickey, Dror-John Roecher

We undertook a large project to evaluate the quality of APT TI/IoC sources and encountered multiple expected and unexpected challenges. We will present our approach, the challenges encountered and the results.

Bio: Alicia Hickey

Alicia is part of the Threat Intelligence team at DCSO where she likes to work her data science magic on data. Only joking, most days her work revolves around trying to find what questions to ask from the data and working out how to access/clean/format/merge the data so that she can get the answers she’s after.

Bio: Dror-John Roecher

Dror stumbled into IT-Security in the late 1990es by building network-centric defenses and penetration testing network infrastructures. After joining ERNW in 2004, where he headed the training department and worked as a consultant, penetration tester and trainer, he moved on to become part of the security consultancy at a large system integrator and managed services provider. There he focused on security strategy consulting and managed to incorporate a little bit of security into standard managed it-services by default. He also built the first ever security analysts team at his employer and established a training program for new analysts. Dror joined DCSO as Head of Threat Intelligence in early 2016. He has spoken at numerous international security and IT conferences including Blackhat Briefings, Troopers, Vmworld and Hack-in-the-Box.

Come to the dark side! We have radical insurance groups & ransomware.

by Eireann Leverett, Ankit Gangwal

Ransomware is a volume crime, and one that is very quantifiable. Cyber insurance likes the quantifiable risks, with a large body of actuarial data, to be confident about sustainably financing solutions. However, those profiteering gluttons always try to turn a profit! How much profit?

To find out, we would need to see what a not-for-profit model of ransomware looked like. So, we tried to imagine one and fill in the values.

Come, see how an economic model can be built from real-world data on ransomware!

Or, if the talk doesn’t interest you, enjoy the Italo Calvino-Storm Trooper Wordcloud.

Bio: Eireann Leverett

Éireann Leverett once deleted himself from a CFP AFTER being accepted.

He paid a small ransom to Ankit Gangwal, to get reinstated.

Now he has invented to CFP insurance, which has a customer base of only him, and he receives the payouts whenever he deletes himself. Thus he increase a randomly chosen GDP by precisely 1 XMR per year.

Don’t you have something better to do than read an old bitshifters biography?

Bio: Ankit Gangwal

Ankit is a Ph.D. student at the University of Padua, Italy. His current research interest includes security and privacy of the blockchain technology and novel network architectures, in particular, Software Defined Network (SDN).

He believes in reproducible research and tends to publicly release the source code as well as the data set of his projects (sometimes, even before the paper is accepted).

NB: Ankit himself has written his biography in the third person.

So you think IoT DDoS botnets are dangerous - Bypassing ISP and Enterprise Anti-DDoS with 90’s technology

by Dennis Rand

Stressers/Booter services is providing “DDoS as A Service” and they are getting more and more powerfull, measured in amount of traffic, but the current resources they use could be improved, and optimized, and perform a much more dangerous and advanced attack patterns that can bypass large Anti-DDoS solutions through pre-analysis and data-mining with big data analysis and OSINT informaiton as source.

The research will show a framework on how attackers can optimize attacks based on a combination of big-data analysis and pre-attack analysis, that will show that terabit attacks are not necessarily needed, and why 90’s technology can be prefered over IoT Worms and other fancy gadgets.

Bio: Dennis Rand

Dennis Rand is a security researcher from Denmark. He specializes in vulnerability research, network analysis, penetration testing and incident response. Dennis has over seventeen years of experience in various security roles including researcher, consultanting, and simply loves breaking stuff.

In his spare time (Of what is left), he loves to observe and capture the world through photography.

Trojans in SS7 - how they bypass all security measures

by Sergey Puzankov

Almost all the recent SS7 security research is connected with abuse when a request that looks like legitimate leads to violation of confidentiality, integrity, or availability. There are a lot of protective tools to mitigate this issue. However, our new research demonstrates that malicious SS7 requests could be hidden behind harmless ones. This looks like Trojan attacks. In this talk, I will explain and demonstrate how a malefactor could exploit SS7 Trojans in order to bypass existing protection tools in SS7 networks.

Bio: Sergey Puzankov

Telecom Security Expert, Positive Technologies. Sergey was born in 1976. He graduated from Penza State University with a degree in automated data processing and management systems in 1998. Before joining Positive Technologies in 2012, he worked as a quality engineer at VimpelCom. Being a security expert in telecommunication systems at Positive Technologies, he is engaged in the research of signaling network security and in audits for international mobile operators. He is part of the team that revealed vulnerable points in popular two-factor authentication schemes using texts and demonstrated how easy it is to compromise Facebook, WhatsApp, and Telegram accounts. As an expert in telecom security, he researches signaling network security and participates in audits for international mobile operators. Sergey is also the general developer of the Telecom Vulnerability Scanner tool and member of the Telecom Attack Discovery development team and co-author of Positive Technologies annual reports on telecom security.

Abusing Bash for Windows

by Antoine Cervoise

This presentation showcases how to use bash on Windows (Cygwin, WSL) for privilege escalation and post-exploitation. Tricks that will be presented here use existing tool features: no vulnerabilities/0days will be exploited. We also assume that you can already execute code on the target.

Bio: Antoine Cervoise

Antoine is an IT security engineer at NTT Security, skilled in infosec incident handling, pentest and audit. He enjoys computer science, electronics and D.I.Y., beers (drinking and making) by night… and he’s fond of cigars!

Risk Assessment Optimisation with MONARC

by Fabien Mathey

In this paper we briefly presented the MONARC method and platform, highlighting its contribution to the community: optimisations and the ability to easily share the information. Each of the presented optimisations and even the sharing part will reduce the amount of resources needed to perform a risk analysis.

During the presentation a short live demo where each of the aforementioned optimisations and sharing will be demonstrated on a dedicated instance of MONARC.

Bio: Fabien Mathey

Fabien Mathey has been part of the CASES team since early 2012 and has contributed to open source projects. He assisted in the development of tools and risk assessments and gives trainings, workshops and presentations. This gives him the ability to combine the knowledge gained from those activities to bring the projects forward.


The Hive / MISP


This workshop will take participants through a journey to familiarise themselves with common activities related to incident response, digital forensics, and cyber threat intelligence using the popular FOSS stack composed of MISP, the Malware Information Sharing Platform, TheHive, a Security Incident Response Platform, and Cortex, a powerful observable analysis and automated response engine.

The workshop organisers will briefly walk participants through the guiding principles of DFIR and CTI and describe the software stack that will be used throughout the workshop. Participants will then have to work on an incident and try to investigate and respond to it by analyzing various artifacts and leveraging cyber threat intelligence.

Participants are expected to bring laptops running either VMware Workstration/Fusion or VirtualBox. Laptops must be powerful enough to run two VMs simultaneously. Limited familiarity with Python is a plus to work on advanced case where automation will be used to speed up the investigation.



Teenage Mutant Binja Turtles

by Benedikt Schmotzle (byte_swap)

Binary Ninja is a reverse engineering framework similar to the famous IDA Pro. Almost everything that can be done in the UI of Binary Ninja can also be done by utilizing a clean Python API. Security researchers, pentesters or reversers can greatly benefit from Binary Ninja scripting on tasks like binary simplification, bug finding or binary patching to just name a few. As the official documentation is missing code examples for a lot of the supplied features I will start this workshop by showing small code examples for the most common tasks one would encounter when using the API. After this I will quickly show some example plugins that were written by the Binary Ninja community demonstrating the use of the API. The attendees can then test their new learned knowledge on a series of challenges or start writing plugins for their own ideas.

Bio: Benedikt Schmotzle (byte_swap)

Has fun with memcpy.

Getting Your Hands Dirty: How to Analyze the Behavior of Malware Traffic and Web Connections

by Veronica Valeros, Sebastian Garcia

Being able to analyze and understand the dynamic behavior of malware is becoming more and more important. Network traffic analysis has become a more and more important, as it allow analysts to understand what really happened in the network level, but also to understand the attackers intentions. This workshop is not focused on the tools, but in gaining experience through the analysis of real malware traffic captures.

Bio: Veronica Valeros

Veronica is a researcher and intelligence analyst from Argentina. Her research has a strong focus on helping people and involves different areas from wireless and bluetooth privacy issues to malware, botnets and intrusion analysis. She has presented her research on international conferences such as BlackHat, EkoParty, Botconf and others. She is the co-founder of the MatesLab hackerspace based in Argentina, and co-founder of the Independent Fund for Women in Tech. She is currently the director of the CivilSphere project at the Czech Technical University, dedicated to protect civil organizations and individuals from targeted attacks.

Bio: Sebastian Garcia

Sebastian is a malware researcher and security teacher that has extensive experience in machine learning applied on network traffic. He created the Stratosphere IPS project, a machine learning-based, free software IPS to protect the civil society. He likes to analyze network patterns and attacks with machine learning. As a researcher in the AIC group of Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has been teaching in several countries and Universities and working on penetration testing for both corporations and governments. He was lucky enough to talk in Ekoparty, DeepSec, Hackitivy, Botconf, Hacklu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCor, Free Software Foundation Europe, VirusBulletin, BSides Vienna, HITB Singapore, CACIC, etc. As a co-founder of the MatesLab hackspace he is a free software advocate that worked on honeypots, malware detection, distributed scanning (dnmap) keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra) and biohacking.


Reversing and Vulnerability research of Ethereum Smart Contracts

by Patrick Ventuzelo

This workshop is intended to bring attendees the basic skills (theoretical and practical) to analyze Ethereum smart contracts. After the workshop, they will be able to reverse, debug and find basic vulnerabilities into real-life smart contracts without having the Solidity source code.

Bio: Patrick Ventuzelo

Patrick Ventuzelo is a French security researcher working for Quoscient GmbH. Previously, he worked for P1 Security, the French Department of Defense (DoD) and Airbus Defense & Space Cybersecurity.

He is mainly focused on Reverse Engineering and Vulnerability Research on various platforms with a strong interest on new research areas such as WebAssembly, Smart Contracts and Blockchain.

Patrick has been speaker/trainer multiple time at various international security conferences such as Toorcon, REcon Montreal, SSTIC, REcon ​Brussels. Recently, he presented his research on “Reverse Engineering of Blockchain Smart Contracts (ETH/NEO/EOS)” and release an open-source security analysis tool called Octopus (​​) for this purpose.

Bypassing Windows Driver Signature Enforcement

by Csaba Fitzl

Microsoft does a great effort to harden the Windows kernel and limit attackers to load their custom drivers (kernel rootkits) with the introduction of Driver Signature Enforcement in Win7x64. In this 4 hour workshop we will learn the limitation of this enforcement and practice how we can bypass it. We will explore 4 different methods (from very easy to difficult) on various versions of Windows, including Windows 10. We will see how and why they work, and which malware used them in the past. First we will see how we can use leaked certificates to overcome DSE as well as how we can turn it OFF by design, and what are its limitations. Then we will use WinDBG to look into the kernel and find the various flags used to control DSE and use the HackSysExtremeVulnerableDriver to do kernel exploitation for setting those to the value we require. We will use a simple dummy driver to demonstrate unsigned driver loading.

Bio: Csaba Fitzl

Csaba graduated in 2006 as a computer engineer. He worked for 6 years as a network engineer, troubleshooting and designing big Cisco networks. After that he started to work as a blue teamer, focusing on network forensics, malware analysis and kernel exploitation. Recently he joined a red team, where he spends most of his time simulating adversary techniques. He gave talks / workshops on various international IT security conferences, including Hacktivity,,, SecurityFest and BSidesBUD. He currently holds OSWP / OSCP / OSCE / OSEE certifications. He is the author of the ‘kex’ kernel exploitation Python toolkit.

ARM IoT Firmware Emulation

by Saumil Udayan Shah

Learn how to build your own testing and debugging environment for analysing IoT firmware images. Bug hunting in IoT firmware requires access to debugging, instrumentation and reverse engineering tools.

In this workshop, we shall learn how to extract firmware from a few ARM IoT devices, deploy the extracted filesystems on an ARM QEMU environment, and emulate the firmware as close to the original hardware environment as possible. We shall also learn how to intercept and emulate NVRAM access to faithfully reproduce the exact configuration available on the actual device. Participants are required to bring a laptop capable of running VMware Workstation/Fusion/Player. We shall distribute a virtual machine with ARM QEMU along with firmware images extracted on the spot from a few SoHo routers and IP Cameras.

The methodology discussed in this workshop is put together from the author’s own beats. While we use ARM as the base platform, the same methodology can also work for MIPS or other embedded architectures.

Bio: Saumil Udayan Shah

SAUMIL UDAYAN SHAH CEO, Net-Square. @therealsaumil

Saumil Shah, is the founder and CEO of Net-Square, providing cutting edge information security services to clients worldwide. Saumil is an internationally recognized conference speaker and instructor for over 18 years. He is also the co-developer of the wildly successful “Exploit Laboratory” courses and authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”.

Saumil holds an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time playing Pacman, flying kites, traveling around the world and taking pictures.

Hacking mobile data and phone calls (limited seats ~25)

by Priya Chalakkal

An introductory workshop to get an overview of security in telecommunication. We will be performing man in the middle attacks on mobile data as well as phone calls. We will cover the basics of building a fake base station (in 2G), playing with SIM cards in retrieving/programming session keys. We will also look into VoLTE (4G) security.

Bio: Priya Chalakkal

Priya works at ERNW GmbH as a security researcher focused on telecommunication security. These days, she spends her time playing with telecommunication devices and SIM cards. Priya likes to do security analysis of mobile applications and IoT devices, analyse packet captures and logs. She is inspired by the mission “Making the world a safer place” and loves to work towards fulfilling that goal.

Android RE workshop

by Axelle Apvrille

In this workshop, you learn / improve your reverse engineering skills on Android applications.

This is what you will learn in this workshop:

  • Use Radare2 over LokiBot banking trojan
  • De-obfuscate the sample with a Radare2 script
  • Same but with a Frida hook
  • Hack Dalvik Executables
  • Use Androguard over Clipper, a cryptocurrency malware of August
  • Bonus. Parse new formats of APKs with HiddenMiner cryptocurrency miner


  • The workshop is made of several labs: you need your laptop!!!
  • Please install Docker before and pull the workshop’s image:

docker pull cryptax/android-re:latest

Do this before the lab will greatly help as this can be as big as 5G…

  • Skills: be at easy with Unix, be able to write short programs in Python, Java and Javascript (only basics are required e.g syntax).

Bio: Axelle Apvrille

Axelle Apvrille is a happy Principal Anti-Virus Malware Researcher at Fortinet, where she hunts down any strange virus on so-called ‘smart’ devices.

Log Hunting with Sigma

by Thomas Patzke

How to create Sigma rules and use them to hunt evil in logs.

Bio: Thomas Patzke

Thomas Patzke has more than 10 years of experience in the area of information security and currently works at thyssenkrupp CERT. His main job is the discovery of vulnerabilities in applications and products, but he also enjoys working on defensive topics, especially in the area of threat hunting. Thomas likes to create and contribute to open source security tools like Sigma, EQUEL, an ELK configuration for Linux systems, a POODLE exploit and various plugins for the Burp Suite (

He does not have a single certification and is quite proud of it.

Python Toolsmithing 101

by Didier Stevens

In this 2 hour workshop, the attendees will learn how to create (security) tools in Python. With more than 30 years experience in the development of tools, 12 years of publication, more than 100 tools and at least a couple of tools widely used by the security community, Didier Stevens will share his knowledge in this workshop and teach attendees how to develop their own tools in Python.

Bio: Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Senior Handler, GREM - GIAC Reverse Engineering Malware, GCIH, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP, WCNA) is a Senior Analyst working at NVISO (

Didier is a pioneer in malicious PDF document research and malicious MS Office documents analysis, and has developed several tools to help with the analysis of malicious documents like PDF and MS Office files.

You can find his open source security tools on his IT security related blog

Practical Docker Security Workshop

by Paul Amar

This half-day practical workshop describes the fundamentals of Docker security best practices. Attendees will learn all the concepts through practical examples. While the tutorial focuses on Docker, bear in mind that the patterns/methodology can help secure any production container system.

Major topics covered will include:

  • Process isolation
  • Container policies (CGroups and Namespaces)
  • Storing secrets (Docker secrets vs Hashicorp Vault)
  • Capabilities management
  • Seccomp profiles
  • Container Security Monitoring
  • And moar!

Bio: Paul Amar

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec eu nibh quis tellus iaculis malesuada sit amet eu mi. (…) More seriously, Paul Amar is working as a Security Analyst for Michelin. He likes breaking things as a hobby and developing open-source tools mostly in Python. (Such as DET, a toolkit to exfiltrate data over multiple channels). He also likes IPA beers and cookies.

Deep dive in the analysis of the dark unindexed corners of Internet


Ft. Sami Mokaddem


Introduction to Bro Network Security Monitor

by Eva Szilagyi, David Szili

TL;DR: This two-hour workshop is about Bro’s capabilities and cover topics such as Bro’s architecture, Bro events, Bro logs, Bro signatures, Bro scripting, Bro + ELK.

Bro is an open-source Network Security Monitor (NSM) and analytics platform. Even though it has been around since the mid 90’s, its main user base was primarily universities, research labs and supercomputing centers. In the past few years, however, more and more security professionals in the industry turned their attention to this powerful tool, as it runs on commodity hardware, thus providing a low-cost alternative to commercial solutions.

At its core, Bro inspects traffic and creates an extensive set of well-structured, tab-separated log files that record a network’s activity. Nonetheless, Bro is a lot more than just a traditional signature-based IDS. While it supports such standard functionality as well, Bro’s scripting language allows security analysts to perform arbitrary analysis tasks such as extracting files from sessions, detecting malware by interfacing with an external source, detecting brute-forcing, etc. It comes with a large set of pre-built standard libraries, just like Python.

During this two-hour workshop, we will learn about Bro’s capabilities and cover the following topics:

  • Introduction to Bro
  • Bro architecture
  • Bro events and logs
  • Bro signatures
  • Bro scripting
  • Bro and Elastic Stack

Bio: Eva Szilagyi

Eva Szilagyi is managing partner and CEO of Alzette Information Security, a consulting company based in Luxembourg. She has more than 8 years of professional experience in penetration testing, security source code review, digital forensics, IT auditing, telecommunication networks and security research. Previously, she was working for companies like Vodafone Hungary, Ernst & Young Hungary and Deloitte Luxembourg.

Eva has master’s degrees in electrical engineering and in networks and telecommunication. She holds several IT security certifications such as GSEC, GICSP, GMON, GSSP-JAVA, GWAPT, GMOB, eWPT, and eJPT. Eva speaks on a regular basis at international conferences like BSidesBUD, BSides Munich, Security Session and she is a member of the organizer team of BSides Luxembourg.

Bio: David Szili

David Szili is managing partner and CTO of Alzette Information Security, a consulting company based in Luxembourg. David is also an instructor at SANS Institute, teaching FOR572: Advanced Network Forensics and Analysis. He has more than 8 years of professional experience in penetration testing, red teaming, vulnerability assessment, vulnerability management, security monitoring, security architecture design, incident response, digital forensics and software development. Previously, he was working for companies like POST Telecom PSF Luxembourg, Dimension Data Luxembourg, Deloitte Hungary, and Balabit.

David has master’s degrees in computer engineering and in networks and telecommunication and a bachelor’s degree in electrical engineering. He holds several IT security certifications such as GSEC, GCED, GCIA, GCIH, GMON, GNFA, GMOB, OSCP, OSWP, and CEH. David speaks on a regular basis at international conferences like, BruCON, Hacktivity, Nuit du Hack, x33fcon BSidesBUD, BSidesLjubljana, BSidesMunich, Security Session and he is a member of the organizer team of BSides Luxembourg. He occasionally blogs about information security at

Finding security vulnerabilities with modern fuzzing techniques

by René Freingruber

In this talk the attendees learn how to use feedback-based fuzzers like AFL, LibFuzzer and WinAFL.

Bio: René Freingruber

René Freingruber (@ReneFreingruber) has been working as a professional senior security consultant for SEC Consult for several years. He operates research in the fields of malware analysis, reverse engineering, fuzzing and exploit development. For his bachelor thesis he studied modern mitigation techniques and how they can be bypassed by attackers. In the course of that research he came across Microsofts Enhanced Mitigation Experience Toolkit and gave various talks on bypassing EMET in 2014 at conferences such as RuxCon, ToorCon, ZeroNights, DeepSec, 31C3 and NorthSec. In 2015 he presented talks on bypassing application whitelisting at CanSecWest, DeepSec, IT-SeCX, BSides Vienna, QuBit, NorthSec and Hacktivity. In 2016 he presented the topic of hacking companies via memory corruptions in firewalls at DeepSec, BSides Vienna, DSS ITSEC and IT-SeCX (lightning talks at and Recon Europe). Since 2017 he works full time as researcher in the field of fuzzing and gave talks on that subject at DefCamp, Heise devSec, IT-SeCX, BSides Vienna and RuhrSec.

MONARC hands-on with a case study

by Fabien Mathey

In this workshop, we will take a use case of a more technical nature and show the audience how a risk analysis is done while focusing on the topics of optimisation and sharing.

Bio: Fabien Mathey

Fabien Mathey has been part of the CASES team since early 2012 and has contributed to open source projects. He assisted in the development of tools and risk assessments and gives trainings, workshops and presentations. This gives him the ability to combine the knowledge gained from those activities to bring the projects forward.

Intro to Binary Analysis with Z3 and Angr

by Sam Brown

This workshop aims to provide some basic knowledge and exposure to the Z3 SMT solver and Angr binary analysis platform. By the end of the workshop attendees should have an appreciation for what an SMT solver is, problems it can be applied too and usage of Z3 and Angr to begin automating tasks which they can be applied to.

Bio: Sam Brown

Sam ( is a consultant in the research team at MWR InfoSecurity. He has a keen interest in Reverse Engineering and Vulnerability Research, paticularly in the automation of common tasks within these areas. He has previously spoken at Steelcon and Securi-Tay on Windows kernel security, at BSides London on ARM exploitation and for the past years at MWR’s internal conference on internally developed automated Reverse Engineering and bug hunting tooling. He regularly publishes on software security, tools and exploit developed on both MWR Labs ( and his personal blog (

Malware Triage: Analyzing Malscripts - Return of The Exploits!

by Sergei Frankoff, Sean Wilson

In this workshop you will work through the triage of a live malware delivery chain that includes a malicious document, malicious scripts, and a final malware payload. During this process you will be exposed to different document based exploits, and you will practice the skills required to analyze malscripts. This workshop focuses on the fundamental analysis techniques, however, we will also provide an introduction to some automaton tools that can be used to speed up the analysis process.

Bio: Sergei Frankoff

Sergei Frankoff Twitter: @herrcore YouTube: Sergei is a co-founder of Open Analysis, and volunteers as a malware researcher. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis. Sergei is a strong believer in taking an open, community approach to combating cyber crime. He actively contributes to open source tools and tries to publish as much analysis as possible. With over a decade of experience Sergei has held roles both as the manager of an incident response team, and as a malware researcher.

Bio: Sean Wilson

Sean is a co-founder of Open Analysis, and volunteers as a malware researcher. He splits his time between reverse engineering malware and building automation tools for malware analysis and incident response. He is an active contributor to open source security tools focused on incident response and analysis. Sean brings over a decade of experience working in a number of incident response and application security roles with a focus on security testing and threat modelling. In his free time Sean loves fly fishing.

Unpacking for Dummies

by Paul Jung & Remi Chipaux

Most malwares are packed, that is a sad reality. Packing is a common method the hide a PE payload inside another PE payload in order to slow down reverse analysis and fool antiviruses. Some packing are simple but others, virtual machine based, full of anti-debugger, may be a real nightmare. One may only dump the final running payload, but for dynamic analysis, it is a real advantage to unpack cleanly the final payload. Reverser need to master this skill. We propose a workshop to learn how to unpack.

Bio: Paul Jung & Remi Chipaux

Paul Jung aka Thanat0s – Paul Jung is since a long time a security enthusiast. He works in the security field in Luxembourg since more than a decade. During this time, Paul has covered operations as well as consulting within various industries. He possesses a wide range of skills and experiences that enable him to perform multiple roles from offensive security audit to security incident handling. From 2008 to 2014, prior to join Excellium Services, Paul was Senior Security Architect in the Managed Network Security department of the European Commission. In this previous position, Paul was responsible for leading technical aspects of security projects. He also wrote a few articles in MISC magazine (French) about DDos, Botnets and incident response. Since 2014, Paul works at Excellium Services as senior security consultant. He leads Excellium Services CSIRT (CERT-XLM). Within this position, Paul lead the response team involved in incident handling and intrusion responses. He provides security awareness and recommendations to Excellium Services customers. Paul is often speaker at local event and was multiple times speaker at and Botconf security conferences. His mother tongue is French, and he speaks English.

Rémi Chipaux aka Futex – Working at in Luxembourg as a malware reverser, pentester, forensic, incident handling. Passionate by all hacking stuff and CTF challenge. Member of the HackGyver Hackerspace.