Talks and workshops

Opening words

Opening words by Sylvain Pasini, president of the Black Alps association, and general chair of #BlackAlps19.

Sylvain Pasini

Professor
HEIG-VD, president of Black Alps

Keynotes

Google Bug Hunters

Bug Hunting, just as any other type of hunting, requires preparation, skills, practice, and patience. Over the past 10 years, Google has been hunted by thousands of security researchers from around the world. As a result, we have paid millions of dollars for thousands of vulnerabilities in Google products and services.

But when one runs the security response team for a company of this size, you have literally millions of people trying to talk to you, and from those, one has to find a way to, first, get the noise under control, and then, find ways to grow your community to receive even more and better reports. To make this possible, we had to invest in automation, education, appreciation, recognition, entertainment and outreach - but most of all? Trust.

In this talk you'll learn about some of our favorite vulnerabilities from the last decade, and see why we love this program so much. Then you'll see how we fine-tuned it to make it sustainable for 10 years. And finally, how we have used it to grow the rest of Google's product security program. This talk will go through some of our biggest failures as well as some of our most surprising insights - in the hope that you can avoid making our mistakes, and maybe get inspired by how we tackled them.

Spoilers? We support public disclosure of unfixed bugs. We pay bug hunters even when they don't find bugs. We put senior engineers in front triage. We encourage bug hunters to dispute reward decisions.

Eduardo Vela Nava

Security Engineer
Google

To be announced

Track "attacks"

New Tales of Wireless Input Devices

In our talk, we will present new security tales of wireless mice, keyboards, and presenters using 2.4 GHz radio communication that we have collected over the last two years. We want to present answers to unanswered questions of our previous wireless desktop set research and raise the awareness of security issues and practical attacks against vulnerable wireless input devices.

Matthias Deeg

Matthias has been interested in information technology - especially IT security - since his early days and has a great interest in seeing whether security assumptions in soft-, firm- or hardware hold true when taking a closer look. Matthias successfully studied computer science at the University of Ulm and holds the following IT security certifications: CISSP, CISA, OSCP, OSCE.

Since 2007 he has worked as an IT security consultant for the IT security company SySS GmbH, where he is head of R&D.

His research results on different IT security topics have been presented at various international IT security conferences (Chaos Communication Congress, DeepSec, Hacktivity, ZeroNights, PHDays, Ruxcon, Hack.lu, BSidesVienna). He has also published several IT security papers and security advisories.

Gerhard Klostermeier

  • Interested in all things concerning IT security – especially when it comes to hardware or radio protocols.
  • Penetration tester.
  • Speaker at GPN 2013/2018, Ruxcon, DeepSec, IT-Sicherheitskonferenz and more.
  • Author of the Mifare Classic Tool Android app.

OS X RAM forensic analysis - Extracting encryption keys and other secrets

Memory is full of incredible artefacts. Some of them are secrets used for security purposes, such as encryption keys. Acquiring memory and analysing it in order to find such secrets can help you get around some security measures. This talk is about a Bachelor thesis written this summer at HEIG-VD. It will expose the obtained results and the methodologies used to recover treasures from memory. It will then explain how to use the recovered artefacts to gain access to protected data. The research is focused on the Apple disk encryption solution, FileVault 2, and on some common password managers you may be using. The work was performed on an OS X environment, but the same methodologies could be applied on different systems.

Léo Cortès

Léo Cortès is a Swiss MSc student at a Scottish university. He completed his Bachelor's degree, focused on information security, last summer at HEIG-VD.

Swisscom Bug Bounty - A researcher's feedback

Feedback on Swisscom's Bug Bounty from a researcher who found about a hundred vulnerabilities there. The aim is to talk a bit about the particularly large scope, to present some statistics, and also to describe a few of the vulnerabilities that were discovered.

Daniel Le Gall

Daniel Le Gall is a young computer security researcher specialising in web technologies. He started bug bounty hunting 2 years ago and is now hooked. He also plays computer security CTFs with the 0daysober team.

The inner guts of a connected glucose sensor for diabetes

Connected glucose sensors are a very handy way for people with diabetes to get their glucose readings and adjust their insulin treatment. How does the device work? We'll walk you through our investigation, from the PCB to the firmware, to NFC communication.

Axelle Apvrille

Principal security researcher
Fortinet

Axelle Apvrille is principal security researcher at Fortinet. She specifically looks into mobile malware and smart devices (not always that smart...).

She is the lead organizer of Ph0wn CTF, a Capture The Flag dedicated to smart devices. Finally, she enjoys drawing comics and 3D printing.

Travis Goodspeed

Travis Goodspeed is a digital watchmaker and Studebaker enthusiast from East Tennessee. He is fluent in MSP430 assembly language, but writes the same illiterate dialect of Java that he learned as a teenager.

Fuzzing Java Code With the Help of JQF

Fuzzing is the process of automatically feeding potentially corrupt input to a program with the goal of finding undesired behavior. While fuzzing is mostly applied to projects in memory-unsafe languages such as C and C++, it is increasingly being applied to other programming languages such as Java. The goals of the fuzzing process are usually different, though, and range from finding simple errors to finding issues such as Denial of Service (DoS) or Server Side Request Forgery (SSRF). To make the fuzzing process as efficient as possible, modern approaches increasingly instrument the code and try to maximize code coverage. The JQF tool is one of the tools inspired by the well-known American Fuzzy Lop (AFL) fuzzer and aims to bring coverage-guided fuzzing to Java. JQF allows fuzzing to be integrated into a developer's daily process by writing a simple unit test. This talk will give a short introduction and show what kinds of security issues have been found in the past, as well as how you can use the power of fuzzing in your development process.

Tobias Ospelt

IT security analyst
Pentagrid

Tobias ''floyd'' Ospelt started his professional life working for a bank before he studied IT and focused on IT security during his Master's degree. Tobias lectures on information security for Bachelor students at Zurich University of Applied Sciences (ZHAW), is a trainer for Liechtenstein's ECSC team and the founder of Pentagrid AG - a company focused on security analysis of software, hardware and infrastructure. For a decade he has been working as a technical IT security analyst in various customer projects. Tobias's main interests are web application security, mobile app security, mobile device management security and fuzzing. He publishes tools and research in various fields of the IT security world and is the author of several Burp Suite extensions.

Track "lessons learned"

Battle in the Clouds: Attacker vs Defender on AWS

The interaction between attackers and defenders is like a ping pong game, and that is exactly how we did this research. On the offensive side, Mo will share his tools and tactics for attacking AWS infrastructures, from recon to attacks to post-exploitation on different services, with a focus on Elastic Container Service (ECS). After each attack step, Dani will explain the defensive side and the tools and tactics for hardening the AWS infrastructure, from designing a secure cloud architecture to detection to hardening specific services like Docker containers on ECS.

One of the most important lessons from our research is the importance of the interaction between pentesters and developers/DevOps engineers, and how a few days of working side by side can help us secure our current systems and learn to develop future systems with security in mind.

Dani Goland

Chief Technology Officer
Net Alpha Financial Systems

At the age of 20, he founded his own boutique company for innovative software and hardware solutions. He is a certified AWS Cloud Solutions Architect. While gaining experience in business and finance, Dani did not neglect his hands-on capabilities in both making and breaking systems. Dani recently relocated from Israel to the United States to study Data Science at the prestigious UC Berkeley. During his studies, Dani founded VirusBay, a collaborative malware research community which skyrocketed amongst the global security community to over 2500 researchers. Dani has spoken at numerous cybersecurity conferences such as BlackHat USA, CodeBlue Japan, CONfidence, SEC-T, and more. After serving in the Israeli Defense Forces as a commander of a Field Intelligence unit, Dani went on an 8-month journey across South America. He loves snowboarding, music concerts, and having crazy, breathtaking experiences such as spending 5 days in the Bolivian jungle with no food or water.

Mohsan Farid

Mohsan has over 12 years of experience in cyber security. Mohsan has run the gamut in the security space: from penetration testing for Rapid7 as a consultant, penetration testing for numerous federal agencies, pentesting mobile applications for HP, pentesting Fortune 500 companies, and contributing exploits to the Metasploit framework as well as contributing to open source projects. Mohsan has spoken at numerous cybersecurity conferences such as Defcon, SEC-T, QUBIT and more.

Building Your Own WAF as a Service and Forgetting about False Positives

When a Web Application Firewall (WAF) is presented as a defensive solution to web application attacks, there is usually a decision to be made: will it be placed inline (and risk affecting users due to outages or latency) or will it be placed out of band (not affecting users but not protecting them either)? This talk will cover a different approach you can take when deciding how to use any WAF at your disposal, which is to try and get the best of both worlds: making the WAF work in passive mode out of band, detecting attacks, and in active mode by selectively routing traffic through your WAF to decide whether it should block the request or allow it.

To achieve this you will have to abstract the WAF behind a web service, something that developers are used to working with, which can result in delivering security in a targeted and scalable manner. In this network-agnostic setup, the WAF web service functionality can grow horizontally, allowing you to enhance the WAF's decisions with your own business knowledge. This means that the decision to block or to route traffic through the WAF will not only depend on the WAF's verdict but also on data about your application and its context, which can significantly reduce the false positive rate, up to the point of it practically not existing.

This talk will go through how such a service can be built with open source examples, what alternatives there are depending on the flexibility of the WAF used, and how this approach can be used to manually decide on the false positive rate wanted and the desired business risk depending on the attack type and its possible impact.

Juan Berner

Juan Berner is a security researcher with over 9 years of experience in the field, currently working as Security Lead Developer at Booking.com, as SME for Application Security and Architect for security solutions.

He has given talks in the past on how to build an open source SIEM (https://www.ekoparty.org/security-monitoring-like-the-nsa.php) and on exploiting A/B Testing frameworks (Exploiting A/B Testing for Fun and Profit).

Burger Quiz of code security

Who doesn't know the BurgerQuiz game hosted by Alain Chabat and his team of merry companions?

Based on several hundred source code audits in various languages, this talk proposes a humorous look back at the wackiest and riskiest code, the mistakes, and the good security practices encountered.

Sebastien Gioria

Sebastien Gioria (https://www.linkedin.com/in/gioria) has been an application security expert for more than 10 years. He is also OWASP France Leader and a court-appointed expert at the Poitiers Court of Appeal. He has trained around 2000 people in code security over nearly 15 years, performed around 500 source code audits, and has various other achievements to his name.

Computing on Encrypted Data: a Survey

Techniques for computing on encrypted data are increasingly deployed by large companies, notably to build privacy-preserving, GDPR-compliant large-scale systems. We propose to provide a high-level, synthetic and hopefully easy-to-understand overview of the capabilities of cryptographic schemes that allow computing on encrypted data.

Pascal Junod

Cryptographer
Snap Inc.

Pascal has done and taught applied and less applied cryptography for a living since 2000. He knows several things in the domain of software protection, too.

Maintaining a cryptographic library for 11 languages: fun stories and epic bugs

Maintaining a cross-platform cryptographic library is a journey full of unexpected bugs, language-specific hacks, difficult decisions and an endless struggle to make developer-facing APIs easy to use and hard to misuse.

Anastasiia Voitova

Product Engineer in Security & Cryptography
Cossack Labs

Product Engineer in Security and Cryptography at Cossack Labs

A software engineer with a wide background, I started as a mobile developer. Then I focused on cryptography/applied security, and now I'm building security tools for protecting data during the whole app life cycle, independent of the platform. I conduct workshops and training for developers about building apps with data protection, and consult as a software security engineer.

I often speak at international conferences like QCon NY, QCon London, JavaZone, UIKonf, Codemotion, etc.; I co-organize the practical cyber-security conference NoNameCon in Kyiv; and I am a security chapter lead in WomenWhoCode Kyiv.

No More Whack-a-Mole: How to Find and Prevent Entire Classes of Security Vulnerabilities

We frequently see the same types of security vulnerabilities appearing repeatedly over the course of a software project’s lifetime, and often across multiple projects. In this talk I’ll be discussing how security teams at companies such as Google and Microsoft use variant analysis to address this in their own software.

Sam Lanning

Sam started working at Semmle in October 2014, after deciding to drop out of his Masters at Oxford University, having completed his undergraduate Computer Science degree there. Sam was the first full-time developer for Semmle's LGTM platform, and worked on it for over 3 years before becoming a developer advocate. Sam has been an active member of the security and privacy community for a while, with a particular interest in vulnerability research, cryptography and peer-to-peer networks, having previously contributed to Signal's Android and Desktop clients, among other open source projects. Most recently, in his free time he's been working on an open source project that ties together music and lighting.

New jobs and training in cybersecurity

The cybersecurity field has evolved very rapidly over the last 3 years. Most qualifying cybersecurity training programmes are quite recent. Experience in this field comes through a lot of practice. How can this experience be put to use and turned into an asset for moving into new jobs? Which training should one choose, and with what objectives? Which skills are needed to access specific cybersecurity positions? How can one best present one's experience to obtain the desired job and prepare for the future? It is also essential to understand the profiles expected for the new jobs and to assess one's own career path in order to find the dream position.

The benefit of thinking through such an approach is immediate: it provides the right tools to steer and control one's own career. The new jobs in this field are numerous and are sometimes more accessible than they appear. An overview of employment and training in cybersecurity and emerging technologies will highlight the key actions to take in order to obtain the desired position.

Lennig Pedron

President & Co-founder
ICON NGO

Active for some fifteen years in development, business management and talent management, Lennig Pedron has developed a specialty in cybersecurity, the digital trust economy and emerging technologies. Passionate about hacking, Lennig has focused her research on the relationship that people have with technology and on its circumvention. She has notably been HR director and trainer in a cybersecurity R&D laboratory for a Swiss company. She specialises in the "human factor" and works as a consultant and trainer for varied audiences such as the police, prosecutors, industry, banks, the medical sector and also the younger generations.

Lennig Pedron works notably for the EPFL Innovation Park foundation. She is President and co-founder of the NGO ICON (Non-Governmental Organisation), based in Geneva at the heart of the international organisations and at EPFL Innovation Park. The ICON NGO brings together an international community of experts working on trust in cyberspace, with an emphasis on cybersecurity, artificial intelligence and emerging technologies. In 2018 Lennig created a Summer College to reflect on responsible behaviour in cyberspace, which took shape as a meeting of 25 stakeholders including the High-level Panel on Digital Cooperation, UN, ITU, GCSP, DFAE, OFCOM, ISOC, ICANN, UNI, the Conference of INGOs, civil society, Microsoft, Airbus, IS Quantique, Tenable...

She works at the European and international level on the ICT challenges linking the issues of digital trust, cybersecurity, artificial intelligence and emerging technologies. In 2018 and 2019 Lennig represented ICON at the Council of Europe. She has been a speaker on digital trust and artificial intelligence at the World Summit on the Information Society (WSIS) Forum. She was a judge at the 9/12 geopolitics challenge of the GCSP (Geneva Center for Security Policy).

She is a founding member of the Swiss cybersecurity label Cyber-Safe.ch.

In June 2019 she was invited as a speaker to give the opening address at the General Assembly of the European Commission CEN and CENELEC in Bucharest. RTS NOUVO video: https://youtu.be/iuappwoKDvc

On Verifiable Delay Functions - How to Slow Burning the Planet Down (Verifiably)

The year is 2089, Venice is under water and Bitcoin has finally replaced the Dollar as the global reserve currency. Let's try to change the course of events. Verifiable Delay Functions (VDFs) are a fascinating new cryptographic primitive that is revolutionizing the blockchain space. Notably, cryptocurrencies (Bitcoin et al.) that use consensus strategies based on Proof of Work (PoW) burn a considerable amount of electricity. The promise of a tool like VDFs (used in combination with Proof of Stake or other similar techniques) is to eliminate such a plague. Many cryptocurrencies (notably Ethereum 2.0 and Chia) are currently evaluating this approach. On top of that, VDFs can be used to build verifiable lotteries, encrypt into the future and much more. In this talk we are going to present what a VDF is and how, due to its peculiar properties, it is actually a rare object in the mathematical universe. We will also see how to construct a simple VDF and we'll give some hints about more complex ones.

Antonio Sanso

Security Researcher
Adobe

Antonio works as a Security Researcher at Adobe Research Switzerland, where he is part of the Adobe Experience Manager security team. He is co-author of the book "OAuth 2 in Action". Antonio has found vulnerabilities in popular software such as OpenSSL, Google Chrome and Apple Safari, and is included in the Google, Facebook, Microsoft, Paypal and Github security halls of fame. His working interests span from web application security to cryptography. Antonio is also the author of more than a dozen computer security patents and applied cryptography academic papers. He holds an MSc in Computer Science and is currently a PhD candidate at the Ruhr-University.

PatrOwl - Red Flavour of SOC Automation

PatrOwl is an Open Source, adaptive and scalable Security Operations Orchestration Platform. The main objective is to provide a continuous and full-stack risk overview of your assets, using open-source tools, commercial solutions or custom scripts.

Nicolas Mattiocco

An expert with 10 years of experience in information security, I have performed various security consulting engagements, from penetration tests to global risk assessments and implementation of security solutions.

I have been freelance for 4 years and am currently onboarded in the Red Team of a CERT in a large financial institution.

I am also the founder of PatrOwl, a scalable, free and open-source solution for orchestrating Security Operations.

Workshops

Blockchain vulnerabilities and exploitation in practice

Cryptocurrencies and blockchains are still relatively new, and there have been plenty of news stories about people losing money through compromises in various components making up a blockchain ecosystem.

Those components include base blockchain infrastructure, smart contracts, DApps and wallets.

Topics explored during this workshop:

  • What is a blockchain?
  • Components in a blockchain ecosystem
  • Smart contracts and decentralized applications (DApps)
  • Blockchain vulnerabilities and exploitation
  • Hands-on blockchain CTF. Everyone will run their own blockchain on their laptop.
  • Where to go from here? Existing tools

Requirements:

  • Linux laptop with power cable or macOS
  • docker
  • docker-compose
  • git
  • wifi or network cable
  • Familiar with Python

Nils Amiet

Senior Security Engineer
Kudelski Security

Nils is a Senior Security Engineer on Kudelski Security's research team performing research on various topics including blockchain, big data analytics, and internet scanning. He also writes blog posts on various topics for Kudelski's research blog. Nils likes open source software and has presented his research at DEF CON, Black Hat USA Arsenal, Blockchain Village and was part of creating a massively distributed system for breaking RSA public keys.

Modern cryptography for modern applications (IoT, mobile, blockchain)

This is a workshop about cryptography that aims to be as little about cryptography as possible, in order to focus on what matters for engineers and application builders: protecting their data and information—be it in transit, on endpoints, or in databases. We'll first review the general principles (what encryption really means, and why it's harder than it looks), and then provide recommendations of tools, APIs, and software to deploy state-of-the-art yet easy-to-use cryptography in your applications.

JP Aumasson

Anastasiia Voitova

Product Engineer in Security & Cryptography
Cossack Labs

Badge

This year's badge is already packed with lots of features, but what if you want to add your very own feature to it? If that's the case, feel free to hop in this workshop and learn how to program the badge to your liking. Maybe you'll learn something cool in the process?

This workshop is 100% hands-on, with very few slides, lots of programming and (hopefully!) fun. Have a cool idea? Want to work with others on a bigger project? Join in!

Prerequisites:

  • A laptop
  • A micro-USB cable

Nicolas Oberli

Security researcher
Kudelski Security

Nicolas works as a security researcher for Kudelski Security in Switzerland. His research focuses on embedded devices and communication protocols. In his spare time, he now spends more time designing CTF challenges than solving them. He is also one of the main developers of the Hydrabus hardware hacking tool.

Hash collision exploitation

A system indexes files by MD5. How secure is it?

This workshop is an introduction to file manipulations, hash collision attacks and how to combine both to exploit them.
It doesn't require any cryptographic knowledge.
It covers all existing hash collision attacks for MD5 and SHA1:

  • Identical-prefix collisions: FastColl, then UniColl.
    • The PNG format: developing instant MD5 collisions via UniColl.
    • The GIF format: developing instant MD5 collisions via FastColl.
  • Chosen-prefix collisions: HashClash.
  • Chaining and combining collisions.
  • Shattered (SHA1)

Note this is not about password cracking (hash cracking), but hash collision: i.e., making 2 files of arbitrary contents with the same MD5 value.

Ange Albertini

Infosec engineer
Google

File formats enthusiast, author of Corkami.
Currently infosec engineer at Google.

Hands-On Security Lab with Hacking-Lab

This training is based on the new Hacking-Lab 2.0 platform (hacking-lab.com), providing an online lab with several hundred different security challenges. Participants of this training will be granted access to several challenges in Hacking-Lab, where they can exercise their skills or learn with step-by-step instructions on how to exploit vulnerable web applications. After a common introduction, participants can select the desired difficulty level and solve the proposed challenges at their own pace, with the support of the trainers. A LiveCD environment, including all required tools, is provided as the working environment. Participants are required to bring their own laptop with the provided virtual machine image installed (available at media.hacking-lab.com).

This training is open to anyone interested in IT security (e.g. application developers, system administrators, CISOs, etc.). The technical level is pretty much open; the trainers provide individual support to the participants during the training. To work with the lab environment, participants are expected to have basic experience working with the Linux command line and basic knowledge of the HTTP protocol.

Requirements for participants:

  • Laptop
  • VirtualBox or VMware Player
  • Hacking-Lab LiveCD (media.hacking-lab.com)

Nicolas Heiniger

Security Analyst
Compass Security Schweiz AG

Nicolas Heiniger is a happy husband and proud father of 3 children. After some years in public health and at an IT service provider, he's now working at Compass Security where he is most interested in web applications and penetration testing. At night, he hacks for fun and bounty.

Sylvain Heiniger

Security Analyst
Compass Security Schweiz AG

Sylvain Heiniger works as a Security Analyst for Compass Security. He is interested in testing networks, web applications and new technologies. Sylvain Heiniger holds an MSc degree in Computer Science from the Swiss Federal Institute of Technology (ETH/EPF) in Lausanne with a Minor in Information Security.

CFP

Call For Proposals: Talks and Workshops

Proposal submission

The submission process is now closed (it was open until 31 July 2019).

Program committee

The Program committee is composed of internationally renowned experts in the field responsible for building a program of quality. They will collect the proposals and select the most outstanding ones.

  • Julien Bachmann (chair), Hacknowledge
  • Jean-Philippe Aumasson, Teserakt
  • Fred Blaise, Cloudbees
  • Alexandre Herzog
  • Fabien Perigaud, Synacktiv
  • Sylvain Pélissier, Kudelski Security
  • Nicolas Ruff, Google
  • Candid Wueest, Symantec