Talks at Area41 conference 2016

more talks will be announced shortly...


Joshua Corman(@joshcorman)
Joshua Corman is a Founder of I am The Cavalry (dot org) and Director of the Cyber Statecraft Initiative for the Atlantic Council. Corman previously served as CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world’s increasing dependence on digital infrastructure. Josh's unique approach to security in the context of human factors, adversary motivations and social impact has helped position him as one of the most trusted names in security. He also serving as an adjunct faculty for Carnegie Mellon’s Heinz College and on the 2016 US HHS Cybersecurity Task Force.
The availability of modern System on a Chip (SoC) parts, having low power consumption and high integration of most computer components in a single chip, empowers the open source community in creating all kind of embedded systems.
The USB armory from Inverse Path is an open source hardware design, implementing a flash drive sized computer for security applications.
The presentation explores the lessons learned in making a small form factor, high specifications, embedded device with solely open source tools, its architecture and security features such as secure boot and ARM TrustZone implementation.
Leveraging on the current maturity of the project, the defensive and offensive uses of the USB armory are also fully explored, covering topics such as the INTERLOCK application, its Genode OS support and its role and usage in identifying new vulnerabilities affecting widely deployed USB stacks.

Andrea Barisani(@AndreaBarisani)
Andrea Barisani is an internationally recognized security researcher and founder of Inverse Path information security consultancy firm. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break.
His experiences focus on large-scale infrastructure administration and defense, forensic analysis, penetration testing and code auditing with particular focus on safety critical environments, with more than 14 years of professional experience in security consulting.
Being an active member of the international Open Source and security community he contributed to several projects, books and open standards. He is the founder of the oCERT effort, the Open Source Computer Security Incident Response Team.
He is a well known international speaker, having presented at BlackHat, CanSecWest, Chaos Communication Congress, DEFCON, Hack In The Box, among many other conferences, speaking about innovative research on automotive hacking, side-channel attacks, payment systems, embedded systems security and many other topics.
Exploitation of memory corruption vulnerabilities is a prevalent problem – despite the huge amount of effort put into solving it. Nevertheless, exploitation is getting harder as new hardening techniques are being adopted.
Two of the most prominent techniques in the Windows world that were lately adopted are Return Oriented Programming (ROP) mitigations and Control-Flow Guard (CFG). Both techniques aim to obstruct code-reuse attacks.
ROP mitigations are run-time checks that try to detect ongoing ROP attacks by hooking into sensitive code locations to perform various checks. CFG is a compile-time technique that implements static coarse grained control flow integrity checks with minimal memory and CPU overhead. In this talk we have a look at the latest versions of these mitigations, namely the ROP mitigations that come with EMET 5.5 and Visual Studio 2015’s CFG. We present the implementation and discuss the implications for an attacker trying to exploit a hardened application.

Matthias Ganz(@GanzMatthias)
Matthias is a software engineer and security expert with a special interest in hardware and low-level programming.
He graduated from ETH Zurich with a Master of Science in Computer Science. He has worked on many software projects across different industry sectors, with a focus on building failsafe software systems. As a technical supervisor, he has coached his co-workers on software design and implementation.
In 2015, he co-founded xorlab and was appointed CTO where he is responsible for product development and strategy.
Providing a native mobile application in addition to an existing web solution, whether it is for usability/performance/connectivity reasons, has far more security implications than it may seem. Very often the mobile integration moves logic from server to client side, but this code cannot be considered secret anymore. We will see with the exploitation of a real world Android application how it is possible to
- retrieve documents without paying for them
- decrypt and use them on any device despite the DRM in place
The approach will combine some Java reverse engineering and HTTP monitoring, enabling to understand how basic cryptography is used by the server authentication logic. The various vulnerabilities discovered, at design or code level, will be detailed and serve as examples not to follow. Then it will be explained how to use them altogether to collect and decrypt unauthorized resources via a Python script.
To conclude, practical recommendations will be provided to address those common categories of issues.

Biography: Jeremy Matos (@SecuringApps)
Jeremy Matos has been working in building secure software over the last 10 years.
With an initial academic background as a developer, he has a clear insight of what is a software development lifecycle in practice.
Designing and developing for a two-factor authentication product during 6 years made him deal with challenging threat models, particularly when delivering a public mobile application. And also practice extensively secure coding guidelines, as the solution was regularly reviewed and penetration tested by 3rd parties.
Being responsible for the integration and deployment with customers was for him a great opportunity to work with diverse production infrastructures and security providers, in critical sectors such as banking, health or industry. Understanding the various stakeholders constraints was key to reduce operational costs as much as possible.
His experience was used in both internal and external consulting roles. He helped in the security requirements definition and implementation, including cryptographic protocols, for applications where the insider is the enemy. He also led code reviews and security validation activities for companies exposed to reputation damage.
In addition, he participated in research projects to mitigate Man-In-The-Browser and Man-In-The-Mobile attacks.
Running ModSecurity with the OWASP ModSecurity Core Rules is hard. A huge wave of false positives drowns sysadmins and logfile servers alike. The upcoming 3.0.0 release of the Core Rules comes with a new paranoia mode. This feature organises the various rules in different paranoia levels. The higher the paranoia level, the more paranoid the rules and the more false positives you will get. However, the default installation gives you a decent security level without too many false positives. This allows for a straight forward ModSecurity setup which is not threatening an existing productive service. Instead you start with a limited set of rules and then you raise the paranoia level step by step to the number that suits the desired security level of your site. In this talk, we will look at the configuration of the paranoia mode. We will look at rules and we will look at ModSecurity defending against popular attack kits at various paranoia levels.

Christian Folini(@ChrFolini)
Dr. Christian Folini is a partner at netnea AG in Berne. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is no big business anymore and Christian found that defending webservers is equally interesting.
With his background in humanities, Christian is able to bridge the gap between techies and non-techies. He brings more than ten years experience in this role, specialising in Apache / ModSecurity configuration, DDoS defense and threat modeling.
Christian is a frequent committer to the OWASP ModSecurity Core Rules project, vice president of Swiss Cyber Experts, a public private partnership, member of the committee of the Swiss Cyberstorm conference and many other things.
Contact by owners of medieval castles welcome.
Digital Substation is a core of the modern Smart Grid technologies. More that 4000 of IEC 61850 compatible substations operated in Europe, 20 000+ worldwide. During this talk SCADA StrangeLove team will share results of deep technical security analysis of key Digital Substation components, such as network protocols, relay protection terminals and SCADA, network devices. Mission-centric threat modelling approach for Digital Substations will be discussed.
The goal of the talk is to demonstrate how technical vulnerabilities in the IT components can be used to bypass industrial and functional safety features and create cablemelting or blackout conditions. Few (fixed) vulnerabilities in Relay Protection terminals discovered by the SCADA StrangeLove team will be discussed.

Biography: Sergey Gordeychik
Sergey Gordeychik was appointed Deputy CTO and Head of Security Services at Kaspersky Lab in 2015. His responsibilities include establishing the vision for Kaspersky Lab’s R&D services and leading the technological development for threat intelligence, security assessment, incident response and vulnerability research for enterprise, banks, telecom and ICS/SCADA niches.
Before moving to Kaspersky Lab, Sergey gained a wealth of practical experience in the cybersecurity industry. In particular, he led the development of enterprise security products at Positive Technologies and was a director of Positive Hack Days Forum. From 2012 he is leading SCADA StrangeLove industrial cybersecurity research team. Sergey graduated from the Far Eastern State Transport University in 1999. He is a popular speaker on internationals security conferences such as CCC, CodeBlue, POC, Zeroniighs, member of the ENISA TRANSSEC expert group and CIGRE problem group D2/B5.

Biography: Alexander Timorin
Alexander leads the ICS security group. He has deep knowledge and experience in penetration testing, ICS security assessment and research. Alexander contribute SCADA StrangeLove team, gave talks at different international security conferences, such as Confidence,, CodeBlue, CCC, Power of Community etc. He has found dozens of zero day vulnerabilities in ICS hardware and software of popular vendors, maintains ICS/SCADA network security toolkits.
Unlike in the past, social engineering has become an engineering discipline with precise tools, selected dynamic approaches and execution plans. This makes it also so damn hard to define counter-measures against SE attacks on the receiving end. You really never know where you could get hit next.
The social engineering framework I am going to present is comprised of well-defined methods, instructions, skills and definitions. SEEF offers the most comprehensive view on social engineering today and will boost you to the front of social engineering tomorrow.
Come to this session:
- If you are a social engineering nerd and want to get insights on some of the latest concepts and developments in social engineering.
- If have to integrate SE into your risk framework.
- If you want to complement your technical hacking skills with some soft skills.
- If you are curious about social engineering.
- If you want to become a professional social engineer.

Biography: Dominique-Cédric Brack
Dominique C. Brack is a recognized expert in information security, including identity theft, social media exposure, data breach, cyber security, human manipulation and online reputation management. He is a highly qualified, top-performing professional with outstanding experience and achievements within key IT security, risk and project management roles confirming expertise in delivering innovative, customer-responsive projects and services in highly sensitive environments on an international scale. His passion and personality will energize and inspire you and his ability to formulate complicated information clear and understandable will help you to apply what you have learned. Besides his work as a management consultant, advisor to the government and CEO of Reputelligence™, he has lectured at trade shows and conferences and is the author of various articles and white papers. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations. Mr. Brack is accessible, real, professional, and provides topical, timely and cutting edge information on breaking news. Whether he is speaking on camera, to a single group of executives, or sharing his personal stories and tips as a speaker or workshop leader, Dominique’s direct and to-the-point tone of voice can be counted on to capture attention, and – most importantly – inspire and empower action.
The Security Assertion Markup Language (SAML) provides a framework for cross-domain single sign-on in the enterprise field ... with a single point of failure; what if you could break it? In this talk we will first discuss the benefits of SAML by presenting two showcases of Swiss institutions that heavily rely on it. Then, we’ll turn to the risks by reviewing previous attacks on SAML and a new one we call X509 certificate tampering.

Antoine Neuenschwander(@ant0inet)
Antoine Neuenschwander worked as a software engineer in the development of security products for several years before joining Compass Security in 2014 as a penetration tester and security analyst. His fields of expertise include web application security in general and authentication protocols in particular. Antoine Neuenschwander holds a MSc degree in Computer Science from the Swiss Federal Institute of Technology (ETH/EPFZ) in Zurich.
Last summer Roland Bischofberger finished his BSc studies with a bachelor thesis, which discusses some SAML vulnerabilities and the creation of a SAML penetration testing tool named SAMLRaider. As a term paper he researched vulnerabilities in XSLT implementations and gave a presentation at OWASP Switzerland about the results. He has been working as a security analyst at Compass Security since autumn 2015.
Even in europe a couple of mobile operators already provide voice services over LTE to their customers. To provide this service they have to use the so called IP Multimedia Subsystem (short: IMS), a new element standardized by the 3GPP. But the IMS is not only providing VoLTE services, there are also a lot of other interesting features like messaging and VoWifi (LTE voice calls over WiFi).
In our talk we will introduce the audience to the IMS architecture, its provided features and how to attack these. Surely, with new methods come new challenges, even if the technology is well standardized, they will always differ in their implementation. As a case study we have analyzed some of the implementations in the european area and will demonstrate some of the vulnerabilities identified in major operator networks.

Hendrik Schmidt & Brian Butterly
Hendrik Schmidt is a seasoned security researcher with vast experiences in large and complex enterprise networks. He is a pentester at the german based ERNW GmbH with focus on telecommunication networks. Over the years he evaluated and reviewed all kinds of network protocols and applications. He loves to play with complex technologies and networks and demonstrated several implementation and design flaws. In this context he learned how to play around with core and backhaul networks, wrote protocol fuzzers and spoofers for testing implementations and security architecture. As his profession of pentester, security researcher and consultant he will happily share his knowledge with the audience.
Brian Butterly is a security researcher, analyst and simply a hacker at Heidelberg (Germany) based ERNW GmbH. Coming from the field of electronic engineering he tends to choose alternate approaches when hitting new projects. He currently works on the intersection of embedded-, mobile and telco-security, with tasks and research ranging from evaluating apps and devices through to analyzing their transport networks and backend infrastructures. Resulting from the broad range of practical experience and natural curiosity he has developed a very diverse set of skills and knowledge. He enjoys cracking open black boxes and learning about their details down to the electronic circuits. He is always happy to share his knowledge and findings.
This presentation explores how your shiny new Cyber Threat Intelligence program can also be used to understand your internal environment – the targets of the attacker. You can use CTI tools and processes to improve your understanding of internal context such as system characteristics, network architectures, system business alignment and purpose to directly support cyber security incident detection and response. Most security incident response centers are too small to be familiar with all aspects of their internal network – which means that time-consuming analysis is often required to understand what is potentially affected by a security incident. Intelligence techniques and tools can be used to address this. This talk will explore common incident handling and threat intelligence models and tools, and demonstrate how they can be turned on their head to solve an often-ignored problem in incident detection and response.

Mark Baenziger
Mark Baenziger has 20 years of commercial and government security engineering, incident handling, and threat intelligence experience. Other interests include pentesting, agile development, using systems engineering techniques to solve security and process problems, and strategic planning. He currently works for FIreEye in their managed defense organization (FireEye as a Service) helping customers overcome their incident response and threat intelligence challenges.
Two key components account for finding vulnerabilities of a certain class: awareness of the vulnerability and ease of finding the vulnerability. Cross-Site Script Inclusion (XSSI) vulnerabilities are not mentioned in the de facto standard for public attention - the OWASP Top 10. Additionally there is no public tool available to facilitate finding XSSI. The impact reaches from leaking personal information stored, circumvention of token-based protection to complete compromise of accounts. XSSI vulnerabilities are fairly wide spread and the lack of detection increases the risk of each XSSI. In this talk we are going to demonstrate how to find XSSI, exploit XSSI and also how to protect against XSSI.

Biography: Veit Hailperin (@fenceposterror)
Veit Hailperin is a security researcher and consultant at scip AG. They are based in Zürich, Switzerland with clients covering a wide range, from non-profit organizations and governmental agencies to banks and insurance companies. His research interests are focused on network and application layer security.
When securing a software application, implementing cryptographic protections is often an unavoidable step. Many software libraries, being open-source or not, provide cryptographic functionalities. This talk will demonstrate that most cryptographic APIs are badly designed and how they tend to increase the likelihood for the developer to use them in a wrong way. A sketch of an ideal crypto API will also be discussed.

Pascal Junod(@cryptopathe)
Pascal Junod is a cryptographer, a professor of information security at HEIG-VD in Yverdon-les-Bains and a co-founder of the startup SA, active in the domain of software protection. When not playing with obfuscated cryptographic implementations or teaching reverse engineering, he is probably paddling on white-water in a location where no network is available.
This talk introduces a new type of attack in web browsers that can be used to extract secret and sensitive information from trusted websites. These timing attacks obtain side-channel information by performing various operations on remote resources. The speaker will demonstrate the harmful consequences by the means of several real-world scenarios against widely popular web services.

Tom Van Goethem(@tomvangoethem)
As a PhD researcher at the University of Leuven, Tom Van Goethem engaged in a (not so secret) love affair with security and privacy on the web. In his work, Tom explores the malpractises of various web-based ecosystems, and tries to demystify security claims, such as those made by security seal providers and cloud-based DDoS protection services. By the means of large-scale evaluations, Tom aims to analyse the current security practises, and estimate how worried we should be about our online security. More recently, his focus has shifted towards exposing side-channel attacks that allow adversaries to circumvent the Same-Origin principles which form the foundations of browser security.
While Developers and Operators have learned to collaborate in DevOps both application and infrastructure security have had it hard to be kept in the loop. In this talk I’ll shed some light on keeping the DevOps infrastructure (Continuous Integration/Delivery, Configuration Managment, Containers/Docker) safe, integrating security-relevant automated tests in both CI/CD and production-monitoring and security best practices in automating infrastructure. I will show examples from customer projects at and use mostly open-source tools. After the talk you will be able to argue why you need automated tools and know what to look out for when deploying them.

Aarno Aukia (@aarnoaukia)
Aarno Aukia is Co-Founder and CTO at VSHN AG, the leading Swiss DevOps company. VSHN does software reliability engineering for operating (web-) applications on different public and private clouds and is involved on the defensive side of web application security. Before VSHN he was engaged with a managed security company and Google after his masters degree at ETH Zurich.
Risk metric frameworks cover most of the elements that organizations deal with from an operational perspective. We have identified a gap in those, in which social media activities are not represented well (albeit being the highest growing attack vector). In this talk we’ll present a social media risk metric framework that allows organizations to measure and track both individuals as well as 3rd party entities risk to the organization.

Biography: Ian Amit (@iiamit)
Iftach (Ian) Amit, has over a decade of experience in hands-on and strategic roles, working across a diversity of security fields: business, industry, marketing, technical and research. His career spans innovative and disruptive startups, high-end consulting firms, information security vendors. He is also a sought after keynote speaker, with frequent appearances at conferences such as BlackHat, DEFCON, RSA, and others. A skilled researcher, Ian has deep technical knowledge of programming, operating systems, applications (including most network server applications), penetration testing, databases and infrastructures. He founded the Tel-Aviv DefCon chapter (DC9723) and also was a founding member of the Penetration Testing Execution Standard (PTES). Ian studied Computer Science and Business Administration at the Herzliya Interdisciplinary Center and lives in Manhattan.
Internet of Things (IoT) are not a hype: they are already here and growing, Despite concerns on their security and privacy - IDC predicted that in two years 90% of IT networks s will have an IoT-based security breach - not so many security researchers are investigating the field yet. The (likely) reason for this status is that the reverse engineering of IoT is difficult. Indeed, nearly each product has its own custom hardware, firmware, operating system, protocols etc. Consequently, the first few steps are painful: gather the equipment, start research with close to no help from the community (no tools, documentation...).
However, there is an easier way in: IoT often come with a mobile companion application. That’s where to focus your initial efforts, because the app contains lots of valuable information. That’s what I did with several devices (Recon Jet smart glasses, a house safety alarm of Meian etc). Very fruitful! The reverse engineering of the mobile apps was fruitful beyond expectations! Hardware details,interactions with the devices, where to place protection against viruses, and discovery of vulnerabilities ;)

Biography: Axelle Apvrille (@cryptax)
Axelle Apvrille is a happy senior researcher at Fortinet, where she hunts down any strange virus on so-called "smart" devices.
Known in the community by her more or less mysterious handle "Crypto Girl", she turns red each time someone mentions using MD5 (or CRC...) for hashing.
Creditcards using EMV chips are known to be way safer than the alternative with magnetic stripes. With encryption and signing in place abuse seems to be impossible, but in the end of 2014 first rumors about a EMV chip cloning case were reported after some banks in brazil and the US became victims of a creditcard fraud. Carders succeeded to clone track2 information of valid creditcards to white plastics with EMV chips. This talk gives insights about that case and how it works in depth.

Biography: Frank Boldewin
Frank Boldewin is a reverse engineer and has long experience in security & malware research. By day he works as a security-architect for a large german datacenter in the finance sector. He is well known for his researches on the Stuxnet case and his forensics tool Officemalscanner.
Would you want to let your kids discover the darker corners of the internet without protection? Wouldn’t it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games? Worry no longer, the South Korean government got you covered. Simply install the "Smart Sheriff" app on your and your kids’ phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring! Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn’t solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved into the first and, who would have guessed, second penetration test against the "Smart Sheriff" app, will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then? We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder, always delivers the best results. Right? Going over the first and second pentest results we will share our impressions about the "security" of this ecosystem and show examples about the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all - or show, how a simple pentest together with excellent activist work can maybe spark a political discussion and more.

Biography: Abraham Aranguren (@7a_)
Abraham was an honors student in Information Security at university. His work experience from 2000 until 2007 was mostly defensive: Fixing vulnerabilities, source code reviews and later on trying to prevent vulnerabilities at the design level as an application and framework architect. From 2007 forward Abraham focused more on the offensive side of security with special focus on web app security.
He is a senior member of the Cure53 team, and a senior consultant for Version 1 - the top IT consultancy in Ireland. Abraham is also the creator of Practical Web Defense - a hands-on eLearnSecurity attack and defense course, as well as an OWASP OWTF project leader, and sometimes writes on or twitter as @7a_ and @owtfp.
Abraham holds a Major degree and a Diploma in Computer Science apart from a number of information security certifications: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+.
As a shell scripting fan trained by unix dinosaurs Abraham wears a proud manly beard.

Biography: Fabian Faessler (@samuirai)
Fabian did his bachelors degree in collaboration with IBM and is now doing his masters degree at the technical university in Berlin. He was always interested in IT security, but started to seriously get into it, after he discovered CTF competitions in 2011, and has since won the the German Cyber Security Challenge twice.
Fabian is a senior penetration tester for Cure53 and holds an Offensive Security Certified Professional (OSCP) certification.
Fabian is interested in all computer topics from low level hardware up to high level web applications and writes about it on his blog at and twitters with @samuirai
Contrary to Abraham, Fabian cannot grow a full beard.
Technology invades our modern homes. The rapid growth of the Internet of Things is influencing our living concepts. Modern homes are full of smart devices and a new generation of smart appliances promises to make life easier and more comfortable, but what about the risk of cyber attacks.These smart devices in many cases are poorly configured and lack security by design, opening the domestic network to cyber intruders. People buy IoT devices to make their home more comfortable and secure, but instead they are opening the door of their home to crooks and hackers.

Biography: Daniel Marner
Daniel Marner, educated software developer, was already focused on security engineering, before joining NTT Com Security in 2015 as an IT security consultant and analyst. His core competencies lie in the fields of audits and penetration testing especially for automotive, finance, insurance and utility industries. He is an expert in detecting and exploiting security vulnerabilities and has got long experiences with complex security compliance related projects like penetration tests according to PCI/PA DSS, web audits In compliance with OWASP/OSTMM and security evaluations following the German Federal Armed Forces Standard ZDV 54/100. Daniel Marner also worked as security consultant in the Cyber Defense Department of the Fraunhofer FKIE and holds security certificates like OSCP, CEH, LPI 1+2.
The term "trust" has been misused and abused by pretty much everyone in computer security, probably including this speaker before he knew better. Trust, however, is what every human on the plant knows how to operate, much to the contrast of cryptography, accounts, roles, or permissions. This talk will try to explain the differences, before it will use the result of over a decade of research to show why nobody will ever again need to make, distribute, or operate devices in the field with static passwords, or with constant fear of certificate expiration dates. This talk will showcase among other things a simple business case of customized device production without shelve life, shipped directly to where it is needed, and a legally transparent transition of ownership on-site with full flexibility for sub-contractors or transparent divestment.

Biography: Gregor Jehle
Nobody wants to find their sensitive information exposed in the latest breach, making Data Loss Prevention systems an attractive solution. However, the silver lining of every security product has the grey could of increased attack surface surrounding it. I’ve spent a good number of years working with DLP products both in defense and attack scenarios. Here I will discuss the trends in DLP security/insecurity, use/misuse, and how to best slay the data vampire menace.

Biography: Kelly Lum(@aloria)
I’ve been working in infosec for over 12 years, working in everything from .gov/mil, finance, and start ups. I teach Application Security at NYU Tandon School of Engineering and am presently a Security Engineer at Tumblr.
With Android 5.0, Google announced to enable full-disk encryption with every device out-of-the-box. Along with other smartphone manufacturers announcing similar efforts, this lead to criticism by law enforcement officials. Interested in how "dark" we are actually going, we have analysed the security of Android's full-disk encryption. The assessment revealed that the previously known Offline Attack indeed was resolved by Google. However, by changing a small aspect in the attack prerequisites, we have discovered that a similar attack is still possible. We named this attack the Semi-Offline Attack, pinpointing that the device is required during the attack. Though, the computationally intensive calculations of key derivation functions is still leveraged to a different and more powerful host. While increasing the attack time and complexity, the difference between the Offline and Semi-Offline Attack are not huge.

Biography: Oliver Kunz
Oliver Kunz is an information security consultant. Working in the field of information security since 2010, he has assisted his clients to resolve incidents, perform risk assessments, and analyse the security of applications. His current main field of research is mobile related security, in particular of Android systems and applications.
Content Security Policy (CSP) is a defense-in-depth mechanism to whitelist content sources in a web application, significantly reducing the risk and impact of injections in a web application. It is supported by most modern browsers, and it already is at its third version - yet, meaningful adoption in the web is struggling. In this presentation I'll highlight the major roadblocks that make CSP deployment difficult, common mistakes, talk about what works and what doesn't in different browsers, show how easy it is to defeat most whitelist based CSPs. I'll also discuss prototyping of an effective strict policy based on nonces only, new features we contributed to CSP3 that will make CSP easier to maintain and much more usable for big web applications and some success stories of CSP at Google. Finally, we will show some juicy bypasses, for example thanks to JSONP endpoints, by abusing a CDN and loading outdated versions of AngularJS, or loading different frameworks in a particular sequence. We hope that after attending this talk you will understand how tricky it can be to deploy an effective CSP policy and what are the common mistakes to avoid, and as an attacker you will get resources and pointers on how well is CSP keeping up with modern web technologies, and how to break it. Fun is guaranteed!

Biography: Lukas Wecichselbaum(@we1x)
Information Security Engineer at Google. He’s currently working, among other stuff, on researching security enhancements and mitigations for web applications. Lukas graduated from Vienna University of Technology in Austria where he worked on dynamic analysis of Android malware. He also founded Andrubis – one of the very first large scale malware analysis platforms for Android applications.

Biography: Michele Spagnuolo(@mikispag )
Information Security Engineer at Google Switzerland, Michele is a security researcher focused on web application security, and the Rosetta Flash guy. He is also author of BitIodine, a tool for extracting intelligence from the Bitcoin network.