Born in Luxembourg, I have over 25 years of experience working in different types of information security management roles,  Engineering, Governance Risk and Compliance, Management, Leadership, Development, Product Management. 

I have worked for J.P Morgan, HSBC, Amazon, Verizon Enterprise, Proximus and n.runs in a number of Senior Information Security and Privacy related roles and consulted many of the now fortune 100 companies.

I work for J.P. Morgan Payment Solutions S.A. as the Chief Information Security Officer, and my former position include  CISO @ Amazon Payments, and Head of Country Risk for HSBC Luxembourg, EMEA hreat and Vulnerability Management Practice Lead for @ Verizon Enterprise,  Senior Consultant (Offensive) @ n.runs, Security Engineer @ Telindus/Proximus, and CEO of my own Startup (Security Software Development)

I am a proud founding father and distinguished subject matter expert for the ISC2 CSSLP certification, a board member at OWASP Benelux and an Advisory Board Member for C|ASE (Certified Application Security Engineer) at EC-Council. I had the opportunity to publish numerous research results that I presented at various international security conferences.

Published Software and Proof of Concepts

The list is available here

Contact me

In case you want to reach out, I can be found on XLinked-in and can be reached via an online form.


Academic References and Citations


The following is a list of academic papers, that either cite or reference my publications (Whitepapers, Papers, Tools, Articles, Public Speaking) : 



Patents


Subject : Cryptograhy


2021 - Assessing Non-Intrusive Vulnerability Scanning Methodologies for Detecting Web Application Vulnerabilities on Large Scale
2021 International Conference on System, Computation, Automation and Networking (ICSCAN)

2020 - SecWIR: securing smart home IoT communications via wi-fi routers with embedded intelligence
MobiSys '20: Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services
https://doi.org/10.1145/3386901.3388941

2017 - PHD Dissertation - Authentication Techniques for heteroeneous Telephone Networks 
University Of Florida  - Bradley Galloway Reaves
https://ufdcimages.uflib.ufl.edu/UF/E0/05/15/06/00001/REAVES_B.pdf

2017 - “Metodología de Hacking Ético para Instituciones Financieras, aplicación de un caso práctico"
Master Thesis - UNIVERSIDAD DE CUENCA

2016 - A Comprehensive Survey on SSL/ TLS and their Vulnerabilities
International Journal of Computer Applications
https://www.researchgate.net/profile/Ashutosh_Satapathy3/publication/310761924_A_Comprehensive_Survey_on_SSL_TLS_and_their_Vulnerabilities/links/58d1045e92851c1db43dfbfd/A-Comprehensive-Survey-on-SSL-TLS-and-their-Vulnerabilities.pdf

2016 - Securing Medical Devices and Protecting Patient Privacy in the Technological Age of Healthcare
PHD Thesis - Paul D. Martin- The Johns Hopkins University

2016 - Authloop: End-to-end cryptographic authentication for telephony over voice channels
25th {USENIX} Security Symposium - B Reaves, L Blue, P Traynor
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/reaves

2015 - Evaluation of TFTP DDoS amplification attack
The Cyber Academy, Edinburgh Napier University
https://www.sciencedirect.com/science/article/pii/S0167404815001285


2015 - Optimizing TLS for Low Bandwidth Environments
International Symposium on Foundations and Practice of Security
FPS 2014: Foundations and Practice of Security
https://link.springer.com/chapter/10.1007/978-3-319-17040-4_10

2015 - A Segurança das Comunicações dos Sítios Web Disponibilizados pelo Estado Português
http://comum.rcaap.pt/handle/10400.26/10658

2014 - Visualization of SSL Setting Status Such as the FQDN Mismatch
IMIS 14 - Proceedings of the 2014 Eighth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing
Source: 10.1109/IMIS.2014.88  https://ieeexplore.ieee.org/abstract/document/6975532

2014 - PhD Thesis - Modeling and analyzinh Cryptographic real world protocols
Ruhr Uni Bochum - Florian Bergsma
Source: https://d-nb.info/1201554365/34

2013 - Safe Configuration of TLS Connections - Beyond Default Settings
6th Symposium on Security Analytics and Automation 2013
https://ieeexplore.ieee.org/abstract/document/6682755

2013 - Ataques a las comunicaciones sin hilos y sus principales métodos de mitigación
Master Thesis - Laura Rasal Blasco
http://openaccess.uoc.edu/webapps/o2/bitstream/10609/23181/3/lrasalTFC0613memoria.pdf

2013 - Cyber-security Defense in Large-scale M2M System: Actual Issues and Proposed Solutions
Proceedings of the International Conference on Security and Management (SAM)
Technische Universität Berlin
http://worldcomp-proceedings.com/proc/p2013/SAM9763.pdf

2013 - On the security of TLS renegotiation
CCS13 - Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Authors: F Giesen, F Kohlar, D Stebila - Queensland Universtity
Source: https://dl.acm.org/doi/abs/10.1145/2508859.2516694

2012 - SSL/TLS status survey in Japan-transitioning against the renegotiation vulnerability and short RSA key length problem
IEEE - Asia Joint Conference on Information Security (Asia JCIS)
Source: 10.1109/AsiaJCIS.2012.10 - https://ieeexplore.ieee.org/abstract/document/6298128

2012 - Attacks on re-keying and renegotiation in Key Exchange Protocols
Bachelor Thesis - Rati Gelashvili
Eidgenössische Technische Hochschule Zürich

2012 - Analysis of the Functionality, Risks and Counter-Measures of Current Padding Attacks
Bachelor Thesis - Alexander Colin Jüttner
Frankfurt School of Finance and Management
https://www.cryptool.org/assets/img/ctp/documents/BA_Juettner_Padding-Oracle-Attack.pdf

2012 - Countermeasures and Tactics for Transitioning against the SSL/TLS Renegotiation Vulnerability
IEEE - 6th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS)
Source: 10.1109/IMIS.2012.138 - https://ieeexplore.ieee.org/abstract/document/6296932

2011 - Security in Bluetooth, RFID and wireless sensor networks
ICCCS '11: Proceedings of the 2011 International Conference on Communication, Computing & Security
https://dl.acm.org/doi/abs/10.1145/1947940.1948071

2011 - TLS and Energy Consumption On a Mobile Device: A Measurement Study
Publisher: IEEE - https://ieeexplore.ieee.org/abstract/document/5983970/metrics
DOI: 10.1109/ISCC.2011.5983970

2011 - MITM attacks on SSL/TLS related to renegotiation
Thor Siiger Prentow

2010 - Cybersecurity Myths on Power Control Systems: 21 Misconceptions and False Beliefs
Published :IEEE Transactions on Power Delivery ( Volume: 26, Issue: 1, Jan. 2011)
DOI: 10.1109/TPWRD.2010.2061872
https://ieeexplore.ieee.org/abstract/document/5673737/references#references

2010 - Problems on the shifts to a new specification with countermeasures of the SSL / TLS renegotiation vulnerability
Yuji Suga
Source: https://ipsj.ixsq.nii.ac.jp/ej/?action=repository_uri&item_id=69748&file_id=1&file_no=1



Subject : SSLscan Tool


Classifying Network Protocol Implementation Versions: An OpenSSL Case Study
Johns Hopkins University
Martin, Paul D.Rubin - Rushanan, Michael - Aviel D. - Green Matthew; Checkoway Stephen
Source: http://jhir.library.jhu.edu/handle/1774.2/36570



Subject: Bluetooth and Wireless


2024 - Low-power Bluetooth/RFID devices to Track Inventory in the Supply Chain
Asian Journal of Multidisciplinary Research & Review | ISSN 2582 8088
Volume 5 Issue 1 – January February 2
https://ajmrr.thelawbrigade.com/article/low-power-bluetooth-rfid-devices-to-track-inventory-in-the-supply-chain/

2020 - Detecting Bluetooth Attacks Against Smartphones by Device Status Recognition
ICAIS 2020: Artificial Intelligence and Security
https://link.springer.com/chapter/10.1007/978-3-030-57884-8_11

2019 - Bluetooth Intrusion Detection System (BIDS)
IEEE : DOI: 10.1109/AICCSA.2018.8612809
https://ieeexplore.ieee.org/abstract/document/8612809

2019 - Analysis on Bluetooth Security
International Journal of Research in Engineering, Science and Management
https://www.ijresm.com/Vol.2_2019/Vol2_Iss5_May19/IJRESM_V2_I5_249.pdf

2019 - Wi-Fi Channel Saturation as a Mechanism to Improve Passive Capture of Bluetooth Through Channel Usage Restriction
Journal of Network Technology, 2019
https://arxiv.org/abs/2002.05126

2018 - Seguretat en Bluetooth. Anàlisi de vulnerabilitats
Universitat Oberta de Catalunya
http://openaccess.uoc.edu/webapps/o2/handle/10609/72388

2017 - Penetration testing and testing to diagnose and detect vulnerabilities in wireless data networks
Katsadouros, Evangelos - School of Technological Applications Department of Computer Systems Engineering 
http://okeanis.lib.puas.gr/xmlui/handle/123456789/3683

2016 - Data security in telehealth and smart home environment
Master Thesis - UNIVERSITY OF EASTERN FINLAND
https://epublications.uef.fi/pub/urn_nbn_fi_uef-20160946/urn_nbn_fi_uef-20160946.pdf

2015 - Bluetooth security and threats
Norwegian Defence Research Establishment (FFI)
https://ffi-publikasjoner.archive.knowledgearc.net/handle/20.500.12242/1115

2015 - Enhancement of bluetooth security authentication using hash-based message
Master Thesis - Diallo Alhassane Saliou
International Islamic University Malaysia
https://www.researchgate.net/profile/Diallo_Alhassane3/publication/296443620_ENHANCEMENT_OF_BLUETOOTH_SECURITY_AUTHENTICATION_USING_HASH-BASED_MESSAGE_AUTHENTICATION_CODE_HMAC_ALGORITHM/links/56d5694608aefd177b118ceb/ENHANCEMENT-OF-BLUETOOTH-SECURITY-AUTHENTICATION-USING-HASH-BASED-MESSAGE-AUTHENTICATION-CODE-HMAC-ALGORITHM.pdf

2014 - Exploiting Bluetooth 4.0 for Secure, Cloud-Enabled Monitoring of Palliative Care Patients
Master Dissertation - Will Browne - University of Dublin, Trinity College
https://www.scss.tcd.ie/publications/theses/diss/2014/TCD-SCSS-DISSERTATION-2014-073.pdf

2013 - Ubertooth - Bluetooth Monitoring und Injection
Proceedings of the Seminars Future Internet (FI) and Innovative Internet Technologies and Mobile Communications (IITM)
Martin Herrmann - Technische Universität München
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.642.4141&rep=rep1&type=pdf#page=29

2012 - Analysis of Bluetooth threats and v4.0 security features
S. Sandhya, K. S. Devi
Publisher: 2012 International Conference on Computing, Communication and Applications (ICCCA)
https://www.semanticscholar.org/paper/Analysis-of-Bluetooth-threats-and-v4.0-security-Sandhya-Devi/baf77cd278ba0a22c27066f376eb7596cc95424a

2012 - Analysis and mitigation of vulnerabilities in short-range wireless communications for industrial control systems
International Journal of Critical Infrastructure Protection - Volume 5, Issues 3–4, December 2012
Bradley Reaves, Thomas Morris
https://www.sciencedirect.com/science/article/pii/S1874548212000492
https://doi.org/10.1016/j.ijcip.2012.10.001

2012 - Theoretical analysis of security features and weaknesses of telecommunication specifications for Smart Metering
Master thesis - Univeristyo of Catalunya
https://upcommons.upc.edu/handle/2099.1/16014

2012 - Bluetooth security analysis for mobile phones
João Alfaiate
Publisher : 7th Iberian Conference on Information Systems and Technologies (CISTI)
https://ieeexplore.ieee.org/abstract/document/6263117

2011 - A Secured Bluetooth Based Social Network
Nateq Be-Nazir Ibn Minar, M. Tarique
International Journal of Computer Applications
https://doi.org/10.5120/3069-4196?sid=

Bluetooth security threats and solutions: a survey
International Journal of Distributed and Parallel Systems (IJDPS)
University, Bangladesh 
http://www.academia.edu/download/39062477/0112ijdps10.pdf

2011 - BlueSnarf Revisited: OBEX FTP Service Directory Traversal
International Conference on Research in Networking
NETWORKING 2011: NETWORKING 2011 Workshops
Authors: Alberto MorenoEiji Okamoto
https://link.springer.com/chapter/10.1007/978-3-642-23041-7_16

2010 - Battery-Sensing Intrusion Protection System Validation Using Enhanced Wi-Fi and Bluetooth Attack Correlation
2009 IEEE 70th Vehicular Technology Conference Fall
https://ieeexplore.ieee.org/abstract/document/5378889

2010 - Bluetooth Sniffing and the PS3
College of Engineering and Computer Science
Luke Vincent
http://courses.cecs.anu.edu.au/courses/CS_PROJECTS/10S2/Reports/Luke%20Vincent.pdf

2010 - Effects of Wi-Fi and Bluetooth Battery Exhaustion Attacks on Mobile Devices
IEEE - 10.1109/HICSS.2010.170
https://ieeexplore.ieee.org/abstract/document/5428422

2010 - Taming the Blue Beast: A Survey of Bluetooth Based Threats
Published: IEEE Security & Privacy ( Volume: 8, Issue: 2, March-April 2010)
Source: https://ieeexplore.ieee.org/abstract/document/5396321

2009 - Secure Physical Layer using Dynamic Permutations in Cognitive OFDMA Systems
VTC Spring 2009 - IEEE 69th Vehicular Technology Conference
IEEE - 10.1109/VETECS.2009.5073843
https://ieeexplore.ieee.org/abstract/document/5073843

2009 - Security Issues in Pervasive Computing
LA Mohammed, K Munir - Risk Assessment and Management
https://www.igi-global.com/chapter/security-issues-pervasive-computing/28456
DOI: 10.4018/978-1-60566-220-6.ch010

2008 - Towards Pervasive Computing Security
Proceedings of the World Congress on Engineering 2008 Vol I
http://iaeng.org/publication/WCE2008/WCE2008_pp810-815.pdf

2008 - Breaking into Bluetooth
Author links open overlay panelKenMunro
Network Security Volume 2008, Issue 6,
https://www.sciencedirect.com/science/article/abs/pii/S1353485808700746

2007 - Studying Bluetooth Malware Propagation: The BlueBag Project
Authors:  Luca Carettoni; Claudio Merloni; Stefano Zanero
DOI: 10.1109/MSP.2007.43
https://ieeexplore.ieee.org/abstract/document/4140986

2007 - Wireless Ordering with the use of technology Bluetooth
http://83.212.168.57/jspui/bitstream/123456789/2348/1/012007113.pdf

2007 - Bluetooth Security & Hacks
RUB Seminar Arbeit
Andreas Becker
https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.392.8834&rep=rep1&type=pdf



Subject : Risk Management



Perspectives in Cyber Security, the Future of Cyber Malware
Indian Journal of Criminology (ISSN 0974 – 7249), Vol .41 (1) & (2), Jan. & July,2013, p.210-227
Sandeep Mittal
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2975931




Subject - Fuzzing / Vulnerability Discovery


2018 - Study of Security Attacks against IoT Infrastructures
The University of Newcastle - Advanced Cyber Security Engineering Research Centre (ACSRC)
https://www.newcastle.edu.au/__data/assets/pdf_file/0020/552017/TR1-ISIF-ASIA.pdf

2017 - Malware Detection Based on Multiple PE Headers Identification and Optimization for Specific Types of Files
Ton Duc Thang University
http://jaec.vn/index.php/JAEC/article/view/64 - ISSN (Print): 1859-2244

2017 - Automatically Inferring Malware Signatures for Anti-Virus Assisted Attack
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
https://doi.org/10.1145/3052973.3053002

2016 - From Malware Signatures to Anti-Virus Assisted Attacks
Technische Universität Braunschweig
https://arxiv.org/pdf/1610.06022.pdf

2016 - A novel malware for subversion of self‐protection in anti‐virus
Software—Practice & ExperienceMarch 2016
https://dl.acm.org/doi/10.1002/spe.2317

2015 - A security analysis method of antivirus software upgrade process
Journal of Wuhan University (Science Edition) 
http://www.cnki.com.cn/Article/CJFDTotal-WHDY201506002.htm

2015 - Design and Evaluation of Feature Distributed Malware Attacks against the Internet of Things (IoT)
2015 20th International Conference on Engineering of Complex Computer Systems (ICECCS)
https://ieeexplore.ieee.org/abstract/document/7384232

2015 - Design, implementation and evaluation of a novel anti-virus parasitic malware
SAC '15: Proceedings of the 30th Annual ACM Symposium on Applied ComputingApril
https://dl.acm.org/doi/abs/10.1145/2695664.2695683

2015 - Error-Correcting Codes as Source for Decoding Ambiguity
2015 IEEE Security and Privacy Workshops - DOI: 10.1109/SPW.2015.28
https://ieeexplore.ieee.org/abstract/document/7163213

2014 - Feature-Distributed Malware Attack: Risk and Defence
European Symposium on Research in Computer Security - ESORICS 2014: Computer Security - ESORICS 2014 
https://link.springer.com/chapter/10.1007/978-3-319-11212-1_26

2014 - Design and Analysis of a New Feature-Distributed Malware
2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications
https://ieeexplore.ieee.org/abstract/document/7011282

2014 - Fuzzing analysis: Evaluation of properties for developing a feedback driven fuzzer tool
Master Thesis Kris Gundersen
https://www.duo.uio.no/bitstream/handle/10852/42126/Gundersen-Master.pdf

2012 - PE-Header-Based Malware Study and Detection
University of Giorgia
http://cobweb.cs.uga.edu/~liao/PE_Final_Report.pdf

2012 - Abusing file processing in malware detectors for fun and profit
2012 IEEE Symposium on Security and Privacy : DOI 10.1109/SP.2012.15
Section II - Related Work
https://ieeexplore.ieee.org/abstract/document/6234406



Subject : Misc


2009 - Client-side threats and a honeyclient-based defense mechanism, Honeyscout
Master Thesis - Clementson, Christian
Linköping University, Department of Electrical Engineering.
https://www.diva-portal.org/smash/record.jsf?pid=diva2%3A233195&dswid=7007


2011 - Exposing the Lack of Privacy in File Hosting Services
Universiteit Leuven, Belgium
LEET'11: Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
https://limo.libis.be/primo-explore/fulldisplay?docid=LIRIAS1655651&context=L&vid=Lirias&search_scope=Lirias&tab=default_tab&lang=en_US&fromSitemap=1



How I started in the field of Information Security


As a teenager I was captivated by technology. My self-taught journey began with dabbling in BASIC development on the Atari 1024ST— yes, the one with cassette decks! The thrill of watching a machine come alive with my commands and logic was nothing short of magical.

I'm grateful to my parents for nurturing my tech inclinations and later transitioned to the iconic IBM x68 architecture. This shift allowed me to delve into the world of 3D modeling and animations with 3D Studio, which later evolved into 3DS Max. I also happen to explore  the realm of music production using "Fast Tracker II", a music tracker with roots in the Demo Scene (Example).

The advent of the Internet was a game-changer for me. It opened doors to a universe of free knowledge, introducing me to the intricacies of networks, protocols, and the intriguing world of cyberattacks.

My deep dive into the Infosec realm began when I stumbled upon an article about a Remote Access Tool named BO (cDC) in the German magazine "ct". At 15, my curiosity was piqued. I was eager to understand its mechanics and the technology that facilitated remote access. This led me to explore the intricacies of IP, TCP, UDP, and the inner workings of operating systems. I dedicated years to building a solid foundational understanding.

By the late 90s, I had analyzed and reverse-engineered a vast number of malicious codes. Back then, the tools for analysis were rudimentary compared to today's standards. To the best of my recollection, there weren't any publicly accessible ones. I took it upon myself to curate what might have been the world's most extensive repository of malware analysis, possibly pioneering the first centrally maintained list of indicators of compromise.

My work gained recognition, with mentions by the SANS Institute, citations in various books, and integration into both commercial and non-commercial IDS rules, as well as AV vendors. Reflecting on it now, I'm struck by the realization that some IDS systems still carry my original signatures.

Much of my personal time was dedicated to learning, reading, and hands-on practice. As I delved into multiple programming languages, explored both binary and dynamic reverse engineering, and immersed myself in an information security environment, significant breakthroughs began to emerge.

During this period, my passion for Information Security truly crystallized. After parting ways with n.runs in mid-2009, I established G-SEC. My vision was to create a local non-profit organization aimed at fostering interest and awareness, especially for those still contemplating their career paths.

My research led me to uncover hundreds of vulnerabilities, including critical defects in key tech components. I pioneered the first Bluetooth cryptographic attack and made the code open-source. I take particular pride in identifying high-profile vulnerabilities in software from giants like Microsoft, Oracle, Google, and Apple. This body of work culminated in IBM X-Force recognizing me as one of the Global Top Vulnerability Discoverers of 2009.

0 comments

Post a Comment