About me

Born and Living in Luxembourg, I have over 25 years of experience working in various information security roles. Currently CISO at J.P. Morgan Payment Solutions, Former CISO @ Amazon Payments, Former CISO at HSBC Luxembourg, Former  EMEA Practice Lead for Threat and Vulnerability Management @ Verizon,  Penetration Testing and Appsec @ n.runs, Security Engineering at Proximus. 

I have worked for J.P Morgan, HSBC, Amazon, Verizon, Proximus and n.runs in a number of Senior Information Security and Privacy related roles. 

I have published numerous research results and presented at various international security conferences [1]. I am a proud founding father and distinguished subject matter expert for the ISC2 CSSLP certification, a board member at OWASP Benelux and an Advisory Board Member for C|ASE (Certified Application Security Engineer) at EC-Council.


I can be found on TwitterLinked-in and can be reached via E-mail.

Tools and other releases

A summary of my Publications can be found here

Citations / References

The following is a list of academic papers, including PHD and Master Thesis that either cite or reference my work : 


Subject : Cryptograhy

2021 - Assessing Non-Intrusive Vulnerability Scanning Methodologies for Detecting Web Application Vulnerabilities on Large Scale
2021 International Conference on System, Computation, Automation and Networking (ICSCAN)

2020 - SecWIR: securing smart home IoT communications via wi-fi routers with embedded intelligence
MobiSys '20: Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services

2017 - PHD Dissertation - Authentication Techniques for heteroeneous Telephone Networks 
University Of Florida  - Bradley Galloway Reaves

2017 - “Metodología de Hacking Ético para Instituciones Financieras, aplicación de un caso práctico"

2016 - A Comprehensive Survey on SSL/ TLS and their Vulnerabilities
International Journal of Computer Applications

2016 - Securing Medical Devices and Protecting Patient Privacy in the Technological Age of Healthcare
PHD Thesis - Paul D. Martin- The Johns Hopkins University

2016 - Authloop: End-to-end cryptographic authentication for telephony over voice channels
25th {USENIX} Security Symposium - B Reaves, L Blue, P Traynor

2015 - Evaluation of TFTP DDoS amplification attack
The Cyber Academy, Edinburgh Napier University

2015 - Optimizing TLS for Low Bandwidth Environments
International Symposium on Foundations and Practice of Security
FPS 2014: Foundations and Practice of Security

2015 - A Segurança das Comunicações dos Sítios Web Disponibilizados pelo Estado Português

2014 - Visualization of SSL Setting Status Such as the FQDN Mismatch
IMIS 14 - Proceedings of the 2014 Eighth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing
Source: 10.1109/IMIS.2014.88  https://ieeexplore.ieee.org/abstract/document/6975532

2014 - PhD Thesis - Modeling and analyzinh Cryptographic real world protocols
Ruhr Uni Bochum - Florian Bergsma
Source: https://d-nb.info/1201554365/34

2013 - Safe Configuration of TLS Connections - Beyond Default Settings
6th Symposium on Security Analytics and Automation 2013

2013 - Ataques a las comunicaciones sin hilos y sus principales métodos de mitigación
Master Thesis - Laura Rasal Blasco

2013 - Cyber-security Defense in Large-scale M2M System: Actual Issues and Proposed Solutions
Proceedings of the International Conference on Security and Management (SAM)
Technische Universität Berlin

2013 - On the security of TLS renegotiation
CCS13 - Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Authors: F Giesen, F Kohlar, D Stebila - Queensland Universtity
Source: https://dl.acm.org/doi/abs/10.1145/2508859.2516694

2012 - SSL/TLS status survey in Japan-transitioning against the renegotiation vulnerability and short RSA key length problem
IEEE - Asia Joint Conference on Information Security (Asia JCIS)
Source: 10.1109/AsiaJCIS.2012.10 - https://ieeexplore.ieee.org/abstract/document/6298128

2012 - Attacks on re-keying and renegotiation in Key Exchange Protocols
Bachelor Thesis - Rati Gelashvili
Eidgenössische Technische Hochschule Zürich

2012 - Analysis of the Functionality, Risks and Counter-Measures of Current Padding Attacks
Bachelor Thesis - Alexander Colin Jüttner
Frankfurt School of Finance and Management

2012 - Countermeasures and Tactics for Transitioning against the SSL/TLS Renegotiation Vulnerability
IEEE - 6th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS)
Source: 10.1109/IMIS.2012.138 - https://ieeexplore.ieee.org/abstract/document/6296932

2011 - Security in Bluetooth, RFID and wireless sensor networks
ICCCS '11: Proceedings of the 2011 International Conference on Communication, Computing & Security

2011 - TLS and Energy Consumption On a Mobile Device: A Measurement Study
Publisher: IEEE - https://ieeexplore.ieee.org/abstract/document/5983970/metrics
DOI: 10.1109/ISCC.2011.5983970

2011 - MITM attacks on SSL/TLS related to renegotiation
Thor Siiger Prentow

2010 - Cybersecurity Myths on Power Control Systems: 21 Misconceptions and False Beliefs
Published :IEEE Transactions on Power Delivery ( Volume: 26, Issue: 1, Jan. 2011)
DOI: 10.1109/TPWRD.2010.2061872

2010 - Problems on the shifts to a new specification with countermeasures of the SSL / TLS renegotiation vulnerability
Yuji Suga
Source: https://ipsj.ixsq.nii.ac.jp/ej/?action=repository_uri&item_id=69748&file_id=1&file_no=1

Subject : SSLscan Tool

Classifying Network Protocol Implementation Versions: An OpenSSL Case Study
Johns Hopkins University
Martin, Paul D.Rubin - Rushanan, Michael - Aviel D. - Green Matthew; Checkoway Stephen
Source: http://jhir.library.jhu.edu/handle/1774.2/36570

Subject: Bluetooth and Wireless

2020 - Detecting Bluetooth Attacks Against Smartphones by Device Status Recognition
ICAIS 2020: Artificial Intelligence and Security

2019 - Bluetooth Intrusion Detection System (BIDS)
IEEE : DOI: 10.1109/AICCSA.2018.8612809

2019 - Analysis on Bluetooth Security
International Journal of Research in Engineering, Science and Management

2019 - Wi-Fi Channel Saturation as a Mechanism to Improve Passive Capture of Bluetooth Through Channel Usage Restriction
Journal of Network Technology, 2019

2018 - Seguretat en Bluetooth. Anàlisi de vulnerabilitats
Universitat Oberta de Catalunya

2017 - Penetration testing and testing to diagnose and detect vulnerabilities in wireless data networks
Katsadouros, Evangelos - School of Technological Applications Department of Computer Systems Engineering 

2016 - Data security in telehealth and smart home environment

2015 - Bluetooth security and threats
Norwegian Defence Research Establishment (FFI)

2015 - Enhancement of bluetooth security authentication using hash-based message
Master Thesis - Diallo Alhassane Saliou
International Islamic University Malaysia

2014 - Exploiting Bluetooth 4.0 for Secure, Cloud-Enabled Monitoring of Palliative Care Patients
Master Dissertation - Will Browne - University of Dublin, Trinity College

2013 - Ubertooth - Bluetooth Monitoring und Injection
Proceedings of the Seminars Future Internet (FI) and Innovative Internet Technologies and Mobile Communications (IITM)
Martin Herrmann - Technische Universität München

2012 - Analysis of Bluetooth threats and v4.0 security features
S. Sandhya, K. S. Devi
Publisher: 2012 International Conference on Computing, Communication and Applications (ICCCA)

2012 - Analysis and mitigation of vulnerabilities in short-range wireless communications for industrial control systems
International Journal of Critical Infrastructure Protection - Volume 5, Issues 3–4, December 2012
Bradley Reaves, Thomas Morris

2012 - Theoretical analysis of security features and weaknesses of telecommunication specifications for Smart Metering
Master thesis - Univeristyo of Catalunya

2012 - Bluetooth security analysis for mobile phones
João Alfaiate
Publisher : 7th Iberian Conference on Information Systems and Technologies (CISTI)

2011 - A Secured Bluetooth Based Social Network
Nateq Be-Nazir Ibn Minar, M. Tarique
International Journal of Computer Applications

Bluetooth security threats and solutions: a survey
International Journal of Distributed and Parallel Systems (IJDPS)
University, Bangladesh 

2011 - BlueSnarf Revisited: OBEX FTP Service Directory Traversal
International Conference on Research in Networking
NETWORKING 2011: NETWORKING 2011 Workshops
Authors: Alberto MorenoEiji Okamoto

2010 - Battery-Sensing Intrusion Protection System Validation Using Enhanced Wi-Fi and Bluetooth Attack Correlation
2009 IEEE 70th Vehicular Technology Conference Fall

2010 - Bluetooth Sniffing and the PS3
College of Engineering and Computer Science
Luke Vincent

2010 - Effects of Wi-Fi and Bluetooth Battery Exhaustion Attacks on Mobile Devices
IEEE - 10.1109/HICSS.2010.170

2010 - Taming the Blue Beast: A Survey of Bluetooth Based Threats
Published: IEEE Security & Privacy ( Volume: 8, Issue: 2, March-April 2010)
Source: https://ieeexplore.ieee.org/abstract/document/5396321

2009 - Secure Physical Layer using Dynamic Permutations in Cognitive OFDMA Systems
VTC Spring 2009 - IEEE 69th Vehicular Technology Conference
IEEE - 10.1109/VETECS.2009.5073843

2009 - Security Issues in Pervasive Computing
LA Mohammed, K Munir - Risk Assessment and Management
DOI: 10.4018/978-1-60566-220-6.ch010

2008 - Towards Pervasive Computing Security
Proceedings of the World Congress on Engineering 2008 Vol I

2008 - Breaking into Bluetooth
Author links open overlay panelKenMunro
Network Security Volume 2008, Issue 6,

2007 - Studying Bluetooth Malware Propagation: The BlueBag Project
Authors:  Luca Carettoni; Claudio Merloni; Stefano Zanero
DOI: 10.1109/MSP.2007.43

2007 - Wireless Ordering with the use of technology Bluetooth

2007 - Bluetooth Security & Hacks
RUB Seminar Arbeit
Andreas Becker

Subject : Risk Management

Perspectives in Cyber Security, the Future of Cyber Malware
Indian Journal of Criminology (ISSN 0974 – 7249), Vol .41 (1) & (2), Jan. & July,2013, p.210-227
Sandeep Mittal

Subject - Fuzzing / Vulnerability Discovery

2018 - Study of Security Attacks against IoT Infrastructures
The University of Newcastle - Advanced Cyber Security Engineering Research Centre (ACSRC)

2017 - Malware Detection Based on Multiple PE Headers Identification and Optimization for Specific Types of Files
Ton Duc Thang University
http://jaec.vn/index.php/JAEC/article/view/64 - ISSN (Print): 1859-2244

2017 - Automatically Inferring Malware Signatures for Anti-Virus Assisted Attack
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

2016 - From Malware Signatures to Anti-Virus Assisted Attacks
Technische Universität Braunschweig

2016 - A novel malware for subversion of self‐protection in anti‐virus
Software—Practice & ExperienceMarch 2016

2015 - A security analysis method of antivirus software upgrade process
Journal of Wuhan University (Science Edition) 

2015 - Design and Evaluation of Feature Distributed Malware Attacks against the Internet of Things (IoT)
2015 20th International Conference on Engineering of Complex Computer Systems (ICECCS)

2015 - Design, implementation and evaluation of a novel anti-virus parasitic malware
SAC '15: Proceedings of the 30th Annual ACM Symposium on Applied ComputingApril

2015 - Error-Correcting Codes as Source for Decoding Ambiguity
2015 IEEE Security and Privacy Workshops - DOI: 10.1109/SPW.2015.28

2014 - Feature-Distributed Malware Attack: Risk and Defence
European Symposium on Research in Computer Security - ESORICS 2014: Computer Security - ESORICS 2014 

2014 - Design and Analysis of a New Feature-Distributed Malware
2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications

2014 - Fuzzing analysis: Evaluation of properties for developing a feedback driven fuzzer tool
Master Thesis Kris Gundersen

2012 - PE-Header-Based Malware Study and Detection
University of Giorgia

2012 - Abusing file processing in malware detectors for fun and profit
2012 IEEE Symposium on Security and Privacy : DOI 10.1109/SP.2012.15
Section II - Related Work

Subject : Misc

2009 - Client-side threats and a honeyclient-based defense mechanism, Honeyscout
Master Thesis - Clementson, Christian
Linköping University, Department of Electrical Engineering.

2011 - Exposing the Lack of Privacy in File Hosting Services
Universiteit Leuven, Belgium
LEET'11: Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats

How I started in the field of Information Security

My interest in tech started at a young age, self-learning early on I started by teaching myself development (BASIC) on the Atari 1024ST (Casette decks!) and was fascinated that this machine would execute logic that I succeeded in embedding into it, even if it were just basic logic constructs and outputs, my interest was peaked.

I consider myself lucky that my parents supported my interests and as I became older I was able to move to the classical IBM x68 architecture.  Learned how to create 3D models and animations in 3D Studio (Later 3DS Max)  and how to make music tracks (I am still bad at it  to this date) using  "Fast Tracker II" (Sound) a "Music Tracker" originating from the Demo Scene.

As I got access to the Internet, I discovered the world of free knowledge; interconnectivity, networks, protocols and attacks.

I remember started to take a particular interest into this field when I read about a Remote Access Tool called BO (cDC) in a German Paper magazine called "ct". I must have been 15 and wanted to know all about it, how it worked, what enabled Remote Access.  I discovered IP, TCP, UDP, discovered OS internals, spend years to aquire foundational knowledge.

Fast forward, in the late 90s I analysed and reverse engineered an uncountable amount of malicious code, back in the days analysis tools were not as advanced as they were today; in fact, to my knowledge, there weren't any publicly available. I single handily maintained what must have been the world largest repositry of analysis of malware and the first (?) centrally maintained list of indicators of compromise. 

These publications were covered by the the SANS Institute, various books and  found it's way into commercial and non-commercial IDS rules and of course AV vendors. Actually, as I write these lines I came to realise that some IDS have still have my signatures in them.

It was during these years that I solidified my interest in the field of Information Security. After leaving n.runs, in Mid 2009 I founded G-SEC where I build up a local non-profit  Team of Security Specialists and wanted to create an  interest in this profession for those that yet have to make a career choice. My thirst for knowledge let me to discover hundreds of vulnerabilities, developed the first Bluetooth PIN and LinkKey Bruteforcer and found high-profile vulnerabilities within Microsoft, Oracle, Google, Apple software which led to IBM X-Force to mention me of the list of the  Top Vulnerability Discoverers of 2009