About me

Living in Luxembourg, married I have over 20 years of professional information security background - In Risk Management, Engineering, Leadership, and in both operational and non-operational capacity. I have been employed by Verizon, Amazon, HSBC, Proximus, n.runs in a number of Senior Information Security and Privacy related roles.

I have published numerous research results and presented at various international security conferences [1]. I am a proud founding father and distinguished subject matter expert for the ISC2 CSSLP certification, a board member at OWASP BeNeLux and an Advisory Board Member for C|ASE (Certified Application Security Engineer) at EC-Council.

Contact

I can be found on TwitterLinked-in and can be reached via E-mail.

Tools and Releases

A list of Talks, Tools, Papers, and reported Vulnerabilities can be found here

Citations / References

My research results and publications are referenced throughout numerous Academic Papers (Including PHD and Master Thesis) as well as Books.

2020 - SecWIR: securing smart home IoT communications via wi-fi routers with embedded intelligence
MobiSys '20: Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services
https://doi.org/10.1145/3386901.3388941

2017 - PHD Dissertation - Authentication Techniques for heteroeneous Telephone Networks 
University Of Florida  - Bradley Galloway Reaves
https://ufdcimages.uflib.ufl.edu/UF/E0/05/15/06/00001/REAVES_B.pdf

2017 - “Metodología de Hacking Ético para Instituciones Financieras, aplicación de un caso práctico"
Master Thesis - UNIVERSIDAD DE CUENCA
http://dspace.ucuenca.edu.ec/bitstream/123456789/28552/1/Trabajo%20de%20titulaci%C3%B3n.pdf

2016 - A Comprehensive Survey on SSL/ TLS and their Vulnerabilities
International Journal of Computer Applications
https://www.researchgate.net/profile/Ashutosh_Satapathy3/publication/310761924_A_Comprehensive_Survey_on_SSL_TLS_and_their_Vulnerabilities/links/58d1045e92851c1db43dfbfd/A-Comprehensive-Survey-on-SSL-TLS-and-their-Vulnerabilities.pdf

2016 - Securing Medical Devices and Protecting Patient Privacy in the Technological Age of Healthcare
PHD Thesis - Paul D. Martin- The Johns Hopkins University
https://jscholarship.library.jhu.edu/bitstream/handle/1774.2/39692/MARTIN-DISSERTATION-2016.pdf?sequence=1&isAllowed=y

2016 - Authloop: End-to-end cryptographic authentication for telephony over voice channels
25th {USENIX} Security Symposium - B Reaves, L Blue, P Traynor
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/reaves

2015 - Evaluation of TFTP DDoS amplification attack
The Cyber Academy, Edinburgh Napier University
https://www.sciencedirect.com/science/article/pii/S0167404815001285

2014 - Visualization of SSL Setting Status Such as the FQDN Mismatch
IMIS 14 - Proceedings of the 2014 Eighth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing
Source: 10.1109/IMIS.2014.88  https://ieeexplore.ieee.org/abstract/document/6975532

2014 - PhD Thesis - Modeling and analyzinh Cryptographic real world protocols
Ruhr Uni Bochum - Florian Bergsma
Source: https://d-nb.info/1201554365/34

2013 - Safe Configuration of TLS Connections - Beyond Default Settings
6th Symposium on Security Analytics and Automation 2013
https://ieeexplore.ieee.org/abstract/document/6682755

2013 - Ataques a las comunicaciones sin hilos y sus principales métodos de mitigación
Master Thesis - Laura Rasal Blasco
http://openaccess.uoc.edu/webapps/o2/bitstream/10609/23181/3/lrasalTFC0613memoria.pdf

2013 - Cyber-security Defense in Large-scale M2M System: Actual Issues and Proposed Solutions
Proceedings of the International Conference on Security and Management (SAM)
Technische Universität Berlin
http://worldcomp-proceedings.com/proc/p2013/SAM9763.pdf

2013 - On the security of TLS renegotiation
CCS13 - Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Authors: F Giesen, F Kohlar, D Stebila - Queensland Universtity
Source: https://dl.acm.org/doi/abs/10.1145/2508859.2516694

2012 - SSL/TLS status survey in Japan-transitioning against the renegotiation vulnerability and short RSA key length problem
IEEE - Asia Joint Conference on Information Security (Asia JCIS)
Source: 10.1109/AsiaJCIS.2012.10 - https://ieeexplore.ieee.org/abstract/document/6298128

2012 - Attacks on re-keying and renegotiation in Key Exchange Protocols
Bachelor Thesis - Rati Gelashvili
Eidgenössische Technische Hochschule Zürich

2012 - Countermeasures and Tactics for Transitioning against the SSL/TLS Renegotiation Vulnerability
IEEE - 6th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS)
Source: 10.1109/IMIS.2012.138 - https://ieeexplore.ieee.org/abstract/document/6296932

2011 - Security in Bluetooth, RFID and wireless sensor networks
ICCCS '11: Proceedings of the 2011 International Conference on Communication, Computing & Security
https://dl.acm.org/doi/abs/10.1145/1947940.1948071

2011 - TLS and Energy Consumption On a Mobile Device: A Measurement Study
Publisher: IEEE - https://ieeexplore.ieee.org/abstract/document/5983970/metrics
DOI: 10.1109/ISCC.2011.5983970

2011 - MITM attacks on SSL/TLS related to renegotiation
Thor Siiger Prentow

2010 - Cybersecurity Myths on Power Control Systems: 21 Misconceptions and False Beliefs
Published :IEEE Transactions on Power Delivery ( Volume: 26, Issue: 1, Jan. 2011)
DOI: 10.1109/TPWRD.2010.2061872
https://ieeexplore.ieee.org/abstract/document/5673737/references#references

2010 - Problems on the shifts to a new specification with countermeasures of the SSL / TLS renegotiation vulnerability
Yuji Suga
Source: https://ipsj.ixsq.nii.ac.jp/ej/?action=repository_uri&item_id=69748&file_id=1&file_no=1

Subject : SSLscan Tool

Classifying Network Protocol Implementation Versions: An OpenSSL Case Study
Johns Hopkins University
Martin, Paul D.Rubin - Rushanan, Michael - Aviel D. - Green Matthew; Checkoway Stephen
Source: http://jhir.library.jhu.edu/handle/1774.2/36570

Subject: Bluetooth and Wireless

2020 - Detecting Bluetooth Attacks Against Smartphones by Device Status Recognition
ICAIS 2020: Artificial Intelligence and Security
https://link.springer.com/chapter/10.1007/978-3-030-57884-8_11

2019 - Bluetooth Intrusion Detection System (BIDS)
IEEE : DOI: 10.1109/AICCSA.2018.8612809
https://ieeexplore.ieee.org/abstract/document/8612809

2019 - Analysis on Bluetooth Security
International Journal of Research in Engineering, Science and Management
https://www.ijresm.com/Vol.2_2019/Vol2_Iss5_May19/IJRESM_V2_I5_249.pdf

2019 - Wi-Fi Channel Saturation as a Mechanism to Improve Passive Capture of Bluetooth Through Channel Usage Restriction
Journal of Network Technology, 2019
https://arxiv.org/abs/2002.05126

2018 - Seguretat en Bluetooth. Anàlisi de vulnerabilitats
Universitat Oberta de Catalunya
http://openaccess.uoc.edu/webapps/o2/handle/10609/72388

2017 - Penetration testing and testing to diagnose and detect vulnerabilities in wireless data networks
Katsadouros, Evangelos - School of Technological Applications Department of Computer Systems Engineering 
http://okeanis.lib.puas.gr/xmlui/handle/123456789/3683

2016 - Data security in telehealth and smart home environment
Master Thesis - UNIVERSITY OF EASTERN FINLAND
https://epublications.uef.fi/pub/urn_nbn_fi_uef-20160946/urn_nbn_fi_uef-20160946.pdf

2015 - Bluetooth security and threats
Norwegian Defence Research Establishment (FFI)
https://ffi-publikasjoner.archive.knowledgearc.net/handle/20.500.12242/1115

2015 - Enhancement of bluetooth security authentication using hash-based message
Master Thesis - Diallo Alhassane Saliou
International Islamic University Malaysia
https://www.researchgate.net/profile/Diallo_Alhassane3/publication/296443620_ENHANCEMENT_OF_BLUETOOTH_SECURITY_AUTHENTICATION_USING_HASH-BASED_MESSAGE_AUTHENTICATION_CODE_HMAC_ALGORITHM/links/56d5694608aefd177b118ceb/ENHANCEMENT-OF-BLUETOOTH-SECURITY-AUTHENTICATION-USING-HASH-BASED-MESSAGE-AUTHENTICATION-CODE-HMAC-ALGORITHM.pdf

2014 - Exploiting Bluetooth 4.0 for Secure, Cloud-Enabled Monitoring of Palliative Care Patients
Master Dissertation - Will Browne - University of Dublin, Trinity College
https://www.scss.tcd.ie/publications/theses/diss/2014/TCD-SCSS-DISSERTATION-2014-073.pdf

2013 - Ubertooth - Bluetooth Monitoring und Injection
Proceedings of the Seminars Future Internet (FI) and Innovative Internet Technologies and Mobile Communications (IITM)
Martin Herrmann - Technische Universität München
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.642.4141&rep=rep1&type=pdf#page=29

2012 - Analysis of Bluetooth threats and v4.0 security features
S. Sandhya, K. S. Devi
Publisher: 2012 International Conference on Computing, Communication and Applications (ICCCA)
https://www.semanticscholar.org/paper/Analysis-of-Bluetooth-threats-and-v4.0-security-Sandhya-Devi/baf77cd278ba0a22c27066f376eb7596cc95424a

2012 - Analysis and mitigation of vulnerabilities in short-range wireless communications for industrial control systems
International Journal of Critical Infrastructure Protection - Volume 5, Issues 3–4, December 2012
Bradley Reaves, Thomas Morris
https://www.sciencedirect.com/science/article/pii/S1874548212000492
https://doi.org/10.1016/j.ijcip.2012.10.001

2012 - Theoretical analysis of security features and weaknesses of telecommunication specifications for Smart Metering
Master thesis - Univeristyo of Catalunya
https://upcommons.upc.edu/handle/2099.1/16014

2012 - Bluetooth security analysis for mobile phones
João Alfaiate
Publisher : 7th Iberian Conference on Information Systems and Technologies (CISTI)
https://ieeexplore.ieee.org/abstract/document/6263117

2011 - A Secured Bluetooth Based Social Network
Nateq Be-Nazir Ibn Minar, M. Tarique
International Journal of Computer Applications
https://doi.org/10.5120/3069-4196?sid=

Bluetooth security threats and solutions: a survey
International Journal of Distributed and Parallel Systems (IJDPS)
University, Bangladesh 
http://www.academia.edu/download/39062477/0112ijdps10.pdf

2011 - BlueSnarf Revisited: OBEX FTP Service Directory Traversal
International Conference on Research in Networking
NETWORKING 2011: NETWORKING 2011 Workshops
Authors: Alberto MorenoEiji Okamoto
https://link.springer.com/chapter/10.1007/978-3-642-23041-7_16

2010 - Battery-Sensing Intrusion Protection System Validation Using Enhanced Wi-Fi and Bluetooth Attack Correlation
2009 IEEE 70th Vehicular Technology Conference Fall
https://ieeexplore.ieee.org/abstract/document/5378889

2010 - Bluetooth Sniffing and the PS3
College of Engineering and Computer Science
Luke Vincent
http://courses.cecs.anu.edu.au/courses/CS_PROJECTS/10S2/Reports/Luke%20Vincent.pdf

2010 - Effects of Wi-Fi and Bluetooth Battery Exhaustion Attacks on Mobile Devices
IEEE - 10.1109/HICSS.2010.170
https://ieeexplore.ieee.org/abstract/document/5428422

2010 - Taming the Blue Beast: A Survey of Bluetooth Based Threats
Published: IEEE Security & Privacy ( Volume: 8, Issue: 2, March-April 2010)
Source: https://ieeexplore.ieee.org/abstract/document/5396321

2009 - Secure Physical Layer using Dynamic Permutations in Cognitive OFDMA Systems
VTC Spring 2009 - IEEE 69th Vehicular Technology Conference
IEEE - 10.1109/VETECS.2009.5073843
https://ieeexplore.ieee.org/abstract/document/5073843

2009 - Security Issues in Pervasive Computing
LA Mohammed, K Munir - Risk Assessment and Management
https://www.igi-global.com/chapter/security-issues-pervasive-computing/28456
DOI: 10.4018/978-1-60566-220-6.ch010

2008 - Towards Pervasive Computing Security
Proceedings of the World Congress on Engineering 2008 Vol I
http://iaeng.org/publication/WCE2008/WCE2008_pp810-815.pdf

2008 - Breaking into Bluetooth
Author links open overlay panelKenMunro
Network Security Volume 2008, Issue 6,
https://www.sciencedirect.com/science/article/abs/pii/S1353485808700746

2007 - Studying Bluetooth Malware Propagation: The BlueBag Project
Authors:  Luca Carettoni; Claudio Merloni; Stefano Zanero
DOI: 10.1109/MSP.2007.43
https://ieeexplore.ieee.org/abstract/document/4140986

2007 - Wireless Ordering with the use of technology Bluetooth
http://83.212.168.57/jspui/bitstream/123456789/2348/1/012007113.pdf

2007 - Bluetooth Security & Hacks
RUB Seminar Arbeit
Andreas Becker
https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.392.8834&rep=rep1&type=pdf

Subject : Risk Management


Perspectives in Cyber Security, the Future of Cyber Malware
Indian Journal of Criminology (ISSN 0974 – 7249), Vol .41 (1) & (2), Jan. & July,2013, p.210-227
Sandeep Mittal
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2975931


Subject - Fuzzing / Vulnerability Discovery

2018 - Study of Security Attacks against IoT Infrastructures
The University of Newcastle - Advanced Cyber Security Engineering Research Centre (ACSRC)
https://www.newcastle.edu.au/__data/assets/pdf_file/0020/552017/TR1-ISIF-ASIA.pdf

2017 - Malware Detection Based on Multiple PE Headers Identification and Optimization for Specific Types of Files
Ton Duc Thang University
http://jaec.vn/index.php/JAEC/article/view/64 - ISSN (Print): 1859-2244

2017 - Automatically Inferring Malware Signatures for Anti-Virus Assisted Attack
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
https://doi.org/10.1145/3052973.3053002

2016 - From Malware Signatures to Anti-Virus Assisted Attacks
Technische Universität Braunschweig
https://arxiv.org/pdf/1610.06022.pdf

2016 - A novel malware for subversion of self‐protection in anti‐virus
Software—Practice & ExperienceMarch 2016
https://dl.acm.org/doi/10.1002/spe.2317

2015 - A security analysis method of antivirus software upgrade process
Journal of Wuhan University (Science Edition) 
http://www.cnki.com.cn/Article/CJFDTotal-WHDY201506002.htm

2015 - Design and Evaluation of Feature Distributed Malware Attacks against the Internet of Things (IoT)
2015 20th International Conference on Engineering of Complex Computer Systems (ICECCS)
https://ieeexplore.ieee.org/abstract/document/7384232

2015 - Design, implementation and evaluation of a novel anti-virus parasitic malware
SAC '15: Proceedings of the 30th Annual ACM Symposium on Applied ComputingApril
https://dl.acm.org/doi/abs/10.1145/2695664.2695683

2015 - Error-Correcting Codes as Source for Decoding Ambiguity
2015 IEEE Security and Privacy Workshops - DOI: 10.1109/SPW.2015.28
https://ieeexplore.ieee.org/abstract/document/7163213

2014 - Feature-Distributed Malware Attack: Risk and Defence
European Symposium on Research in Computer Security - ESORICS 2014: Computer Security - ESORICS 2014 
https://link.springer.com/chapter/10.1007/978-3-319-11212-1_26

2014 - Design and Analysis of a New Feature-Distributed Malware
2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications
https://ieeexplore.ieee.org/abstract/document/7011282

2014 - Fuzzing analysis: Evaluation of properties for developing a feedback driven fuzzer tool
Master Thesis Kris Gundersen
https://www.duo.uio.no/bitstream/handle/10852/42126/Gundersen-Master.pdf

2012 - PE-Header-Based Malware Study and Detection
University of Giorgia
http://cobweb.cs.uga.edu/~liao/PE_Final_Report.pdf

2012 - Abusing file processing in malware detectors for fun and profit
2012 IEEE Symposium on Security and Privacy : DOI 10.1109/SP.2012.15
Section II - Related Work
https://ieeexplore.ieee.org/abstract/document/6234406

Subject : Misc

2009 - Client-side threats and a honeyclient-based defense mechanism, Honeyscout
Master Thesis - Clementson, Christian
Linköping University, Department of Electrical Engineering.
https://www.diva-portal.org/smash/record.jsf?pid=diva2%3A233195&dswid=7007


2011 - Exposing the Lack of Privacy in File Hosting Services
Universiteit Leuven, Belgium
LEET'11: Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
https://limo.libis.be/primo-explore/fulldisplay?docid=LIRIAS1655651&context=L&vid=Lirias&search_scope=Lirias&tab=default_tab&lang=en_US&fromSitemap=1


History (For those that care)

My interest in tech started at a young age, self-learning early on I started by teaching myself development (BASIC) on the Atari 1024ST (Casette decks!) and was fascinated that this machine would execute logic that I succeeded in embedding into it, even if it were just basic logic constructs and outputs, my interest was peaked.

I consider myself lucky that my parents supported my interests and as I became older I was able to move to the classical IBM x68 architecture.  Learned how to create 3D models and animations in 3D Studio (Later 3DS Max)  and how to make music tracks (I am still bad at it  to this date) using  "Fast Tracker II" (Sound) a "Music Tracker" originating from the Demo Scene.

As I got access to the Internet, I discovered the world of free knowledge; interconnectivity, networks, protocols and attacks.

I remember started to take a particular interest into this field when I read about a Remote Access Tool called BO (cDC) in a German Paper magazine called "ct". I must have been 15 and wanted to know all about it, how it worked, what enabled Remote Access.  I discovered IP, TCP, UDP, discovered OS internals, spend years to aquire foundational knowledge.

Fast forward, in the late 90s I analysed and reverse engineered an uncountable amount of malicious code, back in the days analysis tools were not as advanced as they were today; in fact, to my knowledge, there weren't any publicly available. I single handily maintained what must have been the world largest repositry of analysis of malware and the first (?) centrally maintained list of indicators of compromise. 

These publications were covered by the the SANS Institute, various books and  found it's way into commercial and non-commercial IDS rules and of course AV vendors. Actually, as I write these lines I came to realise that some IDS have still have my signatures in them.

It was during these years that I solidified my interest in the field of Information Security. After leaving n.runs, in Mid 2009 I founded G-SEC where I build up a local non-profit  Team of Security Specialists and wanted to create an  interest in this profession for those that yet have to make a career choice. My thirst for knowledge let me to discover hundreds of vulnerabilities, developed the first Bluetooth PIN and LinkKey Bruteforcer and found high-profile vulnerabilities within Microsoft, Oracle, Google, Apple software which led to IBM X-Force to mention me of the list of the  Top Vulnerability Discoverers of 2009

0 comments

Post a Comment