Born in Luxembourg, I have over 25 years of experience working in different types of information security roles, Engineering, Governance Risk and Compliance, Leadership, Software Development, Product Management.
I currently work for J.P. Morgan Mobility Payment Solutions S.A. as the Chief Information Security Officer and Head of Technology Risk.
My former positions include that of CISO @ Amazon Payments, EMEA Head of Security Risk and Compliance Europe @Amazon, Head of Country Risk for HSBC Luxembourg, EMEA Threat and Vulnerability Management Practice Lead for @ Verizon Enterprise, Senior Security Engineer (Offensive) @ n.runs, Security Engineer @ Telindus/Proximus, and CEO of my own Startup (Security Software Development)
I am a proud founding father and distinguished subject matter expert for the ISC2 CSSLP certification, a board member at OWASP Benelux and an Advisory Board Member for C|ASE (Certified Application Security Engineer) at EC-Council. I had the opportunity to publish numerous research results that I presented at various international security conferences.
Published Software and Proof of Concepts
The list of tools and whitepapers that I published is available here
Get in touch
In case you want to reach out, I can be found on X, Linked-in and can be reached via an online form.
Academic References and Citations
The following is a list of academic papers, peer reviewed papers that either cite or reference my publications:
2021 - Assessing Non-Intrusive Vulnerability Scanning Methodologies for Detecting Web Application Vulnerabilities on Large Scale
2021 International Conference on System, Computation, Automation and Networking (ICSCAN)
2020 - SecWIR: securing smart home IoT communications via wi-fi routers with embedded intelligence
MobiSys '20: Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services
https://doi.org/10.1145/3386901.3388941
2017 - PHD Dissertation - Authentication Techniques for heteroeneous Telephone Networks
University Of Florida - Bradley Galloway Reaves
https://ufdcimages.uflib.ufl.edu/UF/E0/05/15/06/00001/REAVES_B.pdf
2017 - “Metodología de Hacking Ético para Instituciones Financieras, aplicación de un caso práctico"
Master Thesis - UNIVERSIDAD DE CUENCA
2016 - A Comprehensive Survey on SSL/ TLS and their Vulnerabilities
International Journal of Computer Applications
https://www.researchgate.net/profile/Ashutosh_Satapathy3/publication/310761924_A_Comprehensive_Survey_on_SSL_TLS_and_their_Vulnerabilities/links/58d1045e92851c1db43dfbfd/A-Comprehensive-Survey-on-SSL-TLS-and-their-Vulnerabilities.pdf
2016 - Securing Medical Devices and Protecting Patient Privacy in the Technological Age of Healthcare
PHD Thesis - Paul D. Martin- The Johns Hopkins University
2016 - Authloop: End-to-end cryptographic authentication for telephony over voice channels
25th {USENIX} Security Symposium - B Reaves, L Blue, P Traynor
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/reaves
2015 - Evaluation of TFTP DDoS amplification attack
The Cyber Academy, Edinburgh Napier University
https://www.sciencedirect.com/science/article/pii/S0167404815001285
2015 - Optimizing TLS for Low Bandwidth Environments
International Symposium on Foundations and Practice of Security
FPS 2014: Foundations and Practice of Security
https://link.springer.com/chapter/10.1007/978-3-319-17040-4_10
2015 - A Segurança das Comunicações dos Sítios Web Disponibilizados pelo Estado Português
http://comum.rcaap.pt/handle/10400.26/10658
2014 - Visualization of SSL Setting Status Such as the FQDN Mismatch
IMIS 14 - Proceedings of the 2014 Eighth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing
Source: 10.1109/IMIS.2014.88 https://ieeexplore.ieee.org/abstract/document/6975532
2014 - PhD Thesis - Modeling and analyzinh Cryptographic real world protocols
Ruhr Uni Bochum - Florian Bergsma
Source: https://d-nb.info/1201554365/34
2013 - Safe Configuration of TLS Connections - Beyond Default Settings
6th Symposium on Security Analytics and Automation 2013
https://ieeexplore.ieee.org/abstract/document/6682755
2013 - Ataques a las comunicaciones sin hilos y sus principales métodos de mitigación
Master Thesis - Laura Rasal Blasco
http://openaccess.uoc.edu/webapps/o2/bitstream/10609/23181/3/lrasalTFC0613memoria.pdf
2013 - Cyber-security Defense in Large-scale M2M System: Actual Issues and Proposed Solutions
Proceedings of the International Conference on Security and Management (SAM)
Technische Universität Berlin
http://worldcomp-proceedings.com/proc/p2013/SAM9763.pdf
2013 - On the security of TLS renegotiation
CCS13 - Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Authors: F Giesen, F Kohlar, D Stebila - Queensland Universtity
Source: https://dl.acm.org/doi/abs/10.1145/2508859.2516694
2012 - SSL/TLS status survey in Japan-transitioning against the renegotiation vulnerability and short RSA key length problem
IEEE - Asia Joint Conference on Information Security (Asia JCIS)
Source: 10.1109/AsiaJCIS.2012.10 - https://ieeexplore.ieee.org/abstract/document/6298128
2012 - Attacks on re-keying and renegotiation in Key Exchange Protocols
Bachelor Thesis - Rati Gelashvili
Eidgenössische Technische Hochschule Zürich
2012 - Analysis of the Functionality, Risks and Counter-Measures of Current Padding Attacks
Bachelor Thesis - Alexander Colin Jüttner
Frankfurt School of Finance and Management
https://www.cryptool.org/assets/img/ctp/documents/BA_Juettner_Padding-Oracle-Attack.pdf
2012 - Countermeasures and Tactics for Transitioning against the SSL/TLS Renegotiation Vulnerability
IEEE - 6th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS)
Source: 10.1109/IMIS.2012.138 - https://ieeexplore.ieee.org/abstract/document/6296932
2011 - Security in Bluetooth, RFID and wireless sensor networks
ICCCS '11: Proceedings of the 2011 International Conference on Communication, Computing & Security
https://dl.acm.org/doi/abs/10.1145/1947940.1948071
2011 - TLS and Energy Consumption On a Mobile Device: A Measurement Study
Publisher: IEEE - https://ieeexplore.ieee.org/abstract/document/5983970/metrics
DOI: 10.1109/ISCC.2011.5983970
2011 - MITM attacks on SSL/TLS related to renegotiation
Thor Siiger Prentow
2010 - Cybersecurity Myths on Power Control Systems: 21 Misconceptions and False Beliefs
Published :IEEE Transactions on Power Delivery ( Volume: 26, Issue: 1, Jan. 2011)
DOI: 10.1109/TPWRD.2010.2061872
https://ieeexplore.ieee.org/abstract/document/5673737/references#references
2010 - Problems on the shifts to a new specification with countermeasures of the SSL / TLS renegotiation vulnerability
Yuji Suga
Source: https://ipsj.ixsq.nii.ac.jp/ej/?action=repository_uri&item_id=69748&file_id=1&file_no=1
Subject : SSLscan Tool
Classifying Network Protocol Implementation Versions: An OpenSSL Case Study
Johns Hopkins University
Martin, Paul D.Rubin - Rushanan, Michael - Aviel D. - Green Matthew; Checkoway Stephen
Source: http://jhir.library.jhu.edu/handle/1774.2/36570
Subject: Bluetooth and Wireless
2024 - Low-power Bluetooth/RFID devices to Track Inventory in the Supply Chain
Asian Journal of Multidisciplinary Research & Review | ISSN 2582 8088
Volume 5 Issue 1 – January February 2
https://ajmrr.thelawbrigade.com/article/low-power-bluetooth-rfid-devices-to-track-inventory-in-the-supply-chain/
2020 - Detecting Bluetooth Attacks Against Smartphones by Device Status Recognition
ICAIS 2020: Artificial Intelligence and Security
https://link.springer.com/chapter/10.1007/978-3-030-57884-8_11
2019 - Bluetooth Intrusion Detection System (BIDS)
IEEE : DOI: 10.1109/AICCSA.2018.8612809
https://ieeexplore.ieee.org/abstract/document/8612809
2019 - Analysis on Bluetooth Security
International Journal of Research in Engineering, Science and Management
https://www.ijresm.com/Vol.2_2019/Vol2_Iss5_May19/IJRESM_V2_I5_249.pdf
2019 - Wi-Fi Channel Saturation as a Mechanism to Improve Passive Capture of Bluetooth Through Channel Usage Restriction
Journal of Network Technology, 2019
https://arxiv.org/abs/2002.05126
2018 - Seguretat en Bluetooth. Anàlisi de vulnerabilitats
Universitat Oberta de Catalunya
http://openaccess.uoc.edu/webapps/o2/handle/10609/72388
2017 - Penetration testing and testing to diagnose and detect vulnerabilities in wireless data networks
Katsadouros, Evangelos - School of Technological Applications Department of Computer Systems Engineering
http://okeanis.lib.puas.gr/xmlui/handle/123456789/3683
2016 - Data security in telehealth and smart home environment
Master Thesis - UNIVERSITY OF EASTERN FINLAND
https://epublications.uef.fi/pub/urn_nbn_fi_uef-20160946/urn_nbn_fi_uef-20160946.pdf
2015 - Bluetooth security and threats
Norwegian Defence Research Establishment (FFI)
https://ffi-publikasjoner.archive.knowledgearc.net/handle/20.500.12242/1115
2015 - Enhancement of bluetooth security authentication using hash-based message
Master Thesis - Diallo Alhassane Saliou
International Islamic University Malaysia
https://www.researchgate.net/profile/Diallo_Alhassane3/publication/296443620_ENHANCEMENT_OF_BLUETOOTH_SECURITY_AUTHENTICATION_USING_HASH-BASED_MESSAGE_AUTHENTICATION_CODE_HMAC_ALGORITHM/links/56d5694608aefd177b118ceb/ENHANCEMENT-OF-BLUETOOTH-SECURITY-AUTHENTICATION-USING-HASH-BASED-MESSAGE-AUTHENTICATION-CODE-HMAC-ALGORITHM.pdf
2014 - Exploiting Bluetooth 4.0 for Secure, Cloud-Enabled Monitoring of Palliative Care Patients
Master Dissertation - Will Browne - University of Dublin, Trinity College
https://www.scss.tcd.ie/publications/theses/diss/2014/TCD-SCSS-DISSERTATION-2014-073.pdf
2013 - Ubertooth - Bluetooth Monitoring und Injection
Proceedings of the Seminars Future Internet (FI) and Innovative Internet Technologies and Mobile Communications (IITM)
Martin Herrmann - Technische Universität München
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.642.4141&rep=rep1&type=pdf#page=29
2012 - Analysis of Bluetooth threats and v4.0 security features
S. Sandhya, K. S. Devi
Publisher: 2012 International Conference on Computing, Communication and Applications (ICCCA)
https://www.semanticscholar.org/paper/Analysis-of-Bluetooth-threats-and-v4.0-security-Sandhya-Devi/baf77cd278ba0a22c27066f376eb7596cc95424a
2012 - Analysis and mitigation of vulnerabilities in short-range wireless communications for industrial control systems
International Journal of Critical Infrastructure Protection - Volume 5, Issues 3–4, December 2012
Bradley Reaves, Thomas Morris
https://www.sciencedirect.com/science/article/pii/S1874548212000492
https://doi.org/10.1016/j.ijcip.2012.10.001
2012 - Theoretical analysis of security features and weaknesses of telecommunication specifications for Smart Metering
Master thesis - Univeristyo of Catalunya
https://upcommons.upc.edu/handle/2099.1/16014
2012 - Bluetooth security analysis for mobile phones
João Alfaiate
Publisher : 7th Iberian Conference on Information Systems and Technologies (CISTI)
https://ieeexplore.ieee.org/abstract/document/6263117
2011 - A Secured Bluetooth Based Social Network
Nateq Be-Nazir Ibn Minar, M. Tarique
International Journal of Computer Applications
https://doi.org/10.5120/3069-4196?sid=
Bluetooth security threats and solutions: a survey
International Journal of Distributed and Parallel Systems (IJDPS)
University, Bangladesh
http://www.academia.edu/download/39062477/0112ijdps10.pdf
2011 - BlueSnarf Revisited: OBEX FTP Service Directory Traversal
International Conference on Research in Networking
NETWORKING 2011: NETWORKING 2011 Workshops
Authors: Alberto MorenoEiji Okamoto
https://link.springer.com/chapter/10.1007/978-3-642-23041-7_16
2010 - Battery-Sensing Intrusion Protection System Validation Using Enhanced Wi-Fi and Bluetooth Attack Correlation
2009 IEEE 70th Vehicular Technology Conference Fall
https://ieeexplore.ieee.org/abstract/document/5378889
2010 - Bluetooth Sniffing and the PS3
College of Engineering and Computer Science
Luke Vincent
http://courses.cecs.anu.edu.au/courses/CS_PROJECTS/10S2/Reports/Luke%20Vincent.pdf
2010 - Effects of Wi-Fi and Bluetooth Battery Exhaustion Attacks on Mobile Devices
IEEE - 10.1109/HICSS.2010.170
https://ieeexplore.ieee.org/abstract/document/5428422
2010 - Taming the Blue Beast: A Survey of Bluetooth Based Threats
Published: IEEE Security & Privacy ( Volume: 8, Issue: 2, March-April 2010)
Source: https://ieeexplore.ieee.org/abstract/document/5396321
2009 - Secure Physical Layer using Dynamic Permutations in Cognitive OFDMA Systems
VTC Spring 2009 - IEEE 69th Vehicular Technology Conference
IEEE - 10.1109/VETECS.2009.5073843
https://ieeexplore.ieee.org/abstract/document/5073843
2009 - Security Issues in Pervasive Computing
LA Mohammed, K Munir - Risk Assessment and Management
https://www.igi-global.com/chapter/security-issues-pervasive-computing/28456
DOI: 10.4018/978-1-60566-220-6.ch010
2008 - Towards Pervasive Computing Security
Proceedings of the World Congress on Engineering 2008 Vol I
http://iaeng.org/publication/WCE2008/WCE2008_pp810-815.pdf
2008 - Breaking into Bluetooth
Author links open overlay panelKenMunro
Network Security Volume 2008, Issue 6,
https://www.sciencedirect.com/science/article/abs/pii/S1353485808700746
2007 - Studying Bluetooth Malware Propagation: The BlueBag Project
Authors: Luca Carettoni; Claudio Merloni; Stefano Zanero
DOI: 10.1109/MSP.2007.43
https://ieeexplore.ieee.org/abstract/document/4140986
2007 - Wireless Ordering with the use of technology Bluetooth
http://83.212.168.57/jspui/bitstream/123456789/2348/1/012007113.pdf
2007 - Bluetooth Security & Hacks
RUB Seminar Arbeit
Andreas Becker
https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.392.8834&rep=rep1&type=pdf
Subject : Risk Management
Perspectives in Cyber Security, the Future of Cyber Malware
Indian Journal of Criminology (ISSN 0974 – 7249), Vol .41 (1) & (2), Jan. & July,2013, p.210-227
Sandeep Mittal
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2975931
Subject - Fuzzing / Vulnerability Discovery
2018 - Study of Security Attacks against IoT Infrastructures
The University of Newcastle - Advanced Cyber Security Engineering Research Centre (ACSRC)
https://www.newcastle.edu.au/__data/assets/pdf_file/0020/552017/TR1-ISIF-ASIA.pdf
2017 - Malware Detection Based on Multiple PE Headers Identification and Optimization for Specific Types of Files
Ton Duc Thang University
http://jaec.vn/index.php/JAEC/article/view/64 - ISSN (Print): 1859-2244
2017 - Automatically Inferring Malware Signatures for Anti-Virus Assisted Attack
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
https://doi.org/10.1145/3052973.3053002
2016 - From Malware Signatures to Anti-Virus Assisted Attacks
Technische Universität Braunschweig
https://arxiv.org/pdf/1610.06022.pdf
2016 - A novel malware for subversion of self‐protection in anti‐virus
Software—Practice & ExperienceMarch 2016
https://dl.acm.org/doi/10.1002/spe.2317
2015 - A security analysis method of antivirus software upgrade process
Journal of Wuhan University (Science Edition)
http://www.cnki.com.cn/Article/CJFDTotal-WHDY201506002.htm
2015 - Design and Evaluation of Feature Distributed Malware Attacks against the Internet of Things (IoT)
2015 20th International Conference on Engineering of Complex Computer Systems (ICECCS)
https://ieeexplore.ieee.org/abstract/document/7384232
2015 - Design, implementation and evaluation of a novel anti-virus parasitic malware
SAC '15: Proceedings of the 30th Annual ACM Symposium on Applied ComputingApril
https://dl.acm.org/doi/abs/10.1145/2695664.2695683
2015 - Error-Correcting Codes as Source for Decoding Ambiguity
2015 IEEE Security and Privacy Workshops - DOI: 10.1109/SPW.2015.28
https://ieeexplore.ieee.org/abstract/document/7163213
2014 - Feature-Distributed Malware Attack: Risk and Defence
European Symposium on Research in Computer Security - ESORICS 2014: Computer Security - ESORICS 2014
https://link.springer.com/chapter/10.1007/978-3-319-11212-1_26
2014 - Design and Analysis of a New Feature-Distributed Malware
2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications
https://ieeexplore.ieee.org/abstract/document/7011282
2014 - Fuzzing analysis: Evaluation of properties for developing a feedback driven fuzzer tool
Master Thesis Kris Gundersen
https://www.duo.uio.no/bitstream/handle/10852/42126/Gundersen-Master.pdf
2012 - PE-Header-Based Malware Study and Detection
University of Giorgia
http://cobweb.cs.uga.edu/~liao/PE_Final_Report.pdf
2012 - Abusing file processing in malware detectors for fun and profit
2012 IEEE Symposium on Security and Privacy : DOI 10.1109/SP.2012.15
Section II - Related Work
https://ieeexplore.ieee.org/abstract/document/6234406
Subject : Misc
2009 - Client-side threats and a honeyclient-based defense mechanism, Honeyscout
Master Thesis - Clementson, Christian
Linköping University, Department of Electrical Engineering.
https://www.diva-portal.org/smash/record.jsf?pid=diva2%3A233195&dswid=7007
2011 - Exposing the Lack of Privacy in File Hosting Services
Universiteit Leuven, Belgium
LEET'11: Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
https://limo.libis.be/primo-explore/fulldisplay?docid=LIRIAS1655651&context=L&vid=Lirias&search_scope=Lirias&tab=default_tab&lang=en_US&fromSitemap=1
How I started in the field of Information Security
As a teenager I was captivated by technology. My self-taught journey began with dabbling in BASIC development on the Atari 1024ST— yes, the one with cassette decks! The thrill of watching a machine come alive with my commands and logic was nothing short of magical.
I'm grateful to my parents for nurturing my tech inclinations and later transitioned to the iconic IBM x68 architecture. This shift allowed me to delve into the world of 3D modeling and animations with 3D Studio, which later evolved into 3DS Max. I also happen to explore the realm of music production using "Fast Tracker II", a music tracker with roots in the Demo Scene (Example).
The advent of the Internet was a game-changer for me. It opened doors to a universe of free knowledge, introducing me to the intricacies of networks, protocols, and the intriguing world of cyberattacks.
My deep dive into the Infosec realm began when I stumbled upon an article about a Remote Access Tool named BO (cDC) in the German magazine "ct". At 15, my curiosity was piqued. I was eager to understand its mechanics and the technology that facilitated remote access. This led me to explore the intricacies of IP, TCP, UDP, and the inner workings of operating systems. I dedicated years to building a solid foundational understanding.
By the late 90s, I had analyzed and reverse-engineered a vast number of malicious codes. Back then, the tools for analysis were rudimentary compared to today's standards. To the best of my recollection, there weren't any publicly accessible ones. I took it upon myself to curate what might have been the world's most extensive repository of malware analysis, possibly pioneering the first centrally maintained list of indicators of compromise.
My work gained recognition, with mentions by the SANS Institute, citations in various books, and integration into both commercial and non-commercial IDS rules, as well as AV vendors. Reflecting on it now, I'm struck by the realization that some IDS systems still carry my original signatures.
Much of my personal time was dedicated to learning, reading, and hands-on practice. As I delved into multiple programming languages, explored both binary and dynamic reverse engineering, and immersed myself in an information security environment, significant breakthroughs began to emerge.
During this period, my passion for Information Security truly crystallized. After parting ways with n.runs in mid-2009, I established G-SEC. My vision was to create a local non-profit organization aimed at fostering interest and awareness, especially for those still contemplating their career paths.
My research led me to uncover hundreds of vulnerabilities, including critical defects in key tech components. I pioneered the first Bluetooth cryptographic attack and made the code open-source. I take particular pride in identifying high-profile vulnerabilities in software from giants like Microsoft, Oracle, Google, and Apple. This body of work culminated in IBM X-Force recognizing me as one of the Global Top Vulnerability Discoverers of 2009.
.png)
0 comments
Post a Comment