
This page collects my published research output: conference talks and whitepapers given between 2006 and 2011, and the tools and proof-of-concept code I released publicly between 2004 and 2010.

Talks & Whitepapers




Threat Modeling & Risk

The Rise of Vulnerability Markets: History, Impacts, Mitigations

OWASP BeNeLux 2011 · Belgium · November 2011

In 2011 vulnerability markets were still considered fringe, and discussing the price and structure of the zero-day market was seen as irresponsible by most of the industry. So I did just that.

This talk looked at the economics of the global vulnerability market and at the fact that it had already split into two: a mass market (organised crime recycling known flaws) and a targeted market (state-funded actors trading custom zero-days). I introduced an attacker-class pyramid and a four-tier Assurance Level framework for matching defence to the threat tier. The attacker-class split and the assurance-tiering logic later became standard threat-modelling framing, and are reflected in later frameworks including IEC 62443 (SL1 to SL4, 2013 onward), NIST SP 800-30 Rev 1 (2012), OWASP ASVS (2014 onward), and the CBEST (2014) to TIBER-EU (2018) to DORA TLPT (2025) lineage of threat-intelligence-led testing.

Download Slides ↓

Cited in: Computer Law & Security Review (Elsevier) 2022, University of Amsterdam, Institute for Information Law (van Daalen, footnote 8).

Managing Application Risk in Enterprises: Thoughts and Recommendations

ISSA EMEA 2011 · Israel · 2011

I proposed Application Risk Management as a broader discipline than SDLC. It covers acquisition, vendor due diligence, supply chain and decommissioning, not only in-house development. I introduced a four-tier Assurance Level framework (automated, then manual, then source-code and database audit, then architectural review) for matching effort to how critical the application is. The same risk-tiered idea later appeared in DORA, NIS2 and the EU Cyber Resilience Act. The talk also covered the political side of setting up an SDL programme in a large company: management buy-in as a precondition, the need for an evangelist role, and how to rebrand the work away from words that translate to "cost" in product management.

Download Slides ↓


Anti-Virus Bypass, Malware & Fuzzing


The Death of AV Defense in Depth? Revisiting Anti-Virus Software

CanSecWest 2008 · Vancouver, Canada · March 2008 · co-presented with Sergio Alvarez (n.runs AG)

When this talk was given, the industry treated AV failures as "missed detection": a marketing problem, not a security problem. The talk reframed AV as software-with-vulnerabilities, running with the highest privileges on mail gateways and Exchange servers, parsing arbitrary attacker-controlled file formats before any user interaction. We showed that the multi-vendor stacking pattern, the consensus best-practice at the time and codified in Microsoft's own AV-DiD guide, was multiplying attack surface instead of reducing it. The vendor responses we reproduced in the slides (refusing to credit researchers, multi-year patch timelines, claiming bypass files were not security issues) captured an industry in denial. Most of the critique was quietly accepted over the following years. Deployment-context-aware risk rating spread across vendors. Bypass-class issues moved out of "not a security issue" triage. Parser isolation and reduced-privilege scanning became standard. Four years later Tavis Ormandy's Project Zero AV campaign validated the core thesis at scale. Modern mail-gateway architectures (Mimecast, Proofpoint) reflect the talk's conclusions directly, and the content disarm-and-reconstruction (CDR) product category, where parser isolation is deployed before AV rather than relying on it, traces back to this research.

Download Slides ↓

Cited in: USENIX Security 2025, Tsinghua University & Zhongguancun Laboratory (Distinguished Paper Award) · IEEE Symposium on Security and Privacy 2012, University of Michigan (Oberheide, Cooke, Jahanian) and Cornell & UT Austin (Jana & Shmatikov) · Communications of the ACM 2011, MIT & Stanford (Zeldovich et al., HiStar) · ESORICS 2014, Macquarie University (Min & Varadharajan) · IEEE Symposium on Security and Privacy Workshops 2015, University of Tübingen (Šrndić & Laskov) · ACM Asia CCS 2017 · Bell Labs Technical Journal 2007.

Press: Le Monde Informatique, "Les antivirus aussi vulnérables que les logiciels qu'ils protègent" (Marie-Anne Delalande, November 2007) · Washington Post, "Is security software becoming a security risk?" (Robert McMillan, PC World, November 2007) · Heise Security, "Antiviren-Software als Einfallstor" (December 2007).

Wenn der Schutz dem Angriff dient: Antivirus-Lösungen ausgehebelt

CeBIT / Heise Security Track 2008 · Frankfurt, Germany · 2008

German-language version of the AV defence-in-depth findings. It showed how the products that are supposed to protect endpoints actually expand the attack surface through their privileged file-parsing components.

The Death of Anti-Virus Defense in Depth?

Hack.lu 2007 · Luxembourg · 2007

First public presentation of the AV bypass research with Sergio Alvarez, before the expanded CanSecWest 2008 talk.

Download Slides ↓

Cited in: IEEE Symposium on Security and Privacy 2012, University of Michigan (Oberheide et al.) · Communications of the ACM 2011, MIT & Stanford (Zeldovich et al., HiStar) · Bell Labs Technical Journal 2007, Bell Labs (Luettmann & Bender).


Cryptography

TLS / SSLv3 Renegotiation Vulnerability Explained

G-SEC Whitepaper · first draft November 2009, final version December 2011

I published this whitepaper a few days after Marsh Ray, Steve Dispensa and Martin Rex disclosed CVE-2009-3555 (VU#120541). The vulnerability sat at the protocol level in TLS and SSLv3 itself, not in an implementation. It let a man-in-the-middle inject attacker plaintext at the start of an authenticated, encrypted session. I independently rediscovered the HTTPS to HTTP downgrade variant and published it. I built two proof-of-concept exploits, one via HTTP TRACE for response injection and a full inline PoC. With Wietse Venema (Postfix, SMTPS) and Alun Jones (WFTPD, FTPS) I produced the multi-protocol impact matrix and extended the analysis to EAP-TLS. The paper was cited by US-CERT, DFN-CERT, BELNET-CERT, SWITCH-CERT, Nessus, Qualys and Heise c't, and used as internal training material by a major OS vendor.

Whitepaper

Cited in: USENIX Security 2016, University of Florida (Reaves, Blue & Traynor, AuthLoop, ref. 75) · ACM CCS 2013, Queensland University of Technology (Giesen, Kohlar & Stebila, ref. 28) · PhD Dissertation 2014, Ruhr-Universität Bochum (Florian Bergsma) · PhD Dissertation 2017, University of Florida (Bradley Reaves) · PhD Thesis 2016, Johns Hopkins University (Paul D. Martin).

TLS / SSL Hardening and Compatibility Report

G-SEC Research Report · 2010, updated 2011

A three-month research effort answering practical questions on SSL/TLS configuration: what is state of the art, what ciphers and hashes are recommended, which cipher suites give the best compromise between compatibility and security, what each major browser actually supports, what each common SSL provider supports, and how much time RSA still has left. The report came out of reverse-engineering the SCHANNEL cipher suites across Windows versions, and was published with two companion tools (SSL Audit and Harden SSL/TLS, listed in the tools section below).

Download Report (full) ↓ · Condensed version ↓


IPv6 Security

IPv6: Common Vulnerabilities & Countermeasures

Verizon Business · May 20, 2011

Enterprise IPv6 security crash course covering NDP and stateless configuration spoofing (the IPv6 counterparts of ARP and DHCP spoofing), dual-stack firewall gaps where the IPv4 rules are written but the IPv6 ones forgotten, and the latent threat of hidden IPv6 capability on supposedly IPv4-only networks. Closed with a note on PCI-DSS: it required NAT for security, NAT66 was missing in most firewalls of the time, so PCI compliance with pure IPv6 was an open question. Main takeaway: most IPv6 threats map to IPv4 equivalents with similar countermeasures, but dual-stack and auto-configuration leave real operational gaps.

Download Slides ↓


Bluetooth & Wireless Security

All Your Bluetooth Is Belong To Us: Bluetooth Hacking Revisited

23C3, Chaos Communication Congress 2006 · Berlin, Germany · December 2006

This talk contributed materially to Secure Simple Pairing (Bluetooth 2.1, mid 2007), the protocol overhaul that closed the pairing weaknesses it exposed. The thesis was that Bluetooth belonged in enterprise threat models, not dismissed as a 10 metre consumer nuisance. Core argument: the linkkey is what matters. Hold it, replay it, own the device. There are only two ways to get it, capture and break the pairing exchange, or remote code execution over Bluetooth. I demonstrated both. BTCrack 1.0, released at the talk, was the first public Windows implementation of linkkey recovery from a captured pairing. The live demo was the first ever remote root over Bluetooth with an interactive shell, chaining an OBEX file-path traversal, the OS X InputManager auto-start vector, and a 0day local privilege escalation. Solo presentation. Some slide material draws on earlier collaboration with Kevin Finistere and is credited there.

Download Slides ↓ · Full talk (video) ▶ · RCE demo: remote root shell over Bluetooth ▶ · BTCrack tool ↓

Cited in: PhD Thesis 2022, Pace University (Mantie N. Reid, Bluetooth Secure Pairing) · IJCTT Systematic Review 2021 · PhD Dissertation 2017, University of Florida (Bradley Reaves) · International Journal of Critical Infrastructure Protection (Elsevier) 2012, Mississippi State University (Reaves & Morris) · Springer NETWORKING 2011 Workshops, Moreno & Okamoto, "BlueSnarf Revisited: OBEX FTP Service Directory Traversal" · IEEE Security & Privacy 2010, Dunning, "Taming the Blue Beast" · IEEE Transactions on Power Delivery 2010, "Cybersecurity Myths on Power Control Systems" · IEEE Security & Privacy 2007, Politecnico di Milano (Carettoni, Merloni & Zanero, "The BlueBag Project").

Scheunentor Bluetooth / Bluetooth: A Barn Door (tour)

Heisec 2007 · Hamburg / Munich / Frankfurt · 2007

Follow-up to 23C3, delivered in April 2007, that refuted two defensive assumptions still commonly used to justify tolerating Bluetooth in enterprise environments. First, long PINs did not help. The spec calls the PIN a "Passkey" and permits letters and umlauts, but almost no vendor implemented it that way. Devices constrained input to digits, and any captured pairing exchange became a near-guaranteed compromise regardless of nominal PIN length. Second, time-to-crack was no longer measured in hours. Working with David Hulton at Pico Computing, I released BTCrack 1.1 with FPGA acceleration: 30 million keys/sec on an E14 board versus 200,000 in software, six-digit PINs recovered in about four seconds. The talk also released a real-time patch for the Carwhisperer hardcoded-PIN attack against car kits and consolidated practical mitigation guidance for enterprises. Slides in German and English.

Download Slides (DE) ↓ · Download Slides (EN) ↓

BTCrack referenced in: Hacking Exposed Wireless, 3rd ed. (McGraw-Hill, 2015) · Encyclopedia of Information Assurance (CRC, 2011) · CEH v9 Cert Guide (Pearson, 2017) · Managing Security Services in Heterogeneous Networks (CRC, 2020).

Scheunentor Bluetooth: wie Handys ausspioniert werden

M-Vision 2007 · Frankfurt, Germany · 2007

Industry talk on Bluetooth surveillance and pairing attacks against consumer mobile devices.

Scheunentor Bluetooth

IT-Sicherheits Forum 2007 · Frankfurt, Germany · 2007

Earlier presentation of the Scheunentor Bluetooth findings, before the wider Heisec tour and the M-Vision appearance.

Bluetooth Hacking Revisited

Hack.lu 2006 · Luxembourg · 2006

Survey of the practical Bluetooth attack landscape in 2006. The methodology I used here is what I later released publicly as BTCrack and demonstrated at the 23C3 0day disclosure.

Download Slides ↓

Cited in: Network Security (Elsevier) 2008, Ken Munro · IJCA 2011, Minar & Tarique · IJDPS Survey 2012.



Cashback & Online Payment Vulnerabilities

Cash-back System Revisited

OWASP BENELUX 2010 · Netherlands · 2010

Analysis of vulnerabilities in cash-back online payment systems. Slides are not publicly available.

Cited in: USENIX LEET 2011, KU Leuven (Nikiforakis et al.).


Tools & Code Releases

I am not a developer, but I have released proof-of-concept code and tools where useful. The list below covers Bluetooth cracking, Windows hardening, browser fuzzing and card reader reverse engineering. Released between 2004 and 2010.


Offensive & Proof of Concept

BTCrack 1.1

Bluetooth passkey and linkkey brute-force tool · initial release at 23C3, December 2006 · FPGA support added in 1.1

BTCrack was the world's first public Bluetooth passkey (PIN) and linkkey brute-force tool. I released it in Saal 1 at the 23C3 Chaos Communication Congress in Berlin in December 2006. It brute-forces the passkey and the linkkey from captured Bluetooth pairing exchanges. To capture the pairing exchange you need a professional Bluetooth analyser (FTE BPA-100, BPA-105, Merlin) or you flash a CSR-based consumer USB dongle with special firmware. Ubertooth became another option from 2011 onward. From version 1.1, BTCrack added FPGA acceleration through Pico Computing E-series boards. Speed comparison: a P4 2 GHz dual core managed 200,000 keys/sec; an FPGA E12 at 50 MHz reached 7.6 million keys/sec; E12 at 75 MHz hit 10 million; E14 reached 30 million keys/sec.

§202c StGB, the "Hackerparagraph" (2007)

When Germany's §202c StGB took effect in August 2007 and criminalised making "hacking tools" available, I initially took BTCrack offline. On 26 September 2007, I announced on the Full Disclosure mailing list that n.runs and I were putting BTCrack back online with its source code, to publicly test the law's interpretation. Dark Reading and ZDNet both covered the challenge; per Dark Reading, we were the first researchers in Germany to publicly restore their own tools after having taken them down.

Download BTCrack 1.1 · 23C3 talk (slides) · 23C3 talk (video) · Heisec Scheunentor Bluetooth talk · Tool demo ▶

Referenced in: Hacking Exposed Wireless, 3rd ed. (McGraw-Hill, 2015) · Encyclopedia of Information Assurance (CRC, 2011) · CEH v9 Cert Guide (Pearson, 2017) · Managing Security Services in Heterogeneous Networks (CRC, 2020)

Press: Dark Reading, "New Hacking Tools Bite Bluetooth" (Dec 2006) · Heise Online, "23C3: Neue Hacker-Tools für Bluetooth" (Dec 2006) · Network World, "Researcher creates Bluetooth crack tool" (Apr 2007)

BTCrack Open Source (GPL)

Linux port of BTCrack · GPL · 2009

A straightforward Linux port of BTCrack, released under GPL.

Download BTCrack Open Source

CSS-DIE

Browser CSS fuzzer · co-authored with HD Moore, Matt Murphy and Aviv Raff · 2006

CSS-DIE is a community-developed fuzzer for browser integrity testing, written with HD Moore, Matt Murphy and Aviv Raff. It looks for common CSS1, CSS2 and CSS3 implementation flaws by specifying bad values for style attributes.

More information

Referenced in: Fuzzing: Brute Force Vulnerability Discovery (Sutton, Greene & Amini, Addison-Wesley, 2007) · A Review of Fuzzing Tools and Methods (Fell, 2017) · eWeek (Naraine, 2006)


Defensive & Hardening

Secure-It

Local Windows security hardening tool · last update 2005


Secure-It was a local Windows hardening tool that proactively reduced the attack surface by disabling intrusion and propagation vectors, or simply disabling functions that were not needed. It worked on workstations and on servers. It had a track record of preventing several 0-day exploits proactively before patches were available: the Help ActiveX control exploit (2004), a second Help ActiveX exploit that Microsoft did not fully patch (2004), the DHTML ActiveX control exploit (2004), and the Microsoft MSHTA script execution vulnerability (2005). The last update was in 2005, so some settings (like the ActiveX blacklist) are outdated and should not be used today.

More information · Press coverage (Heise)

Harden-It

Windows network and system hardening tool · Last update 2006

Harden-It hardens the Windows TCP and IP stack (ICMP, SYN, SYN-ACK), reducing or mitigating the effects of DoS and other network-based attacks. It enables SYN flood protection on detection, lets you set the threshold values used to identify an attack, and applies various other network-level protections. It also has a record of proactive protection: it blocked the 2006 Windows IGMP denial-of-service attack before the official patch was available.

More information · Press coverage (Heise)

Harden SSL/TLS

Windows SSL/TLS hardening tool · 2010, updated through 2013

Harden SSL/TLS configures and hardens the SSL/TLS settings of Windows from XP through 8 and Windows Server 2003 through 2012. It lets you set SSL policies locally or remotely, allowing or denying specific ciphers, hashes or whole cipher suites. The tool works at the SCHANNEL level, so the settings apply to every application that uses SCHANNEL crypto: IIS, SQL Server, Internet Explorer, Safari, Google Chrome and others. Developed during G-SEC's TLS/SSL hardening and compatibility research.

Download Harden SSL/TLS ↓ · Documentation · Demo video ▶

SSL Audit

SSL/TLS server scanner with fingerprinting · 2010 (alpha)

SSL Audit scans remote web servers for SSL/TLS support. Unlike scanners built on OpenSSL or NSS, it is not limited to the ciphers those libraries support, so it can detect all known cipher suites. The tool includes an experimental fingerprint engine that identifies the SSL engine running server-side (IIS 6/7/7.5 Schannel, Apache OpenSSL, Apache NSS, Certicom, RSA BSAFE) by sending normal and malformed SSL packets and looking at how each is interpreted.

Download SSL Audit ↓ · Documentation · Demo video ▶

USB Write Blocker

Windows USB write-protection tool · 2009 · requires .NET 2.0

USB Write Blocker is a small tool that blocks write requests to USB devices, making them effectively read-only. Useful for forensics and incident response, when you want to plug a suspect USB device into a workstation without modifying its contents.

Download USB Write Blocker ↓ · Blog post


Reverse Engineering & Research

Omron Communicator

Hitachi Omron Hybrid Card reader research tool · 2009

Omron Communicator is based on my work reverse-engineering the Hitachi Omron Hybrid Card readers. These card readers are used in commercial deployments including ATMs, identity management, payment systems and parking systems. The work was done for research and awareness purposes.

Part 1: New toy · Part 2: protocol partly reversed · Part 3: demo of implementation · Demo video ▶


Administration

Remote Administration Tool (GPL)

Small free remote control package · derived from TightVNC · GPL

A small free remote-control package derived from TightVNC. It lets you see the desktop of a remote machine and control it with your local mouse and keyboard, just like sitting in front of that computer. Small, easy, no installation required.

More information