The Swiss Cyber Storm 2019 Program – Part 2 of 2
Swiss Cyber Storm 2019 will run under the motto “Embracing the Hackers”. We presented and explained this overall theme for our conference in a separate blog post in spring. Now it is time to present our lineup for the conference on October 15. This is the second of two blog posts about our speakers; the first one is here.
Nicoletta della Valle and Sandra Schweingruber
Social engineering and its use in financial fraud are expanding rapidly: as the criminals’ methods are refined into sophisticated and targeted processes, more and more people fall for their scams. The fraudsters are often organized in international networks, which confronts traditional law enforcement with a variety of legal problems. Bringing such criminals to justice requires close cooperation between the police and the prosecution. Nicoletta della Valle is the director of the Swiss Federal Police (FEDPOL), an agency tasked with coordinating international cooperation in law enforcement. She is joined by Sandra Schweingruber, the Swiss federal prosecutor for cyber crime. In their talk “An Exemplary Case of International Financial Fraud”, Mrs. della Valle and Mrs. Schweingruber will walk us through a case that has challenged both FEDPOL and the federal prosecution office.
Fuzzing Java code is a relatively new discipline. The technique has long been established for unsafe languages like C and C++, but new tools make it possible to treat Java code in a similar way. JQF is such a tool. It is inspired by American Fuzzy Lop (AFL): a JUnit test method annotated with @Fuzz receives generated inputs, which the fuzzer then mutates under coverage guidance, so fuzzing can be integrated into the development process or used when reviewing code. Of course, it is a new tool and there are still some rough edges. So it is very welcome that Tobias Ospelt from Pentagrid introduces us to the new tool in his talk “Fuzzing Java Code With the Help of JQF”.
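What such a JQF harness looks like, as an added example that is not part of this post or of the talk: a JUnit test class with one @Fuzz method, plus a small INI-style parser constructed here as the code under test. The parser, its names (IniParser, SyntaxError, parseFailsOnlyWithSyntaxError) and the planted bug are assumptions for illustration; only the JQF annotations and runner are the real API. It assumes jqf-fuzz, junit-quickcheck and JUnit 4 on the test classpath.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import edu.berkeley.cs.jqf.fuzz.Fuzz;
import edu.berkeley.cs.jqf.fuzz.JQF;
import org.junit.runner.RunWith;

import static org.junit.Assert.assertTrue;
import static org.junit.Assume.assumeTrue;

@RunWith(JQF.class)
public class IniParserFuzzTest {

    /** Tiny INI-style parser standing in for the code under test (constructed for this example). */
    static final class IniParser {
        static final class SyntaxError extends Exception {
            SyntaxError(String msg) { super(msg); }
        }

        static Map<String, String> parse(String text) throws SyntaxError {
            Map<String, String> out = new LinkedHashMap<>();
            for (String raw : text.split("\n")) {
                String line = raw.trim();
                if (line.isEmpty() || line.startsWith(";")) continue;       // blank line or comment
                if (line.startsWith("[")) {                                   // section header
                    if (!line.endsWith("]")) throw new SyntaxError("unterminated section: " + line);
                    continue;
                }
                // Planted bug: a line without '=' makes indexOf() return -1, and
                // substring(0, -1) throws StringIndexOutOfBoundsException instead of
                // the documented SyntaxError. This is the kind of input the fuzzer finds.
                int eq = line.indexOf('=');
                out.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
            }
            return out;
        }
    }

    /**
     * JQF calls this method repeatedly. The String argument comes from a
     * junit-quickcheck generator and is then mutated under coverage guidance
     * (Zest by default). Any exception other than SyntaxError, or a failed
     * assertion, is recorded as a failing input.
     */
    @Fuzz
    public void parseFailsOnlyWithSyntaxError(String input) {
        assumeTrue(input.length() < 4096);   // skip oversized inputs so the fuzzer explores structure, not length
        try {
            Map<String, String> kv = IniParser.parse(input);
            // Property: the parser must not report keys that do not occur in the input.
            for (String key : kv.keySet()) {
                assertTrue("phantom key: " + key, input.contains(key));
            }
        } catch (IniParser.SyntaxError expected) {
            // Documented failure mode: rejecting malformed input is correct behaviour.
        }
    }
}
```

With the jqf-maven-plugin configured, a run such as `mvn jqf:fuzz -Dclass=IniParserFuzzTest -Dmethod=parseFailsOnlyWithSyntaxError` drives the method, and `mvn jqf:repro` with `-Dinput=` pointing at a saved failing input replays a crash under a normal JUnit run; check the exact plugin options against the JQF README for the version you use. The assumeTrue call matters: JQF treats an assumption violation as an invalid input rather than a failure, so it is the right way to prune the input space without hiding bugs.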
Enrique Serrano is an author and a very popular IT security expert in Spain, where he is a frequent speaker and TV commentator on new cyber developments. Currently working for the Israeli company Cymulate Ltd., he previously worked for IBM Security and founded several companies. Lately he has investigated Android security and the ability to use the various capabilities of a smartphone to spy on its owner. Reports of similar possibilities on Apple’s iOS made the news in early September, but of course the same tricks can be pulled off on Android too. Enrique demonstrates how he can control the front-facing camera from a background task, all in his talk “Not Only On Apple: Spying on Android Users Through The Camera”.
Many people have started to use GraphQL as a welcome abstraction over traditional REST APIs. GraphQL solves many of the problems that REST brings with it. Nikita Stupin has been examining GraphQL setups closely as a bug bounty researcher. He found that the server side is more complex than with REST APIs, and he identified several implementation bugs that he considers systematic. His talk “Access control vulnerabilities in GraphQL APIs” will give an overview of typical pitfalls and best practices for securing GraphQL.
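One of the systematic pitfalls behind that talk title, shown as an added example that is not from the talk or from any GraphQL library: in GraphQL an object type is reachable through several paths, so an authorization check on the root field alone does not protect it. The toy resolver tree and executor below are plain Java without a graphql-java dependency; the names (Context, User, USERS, Field, Sel, schema, execute) and the sample data are constructed for illustration and assume Java 9 or later for Map.of and List.of.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.BiFunction;
import java.util.stream.Collectors;

public class GraphQLAuthzDemo {

    /** Execution context: the authenticated caller. */
    static final class Context {
        final String userId;
        Context(String userId) { this.userId = userId; }
    }

    /** Domain object behind the User type. */
    static final class User {
        final String id, email;
        final List<String> friendIds;
        User(String id, String email, List<String> friendIds) {
            this.id = id; this.email = email; this.friendIds = friendIds;
        }
    }

    /** Constructed sample data (not real accounts). */
    static final Map<String, User> USERS = Map.of(
        "u1", new User("u1", "alice@example.org", List.of("u2")),
        "u2", new User("u2", "bob@example.org", List.of("u1")));

    /** A schema field: the object type it returns (null for a scalar) and its resolver (parent, context). */
    static final class Field {
        final String type;
        final BiFunction<Object, Context, Object> resolve;
        Field(String type, BiFunction<Object, Context, Object> resolve) {
            this.type = type; this.resolve = resolve;
        }
    }

    /** A selection set: field name -> sub-selection (empty for scalars). */
    static final class Sel extends LinkedHashMap<String, Sel> {}

    static Sel sel(String name, Sel sub) { Sel s = new Sel(); s.put(name, sub); return s; }
    static Sel sel(String name) { return sel(name, new Sel()); }

    /**
     * Builds the schema. With fieldLevelAuth == false the only authorization is on the
     * root field `me`, which is fine for `me { email }` but useless once the same User
     * type is reached through another path such as `me { friends { email } }`.
     */
    static Map<String, Map<String, Field>> schema(boolean fieldLevelAuth) {
        Map<String, Field> query = new HashMap<>();
        query.put("me", new Field("User", (parent, ctx) -> USERS.get(ctx.userId)));

        Map<String, Field> user = new HashMap<>();
        user.put("id", new Field(null, (parent, ctx) -> ((User) parent).id));
        user.put("friends", new Field("User", (parent, ctx) ->
            ((User) parent).friendIds.stream().map(USERS::get).collect(Collectors.toList())));
        user.put("email", new Field(null, (parent, ctx) -> {
            User u = (User) parent;
            // Hardened variant: the resolver of the sensitive field checks the viewer
            // against the object it is resolving, whatever path led here.
            if (fieldLevelAuth && !u.id.equals(ctx.userId)) return null;
            return u.email;
        }));

        Map<String, Map<String, Field>> s = new HashMap<>();
        s.put("Query", query);
        s.put("User", user);
        return s;
    }

    /** Minimal executor: resolves each selected field and recurses into object results. */
    static Map<String, Object> execute(Map<String, Map<String, Field>> schema, String type,
                                       Object parent, Sel selection, Context ctx) {
        Map<String, Object> out = new LinkedHashMap<>();
        for (Map.Entry<String, Sel> e : selection.entrySet()) {
            Field f = schema.get(type).get(e.getKey());
            if (f == null) throw new IllegalArgumentException("unknown field " + e.getKey());
            Object value = f.resolve.apply(parent, ctx);
            if (f.type == null || value == null) {                 // scalar or null
                out.put(e.getKey(), value);
            } else if (value instanceof List) {                      // list of objects
                List<Object> items = new ArrayList<>();
                for (Object item : (List<?>) value) items.add(execute(schema, f.type, item, e.getValue(), ctx));
                out.put(e.getKey(), items);
            } else {                                                 // single object
                out.put(e.getKey(), execute(schema, f.type, value, e.getValue(), ctx));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        Context alice = new Context("u1");
        Sel query = sel("me", sel("friends", sel("email")));   // me { friends { email } }
        System.out.println("root-only check:   " + execute(schema(false), "Query", null, query, alice));
        System.out.println("field-level check: " + execute(schema(true), "Query", null, query, alice));
    }
}
```

Run as Alice, the root-only schema answers the friends query with Bob's email, while the field-level schema returns null for it. The general rule the example illustrates is that in GraphQL every resolver of a sensitive field or object must perform its own check against the execution context, because the server cannot assume anything about the path by which the object was reached; returning an error instead of null is equally valid, as long as the decision is made at the resolver.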
Swiss Post did not get the best press for the source code of its E-Voting offering this year. However, the results of the Bug Bounty Program / Public Intrusion Test are not so bad, and of course there is a lot more to Swiss Post than E-Voting. Marcel Zumbühl joined Swiss Post as CISO in 2018 and immediately started to do things in a remarkably different way. We are pleased to welcome him at Swiss Cyber Storm to hear how he and his team steer the company “Towards Customer Trust” across its wide range of offerings in a wildly complex world, amidst growing security concerns and ever denser interconnections.
Melanie Rieback’s company Radically Open Security is not your standard pen-testing company. In fact it is a for-profit front end that invests its profits, tax-free, in a Dutch foundation that does internet research and fights for digital rights. Radically Open Security brings together a group of idealistic security experts who thrive on their ambition to use their hacking skills in a socially responsible way. One tool that Melanie has developed with Radically Open Security is a chatbot that they use during their pen-testing gigs. If you think this must be a social engineering utility, you could not be more wrong. Join us to hear more about “Pentesting ChatOps” from Melanie Rieback.
If you have been counting, you probably noticed that there are two additional presentations in the standard tracks of the conference. These are slots taken by speakers who have not yet been confirmed. I plan to expand this blog post as soon as we have more to tell.
[Disclosure: Christian Folini is consulting Swiss Post on its E-Voting system.]