Confirmed lectures for FSec 2014
The version of the browser you are using is no longer supported. Please upgrade to a supported browser.Dismiss

View only
Speaker NameAffiliationLecture nameLecture abstractSpeaker Bio
FSEC Keynote: AlucFactor a 512-bit RSA modulus for a fistful of dollars. Wanted Solve glt mod p 256$ reward!So you use ssh and encrypt your email with gpg? Good! But is it really good enough to make sure there is no mitm on your ssh or 3 letter service reading your mails? In this talk aluc describes how it is broken and what are realistic scenarios in which you will get pwned. This talk relays only a bit on math since we do not break any keys. A pre installed sage on your system is welcome for a few easy calculations we can do together. But this is not a requirement, it’s only for entertaining purposes.

I will go through a few statements of the past. Than there is a very brief description how RSA, DH, DSA and the Discrete Log work in the first part of the talk. After that I will talk very short which factoring methods are out there. I will focus on Number Field sieving a bit more without becoming to mathematical (as much this is possible).
Than I will describe how to break a 512 bit modulus in 32h for 256$ on EC2 time. In the second part of the talk we work our way into the real problem of bad randomization starting with the explanation of the “birthday paradox” working our way up to industry grade firewalls. We gonna talk about a project i did last year.

Aluc started in the mid ’70s to play with computers and was fast drawn into them. Later run only on *nix systems. In the mid ’80s start in the Information Security from 1987 ’till 2002 working in the Information Business in both hostile and non-hostile environments. Became freelancer in 1993 -2010 from 2010 -2012 CIO in a mid-size company (14000 people in 35 branches). Now back on the “beat” Aluc is Freelancer again and performs security audits and cryptanalysis/forensics as profession. To contribute something to this great community Aluc is the host of Aluc.TV/Aluc.Radio podcast, speaker and organizer of the BerlinSides conference. If you whish to reach out to him you can ping him over twitter "@theAluc"
Filip Vlašić i Marko StanecNational CERTA short security overview of threats in Croatian Internet space and antibot.hrFilip Vlašić je diplomirao na Fakultetu elektrotehnike i računarstva 2009., a od 2010. godine zaposlen u CARNet-u gdje radi na mjestu inženjera za računalnu sigurnost u Odjelu za Nacionalni CERT. Bavi se razvojem sustava za detekciju računalnih napada. U sklopu Nacionalnog CERT-a, sudionik NATO i EU vježbi obrane od kibernetičkih ugroza.
Marko Stanec završio je informacijsko-komunikacijski smjer na Fakultetu prometnih znanosti, gdje je po završetku bio angažiran kao vanjski suradnik u izvođenju nastave iz kolegija Algoritmi i programiranje, te Računalstvo. Posljednje tri godine zaposlen je u CARNetu, prvo u odjelu za računalnu sigurnost nakon čega prelazi u odjel za Nacionalni CERT. Bavi se obradom računalnih incidenata, te provjerom ranjivosti računalnih sustava. Aktivno sudjeluje u radu Centra za sigurniji Internet.
Bernard ToplakORION informatics / Federation ServersIs your password "monkey", or just obsolete?* what’s wrong with your pa$$w0rd
* how long is yours? how long is mine?
* what passwords are crackable today?
* the alternatives? PKI? OTP? something else?
* demonstration, anyone?
Born in Varazdin, finished high school for economics and studied at the FOI Varaždin. Since the late 90's I enjoyed working with open source systems, experimenting with computer networking and web-oriented development. Since 2004. I was professionally administrating web servers and various systems. First started as co-owner of an IT company named Pacific Varazdin, and since 2008, i am the owner of "ORION" Informatics Varaždin, which currently works on several development projects of advanced web applications and server systems.
Tomica KaniskiN/AWorking with PowerShell DSCSession will provide an overview of PowerShell Desired State Configuration (DSC) feature. DSC is a PowerShell extension which ships with Windows Server 2012 R2 and Windows 8.1, and enables you control over multiple server configurations by providing a means of having “desired state” on all of them. We will show how you can make use of this feature in your test & production environments, and how can it help you to achieve more efficient multiple server configurations. Also, there will be a few words (and hopefully a demo) of using DSC in Linux environments.Tomica is Microsoft MVP (currently) for Hyper-V. You can find him presenting at various local and regional conferences, user group meetings or other events. In addition, he is also a Microsoft Certified Trainer and holder of many Microsoft certificates, as well as IT Pro community lead for Varazdin. He is fully engaged with Microsoft products and technologies, and mostly interested in products that are yet to be released...
Katja MalvoniEnergy-efficient bcrypt crackingBcrypt is a password hashing scheme based on the Blowfish block cipher. It was designed to be resistant to brute force attacks and to remain secure despite of hardware improvements. Peculiarities of bcrypt such as expensive key schedule with user-defined cost setting, random 32-bit lookups and 4 KB of local memory per instance make bcrypt moderately unfriendly to parallel implementation on modern CPUs. However, certain low-power hardware platforms exploit these peculiarities to achieve comparable performance and much better performance per Watt when compared to traditional CPU implementations. These platforms are many-core processor architectures and FPGAs.Katja Malvoni has finished her MSc at the University of Zagreb. In the summer of 2013 she was working with Openwall as Google Summer of Code student. Cooperation continued beyond GSoC and she is working on John the Ripper, developing support for energy-efficient platforms.
Miroslav ŠtamparZSISRiding the Overflow - Then and NowExploiting software vulnerability after finding one one has dramatically become harder, but still not impossible. Times of "Smashing the Stack for Fun and Profit" look like a distant past. Rules have changed in the last decade with introduction of security mechanisms such as: Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), NX (No eXecute)/XD (eXecute Disable)/XN (eXecute Never) bit(s), Stack Canaries, Structured Exception Handler Overwrite Protection (SEHOP), etc. In this talk popular security mechanisms will be presented together with respective counter-methods (if any) used by hackers to bypass them. Also, a small demonstration should be done accompanying the presentation.Working in ZSIS - Croatian Government CERT, one of sqlmap authors, habitating on Planet Earth
Ivan VorasFERA small Dogecoin payment processorTo use Dogecoin (or any other cryptocurrency) in a generic web shop scenario, it's useful to abstract certain functions in a separate service which processes the actual payment processing into s separate generic service. This talk will hopefully present such a service which aims to be easily integrated, with minimal effort, into web applications.Ivan Voras is a researcher and a developer with extensive experience in many fields of computer engineering, including operating system design, server software and hardware, and security. Within the field of computer security he is mostly interested in the cryptography aspect, algorithms and their applications in real life.
Ivan Voras is employed at the University of Zagreb, Faculty of Electrical Engineering and Computing.
Mislav BožičevićFOIOverview of Attacks on SSL/TLSAttack based on RC4 biases, Browser Exploit Against SSL/TLS (BEAST), Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH), Compression Ratio Info-leak Made Easy (CRIME), Lucky 13, Timing Info-leak Made Easy (TIME) and other attacks on SSL/TLS are discussed.Mislav Božičević is a student @ Faculty of Organization and Informatics (FOI) and a member of the Laboratory for Open Systems and Security @ FOI. He finished professional undergraduate program and earned his bachelor of computer engineering @ The Polytechnic of Zagreb and is currently finishing university graduate program @ FOI. At undergraduate level, with mentor, he successfully published "A HTTP-enabled Cryptographically Secure Hardware Random Number Generator" paper which is listed in IEEE Xplore. He enjoys securing networks and programming.
Ivo UgrinaGenos Ltd., Glycoscience laboratoryAnonymized informationIt is obvious that the rise of the modern science and industry
comes largely from the exploitation of the real world data.
It is also obvious that people mostly like their privacy and
being subjects in the data analysis makes them feel uncomfortable
if the personal data like ID number, year of birth, etc.
is not appropriately handled.

In this talk we shall take a look on the modern data analysis
of anonymized data introducing some basic concepts and highlighting
some basic problems.
Dr. Ivo Ugrina graduated Mathematics at the University of Zagreb, Faculty of Science in 2008
and obtained doctoral degree in Mathematics (Mathematical Statistics and Probability) from
the University of Zagreb in 2014. From February 2009 he worked as a research assistant at
the University of Zagreb, Department of Mathematics, in the group for Probability and
Mathematical Statistics. He joined Genos in January 2014 where he is currently Head of
Data analysis. As a part time lecturer he works in Department of Mathematics
(University of Zagreb and University of Split). His fields of interest include:
high dimensional statistics, classification, regression, tensors in applications,
applied probability models in biology and informatics, probability models simulations.
Jakov Andric, Dario Filipaj, Matija KruljacFOISocial Engineering: Student awareness, from different studies, of Phishing attacksToday social engineering and phishing attacks are serious threats. Although students in Croatia are relatively well aware of the existence of these kinds of attacks, they are not educated enough for the protection and prevention of attacks. Education in higher learning institutes is one of the main factors that influence on the positive acquisition - preventive habits and increase awareness of danger generally. Since the attackers do not choose victims according to their profession, in other words all students are equally exposed to attacks, it is necessary to introduce at least basic education about social engineering and phishing attacks in all study fields.
This paper analyze collected data using several statistical methods on which few conclusions are based. Those conclusions may be used for guidelines in future research or decision making. Data was collected using online survey, selected units of observation are students.
Main research questions:
• Exposure of students to Phishing attacks,
• Success of implementing Phishing attacks against students - correlation of perceived success of phishing attacks, and results in real (practical) examples,
• Education as a preventive measure against Phishing attacks - correlation between the students and their education due to the questions:
o How often do you check the URL after opening links?
o Do you know the difference between http and https protocol?
Jakov Andrić
Jakov Andrić was born on 02.11.1990. in Doboj (Bosnia and Herzegovina). He attended elementary school Markuševec in Zagreb and also First Technical School Tesla. Currently he is second year of graduate studies at the Faculty of Organization and Informatics in Varaždin,"Information and Software Engineering.". Main interests are playing strategic games, developing new applications and exploring new scientific stuffs.

Dario Filipaj
Dario Filipaj was born on 17.04.1990. in Zagreb where he attended elementary school. Nikola Tesla, and then the First Technical School Tesla. Currently he is second year of graduate studies at the Faculty of Organization and Informatics in Varaždin, "Information and Software Engineering." The main interests are the development of web and mobile applications, in several student competitions he has achieved very good results. In his free time he trains savate boxing.

Matija Kruljac
Matija Kruljac born 26.04.1990. in Nova Gradiska. Elementary school Matije Gubeca ends in Cernik, then a secondary electrical engineering school in Nova Gradiska, direction "computer technician". Currently he is second year of graduate studies at the Faculty of Organization and Informatics in Varaždin, "Information and Software Engineering." The main interests are the development of web and mobile applications. During his studies, he worked at two companies where he worked on creating web and desktop applications. In his free time he also trains boxing.
Vlatko KosturjakDivertoBypassing personal firewalls - the easy wayImagine you have malicious application and C&C server waiting for apps to report. Or some data waiting on the owned or infected computer to be exfiltrated. If personal firewall is installed and enabled correctly, malicious application usually have hard time bypassing personal firewall. Few tricks would be presented in order to perform bypass of personal firewalls or windows firewall.Vlatko Kosturjak is security consultant at Diverto where he helps clients to reach desired security level(s). He likes to break and build depending on the mood and time of day(night). Beside security, his passion is open and free software, so he contributed code to various free security software like OpenVAS, nmap and Metasploit.
Dobrica PavlinušićI can haz your board with JTAG!In this talk, we will take a reverse engineering approach at commercially available board with Altera CPLD, find out pinout of JTAG and re-purpose it for our needs.

While presented example is intentionally simple so we can pass through all steps in single talk, same skills are useful when trying to figure out security issues in products, so you might leave with more understanding of JTAG, how to find pinouts, figure out components and read data sheets.
Dobrica Pavlinusic, self-proclaimed Unix addict and Internet consultant graduated from The University of Zagreb, Faculty of Organization and Informatics in Varazdin where he received B.Sc. in Information Sciences.

His fields of interest include Internet technologies, Unix, Open Source movement, Free software and Linux.

Member of the supervisory board of HULK - Croatian Linux User Group and member of executive committee of HrOpen - Croatian Open Systems Users Forum.

Most of his time is spend solving problems using Free/Libre Open Source Software.
Tonimir KišasondiFOI / OWASPForce multiplier - Guided password crackingIn this talk, I will show how to better target password cracking and guessing attacks against offline password lists or online systems. We will cover custom wordlist creation from multiple languages and sources, targeting via personal data collected by abusing a popular search provider and scraping various databases to obtain enough data to help us. We will show how to use those lists with the help of a tool called unhash to deliver targeted password cracking attacks and drastically reduce our search space. The popularity of usage "slow" hashes like bcrypt, scrypt and PBKDF2 with big round sizes requires us to try a smaller quantity of possible passwords. The adage "Brute force: If it isn't working, you are not using enough of it" is simply not true anymore, so we have to adapt our methods.Tonimir Kisasondi is the head of the open systems and security laboratory at the Faculty of organization and informatics in Varazdin,Croatia, where he works since 2008. He currently likes to improve systems, usually by breaking them. He authored multiple papers, frequently lectures on regional scientific and professional conferences. He is the organizer of FSec security symposium (
Esteban RibicicNone!Introducing eramba: Open-Source Security GovernanceI’ll be introducing eramba, an open-source web application for IT Security Governance, Risk & Compliance. The tool centralizes the analysis, management and reporting of governance related tasks such as Risk, Compliance, Audits, Asset, Project and Security Awareness management.

We have presented the project during 2013 at conferences Hungary (ISACA), India (CoCon) and Stockholm (Nordics Conference).
I’ve been in security since 1999, first on very technical roles and later as my hair grew whiter mostly focused on governance and business aspects of security. I was responsible for Hewlett-Packard Security Consulting business and portfolio in a large European region and I’ve also worked at managerial roles in multiple organizations. I’ve hands-on consulted since the very beginning.

I hold some formal education (studied Engineering, working on an MBA, Etc), security oriented certificates (CISSP, CISA, CISM, ISO27K LA, Etc) and participated on conferences (in some not just having drinks but also speaking) with other organizations (OWASP, CoCon, ISACA, Etc).
David Kaloper MeršinjakTLS: redoneIn this talk I aim to present our newly developed from-scratch TLS implementation [1], written in OCaml and targeting primarily Mirage [2], an exokernel-like operating system written in (and for) OCaml and running directly on top of Xen. I want to give a brief introduction to the current state of TLS, the lessons learned from a couple of months spent reimplementing it from scratch, the trade-offs of having done that in a high-level programming language and the future perspective of the library.
Joint work with Hannes Mehnert.
[1] -
[2] -
David is an independent hacker and a long-time functional aficionado. His interests turned to security protocols in 2013, after a contracting gig with the Tor Foundation, where he was tasked with fixing bits of Tor infrastructure that were written in Haskell. In early 2014, this led to an effort to reimplement TLS in a functional language, using strong functional principles. TLS project eventually led David and his collaborator Hannes to University of Cambridge, where they worked for The Computer Laboratory for three months, polishing TLS and integrating it with their Mirage project. Collaboration with CL is still ongoing.
Robert PericaReversing LabsPE packers 101In a world where a one-byte change can make a difference between identifying malicious software and claiming the files are "clean", robust unpackers are a must. It's not uncommon for a file to be packed, and to get to the core, to really find out what makes it tick, one must remove the layers which cloud one's vision. This talk will attempt to introduce the topic to the wider audience, as well as clear up some misconceptions closely related to packer identification.Robert Perica graduated in Computer Science at Faculty of Electrical Engineering and Computing, Zagreb, and has since been working for ReversingLabs, analyzing software packers and file formats.
Vedran VukovacOverview of the Current Cyber-war Situation: Russian Information Warfare Capabilities and Is Islamic State (ISIS/ISIL) a Global Cyberspace Threat?--TBD--Years of experience in ICT, marketing and management in almost 10 companies. Learned hacking from Eric “Emmanuel Goldstein” Corley. CCC member in late eighties and early nineties.
Filip SabalićFOIVPN technologies overviewIn this talk we will orient to secure VPN technologies and mention trusted VPN technologies. By using VPN technology everyday we tend to neglect security.
In this lecture we will describe common types of VPN users and considering their needs describe advantages and disadvatages of suggested VPN technologies.
To use PPTP with Microsoft implementation of MSCHAP-v2 or to use double encapsulated L2TP/IPSec, or in the end by using openVPN in location with limited bandwith?
Filip Sabalić is a undergraduate student at Faculty of Organization and Informatics and a member of the Laboratory for Open Systems and Security. His main interests are computer networks and cloud operating systems. In free time he spends a lot of time in GNS and Wireshark, between coffes of course.
Adrie StanderAmsterdam University of Applied Sciences Digital Forensic Trends A Descriptive Literature Review of Digital ForensicsThe young field of Digital Forensics is in strong need of a formal structure. The exact components of Digital Forensics are often uncertain. This makes it difficult to create curricula or research agendas. It is also difficult to determine what to focus on during the acquisition of tools and skills development of staff. This also complicates the creation of proactive incident response programs. This paper aims to determine the areas of importance in the field of Digital Forensics by analyzing a large number of published papers to find the focus areas of the fieldAdrie is a lecturer at the University of Cape Town, South Africa and at the Amsterdam University of Applied Sciences. He specializes in Digital Forensics and was responsible for the first Postgraduate Program in Digital Forensics in Africa. Adrie has published widely on this topic and have spoken at many conferences.
Elmer HoeksemaAmsterdam University of Applied Sciences The ongoing battle against banking malware in the NetherlandsA casual presentation on the ongoing battle between the banks and digital attacks on customer-bank interactions. Attackers are agile and persistent, because gains are high and technology offers them seemingly endless possibilities. Justice systems are complex and ineffective, leaving banks on their own. The wild-west of the modern banking arena.Elmer Hoeksema is a member of the forensics research group in CREATE-IT and program manager of System and Network Engineering at the Amsterdam University of Applied Sciences. Security and forensics are an important and integral part of the curriculum.
Nathan MagniezRapid7Alice in exploit redirection land: A trip down the rabbit holeLearn to understand the sweet complexity that is redirection. Keep yourself anonymous and out of your target's logs. In this lecture we will cover the topic of redirection and how to use it to send our (exploit) packets through to our end target.
Understanding redirection, and how to accomplish it manually, is one of the most important concepts for a PenTester. This talk will cover everything you need to accomplish that goal.
Nathan Magniez is a Senior Security Consultant at Rapid7.
I started my career in the United States Marines Corps. During my time in the Corps, I served on tactical teams, at 2nd Radio Battalion in Camp Lejeune, that focused on wireless collection and Digital Network Exploitation (DNE). I also served as a Red Team Computer Network Operator for the Department of Defense. Prior to joining Rapid7, I worked as a Senior Computer Network Operations (CNO) Instructor and Course Developer at TeleCommunication Systems' Art of Exploitation (AOE) Training Center and at Qualys, Inc. on their team of Vulnerability Research and Detection engineers. I also worked as an Incident Responder and Special Investigator on the National Incident Response Team (NIRT) at the Federal Reserve Bank of NY & SF in support of the U.S. Treasury. I am also actively involved with Hackers For Charity. The program Hack Hunger directly funds and supplements HFC's Food For Work program. For more information on how to help HFC, please see: