Archive for the 'Hacking' Category

IT Security Days @ HEIG-VD

Jan 05 2011 Published by Pascal under HEIG-VD,Hacking


[08/01/2011 UPDATE]: An online registration form is available!

Together with a few colleagues, I am organizing three “IT Security Days” at HEIG-VD during the spring of 2011.

The first day targets the topic of “Ethical Hacking” (February 9th, 2011), the second one the specific subject of “Web Application (In-)Security” (March 16th, 2011), and the third day is dedicated to cyberwar, information warfare and other related areas (April 7th). All three days will take place in the HEIG-VD aula, on the university’s main campus in Yverdon-les-Bains, each time from 09h30 to 17h00. The pricing is moderate and includes lunch.

Widely recognized experts in their fields will give interesting, informative and entertaining talks to attending IT professionals and anyone concerned about the growing insecurity of our e-world.

Our list of speakers includes:

  • Paul Such, the founder of SCRT, a Swiss company specialized in IT security and providing services such as penetration tests (ethical hacking), forensics, consulting and training;
  • Ivan Buetler, a co-founder of Compass Security AG, a Swiss ethical hacking and penetration testing company located in Rapperswil;
  • Marco Ricca, the founder and CEO of IRIS, a leading Swiss company in Managed Security Services. Mr. Ricca has been involved in auditing and consulting for Swiss financial institutions and industry enterprises for over 12 years;
  • Martin Vuagnoux, an independent security and cryptography consultant specialized in automated cryptanalysis of wireless communication protocols and offensive security;
  • Sylvain Maret, a principal consultant for MARET Consulting and a co-founder of the Geneva AppSec forum and the OpenID Swiss chapter;
  • Rolf Oppliger, the founder and owner of eSECURITY Technologies (www.esecurity.ch) and an adjunct professor at the University of Zurich;
  • Antonio Fontes, a principal consultant at L7 Security, a Swiss-based consultancy specializing in online security and privacy, as well as a board member of the OWASP Switzerland chapter;
  • Philippe Oechslin, the founder of Objectif Sécurité, a company specialized in security audits and consulting in the French-speaking part of Switzerland, as well as a lecturer at the Swiss Federal Institute of Technology (EPFL);
  • Antti Tikkanen, who works in the F-Secure Labs in Helsinki, Finland. He is responsible for the research and development of rootkit scanning, behavior based protection and heuristic detections;
  • Daniel Ventre, an expert in cyber-security and cyber-defense, a researcher at CESDIP, as well as a teacher at Telecom ParisTech and the ESSEC Business School;
  • Col. Gerald Vernez, who founded the Information Operation capabilities of the Swiss Armed Forces, and is chief of staff of the Joint Staff;
  • Riccardo Sibilia, who is the head of the Cyber-Threat Analysis Team within the Swiss Armed Forces Command Support Organization;
  • Mauro Vignati, an analyst at MELANI, the Swiss Reporting and Analysis Centre for Information Assurance.

In the meantime, you can find more information on the event’s website, or in the flyer [PDF].

This event is organized in partnership with the GITI, the OWASP and the CLUSIS.



Insomni’hack 2011

Nov 10 2010 Published by Pascal under Français,Hacking

A few days ago, I received an e-mail from the company SCRT in Préverenges announcing the date of the next edition of Insomni’hack:

  • The 2011 edition will take place at HEPIA in Geneva (rue de la Prairie 4) on Friday, March 4th, 2011, starting at 18h00.
  • New this year: talks (with technical content) will be held on Friday afternoon.

A date to put in your calendar right away, while waiting for more details!

Note that this company has also recently started publishing a blog in French with technical articles that are well worth a look.


Talk at #days

Aug 30 2010 Published by Pascal under Cryptography,Hacking

I am fortunate enough to give a talk at #days, a security conference organized by the DEFCON Switzerland association and scheduled November 3-6, 2010, at the Radisson BLU hotel in Lucerne (Switzerland).

My talk will focus on the security of open-source cryptography libraries, mainly when used on embedded platforms. Here is its abstract:

In this talk, we will discuss the (low-level) security of common open-source general-purpose cryptographic libraries, like OpenSSL and its siblings, against various types of side-channel attacks. Although they provide rather adequate practical security when used on high-end architectures, like desktops and servers, using such libraries to secure applications running on embedded platforms is more than problematic, as we will show using several practical examples. For instance, we will demonstrate that most open-source cryptographic code runs in time dependent on secret values, like RSA private keys. We propose to discuss how an attacker can leverage this knowledge by mounting practical timing attacks, or by exploiting other physical leakages, information that is most of the time quite easy to obtain on embedded platforms. Finally, we will describe several best-practice techniques of secure programming that are currently almost never applied in common open-source cryptographic libraries.
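To make concrete what "runs in time dependent on secret values" means for an RSA-style exponentiation, here is an added example (not code from the talk or from any library named above). It is a toy 32-bit modular exponentiation written two ways, with a counter standing in for running time; the function names, base and modulus are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define EXP_BITS 32              /* fixed loop length: the exponent size is public */
static unsigned long mul_count;  /* instrumentation: modular multiplications done */
/* Toy multiply, n < 2^32 so a*b fits in 64 bits ('%' is itself variable-time on many CPUs). */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) {
    mul_count++;
    return (a * b) % n;
}

/* Square-and-multiply: the extra multiply runs only for 1 bits of the secret exponent. */
uint64_t modexp_leaky(uint64_t base, uint32_t exp, uint64_t n) {
    uint64_t r = 1 % n;
    base %= n;
    for (int i = EXP_BITS - 1; i >= 0; i--) {
        r = mulmod(r, r, n);
        if ((exp >> i) & 1) r = mulmod(r, base, n);
    }
    return r;
}

/* Branch-free conditional swap: the mask is all ones when bit == 1. */
static void cswap(uint64_t *a, uint64_t *b, uint64_t bit) {
    uint64_t t = (*a ^ *b) & ((uint64_t)0 - bit);
    *a ^= t; *b ^= t;
}

/* Montgomery ladder: one multiply and one square per bit, whatever the bit's value. */
uint64_t modexp_ladder(uint64_t base, uint32_t exp, uint64_t n) {
    uint64_t r0 = 1 % n, r1 = base % n;      /* invariant: r1 == r0 * base (mod n) */
    for (int i = EXP_BITS - 1; i >= 0; i--) {
        uint64_t bit = (exp >> i) & 1;
        cswap(&r0, &r1, bit);
        r1 = mulmod(r0, r1, n);
        r0 = mulmod(r0, r0, n);
        cswap(&r0, &r1, bit);
    }
    return r0;
}

/* Multiplications performed by f for one exponent (constructed base and modulus). */
unsigned long count_muls(uint64_t (*f)(uint64_t, uint32_t, uint64_t), uint32_t exp) {
    mul_count = 0;
    (void)f(7, exp, 1000003);
    return mul_count;
}

int main(void) {
    printf("leaky %lu/%lu, ladder %lu/%lu\n", count_muls(modexp_leaky, 1), count_muls(modexp_leaky, 0xFFFFFFFFu),
           count_muls(modexp_ladder, 1), count_muls(modexp_ladder, 0xFFFFFFFFu));
}
```

The square-and-multiply version's work tracks the Hamming weight of the exponent, while the ladder's operation count is the same for every exponent. A fixed operation count closes only this one channel; the multiplication and reduction primitives underneath must also be constant-time.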
