SEC-T - 0x10sion

10-13th of September 2024

Speakers 2016

Speakers will be published continuously during the review process. If you made a submission and have not heard back from us, you are still being considered for a speaker position.

Speakers are presented in no particular order.

Adam Laurie

OLD SKEWL HACKING: DVB-T Black Button Pivot

This research looks at vulnerabilities in UK DVB-T Televisions, created by the requirement to adhere to the MHEG standard in order to support “Freeview”, the UK’s national Free To Air television, radio and data service. This standard pre-dates today’s “Smart” TVs, but affects them as well as older models, and includes some Internet capability, thus opening up the possibility of pivoting from DVB-T to the Internet on every TV installed in the UK that has some kind of Internet connection.

I will demonstrate the attacks as well as providing detailed information on techniques & tools used.

Adam Laurie is a security consultant working in the field of electronic communications, and a Director of Aperture Labs Ltd., who specialise in reverse engineering of secure embedded systems. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, DOS and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe’s largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and wrote the world’s first CD ripper, ‘CDGRAB’. At this point, he became interested in the newly emerging concept of ‘The Internet’, and was involved in various early open source projects, the most well known of which is probably ‘Apache-SSL’, which went on to become the de-facto standard secure web server. Since the late Nineties he has focused his attention on security, and has been the author of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres housed in underground nuclear bunkers as secure hosting facilities.

Adam aka “Major Malfunction” has been a senior member of staff at DEFCON since 1997 and is the POC for the London DEFCON chapter DC4420. Over the years he has given presentations on forensics, magnetic stripe, EMV, InfraRed, RF, RFID, Terrestrial and Satellite TV hacking, and, of course, Magic Moonbeams. He is the author and maintainer of the open source Python RFID exploration library ‘RFIDIOt’, which can be found at http://rfidiot.org.

David Jacoby & Stefan Tanase

REAL-WORLD LESSONS ABOUT SPIES EVERY SECURITY RESEARCHER SHOULD KNOW

Intelligence agencies need intelligence. Recruiting people who know stuff is one of their tasks, but how do they actually do it? What do they want? What are their methods? David and Stefan, who both work at Kaspersky Lab, have tracked and documented operations from different intelligence agencies and are going to give you a full disclosure presentation about what is actually happening in the industry regarding intelligence and security researchers.

“My name is David, I’ve walked this earth for 35 years. In my spare time I play with myself, and if I get lucky sometimes with other people. I like computers! Most of the time I break stuff and then talk about it. I have no education, no fancy certificates, diplomas or anything like that, but I do have a job which I like. I’ve written books, been in movies, traveled the world for security conferences. When I grow up I want to be a unicorn!” /Bio stolen from an undisclosed website dump.

Neal Hindocha & Lucas Lundgren

LIGHT-WEIGHT PROTOCOL! SERIOUS EQUIPMENT! CRITICAL IMPLICATIONS!

IoT has exploded with a plethora of devices and protocols. Lucas will show you some problems with the popular MQTT protocol. This protocol exposes thousands of devices, everything from ATMs, medical equipment and vehicle tracking to prisons and pressure sensors. Not only can attackers read the data, they can write to it as well, which puts this problem in a different light.

Neal Hindocha has been working in the security industry since 1999. He began his work at SARC (Symantec Antivirus Research Center), reverse engineering malware and writing signatures for Symantec’s antivirus products. From there, he moved on to penetration testing, and has since been a consultant for Verizon Business and Trustwave, where he helped build the mobile testing services and focused on deliveries for advanced projects.

Currently, Neal is a Principal Consultant at FortConsult (part of NCC Group), focusing on new service areas such as cloud and IoT, whilst still reversing the odd malware and delivering pentests.

Lucas Lundgren has vast experience in IT security, with the “bad luck” (or tendency) to annoy companies by reporting vulnerabilities in their products.

He started breaking things at the age of twelve, and has reported numerous vulnerabilities in various products. Having worked with penetration testing professionally for over 12 years, Lucas has held IT security positions within companies such as Sony Ericsson and IOActive, to name a few. He was also part of Corelan Team before moving on to FortConsult (part of NCC Group). Lucas has been breaking everything from OS vendors to financials, and he has spent a considerable amount of time inside “impenetrable fortresses”. Most of his clients have been outside Sweden, and his work has taken him around the world. He focuses primarily on penetration testing as well as fuzzing and exploit development, no matter the platform or medium, and he also has a passion for IoT and smart technology.

Tyler Bohan

IN THE ZONE: OS X HEAP EXPLOITATION

The most recent literature on exploiting the OS X heap was written in Phrack in 2005. Though the same region allocation scheme is still in use, the implementation has changed significantly. I am going to dive into how the OS X heap is laid out in memory, what is unique about its region-based allocator, and how this changes common exploitation techniques. We will also be releasing tooling that works with LLDB to further enhance the user’s ability to look into the current state of the heap and query the various zones for information. We will also be releasing the most advanced LLDB init available and truly push LLDB to be much more user friendly and functional. After an overview of the heap and how it is laid out, we will present a case study of real world heap exploitation based on vulnerabilities found at Cisco Talos.

Tyler Bohan is a Senior Research Engineer with the Cisco Talos Vulndev Team specializing in vulnerability research and exploitation. Tyler is the creator of MacDBG, a general purpose debugging framework for OSX.

Arron “Finux” Finnon

STATE-SURVEILLANCE: TREASON, HERESY AND THE BOY THAT DRIVES THE PLOW

There once was a man from Dundee, who traveled quite frequently. He ranted and raved, and laughed and joked about issues in security. He then changed his tune, from hackers and doom, to stories about history. So you should feel quite blessed to have experienced this mess, and witnessed my poetry.

Societies may change, but the status quo remains the same. What happens when a super-power has its secrets exposed? Can a government understand the human cost of wars against religious extremists? Will those chosen to govern ever be able to control the pace of technological developments? Can a state assassinating its exiles in other countries ever really be morally justified? These are just some of the topics covered within this talk.

Granted, this talk looks as though it’s going to repeat the same Snowden/Wikileaks/Manning stories we’ve all come to expect at a security conference, but you’d be wrong. This talk looks at state surveillance during the Reformation in Europe in the 16th Century. This particular period in history is interesting for many reasons, yet the parallels to modern dilemmas are clear. Has little changed in 500 years?

Vyrus

HTTP/2 & QUIC – TEACHING GOOD PROTOCOLS TO DO BAD THINGS

The meteoric rise of SPDY, HTTP/2, and QUIC has gone largely unremarked upon by most of the security field. QUIC is an application-layer UDP-based protocol that multiplexes connections between endpoints at the application level, rather than the kernel level. HTTP/2 (H2) is a successor to SPDY, and multiplexes different HTTP streams within a single connection. More than 10% of the top 1 million websites are already using some of these technologies, including many of the 10 highest-traffic sites. Whether you multiplex out across connections with QUIC, or multiplex into fewer connections with HTTP/2, the world has changed. We have a strong sensation of déjà vu with this work and our 2014 BlackHat USA MPTCP research. We find ourselves discussing a similar situation in new protocols, with technology stacks evolving faster than ever before, and network security is largely unaware of the peril already upon it. This talk briefly introduces QUIC and HTTP/2, covers multiplexing attacks beyond MPTCP, discusses how you can use these techniques over QUIC and within HTTP/2, and discusses how to make sense of and defend against H2/QUIC traffic on your network. We will also demonstrate, and release, some tools with these techniques incorporated.

Ulf Frisk

DIRECT MEMORY ATTACK THE KERNEL

Inexpensive universal DMA attacking is the reality of today! In this talk I will explore and demonstrate how it is possible to take total control of Linux, Windows and OS X kernels by DMA code injection. Once control of the kernel has been gained I will execute code and dump gigabytes of memory in seconds. Full disk encryption will be defeated, authentication will be bypassed and shells will be spawned. This will all be made possible using a $100 piece of hardware together with the easy to use modular open source PCILeech toolkit.

Ulf Frisk is a penetration tester working in the Swedish financial sector. Ulf focuses mainly on online banking security solutions, penetration testing and IT security audits during daytime and low-level coding during nighttime. Ulf has been working professionally with security since 2011 and has a dark past as a developer. Ulf has previously spoken at DEF CON 24 this year.

Francisco Blas Izquierdo Riera “Klondike”

HOW TO BREAK PETYA’S CIPHER WITH PEN & PAPER

After leon-stone published a program in Go able to break Petya’s key using genetic algorithms, I set out to understand which weaknesses in Petya’s version of Salsa20 allowed such an approach to succeed.

In this talk I’ll cover how I modeled Petya’s cipher from leon-stone’s implementation using pen and paper to discover the initial flaw with the 32-bit shifts (which meant 5 bits of the key were left unmixed), and how I improved those attacks to recover at least 7 bits and finally the whole key. To this end, I’ll explain how ciphers can be modelled as sets of boolean equations and how these can be used as a simple metric to check the diffusion of algorithms.

Although Francisco had always had the curiosity inherent to hackers to take things apart to see how they worked, and even fix them, and learnt how to use MS-DOS at the age of 7 so he could play Commander Keen on his father’s computer, things looked as if he was just going to be a computer programmer. After spending a summer reading Bruce Schneier’s Applied Cryptography and taking part, after lots of persuasion by the organizers, in a CTF competition where he wrote his own tools, things started escalating quickly. Since then Francisco has done things like participating in some CTFs, becoming a Gentoo Hardened developer, writing an Arduino bootloader able to cryptographically verify updates, contributing cryptographic code to the Haskell community, writing a fast implementation of the TTH algorithm and championing the introduction of new standards in the ADC protocol. Currently, Francisco works as a pentester and in-house developer at Coresec Systems AB, where he also supports other workers in cryptographic matters whilst trying to do his research in his spare time.

Anne-Marie Eklund Löwinder

THE SEVEN LORDS OF THE KEY TO THE INTERNET

It sounds like fantasy: seven keys, held by individuals from all over the world, that together control security at the core of the internet? The entire process of DNSSEC signing of the root zone leans heavily on the participation of trusted representatives from the global internet community, selected to take an active role in the key management process based on an n-out-of-m scheme. Some of these trusted representatives are appointed as Crypto Officers, holding keys to retrieve the credentials needed to activate the hardware security module (HSM) with which all the operations are made.

Rumours about the power of the keyholders abound: could they use their keys to switch off the internet? Or, if someone somehow managed to bring the whole domain name system down, could we turn it on again?

The keyholders have been meeting four times a year in the US, twice on the East coast and twice on the West coast, beginning in June 2010. During my presentation I will tell more about the process, the security model and what is going on right now – with a KSK key rollover coming up. Is it worth it?

Vesa Virta

TIME / MEMORY TRADE OFF FOR HASH CRACKING

GPUs and other hardware have during the last years made huge improvements in hash cracking. Will time/memory trade-off techniques such as rainbow tables ever come into fashion again? Or are there still cases where we can find uses for them, or for other methods that make use of mass storage, which is also getting cheaper?

Vesa Virta has over 20 years of experience of being an IT-security-intelligence-dude. An ordinary day contains tasks ranging from things he cannot talk about to things he can definitely not talk about. However, any similarities between the day job and the presentation are purely circumstantial.

Eric Michaud

Mapping the invisible – A journey into discovering tor hidden services

Eric Michaud has been working in the security industry since about 2008 when he began his first official job out of college at the DoE. Fast forward to today and he’s been working in private industry on the physical side of things with his company Rift Recon and the digital side with Darksum which has been acquired by Intelliagg. In his recent spare time he took up the violin, codes in Python, and picks the occasional lock.

Mattias Borg

SCAM CALLER – Call Dropped

“Hi, I’m calling from the technical department and your computer is infected.” This is very common, and we saw a sharp increase in scam calls targeting Sweden at the end of last year. But sometimes someone decides to have fun with the caller.

Love Björk

Best practice, the inconsistency of doing it the right way

Love is a student in computer networks at Mälardalens Högskola. While working in first line support he realized that he was more interested in how the network actually worked than in helping customers. There and then he decided to learn more. Roughly two years have passed since that job, and now he is one of our speakers, giving his thoughts on how best practice works from the perspective of someone new, with fresh eyes.

Olleb

Solving the FRA challenge, again

Repeating his performance from last SEC-T, Olle will show you how to solve this year’s FRA recruitment challenge. Both Python hacking and crypto solving are on the menu in this retro-themed crackme.

While Olle’s beard is getting grey, he does try to keep his mind and his razor sharp. His second favorite way of staying relevant is by showing others how to solve fun challenges.

Fredrik Söderblom & Joachim Strömbergsson & Peter Norin

Crypto implementation flaws in Pacom GMS System

The Pacom 1000 CCU and controllers (RTU) are used in security alarm installations all over the world. The flaws we have found can bypass the security of any unpatched installation.

The talk will describe how we found the flaw during an audit of critical infrastructure, when we were expecting flaws in other parts of the audited system, but not in the physical alarm system itself.

The fundamentals of the flaws are described in the CVE we published in December 2015. This talk has previously only been presented to closed audiences under NDA.

Fredrik Söderblom, Senior Security Advisor and founder of XPD AB.

For more than 20 years, Fredrik has been engaged as an IT architect, expert advisor and security advisor, both in Sweden and internationally.

As Fredrik has worked in multiple sectors (ranging from the defense sector and financial institutions, governmental agencies and organizations to private businesses), all with different business goals, he has developed an in-depth understanding of what is required of a security architecture in order to both fulfill the business goals and pass a security audit, ensuring that systems are secure and safe.

Fredrik is also an appreciated teacher and has been hired as a lecturer at universities and conferences both in Sweden and abroad.

He has worked with security since 1992 when he designed and implemented the first firewall for his then employer, Hewlett-Packard in northern Europe.

Joachim has been designing processors, digital hardware and embedded systems since 1991. Way before that he started messing with security. Working at Assured, Joachim helps customers choose the right crypto and other security mechanisms for their products and services.

Since 1998 Peter has focused on network, infrastructure and system design/security. While working at XPD he has also worked extensively with the technical parts of IT security audits, focusing mostly on internal and external intrusion reviews, both in the EU and the US.