Schedule

The opening keynote by Dave Lewis will be a look at our motto "Embracing the Hackers" from various perspectives, all based on the many, many years of experience, that Dave aka Gattaca brings to the stage.

Efforts to tackle the looming threat of data breaches have seen businesses embrace hackers through crowdsourced security programs, or bug bounties. Bug bounties are used as a financial, or points-based, incentive for independent hackers to find security vulnerabilities within an organization’s infrastructure before cybercriminals do. This approach to security management has become a burgeoning marketplace, with at least half a million hackers now searching for bugs in exchange for cash or recognition. Despite this growth, bug bounties have faced criticism from some within the security community, while many businesses may still balk at the idea of paying hackers to break into their systems.   In this talk you’ll learn what a bug bounty program is, how it can benefit an organization, where it fits alongside other security tools, and the challenges in implementing it to improve your defense posture.

In February of this year, the furthest thing from my mind was e-voting in Switzerland. This talk will take you on a journey through the last 8 months of my life, from my relative ignorance of Swiss elections all the to suspension of the Swiss Post system in Switzerland. On the way we will cover some of the pitfalls of implementing secure, cryptographic zero knowledge proofs and discover why an "unrelated" election system in Australia had to be patched during an election. We will conclude by analyzing what the future of e-voting might look like, and how to build confidence in the next generation of election systems.

Fuzzing is the process of automatically feeding potentially corrupt input to a program with the goal to find undesired behavior. While fuzzing is a topic mostly applied to projects in memory unsafe languages such as C and C++, it is getting more frequently applied to other programming languages such as Java. The goals of the fuzzing process are usually different though and range from finding simple errors to finding issues such as Denial of Service (DoS) or Server Side Request Forgery (SSRF). To make the fuzzing process as efficient as possible, modern approaches more and more instrument the code and try to maximize code coverage. The JQF tool is one of the tools that was inspired by the well-known American Fuzzy Lop (AFL) fuzzer and aims to bring coverage-guided fuzzing to Java. JQF allows to integrate fuzzing into a developer's daily process by writing a simple unit test. This talk will give a short introduction and shows what kind of security issues have been found in the past as well as how you can use the power of fuzzing in your development process.

How secure are traditional voting methods really? When it comes to voting or election fraud in Switzerland, there are known occurrences of adversaries destroying casted paper ballots. This talk is based on Christian Killer's security and process analysis of the Swiss Postal Voting Process. In a 2nd part, Melchior Limacher outlines various threat events from a practical, adversarial perspective. Therefore, this talk focuses on the central question that nobody asks: how hard would it be for an adversary to attack traditional voting channels in Switzerland? A few days before the national election, this talk touches on a few inconvenient facts.

Enrique Serrano is an author and very popular IT security expert in Spain where he is a frequent speaker and expert on new cyber developments on TV. Currently working for Israeli Cymulate Ltd., he previously worked for IBM security and founded several companies. Lately he investigated Android security and the ability to use the various capabilities of a smart phone to spy on the owner. The news of similar possibilities on Apple’s iOS hit the news in early September, but of course, you can pull off the same tricks on Android too. Enrique demonstrates how he can control the front end camera from a background task. All in his talk “Not Only On Apple: Spying on Android Users Through The Camera”.

GraphQL is relatively new technology which is used by more and more companies nowadays. While GraphQL solving major problems of the REST APIs at the same time it introduces significant growth of server-side complexity which naturally increases chances for vulnerabilities. In this talk you'll learn about core concepts of GraphQL and its components. On that basis common security pitfalls of GraphQL API implementations will be shown as well as how to prevent them systematically. Research is based on real-world bug hunting experience of multiple people (including the speaker) as well as best practices of GraphQL API secure implementation from world companies.

ChatOps, a concept originating from Github, is chatroom-driven DevOps for distributed teams, using chatbots (like Hubot) to execute custom scripts and plugins. We have applied the concept of ChatOps to the penetration testing workflow, and found that it fits outstandingly – for everything from routine scanning to spearphishing to pentest gamification. This talk discusses the tools that we use (RocketChat, Hubot, Gitlab, pentesting tools), and provides battle stories of using Pentesting ChatOps in practice.

Threat modelling is a software analysis technique capable of finding design defects. But what sort of issues are uncovered in practice using threat modelling? This talk bridges the gap between theory and practice by describing case studies – design flaws uncovered for actual (but anonymised) systems across many domains, for example two-factor authentication, business-to-business interactions, and password storage redesign. In this talk we are less concerned with theory. Instead, the attendee will gain insight into the mindset of threat modelling by considering mistakes in the real-world. Along the way we will (re)learn secure design principles and attack patterns and see how the theory is expressed in reality.

Seven years a CISO is a rich tale of Jaya's time as CISO of KPN. Dramatic war stories and unique successes made her one of the most renown global CISOs. This is going to be a highlight of the day and a worthy conclusion of Swiss Cyber Storm 2019.

Let's close the day with a fireside chat. That is an open discussion with two security experts - Sarah Jamie Lewis and Dave Lewis - and a moderator, Dr. Raphael Reischuk. The topics are not set yet, but we will try to keep the focus on the technology.

Social Engineering and its use in financial fraud are rapidly expanding: as the criminals’ methods are being refined into sophisticated and targeted processes, more and more people fall for their scams. The fraudsters are often organized in international networks, which presents traditional law enforcement with a variety of legal problems. Bringing such criminals to justice requires close cooperation between law enforcement and criminal prosecution. Nicoletta della Valle is the director of the Swiss Federal Police (FEDPOL), an agency tasked with coordinating international cooperation in law enforcement. She is joined by Sandra Schweingruber, the Swiss Federal prosecutor for Cyber Crime. In their talk, Mrs. della Valle and Mrs. Schweingruber will present us their talk titled “An Exemplary Case of International Financial Fraud”. A case that has been challenging both FEDPOL and the national prosecution office as well.

Nicole’s talk will be a primer on Cyber Insurance, a market that is expected to reach $23 billion by 2025. Many companies, large and small, have purchased cyber insurance or are in the process. Technical information security professionals are being asked to participate in this activity with little to no background information on how the commercial insurance industry works, what these policies cover, and more specifically how the cyber insurance market works. This talk will also explore some of the common policy exclusions such as the act of war exclusion, which is at the forefront of the Zurich v. Mondelez case over NotPetya.

Identifying software vulnerabilities is a critical task that requires significant human effort. It is often the responsibility of software testers before release and white-hat hackers afterward. This arrangement can be ad-hoc and far from ideal. This talk discusses a first step toward understanding, and improving, this ecosystem through interviews with 25 testers and hackers, focusing on how each group finds vulnerabilities, how they develop their skills, and the challenges they face. The results suggest that hackers and testers use similar processes, but get different results due mostly to differing breadth in experiences. From these results, we provide recommendations to support improved security training, better communication with hackers, and smarter bug bounty policies.

Financial institutions have several motivations to invest and build sophisticated cyber security capabilities. Cyber security is a growing focus of regulatory authorities and financial institutions are being constantly targeted by cyberattacks. Because of these reasons, they are in the forefront of adopting novel defensive capabilities to protect their assets. Two capabilities that stand out are Cyber Threat Intelligence and Red Teaming. This talk will focus on Red Teaming and will answer the following questions: What is the concept of Red Teaming and its mission? How does it compare to other security assessments? How does it interplay with Cyber Threat Intelligence? And lastly, what are the prerequisites for Red Teaming to function optimally?

This talk replaces a presentation by Liis Vihul about Cyber War. Liis' flight was cancelled and she won't make it to our conference. Switch.ch has been rooting for DNSSec for several years and since 2018 we actually see a growing adoption. But there is trouble ahead: the new Swiss law on network blocking forces ISPs do block DNS access to a list of URLs of foreign online casinos with mixed success. And Firefox and Chrome started to roll out DNS over HTTP on a scale (also thanks to Cloudflare). So what does this all mean? Who controls the internet and how does privacy play into this.

• How can companies ensure to meet the trust requirements of their customers? • What role can cybersecurity play in this? • What has Swiss Post learned along its journey towards customer trust?

BFH presents their recent initiatives in areas of research and education. This includes a new threat intelligence startup called Threatray (https://threatray.com/) and a new Master program in Digital Forensics & Cyber Investigation (https://www.bfh.ch/de/weiterbildung/mas/digital-forensics/).

Penetration tests, bug bounty programs, secure coding trainings: companies invest a lot into testing the security of their products and infrastructures, and still get hacked. One of the reasons: manual security testing does not scale well and therefore cannot keep up with the growing number of systems and applications companies nowadays deploy. We need intelligent automation if we really want to get on top of things in security. The talk presents two possible areas where automation can bring immediate benefits for information security and help reduce attack surface.

Let's close the day with a fireside chat. That is an open discussion with two security experts - Sarah Jamie Lewis and Dave Lewis - and a moderator, Dr. Raphael Reischuk. The topics are not set yet, but we will try to keep the focus on the technology.