• Main Track / Tech Track

  • The opening keynote by Dave Lewis will be a look at our motto "Embracing the Hackers" from various perspectives, all based on the many, many years of experience, that Dave aka Gattaca brings to the stage.

  • Efforts to tackle the looming threat of data breaches have seen businesses embrace hackers through crowdsourced security programs, or bug bounties. Bug bounties are used as a financial, or points-based, incentive for independent hackers to find security vulnerabilities within an organization’s infrastructure before cybercriminals do. This approach to security management has become a burgeoning marketplace, with at least half a million hackers now searching for bugs in exchange for cash or recognition. Despite this growth, bug bounties have faced criticism from some within the security community, while many businesses may still balk at the idea of paying hackers to break into their systems.   In this talk you’ll learn what a bug bounty program is, how it can benefit an organization, where it fits alongside other security tools, and the challenges in implementing it to improve your defense posture.

  • In February of this year, the furthest thing from my mind was e-voting in Switzerland. This talk will take you on a journey through the last 8 months of my life, from my relative ignorance of Swiss elections all the to suspension of the Swiss Post system in Switzerland. On the way we will cover some of the pitfalls of implementing secure, cryptographic zero knowledge proofs and discover why an "unrelated" election system in Australia had to be patched during an election. We will conclude by analyzing what the future of e-voting might look like, and how to build confidence in the next generation of election systems.

  • Fuzzing is the process of automatically feeding potentially corrupt input to a program with the goal to find undesired behavior. While fuzzing is a topic mostly applied to projects in memory unsafe languages such as C and C++, it is getting more frequently applied to other programming languages such as Java. The goals of the fuzzing process are usually different though and range from finding simple errors to finding issues such as Denial of Service (DoS) or Server Side Request Forgery (SSRF). To make the fuzzing process as efficient as possible, modern approaches more and more instrument the code and try to maximize code coverage. The JQF tool is one of the tools that was inspired by the well-known American Fuzzy Lop (AFL) fuzzer and aims to bring coverage-guided fuzzing to Java. JQF allows to integrate fuzzing into a developer's daily process by writing a simple unit test. This talk will give a short introduction and shows what kind of security issues have been found in the past as well as how you can use the power of fuzzing in your development process.

  • How secure are traditional voting methods really? When it comes to voting or election fraud in Switzerland, there are known occurrences of adversaries destroying casted paper ballots. This talk is based on Christian Killer's security and process analysis of the Swiss Postal Voting Process. In a 2nd part, Melchior Limacher outlines various threat events from a practical, adversarial perspective. Therefore, this talk focuses on the central question that nobody asks: how hard would it be for an adversary to attack traditional voting channels in Switzerland? A few days before the national election, this talk touches on a few inconvenient facts.

  • Enrique Serrano is an author and very popular IT security expert in Spain where he is a frequent speaker and expert on new cyber developments on TV. Currently working for Israeli Cymulate Ltd., he previously worked for IBM security and founded several companies. Lately he investigated Android security and the ability to use the various capabilities of a smart phone to spy on the owner. The news of similar possibilities on Apple’s iOS hit the news in early September, but of course, you can pull off the same tricks on Android too. Enrique demonstrates how he can control the front end camera from a background task. All in his talk “Not Only On Apple: Spying on Android Users Through The Camera”.

  • GraphQL is relatively new technology which is used by more and more companies nowadays. While GraphQL solving major problems of the REST APIs at the same time it introduces significant growth of server-side complexity which naturally increases chances for vulnerabilities. In this talk you'll learn about core concepts of GraphQL and its components. On that basis common security pitfalls of GraphQL API implementations will be shown as well as how to prevent them systematically. Research is based on real-world bug hunting experience of multiple people (including the speaker) as well as best practices of GraphQL API secure implementation from world companies.

  • ChatOps, a concept originating from Github, is chatroom-driven DevOps for distributed teams, using chatbots (like Hubot) to execute custom scripts and plugins. We have applied the concept of ChatOps to the penetration testing workflow, and found that it fits outstandingly – for everything from routine scanning to spearphishing to pentest gamification. This talk discusses the tools that we use (RocketChat, Hubot, Gitlab, pentesting tools), and provides battle stories of using Pentesting ChatOps in practice.

  • Threat modelling is a software analysis technique capable of finding design defects. But what sort of issues are uncovered in practice using threat modelling? This talk bridges the gap between theory and practice by describing case studies – design flaws uncovered for actual (but anonymised) systems across many domains, for example two-factor authentication, business-to-business interactions, and password storage redesign. In this talk we are less concerned with theory. Instead, the attendee will gain insight into the mindset of threat modelling by considering mistakes in the real-world. Along the way we will (re)learn secure design principles and attack patterns and see how the theory is expressed in reality.

  • Seven years a CISO is a rich tale of Jaya's time as CISO of KPN. Dramatic war stories and unique successes made her one of the most renown global CISOs. This is going to be a highlight of the day and a worthy conclusion of Swiss Cyber Storm 2019.

  • Let's close the day with a fireside chat. That is an open discussion with two security experts - Sarah Jamie Lewis and Dave Lewis - and a moderator, Dr. Raphael Reischuk. The topics are not set yet, but we will try to keep the focus on the technology.

  • Management Track / Academy Talks

  • Social Engineering and its use in financial fraud are rapidly expanding: as the criminals’ methods are being refined into sophisticated and targeted processes, more and more people fall for their scams. The fraudsters are often organized in international networks, which presents traditional law enforcement with a variety of legal problems. Bringing such criminals to justice requires close cooperation between law enforcement and criminal prosecution. Nicoletta della Valle is the director of the Swiss Federal Police (FEDPOL), an agency tasked with coordinating international cooperation in law enforcement. She is joined by Sandra Schweingruber, the Swiss Federal prosecutor for Cyber Crime. In their talk, Mrs. della Valle and Mrs. Schweingruber will present us their talk titled “An Exemplary Case of International Financial Fraud”. A case that has been challenging both FEDPOL and the national prosecution office as well.

  • Nicole’s talk will be a primer on Cyber Insurance, a market that is expected to reach $23 billion by 2025. Many companies, large and small, have purchased cyber insurance or are in the process. Technical information security professionals are being asked to participate in this activity with little to no background information on how the commercial insurance industry works, what these policies cover, and more specifically how the cyber insurance market works. This talk will also explore some of the common policy exclusions such as the act of war exclusion, which is at the forefront of the Zurich v. Mondelez case over NotPetya.

  • Identifying software vulnerabilities is a critical task that requires significant human effort. It is often the responsibility of software testers before release and white-hat hackers afterward. This arrangement can be ad-hoc and far from ideal. This talk discusses a first step toward understanding, and improving, this ecosystem through interviews with 25 testers and hackers, focusing on how each group finds vulnerabilities, how they develop their skills, and the challenges they face. The results suggest that hackers and testers use similar processes, but get different results due mostly to differing breadth in experiences. From these results, we provide recommendations to support improved security training, better communication with hackers, and smarter bug bounty policies.

  • Financial institutions have several motivations to invest and build sophisticated cyber security capabilities. Cyber security is a growing focus of regulatory authorities and financial institutions are being constantly targeted by cyberattacks. Because of these reasons, they are in the forefront of adopting novel defensive capabilities to protect their assets. Two capabilities that stand out are Cyber Threat Intelligence and Red Teaming. This talk will focus on Red Teaming and will answer the following questions: What is the concept of Red Teaming and its mission? How does it compare to other security assessments? How does it interplay with Cyber Threat Intelligence? And lastly, what are the prerequisites for Red Teaming to function optimally?

  • This talk replaces a presentation by Liis Vihul about Cyber War. Liis' flight was cancelled and she won't make it to our conference. has been rooting for DNSSec for several years and since 2018 we actually see a growing adoption. But there is trouble ahead: the new Swiss law on network blocking forces ISPs do block DNS access to a list of URLs of foreign online casinos with mixed success. And Firefox and Chrome started to roll out DNS over HTTP on a scale (also thanks to Cloudflare). So what does this all mean? Who controls the internet and how does privacy play into this.

  • • How can companies ensure to meet the trust requirements of their customers? • What role can cybersecurity play in this? • What has Swiss Post learned along its journey towards customer trust?

  • BFH presents their recent initiatives in areas of research and education. This includes a new threat intelligence startup called Threatray ( and a new Master program in Digital Forensics & Cyber Investigation (

  • Penetration tests, bug bounty programs, secure coding trainings: companies invest a lot into testing the security of their products and infrastructures, and still get hacked. One of the reasons: manual security testing does not scale well and therefore cannot keep up with the growing number of systems and applications companies nowadays deploy. We need intelligent automation if we really want to get on top of things in security. The talk presents two possible areas where automation can bring immediate benefits for information security and help reduce attack surface.

  • Let's close the day with a fireside chat. That is an open discussion with two security experts - Sarah Jamie Lewis and Dave Lewis - and a moderator, Dr. Raphael Reischuk. The topics are not set yet, but we will try to keep the focus on the technology.

  • Sponsoring Track

  • Every major public electric utility company is rolling out, or already has in place, smart meter infrastructure. A lot has been said about smart meters, and there has been a lot of speculation and concerns about their security. But few people have actually looked into the involved protocols, let alone the devices in the field. In this talk we will introduce one of the most commonly used protocols - G3-PLC. And present the first toolkit to communicate from a standard computer with a G3-PLC network, and use your well-known tools to investigate the devices in the network.

  • Collecting Windows event logs and centralizing them into a Security Information and Event Management (SIEM) has always been a big challenge for managed security service providers (MSSPs) or companies taking care of their system security. Despite the multiple approaches – agent, agentless or hybrid – the landscape remains unclear, and it’s hard to find a proper technical solution that takes care of the security constraints imposed by the environment (Active Directory domain in enterprise or Workgroup in OT). In this talk, we will share how we improved the built-in Windows Event Forwarding (WEF) and Windows Event Collector (WEC) by providing a “crafted toolkit”. Next, new and alternative methods to collect Windows Server DNS logs will be presented. Finally, we discuss how such solutions can help MSSPs or companies to leverage Windows logs and to provide valuable IOCs for threat detection purposes.

  • With the rise of popularity of bug bounty within companies, more and more people are trying to make a living doing ethical hacking. But while low hanging bugs are still easy to find, making big bounty can be difficult. The goal of this talk is to give advice to hunter on how to transform low impacts bugs into more valuable ones.
    We will explore 3 different scenarios. The third scenario includes a demonstration of a new tool made to help hunters exploit this kind of vulnerability:

    • First, we will exploit a self XSS and a lack of CSRF token, two low impacts bugs. But, chained together and with the usage of JS services workers allow an attacker to take persistent control of a victim browser even after the bug is fixed.
    • Then we will demonstrate how a to get a root access on a server running docker using only a SSRF attack. The server will be running NodeJS and Axios as an http client.
    • Finally, we will use a template injection on a flask application to exfiltrate private data from a read-only server by injecting a backdoor directly into memory.

  • The need: As the Board are increasingly interested in the security posture of their organizations, Security leaders have the opportunity to empower the board to execute this role effectively. CISOs need to embrace a new approach in communicating about their programs with their executives and board members. The research project: Kudelski Security surveyed around 80 CISOs about matters relating to board communication. Their collective responses provide insight into what interests boards the most, and what questions are toughest for CISOs to answer. We ended up focusing on a total of five questions in depth, covering the different paths and strategies to answer them.

  • In the “building a SOC” blueprints one key ingredient is often missing. Building trust in the SOC by the organization it is tasked to protect. When the inevitable critical incident happens, it is paramount that the management will rely on the analysis and recommendations of its SOC. In this talk I will present why the trust of the organization is important for a successful SOC. I will explain how you can make building trust part of your SOC project and embed trust building into your SOC operation. The general guidance and concrete examples in this talk will be useful for SOC leaders and Security Analysts starting to build a SOC or help improve the standings and effectiveness of existing SOCs.

  • In 2018, the number of attacks using malicious mobile software doubled compared to 2017 (Kaspersky Lab Research). In this presentation, Cyrill Bannwart demonstrates the current dangers of using smartphones and how cybercriminals can gain access to sensitive data. The talk also highlights how mobile operating system manufacturers attempt to protect their users from these attacks and what protective measures can be taken as an app developer or smartphone user.

  • Distributed denial of service attacks continue to be one of the major cyber threats to businesses. The threat landscape is constantly evolving, with the average number of attacks per customer currently being up 16% year-over-year. Not only keep the attacks growing in magnitude and intensity, their techniques are also getting more and more sophisticated (e.g. TCP SYN, memcached, botnets). The responsible attitude towards DDoS – as with other types of cyber threat – is therefore to treat it as a matter of when, not if. There is no silver bullet, however, when it comes to DDoS protection. Each organisation must therefore first examine their specific requirements with respect to risk assessment and budget very carefully. There are a number of technical pros and cons that have to be considered when designing and implementing a DDoS protection mechanism. This talk reflects our path towards finding an optimal solution for a Swiss-based, high-performance data centre.

  • Let's close the day with a fireside chat. That is an open discussion with two security experts - Sarah Jamie Lewis and Dave Lewis - and a moderator, Dr. Raphael Reischuk. The topics are not set yet, but we will try to keep the focus on the technology.

17:45+ Evening Program - Networking, Flying Dinner and More!

After the talks our evening program awaits you with a rich flying dinner, where you can review what you have heard with the other participants. Use the opportunity to maintain and expand your network and attend the award ceremony for the raffle and the mini-CTF.