Daniel Gruss
(Professor at Graz University of Technology) – Keynote
Keynote. Every Threat Model is Wrong
Abstract. Security is the tension between an adversary trying to break into a system and a defender trying to prevent this. This game is inherently asymmetric, as the defender tries to anticipate what the adversary could do and the adversary tries to find anything the defender overlooked. Thus, it is at the core of security that threat models are time and again invalidated. In this keynote, we'll explore some historic examples including the change from isolated to interconnected systems, the change of the root of trust with TEEs, and lastly the change from carbon-ignorant security to carbon-aware security. Finally, we will discuss why threat models are still relevant and how they can guide security research in a constantly evolving landscape.
Biography. Daniel Gruss is a Professor at Graz University of Technology. He has a great passion for teaching, which he started doing in 2009. Daniel's research focuses on microarchitectural security, covering both attacks as well as efficient and effective defenses. He implemented the first remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018. He frequently speaks at top international venues. In 2022, he was awarded an ERC Starting Grant to research how to make security more sustainable.
@lavados
@lavados@infosec.exchange
Ben Stock
(CISPA Helmholtz Center for Information Security) – Keynote
Keynote. Complexity Kills - Why Adding Layers of Security Doesn’t Solve Much
Abstract. Many of the technologies (e.g., email or the Web) we use today were designed decades ago. Over the years, several additions have been made to these technologies to add security, be it in the form of transport encryption or security mechanisms supported by major browsers. However, the overwhelming evidence suggests that the addition of these mechanisms is only beneficial for a tiny fraction of affected operators. Indeed, merely adding security mechanisms leads to confusion about threat models and misunderstandings about the mechanisms. In this keynote, I'll underline this statement and identify what I believe are key issues to overcome to secure both the email and Web ecosystems.
Biography. Ben Stock is a tenured faculty at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany. Ben leads the Secure Web Application Group at CISPA, and his research focuses on various aspects of Web and network security, with a recent focus in particular on (un)usability of security mechanisms. His group regularly publishes at all major security conferences and Ben serves on the PC and in chair roles for various security conferences. Beyond the focus on academic output, together with his students, he regularly aims to bridge the gap between scientists and practitioners through talks at non-academic conferences like OWASP AppSec or Ruhrsec.
@kcotsneb
Fabian Bäumer
(Ruhr University Bochum) – Talk
Talk. Terrapin Attack: Breaking SSH Channel Integrity by Sequence Number Manipulation
Abstract. The SSH protocol provides secure access to network services, particularly remote terminal login and file transfer to millions of servers worldwide. SSH uses an authenticated key exchange to establish a secure channel between client and server, which protects the confidentiality and integrity of messages sent.
In this talk, we show that as new algorithms and mitigations were added to SSH, the protocol no longer establishes a secure channel: SSH channel integrity is broken for three widely used encryption modes. This allows prefix truncation where encrypted packets at the beginning of the SSH channel can be deleted without either peer noticing it.
We demonstrate real-world applications of this attack. We show that we can break SSH extension negotiation, such that an attacker can downgrade algorithms for user authentication or turn off a countermeasure against keystroke timing attacks. Further, we identify a flaw in AsyncSSH that, together with prefix truncation, allows an attacker to redirect the victim’s login into an attacker-controlled shell.
Biography. Fabian Bäumer completed his M.Sc. degree in IT security by the end of 2021. Since 2022, Fabian has been working as a PhD student at Ruhr University Bochum and is part of the Chair for Network and Data Security. Currently, he is researching the SSH (Secure Shell) network protocol from a security standpoint.
@TrueSkrillor
@Skrillor@infosec.exchange
Vaisha Bernard
(Eye Security) – Talk
Talk. Phishing for Tenants: All I Wanted was for Microsoft to Deliver my Phishing Simulation, but instead I kept Reeling in Bug Bounties and Admin Access to Random Tenants
Abstract. I just wanted to send out a phishing simulation. My first attempt with Microsoft's new Attack Simulation platform resulted in three bug bounties for the most trivial mistakes and no more faith in the product. Then I tried building it myself and the last thing I needed was only to allowlist my IP address. I ended up in a rabbit hole that took me from a Chinese company that wanted all my access tokens, to intercepting client-side requests made by the Security & Compliance Center with the goal of replaying these to a backend API, only to discover I could now access tenants that were not mine. Tenants which I could now completely turn upside down and extract every bit of information that was in there.
Biography. Vaisha Bernard is a principal cybersecurity specialist at Eye Security, a rapidly growing MSSP based in The Netherlands, Germany, and Belgium. Although he has a formal background in Astrophysics and Artificial Intelligence, he already became an offensive cybersecurity enthusiast at age 12. After graduating it was this expertise that landed him a job at the Dutch government. In 2020 he joined Eye Security as principal cybersecurity specialist, where he splits his time between research, high profile incident response cases and cracking attack surfaces.
@the1bernard
Jessa Gegax
(Surescripts LLC) – Talk
Talk. Salesforce Snafus: Unveiling and Exploiting Security Misconfigurations Using Commonly Used Widgets
Abstract. This talk explores how to leverage the nooks of Salesforce to find and abuse misconfigurations that chain together and create vulnerabilities that leak data to adversaries.
It highlights that security concerns still exist on applications built on a well-known CRM tool with declarative or "point and click" development, where to discover them, and how they can be remediated.
It provides a real-world scenario of using various Salesforce widgets to find security vulnerabilities like Insecure Direct Object References (IDORs) and Broken Authorization as a means of stealing sensitive information. It offers solutions for detection and prevention for these attacks that relate to common security best practices. At the end of this discussion, you will walk away with better awareness of the vulnerabilities existing in Salesforce, how they can be discovered, remediated, then prevented.
Biography. Jessa Gegax is an Information Security Testing Analyst at Surescripts LLC in Minneapolis, Minnesota.
Jessa holds an undergraduate degree in Computer Science with research interests in offensive cloud security, networking, and web application/API penetration testing.
Paul Gerste
(SonarSource SA) – Talk
Talk. SQL Injection Isn’t Dead: Smuggling Queries at the Protocol Level
Abstract. SQL injections seem to be a solved problem; databases even have built-in support for prepared statements, leaving no room for injections. In this session, we will go a level deeper: instead of attacking the query syntax, we will explore smuggling attacks against database wire protocols, through which remote, unauthenticated attackers can inject entire (No)SQL statements into an application's database connection.
Using vulnerable database driver libraries as case studies, we will bring the concept of HTTP request smuggling to binary protocols. By corrupting the boundaries between protocol messages, we desynchronize an application and its database, allowing the insertion of malicious messages that lead to authentication bypasses, data leakage, and remote code execution.
Biography. Paul Gerste is a vulnerability researcher on Sonar's R&D team. He has a proven talent for finding security issues, demonstrated by his two successful Pwn2Own participations and discoveries in popular applications like Proton Mail, Visual Studio Code, and Rocket.Chat. When Paul is not at work, he enjoys playing and organizing CTFs with team FluxFingers.
@pspaul95
@pspaul@infosec.exchange
Christoph Heine
(RADIX SECURITY) – Talk
Talk. 5G Security (And Why You Should Care About It)
Abstract. The security of cellular networks is still frequently associated with the security of phone networks and personal communication. Attacks discussed in popular media mostly focus on the privacy aspect of phone calls and text messages, e.g. attacks involving eavesdropping or location tracking. However, with the introduction of the 5th Generation technology standard (5G) in 2016, the possible practical applications of cellular network technology have increased significantly beyond usage in phone networks. 5G introduces several new provisions that allow it to be deployed in advanced machine-to-machine communication contexts such as IoT devices, autonomous driving, or aviation. Furthermore, 5G’s new modular design makes it much easier to run a small-scale, dedicated 5G network by placing a greater emphasis on scalability, interoperability, and usage of more “classic” web technologies, e.g. TLS, OAuth2, and HTTP[1].
While these applications offer exciting new opportunities and use cases from a consumer’s point of view, they also have the potential to significantly increase the attack surface and introduce new threats in the field of mobile security. In our talk, we want to shine a light on the current state of 5G and security threats that have been observed or may arise in the future as the standard is being rolled out all over the world. In this context, we explain which lessons can be learned from related fields of security research, e.g. web security, and how researchers in these fields may apply their findings in the context of 5G. We also discuss the current challenges we face in both 5G security research and practical testing of 5G networks, based on our experience working with the BSI to refine Germany's national 5G certification scheme.
[1] //www.3gpp.org/technologies/5g-system-overview
Biography. Christoph Heine is an independent security researcher and developer of pentesting tools for Radix Security. Christoph is best known for designing and building tools with a high degree of automation, particularly in the field of REST security and testing common vulnerabilities in APIs. His current main focus is the analysis and enhancement of the REST APIs used in the 5G network standards. In this context, he is currently working with a team at Radix Security to create a dedicated security suite for enhancing the testing of 5G networks. In addition to his security-related interests, Christoph is also an avid free software advocate and a frequent collaborator on various open source projects.
Jonas Kaspereit
(FH Münster) – Talk
Talk. LanDscAPe: Exploring LDAP Weaknesses and Data Leaks at Internet Scale
Abstract. The Lightweight Directory Access Protocol (LDAP) is the standard technology to query information stored in directories. These directories can contain sensitive personal data such as usernames, email addresses, and passwords. LDAP is also used as a central, organization-wide storage of configuration data for other services. Hence, it is important to the security posture of many organizations, not least because it is also at the core of Microsoft's Active Directory, and other identity management and authentication services.
We report on a large-scale security analysis of deployed LDAP servers on the Internet. We developed LanDscAPe, a scanning tool that analyzes security-relevant misconfigurations of LDAP servers and the security of their TLS configurations. Our Internet-wide analysis revealed more than 10k servers that appear susceptible to a range of threats, including insecure configurations, deprecated software with known vulnerabilities, and insecure TLS setups. 4.9k LDAP servers host personal data, and 1.8k even leak passwords. We document, classify, and discuss these and briefly describe our notification campaign to address these concerning issues.
Biography. Jonas Kaspereit is currently pursuing a Ph.D. in Computer Science at FH Münster.
David Klein
(Technische Universität Braunschweig) – Talk
Talk. Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials
Abstract. TBA
Biography. TBA
Daniel Klischies
(Ruhr University Bochum) – Talk
Talk. Behind Closed Curtains - Insights on Security Vulnerabilities in Smartphone Basebands
Abstract. In an era where smartphones are integral to our daily lives, securing them against vulnerabilities is crucial to protect our overall digital privacy. Consequently, mobile operating systems have been hardened, prompting exploits to become increasingly sophisticated and costly. Threat actors are, therefore, exploring cellular basebands as an alternative and more attractive avenue to compromise the security of smartphones.
In this talk, I provide new insights on the security of modern smartphone basebands. I will outline several vulnerabilities in commercial basebands, affecting thousands of different smartphone models. Besides concrete vulnerabilities, you will learn about the systemic issues in the cellular protocol specifications and firmware lifecycle, promoting the likelihood and longevity of such vulnerabilities.
Biography. Daniel Klischies is a final-year PhD student at the Chair for Security and Privacy of Ubiquitous Systems at Ruhr University Bochum. His main research objective is to understand and improve the security properties of firmware, currently focusing on cellular devices. He prefers to employ a diverse range of methodologies in problem-solving, such as binary analysis, formal methods, and empirical studies.
Prior to his PhD studies, Daniel was a software engineer for data analytics solutions in the automotive industry.
@danielklischies
www.danielklischies.net
Niclas Kühnapfel
(Technische Universität Berlin) – Talk
Talk. Glitching AP4: A Technical Deep Dive Into Tesla’s Autopilot Computer
Abstract. TBA
Biography. TBA
Sarah Mader
(NVISO GmbH) – Talk
Talk. Red Team Operations in OT: A Peek Behind the Curtains of Hacking Industrial Systems
Abstract. In an era where industrial systems are increasingly targeted by sophisticated cyber threats, understanding how these attacks take place and how to defend against these attacks is crucial. This presentation will provide an in-depth look at Red Team operations within Operational Technology (OT) environments, such as factories and power plants.
We will begin by outlining the fundamental differences between OT and IT security, highlighting the unique challenges and vulnerabilities present in OT systems. This foundational knowledge sets the stage for a deeper exploration of the current threat landscape within OT environments.
The core of the presentation will focus on real-world case studies from our Red Team assessments. We will walk you through the methodologies we use to simulate real attacker behaviours, from initial infiltration to identifying critical vulnerabilities, all while ensuring minimal disruption to operational processes.
Agenda:
- Introduction: Overview of Operational Technology (OT) and Red Teaming
- Distinguishing IT from OT: Key Differences and Implications
- Current Threat Landscape: Emerging Threats and Vulnerabilities in OT
- Red Team Operations in OT Environments: Strategies, Tools, and Techniques
- Case Studies: Real-world Examples and Lessons Learned
Biography. Sarah is a Senior Consultant at NVISO, with a focus on Red Team Assessments. Complementing her cybersecurity experience, she has developed proficiency in Operational Technology (OT) assessments and continues to specialize further in this area.
She possesses a Master's degree in Applied IT Security, which has been enriched by her diverse experiences in cybersecurity roles across various companies.
In addition to her professional work, Sarah is dedicated to contributing to the community by leading workshops and delivering presentations at industry conferences.
Jost Rossel
(Paderborn University) – Talk
Talk. 3D Printing Security
Abstract. 3D printing is revolutionizing manufacturing, but its adoption introduces unique security risks. This talk provides an overview of the current state of security research in 3D printing, combining insights from our current work with related studies. Beginning with an introduction to 3D printing, we will explore the various security concerns inherent in this technology, from vulnerabilities in 3D printing file formats, through side-channel attacks that steal prints, to vulnerabilities in the printers' instruction set. Attendees will gain a more profound understanding of this emerging field and its implications for secure additive manufacturing.
Biography. Jost Rossel is a PhD student at the System Security Chair at Paderborn University, supervised by Juraj Somorovsky. His research topics are the security of 3D printers and the security of file formats. Naturally, this intersection leads to research on file formats used in 3D printing and the problems that come with them. When not working, you can find him kayaking or playing the guitar.
@JostRossel
@jostrossel
www.jost-rossel.de
David Rupprecht
(RADIX SECURITY) – Talk
Talk. 5G Security (And Why You Should Care About It)
Abstract. The security of cellular networks is still frequently associated with the security of phone networks and personal communication. Attacks discussed in popular media mostly focus on the privacy aspect of phone calls and text messages, e.g. attacks involving eavesdropping or location tracking. However, with the introduction of the 5th Generation technology standard (5G) in 2016, the possible practical applications of cellular network technology have increased significantly beyond usage in phone networks. 5G introduces several new provisions that allow it to be deployed in advanced machine-to-machine communication contexts such as IoT devices, autonomous driving, or aviation. Furthermore, 5G’s new modular design makes it much easier to run a small-scale, dedicated 5G network by placing a greater emphasis on scalability, interoperability, and usage of more “classic” web technologies, e.g. TLS, OAuth2, and HTTP[1].
While these applications offer exciting new opportunities and use cases from a consumer’s point of view, they also have the potential to significantly increase the attack surface and introduce new threats in the field of mobile security. In our talk, we want to shine a light on the current state of 5G and security threats that have been observed or may arise in the future as the standard is being rolled out all over the world. In this context, we explain which lessons can be learned from related fields of security research, e.g. web security, and how researchers in these fields may apply their findings in the context of 5G. We also discuss the current challenges we face in both 5G security research and practical testing of 5G networks, based on our experience working with the BSI to refine Germany's national 5G certification scheme.
[1] //www.3gpp.org/technologies/5g-system-overview
Biography. David Rupprecht is a security researcher at the Ruhr University of Bochum in the field of mobile security. Since finishing his PhD in 2020, David has dedicated a significant amount of his attention to the development of official security requirements for the 5G network standards published by the 3GPP working group. In this context, David also works closely with the German Federal Office for Information Security (BSI) to prepare the rollout of the German national certification program for public 5G networks. In 2022, David founded Radix Security together with Katharina Kohls to pursue these efforts further with a dedicated team of like-minded individuals. As of 2025, their company has grown to the size of 12 people.
Sebastian Schinzel
(FH Münster) – Talk
Talk. LanDscAPe: Exploring LDAP Weaknesses and Data Leaks at Internet Scale
Abstract. The Lightweight Directory Access Protocol (LDAP) is the standard technology to query information stored in directories. These directories can contain sensitive personal data such as usernames, email addresses, and passwords. LDAP is also used as a central, organization-wide storage of configuration data for other services. Hence, it is important to the security posture of many organizations, not least because it is also at the core of Microsoft's Active Directory, and other identity management and authentication services.
We report on a large-scale security analysis of deployed LDAP servers on the Internet. We developed LanDscAPe, a scanning tool that analyzes security-relevant misconfigurations of LDAP servers and the security of their TLS configurations. Our Internet-wide analysis revealed more than 10k servers that appear susceptible to a range of threats, including insecure configurations, deprecated software with known vulnerabilities, and insecure TLS setups. 4.9k LDAP servers host personal data, and 1.8k even leak passwords. We document, classify, and discuss these and briefly describe our notification campaign to address these concerning issues.
Biography. Prof. Dr. Schinzel teaches and researches applied cryptography, cyber security and medical IT security. He heads the research group of the Laboratory for IT Security and the “Applied Cryptography and Medical IT Security (ACM)” department at the Münster site of the Fraunhofer Institute for Secure Information Technology SIT. He is a founding member of the Institute for Society and Digitality (GUD) at the UAS. He is also a professorial member of the NRW doctoral college.
Leon Trampert
(CISPA Helmholtz Center for Information Security) – Talk
Talk. Beauty at a Cost: Privacy Implications of CSS on the Web and in Emails
Abstract. Modern browsers are increasingly restricting traditional tracking methods like third-party cookies to enhance user privacy. However, browser fingerprinting remains a powerful tool for tracking users across websites, even in privacy-conscious scenarios. It is typically associated with JavaScript-based methods, which have been the primary focus of tracking and mitigation efforts.
This talk highlights how Cascading Style Sheets (CSS), often considered harmless and enabled by default in email clients, enable third-party profiling without cookies or JavaScript. Furthermore, modern browser engines facilitate these techniques in HTML emails, making email fingerprinting a capable vector for tracking, targeted phishing, and spam campaigns. These findings reveal gaps in current JavaScript-centric privacy protections and emphasize the need for broader mitigations.
Biography. Leon Trampert is a PhD student at Saarland University working for the CISPA Helmholtz Center for Information Security under the supervision of Dr. Michael Schwarz and Prof. Christian Rossow. He works on unintended security and privacy implications introduced by new Web technologies. As such, he regularly plays around with up-and-coming Web technologies such as WebAssembly, WebUSB, or new CSS features. Before his doctoral studies, he obtained his Bachelor's degree in Cybersecurity from Saarland University.
@LTrampert
leon.trampert.me
Daniel Weber
(CISPA Helmholtz Center for Information Security) – Talk
Talk. Beauty at a Cost: Privacy Implications of CSS on the Web and in Emails
Abstract. Modern browsers are increasingly restricting traditional tracking methods like third-party cookies to enhance user privacy. However, browser fingerprinting remains a powerful tool for tracking users across websites, even in privacy-conscious scenarios. It is typically associated with JavaScript-based methods, which have been the primary focus of tracking and mitigation efforts.
This talk highlights how Cascading Style Sheets (CSS), often considered harmless and enabled by default in email clients, enable third-party profiling without cookies or JavaScript. Furthermore, modern browser engines facilitate these techniques in HTML emails, making email fingerprinting a capable vector for tracking, targeted phishing, and spam campaigns. These findings reveal gaps in current JavaScript-centric privacy protections and emphasize the need for broader mitigations.
Biography. Daniel Weber is a PhD student researching in the field of microarchitectural attacks, such as side-channel and transient-execution attacks. His work focuses on improving the process of finding such attacks via automation. He is part of Michael Schwarz' research group at the CISPA Helmholtz Center for Information Security. Before that, he obtained a Bachelor's degree in Cybersecurity from Saarland University. In his free time, Daniel regularly participates in Capture the Flag competitions as part of the team saarsec.
@weber_daniel
roots.ec
More talks coming soon ...