Dec 10, 2009

BruCON 2010 - Save the date 24 & 25 Sept

Mark it in your calendar: BruCON 2010 will be on 24 & 25 September 2010!! Pass the word!!

Subscribe to our announcement mailinglist if you want to be notified of the latest news. This event is organized by a group of security enthusiasts and volunteers. Join our volunteer mailinglist if you want to help out.

Oct 16, 2009

Watch the #brucon videos online in our vimeo channel

Do you want to watch a video during a break and don't want to download 100+ MB? You can now watch the videos online in our vimeo channel as well.

Our videos are available under a Creative Commons attribution license.

Sep 25, 2009

Download the #brucon videos and presentations

You can download our 13 videos from the following mirrors:

We want to thank all these people for hosting our videos. If you have some bandwidth and space to spare, add your own mirror.

The latest slides have also been added to

Thanks for Hackerspace Brussels for making the videos and the volunteers for seeding and spreading the files yesterday. You can now broadcast this!! Thank you!!!

Sep 23, 2009

First series of #BruCON presentations are online

You can get the first #brucon presentations from our website. More will follow.

Sep 21, 2009

Ending Brucon 2009, the first edition

BruCON edition 2009: Hacking for b33r has ended. It was better then we could had ever imagined for a first edition. There are few things we can improve on, but the feedback was very positive over the whole line, from speakers, volunteers and visitors alike. If you still want to provide us some feedback, send a note to feedback atsiggn (@)

We have to thank all the volunteers who worked their butts off during the conference and we hope to see many of them back for the 2010 edition. Yes, I think it's safe to say that there will be a next edition, so keep yourself subscribed to our RSS feed or Announcement mailinglist to stay informed.

For those who missed it, we will put the presentations and videos online as soon as we can, as well as a few other announcements.

Sep 17, 2009

Download the electronic schedule (for your PDA or Smartphone)

Some volunteers made an electronic version of our schedule, so you'll have the latest version close at hand. Have a look at our Schedule page for details.

Sep 15, 2009

BruCON Official Communication and Press contact

Yesterday we noticed some Belgian Security Blogs making statements on behalf of the BruCON organization. We are not denying or confirming anything published but we are only stating that those blog(s) contain inaccurate information and that we have no affiliation them.

Please follow our blog for correct and official information about BruCON. The official contact for press for BruCON is press (at) and nobody else.

Further updates will be posted in the coming hours.

Sep 14, 2009

Bonus presentation: Announcing the new Belgian

Last week, several newswebsites reported on the upcoming national For years, Belgium had to rely on the small CERT team of BELNET only. We are happy to see that BELNET got the opportunity to expand the team to a more national and bigger team.

Much details were not available in the press so we are happy that Lionel Ferette, coordinator of the CERT will give a short introduction during BruCON. Due to our full schedule and due to the fact that the CERT is still in full development, it will be restricted to a short presentation of 15 minutes.

Keep track on the lastest BruCON updates on our mailinglist and blog.

Sep 11, 2009

Update of the BruCON Schedule

Some small changes were made to the schedule. Unfortunately, Christofer Hoff had a scheduling conflict and will be replaced by Craig Balding.

Craig founded where he blogs about Cloud Computing and Security. Together with Christofer, he is the host of the Cloud Security podcast and has presented at Black Hat Europe, eCrime London and the World Cloud Computing Summit.

As a bonus, Jean-Luc Allard and Alain De Greve will join us to give an update on the Belgian Information Security Initiative (BISI).

More information has been added for the workshops, speakers and schedule.

Check our wiki for more information:

Visit our website or blog in the coming days for up-to-date information about the conference.

Register for the BruCON workshops

Since there are limited seats for the workshops, you can pre-register a seat in an attempt to keep it organized.

Go to for details.

Sep 10, 2009

The HEX Factor prices during BruCON

From The Hex Factor Team:

"In the last months, you had the chance to get a sneak preview on some of the typical challenges (PDF Challenge & WifiPuzzle) that will be included in The Hex Factor during BruCON. Today, we are happy to announce that

1. Everything is on schedule (read: we are still alive, we still have girlfriends ... at least some of us do, systems are running) and the challenges are ready to torture any gray cells in your haxx0rzzbrainzz.

2. The Hex Factor will run from 9am on day one, until 7pm on day two. During the first evening, after the conference venue closes, you can continue playing from HackerSpace Brussels until they kick you out (or Club Mate runs out) :-)

3. We have prices! Yes, thanks to some generous sponsors (CompuCity Hasselt, Offensive Security and the BruCON organizers), we have the following prices available:
  • First price: showroom model of the Asus EEE PC 900 White Azerty
  • Everyone who ends up in the Top 10: there are three Extra Large and two Large t-shirts of the following designs
  • One Offensive Security - Pentesting with BackTrack will be randomly given to a participant. Initially, this was our first price ... but then again, when you manage to score so much points, I do not think you need any additional training, do you?
We will be located in the Lounge during the whole conference and if you want to try any social engineering on us ... (hint: beers++ or coins-for-beers++) we will all be wearing one of the The Hex Factor t-shirts that you can order yourself from our webshop.

If you do not want to know how far the rabbit hole goes (Justin's talk in #track 1), but instead want to create the rabbit hole yourself ... you can join us on day one at 10am in Track 2 for an introduction on how to start playing! "

Sep 8, 2009

BruCON afterparty: Bring a friend action and happy hour

Thanks to our sponsor F5, there will be a great afterparty at BruCON. We are launching the Bring-a-friend action. Each registered BruCON attendee can invite one friend for the BruCON afterpart starting Saturday at 20:00 as long as the max. capacity of 400 hasn't been reached. Send your name and the name of your guest to party (atsign)

At 20:00 and 01:00 there will be a happy hour where you can get two draft beers for the price of one.

Bring a friend to party with the crew, speakers and participants on Saturday!

Sep 7, 2009

BruCON trainer Shreeraj Shah will be at the next OWASP-BE Chapter Meeting


Tuesday, September 15th, 2009 (18h00pm-21h00pm)


Location is sponsored by Isabel <>

Isabel S.A./NV
Putterijstraat 22 Rue de la Putterie,
1000 Brussels


* 18h00 - 18h30: Welcome & Refreshments
* 18h30 - 18h45: *OWASP Update* (by Sebastien Deleersnyder,
Telindus, OWASP Board)
* 18h45 - 19h30: *CSRF: the nightmare becomes reality* (by Lieven
Desmet, DistriNet KU Leuven)
* 19h30 - 20h45: *Hacking Web 2.0 Streams - Cross Domain Injection
and Exploits* (by Shreeraj Shah, founder of Blueinfy)

More information can be found at .

Shreeraj is in town for the BruCON conference <>
where he will be giving the "Web 2.0 Hacking - Attacks and Defense
<>" training. There are still
a few seats left.

*WHO should attend?*

Anyone interested in Web Application Security (management, security
professionals, developers, students, etc). OWASP Belgium chapter
membership is free. All meetings are free. There are never vendor
pitches or sales presentations! at OWASP meetings.

Check our chapter page on
meeting details, sign up to the chapter mailing list and introduce


There are *only 60 seats available* (first register, first serve)!

Please send a mail to 'belgium at' if you plan to attend,
so we can size the venue appropriately and keep you updated on
last-minute changes.

Sep 1, 2009

BruCON Podcast ep4: Eric Adrien Filiol - Cryptography and Cyberattacks

The podcast begins with some interesting details on the progress of the event.

Our guest today is Mr. Eric Filiol, another one of our presenters with his presentation How to coordinate and conduct a cyber attack. Eric is a French cryptanalyst and information security specialist with some interesting points on cryptology and the state of information security.

Interesting links for this episode :

Music of the podcast with permission of Dave Lewis (a.k.a. gattaca) who makes us Sweat with another track from his Mescaline project.

Aug 31, 2009

Last day of BruCON discount tickets.

Starting from September 1st, ticket prices will go up slightly. If you want to buy a discount BruCON ticket, register before 1st of September and complete your registration. If you know people who are interested in the event, please inform them.

A few seats are still available for the BruCON training sessions, have a look at

Aug 27, 2009

BruCON wifi puzzle winner & the solution

Of all the submissions, we received 5 correct answers. Out of those, Tyler H. is the winner.

Other persons to submit a correct answer were:
  • Jo B.
  • Pascal R.
  • Phil A.
  • Patrick H. (from Redteam Pentesting who was also the winner of the first challenge)
Here is the solution of the wifi puzzle provided by Didier Stevens. A big thanks to him for all his hard work and dedication! All participants expressed they had loads of fun with this challenge. For more puzzles, join the Hex Challenge at BruCON.


Here's one way to solve the Brucon WiFi Puzzle: open the capture file with Wireshark.

The capture file contains one beacon frame for the brucon09wifi network. If you're a bit familiar with beacon frames, one tag will stand out: the vendor specific tag which Wireshark can't interpret because it's from a vendor it doesn't know.


The hidden data is inside the vendor specific tag. Select it and export the selected bytes:


How do you decode this data? You can try all types of encoding and encryption schemes, but to prevent you from wasting time trying countless possibilities, I've given you a hint in the name of the vendor: XortecOy. The data is XOR-encrypted. And the key is tecOy. ;-)

Open the saved bytes with Cryptool:


And apply XOR-decryption with key tecOy:


Et voilĂ !

Aug 26, 2009

BruCON Podcast ep3: Didier Stevens and The BruCON Hex Challenge

This time Wim is joined by Didier Stevens, pdf wizard extraordinaire and co-conspirator of The Hex Factor. He explains the idea behind the game that will keep us audience captivated during the conference, how they started and what you can expect from it.

Didier will also be giving a workshop on digital ID during BruCON and a lightning talk about his home automation system. There are still free slots available to register your own lightning talk.

You can download it through this XML feed or get it through iTunes.

Interesting links for this episode :

Podcast music by and with permission from Sah Ril. Sah Ril gets us hyper once again, this time with the great song F**k Me Famous from his album Wet.Plug.Trip.

There are still a few hours left to join the challenge from yesterday for some BruCON discounts.

Aug 25, 2009

Hex Challenge #2: Win a 10% discount on a BruCON training and a conference ticket

Want to win a 10% discount on a conference ticket and a BruCON training of choice? We'll even throw in some BruCON stickers as a bonus. Here is another sample of the Hex Challenge that will be running at BruCON.

Located in this file, is a hidden message. Send your answer to contest {removethisbyATsign} brucon (dot) org by Wednesday 26th of August by 16:00 GMT+1 at the latest. We will select a winner from all the correct answers randomly. We will announce the winner and post the answer on Thursday.

Good luck!

Aug 24, 2009

7 days of discount #brucon tickets available and last training seats

Brucon is getting nearer, it looks like it is going to be an awesome event.
  • Internet access will be native ipv6 and we'll have a gigabit uplink
  • The lounge will be filled with fun stuff to do and see (amonst others the Hex challenge). It will have an arcade / space invaders theme.
  • A great selection of Belgian beers will be available and let's not forget Club Mate
  • There are some dinners and guided tours available for those arriving early. Check the wiki for more information
  • Last but not least the BruCON afterparty.
Don't forget that our discount tickets end at the 31th of August. That leaves you with 7 days to complete your registration before prices will increase.

There are also some seats left for the BruCON training courses. Don't miss this chance to follow a course from one of these renowned trainers.
  • Crash course in Penetration Testing (By Joe McCray, and Chris Gates)
  • Web 2.0 Hacking – Attacks and Defense (By Shreeraj Shah)
  • Social Engineering testing for IT Security professionals (By Sharon Conheady)
Go to the training page for more information.

Aug 20, 2009

BruCON Podcast ep2: Jayson E Street about Cyberwarfare

Those who subscribed to the iTunes channel already noticed the release of episode 2. You can download it through this XML feed or get it through iTunes.

Episode 2 shownotes:

Getting our groove on with a good beat, this time contributed by Dave Lewis (@gattaca on twitter) of . Much to our amazement this dude laces the tracks with heavy basses that grab you by the throat in this track named 'Crisis' (the title seems appropriate to an infosec podcast) by his music project Mescaline.

On with the show. We got into a good discussion about information security, cyberwarfare and privacy with Jayson E. Street. Jayson will be speaking at the Brucon conference in September (don't tell me you have yet to book your ticket, right?) and was awarded the prize for the longest title. Apart from being an extremely likable guy, he's very knowledgeable on the subject and he's a published author. If we are not misinformed, his book "Dissecting the hack" (Syngress '09) was launched in Vegas last week. Have a look at it.

Interesting links for this episode :

We will release episode 3 real soon. Keep watching the blog because there will be another contest in the next week.

Jul 23, 2009

BruCON Podcast ep1: Introduction and Hackerspaces Talk with astera

What started as a joke while drinking beers, has become a real experiment. Some of the crew thought it would be fun to do a BruCON podcast. With only basic equipment, they will be interviewing some of the speakers to give you a better view of the contents of the BruCON talks. We will also do some podcast interviews during the conference to give a feeling of the atmosphere there.

The first edition gives a view about how BruCON started and is followed by an interview with astera about the hackerspaces movement.

For the second episode, we will interview Jayson E. Street about Cyberwarfare.

You can download it through this XML feed or get it through iTunes.

If you want us to interview certain people or cover specific parts of the event, you can send your feedback to podcast atsign

(Photo under creative commons from Josh Bancroft's photostream)

Jul 20, 2009

BruCON auction for EFF and Hackerspaces

Some volunteers are organizing an auction for the benefit of some organizations and projects like the EFF (Electronic Frontier Foundation) and some of the local Hackerspaces. We are still looking for some items to sell at the auction. Do you still have items that are worth selling (hardware, books, etc...)? Please add it to the list and bring it to the conference.

Jul 14, 2009

Announcing the early bird ticket winner

Mr. Erik Vanderhasselt is the lucky winner of the Offensive Security course. We congratulate him and will send him further details soon.

In addition, we want to thank Offensive Security for offering the course.

You still have a chance to subscribe to one of the three security courses organized by BruCON.

Two day trainings are available before the conference by some industry experts:
  • Crash course in Penetration Testing (By Joe McCray, and Chris Gates)
Chris Gates is the founder of Full Scope Security performing full scope penetration testing and security engineering. Previous jobs includes full scope penetration tester for one of the DoD Red Teams and Army Signal Officer spending gobs of time in layer 2 and layer 3 land. columnist and security blogger. Former speaker at SOURCE Boston 09, NotACon ,Toorcon X and ChicagoCon. He is scheduled to speak BlackHat USA 2009 and Defcon 17.

Joe McCray has 8 years of experience in the security industry with a diverse background that includes network and web application penetration testing, forensics, training, and regulatory compliance. Joe is a frequent presenter at security conferences, and has taught the CISSP, CEH, CHFI, Security+, and Web Application Security at Johns Hopkins University (JHU), University of Maryland Baltimore College (UMBC), and several other technical training centers across the country
  • Web 2.0 Hacking – Attacks and Defense (By Shreeraj Shah)
Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in security space. He is also the author of popular books like Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O’reilly, HNS. His work has been quoted on BBC, Dark Reading, Bank Technology as an expert.
  • Social Engineering testing for IT Security professionals (By Sharon Conheady)
Sharon Conheady is a social engineer/penetration tester at First Defence Information Security in the UK. She has social engineered her way into dozens of organisations across the UK and abroad, including company offices, sports stadiums, government facilities and more. Former speaker at Deepsec, Recon, CONFidence, ISSE, ISF, SANS Secure Europe and more.
Go to the training page for more information.

Jul 9, 2009

Club Mate available @ BruCON

Due to popular demand, we will serve Club Mate at BruCON. Club Mate is a caffeinated carbonated Mate-extract beverage. For more info on the beverage, click here.

Jun 30, 2009

A small contest: win a discount and some free stickers (updated)

To give our visitors a small sample of "The Hex Factor", we are doing a little contest. Here is a file from the reverse engineering track. There is a hidden message within the file. The first person that posts the message in the comment of this post, gets a 10% ticket discount1 and some BruCON and "PDF - Penetration Document Format" + "How is my Hacking(.com)" stickers donated by Didier Stevens.

UPDATE: Comment settings were a bit strict because of initial blog spam. We changed settings but comments still will be moderated. It seems the challenge was easy but it wasn't our purpose to make it hard (this time). Kasperle from Aachen, please contact us at info attsign for your contact details and we will ship you your prize. We will post the solution of the challenge in a few days. Feel free to give it a try on how to find the answer.

1 Discount does not apply in combination with other promotions

Jun 26, 2009

Closing early bird tickets and a few days extensions

Since some of our mailings only went out at the last moment, we are extending the early bird tickets with a few days. To be eligible for early bird fees, you have to register on the 3rd of July at the latest and we must have received your payment on the 6th of July at the latest.

After this point, it will not be possible anymore and you won't have a chance to win the Offensive Security (Backtrack) course.

(Photo under creative commons from Hryck.'s photostream)

Jun 23, 2009

Two weekly Volunteer meeting

Just a reminder for the volunteers that tomorrow (Wednesday evening) 18:30 is our two-weekly meeting. All the dates and location or other information is available on the volunteer part of the wiki.

Our gathering point for meetings is:

Brasserie (Hotel) Le Dome
Boulevard du Jardin Botanique 9
1000 Bruxelles

Thank you in advance for coming!

Jun 19, 2009

The Hex Factor - win a prize during #BruCON

What do you do when you are between presentations, or if the talk doesn't interest you that much? There are a lot of other activities during the conference, join one of the hackerspaces or instructors in a free workshop. Give a lightning talk. Still can't find something interesting to do? Sit down in our cool hacklounge and join a little challenge!!!

Well, there is nothing better than sitting behind your laptop and playing a Capture-The-Flag game, oh wait, no ... BruCon does not have that ... or a Hacking Challenge ... or a Elite Contest ... or ... what the hell. Who cares about the name? We introduce you "The Hex Factor"

During the whole conference, The Hex Factor will be available for those who want to test their skills. You don't have to be a security expert to participate. It is intended for everyone and for all levels of expertise, ranging from basic level (Padawans) to the more experience people amongst us. Network administrators, programmers, students, everyone can introduce themselves into several security aspects that can be useful in their daily tasks.

A group of local people, including Didier Stevens (PDF trickery), Pieter Danhieux (Pentesting instructor at SANS Institute), Hillar Leoste (ShadowServer/Zone-H) and some other brave souls (Benoit , Frederic, Koen, Daan and Erik) have worked for a few months to setup an infrastructure where you can play around, learn new skills, show your knowledge and experience in different domains:

  • Once upon a time (level 100 and 200): The history and culture of hacking. Who do you know about important history and security attacks from the past?
  • Pwned (level 100, 200 and 300): Penetration testing where you need brains. Ok, you know about vulnerabilities ... but how are they actually abused by attackers?
  • Binary Fu (level 100, 200 and 300): Reverse Engineering taken to the top.
  • Pure leetness (level 100, 200 and 300): Do you have what it takes to become a succesful researcher? Do you like brain-teasers and crunching on numbers? This is the level where the chaotic hacker will beat the structured pentester ...

There will be prices for the winners of the challenge ranging from a free security course, to some cool hardware like a pre-installed pentesting netbook ...Follow the wiki for details.

Try The Hex Factor and show us your Foo.

Jun 16, 2009

The BruCON volunteers organized

The Brucon volunteers are getting organized. We launched a mailinglist both for visitors and the volunteers to keep updated on the latest news in addition to our RSS feed and LinkedIN group. We defined several areas of responsibilities on the Volunteer page to get things into motion as well as the next meeting dates. There are still a lot of empty functions so please have a look at it.

For example, we are still looking for people with video equipment to record the talks which would be really cool to have!

Even if you can not come to the meetings, use the mailinglist and wiki to participate. Additionaly, you can even use some of our propaganda material to spread the word. All small things help.

Thank you!

(Photo under creative commons from Lallyna's photostream)

15 days of early bird #brucon ticket prices remaining

Time goes by quickly and we want to remind you that our early bird fee ends on the 1st of July. So you have only 15 days left before our prices go up! For students, this means prices as low as 5o euro if you complete your registration now.

On top of that, as an early bird you have the chance to win a "Offensive Security" Backtrack course valued at 550$.

Jun 5, 2009

The hackerspace challenge

People from various hackerspaces around Europe (or beyond) will be present at BruCON. We gave Randomdata a challenge inspired by the sandwich robot of Bre Pettis. We sent them this movie:

Now we are challenging the other spaces to pick up our gauntlet as well to make a cool (arduino) project. Be creative, don't be limited by our suggestion and have fun. Let the contest begin!!!

There will be arduino parts on sales during BruCON so everyone can join in a workshop to make their own little project.

If you don't know what a hackerspace is, visit or have a look at this video documentary.

(XKCD comic under Creative commons)

Jun 3, 2009

The Full BruCON Program

Two weeks ago, we announced the first part of the #brucon speaker track. You can now look at the entire set of presentations on our website.

A lot more updates will follow so keep following us. Only 28 days of early bird registrations left. Join us for 2 days of presentations, workshops, lightning talks in a great atmosphere.

(Photo under creative commons from ganatronic's photostream)

May 29, 2009

Ticket sales and Brucon Training are available

So we silently launched our wiki (beta) to start our ticket sales. You can register as of this week. The wiki is far from finished and hopefully will find its own shape and individuality over time with your help.

We are happy to announce some training from some renowned trainers. What's the difference with workshops? Workshops are only 1-2 hour introduction courses into certain subject matters and are part of the conference. These trainings are full 2-day courses and are scheduled for 16 & 17 September. The prices for any of these courses are 900 euro (VAT excluded). We are providing the following three:
  • Crash course in Penetration Testing by Joe McCray, and Chris Gates
  • Web 2.0 Hacking – Attacks and Defense by Shreeraj Shah
  • Social Engineering testing for IT Security professionals by Sharon Conheady
More information about the courses and the trainers is available on our wiki.

Related posts:
(Photo under creative commons from CellPhoneSusie's photostream)

May 22, 2009

Ticket prices for BruCON

Everybody knows where and when BruCON will be. But we have been getting questions about the entrance fee. We are still in the process of finishing our new website which will include the ticket registration system.

We wanted to make BruCON as accessible as possible for everyone and tried to keep our prices as low as possible. The website should go live by next week but we can already announce our prices.

Ticket prices for BruCON are:

  • 180 Euro early bird (prior to July 1st 2009)
  • 250 Euro 1/7/2009 - 31/8/2009
  • 300 Euro afterwards and at doors

Students (full time):

  • 50 Euro early bird (prior to July 1st 2009)
  • 90 Euro afterwards and at doors
So we start with an early bird option and prices go up over time. In addition to getting a low price, early birds also have a chance to win a security course: "Pentesting with BackTrack".
"Pentesting with BackTrack" (previously known as Offensive Security 101) is an online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. The course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students.

This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed internet.

"Pentesting with BackTrack" qualifies you for 40 ISC2 CPE Credits. This applies to students who submit their exercise documentation at the end of the course, or pass the certification challenge.
We will announce the lucky winner in the first week of July, so be sure to register&pay before July 1st!! We also made a deal with some hotels in Brussels to give discount prices to conference attendees. More info will follow next week. Mark 18 & 19 September in your calendar!!! See you in Brussels!

Related posts:
(Photo under creative commons from Tom Loth's photostream)

May 21, 2009

New Brucon media partner: Help Net Security and (IN)SECURE MAGAZINE

We are happy to announce our media partnership with Help Net Security and (IN)SECURE MAGAZINE.

Publication: Help Net Security

Help Net Security has been a prime resource for information security news since 1998. The site is updated daily with fresh content including quality articles, new product releases and latest industry news.

Publication: (IN)SECURE Magazine

(IN)SECURE Magazine is a free digital magazine published in a PDF format. It features articles written by some of the most prominent security experts. The magazine is released on a bi-monthly basis and averages 25,000 readers per issue.

May 15, 2009

BruCON is looking for crew members

As the first stages of organizing the conference are done, there is still a lot of work to be done. As BruCON is a non-profit organization, we still depend on volunteers to help with the conference. Here is a small overview of skills we are looking for:
  • BruCON CPU: organizational skills, coordination of activities and communication with external parties. Do you have people management skills, become a CPU!
  • BruCON Hologram: graphical design (posters, brochures, logos,...), web design, marketing skills, SEO, web 2.0 and social media skills,.. Got any of these skills, then you are perfect to become a BruCON hologram!
  • Brucon BOFH: maintain the webserver, set up the BruCON conference network, become a BruCON wiki admin, help program the CTF competition,.....
  • BruCON Sonic Screwdriver: be our hands and ears during the event. Help us set up the rooms, help the visitors, physical security, entrance checks, etc....
Are you enthusiastic about BruCON and want to help us out? Dedicated crew members get free entrance, an exclusive BruCON Tshirt and free lunch. Limited seats are available.

Come to the next Crew meeting on May Friday the 29th at 18:30 in Cafee Le Dome (Kruidtuinlaan 12, Brussels) or email us at volunteers (email$ign) brucon dot org. Don't forget to mark our meeting in your calendar!

(Photo under creative commons from dearbarbie's photostream)

May 13, 2009

Announcing the first part of the #brucon speaker track

Brucon is proud to announce the first part of the main speaker track:
  • Christofer Hoff - Cloudifornication - Indiscriminate Information Intercourse Involving Internet Infrastructure
  • Vincent Rijmen - Trusted Cryptography
  • Chris Nickerson - Red and Tiger Team
  • Chris Gates - Open Source Information Gathering
  • Jayson E. Street - “I am walking through a city made of glass and I have a bag full of rocks” (Dispelling the myths and discussing the facts of Global Cyber-Warfare)
  • Paul James Craig - Rage Against The Kiosk
  • Eric Vyncke - Transition to IPv6 on the Internet: Threats and Mitigation Techniques
  • Eric Adrien Filiol - How to prepare, coordinate and conduct a cyber attack
  • Esther Schneeweisz - Building Hackerspaces Everywhere
  • Brian Honan - Knowing Me Knowing You (The dangers of social networks)
  • Mario Heiderich - Malicious Markup - I thought you were my friend - cycle 3
The full program with more details of the presentations and ticket sales will soon be available. We are starting with an early bird pricing in addition to the chance to win a first class security course for the 50 first payments!!! Stay tuned for more news!! Follow through the RSS feed or email updates (right side panel).

Related posts:
(Photo under creative commons from givepeasachance's photostream)

May 8, 2009

Brucon Workshop #4: VOIP workshop

As we are finishing our main speaker track, expect some exciting news in the coming days. We'll begin with announcing another workshop!

Joffrey Czarny and Sandro Gauci will be giving a workshop about VOIP security.

Content of the Workshop:

The Goal of this workshop is to learn the risks and the weaknesses of default deployments of VoIP and the threaths posed by the misconfiguration of some telephony features. The workshop will provide specific guidelines and advice on how to build a secured VoIP architecture. An example of this is the use of SRTP combined to DIA/ARP guard as one of the ways to block wiretapping... Several of such features will be presented and discussed during the workshop.

Some comparative information will be presented about the security aspects of different voice vendors like Alcatel, Nortel, Cisco and Asterisk.

  • Identification of the VoIP Product
  • VLAN hopping, accessing the voice VLAN from the data VLAN
  • VoIP accounts enumeration
  • Communication wiretapping and injection of sound during a call
  • Spoofing of phone profiles and identity spoofing
  • UNISTM attack on Cisco IP phones
  • Bypass of call restrictions and voice gateway abuse
  • Grab of SIP or IAX credentials
  • Denial of Service on VoIP servers and IP phones
Joffrey CZARNY (France), working for Devoteam Security Business Unit
(FR). Since 2001, Joffrey is a pentester, he has released advisories on VoIP Cisco products and spoken at various security-focused conferences (Wireless Conference at Infosec Paris and Wireless Workshop at 2005, VoIP at 2007/2008 and ITunderground 2008/2009). On his site,, he maintains the Elsenot project ("") and posts video tutorials and tools on several security aspects.

Sandro Gauci is the owner and Founder of EnableSecurity ( where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. His passion is vulnerability research and has previously worked together with various vendors such as Microsoft and Sun to fix security holes.
Sandro is the author of the free VoIP security scanning suite SIPVicious ( and VOIPPACK for CANVAS.
Other workshops:
(Photo under creative commons from bowbrick's photostream)

Apr 19, 2009

Reviewing the Call for Papers

After a small Easter break, the Brucon crew is reviewing all the submitted proposals. We want to thank everyone who submitted a presentation, workshop or training and we are very happy with the result.

We are doing our best to review everything and respond to everyone in the next 2 weeks.

The Crew.

(Photo under creative commons from sutti.'s photostream)

Mar 27, 2009

Brucon Workshop #3: Wireless auditing

We all know that WEP encryption is not much better then no encryption at all. But how strong is WPA encryption today? Should you move to WPA2? How secure is your wireless network against rainbowtables? Find out how to audit your own network during our wireless workshop and how to secure it.
Thomas d'Otreppe, creator of aircrack-ng, is a graduate of
the Haute Ecole de Bruxelles (informatics high school in in Brussels). He has
also designed WiFu, a proactive wireless security course, with Mati

During this workshop, I'll tackle different scenarios that could happen during an audit of WiFi networks (Open, WEP and WPA). Including the use of CUDA and FPGA to accelerate bruteforcing. Aircrack-ng is not only meant for auditing wireless networks, it can also be used for site surveys and different tools based on it will be presented:- Airgraph-ng, graphing wireless networks and its integration in Maltego.- GISKismet, representing wireless networks in Google earth.- And more...

There will also be a contest. More details will follow
(Photo under creative commons from's photostream)

Mar 26, 2009

Announcing Vincent Rijmen, co-designer of AES as our second keynote speaker

We are proud to announce Vincent Rijmen as our second keynote speaker. He will provide a keynote on the current state of security and cryptography.

Vincent Rijmen is a Belgian cryptographer and one of the designers of the Rijndael, the Advanced Encryption Standard (AES). Rijmen is also the co-designer of the WHIRLPOOL cryptographic hash function, and the block ciphers Anubis, KHAZAD, Square, NOEKEON and SHARK.

Since 1 August 2001, Rijmen has been working as chief cryptographer with Cryptomathic. From 2001–2003, Rijmen was a visiting professor at the Institute for Applied Information Processing and Communications at Graz University of Technology (Austria), and a full professor there from 2004–2007. Since October 2007, Rijmen is an associate professor (hoofddocent) at K.U.Leuven, working once again with the COSIC lab.

Mar 23, 2009

Toool will be present at Brucon

The dutch wing of Toool will be present at Brucon. Toool is the The Open Organisation Of Lockpickers, a growing group of enthusiasts interested in locks, keys and ways of opening locks without keys.

The Open Organization of Lockpickers (TOOOL) was founded in Amsterdam. Meanwhile, we have groups in Eindhoven (Netherlands) and the USA as well. We regularly meet to practice lockpicking and discuss techniques used in locks. Every year, championships are being held in lockpicking, safe lock manipulation and impressioning.

Our knowledge about locks is also used to inform the general audience. This helps them in making informed decisions when buying locks. Also, we strive to have open communication with the lock industry and help them eliminate weaknesses in locks before they hit the market.

Toool will give a presentation and demonstration about the weaknesses and strengths of common locks. This will help visitors choose better and more secure locks for their homes or enterprises.

Toool was featured in a Dutch television program "Nova" (link) where they warned about the dangers of bump keys. If you want to know how to mitigate this technique, come and visit us at Brucon.

Mar 17, 2009

Hakin9 joins Brucon as media sponsor

Brucon is proud to announce Hakin9 as our first media partner.

Hakin9 is a bimonthly magazine about IT security and hacking techniques. It presents methods of breaking into computer systems, defence and protection methods. Their magazine is useful for all those interested in hacking - both professionals (IT Security officers, system administrators, security specialists) and hobbyists.

CCCure is known as one of the world's best education resource. As such we are VERY selective in our partnership. We are proud to be associated with Hakin9, it is the only magazine that cover security from both an offensive and defensive point of view. It is great to know about the latest vulnerabilities but it is a lot better if you fully understand how they can be used against you and how your assets could be exploited and taken advantage of. Hakin9 is a must read for any security professionals who wish to have a broad view of their environment threats and the desire to proactively defend it by knowing the secrets that are usually only shared between crackers. A subcription to Hakin9 is money very well invested. I strongly recommend the magazine to all.

Clement Dupuis, CD
President, Founder, and Security Evangelist

Hakin9 offers an in-depth look at both attack and defense techniques and concentrates on complex technical and highly practical issues. The Hakin9 magazine is published in other countries and language versions:

    • in English (in the USA, Australia, Holland, Singapore);
    • in German (in Germany, Austria, Switzerland, Luxembourg and Belgium);
    • in French (in France, Canada, Luxembourg, Belgium, Marocco);
    • in Polish (in Poland).

The official Hakin9 website:

Mar 10, 2009

Didier Stevens will give a Digital ID workshop during Brucon

We are happy to announce that Belgian Security Researcher and Blogger Didier Stevens will provide a Digital ID workshop. Didier Stevens (CISSP, GSSP-C, MCSE/Security, ...) is an IT Security Consultant for Contraste Europe currently working at a large Belgian financial corporation and maintains a security blog at If Didier is not playing with Google adwords, he is playing with pdf readers, twitter controlled xmas trees or playing with RFID tags.
This is just one example of the many things we have in store for you during the Brucon conference. If you would like to submit a workshop yourself, please contact us.

Abstract Digital ID workshop:

This workshop will show you how to read your digital identification documents you're carrying with you. Think of your bankcard, credit card, Belgian Electronic ID card, SIS, Proton, hotel room keycard, RFID passport, RFID access badge,SIM card, train ticket...

You'll learn the basic principles of magnetic stripe cards, smartcards and RFID tags. Bring your laptop with a Windows XP install (virtualized is OK too, provided USB is supported) and a smart card reader if you have one. Didier will provide you with several Python and C programs to read your IDs on your machine (you don't want somebody else to read your credit card on their machine, right?). The workshop will also show you how to program a simple smart card for your own digital ID applications.

Keep following our updates on our blog for more upcoming talks and workshops.

(Photo under creative commons from Uwe Hermann's photostream)

Brucon Volunteers meetup

In the next weeks, there will be two meetups between the Brucon crew and potential volunteers. Questions can be asked, ideas can be exchanged and proposals can be made. You don't have to be shy. Everybody can probably contribute to the event in his own way.

We will be available on the 13th and 20th of March. If you cannot make one, feel free to drop by on the second date.

Location: Café Le dome
Bd. du Jardin Botanique 12-13
1000 Brussels
(Google maps)

It's just in front of the Underground Parking Rogierplein and a few minutes walk from the Brussels North Trainstation.

Please drop a message on this Doodle poll if you intend to come or leave a message.

(Photo under creative commons from deSKOLtrolado's photostream)

Mar 1, 2009

30 days remaining for the Brucon Call for Papers

We got some great submissions and more are on the way. This is a gentle reminder that we have entered the month of March and that you have 30 days to enter an abstract of your presentation. We have decided to end the first phase of our CFP on the 30th of March. See our CFP policy for more information.

Follow our RSS feed to stay up to date on the latest news.

Related posts:
(Photo under creative commons from ToniVC's photostream)

Announcing the Brucon Keynote speaker

Lifting a tip of the curtain. The Brucon Crew is proud to announce Christofer Hoff as it's first speaker.

Christofer Hoff has over 15 years of experience in network and information security architecture, engineering, and operations. Hoff's expertise is focused on developing strategies for innovation in the area of information assurance, resilience, and rational risk management.

He is a prolific blogger (, a featured speaker at numerous information security conferences, holds several security credentials and is an accomplished and accredited instructor in multiple security disciplines.

Cloudifornication - Indiscriminate Information Intercourse Involving Internet Infrastructure

What was in is now out.

This metaphor holds true not only as an accurate analysis of adoption trends of disruptive technology and innovation in the enterprise, but also parallels the amazing velocity of how our datacenters are being re-perimiterized and quite literally turned inside out thanks to Cloud computing and virtualization.

One of the really scary things happening with the massive convergence of virtualization and cloud computing is its effect on security models and the information they are designed to protect.

Where and how our data is created, processed, accessed, stored, backed up and destroyed in what is sure to become massively overlaid cloud-based services -- and by whom and using whose infrastructure -- yields significant concerns related to security, privacy, compliance and survivability.

Further, the "stacked turtle" problem becomes incredibly scary as the notion of nested clouds becomes reality: cloud SaaS providers depending on Cloud IaaS providers which rely on Cloud network providers. It's a house of, well, turtles.

This "infrastructure intercourse" where your resources and data can be located anywhere makes it very interesting to try and secure your assets when you don't own the infrastructure and in most cases can't control the level of security.

We will show multiple cascading levels of failure associated with relying on cloud on cloud infrastructure and services including exposing flawed assumptions and untested theories as it relates to security, privacy and confidentiality in the Cloud with some unique attack vectors.

The Call for papers is still open. If you are interested to do a training or a presentation at BruCON, please submit an abstract.

Feb 23, 2009

Calling volunteers for our hacking challenge

During the conference, a Hacker's Challenge will be running. The main organizer of the challenge is looking for skilled people who can help him set up stuff.

The main tasks would be to "invent" easy-to-difficult challenges on different domains (for example):
  • Hacker Trivia
  • Malware analysis
  • Web Application Hacking
  • Forensics
  • etc.....
This is a temporary list and is not exhaustive and might be subject to change. The challenge is meant to learn participants some practical skills in the different domains of security. Wether you're a novice network admin or a l33t packet ninja, the purpose is to learn some skills that might be useful by way of a fun and hands on contest.

So the purpose of this 'hacking challenge' is *not* to learn
  • how to hack into your girlfriend's hotmail account
  • hack into the pentagon network in search for UFO evidence
  • write banking trojans and become a member of the RBN
  • become a l33t haxxor to impress your friends
I hope that this explanation is crystal clear to some of the people that asked for more explanation about the "hacking" challenges of our conference.

Drop us an email or reply on Linkedin if interested. For those who are not volunteering, start reading up on all those books or ebooks lying around, the challenge will feature a very cool price !!!

(Photo under creative commons from Spiff_27)

Feb 22, 2009

Picking up pace: Announcing our first sponsors and partners

The Brucon Conference is picking up pace. We're announcing our first sponsors and supporters. We will keep a complete list of sponsors and supporters on the "Organizers and Partners" page of our website. More sponsors and supporters are in the pipeline and will be added soon.

The lists starts with our Diamond Sponsor: Belgacom and our first supporters: Owasp Belgium, LSEC and

If you want to support the event as a sponsor or supporting organization, please contact us here.

(Photo under creative commons from NathanFromDeVryEET 's photostream)

Feb 8, 2009

Sponsors for Brucon

To keep prices fair and affordable for everyone, we are looking for sponsors. We want everybody to be able to attend this event. Consultants, freelancers, engineers, administrators, programmers, students, officers, artists.... everyone with an interest in technology and its creative use is welcome.

We can offer great visibility to a very large and wide range of IT (security) professionals. If you know interested parties to sponsor this event, please contact us for additional information.

(Photo under creative commons from kpishdadi's photostream)

Fixing the RSS Feed and an update on the event.

Due to a small DNS update, our RSS feed broke. This should be solved now. Our apologies for the inconvenience.

A small update on the event. We had a lot of positive reactions after the announcement. A lot of people have volunteered themselves and it's immensely appreciated. We already have some cool abstracts and are looking forward for new submissions. In the next weeks, we might publish some sneak previews on possible talks and workshops. So keep submitting them!!!

For now, let more people know about the event!!! Forward the CFP, mention the website, follow the RSS feed or on twitter, join the LinkedIN group,.....

(Photo under creative commons from hapticflapjack's photostream)

Jan 25, 2009

Using hashtag #brucon on Twitter

For the twitter users among us, let's announce the hashtag #brucon for related tweets.

(Photo under creative commons from mfilej's photostream)

BruCON 2009 Call for Papers

Our website will now accept abstracts for the submission of presentations. Our goal is to have both international and local speakers. There will also be room for small lightning talks so everyone can have a say at this event about his tool, website or cool project. Pass the message !!!

Call for Papers BruCon.v1 2009: Hacking for B33r

This is a call for papers and participation for BruCon, an International Security Conference,
organized in Brussels!

Brucon aims to become the best and most fun hacking (*) and security event in Belgium
and W. Europe offering a high quality line up of speakers, opportunities of networking with
peers, hacking challenges and workshops. Brucon is an open-minded gathering of
people discussing computer security, privacy, information technology and it's
cultural/technical implications on society. The conference creates bridges between the
various actors active in computer security world, included but not limited to hackers(*),
security professionals, security communities, non-profit organizations, CERTs, students,
law enforcement agencies, etc.....

The conference will be held in Brussels in September 2009 (18 & 19.09.2009) at The Surfhouse

Papers are to be submitted in English as the conference language
is English.

(*)Hackers are "persons who delight in having an intimate understanding of the internal workings of a system,
computers and computer networks in particular." People who engage in illegal activities like unauthorized entry
into computer systems are called crackers and don't have anything to do with hacking. Brucon doesn't promote
any illegal activities and behavior.
Many hackers today are employed by the security industry and test security software and systems to improve the
security of our networks and applications. In addition, for the younger generations, we want to create some
awareness and interest in IT students to learn more about IT Security.


Topics of interest include, but are not limited to :

* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Web Application and Web Services Security
* Lockpicking & physical security
* Honeypots/Honeynets
* Spyware, Phishing and Botnets (Distributed attacks)
* Hardware hacking, embedded systems and other electronic devices
* Mobile devices exploitation, Symbian, P2K and bluetooth technologies
* Electronic Voting
* Free Software and Security
* Standards for Information Security
* Legal and Social Aspect of Information Security
* Software Engineering and Security
* Security in Information Retrieval
* Network security
* Security aspects in SCADA, industrial environments and "obscure" networks
* Forensics and Anti-Forensics
* Mobile communications security and vulnerabilities
* Information warfare and industrial espionage
* ...


The following dates are important if you want to participate in the CfP

Abstract submission: no later than 15 30th of March 2009
Notification date: around end of March April 2009
Full paper submission: no later than 1st July 2009

Submissions can be entered at

For further information and questions please feel free to contact cfp at_sign

Submission Guideline (for standard paper track)

Authors should submit a paper in English with up to 5.000 words and/or
presentation slides, using a non-proprietary and open electronic format.

The program committee will review all papers and the author of each
paper will be notified of the result, by electronic means.

Abstract is up to 400 words. Submissions must be sent via
You can contact us if any errors or issues occur.

Submissions should also include the following:

1. Presenter, and geographical location (country of origin/passport) and
contact info.
2. Employer and/or affiliations.
3. Brief biography, list of publications or papers.
4. Any significant presentation and/or educational experience/background.
5. Reason why this material is innovative or significant or an important
6. Optionally, any samples of prepared material or outlines ready.
7. Information about if yes or no the submission has already been
presented and where.

The information will be used only for the sole purpose of the BruCon
conference including the information on the public website.

If you want to remain anonymous, you have the right to use a nickname.

Additional Speakers Info

Brucon is a non-profit oriented event by and for the security and hacking community
and speakers are not paid. But speakers get a bottle of "Real Beer (TM)" for giving a talk.
However, financial help on travel expenses and accommodation is possible. It needs
to be agreed upon after acceptance of the submission, though. Feel free to state
your requirements in the application when submitting your lecture with a cost estimate
and we'll work something out!

Lectures should not exceed 45 minutes plus up to 10 minutes for questions and answers.
The spoken language of a lecture will be English.

Publication and Rights

Authors keep the full rights on their publication/papers but give an
right to redistribute their papers for the Brucon conference
and its related electronic/paper publication under a CC-BY-NC-be license.

Sponsoring and Donations

If you want to support the initiative,
please contact us by writing an e-mail to sponsors at_sign

Online Presence


Lightning Sessions and Workshops

During the conference, several spaces will be made available for
lightning talks and workshops.

A lightning talk is a very short presentation of about 4 minutes to present
an idea, a concept, a program or a cool website. About 12 persons can present
during one hour.

Everyone is very welcome to participate to submit small ideas, presentations
or workshops. The review process is simplified and open to anyone willing
to take an active role during the conference. Participants don't have to
submit a full paper.

Submissions are done via workshops at_sign

Call for Volunteers

As we want this to be a true community event, we are still looking for volunteers
to help us organize this event.
If you are interest to contribute, please send a mail to volunteers at_sign
with some information on how you can contribute to our event.
(Photo under creative commons from andyp uk's photostream)

BruCON website officially launched

After a few days of beta testing. The BruCON website has been officially launched !!! Although word of mouth has already resulted in some blogposts (rootshell), this can be considered as the official launch of the event.

France has HACKFR. The Netherlands have HAR (Hacking at Random). Luxemburg has HACKLU. Germany has the Chaos Computer Congress. Now finally, Belgium has BruCON!! The spirit of the congress is an event organized by and for the hacker(*) and computer security community. Spread the word !!

(*)Hackers are "persons who delight in having an intimate understanding of the internal workings of a system, computers and computer networks in particular." People who engage in illegal activities like unauthorized entry into computer systems are called crackers and don't have anything to do with hacking. BruCON doesn't promote any illegal activities and behavior. Many hackers today are employed by the security industry and test security software and systems to improve the security of our networks and applications. In addition, for the younger generations, we want to create some awareness and interest in IT students to learn more about IT Security.

You can stay in touch with the event through one of the following sources:
More news to follow soon!!

(Photo under creative commons from Monica's Dad's photostream)