Security PWNing Conference 2018 | Instytut PWN
Security IT in practice

Security PWNing Conference 2018

Time left to conference:

Take care of security of information systems and data in your company!

Apply to participate in the Security PWNing Conference 2018!

The conference participants will get to know current IT security threats and the latest methods of protecting business assets. They will learn, among others, what current threats entails connecting different types of devices to their computers and how to counteract them.

Top experts will present the latest research results and advise on how to improve the security of operating systems and applications. There will also be news on technical IT security and carrying out safety tests.

The conference participants will receive not only a huge dose of knowledge, but also the opportunity to develop their business contacts.

 – – – – – – – – – – – – – – – – – – – – – – – – -Gynvael-zdj_C4_99cie

On behalf of Gynvael Coldwind (Chairman of the Scientific Committee) and the Institute of PWN (Publishing House in Poland). As The PWN Group we not only manage the publishing process, but also provide the educational training, including conferences and symposia. We would like to invite you to attend „Security PWNing Conference 2018″. The meeting will take place on 19-20 November 2018 in Warsaw (Warsaw Plaza Hotel), Poland. The conference program is aimed at professionals who practice in the field of computer security. This is the third edition of the Security PWNing Conference.


Scientific Program


Simultaneous translation into English will be provided!


November 19
Gynvael Coldwind
Hardware RE: how to hack a hotel door lock's firmware and... write a better one yourself

If people write custom firmware for routers, why not do it for a hotel door lock? We will present reverse engineering techniques suited for undocummented hardware and possibilities for independent adjustment of software. Moreover, we will also show some exploits for these kinds of locks.

Coffee break
PentHertz - the use of radio attacks in red team and penetration tests
Sebastian Dudek

Red team tests consist of multiple cases scenarios where penetration testers are given free rein to produce realistic attacks against a targeted company. To intrude a company, attackers may try to find flaws in exposed services or send malicious emails. But when this company has a low level exposure and because the development of undetected malicious mails is time consuming, physical intrusions are, to the contrary, more difficult to prevent.

Coffee break
Hacking JWT (JSON Web Token) - real life cases
Coffee break
Funny Bugs in Big Companies
Millennium Bank
Tomasz Bukowski, Marcin Grzesiak

A short presentation of selected vulnerabilities that we have come across while working in our institution.

Getting the most from Cyber Security Assessments
Paweł Krzywicki

Red teaming, pentesting, white box testing – many definitions and even more ways to conduct these tests, but how they help in the ultimate decision if the product requires additional investments? This paper will deep dive into a real attack executed by a red team against a multi-layer product.

Coffee break
End of Security vs. Development quarrels?
Beata Szturemska, Paweł Krzywicki

A short story about the way security researchers and development teams cooperate to focus on doing the right and meaningful things, give developers a chance to grow and have time to hack their own code (when we get tired of playing ping pong).

Coffee break
Low level debugging with Pwndbg
Dominik Czarnota

This talk will present a plugin for GDB called Pwndbg, useful for debugging of assembly code, reverse engineering and exploit development.

Coffee break
Hackingdept: New dimention of education
STM Solutions
Grzegorz Wróbel

The online training courses available quickly become obsolete? Are you interested in current aspects of attacks, including hardwar attacks? Do you need a solution for recruitment processes, education and promotion of your team in one? Don’t necessarily want to share your team’s knowledge with external training providers? Would you like to learn from members of the best CTF teams in Poland and  in the world ? Come and listen about Hackingdept.

Technical break
How Polish people lose their money in Internet? Overview of the most popular Polish scammers
Piotr Konieczny

Every day in internet Polish people are victims of the sophisticated criminals or… their naivety and stupidity. The effect of this two cases are the same – losing money. The lecture will try to illustrate how the „cybercriminals” have evolved over the last few months and indicate who they are and how much they earn.

Coffee break
USB, SATA, SCSI and hardware disk encryption
Kacper Kulczycki

Briefly talk about complications induced by hardware encryption of disks with the integrated USB connector and methods applied in data recovery and digital investigations.

Technical Break
Social engineering wizards - the most interesting criminals' tricks
Adam Haertle

During the presentation I will provide an overview of the most interesting cases of the use of social engineering in attacks on Polish Internet users in recent years and some victims’ reactions.

Coffee break
From Shellsort to " Shellsort" like a MacGyver style

A lot of research has been conducted in recent years on performing code injection in the Windows operating system without touching the disk. The same cannot be said about *NIX (and Linux specifically).

Imagine yourself sitting in front of a blinking cursor, using a shell on a freshly compromised Linux server, and you want to move forward without leaving any traces behind. You need to run additional tools, but you don’t want to upload anything to the machine. Or, you simply cannot run anything because the noexec option is set on mounted partitions. What options remain? 

Closing remarks
Gynvael Coldwind
After Party
After party

After an intense conference day, we invite you to the after party in Warsaw Plaza Hotel (in the foyer of the conference room). During this informal meeting, you will be able to not only relax, but also talk with other participants and speakers and make new contacts.

During the meeting, we will provide dinner in the form of a buffet and drinks. We will also give you vouchers for free beer and wine which you can pick up during the after party

START: 19 th November 19, 8 pm

Have fun!

November 20
Gynvael Coldwind
Programmer as a key to the company - GIT servers exploitation
Kacper Szurek

Almost each IT company has a GIT server. We treat it like something obvious, but are we aware that it can be a tidbit for the attackers? The security of a few GIT servers was put under examination and this presentation shows the results of the research that ended with discovery of vulnerabilities allowing for remote code execution.

Coffee Break
Dangerous adventures during binary analysis - Tales about bugs in analytical tools and more

The talk will cover bugs and security vulnerabilities in all sorts of binary analysis tools, support tools and libraries, useful in dealing with malware – at every stage of the analysis: network, binary and detection stage.

Many vulnerabilities mostly are basic coding errors, which, probably only with the help of cosmic rays, have been placed in the source code. I have not suspected their creators of such things so far ;-)

Coffee break
Good old mmap – mmap exploitation in Linux kernel drivers
Mateusz Fruba

Memory mapping issues in Linux kernel drivers were discovered years ago. Despite the discovery of this category of issues, a number of vulnerable device drivers were developed for various platforms such as mobile devices, TV, routers, servers and many more types of embedded devices. It is believed that the primary reason for this is due to the lack of public guidelines about secure kernel development practices. Each developer has to learn it by himself. Often, they will only learn about the pitfalls, when a public exploit is created for their driver and the security team is expected to resolve it. This presentation aims to show the process of creating a fully weaponized exploit for faulty mmap implementation in Linux kernel drivers.

Coffee Break
Teledildonics - technical, ethical and legal aspects of security of connected sex toys
Maciej Chmielarz

In a time when connecting consumer electronics to the web is cheap and easy, makers of all kinds of devices urge to add this functionality to their products. If only something has a battery, typically it also has wireless interface, mobile app, service in the cloud and broad attack surface associated with all these. Oftentimes it does not bring customers actual value, despite the cost of increased risk.

Lightning talks
Coffee break
How do the car-sharing companies implement GDPR in practice
Tomasz Zieliński

GDPR states that a „data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format”. However, does an Excel file with embedded ActiveX controls meet such requirements? Also, what happens when the e-mail address of a data protection officer has a typo? I will present the outcome of my experiment, in which I tried to use GDPR while corresponding with ten Polish car and scooter-sharing companies.

Coffee break
C/C++ vs Security!
Gynvael Coldwind
Coffee breaks
CTF security competitions results
Closing remarks
Gynvael Coldwind


SECURITY PWNing CONFERENCE 2018 – III edycji przeszła do historii

W dniach 19-20 listopada w Warszawie odbyła się trzecia edycja konferencji „SECURITY PWNing”, która zgromadziła rekordową ilość, ponad 400 osób, zainteresowanych tematyką bezpieczeństwa komputerowego w praktyce. Z naszej strony dołożyliśmy wszelkich starań, aby dobór tematów i prelegentów sprostały oczekiwaniom grona specjalistów oraz by konferencja ta weszła na stałe do kalendarza najważniejszych wydarzeń IT w Polsce.

Wzorem ubiegłorocznej edycji konferencję otworzył Przewodniczący Rady Programowej, Gynvael Coldwind, odpowiedzialny za merytoryczną stronę spotkania. Zaproszeni Prelegenci, którym towarzyszyli eksperci wyłonienie w ramach Call for Papers, podzielili się swoją wiedzą, praktyką i bogatym doświadczeniem.  Uczestnicy mogli zapoznać się między innymi ze sposobami hakowania firmware zamków hotelowych, przeprowadzania ataków na sieci bezprzewodowe podczas Red Teamingu oraz otrzymali solidną dawkę informacji na temat tokenów JWT. Nie zabrakło też wiedzy na temat poszukiwania błędów w bankowości elektronicznej, kosztów Red Teamingu, oraz niebezpieczeństw czyhających na statystycznego użytkownika internetu. Ze względu na udział gości z zagranicy wszystkie wystąpienia były tłumaczone symultanicznie na język angielski.

Ponadto, podczas tegorocznej edycji „Security PWNing” uczestnicy mogli wziąć udział w zawodach liczonych do klasyfikacji generalnej CTFTime. Konkurs został zorganizowany przez zespół Dragon Sector - jedną z najlepszych drużyn CTF na świecie. Zwycięskie drużyny, które najsprawniej rozwiązały zadania z zakresu inżynierii wstecznej, eksploitacji niskopoziomowej, kryptografii oraz bezpieczeństwa aplikacji webowych otrzymały nagrody pieniężne. Jeszcze raz gratulujemy wszystkim, którzy wzięli udział w zaciętej rywalizacji.

Po solidnej dawce technicznych informacji uczestnicy konferencji mogli odpocząć, grając w kultowe gry na sprzęcie sprzed kilkunastu–kilkudziesięciu lat, przygotowanym przez Fundację Dawnych Komputerów i Gier. Goście korzystali także z jednego z najbardziej zaawansowanych technologicznie zestawów VR, który przenosił spragnionych dodatkowych wrażeń w obszary rozszerzonej rzeczywistości.

Rozmowy w kuluarach i wspólnie spędzony czas na after party były znakomitą okazją do networkingu, i dalszego zgłębiania interesujących zagadnień. Wierzmy, że były to dwa owocne dni w gronie ludzi, których łączy wspólna pasja do tematów związanych z bezpieczeństwem IT. Już teraz zapraszamy Was do udziału w Security PWNing 2019 – do zobaczenia za rok!


Video 2017


Dominik Czarnota
Security Engineer at Trail of Bits. Contributor to Pwndbg and Manticore open source projects. Plays CTF contests focusing on re/pwn/web cate... more
Sebastian Dudek
Information security expert working for the Synacktiv company. For over 7 years he has been particularly passionate about flaws in radiocomm... more
Adam Haertle Creator and main editor one of the most popular security websites. Security expert with passion, conference spea... more
Jarosław Jedynak
Fascinated by programming since grade school. Changed his career path to become a malware analyst in CERT Polska, where he used to work on r... more
Marek Klimowicz
Automation and Robotics Engineer from Bialystok University of Technology. Self-taught programmer and electronical engineer. He creates robot... more
Piotr Konieczny
Chief Information Security Officer,
Michał Leszczyński
From April 2018 a member of the CERT Polska team, where he creates various tools and systems. Sometimes he happens to analyze some malware (... more
Michał Sajdak
The founder and creator of website, an IT security consultant in Securitum, trainer. He has over ten years of experience in issue... more
Tomasz Bukowski
Physicist by education. He deals with difficult (security) IT problems at Bank Millennium. Proud member of DragonSector.
Maciej Chmielarz
Maciej Chmielarz has been working in the IT sector since 2008. His experience comes from leading Polish and global technology companies that... more
Kamil Frankowicz
The big fan of fuzzing and new methods of causing software failures. On a daily basis, he defends the security of the Polish Internet by wor... more
Marcin Grzesiak
IT engineer with passion for software development. Became software security engineer in Bank Millennium on early 2017. Every day deals with ... more
Mateusz Fruba
Security consultant working for MWR InfoSecurity. Privately, he is a security enthusiast with a passion for spoiling full platforms, from we... more
Kacper Kulczycki
Peer of 5150 IBM PC. Studied in Faculty of Physics University of Warsaw, crucial place for the coming into existence of the Polish Internet.... more
Paweł Krzywicki
Paweł Krzywicki works as a Security Researcher & a Red Teamer at Intel. During last 20 years he sometimes played a role of a Project Ma... more
IT security professional. MSc graduated from Gdansk University of Technology, IT Department. His professional career in IT started over 20 y... more
Beata Szturemska
A developer in Platform Security Department at Intel. She is not devoted to any particular technology or programming language, which gives h... more
Kacper Szurek
Kacper is a Detection Engineer at ESET. He owns a YouTube channel (KacperSzurek) where he talks about pentester work and other related topic... more
Tomasz Zieliński
Developer, mobile team leader at PGS Software. During his several-year career he worked on maintaining financial software for the NBP, he pa... more
Grzegorz Wróbel
The founder of STM Solutions Sp. z o. o. Sp. k. Long-term specialist in the field of information protection . Since 2005 he has been involve... more

Program Council

Chairman of the Program Council


The programmer-enthusiast with passion to the IT security and low-level aspects of the IT, also the author of numerous articles, publications, podcasts and speeches devoted to these topics. In 2013 he was awarded in Las Vegas (together with Mateusz Jurczyk) Pwnie Award in the category „The most innovative scientific research” in the field of the IT security. The captain and co-founder of Dragon Sector, one of the best CTF teams in the world. Since 2010 he has been living in Zurich where he works for Google company as Senior Engineer/Information Security Engineer. The author of the books published by PWN: „Understanding Programming”, „Practical Reverse Engineering”.

Program Council

 Gynvael Coldwind –
Piotr Duczyński –
Mateusz Jurczyk –
Mateusz Kocielski – http://www.akat1.pl
Borys Łącki –


Our conference will host the Dragon CTF organized by the Dragon Sector team.

The CTF will count towards the general classification and will be held in the Jeopardy 4-players-per-team formula, with task categories including reverse engineering, low level exploitation, cryptography and web application security.

The total prize pool is 17 000 PLN.

In addition, an online CTF teaser will be run on the 29th-30th of September. The prizes for top teams in the online teaser include reimbursement of accommodation and travel expenses for the main competition. For details, please see

We invite all conference participants and the top 10 teams from the teaser to participate in the Dragon CTF.









We invite you to play together in virtual reality! VR Project has prepared many attractions for you!

In the VR zone you will be able to try one of the most technologically advanced VR sets – Oculus Rift with Touch controllers. The system allowes you to track the motion and full interaction with the virtual environment. Thanks to that, we guarantee the WOW effect and unforgettable impressions. It will be possible to explore the depths of the ocean, shoot drones somewhere in space, try rock climbing without belaying.

SRODEK_Strona_02 — kopia

The zone will be available on 19th November from 10 am to 6 pm

Sponsor of the relaxation zone

VR project LOGO



„Dawne Komputery i Gry” Fundation organized a zone for you, in which you will find computer equipment from a dozen or so dozens of years ago.

The exhibition is fully interactive – so you can not only watch the equipment, but also play computer games from years ago!


And on what and what will you be able to play?

PONG, Atari 2600, Atari 65XE, Amiga 600, NES, SNES, Nintendo 64, Commodore 64, Nintendo GameCube, Sega Master System II, Sega Mega Drive II and many more.

 The exhibition will be available on 19th November, from 10 am to hours 11 pm and on 20th  November to 6 pm.

Place and date

NOVEMBER 19-20, Warsaw
Warsaw Plaza Hotel
ul. Łączyny 5
tel.:22 431 08 00​

Gold Sponsor:             —–


Silver Sponsor:      -


Sponsors:                    —-


Sponsor of the relaxation zone: VR project LOGO


We’d like to invite you to co-create the Security PWNing Conference 2018!

If you are interested in cooperation or delegating their employees to participate in the conference, please contact Natalia Popiel (

We will be very glad if your company join to our team!