PUBLICATIONS

I try to put my publications online as soon as they are available, either in PDF or in HTML format. Most of them are in French. I will keep this page up to date. By now, you can find below: Conferences and Presentations Articles Books Trainings and Courses Committees Security Advisories Conferences and Presentations Marcus Evans 2009 Marcus Evans organizes an annual conference on IT Architecture and Urbanisation. This year, I gave the Web Services Security talk: Download the presentation slides (PDF format). JSSI 2008 The JSSI is a French technical conference about IT Security organized by the OSSIR (Observatoire de la Sécurité des Systèmes d'Information et des Réseaux). Protection des données personnelles et de la vie privée chez un opérateur de téléphonie mobile: aspects juridiques et techniques (may 2008) Download the presentation slides (PDF format). NetFocus 2008 NetFocus is a closed community of senior IT security executives and CISO's. No journalist is allowed to publish the content of the presentations. In 2008, the annual conference took place in Lyon (France). Web 2.0 Security in theory and in practice (apr 2008) Bars des Sciences The "Bars des Sciences" organize informal talks about scientific subjects for the general public. The audience is generally very diversified. Alerte aux virus (feb 2008) See the summary of the roundtable. Tables rondes EBG EBG (Electronic Business Group) is an international business network which purpose is to boost innovation, new technologies, Internet and digital medias. Obligations juridiques des Systèmes d'Information et implémentation technique (may 2007) See the summary of the roundtable. EUROSEC 2007 EUROSEC is a European conference for professionnal experts interested in the latest developments as well as the future prospects for IT security (technical and legal issues). Créer un tableau de bord de Sécurité SI en 4 fois sans frais (may 2007) Download the presentation slides (PDF format). EUROSEC 2006 EUROSEC is a European conference for professionnal experts interested in the latest developments as well as the future prospects for IT security (technical and legal issues). Démarche de sécurité dans les projets: théorie et réalité (avr 2006) Download the presentation slides (PDF format). Journées de la Sécurité des Systèmes d'Information du CELAR 2005 The CELAR JSSI (alias CESAR: Computer & Electronics Security Applications Rendez-vous) is a security conference organized by the CELAR, the French military center for electronics and computer science. GIMLI: a hybrid simulator for IT Security (oct 2005) GIMLI, like a flight simulator, is designed to train learners how to defend their own network against attacks. EUROSEC 2005 EUROSEC is a European conference for professionnal experts interested in the latest developments as well as the future prospects for IT security (technical and legal issues). Google hacking: quand Google devient un outil d'attaque (mar 2005) Download the presentation slides (PDF format). Conference ANAJ - IHEDN You can find a description of this conference organized by the ANAJ - IHEDN (Institut des Hautes Etudes de Défense Nationale) here. Cyber-terrorism: myth or reality ? (sep 2004) Download the presentation slides (PDF format). BlackHat USA 2004 (USA) BlackHat is the most reknown international congress of security professionals. It takes place in Las Vegas. Managing MSIE security in corporate networks by creating custom Security Zones (jul 2004) Download the presentation slides from BlackHat Web site (PDF format). Google hacking or how to use Google as a pen-test tool (jul 2004) Download the presentation slides from BlackHat Web site (PDF format). Ph-neutral (Germany) Ph-neutral is an invitation-only party in which people interested in computer security can share ideas/codes/success. It takes place in Berlin. Information leakage in proprietary documents (may 2004) Download the presentation slides (PDF format). BlackHat Europe 2004 (Holland) BlackHat is one of the most reknown international congresses of security professionals. It takes place in Amsterdam. Security Patches Management on a Windows Infrastructure (may 2004) Download the presentation slides from BlackHat Web site (PDF format). EUROSEC 2004 EUROSEC is a European conference for professionnal experts interested in the latest developments as well as the future prospects for IT security (technical and legal issues). La gestion des correctifs de sécurité dans un parc Windows (mar 2004) Download the presentation slides (PDF format). JIP 2004 (Tunisia) JIP (Journées d'Informatique Pratique) is a Tunisian congress of IT professionals coming from several countries. In 2004, it took place in Rades, and the main theme was security. Conference: La sécurité des réseaux sans fil Conference: Emergence des applications intranet Solutions Linux 2004 Solutions Linux is a French congress about Linux and free software solutions. Fuite d'informations et Spyware dans Office et Windows (feb 2004) Download the presentation slides (PDF format). SPIRAL 2003 (Luxembourg) SPIRAL is a European series of conferences for IT professionals. They take place in Luxembourg. Exemple de scenario catastrophe technologique pour une entreprise (jun 2003) Download the presentation slides (PDF format). JIA 2003 (Tunisia) JIA (Journées d'Informatique Appliquée) is a Tunisian congress of IT professionals coming from several countries. In 2003, it took place in Sousse, and the main theme was security. Workshop: Securing Windows 2000 Server Conference: Web Applications Security Workshop: Security techniques in an intranet EUROSEC 2003 EUROSEC is a European conference for professionnal experts interested in the latest developments as well as the future prospects for IT security (technical and legal issues). La sécurité des applications Web - Pourquoi les firewalls sont impuissants (mar 2003) The presentation is about the common vulnerabilities of Web applications and describes some solutions to secure them. Download the presentation slides (Powerpoint format) from EUROSEC Web site (not available any more). SPIRAL 2003 (Luxembourg) SPIRAL is a European series of conferences for IT professionals. They take place in Luxembourg. Vulnérabilités et sécurisation des applications Web (feb 2003) Download the presentation slides (PDF format). INFOSEC 2002 INFOSEC is a European congress of security professionals. Attaques et sécurisation des applications Web (may 2002) The presentation is about the new attacks against Web applications and the solutions to protect them. Download the presentation text (Word format) Le salon de la sécurité informatique 2000 Le salon de la sécurité informatique (INFOSECURITY) is an European congress of security professionals. Sécurisation d'un réseau exploité sous Windows 2000 (nov 2000) The presentation is about Windows 2000 network security and about a vulnerability database for Windows 2000. Download the PDF OSSIR OSSIR (Observatoire de la Sécurité des Systèmes d'Information et des Réseaux) is a French association of security professionals. La fuite d'informations dans les documents propriétaires (oct 2003) Download the PDF Scénario catastrophe à l'échelle d'une entreprise (jul 2003) Download the PDF Vulnérabilités, attaques et sécurisation des applications Web (sep 2002) Download the PDF Les mécanismes de sécurité d'ISA Server (sep 2001) Download the PDF Sécurisation d'un serveur Windows 2000 (oct 2000) Download the PDF La sécurité avec Windows 2000 (mar 2000) Download the PDF Le Service Pack 4 de Windows NT 4.0 et la sécurité (jan 1999) Download the PDF The presentations are usually put online on the OSSIR Web site: http://www.ossir.org/ftp/supports Articles MISC MISC (Multi-system & Internet Security Cookbook) is a new French newspaper specifically aimed at information security. The subjects are mostly technical ones. Security patch management process (MISC No 22, nov 2005) VoIP Security (MISC No 16, nov 2004) Pen tests (MISC No 11, jan 2004) IPSec on Windows (MISC No 10, nov 2003) Information leakage in proprietary documents (MISC No 7, may 2003) Cyber-terrorism (MISC No 6, mar 2003) How to secure Windows 2000 (MISC No 2, apr 2002) Vulnerabilities and security of Internet Information Server (MISC No 1, jan 2002) Hardening Internet Explorer and Outlook Express (MISC No 1, jan 2002) Confidentiel Sécurité Confidentiel Sécurité is a French newspaper about information security (both organisational and technical) and corporate risks. Mise en oeuvre de la gestion des correctifs de sécurité (Part 2) (No 122, may 2005) Mise en oeuvre de la gestion des correctifs de sécurité (Part 1) (No 121, apr 2005) Vulnérabilités et solutions de sécurisation des applications Web (Part 2) (No 105, oct 2003) Vulnérabilités et solutions de sécurisation des applications Web (Part 1) (No 104, sep 2003) Information Security Bulletin (ISB) ISB is an international journal for IT security and information assurance professionals. Security patch management on a Windows infrastructure: from technical solutions to real world implementations (Vol. 9, Issue 8, oct 2004) Linux Magazine Linux Mag is a French newspaper written by Linux aficionados. Some special issues deal with security. Firewalls and Web applications: architecture and security (nov 2002) Internet Professionnel Internet Professionnel is a French monthly newspaper and is basically targeted to Internet professionals. Etablissez une stratégie IPSec entre vos serveurs Windows 2000 (avr 2001) Read online Une MMC personnalisée pour réinitialiser les mots de passe (mar 2001) Read online Sécuriser Windows 2000 sur Internet (2ème partie) (fev 2001) Read online Sécuriser Windows 2000 sur un Intranet (1ère partie) (jan 2001) Read online Sécurisation d'un serveur Web avec le Security Configuration Tool Set (mar 2000) Read online Développez un outil de sécurité NT avec ADSI et WSH (sep 1999) Download the PDF Authentification par certificats X.509 avec IIS (mar 1999) Download the PDF 10 mesures pour améliorer l'efficacité de Microsoft Proxy Server 2.0 (dec 1998) Download the PDF Administrez vos comptes utilisateurs NT à distance avec ASP et ADSI (nov 1998) Download the PDF Programmez ! Programmez ! is a French monthly newspaper dedicated to development. A special issue was dealing with security, so I published a series of 3 articles about Windows NT 4.0 and Windows 2000 security: Windows NT 4.0 and Windows 2000 Security, part 1 (dec 2000) Download the PDF Windows NT 4.0 and Windows 2000 Security, part 2 (jan 2001) Download the PDF Windows NT 4.0 and Windows 2000 Security, part 3 (feb 2001) Download the PDF Online Some articles (both on the same subjects as above and on new ones) have been published online on the Edelweb Web site: Hardening Windows 2000 (French) The Microsoft Security Configuration Tool Set (MCTS) (French) Books Windows 2000 Security: Step-by-Step (English, 2001) This book was published by the SANS Institute and is the result of a collaborative work with some security experts. The SANS Institute (System Administration, Networking, and Security) is a cooperative research and education organization through which a great number of system administrators, security professionals, and network administrators share the lessons they are learning and find solutions to the challenges they face. I cannot make this book available online, but you can buy it and download a PDF version on the SANS Store Web site (note that I do not get any money for it). ResEdit (French, 1996) This book presents the principles and the advantages of Macintosh resources, then shows a great numbers of hacks made possible by ResEdit, the most powerful tool to play with resources. Writen in 1995, it still remains useful since the Macintosh System still uses the kind of resources that are studied in this book. You may be able to download a PDF version of this book manuscript here one day or the other. Trainings and Courses Some of the security trainings I gave (CELAR, Forum des Compétences, ...) cannot be made public. Some other courses (DESS Sécurité de l'Information de Limoges, ENSIMAG de Grenoble, ENST, ...) could be made available. Check also the CEA summer school 2004. Committees Member of the Organization Committee of JIP 2004 (Journées d’Informatique Pratique) in Tunisia. Member of the Program Committee of SSTIC (IT and Communications Security Symposium) in 2003 and 2004 in France. Security advisories I stopped to publish security advisories for the moment (lack of time... and new laws !). Here is an old one that is still worth reading, because the vulnerability has not been patched by Microsoft yet: - IIS vulnerability: IIS 4.0 and 5.x metabase can reveal plaintext passwords