Simon Petitjean

This lightning talk will develop the context and reasons that led to the discovery and disclosure of vulnerabilities in an Electric Vehicle Smart Charging Point (CVE-2024-5313 and CVE-2024-8070).
We will discover a specific product, how it works, how it is supposed to be provisioned and some mistakes that were made that enabled the speaker to elevate his privileges.

Considérées par le législateur européen comme critiques ou hautement critiques par les services qu’elles rendent, les entités publiques devront prochainement se conformer à la directive NIS2 sur la sécurité des réseaux et des systèmes d’information. De plus en plus régulièrement victimes d’actions malveillantes, elles traitent pourtant la cybersécurité en parent pauvre de leur transformation digitale. Maxime Pallez et Simon Petitjean, Cybersecurity Directors chez PwC Luxembourg, décortiquent la… Voir plus

Considérées par le législateur européen comme critiques ou hautement critiques par les services qu’elles rendent, les entités publiques devront prochainement se conformer à la directive NIS2 sur la sécurité des réseaux et des systèmes d’information. De plus en plus régulièrement victimes d’actions malveillantes, elles traitent pourtant la cybersécurité en parent pauvre de leur transformation digitale. Maxime Pallez et Simon Petitjean, Cybersecurity Directors chez PwC Luxembourg, décortiquent la situation et leur livrent quelques conseils pour renforcer leurs défenses. Voir moins

Cleartext Storage of Sensitive Information vulnerability exists that exposes test credentials in the firmware binary.
Impacts EVlink Home Smart (All versions prior to 2.0.6.0.0) and Schneider Charge (All versions prior to 1.13.4).

CVSS v3.1 Base Score 8.5 | High

Vulnerability implied by the existence of a non-disabled SSH interface in its EVlink Home Smart charging station (EV charging stations for the residential market).

Impacts EVlink Home Smart (v2.0.4.1.2_131, v2.0.3.8.2_128)

Risk to expose an SSH network interface on the local area network of the homeowner, which could result in
increasing the exposure to potential network scanning or reconnaissance activities from malicious users.

CVSS v3.1 Base Score 6.5 | Medium

As the 2024 PwC Cybersecurity & Privacy Day approaches, the focus on the AI paradox takes center stage. In an exclusive interview, Simon Petitjean, Cybersecurity Director at PwC Luxembourg, delves into the theme of the event and unravels the intricate balance between innovation and security in the realm of cybersecurity.

Chief Data Officers (CDO) and Chief Information Security Officers (CISO), it's time to join forces! Discover the value of the collaboration of these two roles for your business and why you should have a robust data governance framework.

Launched in 2019 by the European Commission, the European Cybersecurity Certification Scheme (EUCS) for Cloud Services will apply to all cloud services: IaaS, PaaS, SaaS, XaaS. Scheduled for 2024, the scheme still raises uncertainties and questions. Will organisations be able to comply in time?

For Simon Petitjean (Cybersecurity Director, Offensive Security & Red Team Leader) and Xavier Roch Lhotellier (Consulting Director & Customer Transformation Leader), awareness of the importance of… Voir plus

Launched in 2019 by the European Commission, the European Cybersecurity Certification Scheme (EUCS) for Cloud Services will apply to all cloud services: IaaS, PaaS, SaaS, XaaS. Scheduled for 2024, the scheme still raises uncertainties and questions. Will organisations be able to comply in time?

For Simon Petitjean (Cybersecurity Director, Offensive Security & Red Team Leader) and Xavier Roch Lhotellier (Consulting Director & Customer Transformation Leader), awareness of the importance of the sovereign cloud is gradually emerging among enterprises, but there is still a lot of work to be done to raise awareness.

“This would accelerate the momentum on this sensitive issue and offer a new horizon, that of a sovereign digital ecosystem, to European hosting companies in the face of the strong domination of American hyperscalers,” they explain. Voir moins

In this episode, we talk about cloud security with Quentin Bechoux, Cloud Transformation Manager, and Simon Petitjean, Cybersecurity Director, at PwC Luxembourg.

More precisely, we dive into the European Cybersecurity Certification Scheme for Cloud Services (EUCS), how to manage the security aspect of the cloud adoption journey, and how to ensure the security of data in the public cloud.

We begin a new season of TechTalk with a series of episodes about Critical Infrastructure protection —a hot topic that should be on the minds of each one of us.
The regrettable events we are living through, particularly the war in Ukraine, as well as recent high-profile cyber-attacks on the energy industry, are putting critical infrastructure security in the spotlight.

To give us the details about this timely matter, we invited Simon Petitjean, Cybersecurity Director and Offensive… Voir plus

We begin a new season of TechTalk with a series of episodes about Critical Infrastructure protection —a hot topic that should be on the minds of each one of us.
The regrettable events we are living through, particularly the war in Ukraine, as well as recent high-profile cyber-attacks on the energy industry, are putting critical infrastructure security in the spotlight.

To give us the details about this timely matter, we invited Simon Petitjean, Cybersecurity Director and Offensive Security & Red Team Leader, and Maxime Pallez, Cybersecurity Senior Manager, who focuses on security governance at PwC Luxembourg. Voir moins

How will DORA facilitate information and intelligence sharing?

This session is intended for Executive Management concerned about their organisation’s ICT and cyber risk exposure, and individuals working in Risk, Compliance, Internal Audit, Information Security, Operations, as well as other professionals responsible for responding to and managing incidents or who form part of the ICT and/or cyber security function.

Very often, we hear on the news about a cyber-attack, where malicious hackers worked to disable a security system to either take it down or to steal information, usually to get a ransom.

But hacking isn't only about illegal activities. In this episode of TechTalk, Luis and Carla talk with Simon Petitjean, Offensive Security & Red Team Leader at PwC Luxembourg, about "the good type of hacking" - the ethical one. And who’s better placed to tell us about it than an ethical hacker himself?

Virtual Desktop Infrastructure hosts users’ desktop environments on remote servers which are accessed over a network using a remote display protocol from specific client software or hardware such as Thin-client or Zero-client. We encountered such solutions during pentests in high-security networks. Moreover, we had the opportunity to study one specific commercial implementation: we identified and exploited several flaws that allow taking over the whole infrastructure. We’ve had some fun hacking… Voir plus

Virtual Desktop Infrastructure hosts users’ desktop environments on remote servers which are accessed over a network using a remote display protocol from specific client software or hardware such as Thin-client or Zero-client. We encountered such solutions during pentests in high-security networks. Moreover, we had the opportunity to study one specific commercial implementation: we identified and exploited several flaws that allow taking over the whole infrastructure. We’ve had some fun hacking this technology so we would like to share our experience by explaining our findings and giving tips to mitigate the critical vulnerabilities we found. Voir moins

After few Google queries, it’s not a big deal to find a lot of conferences or talks dealing with SAP security. In the same way, finding tools to exploit the known vulnerabilities has become easier. My approach is different: as a professional security consultant, the first questions you should ask yourself when you arrive at a client is:
• Are there some SAP servers somewhere? If yes, where?
• Can we get their exact configuration? How to gather information?
• What vulnerability can we… Voir plus

After few Google queries, it’s not a big deal to find a lot of conferences or talks dealing with SAP security. In the same way, finding tools to exploit the known vulnerabilities has become easier. My approach is different: as a professional security consultant, the first questions you should ask yourself when you arrive at a client is:
• Are there some SAP servers somewhere? If yes, where?
• Can we get their exact configuration? How to gather information?
• What vulnerability can we exploit to do this fast and efficiently?
These questions must be answered correctly, quickly and with the less efforts possible. I proposed my own approach and gave some examples with a “handmade” tiny but efficient tool.
A vulnerability in one of SAP’s components was explained and demonstrated. Voir moins