Eugen Saraci

  • Penetration Tester
  • Vicenza, Italy

Summary

As a Penetration Tester and Cybersecurity Consultant, my work revolves around diving deep into the world of security, exploring everything from web and network penetration testing to assessing cloud environments. What really sets me apart is my knack for breaking down complex security findings into understandable insights, making sure everyone from tech teams to top execs gets the full picture.


Experience

Penetration Tester, Cybersecurity Consultant

  • Spike Reply | April 2021 - April 2024

Penetration Tester: I perform penetration tests on web applications and infrastructures, and I handle tasks such as configuration reviews and firewall rule analysis. I have the chance to attack a different target every week, which has allowed me to see several kinds of targets and technologies, continuously extending my knowledge. I have also done security assessments on cloud environments and I have also had the opportunity to write the security guidelines for Docker and Kubernetes for a big client of ours. Less often, I have carried out penetration testing activities on Android applications.

Senior Cybersecurity Consultant: I work as a consultant for enterprise clients in the telco, banking, insurance, and automotive industries. My work is mostly technical, but at the end of each pentest activity, I write a technical report that is aimed both at developers and exec-level staff; this sometimes includes a presentation where I explain the results using simple but clear slideshows. Occasionally, I handle the initial part of the engagement, having meetings with the stakeholders and making sure that everything is set and ready before the penetration tests start.

Extra: I am a member of the Keen Minds team, the group of people that designs and manages the Reply Cybersecurity Challenge. In the last two editions of the challenge, I designed the CRYPTO500 and WEB400 challenges.

Backend Software Engineer

  • ISNG S.r.l. | October 2020 - March 2021
  • Backend Software Engineer: I developed from scratch the backend of a web application that is currently deployed in RFID-powered SelfCheck systems in libraries around Italy. The backend acts as a central dispatcher for communication among multiple actors: the frontend (RESTful API and websockets), the RFID reader (SOAP), the SIP2 server (TCP sockets), and the printer (OS library).

    I also developed SipTo, a Python client for SIP2 servers that is now being used internally by ISNG S.r.l.


    Skills

    Certifications

    Languages

    • Italian (Native)
    • English (Advanced)

    Technical Skills

    • Network Security Advanced
      • Proficient in identifying and exploiting vulnerabilities in network infrastructures, using tools like Nmap, Nessus, and Wireshark.
    • Web Application Security Advanced
      • In-depth knowledge of common web application vulnerabilities (e.g., SQLi, XSS, CSRF), with skills in manual and automated testing using Burp Suite.
    • Operating Systems Intermediate
      • Proficient in Windows and Unix environments with the ability to exploit privilege escalation vulnerabilities specific to each operating system.
    • Cloud Configuration Reviews Intermediate
      • Experience in reviewing and securing cloud configurations in AWS and GCP, following CIS benchmarks for cloud security.
    • Wi-Fi Security Intermediate
      • Understanding of Wi-Fi security protocols, attack vectors, and practical experience in securing wireless networks using suites like Aircrack-ng for assessments.
    • Active Directory Security Intermediate
      • In-depth understanding of Active Directory architecture and components, and proficient in exploiting and securing environments using tools like BloodHound and Mimikatz.
    • Mobile Security Beginner
      • Basic understanding of mobile application security (exclusively Android), employing tools such as MobSF or Frida for testing.
    • DevSecOps Beginner
      • Exploring and studying DevSecOps practices with a foundation in security principles. Acquiring knowledge of integrating security into the development and operations lifecycle.
    • Reverse Engineering and Binary Exploitation Beginner
      • Novice-level understanding of binary exploitation techniques and reverse engineering, exploring tools like GDB, Binary Ninja, Ghidra, and dnSpy.

    Management Skills

    • Presentation, Communication, and Security Reporting Advanced
      • Skilled in delivering presentations to diverse audiences and communicating findings, risks, and recommendations effectively. Expertise in preparing detailed penetration testing reports.
    • Project Management Beginner
      • Proficient in project management for penetration testing engagements, ensuring all requirements are met, timelines are adhered to, and resources are efficiently utilized.

    Soft Skills

    As a fully remote penetration tester, I possess a blend of interpersonal skills vital for effective remote collaboration and security analysis.

    • Autonomy: Proficient in working independently without the need for constant supervision.
    • Effective Communication: Skilled in articulating complex security concepts to diverse audiences.
    • Creative Problem-Solving: Persistent and innovative in overcoming security challenges.
    • Team Collaboration: Proficient at working with global teams and sharing knowledge.
    • Adaptability: Agile in adapting to new tools and cybersecurity trends.
    • Attention to Detail: Meticulous in identifying subtle vulnerabilities in complex systems.
    • Client Focus: Committed to understanding and fulfilling client security needs.

    Education

    Master's Degree in Computer Science

    Università degli Studi di Padova | October 2017 - September 2020

    I attended mostly courses from the areas of Artificial Intelligence and Reliable Systems, where I focused on courses about AI, ML, Deep Learning, Information Retrieval, Computer Vision, Data Mining, Digital Forensics, Real-Time Systems, Distributed Systems, and Computer and Network Security.

    Thesis: PIN Inference on a Covered Hand Scenario: a Computer Vision Approach
    Abstract: A novel attack that exploits the power of Convolutional Neural Networks (CNNs) to retrieve the victims' PIN just by looking at the movements of their covered hand when typing on an ATM pinpad, with a success rate of 1 PIN out of 3, in a user-independent scenario, when given only 3 attempts.
    Extra: A significant extension of this work was later published at USENIX Security 22, and an article was written on Wired! Italia.

    Download Thesis PDF (English - 8,297 KB)

    Bachelor's Degree in Computer Science

    Università degli Studi di Padova | October 2013 - July 2017

    Thesis: Project Projector: Never Mind the Bullets
    Summary: A timing side-channel attack that exploits the power of machine learning to predict consecutive keys based on inter-keystroke timing. The timing information is extracted from videos where the password characters are obfuscated (e.g., by using a masking character such as •). With respect to the bruteforce approach, this technique reduces the number of attempts needed to find a password by 6 orders of magnitude.
    Extra: A significant extension of this work was later published at ESORICS 18.

    Download Thesis PDF (Italian - 1,572 KB)


    Publications

    Academic Papers

    [P3][arXiv] Cardaioli, Matteo, et al. "Hand Me Your PIN! Inferring ATM PINs of Users Typing with a Covered Hand." 31st USENIX Security Symposium (USENIX Security 22). 2022.

    [P2][arXiv] Balagani, Kiran, et al. "Pilot: Password and pin information leakage from obfuscated typing videos." Journal of Computer Security 27.4 (2019): 405-425.

    [P1] Balagani, Kiran S., et al. "Silk-tv: Secret information leakage from keystroke timing videos." European Symposium on Research in Computer Security. Springer, Cham, 2018.