AppSec Israel 2014 Presentations - Revision history

Avi Douglen at 22:43, 16 September 2014

2014-09-16T22:43:37Z

Avi Douglen at 00:03, 12 September 2014

2014-09-12T00:03:12Z

Avi Douglen at 23:48, 9 September 2014

2014-09-09T23:48:57Z

Avi Douglen: Added most presentations

2014-09-09T08:12:59Z

Added most presentations

Avi Douglen at 10:39, 4 September 2014

2014-09-04T10:39:19Z

Avi Douglen: Swapped Lacoon speakers

2014-08-31T21:52:27Z

Swapped Lacoon speakers

Avi Douglen: updated Tomer's title

2014-08-28T09:35:18Z

updated Tomer's title

Avi Douglen at 09:44, 27 August 2014

2014-08-27T09:44:00Z

Avi Douglen: Keynotes

2014-08-27T09:22:00Z

Keynotes

Avi Douglen at 22:55, 26 August 2014

2014-08-26T22:55:57Z

@@ Line 253: / Line 253: @@
 === Manipulating the Manipulator: Destroying browser-based memory corruption exploits ===
-''''' Tomer Teller, Security Innovations Research Manager, Check Point '''''
+''''' Tomer Teller, Security Innovations Research Manager, Check Point '''''     <br />
 Browser exploitation is the leading cause for the spread of malware across the web. As a result, endpoint-based exploit mitigation technologies were developed to increase the difficulty in these types of exploitations.

@@ Line 26: / Line 26: @@
 === InfoSec Natural Selection - Measuring the VALUE of Security Products ===
-''''' Shay Chen, Researcher, Consultant and Analyst  '''''
+''''' Shay Chen, Researcher, Consultant and Analyst  '''''    <br />
 It should have been easier to make intelligent choices in 2014, deciding what's right and what's wrong, weeding out the useless from the useful.
@@ Line 85: / Line 86: @@
 === Warning Ahead: Security Storms are Brewing in Your JavaScript  ===
-''''' Maty Siman, CTO and Founder, Checkmarx  '''''
+''''' Maty Siman, CTO and Founder, Checkmarx  '''''        <br />
 JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language?
@@ Line 299: / Line 301: @@
 Our research proposes a way to combine both techniques and improve the analysis results. This work was my M.Sc. thesis at the IDC under the supervision of Dr. David Movshovitz.
 <br>

@@ Line 126: / Line 126: @@
 === Passwords, Rehashed All Over Again  ===
-''''' Avi Douglen, Security Research Lead, SourceClear  '''''
+''''' Avi Douglen, Security Research Lead, SourceClear  '''''      <br />
 Passwords suck.

@@ Line 3: / Line 3: @@
 === Opening Keynote: Steering a Battleship to a Secure Path – Bringing the product security message to HP Software ===
-''''' Tomer Gershoni, Chief Products Security Officer, HP Software '''''
+''''' Tomer Gershoni, Chief Products Security Officer, HP Software '''''      <br />
 Can we actually make a security mindset change in an enterprise company where business comes first?
@@ Line 56: / Line 57: @@
 = Track 1 (Ivcher Auditorium) =
 === My Preciousss… Holding on to Your Sensitive Data  ===
-''''' Ofer Maor, CTO, Quotium  '''''
+''''' Ofer Maor, CTO, Quotium  '''''      <br />
 Everybody's spending a lot of energy on application security, and yet every once and then someone gets hacked. It's not easy to stay ahead. Applications need to be ultra-secure from a long line of suspicious malware and marauding hackers, yet hackers only need to find one way in. But Hackers are now looking for profit, they do not care about code security or how many vulnerabilities there are (or got fixed). Their aim is to steal sensitive user data, and if this data would be secured, other vulnerabilities may become a lot less worrying.
@@ Line 106: / Line 107: @@
 === A Journey To Protect Points-of-Sale  ===
-''''' Nir Valtman, Enterprise Security Architect, NCR  '''''
+''''' Nir Valtman, Enterprise Security Architect, NCR  '''''      <br />
-Many point-of-sale breaches occurred in the past year and many organizations are still vulnerable against the simplest exploits. In this presentation, I explain about how points-of-sale get compromised from both retailer’s and software-vendor’s perspective. One of the most common threats is memory scraping, which is a difficult issue to solve. Hence, I would like to share with you a demonstration of how it works and what can be done in order to minimize this threat. During this presentation, I will explain the long journey took me to understand how to mitigate it, while walking through the concepts (not exposing vendor names) that don’t work.
+Link to the memory scraping tool used in the demonstration: http://securitytools.github.io/MemoryScraper/
 <br>
@@ Line 149: / Line 153: @@
 === Getting New Actionable Insights by Analyzing WAF Triggers  ===
-''''' Or Katz, Principal Security Researcher, Akamai  '''''
+''''' Or Katz, Principal Security Researcher, Akamai  '''''      <br />
 In this presentation I will show an advanced technique for post processing of ModSecurity Core Rule Set WAF triggers in order to generate actionable defenses that are derived from WAF triggers. The objective of this post processing is to improve security controls. Based on the collected malicious HTTP traffic we can produce new insights on our attackers and the techniques they use and as a result we can harden defenses that will improve our mitigations. The presentation will include detailed description of several techniques with case studies based on real traffic from Akamai's security big data platform (Cloud Security Intelligence).
@@ Line 165: / Line 170: @@
 === The Bank Job - Mobile Edition. Remote Exploitation of the Cordova Framework for Android  ===
 ''''' David Kaplan, Security Researcher, IBM Security Systems  ''''' <br/>
-''''' Roee Hay, Application Security Research Team Leader, IBM Security Systems  ''''' <br/>
+''''' Roee Hay, Application Security Research Team Leader, IBM Security Systems  '''''   <br />
 Apache Cordova is a popular cross-platform framework for mobile development. In this talk we present a series of vulnerabilities which we found in the framework for Android. These vulnerabilities enable a remote drive-by download attack against many Cordova-based applications and, as the framework is used in over 10% of all finance applications on the Android platform, your bank could be at risk!
@@ Line 204: / Line 210: @@
 === Dynamic Analysis of Android Apps: Attacking Apps From The Inside ===
-''''' Erez Metula, Application Security Expert. Author of the book "Managed Code Rootkits". Founder, AppSec Labs  '''''
+''''' Erez Metula, Application Security Expert. Author of the book "Managed Code Rootkits". Founder, AppSec Labs  '''''      <br />
 Dynamic analysis of android apps is all about analyzing apps in real time, for the purpose of detecting application level vulnerabilities and for the sake of manipulating applications while they execute.  It is often used as a last resort due to its complexity, when other pentesting techniques mainly focused on static analysis are not enough.  Common usages of dynamic analysis are extraction of sensitive data from application memory variables, stealing encryption keys, manipulating signature mechanisms and so on.
@@ Line 222: / Line 229: @@
 === Mobile Security Attacks: A Glimpse From the Trenches  ===
 ''''' Yair Amit, CTO & Co-Founder, Skycure  '''''    <br/>
-''''' Adi Sharabani, CEO & Co-Founder, Skycure  '''''    <br/>
+''''' Adi Sharabani, CEO & Co-Founder, Skycure  '''''    <br />
 Hackers today apply covert and persistent techniques to attack mobile devices. Attend this presentation to learn about the latest threats on mobile devices from the team who uncovered iOS malicious profiles and HTTP Request Hijacking. We will describe and demonstrate emerging mobile security threats: from physical, through network and up to application level. Hold on to your seats as we expose examples, statistics and insights about real-world attacks on mobile-devices around the world.
@@ Line 266: / Line 274: @@
 === The (In)Security of AngularJS and MongoDB ===
-''''' Israel Chorzevski, Tech Leader, AppSec Labs  '''''
+''''' Israel Chorzevski, Tech Leader, AppSec Labs  '''''      <br />
 AngularJS and MongoDB are new technologies which are becoming common in more and more websites. During the lecture we will briefly review the technology, we will learn about new vulnerabilities which are relevant for them, we’ll see how a secure website becomes insecure simply by including an AngularJS library, and how to perform SQL Injection in No SQL database.
@@ Line 282: / Line 291: @@
 === Static Analysis Improved Fuzzing  ===
-''''' Moti Cohen, IDC  '''''
+''''' Moti Cohen, IDC  '''''      <br />
 <br>
 <u>Speaker Bio</u>
-years programmer and team leader at IDF
+Moti is a graduate of the IDC's M.Sc. in Computer Science program. In addition, he has a rich background in cyber security and software engineering.
 <br>

@@ Line 144: / Line 144: @@
 <br>
-<u>Technical Level:</u> Intermediate / Advanced
+<u>Technical Level:</u> Intermediate
 <br>

@@ Line 186: / Line 186: @@
 === Practical Attacks against MDM Solutions  ===
-''''' Ohad Bobrov, CTO, Lacoon Mobile Security  '''''
+''''' Shai Yanovski, Security Product Manager, Lacoon Mobile Security  '''''
 Mobile Remote Access Trojans (mRATs) are surveillance tools surreptitiously planted on a user’s handheld device. While malicious mobile applications– mainly phone fraud applications distributed through common application channels - target the typical consumer, mRATs are the tool for the dedicated attacker. Why? Once installed, the software stealthy gathers information such as text messages (SMS), geo-location information, emails and even surround-recordings.
@@ Line 194: / Line 194: @@
 <u>Speaker Bio</u>
-Ohad Bobrov is CTO and co-founder of Lacoon Mobile Security. With more than 15 years of experience in the mobile and networking industries, Ohad passionately leads the research, engineering, technology and product development of the company. Prior to Lacoon, Ohad founded and led the mobile mass networking solution department at NICE Systems, receiving multiple Excellence awards for his work. Prior to NICE, he spent seven years in the Israeli Defense Force. Ohad holds a BSc, magna cum laude, from the Open University of Israel in Computer Sciences and an MBA from Tel-Aviv University.
+Shai is the security product manager in Lacoon Mobile security.
 <br>

@@ Line 7: / Line 7: @@
 Can we actually make a security mindset change in an enterprise company where business comes first?
-What is the efficient way to establish a product security team in a de-centralized organization, scattered around the globe with thousands of employees.
+What is the efficient way to establish a product security team in a de-centralized organization, scattered around the globe with thousands of employees?
 Where to start, who to work with? How to measure success and what is the management really interested in?
@@ Line 13: / Line 13: @@
 The Security & Trust office was established 18 months ago in HP SW. a new concept of product security was established with never ending challenges.
-In the session ill describe the journey we embarked on and focus on how security success is measured in a multi-billion company and how can we achieve real security revenue.
+In the session I will describe the journey we embarked on, and focus on how security success is measured in a multi-billion dollar company - and how can we achieve real security revenue.
 <br>

@@ Line 1: / Line 1: @@
 = Track 1 (Ivcher Auditorium) =
@@ Line 242: / Line 297: @@
 <br>
 <u>Technical Level:</u> Advanced
 <br>

@@ Line 251: / Line 251: @@
 It should have been easier to make intelligent choices in 2014, deciding what's right and what's wrong, weeding out the useless from the useful.
 However, in reality, the storm of marketing claims, the endless list of trends, and the sheer number of choices caused the exact opposite.
 Would you buy a car you can't drive? Would you pay an ISP that doesn't provide you any internet services?  Many of us do just that when choosing infosec products.
 Furthermore, during infosec product evaluations, the evaluating entity often ignores key aspects that can get him into a WHOLE LOT OF TROUBLE, whether he'll be a CISO, system operator, integrator or pen-tester.
 Some aspects may simply prevent the products from working, while some features in these products, if improperly implemented by the vendor or misused by the user, can cause severe damage to the target organizations, and as a consequence, make the user / vendor accountable, and may even lead to lawsuits.
 The presentation will focus on key aspects that the consumer/user should assess prior to selecting information security products (IDS/IPS, WAF, Monitoring Products) or security assessment products (Scanners, Source Code Analysis Tools, Exploitation Suites).
@@ Line 261: / Line 266: @@
 Shay Chen is a researcher, consultant and analyst, focused on evaluating products and services in the information security industry.
 He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
 As the author of the ""WAVSEP"" he was involved in the publication of several large-scale researches in the field of automated security scanners, including multiple benchmarks published throughout 2010-2014.
 Shay is an experienced speaker, has been instructing a variety of information security courses for the past 9 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.