This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "AppSec Israel 2015 Presentations"

From OWASP
Jump to: navigation, search
m
(Cross-Site Search Attacks)
 
(27 intermediate revisions by the same user not shown)
Line 1: Line 1:
  
=== Certifi-gate - Front Door Access to Pwning hundreds of Millions of Androids Devices - the aftermath. ===
+
Here are the full descriptions of the talks at [[AppSec_Israel_2015|AppSec Israel 2015]], and the biographies for each of the speakers. 
''''' Yanovski Shai, Security Product Manager @ Check Point '''''   <br />
+
 
Hundreds of millions of Android devices, including those running Lollipop, the latest and most secure version of Android OS, can be hijacked. A comprehensive study has revealed the existence of multiple instances of a fundamental flaw within the Android customisation chain that leave millions of devices (and users) vulnerable to attack.
+
The [https://appsecil2015.sched.org/ full schedule can be found and subscribed here].
 +
 
 +
 
 +
= Keynote - Main Auditorium =
 +
 
 +
=== Keynote: The Rebellious Teenage Years: 15 years of Web Security  ===
 +
''''' Jeremiah Grossman, Founder, WhiteHat Security '''''     <br />  
 +
([[Media:AppSecIL2015_Keynote_Jeremiah_Grossman.pptx|download presentation]])
  
These vulnerabilities allow an attacker to take advantage of unsecure apps certified by OEMs and carriers to gain unfettered access to any device, including screen scraping, key logging, private information exfiltration, back door app installation, and more. In this session, Lacoon researchers will walk through the technical root cause of these responsibly-disclosed vulnerabilities including hash collisions, IPC abuse and certificate forging which allow an attacker to grant their malware complete control of a victims device. We'll explain why these vulnerabilities are a serious problem that in some ways can't be completely eliminated, show how attackers exploit them, demonstrate an exploit against a live device, and provide remediation advice.
+
It's been 15 years of Web Security. Jeremiah will discuss where we’ve been, where we are, and where we’re going.  
  
 
<br>
 
<br>
 
<u>Speaker Bio</u>  
 
<u>Speaker Bio</u>  
  
TBD
+
Innovator. Inventor. Protector of the Web. Jeremiah Grossman is the founder of WhiteHat Security. 
  
 +
Jeremiah possesses a unique combination of technology savvy, customer advocacy and personal passion to lead WhiteHat into the future. A world-renowned web security expert, sought-after speaker and influential blogger, Jeremiah brings a literal lifetime of information security experience, both homegrown and from his days as Yahoo!’s information security engineer. The ultimate “WhiteHat,” Jeremiah is also founder of the Web Application Security Consortium and the mind behind Aviator, WhiteHat’s next generation secure web browser. In his spare time, Jeremiah practices Brazilian Jiu jitsu and has earned a black belt.
 
<br>
 
<br>
<u>Technical Level:</u> Intermediate / Advanced
+
<br/><u>Language:</u> English
<br/><u>Language:</u> Hebrew
+
<br/>
 +
 
 +
= Track 1 - Main Auditorium =
 +
 
 +
=== Internet of Things (IOT) Insecurity ===
 +
''''' Erez Metula, Application Security Expert and Chairman, AppSec Labs '''''    <br />
 +
''''' Israel Chorzevski, CTO, AppSec Labs '''''    <br />
 +
([[Media:AppSecIL2015_IoT-Insecurity_ErezMetula-IsraelChorzevski.pdf|download presentation]])
 +
 
 +
During this talk we're going to discuss the security of the so called internet-of-things (IOT),and have a better understanding of what it's all about. This talk will give a broad overview of  IOT , the major vulnerabilities that are out there, challenges that exist in securing the things , and what we as security people can do about it.
 +
 
 +
If you'd ever heard the IOT buzzword, and you want to know what it's all about, this talk is for you.
 +
 
 
<br>
 
<br>
 +
<u>Speaker Bio</u>
  
=== Creating the Right Process to Manage Open Source in the Post-Heartbleed Era ===
+
Erez Metula is the founder and Chairman of AppSec Labs, a leading company in the field of application security.
''יצירת התהליך הנכון לניהול קוד פתוח בעידן פוסט-Heartbleed'' <br/>
+
He is the author of the book Managed Code Rootkits, and is a world renowned application security expert.
''''' Jeff Luszcz, Palamida, Founder and CTO '''''    <br />
+
Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. Erez had helped companies from all sizes, from startups to fortune 500 organizations.
''''' Greg Kelton, MD, Palamida EMEA '''''    <br />
+
Erez focuses on advanced application security topics and has performed extensive ground breaking research on mobile application security.
Most software projects are composed of at least 50% Open Source Software (OSS) – with as much as 99% undocumented – leaving your applications vulnerable to security risks. With vulnerabilities such as Heartbleed, Shellshock and POODLE affecting millions, implementing an Open Source Management Strategy has never been more crucial.
+
Erez holds an MSc in computer science and he is CISSP.
  
Attaining more visibility into your company’s OSS portfolio to quickly identify what OSS components you have and where they are in your code, may effectively eliminate potential vulnerabilities. Not sure where to start? No worries, we’ll discuss best practices for developing and implementing an Open Source Management Strategy, and how to get developer buy-in.
+
<br>
 +
<u>Speaker Bio</u>
  
Key Topics Discussed:
+
There are people that do security research for a living, and there are people who do it on their own time. Israel Chorzevski does both... he is publically known for his lectures and professional trainings. 
  
* Heartbleed demonstrated that the typical software company does not know what open source it is using and where it is found
+
In addition to research, he is involved in a number of hacking projects, such as AppUse (Android Testing Platform) and other tools which have and are being developed in AppSec Labs as a part of his position as CTO of the company.
  
* Open Source appears in many forms from source to binary in a codebase
+
<br>
 +
<u>Technical Level:</u> Introduction
 +
<br/><u>Language:</u> Hebrew
 +
<br>
  
* Why traditional static analysis tools are not sufficient for finding or managing vulnerabilities related to open source component usage
+
=== The Node.js Highway: Attacks are at Full Throttle  ===
 +
''''' Helen Bravo, Product Management Director at Checkmarx '''''    <br />
 +
([[Media:AppSecIL2015_NodeJS-Attacks_HelenBravo.pptx|download presentation]])
 +
 
 +
The popularity of the Node.js coding language is soaring. Just five years after its debut, the language’s framework now boasts more 2 million downloads a month. It’s easy to understand why. This event-driven language kept the simplicity of existing Web concepts and trashed the complexities; applications built on Node.js do not require a dedicated Web server to run; and Google is even pushing the language with its enhanced V8 engine for the Google Chrome Web browser. In fact, just consider Node.js as the drive-and-go language.
 +
But before accelerating too quickly, it is important to understand the power – and corresponding mishaps – of this language. 
  
* Companies are not doing enough to educate the developers and managers about open source.
+
We’ll delve under-the-hood of the language’s engine and present our 6-month research into the Node.js language. In particular, we reveal new attack techniques against applications built on top of this language. This part of the talk includes demonstrations to engage the audience. 
 +
 
 +
Attacks include: 
 +
 
 +
* Application-layer DDoS attacks. With just 4(!) requests, a server is brought to its knees, effectively denying services from all users of the Node.js application.
 +
* Password exposure attacks. Leveraging the “Forgot My Password” feature of applications based on Node.js in order to reveal the passwords of all users of the application.
 +
* Business logic attacks. Running malicious code on all machines of users of the applications when exploiting a weak business feature due to the language’s inherent coupling of the application and the server it runs on.
 +
This talk is not intended to put the brakes on Node.js. On the contrary, this talk’s aim is to raise awareness to its security issues during application development.  
  
 
<br>
 
<br>
 
<u>Speaker Bio</u>  
 
<u>Speaker Bio</u>  
  
Jeff Luszcz is the Founder and CTO of Palamida, a leading provider of Open Source discovery and vulnerability management tools. Since starting Palamida in 2004 he has helped hundreds of software companies understand how to best use open source while complying with their license obligations and keeping on top of security issues.
+
Helen has more than eighteen years of experience in software development, IT security and source-code analysis.
 +
Prior to working at Checkmarx, Helen has worked in Comverse one of the biggest Israeli Hi-tech firms as a software engineer and product manager for security matters.
 +
Helen holds a B.A. in Economics and Business Administration from the Israeli University of Haifa and started her development career at the age of 11.  
  
He leads the professional services team responsible for open source compliance and security audits. His team has performed reviews for some of the largest mergers and acquisitions in the technology industry.
+
<br>
 +
<u>Technical Level:</u> Intermediate
 +
<br/><u>Language:</u> English
 +
<br>
  
He spent six years as a software engineer at NASA Ames Research Center where he implemented software for simulation and visualization of flat panel display technology and their related human factors. Throughout his career, he has been active in the Java, Macintosh and Open Source software communities. Jeff is also the author of several well-known Macintosh software utilities and has served as a technical editor for Wrox Press. He received his B.S. from Cornell University School of Operations Research and Industrial Engineering.
+
=== Security Automation in the Agile SDLC - Real World Cases ===
 +
''''' Ofer Maor, Director of Security Strategy, Synopsys '''''    <br />
 +
How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic - There's an endless feed of Buzzwords, but how can we turn this into a practice that really works? In this session we will review real world examples of building a successful automation process for delivery of secure software in fast paced development environments.
  
<br>  
+
<br>
 
<u>Speaker Bio</u>  
 
<u>Speaker Bio</u>  
  
Greg Kelton leads Palamida’s efforts in EMEA with customers including Software AG, Airbus, Rovio, Jaguar Land Rover. Previously, Greg launched several European software divisions including Coremetrics (now IBM), Optimost (now HP), Backbase and ClickTale. Prior to his European efforts, Greg held leadership roles in several US startups with successful exits including Scopus (now Oracle), OEC (Co-founder, now Borland), ATG (now Oracle), and Octane (now Infor). Greg earned his Bachelor of Science degree in Computer Science from Northeastern University and his MBA from Georgetown University.
+
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development
 +
 
 +
As the founder and CTO of Seeker, Ofer pioneered IAST, the next generation of application security testing technology, currently used by some of the largest organizations in the world to continuously improve their software security. Ofer joined Synopsys when it acquired Seeker in July 2015.
 +
 
 +
Prior to Seeker, Ofer was the Founder and CTO of Hacktics. He led Imperva's Application Defense Center research group and has also served as the Chairman of OWASP Israel and in the OWASP Global Membership Committee.  
  
 
<br>
 
<br>
<u>Technical Level:</u> Intermediate / Advanced
+
<u>Technical Level:</u> Advanced
<br/><u>Language:</u> English
+
<br/><u>Language:</u> Hebrew
 
<br>
 
<br>
  
  
=== Cross-Site Search Attacks ===
+
=== The Spy in the Sandbox: Practical Cache Attacks in Javascript and their Implications ===
''''' Hemi Leibowitz, Cyber Security Researcher at Bar Ilan University and a lecturer at the College of Management '''''    <br />
+
'''המרגל בארגז החול: התקפות מטמון ב-Javascript, וההשלכות שלהן''' <br/>
Cross-site search (XS-search) attacks circumvent the same-origin policy and extract sensitive information, by using
+
''''' Yossi Oren, Senior Lecturer at the Department of Information Systems Engineering, Ben Gurion University '''''    <br />
the time it takes for the browser to receive responses to search queries.
+
([[Media:AppSecIL2015_SpyInTheSandbox_YossiOren.pptx|download presentation]])
This side-channel is usually considered impractical, due to the limited attack duration and high variability of delays. This may be true for naive XS-search attacks; however, we show that the use of better tools facilitates effective XS-search attacks, exposing information efficiently and precisely.
+
 
 +
Side channel analysis is a remarkably powerful cryptanalytic technique. It allows attackers to extract secret information hidden inside a secure device, by analyzing the physical signals (e.g., power, heat) that the device emits as it performs a secure computation. While the potency of side-channel attacks is established without question, their application to practical settings is debatable. The main limiting factor to the practicality of side-channel attacks is the problematic attack model they assume; with the exception of network-based timing attacks, most side-channel attacks require the attacker be in “close proximity” to the victim.
  
We present and evaluate three types of tools: (1) appropriate statistical tests, (2) amplification of the timing side-channel, by `inflating' communication or computation, and (3) optimized, tailored divide-and-conquer algorithms, to identify terms from large `dictionaries'.
+
In this work, we challenge this limiting assumption by presenting a successful side-channel attack that assumes a far more relaxed and practical attacker model. In our model, the victim merely has to *access a website* owned by the attacker using his personal computer. Despite this minimal model, we show how the attacker can still launch a side-channel attack in a practical time frame and extract meaningful information from the system under attack. Defending against this attack is possible, but the required countermeasures can exact an impractical cost on benign uses of the browser.
These techniques may be applicable in other scenarios.
 
  
We implemented and evaluated the attacks against the popular Gmail and Bing services, in several environments and ethical experiments, taking careful, IRB-approved measures to avoid exposure of personal information.
+
Joint work with Vasileios P. Kemerlis, Angelos D. Keromytis and Simha Sethumadhavan.
  
 
<br>
 
<br>
 
<u>Speaker Bio</u>  
 
<u>Speaker Bio</u>  
  
Lecturer at the College of Management. Research member of the cyber research at Bar Ilan University. Main interest fields are the security of communication networks and designing robust anonymous communication systems against strong attackers.
+
Yossi Oren is a senior lecturer at the Department of Information Systems Engineering in Ben Gurion University, and a member of BGU's Cyber Security Research Center. Prior to joining BGU, Yossi was a Post-Doctoral Research Scientist in the Network Security Lab at Columbia University in the City of New York and a member of the security lab at Samsung Research Israel. He holds a Ph.D. in Electrical Engineering from Tel-Aviv University, and an M.Sc. in Computer Science from the Weizmann Institute of Science.
 +
 
 +
His research interests include secure hardware (power analysis and other hardware attacks and countermeasures; low-resource cryptographic constructions for lightweight computer) and cryptography in the real world (consumer and voter privacy in the digital era; web application security). He has been an attendee of OWASP IL since 2007.
  
 
<br>
 
<br>
<u>Technical Level:</u> Intermediate
+
<u>Technical Level:</u> Intermediate / Advanced
<br/><u>Language:</u> Hebrew
+
<br/><u>Language:</u> English
 
<br>
 
<br>
  
  
=== From zero to secure in 1 minute ===
+
=== Man in the Cloud Attack  ===
''''' Moshe Ferber, Chairman, Cloud Security Alliance Israel '''''    <br />
+
''' התקפת הברנש בענן ''' <br/>
Companies moving to cloud infrastructure (IaaS) discover that they can do amazing things with the automation of infrastructure tasks. Companies can deploy environments in seconds and do production changes several times a day - but security still holds them down. Many of our security procedures have not adopted to cloud automation and still relay on traditional maintenance windows and manual tasks such as static / dynamic analysis, vulnerability scans, hardening and more. And this is a major obstacle in a world where cloud instance can be installed, configured moved to production and terminate within an hour. So security must to adopt to this new accelerated life cycle and change accordingly. In this presentation, we will demonstrate how to automate creation of instances, generating and safeguarding encryption keys, do configuration management and security scans and automatically process the results and take decisions accordingly. The result is cloud instances that are launched and configured with security requirements in automated way within minutes. Implementing the techniques and tools shown can help organizations to overcome security challenges and make sure that security is not the bottleneck on the way to faster applications deployments.  
+
''''' Sagie Dulce, ADC TL, Imperva '''''    <br />
 +
([[Media:AppSecIL2015_Man-In-The-Cloud_SagieDulce.pptx|download presentation]])
 +
 
 +
File synchronization services, such as GoogleDrive, DropBox and others are becoming widespread, both with private and corporate use. These applications, while offering great convenience to their users, also provide a hacker with ideal platform for C2 infrastructure. Instead of setting up a new C2 server, an attacker simply needs to open a new cloud storage account, or even use the victims account as the platform.
 +
 
 +
In our presentation we will examine how common cloud synchronization services can be used by hackers to steal private and corporate data, remain persistent on infected machines and avoid perimeter detection mechanisms. All of this could be done from the attacker’s laptop, without any exploits and without writing server side code.  
 +
 
 +
Objective: Understand risks & mitigations of MitC attacks
  
 
<br>
 
<br>
 
<u>Speaker Bio</u>  
 
<u>Speaker Bio</u>  
  
Moshe Ferber is world known cloud security industry expert. Involved in shaping the foundations of responsible cloud adoption. He is a major contributor and instructor for the CCSK & CCSP cloud security certifications and involved in many of the working groups that define tomorrow standards and best practices. Mr. Ferber is also a popular industry speaker with numerous appearances worldwide and serves as the chairman for the Israeli chapter of the Cloud Security Alliance.  
+
Security researcher at IDF 8200.  
 +
Researcher and now TL in Imperva's ADC research team.
 +
 
 +
I write in Imperva's security blog and at times respond to press security queries.  
  
 
<br>
 
<br>
Line 93: Line 153:
 
=== Game of Hacks: Play, Hack & Track ===
 
=== Game of Hacks: Play, Hack & Track ===
 
''''' Amit Ashbel, AppSec Strategist at Checkmarx '''''    <br />
 
''''' Amit Ashbel, AppSec Strategist at Checkmarx '''''    <br />
 +
([[Media:AppSecIL2015_Game_of_Hacks_AmitAshbel.pptx|download presentation]])
 +
 
We created “Game of Hacks”– a viral web app marketed as a tool to train developers on secure coding – with the intention of building a honeypot.  Game of Hacks, built using the node.js framework, displays a range of vulnerable code snippets challenging the player to locate the vulnerability. A multiplayer option makes the challenge even more attractive and the leaderboard spices up things when players compete for a seat on the iron throne.  
 
We created “Game of Hacks”– a viral web app marketed as a tool to train developers on secure coding – with the intention of building a honeypot.  Game of Hacks, built using the node.js framework, displays a range of vulnerable code snippets challenging the player to locate the vulnerability. A multiplayer option makes the challenge even more attractive and the leaderboard spices up things when players compete for a seat on the iron throne.  
  
Line 98: Line 160:
  
 
Join us to:
 
Join us to:
Play GoH against the audience in real time and get your claim for fame.
+
* Play GoH against the audience in real time and get your claim for fame.
Understand how vulnerabilities were planted within Game of Hacks.
+
* Understand how vulnerabilities were planted within Game of Hacks.
See real attack techniques  (some caught us off guard) and how we handled them.
+
* See real attack techniques  (some caught us off guard) and how we handled them.
Learn how to avoid vulnerabilities in your code and how to go about designing a secure application.
+
* Learn how to avoid vulnerabilities in your code and how to go about designing a secure application.
Hear what to watch out for on the ultra-popular node.js framework.
+
* Hear what to watch out for on the ultra-popular node.js framework.
  
 
<br>
 
<br>
Line 116: Line 178:
  
  
=== Internet of Things (IOT) Insecurity ===
+
=== One Class to Rule Them All: Deserialization Vulnerabilities in Android ===
''''' Erez Metula, Application Security Expert, Chairman of AppSec Labs '''''    <br />
+
''''' Roee Hay, Application Security Research Team Lead, IBM X-Force '''''    <br />
During this talk we're going to discuss the security of the so called internet-of-things (IOT),and have a better understanding of what it's all about. This talk will give a broad overview of IOT , the major vulnerabilities that are out there, challenges that exist in securing the things , and what we as security people can do about it.
+
([[Media:AppSecIL2015_OneClassToRuleThemAll_RoeeHay.pdf|download presentation]])
 +
 
 +
We present high severity vulnerabilities in Android.
 +
 
 +
The first is in the Android Platform and Google Play Services. The Platform instance affects Android 4.3-5.1, M (Preview 1) or 55% of Android devices at the time of writing. This vulnerability allows for arbitrary code execution in the context of many apps and services and results in elevation of privileges. In this talk we also demonstrate a Proof-of-Concept exploit against the Google Nexus 5 device, that achieves code execution inside the highly privileged system_server process, and then either replaces an existing arbitrary application on the device with our own malware app or changes the device’s SELinux policy. For some other devices, we are also able to gain kernel code execution by loading an arbitrary kernel module. We had responsibly disclosed the vulnerability to Android Security Team which tagged it as CVE-2015-3825 (internally as ANDROID-21437603/21583894) and patched Android 4.4 / 5.x / M and Google Play Services.
  
If you'd ever heard the IOT buzzword, and you want to know what it's all about, this talk is for you.
+
For the sake of completeness we also made a large scale experiment over 32,701 of Android applications, finding similar deserialization vulnerabilities, identified by CVE-2015-2000/1/2/3/4/20, in 6 SDKs affecting multiple apps. We responsibly (privately) contacted the SDKs’ vendors or code maintainers so they would provide patches. Further analysis showed that many of the SDKs were vulnerable due to weak code generated by SWIG, an interoperability tool that connects C/C++ with variety of languages, when fed with some bad configuration given by the developer. We therefore worked closely with the SWIG team to make sure it would generate more robust code — patches are available.
  
 
<br>
 
<br>
 
<u>Speaker Bio</u>  
 
<u>Speaker Bio</u>  
  
Erez Metula is the founder and Chairman of AppSec Labs, a leading company in the field of application security.
+
Roee leads the X-Force Application Security Research Team at IBM Security. His team focuses on discovering new vulnerabilities and attacks. In recent years, his team has discovered several high severity vulnerabilities in the Android Platform and SDKs.
He is the author of the book Managed Code Rootkits, and is a world renowned application security expert.
 
Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. Erez had helped companies from all sizes, from startups to fortune 500 organizations.  
 
Erez focuses on advanced application security topics and has performed extensive ground breaking research on mobile application security.
 
Erez holds an MSc in computer science and he is CISSP.
 
  
 
<br>
 
<br>
<u>Technical Level:</u> Introduction
+
<u>Technical Level:</u> Advanced
<br/><u>Language:</u> English
+
<br/><u>Language:</u> Hebrew
 
<br>
 
<br>
  
 +
= Track 2 - Room 10 =
  
=== One Class to Rule Them All: Deserialization Vulnerabilities in Android ===
 
''''' Roee Hay, X-Force Application Security Research Team LEad '''''    <br />
 
We present high severity vulnerabilities in Android.
 
  
The first is in the Android Platform and Google Play Services. The Platform instance affects Android 4.3-5.1, M (Preview 1) or 55% of Android devices at the time of writing. This vulnerability allows for arbitrary code execution in the context of many apps and services and results in elevation of privileges. In this talk we also demonstrate a Proof-of-Concept exploit against the Google Nexus 5 device, that achieves code execution inside the highly privileged system_server process, and then either replaces an existing arbitrary application on the device with our own malware app or changes the device’s SELinux policy. For some other devices, we are also able to gain kernel code execution by loading an arbitrary kernel module. We had responsibly disclosed the vulnerability to Android Security Team which tagged it as CVE-2015-3825 (internally as ANDROID-21437603/21583894) and patched Android 4.4 / 5.x / M and Google Play Services.
+
=== 0x3E9 Ways to DIE ===
 +
''' מת לחיות 0x3E9 ''' <br/>
 +
''''' Yaniv Balmas, Security Researcher, Check Point Software Technologies '''''    <br />
 +
([[Media:AppSecIL2015_0x3E9WaysToDIE_YanivBalmas.pdf|download presentation]])
 +
 
 +
Along the years many attempts have been made to combine static and dynamic analysis results. Some were good, other were bad, however the fact is that those two approaches still remain mostly separated as most analysis tools focus on one of them only.
 +
 
 +
For many years, this lack of integration and mental passing of data between static and dynamic tools has caused lot of frustration among researchers.  
 +
 
 +
This was the main motivation in creating DIE.  
 +
 
 +
DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives the researcher access to runtime values from within his standard dissembler screen.  
  
For the sake of completeness we also made a large scale experiment over 32,701 of Android applications, finding similar deserialization vulnerabilities, identified by CVE-2015-2000/1/2/3/4/20, in 6 SDKs affecting multiple apps. We responsibly (privately) contacted the SDKs’ vendors or code maintainers so they would provide patches. Further analysis showed that many of the SDKs were vulnerable due to weak code generated by SWIG, an interoperability tool that connects C/C++ with variety of languages, when fed with some bad configuration given by the developer. We therefore worked closely with the SWIG team to make sure it would generate more robust code — patches are available.
+
As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values.  
 +
With a click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more (and the list keeps on growing). All of this happens without the researcher ever leaving his comfortable dissembler screen.  
  
<br>
+
Even better, as DIE is tightly coupled with IDA, it will basically support any architecture, data type or signature supported by IDA.
<u>Speaker Bio</u>
 
  
Roee leads the X-Force Application Security Research Team at IBM Security. His team focuses on discovering new vulnerabilities and attacks. In recent years, his team has discovered several high severity vulnerabilities in the Android Platform and SDKs.
+
DIE currently has a small but well-respected community of contributors. Starting with the alpha version, DIE users have been able to cut their research time by 20%-40%. As complex reverse engineering tasks may take several weeks or even several months to complete, DIE has already proved to be a valuable resource and a prominent part of the researcher`s toolkit.  
  
<br>
+
DIE was first introduced to the public at RECON 2015 and was very well received. Today, we will introduce its secrets to the respected Israeli research community.

During this talk I will explain the basic idea behind DIE, describe its architecture, and show live examples of how to use its extensive plugin framework to speed up the research process.

The talk includes *live examples*, carefully selected from real research projects in various security fields, which demonstrate how DIE can be used to speed up bypassing software protections, unpacking malware, and quickly locating a malware's de-obfuscation functions.


<br>

<br>

<u>Speaker Bio</u>

Yaniv is a software engineer and a seasoned professional in the security field. He wrote his very first piece of code in BASIC on the new Commodore 64 he got for his 8th birthday.

As a teenager, he spent his time looking for ways to hack computer games and break BBS software. This soon led to diving into more serious programming and, ultimately, the security field, where he has been ever since. Yaniv is currently leading the malware research team at Check Point Software Technologies, where he deals mainly with analyzing malware and researching vulnerabilities.


<br>

<br>
<u>Technical Level:</u> Advanced
<br/><u>Language:</u> English

<br>

<br>
  
  
=== Do one thing every day that scares you. Encryption. ===
''''' Irene Abezgauz, VP Product, Dyadic Security '''''    <br />

Although the math is constantly challenged, encryption's weakest link remains the human factor of implementing it.

From using a single key for all communications to the Ashley Madison MD5 fiasco, cryptography is damn hard to get right. Sometimes it seems the only ones getting it right are the ransomware guys.

This talk will cover several examples of poorly implemented encryption, focusing mostly on what you shouldn't do, and a bit on what you should.


<br>

<br>

<u>Speaker Bio</u>

Irene is a cyber security professional with over 10 years of experience in penetration testing, secure systems design and security research. She has worked extensively with leading companies around the world, helping them build secure systems, and has years of industry experience shaping world-leading enterprise security products.


<br>

<br>
<u>Technical Level:</u> Intermediate / Advanced
<br/><u>Language:</u> Hebrew, English

<br>

<br>


=== From zero to secure in 1 minute ===
''''' Moshe Ferber, Chairman, Cloud Security Alliance Israel '''''    <br />
([[Media:AppSecIL2015_From_zero_to_secure_in_1_minute_MosheFerber.pdf|download presentation]])

Companies moving to cloud infrastructure (IaaS) discover that they can do amazing things with the automation of infrastructure tasks. They can deploy environments in seconds and push production changes several times a day, but security still holds them back. Many of our security procedures have not adapted to cloud automation and still rely on traditional maintenance windows and manual tasks such as static and dynamic analysis, vulnerability scans, hardening and more. This is a major obstacle in a world where a cloud instance can be installed, configured, moved to production and terminated within an hour, so security must adapt to this accelerated life cycle. In this presentation, we will demonstrate how to automate the creation of instances, the generation and safeguarding of encryption keys, configuration management and security scans, and how to automatically process the results and act on them. The result is cloud instances that are launched and configured to meet security requirements, automatically, within minutes. Implementing the techniques and tools shown can help organizations overcome these security challenges and make sure that security is not the bottleneck on the way to faster application deployments.


<br>

<br>

<u>Speaker Bio</u>

Moshe Ferber is a world-renowned cloud security industry expert, involved in shaping the foundations of responsible cloud adoption. He is a major contributor and instructor for the CCSK and CCSP cloud security certifications, and is involved in many of the working groups that define tomorrow's standards and best practices. Mr. Ferber is also a popular industry speaker with numerous appearances worldwide and serves as the chairman of the Israeli chapter of the Cloud Security Alliance.


<br>

<br>
<u>Technical Level:</u> Intermediate
<br/><u>Language:</u> Hebrew

<br>

<br>
  
  
=== Why Are Hackers Winning the Mobile Malware Battle ===
''''' Yair Amit, CTO & Co-Founder, Skycure '''''    <br />
([[Media:AppSecIL2015_MobileMalwareBattle_YairAmit.pptx|download presentation]])

In the proverbial game of cat and mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. In his presentation, Yair will break down the current set of techniques (signatures, static analysis, dynamic analysis, social cyber-intelligence) used to identify malware on mobile devices, and identify the pros and cons of each approach. He will also explain why attackers constantly succeed in fooling these technologies, and explore the false positive / false negative trade-off in such solutions. To demonstrate the above, Yair will create a malicious mobile app live on stage that bypasses signature, static and dynamic analysis approaches.

The audience will learn:

* The attack paths mobile hackers are taking
* What actions organizations can take to mitigate malware risks
* How security vendors can change their paradigms to improve their defenses


<br>

<br>

<u>Speaker Bio</u>

Yair Amit is co-founder and CTO at Skycure, where he leads the company's research, vision and its R&D center. He has been active in the security industry for more than a decade, and his research is regularly covered by media outlets and presented at security conferences around the world (Mr. Amit is a regular and top-rated speaker at RSA Conference). Prior to co-founding Skycure, Yair managed the Application Security and Research Group at IBM, which he joined through the acquisition of Watchfire. At IBM, Yair led the research and implementation of IBM's next-generation application security technology. Yair holds a BSc, summa cum laude, in bioinformatics from Tel Aviv University.


<br>

<br>
<u>Technical Level:</u> Advanced
<br/><u>Language:</u> Hebrew

<br>

<br>
  
  
=== Too Big to Fail - Breaking WordPress Core ===
''''' Netanel Rubin, Senior Vulnerability Researcher, PerimeterX '''''    <br />
([[Media:AppSecIL2015_Too_Big_to_Fail_-_Breaking_WordPress_Core_NetanelRubin.pdf|download presentation]])

When attacking web applications, what do you do when there are no injection points? No false assumptions? No logical errors?

Most of the time you just move on, perhaps looking for bad code in a different component or a third-party plugin.

What if that target is just too important to give up on? What if your target is the most popular web platform in the world?

This talk will focus on the recent vulnerabilities found in WordPress core, one of the most securely written web apps in the world. We will begin with a carefully orchestrated race condition leading to privilege escalation, and go all the way to SQL injection and persistent XSS attacks, in 20% of the top 1M sites on the Internet.

We will dive deep into a system that seems impenetrable and analyze a chain of bugs no one thought exploitable, in order to describe one of the most interesting web application vulnerabilities in CMS history.

Join us for a journey through the eyes of one researcher who made it to WordPress core and lived, to get a glimpse of how one searches for vulnerabilities in a massive code base and how to catch oh-so-important developer misses.


<br>

<br>

<u>Speaker Bio</u>

Netanel is a senior vulnerability researcher with several significant findings under his belt.

Starting his security career at the age of 16, Netanel performed security assessments for many international companies and organizations, including banks and government offices.

Following a meaningful military service in the IDF elite intelligence unit 8200, he joined Check Point Software Technologies, and later on PerimeterX. In the past few years, his work has been presented at several international conferences such as DEF CON and CCC.


<br>

<br>
<u>Technical Level:</u> Advanced
<br/><u>Language:</u> Hebrew

<br>

<br>
  
  
=== Cross-Site Search Attacks ===
''''' Hemi Leibowitz, Cyber Security Researcher at Bar Ilan University and a lecturer at the College of Management '''''
<br/>
([[Media:AppSecIL2015_Cross-Site-Search-Attacks_HemiLeibowitz.pdf|download presentation]])

Cross-site search (XS-search) attacks circumvent the same-origin policy and extract sensitive information by using the time it takes for the browser to receive responses to search queries.

This side channel is usually considered impractical, due to the limited attack duration and the high variability of delays. This may be true for naive XS-search attacks; however, we show that the use of better tools facilitates effective XS-search attacks, exposing information efficiently and precisely.

We present and evaluate three types of tools: (1) appropriate statistical tests, (2) amplification of the timing side channel by `inflating' communication or computation, and (3) optimized, tailored divide-and-conquer algorithms to identify terms from large `dictionaries'. These techniques may be applicable in other scenarios.

We implemented and evaluated the attacks against the popular Gmail and Bing services, in several environments and ethical experiments, taking careful, IRB-approved measures to avoid exposure of personal information.
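The three tools the abstract lists, as an added example that is not part of the original page and not the authors' code: a JavaScript simulation in which the victim search service is a constructed in-memory mailbox whose response time grows with the number of hits. The attacker samples a candidate OR-query and a known-empty query and decides with Welch's t statistic whether the candidate was slower (tool 1), widens the gap by requesting a larger result page (tool 2, modelled by the `inflation` parameter), and recovers which dictionary terms appear in the mailbox by testing groups of terms and splitting only the groups that show hits (tool 3). Mailbox contents, timings, the wordlist and every parameter value are assumptions; nothing contacts a real service.

```javascript
// Added example (editor's code, not from the talk or the paper): a self-contained
// XS-search simulation. The victim is a constructed in-memory search service whose
// response time depends on the number of hits; nothing is sent over the network.

// ---- Constructed victim: a search endpoint with a timing side channel --------------
const SECRET_INBOX = [                      // constructed sample data
  'your password reset link is inside',
  'lab results: diagnosis attached',
  'reminder: dentist appointment tomorrow',
  'lunch on friday?',
];

// Deterministic PRNG (mulberry32) so every run of the simulation is reproducible.
function mulberry32(seed) {
  return function () {
    seed = (seed + 0x6D2B79F5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
const rand = mulberry32(2015);

// Roughly Gaussian network jitter with standard deviation `sd` ms (sum of 12 uniforms).
function jitter(sd) {
  let s = 0;
  for (let i = 0; i < 12; i++) s += rand();
  return (s - 6) * sd;
}

// Simulated response time (ms) for a search matching ANY of `terms` (the attacker's OR
// query). `inflation` models the attacker asking for a larger result page, so every hit
// costs the server more work and more bytes: that is tool (2), amplification.
function victimSearchMs(terms, inflation) {
  const hits = SECRET_INBOX.filter(msg => terms.some(t => msg.includes(t))).length;
  return 100 + hits * 3 * inflation + jitter(20);
}

// ---- Tool (1): a statistical test instead of a single noisy measurement ------------
function mean(xs) { return xs.reduce((a, b) => a + b, 0) / xs.length; }
function variance(xs) {
  const m = mean(xs);
  return xs.reduce((a, x) => a + (x - m) ** 2, 0) / (xs.length - 1);
}
// Welch's t statistic: how many standard errors slower the candidate query is than the
// reference query that is known to return no results.
function welchT(candidate, reference) {
  const se = Math.sqrt(variance(candidate) / candidate.length +
                       variance(reference) / reference.length);
  return (mean(candidate) - mean(reference)) / se;
}

// ---- Attacker side -----------------------------------------------------------------
const EMPTY_QUERY = ['qzxv-no-such-term'];   // assumed to match nothing: the baseline

function makeOracle({ samples = 16, inflation = 20, threshold = 4 } = {}) {
  let tests = 0;
  const timings = terms => Array.from({ length: samples }, () => victimSearchMs(terms, inflation));
  return {
    // true when the OR of `terms` is, statistically, slower than an empty search
    hasHits(terms) {
      tests++;
      return welchT(timings(terms), timings(EMPTY_QUERY)) > threshold;
    },
    testCount() { return tests; },
  };
}

// ---- Tool (3): divide and conquer over a dictionary --------------------------------
// One test decides whether ANY term of a group is present; only groups that show hits
// are split, so a sparse set of present terms costs far fewer tests than one per term.
function findPresentTerms(oracle, dictionary) {
  if (dictionary.length === 0 || !oracle.hasHits(dictionary)) return [];
  if (dictionary.length === 1) return dictionary;
  const mid = dictionary.length >> 1;
  return findPresentTerms(oracle, dictionary.slice(0, mid))
    .concat(findPresentTerms(oracle, dictionary.slice(mid)));
}

const DICTIONARY = [   // assumed attacker wordlist of sensitive terms
  'password', 'invoice', 'flight', 'salary', 'lawsuit', 'pregnancy', 'divorce', 'bitcoin',
  'loan', 'tax', 'visa', 'therapy', 'police', 'resignation', 'diagnosis', 'wedding',
  'mortgage', 'audit', 'subpoena', 'rehab', 'bankruptcy', 'overdraft', 'biopsy', 'custody',
  'interview', 'offer', 'passport', 'prescription', 'payroll', 'severance', 'warrant', 'collection',
];

function runAttack() {
  const oracle = makeOracle();
  const found = findPresentTerms(oracle, DICTIONARY);
  return { found, tests: oracle.testCount(), naiveTests: DICTIONARY.length };
}

console.log(runAttack());   // { found: [ 'password', 'diagnosis' ], tests: 17, naiveTests: 32 }
```

Run with `node`: the two present terms are recovered in 17 group tests instead of 32 single-term tests. In a real attack the per-sample timing comes from the browser (the time a cross-origin search request takes to complete), the jitter is far less well behaved than the Gaussian noise simulated here, and the choice of test, sample count and inflation has to be tuned to it; that tuning is the substance of the talk.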
  
 
<br>

<br>

<u>Speaker Bio</u>

Hemi Leibowitz is a lecturer at the College of Management and a cyber security researcher at Bar Ilan University. His main fields of interest are the security of communication networks and the design of robust anonymous communication systems that withstand strong attackers.


<br>

<br>
<u>Technical Level:</u> Intermediate
<br/><u>Language:</u> Hebrew

<br>

<br>
  
 +
=== Certifi-gate - Front Door Access to Pwning Hundreds of Millions of Android Devices: The Aftermath. ===
''''' Shai Yanovski, Security Analytics Product Manager, Check Point '''''    <br />

Hundreds of millions of Android devices, including those running Lollipop, the latest and most secure version of Android OS, can be hijacked. A comprehensive study has revealed the existence of multiple instances of a fundamental flaw within the Android customisation chain that leave millions of devices (and users) vulnerable to attack.

These vulnerabilities allow an attacker to take advantage of insecure apps certified by OEMs and carriers to gain unfettered access to any device, including screen scraping, key logging, private information exfiltration, back door app installation, and more. In this session, Lacoon researchers will walk through the technical root cause of these responsibly-disclosed vulnerabilities, including hash collisions, IPC abuse and certificate forging, which allow an attacker to grant their malware complete control of a victim's device. We'll explain why these vulnerabilities are a serious problem that in some ways can't be completely eliminated, show how attackers exploit them, demonstrate an exploit against a live device, and provide remediation advice.


<br>

<br>

<u>Speaker Bio</u>

Shai is responsible for turning Check Point's cutting-edge research in cyber threats, mobile technology and analysis algorithms into a world-class security solution that protects organizations from mobile threats.

Shai has a proven track record of turning advanced research and technology into products that solve complex problems. He brings more than 12 years of experience in cyber security, data analytics and product management to Check Point.

Prior to Check Point, Shai collaborated with a range of private sector companies and government organizations on diverse projects such as nano-particle toxicology, military helicopter fault detection, terrorist activity detection in communication networks and cyber security, including an award-winning project Shai led while serving as an officer in the elite technology unit of the Israeli Intelligence Corps.

He received his BSc in Industrial Engineering and Management from Tel Aviv University, where he was a member of the Applied Machine Learning Research Lab.


<br>

<br>
<u>Technical Level:</u> Intermediate / Advanced
<br/><u>Language:</u> Hebrew

<br>

<br>
  
  
=== Theories of Agile, Fails of Security ===
''' הצילו, אבטחת מידע אג'ילית! ''' (Hebrew title: "Help, Agile information security!") <br/>
''''' Daniel Liber, R&D Security Leader, CyberArk '''''    <br />
([[Media:AppSecIL2015_Theories_of_Agile_Fails_of_Security_DanielLiber.pptx|download presentation]])

Buzzwords about Agile are flying around at overwhelming speed; Scrum, Kanban, XP and other methodologies and practices are thoroughly discussed, while security is still left as a 'high level' talk, or sometimes as an exercise in adapting from traditional development methodologies. Some best practices will leave you scratching your head, unsure what the original intention was and without understanding how to implement security in Agile effectively. This lecture will bring all the undocumented failures from such processes, and the best ways of avoiding them before you experience them.


<br>

<br>

<u>Speaker Bio</u>

Daniel Liber is the R&D security leader at CyberArk, a leader in securing enterprises against cyber attacks that take cover behind insider privileges and attack critical enterprise assets. Previously he worked as an application security consultant for Comsec Consulting, with customers from industries such as banking, finance, telecom and government offices. Daniel also served as a principal security team leader at Bank Leumi (Israel), focusing on building secure mobile and web applications. Daniel is enthusiastic about security communities, exchanging ideas for research and promoting security, step by step.


<br>

<br>
<u>Technical Level:</u> Intermediate / Advanced
<br/><u>Language:</u> English

<br>

<br>
  

Latest revision as of 02:11, 17 December 2015

Here are the full descriptions of the talks at AppSec Israel 2015, and the biographies for each of the speakers.

The full schedule can be found and subscribed to here.


Keynote - Main Auditorium

Keynote: The Rebellious Teenage Years: 15 years of Web Security

Jeremiah Grossman, Founder, WhiteHat Security
(download presentation)

It's been 15 years of Web Security. Jeremiah will discuss where we’ve been, where we are, and where we’re going.


Speaker Bio

Innovator. Inventor. Protector of the Web. Jeremiah Grossman is the founder of WhiteHat Security.

Jeremiah possesses a unique combination of technology savvy, customer advocacy and personal passion to lead WhiteHat into the future. A world-renowned web security expert, sought-after speaker and influential blogger, Jeremiah brings a literal lifetime of information security experience, both homegrown and from his days as Yahoo!’s information security engineer. The ultimate “WhiteHat,” Jeremiah is also founder of the Web Application Security Consortium and the mind behind Aviator, WhiteHat’s next generation secure web browser. In his spare time, Jeremiah practices Brazilian Jiu jitsu and has earned a black belt.

Language: English

Track 1 - Main Auditorium

Internet of Things (IOT) Insecurity

Erez Metula, Application Security Expert and Chairman, AppSec Labs
Israel Chorzevski, CTO, AppSec Labs
(download presentation)

During this talk we're going to discuss the security of the so-called Internet of Things (IOT), and get a better understanding of what it's all about. This talk will give a broad overview of IOT, the major vulnerabilities that are out there, the challenges that exist in securing the things, and what we as security people can do about it.

If you've ever heard the IOT buzzword and want to know what it's all about, this talk is for you.


Speaker Bio

Erez Metula is the founder and Chairman of AppSec Labs, a leading company in the field of application security. He is the author of the book Managed Code Rootkits and a world-renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development training for worldwide organizations, and has previously spoken at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. Erez has helped companies of all sizes, from startups to Fortune 500 organizations. Erez focuses on advanced application security topics and has performed extensive ground-breaking research on mobile application security. Erez holds an MSc in computer science and is a CISSP.


Speaker Bio

There are people who do security research for a living, and there are people who do it on their own time. Israel Chorzevski does both; he is publicly known for his lectures and professional training.

In addition to research, he is involved in a number of hacking projects, such as AppUse (Android Testing Platform) and other tools which have been and are being developed at AppSec Labs as part of his role as CTO of the company.


Technical Level: Introduction
Language: Hebrew

The Node.js Highway: Attacks are at Full Throttle

Helen Bravo, Product Management Director at Checkmarx
(download presentation)

The popularity of Node.js is soaring. Just five years after its debut, the platform now boasts more than 2 million downloads a month. It's easy to understand why. This event-driven platform kept the simplicity of existing Web concepts and trashed the complexities; applications built on Node.js do not require a dedicated Web server to run; and it runs on Google's V8 engine, the JavaScript engine of the Google Chrome Web browser. In fact, just consider Node.js the drive-and-go platform. But before accelerating too quickly, it is important to understand the power, and the corresponding mishaps, of this platform.

We’ll delve under-the-hood of the language’s engine and present our 6-month research into the Node.js language. In particular, we reveal new attack techniques against applications built on top of this language. This part of the talk includes demonstrations to engage the audience.

Attacks include:

  • Application-layer DDoS attacks. With just 4(!) requests, a server is brought to its knees, effectively denying service to all users of the Node.js application.
  • Password exposure attacks. Leveraging the "Forgot My Password" feature of applications based on Node.js in order to reveal the passwords of all users of the application.
  • Business logic attacks. Running malicious code on the machines of all users of the application by exploiting a weak business feature, due to the platform's inherent coupling of the application and the server it runs on.

This talk is not intended to put the brakes on Node.js. On the contrary, this talk’s aim is to raise awareness to its security issues during application development.


Speaker Bio

Helen has more than eighteen years of experience in software development, IT security and source-code analysis. Prior to working at Checkmarx, Helen worked at Comverse, one of the biggest Israeli hi-tech firms, as a software engineer and product manager for security matters. Helen holds a B.A. in Economics and Business Administration from the University of Haifa, Israel, and started her development career at the age of 11.


Technical Level: Intermediate
Language: English

Security Automation in the Agile SDLC - Real World Cases

Ofer Maor, Director of Security Strategy, Synopsys

How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic: there's an endless feed of buzzwords, but how can we turn them into a practice that really works? In this session we will review real-world examples of building a successful automation process for the delivery of secure software in fast-paced development environments.


Speaker Bio

Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development.

As the founder and CTO of Seeker, Ofer pioneered IAST, the next generation of application security testing technology, currently used by some of the largest organizations in the world to continuously improve their software security. Ofer joined Synopsys when it acquired Seeker in July 2015.

Prior to Seeker, Ofer was the Founder and CTO of Hacktics. He led Imperva's Application Defense Center research group and has also served as the Chairman of OWASP Israel and in the OWASP Global Membership Committee.


Technical Level: Advanced
Language: Hebrew


The Spy in the Sandbox: Practical Cache Attacks in Javascript and their Implications

The Spy in the Sandbox: Cache Attacks in JavaScript and Their Implications (Hebrew title)
Yossi Oren, Senior Lecturer at the Department of Information Systems Engineering, Ben Gurion University
(download presentation)

Side-channel analysis is a remarkably powerful cryptanalytic technique. It allows attackers to extract secret information hidden inside a secure device by analyzing the physical signals (e.g., power, heat) that the device emits as it performs a secure computation. While the potency of side-channel attacks is established without question, their application to practical settings is debatable. The main limiting factor to the practicality of side-channel attacks is the problematic attack model they assume: with the exception of network-based timing attacks, most side-channel attacks require that the attacker be in "close proximity" to the victim.

In this work, we challenge this limiting assumption by presenting a successful side-channel attack that assumes a far more relaxed and practical attacker model. In our model, the victim merely has to *access a website* owned by the attacker using his personal computer. Despite this minimal model, we show how the attacker can still launch a side-channel attack in a practical time frame and extract meaningful information from the system under attack. Defending against this attack is possible, but the required countermeasures can exact an impractical cost on benign uses of the browser.

Joint work with Vasileios P. Kemerlis, Angelos D. Keromytis and Simha Sethumadhavan.


Speaker Bio

Yossi Oren is a senior lecturer at the Department of Information Systems Engineering in Ben Gurion University, and a member of BGU's Cyber Security Research Center. Prior to joining BGU, Yossi was a Post-Doctoral Research Scientist in the Network Security Lab at Columbia University in the City of New York and a member of the security lab at Samsung Research Israel. He holds a Ph.D. in Electrical Engineering from Tel-Aviv University, and an M.Sc. in Computer Science from the Weizmann Institute of Science.

His research interests include secure hardware (power analysis and other hardware attacks and countermeasures; low-resource cryptographic constructions for lightweight computers) and cryptography in the real world (consumer and voter privacy in the digital era; web application security). He has been an attendee of OWASP IL since 2007.


Technical Level: Intermediate / Advanced
Language: English


Man in the Cloud Attack

The Man in the Cloud Attack (Hebrew title)
Sagie Dulce, ADC TL, Imperva
(download presentation)

File synchronization services, such as Google Drive, Dropbox and others, are becoming widespread, both in private and corporate use. These applications, while offering great convenience to their users, also provide a hacker with an ideal platform for C2 infrastructure. Instead of setting up a new C2 server, an attacker simply needs to open a new cloud storage account, or even use the victim's account as the platform.

In our presentation we will examine how common cloud synchronization services can be used by hackers to steal private and corporate data, remain persistent on infected machines and avoid perimeter detection mechanisms. All of this could be done from the attacker’s laptop, without any exploits and without writing server side code.

Objective: Understand risks & mitigations of MitC attacks


Speaker Bio

Security researcher at IDF 8200. Researcher and now TL in Imperva's ADC research team.

I write in Imperva's security blog and at times respond to press security queries.


Technical Level: Intermediate
Language: Hebrew


Game of Hacks: Play, Hack & Track

Amit Ashbel, AppSec Strategist at Checkmarx
(download presentation)

We created "Game of Hacks", a viral web app marketed as a tool to train developers on secure coding, with the intention of building a honeypot. Game of Hacks, built using the node.js framework, displays a range of vulnerable code snippets, challenging the player to locate the vulnerability. A multiplayer option makes the challenge even more attractive, and the leaderboard spices things up when players compete for a seat on the iron throne.

Within 24 hours we had 35K players test their hacking skills... we weren't surprised when users started breaking the rules.

Join us to:

  • Play GoH against the audience in real time and get your claim to fame.
  • Understand how vulnerabilities were planted within Game of Hacks.
  • See real attack techniques (some caught us off guard) and how we handled them.
  • Learn how to avoid vulnerabilities in your code and how to go about designing a secure application.
  • Hear what to watch out for on the ultra-popular node.js framework.


Speaker Bio

Amit Ashbel joined Checkmarx from Trusteer (acquired by IBM). He has been part of the security community for more than a decade, where he has taken on multiple tasks and responsibilities over the years, including technical and senior product lead positions. Amit adds valuable product knowledge, including experience with a wide range of security platforms and familiarity with emerging threats and the hi-tech security industry.


Technical Level: Intermediate / Advanced
Language: Hebrew


One Class to Rule Them All: Deserialization Vulnerabilities in Android

Roee Hay, Application Security Research Team Lead, IBM X-Force
(download presentation)

We present high severity vulnerabilities in Android.

The first is in the Android Platform and Google Play Services. The Platform instance affects Android 4.3-5.1 and M (Preview 1), or 55% of Android devices at the time of writing. This vulnerability allows for arbitrary code execution in the context of many apps and services and results in elevation of privileges. In this talk we also demonstrate a Proof-of-Concept exploit against the Google Nexus 5 device, which achieves code execution inside the highly privileged system_server process, and then either replaces an existing arbitrary application on the device with our own malware app or changes the device's SELinux policy. For some other devices, we are also able to gain kernel code execution by loading an arbitrary kernel module. We responsibly disclosed the vulnerability to the Android Security Team, which tagged it as CVE-2015-3825 (internally as ANDROID-21437603/21583894) and patched Android 4.4 / 5.x / M and Google Play Services.

For the sake of completeness we also ran a large-scale experiment over 32,701 Android applications, finding similar deserialization vulnerabilities, identified by CVE-2015-2000/1/2/3/4/20, in 6 SDKs affecting multiple apps. We responsibly (privately) contacted the SDKs' vendors or code maintainers so they would provide patches. Further analysis showed that many of the SDKs were vulnerable due to weak code generated by SWIG, an interoperability tool that connects C/C++ with a variety of languages, when fed with a bad configuration supplied by the developer. We therefore worked closely with the SWIG team to make sure it would generate more robust code; patches are available.


Speaker Bio

Roee leads the X-Force Application Security Research Team at IBM Security. His team focuses on discovering new vulnerabilities and attacks. In recent years, his team has discovered several high severity vulnerabilities in the Android Platform and SDKs.


Technical Level: Advanced
Language: Hebrew

Track 2 - Room 10

0x3E9 Ways to DIE

Die Hard 0x3E9 (Hebrew title)
Yaniv Balmas, Security Researcher, Check Point Software Technologies
(download presentation)

Over the years many attempts have been made to combine static and dynamic analysis results. Some were good, others were bad; however, the fact is that those two approaches still remain mostly separated, as most analysis tools focus on only one of them.

For many years, this lack of integration and the manual passing of data between static and dynamic tools has caused a lot of frustration among researchers.

This was the main motivation in creating DIE.

DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly inside the native IDA GUI. It gives the researcher access to runtime values from within his standard disassembler screen.

As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values. With the click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more (and the list keeps on growing). All of this happens without the researcher ever leaving his comfortable disassembler screen.

Even better, as DIE is tightly coupled with IDA, it will basically support any architecture, data type or signature supported by IDA.

DIE currently has a small but well-respected community of contributors. Starting with the alpha version, DIE users have been able to cut their research time by 20%-40%. As complex reverse engineering tasks may take several weeks or even several months to complete, DIE has already proved to be a valuable resource and a prominent part of the researcher's toolkit.

DIE was first introduced to the public at RECON 2015 and received amazing feedback. Today, we will introduce its secrets to the respected Israeli research community.

During this talk I will explain the basic idea behind DIE, describe its architecture, and show live examples of how to use its extensive plugin framework to speed up the research process.

The talk includes *live examples* which have been carefully selected from real research projects in various security fields and demonstrate how DIE can be used to speed up bypassing software protections, unpack malware, and super-quickly locate malware de-obfuscation functions.


Speaker Bio

Yaniv is a software engineer and a seasoned professional in the security field. He wrote his very first piece of code in BASIC on the new Commodore-64 he got for his 8th birthday.

As a teenager, he spent his time looking for ways to hack computer games and break BBS software. This soon led to diving into more serious programming, and ultimately, the security field where he has been ever since. Yaniv is currently leading the malware research team at Check Point Software Technologies where he deals mainly with analyzing malware and researching vulnerabilities.


Technical Level: Advanced
Language: English


From zero to secure in 1 minute

Moshe Ferber, Chairman, Cloud Security Alliance Israel
(download presentation)

Companies moving to cloud infrastructure (IaaS) discover that they can do amazing things with the automation of infrastructure tasks. Companies can deploy environments in seconds and make production changes several times a day, but security still holds them down. Many of our security procedures have not adapted to cloud automation and still rely on traditional maintenance windows and manual tasks such as static / dynamic analysis, vulnerability scans, hardening and more. This is a major obstacle in a world where a cloud instance can be installed, configured, moved to production and terminated within an hour. So security must adapt to this new accelerated life cycle and change accordingly.

In this presentation, we will demonstrate how to automate the creation of instances, generate and safeguard encryption keys, perform configuration management and security scans, and automatically process the results and make decisions accordingly. The result is cloud instances that are launched and configured according to security requirements in an automated way within minutes. Implementing the techniques and tools shown can help organizations overcome security challenges and make sure that security is not the bottleneck on the way to faster application deployments.


Speaker Bio

Moshe Ferber is a well-known cloud security industry expert, involved in shaping the foundations of responsible cloud adoption. He is a major contributor and instructor for the CCSK & CCSP cloud security certifications and is involved in many of the working groups that define tomorrow's standards and best practices. Mr. Ferber is also a popular industry speaker with numerous appearances worldwide and serves as the chairman of the Israeli chapter of the Cloud Security Alliance.


Technical Level: Intermediate
Language: Hebrew


Why Are Hackers Winning the Mobile Malware Battle

Yair Amit, CTO & Co-Founder, Skycure
(download presentation)

In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. In his presentation, Yair will break down the current set of techniques (signatures, static analysis, dynamic analysis, social cyber-intelligence) used to identify malware on mobile devices, and identify the pros and cons of these approaches. He will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions. To demonstrate this, Yair will create a malicious mobile app live on stage that can bypass signature-based, static and dynamic analysis approaches.

The audience will learn:

  • The attack paths mobile hackers are taking
  • What actions organizations can take to mitigate malware risks
  • How security vendors can change their paradigms to improve their defenses


Speaker Bio

Yair Amit is co-founder and CTO at Skycure, where he leads the company's research, vision and its R&D center. He has been active in the security industry for more than a decade, with his research regularly covered by media outlets and presented at security conferences around the world (Mr. Amit is a regular and top-rated speaker at RSA Conference). Prior to co-founding Skycure, Yair managed the Application Security and Research Group at IBM, joining through the acquisition of Watchfire. At IBM, Yair led the research and implementation of IBM's next-generation application security technology. Yair holds a BSc, summa cum laude, from Tel Aviv University in bioinformatics.


Technical Level: Advanced
Language: Hebrew


Too Big to Fail - Breaking WordPress Core

Netanel Rubin, Senior Vulnerability Researcher, PerimeterX
(download presentation)

When attacking web applications, what do you do when there are no injection points? No false assumptions? No logical errors? Most of the time you just move on, perhaps looking for bad code in a different component or third-party plugin. What if that target is just too important to give up on? What if your target is the most popular web platform in the world?

This talk will focus on the recent vulnerabilities found in WordPress core, one of the most securely written web apps in the world. We will begin with a carefully orchestrated race condition leading to privilege escalation, and go all the way to SQL injection and persistent XSS attacks, in 20% of the top 1M sites on the Internet. We will dive deep into a system that seems impenetrable, and analyze a chain of bugs no one thought exploitable, in order to describe one of the most interesting web app vulnerabilities in CMS history.

Join us for a journey through the eyes of one researcher who made it to core WordPress and lived, to get a glimpse of how one searches for vulnerabilities in massive code and how to catch oh-so-important developer misses.


Speaker Bio

Netanel is a senior vulnerability researcher who has several significant findings under his belt.

Starting his security career at the age of 16, Netanel performed security assessments for many international companies and organizations, including banks and government offices.

Following a meaningful military service in the IDF elite intelligence unit 8200, he joined Check Point Software Technologies, and later on PerimeterX. In the past few years, his work was presented in several international conferences such as DEF CON and CCC.


Technical Level: Advanced
Language: Hebrew


Cross-Site Search Attacks

Hemi Leibowitz, Cyber Security Researcher at Bar Ilan University and a lecturer at the College of Management
(download presentation)

Cross-site search (XS-search) attacks circumvent the same-origin policy and extract sensitive information by using the time it takes for the browser to receive responses to search queries. This side channel is usually considered impractical, due to the limited attack duration and high variability of delays. This may be true for naive XS-search attacks; however, we show that the use of better tools facilitates effective XS-search attacks, exposing information efficiently and precisely.

We present and evaluate three types of tools: (1) appropriate statistical tests, (2) amplification of the timing side channel by 'inflating' communication or computation, and (3) optimized, tailored divide-and-conquer algorithms to identify terms from large 'dictionaries'. These techniques may be applicable in other scenarios.

We implemented and evaluated the attacks against the popular Gmail and Bing services, in several environments and ethical experiments, taking careful, IRB-approved measures to avoid exposure of personal information.


Speaker Bio

Lecturer at the College of Management. Research member of the cyber research at Bar Ilan University. Main interest fields are the security of communication networks and designing robust anonymous communication systems against strong attackers.


Technical Level: Intermediate
Language: Hebrew

Certifi-gate - Front Door Access to Pwning Hundreds of Millions of Android Devices: The Aftermath.

Shai Yanovski, Security Analytics Product Manager, Check Point
Hundreds of millions of Android devices, including those running Lollipop, the latest and most secure version of Android OS, can be hijacked. A comprehensive study has revealed the existence of multiple instances of a fundamental flaw within the Android customisation chain that leave millions of devices (and users) vulnerable to attack.

These vulnerabilities allow an attacker to take advantage of insecure apps certified by OEMs and carriers to gain unfettered access to any device, including screen scraping, key logging, private information exfiltration, back door app installation, and more. In this session, Lacoon researchers will walk through the technical root cause of these responsibly-disclosed vulnerabilities, including hash collisions, IPC abuse and certificate forging, which allow an attacker to grant their malware complete control of a victim's device. We'll explain why these vulnerabilities are a serious problem that in some ways can't be completely eliminated, show how attackers exploit them, demonstrate an exploit against a live device, and provide remediation advice.


Speaker Bio

Shai is responsible for turning Check Point’s cutting edge research in cyber threats, mobile technology and analysis algorithms into a world-class security solution providing organizations with protection from mobile threats.

Shai has a proven track record of turning advanced research and technology into products that solve complex problems. He brings more than 12 years of experience in cyber security, data analytics and product management to Check Point.

Prior to Check Point, Shai collaborated with a range of private sector companies and government organizations on diverse projects such as nano-particle toxicology, military helicopter fault detection, terrorist activity detection in communications networks and cyber security, including an award-winning project Shai led while he served as an officer in the elite technology unit of the Israeli Intelligence Corps.

He received his BSc in Industrial Engineering and Management from Tel Aviv University where he was a member of the Applied Machine Learning Research Lab.


Technical Level: Intermediate / Advanced
Language: Hebrew


Theories of Agile, Fails of Security

Help, Agile Information Security! (Hebrew title)
Daniel Liber, R&D Security Leader, CyberArk
(download presentation)

Buzzwords about Agile are flying around at overwhelming speed; talks about Scrum, Kanban, XP and other methodologies and practices are thoroughly discussed, while security is still left as a 'high level' talk, or sometimes as an exercise in adapting from traditional development methodologies. Some best practices will leave you scratching your head, unsure what the original intention was and without understanding how to implement security in Agile effectively. This lecture will present all the undocumented failures during such a process, and the best ways of avoiding them before experiencing them.


Speaker Bio

Daniel Liber is the R&D security leader at CyberArk, a leader in securing enterprises against cyber attacks that take cover behind insider privileges and attack critical enterprise assets. Previously he worked as an application security consultant for Comsec Consulting, working with customers from industries such as banking, finance, telecom and governmental offices. Daniel also served as a principal security team leader at Bank Leumi (Israel), focusing on building secure mobile and web applications. Daniel is enthusiastic about security communities, exchanging ideas for research and promoting security, step by step.


Technical Level: Intermediate / Advanced
Language: English


The presentations at AppSecIL were selected through an open Call for Presentations, and everyone was invited to submit a proposal for a presentation.