OWASP Israel 2013 Presentations

= Keynote =

= Plenary Sessions =

Evolution of online banking attack techniques
Amit Klein, CTO, Imperva

I will survey the evolution of attack techniques against online banking since the mid-2000s till today. This starts with keylogging malware, moves over to screenshooting malware, and finally gets to HTML injection malware (the “Man in the Browser” concept). I will then show several examples of the power of MitB attacks, especially when combined with social engineering, and how this can overcome many security measures such as two-factor authentication and transaction verification.

Speaker Bio

As Trusteer’s CTO, Amit Klein manages the company’s security research. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics. Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.

Technical Level: Intermediate

Live Demo: Your mobile device in the service of the malicious hacker
 Adi Sharabani, CEO, Skycure 

We all developed natural instincts when it comes to protecting our physical space. We all know to look to the sides before crossing the road, and we all have some capabilities to assess current risks and make decisions accordingly. However, when it comes to using our mobile devices in the cyber era, these instincts have not yet evolved. People and organizations are at risk, and do not have an understanding of how to assess or mitigate them. On top of that, current protection solutions provide inadequate protection against these threats. The organizational need to support mobile devices for business-related activity created a huge gap in securing the organization. Adi Sharabani's keynote will highlight some of these threats via a live demonstration of a mobile hacking activity. The audience will be able to opt in for the demo, reflecting how easy it is for a hacker to hack into remote devices.

Speaker Bio

Mr. Adi Sharabani is a world-class security expert and the CEO of Skycure, a start-up that focuses on providing firewall solutions for mobile devices. Formerly, Adi led the security of IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. Among his roles, Adi built and led Watchfire’s security group. Adi has written many patents in the security space, and his works have been presented in many known conferences such as BlackHat, RSA, OWASP, Innovate, Herzliya Conference and many more; his presentations and keynotes are constantly being ranked as best presentations of most conferences he presents at. Adi is also a fellow at Prof. Yuval Ne’eman’s workshop. In his spare time, Adi teaches at Ohel-Shem high school, and is a part of the vision and implementation of the cyber-defense curriculum for high school students, a vision that is now being implemented in Israel.

Technical Level: Introduction

= Track A =

Get Ready for the Next Big Wave of Attacks: Hacking of Leading CMS Systems
Maty Siman, CTO, Checkmarx

The flow of this talk is given by – you! Before this talk, we emailed the audience to provide us with their favorite WordPress plugins that they would like to test for security. In a live demo, we assess the security of the requested plugins. Previous similar trials that we performed on WordPress showed that 30% of the top 50 most downloaded plugins were vulnerable to common Web attacks. What will be the results of this experiment? As we’ll continue to show, assessing the security posture of a plugin is only the hacker’s first step in mass attacks. As opposed to past mass SQL Injection attacks which leveraged tools such as SQLMap, this next wave of attacks does not focus on the site’s platform or customized development code. Rather, these attacks leverage the increasing popularity of CMS platforms such as WordPress and Joomla. The maturity, prevalence and market penetration of CMS platforms allow any marketing, sales or HR individual to easily set up their own fully-operational site. Accordingly, CMS apps are flourishing – and so are the vulnerabilities in these apps.

Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israeli Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center.

Technical Level: Intermediate

Utilizing Popular Websites for Malicious Purposes Using RDI
Daniel Chechik, Security Researcher, Trustwave SpiderLabs
Anat Davidi, Security Researcher, Trustwave SpiderLabs

Reflected DOM Injection is a new attack vector first presented at the DefCon 21 conference in July. We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites. For those of you who are interested in RDI but couldn’t make it to DefCon, we are bringing the talk to you!

The introduction of this session will briefly review the struggle between malicious websites and security products. We will explain the issues of hosting a malicious website and the techniques security vendors use in order to block them. We will then present our new technique to avoid detection and proceed to explain all parts of it in-depth. A full demo of the attack from beginning to end will be included. Common and known services published by popular websites will be used in order to dynamically construct an attack hosted for us by these services. Finally, we will add a layer of defense to our attack, and generate malicious code which will become practically invisible to dynamic analysis engines and thus evade most of today's security engines and technologies.

Speaker Bio

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing, and defining security requirements for the Secure Web Gateway product. Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products. Daniel, among other things, has spoken at the RSA conference and DefCon, holds CEH and CCSE certificates, and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product. Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference and DefCon.

Technical Level: Intermediate

Invisibility Purge - Manipulating Properties Of Invisible & Dormant Asp.Net Controls
Shay Chen, CTO, Ernst & Young (Hacktics)

Server-Side Web Controls became popular components in modern web application frameworks. In addition to the development benefits these components provide, they are also protected using a variety of security mechanisms, including digital signatures, content access restrictions and even invisibility. However, developers that use these components improperly can expose the application to a variety of different attacks that can be executed despite, and sometimes due to, the existence of security mechanisms. The presentation will demonstrate several new methods that attackers can harness to bypass security mechanisms, manipulate server control properties and identify, enumerate and activate events of dormant server web controls, in popular platforms such as ASP.Net, JSF and Mono.

Speaker Bio

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors. He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects. As the co-author of the platforms "Diviner", "SCIP" and "WAVSEP" he was involved in the publication of several large-scale research projects in the field of automated security scanners. Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and has had multiple appearances at international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

Technical Level: Advanced

The ReFrameworker Android runtime manipulator – pentesting Android apps like a king
Erez Metula, AppSec Labs

ReFrameworker is a new exciting addition to the AppUse pentest VM which we just released at the recent BlackHat USA, targeting Android applications. With ReFrameworker, we can manipulate Android applications to make our life as pentesters a lot easier. Does the app you test insist on being used only for a particular IMEI or phone number? Or does it break on invalidated certificates when you try to SSL MitM it using a proxy? No problem! With ReFrameworker, you can just give a new behavior to any runtime method you'd like, like disabling verifications, controlling return values, and so on. Snooping on local SQL queries or encryption keys? ReFrameworker gives you a proxy for local variables so you can change important or sensitive values on the fly. The idea is that we built a new Android ROM for the sole purpose of pentesting Android apps, loaded with hooks at important places inside the Dalvik runtime. During this talk we'll witness the power of ReFrameworker, we'll learn how to use it, how it was implemented and how it can be extended.

Speaker Bio

Erez Metula, author of the book "Managed Code Rootkits", is a world-renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and has previously spoken at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and is a CISSP.

Technical Level: Advanced

A Game of Pwns: Pwning iPhone application security assessment using the iNalyzer framework
Chilik Tamir, Chief Scientist, AppSec Labs

iNalyzer is an open-source, free-to-use pen-testing framework I have recently updated for BlackHat USA, targeting iPhone applications. In the following presentation I will present my latest research on a new approach to performing security assessments of iOS applications utilizing the iNalyzer. The presentation will include a live demonstration of using iNalyzer to transform tedious black-box penetration testing into an exciting gray-box effort. The talk will cover some of the problems with testing iOS applications, and present a wider picture of the testing process for different applications using iNalyzer, from the point of view of the tester, and how to handle the difficulties that may ensue.
 * You will learn how to utilize iNalyzer to bind the power of a regular web vulnerability scanner, such as Zap, Burp or AppScan, into the exciting world of iOS penetration testing.
 * You will learn how to fill in the gaps and use iNalyzer in your IDA reversing effort when testing.
 * You will learn how to manipulate iPhone applications to make our life as pen-testers a lot easier using iNalyzer.

Speaker Bio

Chilik Tamir is an information security expert with over two decades of experience in training, research, development, testing and consulting in the field of applicative information security for clients in the fields of finance, security, government offices and corporations. His latest research, the iOS iNalyzer, is an open-source iOS application Penetration Testing Dashboard. Among his previous publications you will find AppUse – a testing environment for Android applications developed together with Erez Metula; and Belch – an automatic tool for analysis and testing of binary protocols such as Flex and Java-Serialization. Chilik is an experienced security trainer and speaker with previous talks and training in security conferences such as BlackHat USA, HITB Amsterdam, OWASP Israel as well as training in corporations such as Intel, HP, Cisco, Amdocs, Verint, RedBend and others. He is the Chief Scientist at AppSec Labs, where he acts as head of R&D and innovation. Chilik holds a Biomedical Engineering B.Sc. degree.

Technical Level: Advanced

Automatic trust based segregation for content providers on mobile devices
Oren Poleg, IDC

In this work we have designed and developed a modification to the Android Content Providers that allows us to impose access restrictions on the sensitive data items they contain (such as contacts, calendar events). We have developed a lightweight solution that is compatible with the current Android design (so it can be easily integrated with the current Android implementation) that creates separation between different types of sensitive data, also separating them from the non-sensitive information in Android content providers. We allow the device owner to view the data in a unified manner, while 3rd party applications will be allowed access only to content created by them or that they were granted permission to view. User interaction is not required for the security decisions. Instead, we are defining a trust relationship between the data and the applications, in which the owner of the data can delegate access permissions to the applications. This approach will enable organizations to store sensitive information on the device content providers, allow the user to easily access it from the organizational applications as well as from system applications while preventing its leakage through other 3rd party applications. While developed for Android, the concept can be implemented on other mobile devices, such as iPhone and Windows Phone.

Speaker Bio

Oren Poleg is a mobile platforms expert, with more than 10 years in the mobile platforms space. As a team leader at (the former) Sun Microsystems, Oren was responsible for the integration of Java VM into mobile devices, later followed by research of smart phone infrastructures. Currently Oren is working as a consultant, dealing with Android devices, Smart TVs and network security.

Technical Level: Intermediate/Advanced

= Track B =

Web Application Forensics
Renana Friedlich, Forensic Department Leader, Ernst and Young (Hacktics)

Most organizations are not aware of successful application-level attacks, until it's too late. Application penetration tests don't provide information on attacks that ALREADY occurred, on attacks that are CURRENTLY in progress, on failed attempts, or even on the actual impact. Organizations usually rely on security products such as WAF and IDS to locate hacking incidents, but what about attacks that slipped past the WAF? What about attacks with a pattern that the IDS did not recognize? What about organizations that implemented these products too late, or not at all? That's where Web Application Proactive Forensics comes in: a collection of detailed methodologies for locating evidence of attacks that were performed and/or exploited, including attacks listed in OWASP testing guide, WASC and CWE.

Speaker Bio

Renana Friedlich is the Forensic Department Leader at Hacktics, an advanced security center of EY. Renana specializes in forensic investigations, developing incident response, malware assessments, and escorting start-up companies in implementing forensic methodologies into their products. Prior to working at Hacktics, she served in the intelligence corps for seven years, and has over nine years of experience in the information security field. In recent years, Renana was a frequent speaker in the government sector and had multiple appearances in public conferences, including OWASP, annual risk management conferences, and universities. She also regularly instructs forensic and incident response courses at universities and for clients from various industries.

Technical Level: Intermediate

STDD - The protection you REALLY need
Nir Valtman, R&D CSO, Retalix
Lior Israel, Software Architect, Retalix

Today in the agile world, many streams are based on Acceptance Test Driven Development (ATDD). In this presentation we are going to demonstrate how to reuse this concept in the context of security. In addition, this presentation includes common scenarios from the attacker's point of view as well as how the defender should think. Needless to mention, we have many demos...

Speaker Bio

Nir is employed at Retalix as R&D CSO. Before this position he worked as chief security architect, senior technology consultant, application security consultant, system security consultant and a technological trainer. As part of his positions, Nir did not only consult, but also performed hands-on activities in various fields, e.g. hardening, penetration testing and development for personal\internal applications. Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities. Blog: http://www.valtman.org

Lior is a highly experienced software and hardware developer, designer and system architect. Lior started his studies of electronics in the early 1990s and has a degree in computer science. Lior has practical formal experience of over 18 years with software and hardware development, design and more. He is currently working as a software architect of large scale IT applications with cutting edge technologies. Blog: http://blogs.microsoft.co.il/blogs/lior_israel/

Technical Level: Intermediate / Advanced

Spam, Death Threats, and Other Abuses of Online Communities
Avi Douglen, Security Architect, Independent

Many contemporary websites are based on so-called “User Generated Content” (aka UGC). Furthermore, many sites oriented around a community of users enable users to interact with each other, via the site. Sites like Wikipedia and StackOverflow allow users to freely edit pages visible to all users, popular discussion forums are based on continuous postings of content by users, and social networks such as Facebook encourage users to constantly add their own rich data to the site for others’ consumption.

Aside from the usual web attacks common to all user input on websites, such as XSS and SQL Injection, there are some forms of attacks or abuse that are specific to sites such as these. Some of them are purely technical, some of them are social in nature and just take advantage of the available technology. These are often exacerbated by the scope and huge amount of traffic to these sites, and take advantage of the network effect.

The talk will be based in a large part on the speaker’s experience on the Stack Exchange network of sites, but will also compare to the models prevalent on other popular sites. We will discuss some of the aspects particular to these platforms, and show how even the more “boring” of these attacks can sometimes be interesting depending on the situation. We will also see some of the stranger happenings that occur on a large site. Finally, we will discuss and compare some of the different models that these huge websites use to limit the damage. We will of course focus on what is both these sites’ biggest weakness, and greatest strength - the community.

Speaker Bio

Avi Douglen had a CISSP before it was popular, but he is not a hipster. Avi is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for over 15 years. Avi is also a Community Moderator (volunteer basis) on Stack Exchange’s fantastic Information Security site (http://security.stackexchange.com), sister site to Stack Overflow. As a moderator, and as an active user on several other Stack Exchange sites, he has spent a lot of time handling these types of attacks, and has had the opportunity to see up close, what works, what doesn’t, and what can scale to millions of users.

Technical Level: Introductory

Delivering Security in Continuous Delivery Environment
 Yaniv Simsolo, Senior Consultant, Comsec Consulting

Moving from a traditional development environment to an Agile environment creates many a challenge to the security of the organization and developed system. Moving from an Agile development environment towards a Continuous Delivery environment ups the stakes. We will venture into the challenges of delivering security in a Continuous Delivery environment, and test whether in-depth security is achievable. Relying on industry evidence, a unique approach to the evolvement of security under a Continuous Delivery development environment will be presented.

Speaker Bio

Yaniv Simsolo, CISSP, Senior IT Security Professional. A consultant in application security since 2004, and an expert in the security of compound and enterprise scale systems.

Technical Level: Intermediate

Designing a national defense strategy for DDoS applications and volume attacks
Mirit Kagarlitsky, Head of System Analysis, Israeli National Cyber Bureau 

DDoS attacks exploit vulnerabilities in different protocol stack layers, from the application layer and downward. These attacks undermine the availability of various services, some of which transcend the local interest of the compromised organization, bearing broader consequences. Designing a national defense strategy for DDoS attacks has advantages, since the state has both the interest and the capacity to devise large-scale technological solutions of security from targeted attacks on critical services as well as from cumulative damage in this realm. The problem is that there is a wide spectrum of solutions and possible network locations for state intervention: services entry point, ISPs, cloud-based approaches and more; every solution should be analyzed from a national standpoint. Our work examines when and where the state should take action in the realm, ranging from the individual organization to the ISP level. We also suggest how its accumulated benefit should be assessed in order to evaluate the overall effectiveness of the national strategy.

Speaker Bio

Mirit Kagarlitsky holds a B.Sc. in physics and mathematics ("Talpiot" elite program) from the Hebrew University in Jerusalem and is in the process of completing an M.A. in Statistics from Tel Aviv University. She has vast experience with operations research and system analysis in various fields, as an analyst and as a team leader. Today she works as the head of system analysis in the Israeli National Cyber Bureau.

Technical Level: Introduction

Enhancing Web Application Defense Using Big Data
 Or Katz, Principal Security Researcher, Akamai Technologies 

In recent years Big Data has become a commonly used technology in many products. In this presentation I will unveil practical examples of how we can improve web application defenses by using Big Data. Using Big Data enables us to combine web application filter triggers from multiple data sources. Big Data analysis contributes to the improvement and enhancement of defense tactics. In this presentation I will show some examples such as:
 * SQLi – detecting malicious users and their level of maliciousness
 * Web Scraping – exposing scrapers that fly under the radar and what their target information is
 * False positives reduction – using Big Data in order to learn how to tune your configuration

Speaker Bio

Or Katz has vast expertise in Web Application Firewall technology, working in market leading web application firewall vendors as a web application security researcher. Mr. Katz is a board member in OWASP Israel chapter, frequent speaker in the chapter conferences and he was also responsible for leading the OWASP Top 10 Hebrew translation project. Mr. Katz also published several innovative white papers on web applications defensive techniques.

Technical Level: Intermediate

From Obscurity to Pop Culture - Evolution of Application Security
 Irene Abezgauz, Product Manager, Quotium

In 1998 the New York Times website was hacked. According to various news sources, the site underwent a thorough security test just two years before and at that point it became clear that 'it might not be sufficient'. Fifteen years later, application security trends talk about APTs, Agile SDLCs and Security Products being commoditized. In this lecture we review the evolution of application security in the past decade and a half. Examining technology and aspects of security management from the early days of OWASP foundation to present day mobile application security testing as part of the development lifecycle.

Speaker Bio

Irene has ten years of experience in information and application security. Focused on application security penetration testing and research she is a builder and breaker of things. She is the Product Manager of Seeker™, the new generation of automatic application security testing, and head of security research activities at Seeker Security (Quotium). Ms. Abezgauz has discovered numerous vulnerabilities and published advisories related to products of leading vendors.

Technical Level: Introduction