AppSec Israel 2014 Presentations

Manipulating the Manipulator: Breaking browser based memory corruption vulnerabilities
 Tomer Teller, Security Innovations Research Manager, Check Point 

Browser exploitation is the leading cause for the spread of malware across the web. As a result, endpoint-based exploit mitigation technologies were developed to increase the difficulty in these types of exploitations. While these tools have been proven to work in the field, the endpoint-based technologies are difficult to 1) manage, 2) configure, and 3) deploy, particularly in large organizations due to their invasive nature.

In this session, we will unveil an innovative JavaScript library that overloads key functions/structures in order to subvert client-side memory layout. Once injected to a session, the library will manipulate the heap layout in a way that breaks memory corruption vulnerabilities (including Flash-based exploits). This is done by making them less reliable while not breaking the user-experience/performance.

We will release the library during the talk, discuss its implementation, and demonstrate it against the latest obfuscated browser exploits.

The sessions will conclude with lessons learned during development of the library as well as the future direction of this research.

Speaker Bio

Tomer Teller is the security innovations research manager and corporate technical spokesperson at Check Point. His day-to-day includes brainstorming and developing innovative POCs that span multiple disciplines, including malware analysis, exploit mitigations and digital forensics in the effort to improve Check Point’s threat prevention product line detection rates. He has been an active speaker at industry conferences and presented at Black Hat, RSA, TCE, CPX and Bloomberg CyberSecurity. Teller holds a B.Sc. in computer science and is a proud owner of multiple patents in the field of exploit mitigations.

Technical Level: Intermediate / Advanced

A journey to protect points-of-sale
 Nir Valtman, Enterprise Security Architect, NCR 

Many point-of-sale breaches occurred in the past year and many organizations are still vulnerable against the simplest exploits. In this presentation, I explain about how points-of-sale get compromised from both retailer’s and software-vendor’s perspective. One of the most common threats is memory scraping, which is a difficult issue to solve. Hence, I would like to share with you a demonstration of how it works and what can be done in order to minimize this threat. During this presentation, I will explain the long journey took me to understand how to mitigate it, while walking through the concepts (not exposing vendor names) that don’t work.

Speaker Bio

Nir is employed in NCR Corporation as Enterprise Security Architect of NCR Retail. Before the acquisition of Retalix by NCR, Nir lead the security of the R&D in the company. As part of his previous positions in the last decade, he was working as Chief Security Architect, Senior Technology Consultant, Application Security Consultant, Systems Infrastructure Security Consultant and a Technological Trainer. During these positions, Nir was not only consulting, but also performing hands-on activities in various fields, i.e. hardening, penetration testing and development for personal\internal applications. In addition, Nir released few open source tools, e.g. AntiDef, Secure TDD and Memory Scraper. Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities.

Technical Level: Intermediate / Advanced

Static Analysis Improved Fuzzing
 Moti Cohen, IDC 

We have performed a research on static analysis techniques as a method to improve web application fuzzing. We have seen possible improvements in fuzzing performance. The research was conducted in the IDC, and my supervisor was Dr. David Movshovitz.

Speaker Bio

6 years programmer and team leader at IDF programmer at Elbit Systems

B.sc. Computer Science from TAU M.sc. Computer Science from IDC

Technical Level: Advanced

The (In)Security of AngularJS and MongoDB
 Israel Chorzevski, Tech Leader, AppSec Labs 

AngularJS and MongoDB are new technologies which are becoming common in more and more websites. During the lecture we will briefly review the technology, we will learn about new vulnerabilities which are relevant for them, we’ll see how a secure website becomes insecure simply by including an AngularJS library, and how to perform SQL Injection in No SQL database. This lecture is also relevant to popular development environments such as Java, .NET etc...

Speaker Bio

There are people that do security research for a living, and there are people who do it on their own time. Israel Chorzevski has been doing it in both for almost ten years… he is publically known for his lectures and professional trainings. In addition to research, he is involved in a number of hacking projects, such as AppUse (Android Testing Platform) and other tools which have and are being developed in AppSec Labs as a part of his position as Tech Leader of the company.

Technical Level: Intermediate

Warning Ahead: Security Storms are Brewing in Your JavaScript
 Maty Siman, CTO and Founder, Checkmarx 

JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language? Before dismissing the (in)security posture of JavaScript on the grounds of a client-side problem, consider the impact of JavaScript vulnerability exploitation to the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal. In this talk we explore the vulnerabilities behind Javascript, including: - A new class of vulnerabilities unique only to JavaScript - Vulnerabilities in 3rd-party platforms which are exploited through JavaScript code - HTML5 is considered the NG-Javascript. In turn, HTML5 introduces a new set of vulnerabilities

Speaker Bio

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. An authoritative figure in application security, Maty is regularly interviewed by the media on security-breaking news and frequently speaks at various IT security conferences. Prior to founding Checkmarx, Maty worked at the Israeli Prime Minister’s Office as a senior IT security expert and project manager.

Technical Level: Intermediate / Advanced

Dynamic Analysis of Android Apps
' Erez Metula, Application Security Expert. Author of the book "Managed Code Rootkits". Founder, AppSec Labs '

Dynamic analysis of android apps is all about analyzing apps in real time, for the purpose of detecting application level vulnerabilities and for the sake of manipulating applications while they execute. It is often used as a last resort due to its complexity, when other pentesting techniques mainly focused on static analysis are not enough. Common usages of dynamic analysis are extraction of sensitive data from application memory variables, stealing encryption keys, manipulating signature mechanisms and so on. During this talk we will focus on memory dumps, remote debugging, smali debugging, native debugging, usage of ReFrameworker platform and other interesting things. This talk is based on a similar chapter as part of the Android application hacking course given by Erez at recent BlackHat USA 2014 (https://www.blackhat.com/us-14/training/android-application-hacking-pentesting-mobile-apps.html)

Speaker Bio

Erez Metula Author of the book "Managed Code Rootkits", is a world renowned application security expert. Erez has extensive hands-on experience performing security assessments, code reviews and secure development trainings for worldwide organizations, and had previously talked at international security conferences such as BlackHat, Defcon, OWASP, RSA, SOURCE, CanSecWest and more. He is the founder of AppSec Labs, where he focuses on advanced application security topics. Erez holds an MSc in computer science and he is CISSP.

Technical Level: Advanced

Passwords, Rehashed All Over Again
 Avi Douglen, Security Research, SourceClear  Passwords suck.

It’s no secret – passwords are boring, passwords are weak, passwords are STOOPID. We all hate using them, we all hate building systems for them, we all hate breaking them, we all just hate dealing with them. Nevertheless, passwords are here to stay as the most common authentication mechanism. At least, passwords are a simple mechanism, and we all understand how to protect them well enough.

Then how come we keep getting them wrong?

Wait, whaaaat??

Not only are password protected sites usually flawed; not only are millions of passwords stolen more often than stupid cat pictures are posted to Facebook; not only does your mother reuse the same simple password everywhere – we, the security industry, keep giving bad password advice!

This talk will discuss popular misconceptions regarding how to secure passwords, even amongst security experts. We will also show some practical attacks against the common recommendations in this area. Finally, I will share the simple solutions that we *should* be recommending, and prove mathematically that they are correct.

Speaker Bio

Avi always denies being a hipster, even while building the Code Security Research team at a hip young Silicon Valley startup. That said, when it comes to password misuse he is a downright cranky neckbeard.

During his many years as a developer, security lead, and consultant, he has been party to some pretty poor password practices (Pretty poor password practice parties are not as fun as you might think). Now, he is attempting to atone for that, and throws a hissy fit every time he uses a site with counter-productive password practices. Stay on his good side and do what's right.

Technical Level: Intermediate / Advanced

Mobile Security Attacks: A Glimpse From the Trenches
 Yair Amit, CTO & Co-Founder, Skycure   Adi Sharabani, CEO & Co-Founder, Skycure 

Hackers today apply covert and persistent techniques to attack mobile devices. Attend this presentation to learn about the latest threats on mobile devices from the team who uncovered iOS malicious profiles and HTTP Request Hijacking. We will describe and demonstrate emerging mobile security threats: from physical, through network and up to application level. Hold on to your seats as we expose examples, statistics and insights about real-world attacks on mobile-devices around the world.

This presentation aims at providing a technical overview of the most prominent attack techniques on mobile devices by hackers today, along with a glimpse to emerging threats. The presentation will be conducted via a two-presenters model and shall include a live demo and audience participation.

Speaker Bio

Yair Amit has been active in the security world for more than a decade. His research is being regularly covered by media-outlets and presented in security conferences around the world. Prior to founding Skycure, Yair managed the Application Security & Research Group at IBM, to which he joined through the acquisition Watchfire, a startup that was a pioneer in the field of web-application security.

Adi Sharabani is a world-class security expert and the CEO of Skycure. Formerly, Sharabani led the security of all IBM software products. He came to IBM through the Watchfire acquisition, a start-up company which was a pioneer in the field of application security. His works have been presented in many known conferences such as BlackHat, RSA, OWASP and Innovate.

Technical Level: Intermediate / Advanced

My Preciousss… Holding on to Your Sensitive Data
 Ofer Maor, CTO, Quotium 

Everybody's spending a lot of energy on application security, and yet every once and then someone gets hacked. It's not easy to stay ahead. Applications need to be ultra-secure from a long line of suspicious malware and marauding hackers, yet hackers only need to find one way in. But Hackers are now looking for profit, they do not care about code security or how many vulnerabilities there are (or got fixed). Their aim is to steal sensitive user data, and if this data would be secured, other vulnerabilities may become a lot less worrying.

So we all know we need to encrypt our sensitive data, hash our passwords, drop our CVVs after we use them, but do all our developers know it? And even if they do, does every component they use know that too?

Hold on to your Preciousss sensitive data! We have the solution!

In this talk we will introduce a new freeware tool, based on state of the art runtime code analysis technology, for identifying whenever sensitive data is insecurely handled by your application. We will discuss different types of common developer mistakes and how they can cause data leakage, such as writing to a log file, sending to 3rd party service, etc, and we will demonstrate how this tool can be used as part of ongoing testing for identifying such issues.

Speaker Bio

Ofer Maor has twenty years of experience in information and application security.He has been involved in leading research initiatives, has published numerous papers, regularly appears at leading conferences and is the pioneer of IAST (Interactive Application Security Testing) - the newest approach for automated application security testing.

In his current role as founder and CTO of Quotium, Mr. Maor is leading Seeker® -the new generation of application security, allowing organizations to effectively protect their business and data from application threats. He was previously the Founder and CTO of Hacktics™, where he helped create a world-class leading professional security services group, later acquired by Ernst & Young to become a global excellence center. During this time he has also served as the Chairman of OWASP Israel and was part of the OWASP Global Membership Committee.

Before founding Hacktics, Mr. Maor led Imperva's Application Defense Center, a research group focused on application security services and education, where he advanced research activities and was responsible for all the application security services conducted by the company. He was previously a Senior Security Consultant at eDvice, an application security consulting firm, and served for three years as an Information Security Officer in the Israeli Defense Forces.

Technical Level: Intermediate

Getting New Actionable Insights by Analyzing WAF Triggers
 Or Katz, Principal Security Researcher, Akamai 

In this presentation I will show an advanced technique for post processing of ModSecurity Core Rule Set WAF triggers in order to generate actionable defenses that are derived from WAF triggers. The objective of this post processing is to improve security controls. Based on the collected malicious HTTP traffic we can produce new insights on our attackers and the techniques they use and as a result we can harden defenses that will improve our mitigations. The presentation will include detailed description of several techniques with case studies based on real traffic from Akamai's security big data platform (Cloud Security Intelligence).

Speaker Bio

Or is an application security veteran, with years of experience at industry leading vendors such as Trustwave and F5 Networks. Or currently serves as principal security researcher for Akamai's Cloud Security Intelligence platform. Or is a frequent speaker in conferences such as RSA and OWASP.

Technical Level: Intermediate / Advanced

The Bank Job - Mobile Edition. Remote Exploitation of the Cordova Framework for Android
 David Kaplan, Security Researcher, IBM Security Systems 

Apache Cordova is a popular cross-platform framework for mobile development. In this talk we present a series of vulnerabilities which we found in the framework for Android. These vulnerabilities enable a remote drive-by download attack against many Cordova-based applications and, as the framework is used in over 10% of all finance applications on the Android platform, your bank could be at risk! The talk will include a live demonstration of the attack.

Speaker Bio

David Kaplan is a Security Researcher with IBM Security Systems. The IBM Security Systems Research Team is responsible for cutting edge Application Security research and has published numerous vulnerabilities and whitepapers.

Prior to his work at IBM, David spent a number of years working on next generation security products at Intel and was formerly part of the Red Team at NDS/Cisco.

Technical Level: Intermediate

Practical Attacks against MDM Solutions
 Ohad Bobrov, CTO, Lacoon Mobile Security 

Mobile Remote Access Trojans (mRATs) are surveillance tools surreptitiously planted on a user’s handheld device. While malicious mobile applications– mainly phone fraud applications distributed through common application channels - target the typical consumer, mRATs are the tool for the dedicated attacker. Why? Once installed, the software stealthy gathers information such as text messages (SMS), geo-location information, emails and even surround-recordings. How are these mobile cyber-espionage attacks carried out? In this engaging session, we demonstrate attack techniques which bypass traditional mobile malware detection measures- and even circumvent common Mobile Device Management (MDM) features, such as encryption.

Speaker Bio

Ohad Bobrov is CTO and co-founder of Lacoon Mobile Security. With more than 15 years of experience in the mobile and networking industries, Ohad passionately leads the research, engineering, technology and product development of the company. Prior to Lacoon, Ohad founded and led the mobile mass networking solution department at NICE Systems, receiving multiple Excellence awards for his work. Prior to NICE, he spent seven years in the Israeli Defense Force. Ohad holds a BSc, magna cum laude, from the Open University of Israel in Computer Sciences and an MBA from Tel-Aviv University.

Technical Level: Intermediate / Advanced

Infosec Natural Selection – What SHOULD Be Evaluated FIRST
 Shay Chen, Researcher, Consultant and Analyst 

It should have been easier to make intelligent choices in 2014, deciding what's right and what's wrong, weeding out the useless from the useful. However, in reality, the storm of marketing claims, the endless list of trends, and the sheer number of choices caused the exact opposite. Would you buy a car you can't drive? Would you pay to an ISP that doesn't provide you any internet services? Many of us do just that when choosing infosec products. Furthermore, during infosec product evaluations, the evaluating entity often ignores key aspects that can get him into a WHOLE LOT OF TROUBLE, whether he'll be a CISO, system operator, integrator or pen-tester. Some aspects may simply prevent the products from working, while some features in these products, if improperly implemented by the vendor or misused by the user, can cause severe damage to the target organizations, and as a consequence, make the user / vendor accountable, and may even lead to lawsuits. The presentation will focus on key aspects that the consumer/user should assess prior to selecting information security products (IDS/IPS, WAF, Monitoring Products) or security assessment products (Scanners, Source Code Analysis Tools, Exploitation Suites).

Speaker Bio

Shay Chen is a researcher, consultant and analyst, focused on evaluating products and services in the information security industry. He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects. As the author of the ""WAVSEP"" he was involved in the publication of several large-scale researches in the field of automated security scanners, including multiple benchmarks published throughout 2010-2014. Shay is an experienced speaker, has been instructing a variety of information security courses for the past 9 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

Technical Level: Intermediate