AppSec Israel 2016 has ended

Log in to bookmark your favorites and sync them to your phone or calendar.

Track 2 [clear filter]
Monday, September 19

10:05 IDT

The Threat of Advanced Cross-Site Search Attacks
Cross-site search (XS-search) is a practical timing side-channel attack that allows the extraction of sensitive information from web-services. The attack exploits inflation techniques to efficiently distinguish between search requests that yield results and requests that do not. This work focuses on the response inflation technique that increases the size of the response; as the difference in the sizes of the responses increases, it becomes easier to distinguish between them. We begin with browser-based XS-search attack and demonstrate its use in extracting users' private data from Gmail and Facebook. The browser-based XS-search attack exploits the differences in the sizes of HTTP responses, and works even when significant inflation of the response is impossible. This part also involves algorithmic improvements compared to previous work. When there is no leakage of information via the timing side channel it is possible to use second-order (SO) XS-search, a novel type of attack that allows the attacker to significantly increase the difference in the sizes of the responses by planting maliciously crafted record into the storage. SO XS-search attacks can be used to extract sensitive information such as email content of Gmail and Yahoo! users, and search history of Bing users.


Nethanel Gelernter

Cyberpion & College of Management Academic Studies
Nethanel Gelernter received a PhD in Computer Science from Bar-Ilan University (Israel). His research mainly focuses on web application security, and in particular in exploring new attack vectors and threats in the web. Currently, he is leading the cyber security research and studies... Read More →

Monday September 19, 2016 10:05 - 10:50 IDT
Room 10 - CS and Communications Building
  Track 2

10:55 IDT

The Dark Side of Search Engines Optimizations
Search engines optimization (SEO) is a technique being used by web sites owners in order to improve visibility and traffic to their web site. Legitimate SEO activity will use optimization techniques such as: changing structure and textual usage of the web site pages, publication in social media and web forums that will referrer relevant users.
The ultimate goal of SEO campaign is to promote web site ranking in the leading search engines, having the promoted web site returned in the primary result page once searching for relevant terms and keywords. 

In the presentation I’m going to present what happens when threat actors get into the world of SEO campaigns abuse SEO optimization techniques and moreover, use all kind of attack techniques such as SQL injection and open redirects in order to manipulate search engines ranking.
I will also evaluate some of the SEO attacks and the manipulating techniques, try to determine who are the victims in this story, check if these attacks achieved their goal and supply more interesting insights on the world of “Blackhat SEO”.

avatar for Or Katz

Or Katz

Principal Lead, Security Researcher, Akamai
Or Katz is a security veteran, with years of experience at industry leading vendors, currently serves as Principal Lead Security Researcher for Akamai. Katz is a frequent Speaker in security conferences and published several articles and white papers on threat intelligence and defensive... Read More →

Monday September 19, 2016 10:55 - 11:25 IDT
Room 10 - CS and Communications Building
  Track 2

11:45 IDT

Could a few lines of code it all up!
March 2016. An anonymous open source developer decides to remove his code (left-pad) from a public repository.
Shortly thereafter, several large organizations felt the impact of his actions. Facebook, AirBnB and others experienced errors impacting the functionality of their services. Packages using “left-pad” wouldn’t properly execute.
Today, we embrace both the open source community and the growth of open source projects, modules and packages but… Dependencies and recursive dependencies might become a risk or even a new attack vector which we didn’t foresee.
Could there be other cases of common and popular open source packages depending on open source modules that might not be there tomorrow or, even worse, could they be maliciously modified?

Join us for an insightful session that will reveal our research on this topic where you will learn:
• Which common open source packages might not be there tomorrow and how this can affect you?
• How packages you use could be maliciously modified impact on your app Discuss the risks introduced by hybrid application development
• How intertwined and complex dependencies have become

avatar for Amit Ashbel

Amit Ashbel

Cyber Security Evangelist
Amit has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and... Read More →
avatar for Erez Yalon

Erez Yalon

Director of Security Research, Checkmarx

Monday September 19, 2016 11:45 - 12:30 IDT
Room 10 - CS and Communications Building
  Track 2

12:35 IDT

Java Hurdling: Obstacles and Techniques in Java Client Penetration-testing
Testing java client applications is not always straightforward as testing web applications. Even under experienced hands, there might be obstacles coming your way; what if you cannot use a proxy? How do you MitM? What if you just can't? How do you modify the app to you benefit?

Fortunately, Java is still java. This lecture is based on a true story, and will follow an interesting case of pen-testing a known product; what tools and techniques can be used in order to jump over hurdles, all the way to the finish line.

The lecture aims to enrich the pentester's toolbox as well as mind, when facing java client applications; MitM-ing, run-time manipulations and patching the code are only some of the discussed cases.

In addition, a newly developed proxy for intercepting and tampering with TCP communication over TLS/SSL and bypassing certificate-pinning protections, will be introduced during the lecture.

avatar for Tal Melamed

Tal Melamed

Head of Security Research, Protego Labs
In the past year, Tal Melamed been experimenting in offensive and defensive security for the serverless technology, as part of his role as Head of Security Research at Protego Labs. Specializing in AppSec, he has more than 15 years of experience in security research and vulnerability... Read More →

Monday September 19, 2016 12:35 - 13:20 IDT
Room 10 - CS and Communications Building
  Track 2
  • Audience Breakers
  • Language Hebrew
  • Technical Level Intermediate / Advanced

14:15 IDT

The Ways Hackers Are Taking To Win The Mobile Malware Battle
In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. The team that uncovered iOS malicious profiles, WiFiGate, HTTP Request Hijacking, No iOS Zone and Invisible Profiles are taking it upon themselves to coach developers and organizations on how to regain control, and turn the tables on the hackers behind next-generation mobile malware.

In his presentation, Yair will discuss cutting-edge techniques used by malware writers to circumvent mobile security paradigms such as app-sandboxing and containers. Mr. Amit will then break down the current set of techniques (signatures, static analysis & dynamic analysis) used to identify malware on mobile devices, and identify the pros and cons of these approaches. He will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions.

During a live, interactive demo, Yair will create a mobile malware on stage, meant to be undetected by static and runtime analysis technologies.

avatar for Yair Amit

Yair Amit

CTO & Founder, Skycure
Yair Amit is co-founder and CTO at Skycure, leading the company’s research and vision and overseeing its R&D center. Yair has been active in the security industry for more than a decade with his research regularly covered by media outlets and presented in security conferences around... Read More →

Monday September 19, 2016 14:15 - 15:00 IDT
Room 10 - CS and Communications Building
  Track 2
  • Audience Breakers
  • Language Hebrew
  • Technical Level Intermediate / Advanced

15:05 IDT

Bot Extension - Abusing Google Chrome Extensions for Bot Attacks
Chrome extensions have opened a variety of opportunities for either users and developers, expanding the limits of what we've known as browsing experience. Attacker have also spotted the widely usage of such extensions, and abuse people's trust in Chrome Web Store to distribute malicious extensions. This allows them to run web-based bot attacks straight from victims' browsers, shending cross-site Ajax requests, resulting in impersonation of users in third-party websites.
Furthermore, the detection of such bot attack by the attacked server is more complex than in regular distributed attacks, since real humans actually use the Chrome tab abused to attack the victim.
The lecture will include an overview on Chrome Extension abilities followed by techniques to abuse them in order to run bot attacks, as well as distribute a malicious extensions to big crowds of victims.

avatar for Tomer Cohen

Tomer Cohen

R&D Security Team Leader, Wix.com
Experienced security researcher & pentester, one of the founders of Magshimim Cyber Training Program.

Monday September 19, 2016 15:05 - 15:50 IDT
Room 10 - CS and Communications Building
  Track 2
  • Audience Defenders
  • Language Hebrew
  • Technical Level Intermediate / Advanced

16:05 IDT

Law and the Israeli Cybersecurity Industry
From an international perspective, Israel provides a unique laboratory for studying the effect of law and regulation on cybersecurity research and development. This presentation will provide an introduction to specific laws and regulations concerning cybersecurity research and ask whether these laws have in actual practice influenced the growth of the cybersecurity ecosystem in Israel. More specifically, how have industry players, including startups, multinationals and the military, reacted to the unique legal framework that Israel provides for cybersecurity activities?


Eli Greenbaum

Partner, Yigal Arnon & Co.
Eli Greenbaum is partner in the law firm of Yigal Arnon & Co., specializing in technology, intellectual property and cybersecurity. He received his masters degree in Applied Physics from Columbia University and his law degree from Yale Law School. Eli has published widely in the intersection... Read More →

Monday September 19, 2016 16:05 - 16:50 IDT
Room 10 - CS and Communications Building
  Track 2

16:55 IDT

Signoff or Sign-Out
Software Signoff is an inevitable step in maturing our software development processes in order to deliver better and safer software. Like with other engineering disciplines before, the growing concerns for safety, security and standards is driving the industry to do better. In this talk we will explain what Software Signoff means and why organizations must adopt it before it is too late.

avatar for Ofer Maor

Ofer Maor

Director of Security Strategy, Synopsys
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product developmentAs the founder and... Read More →

Monday September 19, 2016 16:55 - 17:25 IDT
Room 10 - CS and Communications Building
  Track 2