Track 1
Tuesday, October 13

11:15 IDT

Internet of Things (IOT) Insecurity

During this talk we're going to discuss the security of the so-called Internet of Things (IOT) and gain a better understanding of what it's all about. This talk will give a broad overview of IOT, the major vulnerabilities that are out there, the challenges that exist in securing the things, and what we as security people can do about it.

If you've ever heard the IOT buzzword and want to know what it's all about, this talk is for you.


Israel Chorzevski

CTO, AppSec Labs

Erez Metula

Application Security Expert, Founder, AppSec Labs
Erez Metula is the founder and Chairman of AppSec Labs, a leading company in the field of application security. He is the author of the book "Managed Code Rootkits" and is a world-renowned application security expert. Erez has extensive hands-on experience performing security assessments...

Tuesday October 13, 2015 11:15 - 12:00 IDT
Main Auditorium

12:00 IDT

The Node.js Highway: Attacks are at Full Throttle

The popularity of the Node.js coding language is soaring. Just five years after its debut, the language’s framework now boasts more than 2 million downloads a month. It’s easy to understand why. This event-driven language kept the simplicity of existing Web concepts and trashed the complexities; applications built on Node.js do not require a dedicated Web server to run; and Google is even pushing the language with its enhanced V8 engine for the Google Chrome Web browser. In fact, just consider Node.js the drive-and-go language. But before accelerating too quickly, it is important to understand the power – and corresponding mishaps – of this language.

We’ll delve under-the-hood of the language’s engine and present our 6-month research into the Node.js language. In particular, we reveal new attack techniques against applications built on top of this language. This part of the talk includes demonstrations to engage the audience.

Attacks include:

  • Application-layer DDoS attacks. With just 4(!) requests, a server is brought to its knees, effectively denying services from all users of the Node.js application.
  • Password exposure attacks. Leveraging the “Forgot My Password” feature of applications based on Node.js in order to reveal the passwords of all users of the application.
  • Business logic attacks. Running malicious code on all machines of users of the applications when exploiting a weak business feature due to the language’s inherent coupling of the application and the server it runs on.

This talk is not intended to put the brakes on Node.js. On the contrary, this talk’s aim is to raise awareness to its security issues during application development.


Helen Bravo

Product Management Director, Checkmarx
Helen Bravo is the Product Manager at Checkmarx. Helen has more than fifteen years of experience in software development, IT security and source-code analysis. Prior to working at Checkmarx, Helen worked at Comverse, one of the biggest Israeli hi-tech firms, as a software engineer...

Tuesday October 13, 2015 12:00 - 12:30 IDT
Main Auditorium
  Track 1

13:30 IDT

Security Automation in the Agile SDLC - Real World Cases

How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic: there's an endless feed of buzzwords, but how can we turn this into a practice that really works? In this session we will review real-world examples of building a successful automation process for delivery of secure software in fast-paced development environments.


Ofer Maor

Director of Security Strategy, Synopsys
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development. As the founder and...

Tuesday October 13, 2015 13:30 - 14:15 IDT
Main Auditorium
  Track 1

14:15 IDT

The Spy in the Sandbox: Practical Cache Attacks in Javascript and their Implications

Side channel analysis is a remarkably powerful cryptanalytic technique. It allows attackers to extract secret information hidden inside a secure device, by analyzing the physical signals (e.g., power, heat) that the device emits as it performs a secure computation. While the potency of side-channel attacks is established without question, their application to practical settings is debatable. The main limiting factor to the practicality of side-channel attacks is the problematic attack model they assume; with the exception of network-based timing attacks, most side-channel attacks require the attacker be in “close proximity” to the victim.

In this work, we challenge this limiting assumption by presenting a successful side-channel attack that assumes a far more relaxed and practical attacker model. In our model, the victim merely has to *access a website* owned by the attacker using his personal computer. Despite this minimal model, we show how the attacker can still launch a side-channel attack in a practical time frame and extract meaningful information from the system under attack. Defending against this attack is possible, but the required countermeasures can exact an impractical cost on benign uses of the browser.

Joint work with Vasileios P. Kemerlis, Angelos D. Keromytis and Simha Sethumadhavan.


Yossi Oren

Senior Lecturer, Ben Gurion University
Hi! I am a senior lecturer at the Department of Information Systems Engineering in Ben Gurion University, and a member of BGU's Cyber Security Research Center. Before joining BGU I was a Post-Doctoral Research Scientist in the Network Security Lab at Columbia University in the City...

Tuesday October 13, 2015 14:15 - 15:00 IDT
Main Auditorium
  Track 1

15:15 IDT

Man in the Cloud Attack

File synchronization services, such as GoogleDrive, DropBox and others, are becoming widespread, in both private and corporate use. These applications, while offering great convenience to their users, also provide a hacker with an ideal platform for C2 infrastructure. Instead of setting up a new C2 server, an attacker simply needs to open a new cloud storage account, or even use the victim's account as the platform.

In our presentation we will examine how common cloud synchronization services can be used by hackers to steal private and corporate data, remain persistent on infected machines and avoid perimeter detection mechanisms. All of this could be done from the attacker’s laptop, without any exploits and without writing server side code.

Objective: Understand risks & mitigations of MitC attacks


Tuesday October 13, 2015 15:15 - 16:00 IDT
Main Auditorium

16:00 IDT

One Class to Rule Them All: Deserialization Vulnerabilities in Android

The first is in the Android Platform and Google Play Services. The Platform instance affects Android 4.3-5.1 and M (Preview 1), or 55% of Android devices at the time of writing. This vulnerability allows for arbitrary code execution in the context of many apps and services and results in elevation of privileges. In this talk we also demonstrate a Proof-of-Concept exploit against the Google Nexus 5 device that achieves code execution inside the highly privileged system_server process, and then either replaces an existing arbitrary application on the device with our own malware app or changes the device’s SELinux policy. For some other devices, we are also able to gain kernel code execution by loading an arbitrary kernel module. We responsibly disclosed the vulnerability to the Android Security Team, which tagged it as CVE-2015-3825 (internally as ANDROID-21437603/21583894) and patched Android 4.4 / 5.x / M and Google Play Services.

For the sake of completeness we also ran a large-scale experiment over 32,701 Android applications, finding similar deserialization vulnerabilities, identified by CVE-2015-2000/1/2/3/4/20, in 6 SDKs affecting multiple apps. We responsibly (privately) contacted the SDKs’ vendors or code maintainers so they would provide patches. Further analysis showed that many of the SDKs were vulnerable due to weak code generated by SWIG, an interoperability tool that connects C/C++ with a variety of languages, when fed with some bad configuration given by the developer. We therefore worked closely with the SWIG team to make sure it would generate more robust code — patches are available.


Roee Hay

IBM Security
Roee leads the X-Force Application Security Research Team at IBM Security. His team focuses on discovering new vulnerabilities and attacks. In recent years, his team has discovered several high severity vulnerabilities in the Android Platform and SDKs.

Tuesday October 13, 2015 16:00 - 16:30 IDT
Main Auditorium
  Track 1

16:40 IDT

Game of Hacks: Play, Hack & Track

We created “Game of Hacks” – a viral web app marketed as a tool to train developers on secure coding – with the intention of building a honeypot. Game of Hacks, built using the node.js framework, displays a range of vulnerable code snippets challenging the player to locate the vulnerability. A multiplayer option makes the challenge even more attractive, and the leaderboard spices things up when players compete for a seat on the iron throne.

Within 24 hours we had 35K players test their hacking skills... we weren't surprised when users started breaking the rules.

Join us to:

  • Play GoH against the audience in real time and get your claim to fame.
  • Understand how vulnerabilities were planted within Game of Hacks.
  • See real attack techniques (some caught us off guard) and how we handled them.
  • Learn how to avoid vulnerabilities in your code and how to go about designing a secure application.
  • Hear what to watch out for on the ultra-popular node.js framework.


Amit Ashbel

Cyber Security Evangelist
Amit has been with the security community for more than a decade, during which he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge, including experience with a wide range of security platforms and...

Tuesday October 13, 2015 16:40 - 17:25 IDT
Main Auditorium
  Track 1