AppSec Israel 2018 has ended
Room 001
Wednesday, September 5
 

17:00 IDT

Gathering, networking, wine and cheese

Wednesday September 5, 2018 17:00 - 17:45 IDT
Room 001

17:45 IDT

Opening
Organizers

Shira Shamban

Dome9 Security


Wednesday September 5, 2018 17:45 - 18:00 IDT
Room 001

18:00 IDT

DNS Exfiltration or Why I threw away my supervised learning models for anomaly detection

Supervised learning (or “machine learning by examples”) is here to stay, but is it always the optimal solution? Whenever engineers need to tell the difference between cats and dogs they will turn to supervised learning models provided with lots of training examples. But what happens when you’re looking for a rare and extraordinary phenomenon such as a unicorn? In that case you might have abundant examples of horses but almost no unicorn examples. In our story, the unicorn is the problem of detecting “low and slow” DNS exfiltration attacks, such as the 2014 cyberattack on Home Depot that resulted in the theft of 65M credit card numbers. While the Home Depot attack establishes the importance of the problem, it’s rare to find enough similar examples in order to predict the next DNS exfiltration cyber campaign. In this talk we will discuss the advantages of Anomaly Detection in the absence of training samples and walk through our solution based on the Isolation Forest algorithm and the challenges we faced implementing it as a large-scale solution in Spark Scala. This is the story of how we had to take a different approach to our problem and how we got to catch and block a live ‘white-hat’ cyber attack on one of our clients’ platform.


Speakers

Ada Sharoni

Senior Software Developer, Akamai
I originally started as an algorithm developer in signal processing, and for the past several years I have been a back-end developer. As a "Talpiot" graduate, I served in the Israeli intelligence community and as a commander of Talpiot cadets. When asked about my favorite book I still...


Wednesday September 5, 2018 18:00 - 18:30 IDT
Room 001

18:30 IDT

Lessons Learned from My Path in the Appsec World
Speakers

Tamar Twena-Stern

Software Manager & Architect, Bit
I am a software manager and an architect. In the past, I managed a development group in Edgeverve Systems and was an architect of a transaction engine. I also led a team of performance experts at NCR Retail, I was a solution architect in Personetics, and I had a start-up of my own...


Wednesday September 5, 2018 18:30 - 19:00 IDT
Room 001

19:00 IDT

Networking
Wednesday September 5, 2018 19:00 - 19:30 IDT
Room 001
 
Thursday, September 6
 

10:45 IDT

(De)Serial Killers
By Dor Tumarkin

Take the plunge into deserialization attacks - from understanding the fundamentals of serialization to vulnerability breakdown, through RCE demos in various technologies (Java, C#, Python). Includes research and exploit demo of never-before-seen vulnerabilities in Microsoft’s Message Queue. 

Speakers

Dor Tumarkin

Application Security Research Team Leader, Checkmarx
AppSec Researcher, Team Leader at Checkmarx. Former Red-Team member and consultant at Cisco and Security-Art. 7 years of experience in red teams, penetration testing, code review, threat modelling and more.


Thursday September 6, 2018 10:45 - 11:30 IDT
Room 001

11:45 IDT

How to hack cryptographic protocols with formal methods
By Ofer Rivlin

The presentation slides can be found at:
https://www.slideshare.net/OferRivlin/how-to-hack-cryptographic-protocols-with-formal-methods


tl;dr: The design of even the smallest security protocols is prone to vulnerabilities. For example, the security protocols of federation and connected-car networks are extremely complex. I explore the use of formal methods for automating the validation and hacking of cryptographic protocols.
---
Long description:
Key exchange and trust establishment protocols are high risk and complex. Manual security verification of these protocols is error-prone, incomplete, and time-consuming.
Protocol designers are not necessarily security experts. We want to give them the methods and tools that will simplify security assessment and help understand security requirements.
Many standard web protocols for establishing trust between service providers and clients, and with identity providers, have proven vulnerable, as have custom protocols built to enable specific B2B communication (e.g. online payments, cross-domain authentication, etc.).
The target of the talk is to share high-level practical knowledge of formal methods and to recognize the benefits of using formal methods when designing or attacking cryptographic protocols.
I will discuss the following subjects:
Logical issues and attack scenarios in protocols.
Simplifying the secure design of complex key exchange and trust establishment protocols by using formal methods, automation and a change of mindset.
Demonstrating analysis and hacking of security protocol formal models in domains like SSO & access delegation, IoT and connected vehicles (V2X and VANET - Vehicle Ad Hoc Networks).

Thursday September 6, 2018 11:45 - 12:30 IDT
Room 001

12:30 IDT

Attacking and Defending NFC Applications
By Aviad Ben-Moshe

In this lecture, I will present an overview of the NFC technology, how it is being used and what industries can and will benefit from it most (hint – Retail, Fintech & IoT) – while focusing on its security aspects.
We have seen an increase of 400% in the production of NFC-enabled devices in the last 3 years and an increase of ~300% in the number of connected IoT devices. The numbers are continually growing rapidly.
After clarifying the uniqueness and special aspects of the NFC technology, we will take a deep dive into application security aspects of NFC based solutions such as duplicating tags, parameter tampering, sensitive information saved in plain text and more.
The technological mechanisms of NFC create a unique threat landscape which I will discuss in detail presenting the risks, threats, and mitigations relevant to NFC.
In addition, we will expose a customized PENETRATION TESTING METHODOLOGY for NFC based applications so you can tackle your next NFC based PT in an educated effective manner.


Thursday September 6, 2018 12:30 - 13:00 IDT
Room 001

14:00 IDT

Is Your Mobile Application Storing Your Company Secrets?
By Swaroop Yermalkar

Does your product or application have a mobile app? Do you use any AWS services? Are your product security engineers working on mobile application security? Looking for information about the importance of mobile app security? If your answer is yes to any of these questions, then this talk is for you!

Speakers

Swaroop Yermalkar

Lead Security Engineer
Swaroop Yermalkar works as a lead security engineer with a diverse skill set focused on Mobile App Pentest, Web, API and AWS Pentesting. In addition, he has authored the book “Learning iOS Pentesting” and leads an open source project, OWASP iGoat, which is developed for iOS security...


Thursday September 6, 2018 14:00 - 14:45 IDT
Room 001

14:45 IDT

Controlling the view controllers in iOS applications - a new automatic tool
By Tomer Hadad

A major part of mobile PT deals with bypassing client-side controls; mostly to load a post-registration/validation screen/component. This ultimate goal is mostly achieved by combining tools/methods. What if we could simply auto-enum the screens and force-load interesting ones? Meet Scwapper. 

Speakers

Tomer Hadad

Application Attack & Penetration Researcher, EY IL Advanced Security Center
Tomer is an application security researcher in EY's Cyber Security Center in Tel Aviv, Israel. He performs vulnerability research on a wide range of applications: web apps, desktop apps, mobile, and embedded systems. Tomer has trained and mentored dozens of consultants in the industry...


Thursday September 6, 2018 14:45 - 15:30 IDT
Room 001

15:45 IDT

Value Driven Threat Modeling
By Avi Douglen

Threat Modeling is a great method to identify potential security flaws, part of any secure design. But instead of investing time + budget in a top-heavy, big-model-up-front threat modeling methodology, we can use a lightweight value-driven approach to embed security right into the agile dev process! 

Organizers

Avi Douglen

OWASP BoD, Bounce Security
AviD is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for around 20 years. My research interests include efficient security engineering, usable...


Thursday September 6, 2018 15:45 - 16:30 IDT
Room 001