2nd OWASP Israel mini conference at the Interdisciplinary Center Herzliya (IDC), Monday, May 21st, 13:30
Hi fellow Security experts,
Following the big success of the 1st one, we are glad to announce the 2nd OWASP
Israel mini conference at Interdisciplinary Center Herzliya (IDC). The mini
conference is a non-commercial event focusing on web application security. As
you can see in the program below, we have carefully selected the presentations
and we hope they are all relevant, informative and most importantly, none
commercial. Never the less, we are happy to say that we were able to get very
distinguish companies to sponsor the event and make sure that the refreshments
would be great. The meeting is sponsored by Breach Security, Checkpoint,
Hacktics, Applicure Technologies, Zend, Microsoft and the Interdisciplinary
Center Herzliya (IDC).
The meeting will be held on Monday, May 21st, Starting at 13:30 at
Interdisciplinary Center (IDC) Herzliya campus (driving directions will be sent
to registrants). Participation is free and open to all, but please inform us
(e-mail to ofers@xxxxxxxxxx) that you are coming as space is limited. Feel free
to spread the word about this meeting to anyone you feel would be interested.
You can also register to get the OWASP Israel mailing list
(http://lists.owasp.org/mailman/listinfo/owasp-israel) and receive updates
regarding chapter's meetings. For further details please contact us at
ofers@xxxxxxxxxx or go to the web page at
http://www.owasp.org/index.php/Israel#2nd_OWASP_IL_mini_conference_at_IDC.2C_May__21th_2007
Dr. Anat Bremler-Barr
Program Academic Director, Information Security Program
Efi Arazi School of Computer Science, IDC Herzliya
Ofer Shezaf
Chapter Leader, OWASP Israel
CTO, Breach Security
The agenda of the meeting is:
* Gathering and Refreshments
13:30 - 14:00
* Updates from OWASP Europe, Milan
Ofer Shezaf, OWASP IL chapter leader, CTO, Breach Security
14:00 - 14:15
Since the conference is just a few days after OWASP Europe 2007 in Milan, and
since most of you would not have a chance to be there, I will try to convey the
content and spirit of this unique conference to you.
In addition you will hear Yair Amit, who will repeat the presentation he is
going to make in OWASP Europe, and Erez Metula will build his lecture on OWASP
chief evangelist's presentation about .NET. For my presentation in OWASP
Europe, you had to come to the previous OWASP IL Mini Conference.
* Pen-Testing at Microsoft: FuzzGuru fuzzing framework
John Neystadt, Lead Program Manager, Microsoft Forefront Edge, Microsoft
14:15 - 15:00
Fuzzing is the main systematic methodology used these days by hackers to find
vulnerabilities in web and other applications. Fuzzing can find buffer overrun,
denial-of-service and information disclosure vulnerabilities. It should be done
for C++, C#/Java, ASP/JP code.
FuzzGuru is a generic network fuzzing development framework developed in
Microsoft Israel Development Center and is formally recommended best practice
for all products developed in Microsoft.
In this talk John will present some fuzzing testing theory, demonstrate the
tools and discuss Microsoft fuzzing practices.
* Unregister Attacks in SIP
Ronit Halachmi-Bekel, Efi Arazi school of Computer Science at Interdisciplinary
Center (IDC) Herzliya
15:00 - 15:40
The presentation discusses a research work done at the Interdisciplinary Center
(IDC) Herzliya about the "unregister attack", a new kind of a denial of service
attack on SIP servers. In this attack, the attacker sends a spoofed
"unregister" message to a SIP server and cancels the registration of the victim
at that server. This prevents the victim user from receiving any calls.
The research also offers a solution: the SIP One-Way Hash Function Algorithm
(SOHA), motivated by the one-time password mechanism. SOHA prevents the
unregister attack in all situations. The algorithm is easy to deploy since it
requires only a minor modification and is fully backwards compatible and
requires no additional configuration from the user or the server.
The paper is a joint work with Dr. Anat Bremler-Barr and Jussi Kangasharju. The
paper was presented at the 14th IEEE International Conference on Network
Protocols (ICNP).
* Break
15:40 - 16:00
* Application Denial of Service; is it Really That Easy?
Shay Chen, Hacktics
16:00 - 16:40
Denial of service attacks, which are quite a nuisance on the network layer, are
a nightmare when done on the application layer, but are equally underrated.
On our last conference, Dr. Anat Bremler-Bar discussed some of the theoretical
aspects of application layer denial of service attacks. Shay Chen will expand
and explore the practicalities of application layer denial of service. He will
show real world techniques, real life stories and personal experiences
conducting DOS attacks during penetration testing on major Israeli sites.
* Behavioral Analysis for Generating A Positive Security Model For Applications
Ofer Shezaf, OWASP IL chapter leader, CTO, Breach Security
16:40 - 17:10
In the last OWASP IL conference, as well as in OWASP Europe in Milan, I
explored the potential of a negative security model for securing applications.
While a negative security model can provide some level of security, most agree
that a positive security model is preferable for protection application.
However, building a rule set to provide positive security is a difficult and
never ending project. Modern tools employ behavioral analysis to build
automatically those rules. The presentation will discuss the algorithms and
methods used to build automatically an application layer positive security rule
set as well as the problems and limitation of such as approach.
* Overtaking Google Desktop - Leveraging XSS to Raise Havoc
Yair Amit, Senior Security Researcher, Watchfire
17:10 - 17:50
Yair will present a ground breaking research paper by Watchfire application
security labs. The paper describes an innovative attack methodology against
Google Desktop which enables a malicious individual to achieve a remote,
persistent access to sensitive data, and potentially a full system control.
This represents a significant real world example of a new generation of
computer attacks which take advantage of Web application vulnerabilities
utilizing the increasing power of the Web browser. Their purpose is to remotely
access private information.
This presentation would be presented by Yair the week before at OWASP Europe in
Milan.
* Break
17:50 - 18:00
* Application Security is Not Just About Development
David Lewis, CISM, CISA, CISSP, Rosenblum Holtzman
18:00 - 18:20
What many developers forget about is that the application even though it is a
very important part of securing the "Gold", data, there are other risks that
require their attention. These risks require their understanding and
preventative measures need to be implemented, managed and validated to limit
the exposure to themselves and their organizations. E.g. Developers do not see
the need for securing their code.
One of the things I will provide you during my presentation is why you should
secure your code. It is one of the ways you will keep your job.
* .NET reverse engineering
Erez Metula, Application Security Department Manager, 2Bsecure
18:20 - 19:20
The presentation will introduce MSIL (Microsoft Intermediate Language) and
debugging MSIL. Based on this foundation the presentation will explore and
demonstrate tools and techniques for changing the behavior of .NET assemblies
and the CLR using reversing engineering techniques.