OWASP Jerusalem 2013 04

OWASP Jerusalem Apr 2013 meeting was held on the 3/4/2013 Tuesday at the Bynet building in Har Hozvim in Jerusalem.

The meeting’s agenda was as follows:

Gathering - Refreshments & Opening Remarks: 18:00-18:15

First Lecture 18:15-18:45 Josh Amishav-Zlatin - A is for Anonymous and Application Layer DoS Attacks:

Slides: http://prezi.com/b5rmsx4lrxwo/a-is-for-anonymous-and-application-layer-dos-attacks/

Abstract: Denial of service (DoS) attacks are like an annoying pest that wont go away. DoS attacks are a persistent problem on the Internet, which are extremely difficult to solve in a scalable fashion. According to WHID data, Denial of Service attacks make up a very significant portion of web based attacks. Despite efforts to code your app securely, a malicious user with minimum bandwidth might still be able to take your application offline at will. In this talk, we will focus on Slow HTTP DoS attacks which have been a popular attack method by various hacktivist groups such as Anonymous. We will also discuss several techniques that can be used to mitigate this threat.

Bio: Josh leads the R&D team at Pure Hacking where he focuses on web application defensive research and develops customized ModSecurity rulesets to help customers reduce risk associated with their web applications. Josh specializes in web application penetration testing and FOSS based security solutions. He is an active member of the ModSecurity community and is currently involved with the OWASP Core Rule Set, AuditConsole and WASC Threat Classification projects. Josh has over 10 years of experience in the IT security industry, working with both financial and government clients to help secure their critical applications

Second Lecture 18:50-19:25 Amitay Dan - Car Phone Intelligence

Many hackers try to demonstrate how to attack cars and mobile phones, but like any other battle there is a need for proper Intelligence. This lecture will show how to use systematic flaws like number's floor, hidden numbers and tenders to pinpoint and attack targets. In the close future almost every car will have a cellular modem, thus we need to start creating our defense right now.

Bio: Amitay Dan researches strategic and tactical cyber attack methods from databases, telecommunication and phreaking as well as medical field attacks. He works as a cyber intelligence analyst at Black Cube

Workshop 19:30-20:30 David Kaplan - Intro to Timing Attacks 

Timing Attacks have become popular over the past number of years and have been employed successfully against numerous targets ranging from network-based attacks to games consoles. During the hour-long workshop, participants will have a chance to learn about simple software timing attacks and will attempt to attack vulnerable pieces of software. Participants are required to bring their own laptops. A Virtual Box image with all tools needed for the workshop will be provided in advance of the day (participants are expected to have this installed prior to the start of the workshop). Some experience with Linux – an advantage. Programming experience – a must (Python + gcc will be provided in the VM, any other languages participants should bring necessary software).

The workshop will be delivered in English.

Bio: Security Researcher working for Intel Corp. by day and hacker by night - breaking things for both fun and profit! Previously part of the red team at NDS (now Cisco). Interested in all things security; with a special interest in real-time and Linux-based embedded systems.