OWASP Israel January 2017 Chapter Meeting

Hosted By
AviD and 2 others
Details

Join us for the first meetup of the year!

Agenda:

17:00 – Gathering, Food & drinks

17:30 – Opening Note

17:45 – IP Agnostic Bot Detection

Michael Groskop, Director of WAF & R&D Security, Radware

Bot-generated attacks targeting web application infrastructure are increasing in both volume and scope. Bots are becoming more sophisticated, leveraging headless browser technologies and using different evasion techniques such as dynamically changing IP addresses. In this presentation we will review the challenges associated with IP-agnostic detection of bot-generated attacks, the complexity involved in distinguishing the good bots from the bad, and the actions application developers can take to better thwart such attacks.

18:30 – R U aBLE? - BLE Application Hacking

Tal Melamed, Technical Lead, AppSec Labs

As IoT devices are increasingly embedded in our everyday lives, vulnerabilities have real impact on our digital and physical security.

Bluetooth Low Energy (BLE), also known as Bluetooth Smart, is part of Bluetooth 4. Today Bluetooth is the most popular protocol used for interfacing IoT and smart devices, wearables and medical equipment. As with most rising technologies, security is often left out.

In this lecture we will demonstrate how to perform penetration testing for applications communicating with connected devices over BLE, and what equipment, libraries and projects can be used.

19:15 – Coffee Break

19:30 – Should I Trust My Vendor?

Yaniv Simsolo, CTO, Palantir Security

Modern systems and business models mandate different approaches to security. Sometimes, the business objectives of the vendor override the security objectives that we, the security community, think the product should have. When approaching a complex system design, numerous challenges arise when considering the trust we put in vendors’ hands and vendors’ responsibilities. Similar security challenges exist at the other end of the scale: considering the maturity (or lack thereof) of small-scale IoT products.

Does the aim sanctify the means?
In certain cases, either mal-coding or business practices result in very poor security of a product or a service. This can get to extreme cases where the vendor outright attacks its own customers. Such was the case, for example, when I purchased a brand new laptop from a known manufacturer, and was attacked with viruses and malicious business practices software. Indeed, certain vendors are worse than others.

In the presentation we will explore notable examples of vendors abusing their customers’ trust and review the (few) mitigation alternatives we may incorporate in our products and systems.

OWASP Israel Chapter
Radware
Raul Wallenberg 22, Ramat HaChayal · Tel Aviv-Yafo