2nd OWASP Israel mini conference at the Interdisciplinary Center Herzliya (IDC), Monday, May 21st, 13:30

["Ofer Shezaf" <OferS () Breach com>]

Hi fellow Security experts,

Following the big success of the 1st one, we are glad to announce the 2nd OWASP Israel mini conference at 
Interdisciplinary Center Herzliya (IDC). The mini conference is a non-commercial event focusing on web application 
security. As you can see in the program below, we have carefully selected the presentations and we hope they are all 
relevant, informative and most importantly, none commercial. Never the less, we are happy to say that we were able to 
get very distinguish companies to sponsor the event and make sure that the refreshments would be great. The meeting is 
sponsored by Breach Security, Checkpoint, Hacktics, Applicure Technologies, Zend, Microsoft and the Interdisciplinary 
Center Herzliya (IDC). 

The meeting will be held on Monday, May 21st, Starting at 13:30 at Interdisciplinary Center (IDC) Herzliya campus 
(driving directions will be sent to registrants). Participation is free and open to all, but please inform us (e-mail 
to ofers () breach com) that you are coming as space is limited. Feel free to spread the word about this meeting to 
anyone you feel would be interested. You can also register to get the OWASP Israel mailing list 
(http://lists.owasp.org/mailman/listinfo/owasp-israel) and receive updates regarding chapter's meetings. For further 
details please contact us at ofers () breach com or go to the web page at 
http://www.owasp.org/index.php/Israel#2nd_OWASP_IL_mini_conference_at_IDC.2C_May__21th_2007

Dr. Anat Bremler-Barr
Program Academic Director, Information Security Program
Efi Arazi School of Computer Science, IDC Herzliya       

Ofer Shezaf
Chapter Leader, OWASP Israel 
CTO, Breach Security

The agenda of the meeting is: 

* Gathering and Refreshments 
13:30 - 14:00 

* Updates from OWASP Europe, Milan
Ofer Shezaf, OWASP IL chapter leader, CTO, Breach Security 
14:00 - 14:15 

Since the conference is just a few days after OWASP Europe 2007 in Milan, and since most of you would not have a chance 
to be there, I will try to convey the content and spirit of this unique conference to you. 
In addition you will hear Yair Amit, who will repeat the presentation he is going to make in OWASP Europe, and Erez 
Metula will build his lecture on OWASP chief evangelist's presentation about .NET. For my presentation in OWASP Europe, 
you had to come to the previous OWASP IL Mini Conference. 

* Pen-Testing at Microsoft: FuzzGuru fuzzing framework 
John Neystadt, Lead Program Manager, Microsoft Forefront Edge, Microsoft 
14:15 - 15:00 

Fuzzing is the main systematic methodology used these days by hackers to find vulnerabilities in web and other 
applications. Fuzzing can find buffer overrun, denial-of-service and information disclosure vulnerabilities. It should 
be done for C++, C#/Java, ASP/JP code. 
FuzzGuru is a generic network fuzzing development framework developed in Microsoft Israel Development Center and is 
formally recommended best practice for all products developed in Microsoft. 
In this talk John will present some fuzzing testing theory, demonstrate the tools and discuss Microsoft fuzzing 
practices. 

* Unregister Attacks in SIP 
Ronit Halachmi-Bekel, Efi Arazi school of Computer Science at Interdisciplinary Center (IDC) Herzliya 
15:00 - 15:40 

The presentation discusses a research work done at the Interdisciplinary Center (IDC) Herzliya about the "unregister 
attack", a new kind of a denial of service attack on SIP servers. In this attack, the attacker sends a spoofed 
"unregister" message to a SIP server and cancels the registration of the victim at that server. This prevents the 
victim user from receiving any calls. 
The research also offers a solution: the SIP One-Way Hash Function Algorithm (SOHA), motivated by the one-time password 
mechanism. SOHA prevents the unregister attack in all situations. The algorithm is easy to deploy since it requires 
only a minor modification and is fully backwards compatible and requires no additional configuration from the user or 
the server. 
The paper is a joint work with Dr. Anat Bremler-Barr and Jussi Kangasharju. The paper was presented at the 14th IEEE 
International Conference on Network Protocols (ICNP). 

* Break 
15:40 - 16:00 

* Application Denial of Service; is it Really That Easy? 
Shay Chen, Hacktics 
16:00 - 16:40 

Denial of service attacks, which are quite a nuisance on the network layer, are a nightmare when done on the 
application layer, but are equally underrated. 
On our last conference, Dr. Anat Bremler-Bar discussed some of the theoretical aspects of application layer denial of 
service attacks. Shay Chen will expand and explore the practicalities of application layer denial of service. He will 
show real world techniques, real life stories and personal experiences conducting DOS attacks during penetration 
testing on major Israeli sites. 

* Behavioral Analysis for Generating A Positive Security Model For Applications 
Ofer Shezaf, OWASP IL chapter leader, CTO, Breach Security 
16:40 - 17:10 

In the last OWASP IL conference, as well as in OWASP Europe in Milan, I explored the potential of a negative security 
model for securing applications. While a negative security model can provide some level of security, most agree that a 
positive security model is preferable for protection application. 
However, building a rule set to provide positive security is a difficult and never ending project. Modern tools employ 
behavioral analysis to build automatically those rules. The presentation will discuss the algorithms and methods used 
to build automatically an application layer positive security rule set as well as the problems and limitation of such 
as approach. 

* Overtaking Google Desktop - Leveraging XSS to Raise Havoc 
Yair Amit, Senior Security Researcher, Watchfire 
17:10 - 17:50 

Yair will present a ground breaking research paper by Watchfire application security labs. The paper describes an 
innovative attack methodology against Google Desktop which enables a malicious individual to achieve a remote, 
persistent access to sensitive data, and potentially a full system control. 
This represents a significant real world example of a new generation of computer attacks which take advantage of Web 
application vulnerabilities utilizing the increasing power of the Web browser. Their purpose is to remotely access 
private information. 
This presentation would be presented by Yair the week before at OWASP Europe in Milan. 

* Break 
17:50 - 18:00 

* Application Security is Not Just About Development 
David Lewis, CISM, CISA, CISSP, Rosenblum Holtzman 
18:00 - 18:20 

What many developers forget about is that the application even though it is a very important part of securing the 
"Gold", data, there are other risks that require their attention. These risks require their understanding and 
preventative measures need to be implemented, managed and validated to limit the exposure to themselves and their 
organizations. E.g. Developers do not see the need for securing their code. 
One of the things I will provide you during my presentation is why you should secure your code. It is one of the ways 
you will keep your job. 

* .NET reverse engineering 
Erez Metula, Application Security Department Manager, 2Bsecure 
18:20 - 19:20 
The presentation will introduce MSIL (Microsoft Intermediate Language) and debugging MSIL. Based on this foundation the 
presentation will explore and demonstrate tools and techniques for changing the behavior of .NET assemblies and the CLR 
using reversing engineering techniques.