Why Does Database Patching Require A PhD?
Over the years there has been a tendency among some database vendors to avoid disclosing any technical details about patched vulnerabilities. Sadly, this approach puts database customers at risk. What can enterprises do? We show how to reverse engineer a handful of Oracle vulnerabilities and describe workarounds that can be put in place until the patch is applied.
A Perfect CRIME? TIME Will Tell
Presented at: RSA Europe 2013 (Amsterdam, NL)
Imperva's ADC Group has presented a new approach to the CRIME attack, which allows the attacker to launch the attack with no eavesdropping capabilities. The attack was first shown at BlackHat Europe 2013 in Amsterdam.
The new attack technique, called TIME (Timing Info-leak Made Easy), focuses on the HTTPS response, as opposed to the original CRIME technique. TIME overcomes the two previously mentioned limitations of the original attack, removing the eavesdropping requirement and making the attack surface broader.
Tell Me Your IP And I Will Tell You Who You Are
Presented at: BlackHat Europe 2013
IP addresses have been traditionally considered an unreliable method for attack detection. The unreliability is attributed to the use of web proxies, NAT and non-static IP addresses for end-stations. This session will demonstrate how information derived from IP addresses can in fact be used to dramatically improve attack detection capabilities. The presentation will discuss attributes such as Geo Location, Reverse DNS Lookup, Anonymous Proxy lists and more. We discuss how IP intelligence can be used to increase detection effectiveness (ratio of false positives to false negatives) by “ruling” on otherwise indecisive anomalies. We also discuss certain scenarios in which IP intelligence is crucial for even detecting anomalies. The presentation is supported by corroborative evidence derived from actual log data and demonstrates some of the tools that can be used for analysis.
Staring at the Beast: 6 Months of Attack Vector Research
Presented at: RSA Conference 2010
Security officers and vendors alike must look beyond traditional vulnerability information and become privy to the true activities of attackers. In this session, we will look at the intelligence gathered through such data collection efforts, which provides insight into the actual focus of hackers, current attack trends, behavioral patterns of attacks, and attack tools. These help us create more effective security policies and tools in a timely manner.
Business Logic Bots: Friend or Foe?
Presented at: RSA Conference 2010
Cyber attacks are being committed more often by professionals, and are increasingly driven by financial motives. Researchers have discovered the increasing popularity of a certain class of attacks that target business logic. Business logic attacks are a set of legitimate application transactions that are used to carry out a malicious operation that is not part of normal business practices, for example brute forcing coupon codes in an ecommerce application to receive multiple discounts. This presentation will provide a quick introduction to business logic attacks, their unique characteristics and the motivation behind their uptick. The session will suggest a classification method for these attacks from which attendees can draw a set of required mitigation capabilities. We will discuss the capabilities required for detecting automated interaction with the application, different types of repetition, flow tampering and even compromised credentials. We will also consider the use of mitigation techniques such as CAPTCHA, introducing delays and more. To conclude the session, we will argue that all these capabilities can be introduced in the form of a "virtual patch" using a web application firewall, rather than being fixed exclusively in application code.
Business Logic Attacks: Bots and Bats
Presented at: OWASP AppSec DC 2009
In this presentation Eldad Chai, Web Research Team Leader at Imperva, discusses the growing risk of business logic attacks. Business logic attacks are attacks that turn the web application's functionality against the business, breaking the business logic instead of breaking the application. Analyzing hacking incidents from recent years that inflicted real monetary loss, we see more of them facilitated by business logic attacks. Examples include comment spam and web leeching attacks; an even better example is how Google's own features are used by hackers to make money.
Blame it on the Media(Bot) – Using Google Advertising Mechanism for Web Application Attacks
Presented at: OWASP AppSec Europe 2009 - Poland
The research summarized in this presentation was aimed at demonstrating how search engines can be manipulated to serve as attack tools. We were able to show that the AdWords and AdSense services from Google can indeed be used to launch attacks against unsuspecting web applications. Attack types we were able to demonstrate include buffer overflow, SQL injection and CSRF.
Web Application Security and Search Engines – Beyond Google Hacking
Presented at: Infosecurity Europe 2009
In this presentation, Imperva's CTO Amichai Shulman goes over incidents of accidental data leakage through search engines, Google Hacking threats and mitigation techniques, an overview of Google worms and related incidents, search engines used as a means of distributing malware, site masking threats and mitigation techniques, the “Search of Death” threat, and tools and best practices for protection against the various threats.
The Most Dangerous Web 2.0 Threats…and How to Stop Them
Presented at: OWASP Europe 2008
In this presentation, Ms. Noa Bar-Yosef, Security Research Engineer at Imperva, describes what Web 2.0 is, the key risks and challenges associated with Web 2.0, and mitigation techniques and practical approaches for protecting against vulnerabilities exposed through usage of Web 2.0 technologies.
Defeating Web 2.0 Attacks without Recoding Applications
Presented at: InfoSec Canada 2008
The Untold Tale of Database Communication Protocol Vulnerabilities
Presented at: OWASP USA 2007
In this presentation, Imperva's CTO Amichai Shulman relates a history of the database threat environment, a walk-through of database vulnerabilities, and presents mitigation techniques for addressing database threats and vulnerabilities.
Top 10 Database Threats
Presented at: BlackHat USA 2007
In this presentation, Imperva's CTO Amichai Shulman explains the key drivers for database security, the top 10 database security threats, and suggested mitigation techniques. He ends by illustrating a “new approach” to database security: the database monitoring and security gateway solution, a unified solution for protecting both the data and the database.
Anatomy of a Database Attack
Presented at: RSA Europe 2006, Sybase Techwave 2006, and RSA Japan 2007
In this presentation, Imperva's CTO Amichai Shulman describes why hackers are motivated to launch database attacks, tools and techniques used to launch attacks, and methods for preventing attacks, including a database security gateway as a solution.
Real Site Phishing and Advanced Cross Site Scripting
Presented at: InfoSec UK 2006, InfoSec USA 2007
In this presentation, Imperva's CTO Amichai Shulman provides insight into what phishing is, types of phishing attacks, commonly proposed solutions for mitigating phishing attacks, advanced phishing techniques with Cross Site Scripting and Script Injection, and various defenses against phishing.
Traditional SQL Injection Protection: The Wrong Solution for the Right Problem
Presented at: RSA USA 2006
In this presentation, Imperva's CTO Amichai Shulman describes what SQL injection is, why it is one of the biggest threats to Web applications, several common protection mechanisms against SQL injection, and why these mechanisms fail to solve the SQL injection problem. The attack techniques presented are based on research from Imperva's Application Defense Center.
Client Oriented Classification of DB Attacks and Countermeasures
Presented at: RSA Europe 2005
In this presentation, Imperva's CTO Amichai Shulman explains the current landscape of database security, the pitfalls of existing database protection approaches, client based attack classification as a method for classifying the various types of users accessing the database, and considerations for building effective and efficient countermeasures.
Presented at: RSA USA 2005