Introducing SecSessions: Improving Global Awareness of Cyber Security Attacks

One of our goals in the security research team is to improve global awareness of cyber security attacks by hosting small gatherings to facilitate communication in the cyber security community. We recently sponsored a meetup at our Tel Aviv office to encourage “bite-size” talks about key security topics. In attendance were top local security and networking professionals.

SecSessions

Our sessions focused on cross site search, targeted phishing attacks and security research. We also covered ways to conduct security intelligence investigations against spear phishing campaigns and research on vulnerability levels in SOHO routers and DNSSEC.

Featuring Security Experts

We were very pleased to host a group of expert security speakers at our first event.

Dr. Haya Shulman is head of the Cyber Security, Analytics, and Defenses department at Fraunhofer SIT in Darmstadt, Germany. Before joining Fraunhofer SIT, Dr. Shulman was a research group leader in EC-SPRIDE (European Center for Security and Privacy by Design). She is a hacker and a security researcher, mainly in the fields of network and cyber security, focusing on attacks and countermeasures.

Nethanel Gelernter received his Ph.D. from Bar Ilan University in Ramat Gan, Israel, for his work around new web-application attacks and anonymous communication. Today, Gelernter leads the cyber security research and studies in the College of Management Academic Studies. Recently, he established Cyberpion, a company that explores new attack vectors and develops defenses against them. He is also an industry consultant.

Eyal Sela is a cyber security analyst and head of intelligence at ClearSky Cyber Security. Sela is in charge of leading the intelligence team, investigating incidents, developing investigation techniques and procedures, and writing reports, breaking alerts, and advisories.

Discussing cross site search, spear phishing, and security research

Nethanel Gelernter was the first speaker and he talked extensively about a side channel attack called cross site search. This attack vector acquires sensitive information by comparing the differences in load times of search results in several large web services. For example, he spoke about how response times would be slightly different depending on whether a contact name appeared (or didn’t appear) in the user’s contact list. Cross site searches can be carried out against online mail providers to harvest credit card numbers.


Next up was Eyal Sela. He discussed ways to conduct security intelligence investigations against spear phishing campaigns and similar threats. Sela gave examples of recent malware campaigns carried out by different groups, and the ways companies can hunt for the attackers’ digital footprint.


The third talk revolved around three different research projects currently being conducted by Dr. Haya Shulman. These projects included:

  • Vulnerability levels in SOHO (small office/home office) routers across different countries and ISPs
  • Misconfiguration (which causes encryption degradation) in the adoption of DNSSEC
  • Ways to disrupt routers and degrade performance by altering their MTU values, which causes them to severely decrease packet lengths


Top questions from the audience

We had several questions from the audience and wanted to share these three.

Question: Aren’t such attacks (cross site search) protected when the API sees a large number of these requests?

Gelernter: We haven’t been blocked by any of the major targets we implemented the attacks against. We used an algorithm which drastically reduced the number of requests needed (as per the published research paper), which may have helped.

Question: Can this be mitigated by using a token, as in token protection of CSRF attacks?

Gelernter: The searches, in most cases, are meant to work as a simple link/POST action. We don’t use a token because it’s supposed to work outside of a specific session’s scope.

Question: You say that MTU changes using the UDP protocol also affect TCP MTU rates. Is this behavior vendor specific?

Shulman: According to our research, this happens across all tested vendors, as MTU rates are saved by IP addresses.

We were very excited to see such a great response to the first of many events we plan this year. Our goal continues to be to help share knowledge within the cyber security community and its tech fans. The next SecSessions will be held on June 20. Would you like to be a speaker? Please let me know at benh [at] incapsula.com. To follow the SecSessions events, visit http://www.meetup.com/SecSessions-Cybersecurity-Meetup/.
