Prof. Orna Grumberg, Technion

Finding Security Vulnerabilities in a Network Protocol using Formal Verification Methods

Slides

This work presents a novel approach to automatically finding security vulnerabilities in the routing protocol OSPF -- the most widely used protocol for Internet routing. We start by modeling OSPF on (concrete) networks with a fixed number of routers in a specific topology. By using the model checking tool CBMC, we found several simple, previously unpublished attacks on OSPF.

In order to search for attacks in a family of networks with varied sizes and topologies, we define the concept of an abstract network which represents such a family. The abstract network A has the property that if there is an attack on A then there is a corresponding attack on each of the (concrete) networks represented by A. The attacks we have found on abstract networks reveal security vulnerabilities in the OSPF protocol, which can harm routing in huge networks with complex topologies. Finding such attacks directly on the huge networks is practically impossible. Abstraction is therefore essential.

In the talk we will give the needed background on model checking and on OSPF.

09:35

Ohad Bobrov, Lacoon

Anatomy of a Targeted Attack against Mobile Device Management (MDM) Solutions

In this engaging session, we demonstrate a live attack technique aimed at bypassing MDM solutions with email encryption offerings. Further, we show how mobile surveillance software effectively renders the encryption feature useless. This demonstration includes a mobile spyware version which directly accesses the MDM’s memory storage, retrieves the plain-text emails and sends them on to a remote server. Finally, we present mitigation techniques against this increasing threat.

Ohad Bobrov is CTO and co-founder of Lacoon Mobile Security. Ohad has nearly 15 years of experience in mobile and networks. Prior to Lacoon, he founded the mobile mass network solution department at NICE systems and led it for 5 years. Ohad holds a BSc in Computer Sciences and an MBA from Tel-Aviv University. He was granted a number of awards both for his academic work and professional achievements.

10:20

Daniel Genkin, Technion

Demonstration during the break:
Side-channel attack on RSA via grounding and acoustics

Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components. These acoustic emanations are more than a nuisance: they can convey information about the software running on the computer, and in particular leak sensitive information about security-related computations. In a preliminary presentation (Eurocrypt'04 rump session), we have shown that different RSA keys induce different sound patterns, but it was not clear how to extract individual key bits. The main problem was the very low bandwidth of the acoustic side channel (under 20 kHz using common microphones, and a few hundred kHz using ultrasound microphones), many orders of magnitude below the GHz-scale clock rates of the attacked computers.
We describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 7.5 meters away.
Beyond acoustics, we demonstrate that a similar low-bandwidth attack can be performed by measuring the electric potential of a computer chassis. A suitably-equipped attacker need merely touch the target computer with his bare hand, or get the required leakage information from the ground wires at the remote end of VGA, USB or Ethernet cables.

11:35

Prof. Yuval Elovici, Ben-Gurion University

Trusted Detection of Malicious Activities on Mobile Phones

The unprecedented popularity of modern mobile phones has made them a lucrative target for skillful and motivated attackers. Advanced attackers manage to bypass both the security mechanisms that are part of the mobile phone operating system and the additional security tools that are installed on the device. For example, members of BGU cyber security labs have recently demonstrated, on Android-based devices, how traffic which is tunneled via VPN can be intercepted before it has been encrypted. In this seminar, two ongoing research studies at BGU cyber security labs will be reviewed. The studies focus on trusted detection of malicious activities that may indicate the presence of malicious code running in the mobile device. The first study tries to detect malicious activities by power analysis. The power measurements are performed directly on the battery and not within the device that could be accessible to the attacker. In this study it is demonstrated that critical sensor activation, such as GPS, by the attacker's malicious code can be detected and that it is possible to distinguish between malicious and benign user activation. The second study focuses on detecting sophisticated malicious code such as rootkits that attackers manage to install on mobile phones. The detection mechanism consists of both hardware and software components. The hardware component is based on the JTAG interface, which is present in most modern mobile phones and ARM processors. JTAG, which is an industry standard for hardware debug, allows halting the core of the analyzed device without triggering the operating system. It enables monitoring the system memory while the rootkit is not aware that it is being analyzed. The software component consists of a detection mechanism that extracts the Android kernel's memory areas for further analysis. Preliminary evaluation results of both studies will be presented.

Yuval Elovici is the director of the Telekom Innovation Laboratories at Ben-Gurion University of the Negev (BGU), head of the Cyber Security Labs at BGU, and a Professor in the Department of Information Systems Engineering at BGU. He holds B.Sc. and M.Sc. degrees in Computer and Electrical Engineering from BGU and a Ph.D. in Information Systems from Tel-Aviv University. He served as the head of the software engineering program at BGU for two and a half years. For the past ten years he has led the cooperation between BGU and Deutsche Telekom. Prof. Elovici has published more than 56 refereed journal articles in leading journals and published over 100 papers in various refereed conferences. In addition, he has co-authored a book on social network security and a book on information leakage detection and prevention. His primary research interests are computer and network security, cyber security, web intelligence, information warfare, social network analysis, and machine learning. Prof. Elovici also consults professionally in the area of cyber security.

11:35

Ofer Vilenski, Hola

Hola.org - Could a commercial P2P anonymity network make sense?

Hola set out to create an overlay P2P network for HTTP, to accelerate the web and to make it more efficient. One of the methods developed for this was a software-based routing system, where packets were to be re-routed through other peers to create more efficient and robust routes. Once the product was released to market in Jan-2013, consumers started using this routing system as a commercial variation of the Tor network, to achieve anonymity. This enabled them to bypass censorship and other types of filters on the Internet that were constricting the "Worldwide" element of the WWW. Since then Hola has been installed 20m times and is growing fast. The goal of the discussion is to describe the technical elements of the system, how it works, how it is being used, to share with and learn from the audience.

12:20

Prof. Adi Shamir, Weizmann Institute of Science

Double-length lecture

Post-Snowden Cryptography

Over the last few months, a series of unprecedented leaks by Edward Snowden has made it possible for the first time to get a glimpse into the actual capabilities and limitations of the techniques used by the NSA to eavesdrop on computers and other communication devices. In this talk I will survey some of the things we have learned, and discuss possible countermeasures against these capabilities.

14:05

Ofir Arkin, McAfee

Designing Security Architectures for Real World Operational Security. Past. Present. Future.

Multiple different factors, and constraints, must be taken into account when designing an architecture of a security solution. The lecture will discuss key design requirements and how real world security operations affect those. A number of examples will be discussed illustrating what does, and more importantly does not, work in the real world, looking into a number of examples taken from gained experience.

14:50

Michael Shalev, Microsoft

That's not how you build a wall:
Why fighting cybercrime must be a team effort

The antimalware industry has spent the past two decades detecting, blocking, and removing malware for their customers. And while they can claim business success, the industry’s disjointed efforts put little real pressure on the malware syndicates: it’s all too easy to sidestep individual defenses, spew more malware into the system, and continue to enjoy a high return on malware investment. Defending customers is important, but it doesn’t remove malware’s value proposition. If we want the syndicates gone, we have to hit them where it hurts: their wallet. We need to coordinate not just with each other, but cross-industry to do this. We will present examples of successful coordinated efforts against the syndicates. We will lay out a scale-out proposal on how security vendors, Internet service providers, CERTs, and ecommerce companies can execute coordinated syndicate campaigns that increase customer protection, reduce risk management and fraud costs, and, most importantly, remove the value proposition that sustains the large-scale malware syndicates.

15:35

The lectures will be given in Hebrew.

The lecture slides will appear on this site after the event, subject to the speakers' approval.