
IBM R&D Labs in Israel

Haifa Security Research Seminar 2014

December 1, 2014
Organized by IBM Research – Haifa






Opening Remarks
Itai Jaeger, Cyber Security Strategy Lead, IBM Research – Haifa


Keynote: Tomorrow's Security Challenges Today
Robert G. Freeman, Manager, X-Force Research, IBM

Abstract: Everyone who considers themselves a leader in the computer security space has an opinion on future threats, and whether or not they purely match potential threats to threats that their products tend to cover, there are a lot of events that either do not happen or have not happened yet. For instance, for many years we had heard about how mobile threats were going to be cataclysmic. They may be at some point in time in the future, but it has not happened. At the moment, we are facing a lot of security breaches, many likely due to known threats and/or threat paradigms with no indication of it ceasing.

Looking forward to the near future, we have to figure out what security really means to the cloud. It remains nebulous today. However, many of tomorrow's security challenges already exist. There are many weak links out there, such as routers / IoT devices, password reuse, business partners with intranet access and even risks posed by the existence of commercial public record aggregators. These weak links will remain as cloud picks up steam. Additionally, 2014 has taught us the importance of auditing open-source software for vulnerabilities like "Heartbleed" and "Shellshock." This talk will focus on these issues and how they relate to the big picture for security researchers.

Bio: Robert Freeman manages the world-renowned X-Force Advanced Research, a leading applied computer security research team with experts located around the globe. Our focus is researching vulnerabilities and malware in both a proactive and reactive sense so as to be ahead of trends and work on protection technologies and public awareness of threats and security architectures. We have been published at many top conferences around the world including Blackhat, Hack-in-the-Box, Virus Bulletin, MIRcon and several others.

Robert has held a variety of roles in X-Force over the past twelve years, including multiple technical leadership functions. He got his start in the late 1990s in the digital rights management field before moving into the anti-malware space and onwards. Robert holds multiple patents and has discovered some impressive Windows-based vulnerabilities over the years. Today, Robert focuses his energy on managing the X-Force Research efforts to diversify and grow influence.




Physical (In)Security: It's not All about Cyber
Inbar Raz, Professional Security Troublemaker

Abstract: Today's threat landscape is all about Cyber. We have cyber threats, cyber security, cyber warfare, cyber intelligence, cyber espionage... Cyber is a synonym for the Internet, but sometimes, it's not -all- about the internet. Focusing defences on the Internet front leads to some wrong assumptions and the overlooking of much simpler, yet just-as-dangerous attack vectors.

Bio: Inbar has been teaching and lecturing about Internet Security and Reverse Engineering for nearly as long as he has been doing that himself. He started programming at the age of 9 on his Dragon 64. At 13 he got a PC, and promptly started Reverse Engineering at the age of 14, and through high school he was a key figure in the Israeli BBS scene. He spent most of his career in the Internet Security field, and the only reason he's not in jail right now is because he chose the right side of the law at an earlier age.

Inbar specializes in an outside-the-box approach to analyzing security and finding vulnerabilities. Since late 2011, he has been running the Malware and Security Research at Check Point, using his extensive experience of over 20 years in the Internet and Data security fields. He has presented at a number of conferences, including Kaspersky SAS, ZeroNights, ShowMeCon, several Law Enforcement events and Check Point events.


Accurate Modeling of the Siemens S7 SCADA Protocol for Intrusion Detection and Digital Forensics
Prof. Avishai Wool, Tel Aviv University

Abstract: The Siemens S7 protocol is commonly used in SCADA systems for communications between a Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). This paper presents a model-based Intrusion Detection System (IDS) designed for S7 networks. The approach is based on the key observation that S7 traffic to and from a specific PLC is highly periodic; as a result, each HMI-PLC channel can be modeled using its own unique Deterministic Finite Automaton (DFA). The resulting DFA-based IDS is very sensitive and is able to flag anomalies such as a message appearing out of its position in the normal sequence or a message referring to a single unexpected bit. The intrusion detection approach was evaluated on traffic from two production systems. Despite its high sensitivity, the system had a very low false positive rate - over 99.82% of the traffic was identified as normal.

Joint work with Amit Kleinmann and Niv Goldenberg.

Bio: Prof. Avishai Wool is an associate professor in the School of Electrical Engineering at Tel Aviv University. He is also deputy-director of the Interdisciplinary Cyber Research Center at TAU. He received a B.Sc. in Mathematics and Computer Science with honors from Tel Aviv University (1989). He has an M.Sc. (1992) and a Ph.D. (1997), both in Computer Science from the Weizmann Institute of Science. His research interests include computer, network, and wireless security, smart-card and RFID systems, side-channel cryptanalysis, and firewall technology.

Prior to joining Tel Aviv University, Prof. Wool spent four years as a Member of Technical Staff at Bell Laboratories, Murray Hill, NJ, USA. In 2000 he co-founded Lumeta Corp. In 2003 he co-founded AlgoSec Systems, a network security company, for which he continues to serve as Chief Technical Officer. He has served on the program committee of the leading IEEE and ACM conferences on computer and network security. He is a senior member of IEEE, and a member of the ACM and USENIX.




How to Generate Keys from Facial Images and Keep Your Privacy at the Same Time
Dr. Orr Dunkelman, University of Haifa

Abstract: Biometric authentication is more secure than using regular passwords, as biometrics cannot be "forgotten" and allegedly contain high entropy. Thus, many constructions rely on biometric features for authentication, and use them as a source for "good" cryptographic keys. At the same time, biometric systems carry with them many privacy concerns. Unlike regular passwords, which can be easily changed if compromised, changing biometric traits is far from being easy. Hence, we need to protect the privacy of the system's users in case of a leakage of the system's internal "password file".

In this talk we describe a proof-of-concept (PoC) system which transforms facial attributes from a single image into keys in a consistent, discriminative, and privacy-aware manner. The outcome is a user-specific string that cannot be guessed, and it reveals no information concerning the users of the system, even when the system's secrets are revealed.

This is a joint work with Margarita Osadchy and Mahmood Sharif.

Bio: Orr Dunkelman is a lecturer in the Computer Science department at the University of Haifa. His research focuses on cryptanalysis, cryptography, security, and privacy. He is best known for his work on symmetric-key cryptanalysis, mostly of block ciphers, and the introduction of new cryptanalytic techniques. Orr has worked on many of the most widely deployed ciphers such as the AES, KASUMI (used in 3G mobile networks), A5/1 (used in GSM networks), and IDEA, publishing more than 60 papers in international venues. He served in more than 50 conference committees, two of which as the program chair (FSE 2009 and CT-RSA 2012), and has won several distinctions and awards (e.g., best paper awards in Crypto 2012 and FSE 2012). Orr obtained his Ph.D. in computer science in 2006 from the Technion and a B.A. in computer science in 2000 from the Technion.


Finding Hypervisor Bugs and Vulnerabilities
Dr. Nadav Amit, Technion – Israel Institute of Technology

Abstract: The hypervisor is a crucial software component of the cloud infrastructure that mediates between virtual machines and the physical hardware. However, existing hypervisor testing methods repeatedly fail to discover critical bugs, which compromise the stability and the security of virtual machines. As a result, virtual machines do not reach the same robustness level as bare-metal machines.

To address this discrepancy, we suggest testing hypervisors using the functional validation tools of physical hardware. To study the applicability of this method, we adapt Intel's state-of-the-art CPU validation tools for a virtual environment, and execute extensive tests of the popular KVM hypervisor. In this talk we will present our current findings and demonstrate how bugs we revealed can be used to attack virtual machines.

Bio: Nadav Amit is a senior researcher at the Technion, Israel. He received his PhD from the Technion. Prior to his studies, he was working as a system validation engineer in Intel. He is a recipient of the IBM Fellowship Award.




Mobile Security Attacks: A Glimpse from the Trenches
Yair Amit, CTO & Co-Founder, Skycure

Abstract: Hackers today apply covert and persistent techniques to attack mobile devices. Attend this presentation to learn about the latest threats on mobile devices from the team who uncovered iOS malicious profiles and HTTP Request Hijacking. We will describe and demonstrate emerging mobile security threats: from physical, through network and up to application level. Hold on to your seats as we expose statistics and insights about real-world attacks on mobile devices around the world.

Bio: Yair Amit has been active in the security world for more than a decade. His research is regularly covered by media outlets and presented in security conferences around the world. Prior to founding Skycure, Yair managed the Application Security & Research Group at IBM, which he joined through the acquisition of Watchfire, a startup that was a pioneer in the field of web-application security.


Recognizing Speech From Gyroscope Signals
Dr. Gabi Nakibly, National Research & Simulation Center, Rafael

Abstract: We show that the MEMS gyroscopes found on modern smart phones are sufficiently sensitive to measure acoustic signals in the vicinity of the phone. The resulting signals contain only very low-frequency information (<200Hz). Nevertheless we show, using signal processing and machine learning, that this information is sufficient to identify speaker information and even parse speech. Since iOS and Android require no special permissions to access the gyro, our results show that apps and active web content that cannot access the microphone can nevertheless eavesdrop on speech in the vicinity of the phone. This is a joint work with Yan Michalevsky and Dan Boneh.

Bio: Gabi is a fellow at the National Research & Simulation Center (part of Rafael ltd.) where he leads state-of-the-art security research projects. Since 2008 he also serves as an adjunct lecturer and an associate researcher at the Technion. In the summer of 2012 Gabi was a visiting scholar at Stanford University's security lab. Starting 2007 through 2012 Gabi was a recipient of the Katzir Fellowship. Gabi holds a B.Sc. in Information Systems Engineering and B.Sc. in Industrial Engineering and Management from the Technion (received in 1999, summa cum laude). In 2008 he finished the direct track to PhD in Computer Science at the Technion.




Eternal Sunshine of the Spotless Machine: Protecting Privacy with Ephemeral Channels
Dr. Mark Silberstein, Technion – Israel Institute of Technology

Abstract: Modern systems keep long memories. As we show in this paper, an adversary who gains access to a Linux system, even one that implements secure deallocation, can recover the contents of applications' windows, audio buffers, and data remaining in device drivers—long after the applications have terminated.

We design and implement Lacuna, a system that allows users to run programs in "private sessions." After the session is over, all memories of its execution are erased. The key abstraction in Lacuna is an ephemeral channel, which allows the protected program to talk to peripheral devices while making it possible to delete the memories of this communication from the host. Lacuna can run unmodified applications that use graphics, sound, USB input devices, and the network, with only 20 percentage points of additional CPU utilization.

Bio: Mark Silberstein is an assistant professor at the Technion EE department. Mark's main research interest is how to design efficient systems with accelerators -- GPUs, FPGAs, DSPs -- and how to provide a convenient and easy-to-use systems software in order to build them.


Cyberterror and the Power of OSINT
Etay Maor, Senior Fraud Prevention Strategist, Trusteer, IBM

Abstract: In recent months we are seeing an increase in the use of the internet by different extremist groups (ISIS for one) to spread propaganda. The way these groups use the internet has actually significantly changed and now includes many elements such as: incitement, propaganda, fund raising, recruitment and even operational intelligence.

During this session Etay will show multiple examples of how these groups used the internet to launch attacks and promote their cause. As part of this we will also touch upon the power of OSINT (open source intelligence) when trying to find and attack a target, be it a critical infrastructure or a specific person. We will see examples of how social networks, social engineering, Google hacking and other techniques can be put to use by adversaries.

Bio: Etay is a senior fraud prevention strategist at Trusteer, an IBM company, where he leads fraud fighting and threat awareness projects. A security evangelist, Etay regularly presents at industry events and academic master classes and volunteers for educational security awareness programs. Previously, Etay was the Head of RSA's Cyber Threats Research Labs where he managed malware research and intelligence teams and was part of cutting edge security research.

Etay holds a BA in Computer Science and is finalizing his MA in Counter Terrorism and Cyber Terrorism. He is a teaching assistant at an Introduction to Cyber Security course and a member of the International Institute for Counter Terrorism where he focuses on cyber terrorism research.


Closing Remarks
Moshe Levinger, Area Manager, Computing as a Service


Reception and Posters