Make Tea Not War

Roelof Temmingh
ZaCon 2009
http://www.zacon.org.za/Archives/2009/slides/

  1. AGENDA
     • Whoami blah
     • Paterva blah blah
     Always wanted to do a talk on fun stuff
       1. It’s a security con?
          • blah
       2. UAVs, laser guided munitions
          • The fun stuff
       3. EXCLUSIVE – hold the press!!
          • (South African) Facebook zero day!
  2. INTELLIGENCE / INFO GATHERING
     • Why do you ‘hack’?
       • Information
       • Control…leads to information
     • Controls are getting harder to break
     • In proper assessment, 80-90% of time is spent on intelligence gathering.
     • Intelligence gathering is also
       • A port scan
       • A Nessus scan…
       • ..because we learn more about our target
  3. YOU ARE PART OF THE STACK!
     • Threats are moving up the stack
     • Network -> OS -> Application - - -> Person
     Understand the graph – volume and frequency
  4. PEOPLE, SOCIAL ENGINEERING AND MALWARE
     • Everyone is talking malware….
     • Malware -> attacking the workstation
     • Server in a server room vs. workstation with a person behind it
     • For conventional malware traditional network mapping is worthless
     • Focus in the past: find the server and perimeter (infrastructure foot print)
     • Thinking needs to be updated
     • Now – person / company profiling -> the new foot print
  5. HACKERS VS. CRIMINALS
     • Commercializing vulnerabilities
  6. MAKING ZA STRONGER
     Don’t hack ... but if you really have to:
     • Have good/right intentions -> !criminal
       • Never ever use what you found
       • Don’t give SAP a reason to go look for you...
     • Mail your findings so that they can learn/fix
       • ..not from your work - duh...
       • Development is NOT easy, and they are not idiots!
       • Treat with respect – ‘jy is volgende vettie!’
     • Don’t disrupt / destroy / delete anything
       • (even if they gave you bad service)
     • ‘Insider knowledge’ does not count...
       • You are just an ass
     • Don’t share outside of SA
       • Sanitize and share the knowledge/tech – locally
       • Don’t be a doos at international cons....
     Slammer ‘secured’ more networks in a day than all the security consultants in a year
     Change only happens at the point of extinction
     Strongest piece of metal is at the breaking point
     A chain is as strong as its weakest member
  7. UAVS
     • UAV == Unmanned aerial vehicle
     • Think back to your model airplane
       • Let’s put a camera in there!
       • Let’s put a BB gun in there!
       • Let’s put a Hellfire missile in there!!
     • Different sizes
     • Fixed wing / rotary
     • Electrical / Fuel powered
     • Used to be for recon, now also armed
  8. UAVS
  9. UAVS
     • Different altitudes
       • 60k feet / 18km++ (Zephyr)
       • 100 feet (hand launched)
       • 747 flies at around 32-40k feet
     • Speed (max)
       • 747 flies at around 900 km/h
       • Predator MQ1 – 217 km/h
       • Avenger, Global Hawk 750 km/h
       • Prop vs. jet
     • Flying time
       • Up to 82 hours ... Typical 30h ish
  10. UAVS
     • Initial idea 1980s, serious thought in 1990s
     • Driving force behind it – CIA
       • CIA pilots
     • Most known / successful = General Atomics
       • Predator - Series A
         • 1995
         • RQ / MQ
       • Reaper - Series B
         • MQ9
         • 2002
       • Avenger - Series C
         • Announced 2009
  11. UAVS - PREDATOR
  12. UAVS - REAPER
  13. UAVS - AVENGER
  14. UAVS – AVENGER SPECS
     • Jet engine
     • Speed – 740 km/h
     • Fly time – 20h
     • Altitude – 60k feet / 18km
     • Stealth - internal weapons bay, shape, materials, exhaust
     • RADAR / Optics / Targeting
     • Payload – 1.3 tons of Hellfire / Paveway II / JDAM
  15. UAVS – COMMAND & CONTROL
     • Line of sight – C band (4 – 8 GHz)
     • Satellite – Ku band (11 – 15 GHz)
       • Can be routed over commercial sats. NBC - 1983
     • 3 crew members
       • Pilot
         • Flying - looking through a straw
       • 2 x sensor guys
         • Difference in two scans: tire tracks, movement
  16. CAPTURING UAVS
     • If communications dies it flies home
     • Self destruct?
  17. FOOTAGE
  18. MATCHING WAR PORN TO GOOGLE EARTH
  19. UAVS – PROBLEMS
     • Not a lot – it seems to kind of work well..
     • Ku band sucks in heavy weather
       • Pray for rain
     • Lag of up to two seconds
       • Like playing CS/CoD over a link made of wet towels and barbed wire
       • No dog fights!
       • Thus – send in the UAVs once air dominance has been established
  20. SO, WE’RE PRETTY MUCH ...
  21. LET’S JUST HIDE
     • Optics, infra red, RADAR
       • Conceal, underground
       • Rapid change in environment?
       • The Chinese vs. American spy sat story
       • Uhmm...next...
     • Weapons
       • Bombs, missiles
       • LASER guided
     So...it becomes a game of defending against laser guided munitions
  22. HOW LASER GUIDED MUNITIONS WORK
     • Understand a little about light
       • Light storage system == FAIL
     • Terminology
       • Seeker = the bomb/missile
       • Designator = guy / plane with the laser
       • ‘Painting’ the target
       • Invisible laser == you won’t see it..
     • Bomb vs. missile
       • 28km, 60km (spice) radius
  23. PAINTING THE TARGET
  24. LASER ON!
  25. ENCODING
     • But - there could be multiple targets and multiple munitions
     • Seeker needs to know where it should go
     • Thus – must be able to distinguish designators
     • This is done by pulsing the laser
       • Fast
       • Very fast
       • You won’t see it’s pulsing ... either.
     • Encoding
       • PIM – Pulse Interval Module
       • PRF – Pulse Repetition Frequency
  26. PIM
  27. PRF / PIM
     • Missiles are pre-programmed, or programmed on the fly.
     • PRF code is 3 digits.
       • Does this make sense?
       • Everyone should now be thinking...brute force
       • But just hang on..
       • Testing it:
  28. BTW - HOW DOES IT GET TO THE MUNITIONS?
     • Open protocol – on the ‘net
       • MIL-STD-3014 - MiDEF == PDF for munitions
       • In flight coding was introduced in 2008
  29. DUDE, ERRR...NO.. VERY UN-COOL, DON’T PRESS THAT ...
  30. AND THE OTHER SIDE OF THE EQUATION
  31. DETECTION
     • See the light!
     • We can detect the designator’s laser light
       • We know we are being targeted (like in the movies)...and run
     • We can decode the PIM/PRF
       • We might know if we are a priority target – nice...
       • Page 45 -6b: “Lower code numbers and faster pulse rates are appropriate for the most important targets and the most difficult operating conditions.”
  32. DETECTION
     Laser warning sensor configured as a multi-sensor arrangement and interfaced with a suitable smoke/aerosol screening system can be used effectively on platforms like main battle tanks, AFV, etc., to provide platform protection from laser-guided munitions. The development of this sensor is a totally indigenous effort, both in design and implementation.
  33. DETECTION
     • Can we determine the direction of the designator?
       • Know where the special ops guy is sitting / plane
       • Source or reflected light?
     • We might look at the divergence ??
       • Shape of the reflected light
       • Know how far away the special ops guy is / plane
  34. REPLAY
     • Sniff the light!
     • Replay attack should work well...
       • You don’t even have to know what the designator says
     • Does it make sense to have a 256 number code?
       • Why are PRF codes 393, 424, 515 and so on more popular?
       • Americans are always thinking big (1000 missiles at a time)
     • Bomb does not speak .. One way comms
     • So now it’s becoming interesting..
  35. “WTF – DID IT JUST TURN THIS WAY?!”
     • .. replay the laser pulses ...
     • ..and point it somewhere else...like..
     • ...at the designator (see previous slides)
     • Will this work when the designator is a plane? NOT
     • “Page 46, Chapter 5 – Safety: c. Inversion. Caution must be used when the laser-target line is over +30 degrees of the attack heading to ensure the LST or LGB does not detect and guide on the laser designator instead of the target’s reflected laser energy.”
     • Oops..
  36. JDAMS
     • Guidance retrofitted to dumb bombs
       • GPS
       • TV (with RF link)
       • Inertial navigation system
     • Range up to 60km from drop, up to 12 control surfaces
     • Cheap – 21k USD compared to missiles at around 75k USD
  37. WHY DO YOU HAVE THESE SLIDES AT THE CON ACTUALLY? AG, NO MAN REALLY...
     • On a more serious note...
     • Same principles in attack (thinking) apply
       • It’s really just 1s and 0s
       • Don’t think it’s too complex!
       • If you ask the right questions, you can Google the answers
       • (Patents, specs, etc.)
     • Significantly complex tech is indistinguishable from magic.
     • Development of UAVs in non US countries is a big headache for the US...
  38. QUESTIONS?
  39. FACEBOOK 0 DAY, BOUGHT TO YOU BY...
  40. ...VODACOM
  41. WE USE THE MAGIC EMAIL ADDRESS...
  42. ..AND AWAY IT GOES!
