On October 23rd, 2014, we updated our
By continuing to use LinkedIn’s SlideShare service, you agree to the revised terms, so please take a few minutes to review them.
Paterva blah blah
Always wanted to do a talk on fun stuff
1. It’s a security con ?
2. UAVs, laser guided munitions
The fun stuff
3. EXCLUSIVE – hold the press !!
(South African) Facebook zero day !
INTELLIGENCE / INFO GATHERING
Why do you ‘hack’?
Control…leads to information
Controls are getting harder to break
In proper assessment, 80-90% of time is spent on
Intelligence gathering is also
A port scan
A Nessus scan…
..because we learn more about our target
YOU ARE PART OF THE STACK!
Threats are moving up the stack
Network -> OS -> Application - - -> Person
Understand the graph – volume and frequency
PEOPLE, SOCIAL ENGINEERING AND MALWARE
Everyone is talking malware….
Malware -> attacking the workstation
Server in a server room vs. workstation with a person behind it
For conventional malware traditional network mapping is
Focus in the past: find the server and perimeter (infrastructure
Thinking needs to be updated
Now – person / company profiling -> the new foot print
HACKERS VS. CRIMINALS
MAKING ZA STRONGER
Don’t hack ... but if you really have to:
Have good/right intentions -> !criminal
Never ever use what you found
Don’t give SAP a reason to go look for you...
Mail your findings so that they can learn/fix
..not from your work - duh...
Development is NOT easy, and they are not idiots!
Treat with respect – ‘jy is volgende vettie!’
Don’t disrupt / destroy / delete anything
(even if they gave you bad service)
‘Insider knowledge’ does not count...
You are just an ass
Don’t share outside of SA
Sanitize and share the knowledge/tech – locally
Don’t be a doos at international cons....
Slammer ‘secured’ more networks in a day than all the security consultants in a year
Change only happens at the point of extinction
Strongest piece of metal is at the breaking point
A chain is as strong as it’s weakest member
UAV == Unmanned aerial vehicle
Think back to your model airplane
Let’s put a camera in there !
Let’s put a BB gun in there !
Let’s put a Hellfire missile in there !!
Fixed wing / rotary
Electrical / Fuel powered
Used to be for recon, now also armed
60k feet / 18km++ (Zephyr)
100 feet (hand launched)
747 flies at around 32-40k feet
747 flies at around 900 km/h
Predator MQ1 – 217 km/h
Avenger, Global Hawk 750 km/h
Prop vs. jet
Up to 82 hours ... Typical 30h ish
idea 1980s, serious thought in 1990s
Driving force behind it CIA
Most known / successful = General Atomic
Predator - Series A
RQ / MQ
Reaper - Series B
Avenger - Series C
UAVS – COMMAND & CONTROL
Line of sight – C band (4 – 8 GHz)
Satellite – Ku band (11 – 15 GHz)
Can be routed over commercial sats. NBC - 1983
3 crew members
Flying - looking through a straw
2 x sensor guys
Difference in two scans :
Tire tracks, movement
communications dies it flies home
Self destruct ?
MATCHING WAR PORN TO GOOGLE EARTH
UAVS – PROBLEMS
Not a lot – it seems to kind of work well..
Ku band sucks in heavy weather
Pray for rain
Lag of up to two seconds
Like playing CS/CoD over a link made of wet towels and
No dog fights!
Thus– send in the UAVs once air dominance has
SO, WE’RE PRETTY MUCH ...
LET’S JUST HIDE
Optics, infra red, RADAR
Rapid change in environment?
The Chinese vs. American spy sat story
So...it becomes a game of defending against laser guided
HOW LASER GUIDED MUNITIONS WORK
Understand a little about light
Light storage system == FAIL
Seeker = the bomb/missile
Designator = guy / plane with the laser
‘Painting’ the target
Invisible laser == you won’t see it..
Bomb vs. missile
28km,60km (spice) radius
PAINTING THE TARGET
But - there could be multiple targets and multiple
Seeker needs to know where it should go
Thus – must be able to distinguish designators
This is done by pulsing the laser
You won’t see it’s pulsing ... either.
PIM – Pulse Interval Module
PRF – Pulse Repetition Frequency
PRF / PIM
Missiles are pre-programmed, or programmed on
PRF code is 3 digits.
Does this make sense?
Everyone should now be thinking...brute force
But just hang on..
BTW - HOW DOES IT GET TO THE
Open protocol – on the ‘net
MIL-STD-3014 - MiDEF == PDF for munitions
In flight coding was introduced in 2008
DUDE, ERRR...NO.. VERY UN-COOL, DON’T
PRESS THAT ...
AND THE OTHER SIDE OF THE EQUATION
See the light!
We can detect the designator’s laser light
We know we are being targeted (like in the
We can decode the PIM/PRF
We might know if we are a priority target – nice...
Page 45 -6b: “Lower code numbers and faster
pulse rates are appropriate for the most important
targets and the most difficult operating conditions.”
Laser warning sensor configured as a multi-sensor arrangement and interfaced
with a suitable smoke/aerosol screening system can be used effectively on platforms
like main battle tanks, AFV, etc., to provide platform protection from laser-guided
munitions. The development of this sensor is a totally indigenous effort,
both in design and implementation.
Can we determine the direction of the designator?
Know where the special ops guy is sitting / plane
Source or reflected light?
We might look at the divergence ??
Shape of the reflected light
Know how far away the special ops guy is / plane
Replay attack should work well...
You don’t even have to know what the designator says
Does it makes sense to have a 256 number code?
Why are PRF codes 393,424,515 and so on more popular?
Americans are always thinking big (1000 missiles at a time)
Bomb does not speak .. One way comms
So now it’s becoming interesting..
“WTF – DID IT JUST TURN THIS WAY?!”
.. replay the laser pulses ...
..and point it somewhere else...like..
...at the designator (see previous slides)
Will this work when the designator is a plane? NOT
“Page 46, Chapter 5 – Safety: c. Inversion. Caution
must be used when the laser-target line is over +30
degrees of the attack heading to ensure the LST or
LGB does not detect and guide on the laser
designator instead of the target‘s reflected laser
Guidance retrofitted to dumb bombs
TV (with RF link)
Inertial navigation system
Range up to 60km from drop, up to 12 control
Cheap – 21k USD compared to missiles at around
WHY DO YOU HAVE THESE SLIDES AT THE
CON ACTUALLY? AG, NO MAN REALLY...
Ona more serious note...
Same principles in attack (thinking) applies
It’s really just 1s and 0s
Don’t think it’s too complex!
If you ask the right questions, you can Google the
(Patents, specs, etc.)
Significantly complex tech is indistinguishable from
Development of UAVs in non US countries is a big
headache for the US...