Weapons of max destruction v41

Hack in Paris conference talk, "Weapons of mass destruction v41: Protecting country critical infrastructure, tracking and implications of Stuxnet", gives a detailed view of the ICS attack on the Iranian nuclear fuel enrichment plant.

  • Slide note: Countries other than Iran are likely to be collateral damage. (La Nuit du Hack, Tracking and Implications of Stuxnet)

    1. Hack in Paris – 2012. Weapons of mass destruction v4. Jorge Sebastiao
    2. Agenda: New World Order; Target Attack; Stuxnet; Flame; Implications; Q&A
    3. New World
    4. Siberia Pipeline 1982: CIA computer chip, “The Logic Bomb”
    5. Natanz, Peace and Prosperity: Nuclear Fuel Reprocessing Plant
    6. News
    7. Persistent Targeted Attacks: stats by worldwide industry sector since 2008; 18,172 targeted attacks during 2010
    8. Target Attacks (mass attack vs. targeted attack, by phase)
       Incursion – mass: generic social engineering, by-chance infection method; targeted: handcrafted & personalized delivery
       Discovery – mass: typically no discovery, assumes pre-defined content, predictable location; targeted: examination of the infected resource, monitoring of the user, determining accessible resources & network enumeration
       Capture – mass: pre-defined specific data, matches a pre-defined pattern (e.g. credit card number); targeted: manual analysis & inspection of the data
       Exfiltration – mass: information sent to a dump site with little protection, dump site is long-term storage; targeted: information sent back to the attacker, not stored in one location for an extended time period
    9. What?
       1. Windows computer worm discovered in July 2010
       2. 100k+ lines of code (complex)
       3. 5 different exploits (4 MS vulnerabilities): LNK file bug – initial auto-exploitation via removable drive; Task Scheduler – privilege escalation, Vista+; Keyboard Layout – privilege escalation, XP; Spooler / MOF files – spreading/lateral movement; SMB vulnerability (MS08-067) – spreading/lateral movement
       4. Rootkit (hiding binaries)
    10. Paradigm Shift: consequences for the way we think…
    11. Timeline
    12. Focus on Siemens PLC: targets SCADA networks (Siemens Simatic WinCC); rootkit to hide itself (classic Windows rootkit; PLC (Programmable Logic Controller) code changes also hidden); spreads via USB sticks & network shares; creates a botnet; industrial-espionage ready: steal code, documents, project designs; injects & hides code in PLCs, modifying production processes
    13. Overview
       Target – type: nuclear plant; victim: Iran; motivation: destroy centrifuges
       Compromise – social engineering: memory stick; vector: SCADA systems; vulnerability: Windows/Siemens
       Response – disclosure: Jun 2010; Iran replaces 1000 centrifuges; Windows/Siemens patches
    14. Attack Flow
    15. Propagation
    16. Network Propagation: peer-to-peer communication & updates; infecting WinCC machines via hardcoded database server password; network shares; MS10-061 Print Spooler zero-day vulnerability; MS08-067 Windows Server Service vulnerability
    17. Testing – Metasploit
    18. Attack & Anti-Forensics: uses encryption/encoding to obfuscate data streams; polymorphic; zero-day attacks; rootkits to evade detection; in-memory execution without creating files; remotely programmable; disabling itself; hiding results/effects
    19. Siemens – SIMATIC PLCs
    20. From Rootkit to PLC
    21. Hides Feedback
    22. Resonance – Damage Frequency: in the PLC, forces motors to spin at 2 Hz and at 1064 Hz; damages connected motors
    23. Distribution
    24. Infection Statistics: infected hosts as of 29 September 2010, from Symantec
    25. Top Countries
    26. Siemens Infections: Distribution of Infected Systems with Siemens Software (bar chart by country; values shown 67.60, 12.15, 8.10, 4.98, 2.18, 2.18, 1.56, 1.25 percent; country labels not recoverable from the extracted text)
    27. Result: Attack Critical Infrastructure
    28. Target? Natanz enrichment; Bushehr nuclear plant; 60%+ infections in Iran; no commercial gain; self-destruct date; Siemens PLC; target: nuclear program, enrichment plant
    29. Siemens Response (source: WSJ, NY Times, eWeek)
    30. SCADA Impact
    31. Strategy
    32. Flame
    33. Flame: espionage; sabotage; size/modularity; gaming language
    34. Risky Leaks
    35. Olympic Games – Prologue: The worm was loose...
    36. War and Cyberwar: Stuxnet; Duqu; Flame; …
    37. Recruiting
    38. Quote – Bruce Schneier: Stuxnet a “Mistake”
    39. 18 Critical Infrastructure Sectors
    40. Cross-Sector Interdependencies: control systems security is not sector specific; connectivity crosses geographic boundaries; sectors are not operationally isolated
    41. Cyberwar: Rules of Engagement – China-USA 1998; USA-Iran 200?; Cyberwar = war?
    42. Failure on P > D + R
    43. Think outside the box
    44. Creative Weapons
    45. Questions: Jorge.sebastiao@gmail.com
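Slides 21 and 22 describe the two halves of the physical attack: the PLC drives the motors at damaging frequencies (2 Hz and 1064 Hz) while hiding the real feedback from the operators. The defensive counterpart is to verify the controller's story against an independent measurement. The following is an added example, not code from the talk; the safe band, tolerance and trace values are constructed assumptions.

```python
"""Added example (not from the talk): cross-check PLC-reported centrifuge drive
frequency against an independent, out-of-band sensor, so a controller that
reports normal feedback while driving the motor elsewhere is still detected.
The safe band, tolerance and trace are assumed/constructed, not from the slides."""
from __future__ import annotations
from dataclasses import dataclass

SAFE_BAND_HZ = (950.0, 1050.0)  # assumed normal operating band of the drive
TOLERANCE_HZ = 10.0             # assumed largest acceptable PLC-vs-sensor gap


@dataclass(frozen=True)
class Sample:
    t: int                  # seconds since the start of the trace (constructed)
    plc_reported_hz: float  # what the PLC / HMI claims the drive is doing
    sensor_hz: float        # independent measurement the PLC cannot rewrite


def check_sample(s: Sample) -> list[str]:
    """Return the findings for one sample; an empty list means nothing is wrong."""
    findings = []
    lo, hi = SAFE_BAND_HZ
    # Finding 1: the trusted sensor shows the drive outside its safe band.
    if not lo <= s.sensor_hz <= hi:
        findings.append(f"t={s.t}: sensor {s.sensor_hz:.0f} Hz outside safe band {lo:.0f}-{hi:.0f}")
    # Finding 2: the PLC's reported value disagrees with reality, i.e. feedback is being hidden.
    if abs(s.plc_reported_hz - s.sensor_hz) > TOLERANCE_HZ:
        findings.append(f"t={s.t}: PLC reports {s.plc_reported_hz:.0f} Hz but sensor reads {s.sensor_hz:.0f} Hz")
    return findings


def check_trace(samples: list[Sample]) -> list[str]:
    """Run check_sample over a whole trace and collect every finding in order."""
    out: list[str] = []
    for s in samples:
        out.extend(check_sample(s))
    return out


# Constructed trace: normal operation, then the 1064 Hz and 2 Hz excursions from
# slide 22 while the PLC keeps reporting a normal value (slide 21, "hides feedback").
TRACE = [
    Sample(0, 1000.0, 1002.0),
    Sample(60, 1000.0, 999.0),
    Sample(120, 1000.0, 1064.0),
    Sample(180, 1000.0, 2.0),
]

if __name__ == "__main__":
    for line in check_trace(TRACE):
        print(line)
```

The check fires on the divergence even when the PLC's reported value looks healthy, which is exactly the case a monitor that trusts only PLC telemetry would miss.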
