Weapons of max destruction v41
Hack in Paris conference: Weapons of mass destruction V41, Protecting country critical infrastructure, tracking and implications of Stuxnet, provides a detailed view of the ICS attack on the Iran nuclear fuel enrichment plant.

  • La Nuit du Hack Tracking and Implications of Stuxnet
  • Countries other than Iran are likely to be collateral damage

Weapons of max destruction v41 Presentation Transcript

  • Hack in Paris – 2012: Weapons of mass destruction v4, Jorge Sebastiao
  • Agenda
    • New World Order
    • Target Attack
    • Stuxnet
    • Flame
    • Implications
    • Q&A
  • New World
  • Siberia Pipeline 1982: CIA computer chip “The Logic Bomb”
  • Natanz: Peace and Prosperity Nuclear Fuel Reprocessing Plant
  • News
  • Persistent targeted attacks: stats worldwide by industry sector since 2008; 18172 targeted attacks during 2010
  • Target Attacks: Mass Attack vs. Targeted Attack, by phase
    • Incursion
      • Mass attack: generic social engineering; by-chance infection
      • Targeted attack: handcrafted & personalized delivery method
    • Discovery
      • Mass attack: typically no discovery; assumes pre-defined content; predictable location
      • Targeted attack: examination of the infected resource; monitoring of the user; determine accessible resources, & network enumeration
    • Capture
      • Mass attack: pre-defined specific data; matches a pre-defined pattern (i.e., credit card number)
      • Targeted attack: manual analysis & inspection of the data
    • Exfiltration
      • Mass attack: information sent to a dump site with little protection; dump site is long term storage
      • Targeted attack: information sent back to the attacker; not stored in location for extended time period
  • What?
    1. Windows computer worm discovered in July 2010
    2. 100k+ lines of code (complex)
    3. 5 different exploits (4 MS vulnerabilities)
       1. LNK File Bug – Initial auto exploitation via removable drive
       2. Task Scheduler – Privilege Escalation VISTA+
       3. Keyboard Layout – Privilege Escalation XP
       4. Spooler / MOF Files – Spreading/Lateral Movement
       5. SMB Vuln (MS08-067) – Spreading/Lateral Movement
    4. Rootkit (hiding binaries)
  • Paradigm Shift: Consequences for the way we think…
  • Timeline
  • Focus on Siemens PLC
    • Targets SCADA networks
      • Siemens Simatic WinCC
    • Rootkit to hide itself
      • Classic Windows rootkit
      • PLC (Programmable Logic Controllers) code changes also hidden
    • Spreads via USB sticks & network shares
    • Creates botnet
      • Industrial espionage ready: steal code, documents, project designs
      • Injects & hides code in PLCs - modifies production processes
  • Overview
    • Target
      • Type: Nuclear Plant
      • Victim: Iran
      • Motivation: Destroy Centrifuges
    • Compromise
      • Social Engineering – Memory Stick
      • Vector: SCADA Systems
      • Vulnerability: Windows/Siemens
    • Response
      • Disclosure: Jun 2010
      • Iran Replaces 1000 Centrifuges
      • Win/Siemens Patches
  • Attack Flow
  • Propagation
  • Network Propagation
    • Peer-to-peer communication & updates
    • Infecting WinCC machines via hardcoded database server password
    • Network shares
    • MS10-061 Print Spooler Zero-Day Vulnerability
    • MS08-067 Windows Server Service Vulnerability
  • Testing - Metasploit
  • Attack & Anti-Forensics
    • Uses encryption / encoding to obfuscate data streams
    • Polymorphic
    • Zero day attacks
    • Rootkits to evade detection
    • In-memory execution without creating files
    • Remote Programmable
    • Disabling itself
    • Hiding Results/Effects
  • Siemens - SIMATIC PLCs
  • From Root Kit to PLC
  • Hides Feedback
  • Resonance - Damage Frequency
    • In PLC: forces motors to spin:
      • at 2 Hz
      • at 1064 Hz
    • Damages connected motors
  • Distribution
  • Infection Statistics
    • 29 September 2010, From Symantec: Infected Hosts
  • Top Countries
  • Siemens Infections [chart: Distribution of Infected Systems with Siemens Software]
  • Result: Attack Critical Infrastructure
  • Target?
    • Natanz enrichment
    • Bushehri Nuclear Plant
    • 60%+ Infections in Iran
    • No commercial gain
    • Self destruct date
    • Siemens PLC
    • Target Nuclear Program
    • Enrichment
    • Plant
  • Siemens Response (Source: WSJ, NY Times, eWeek)
  • SCADA Impact
  • STRATEGY
  • Flame
  • Flame
    • Espionage
    • Sabotage
    • Size/Modularity
    • Gaming Language
  • Risky Leaks
  • Olympic Games. Prologue: The worm was loose..
  • War and Cyberwar
    • Stuxnet
    • Duqu
    • Flame
    • …
  • Recruiting
  • Quote, Bruce Schneier: Stuxnet a “Mistake”
  • 18 Critical Infrastructure Sectors
  • Cross-Sector Interdependencies
    • Control systems security not sector specific
    • Connectivity crosses geographic boundaries
    • Sectors not operationally isolated
  • Cyberwar: Rules of Engagement
    • China-USA 1998
    • USA-Iran 200?
    • Cyberwar=war?
  • Failure on P>D+R
  • Think outside the box
  • Creative Weapons
  • Questions: Jorge.sebastiao@gmail.com