
Cyber Security Lecture at Rah Rah 7


Cyber Security Lecture on Critical Infrastructures given at Rah Rah 7


  1. Contemporary threats to critical and mobile infrastructures. Are we soon deaf, blind and muted? ANSES Rah Rah 7, Singapore, January 2010. Filip Maertens, Avydian Cyber Defense. Cyber Defense Group
  2. Agenda
     ➤ About the speaker
     ➤ Critical Infrastructures: state of affairs
     ➤ Trending threats for critical infrastructures
     ➤ The imminent risk of our mobile networks
     ➤ What are we up against?
  3. About the speaker
     ➤ CEO and Founder, Avydian Cyber Defense Group
     ➤ President Cyber-Security at European Corporate Security Association
     ➤ Cybercrime investigator
     ➤ CISSP, CISM, CISA, CPO, CFE and CCSP ("certified common sense practitioner")
     ➤ MSc. Information Risk and BSc. Information Operations
     ➤ Guest professor on capita selecta on Cyber Warfare
     ➤ Cyber Security Auditor & Advisor for <this_is_where_you_go_bleep>
  4. Critical Infrastructures: state of affairs (no, not another stuxnet talk)
  5. Critical infrastructures: state of affairs
     ➤ Where do we find IT components and other modern technologies within critical infrastructures:
        ➤ Nuclear, oil and gas industry
        ➤ Air traffic and railways
        ➤ Power generation, transmission and metering
        ➤ Water management
        ➤ Satellites
  6. Critical infrastructures: state of affairs
     ➤ What do industrial systems do for you?
        ➤ Supply power to your home
        ➤ Provide drinkable water to your home
        ➤ Traffic lights
        ➤ Control commuter trains
        ➤ Regulate the air conditioning in the office
        ➤ Ensure you can make mobile and landline phone calls
        ➤ …
  7. Critical infrastructures: state of affairs
     ➤ But, let's not cry wolf:
        ➤ 2003 U.S. East Coast blackout
        ➤ 2008 Spanair crash
     ➤ Who benefits from FUD:
        ➤ IT Security: New Business = Profit (2016: 7 billion USD)
        ➤ Safety: Loss of Business = Loss
     ➤ Reliable incident reports are what we need!
  8. Critical infrastructures: state of affairs
  9. Critical infrastructures: state of affairs
     ➤ Basic SCADA architecture: [figure label: Blaster]
        ➤ Human Management Interface (HMI)
        ➤ Remote Terminal Unit (RTU)
        ➤ Programmable Logic Controller (PLC)
        ➤ Communication Infrastructure
     ➤ Typical SCADA protocols:
        ➤ Raw data protocols: Modbus, DNP3, …
        ➤ High level protocols: ICCP, OPC, …
  10. Critical infrastructures: state of affairs
     ➤ 0.01% of recorded incidents (that make you think):
        ➤ 2000, Russian hackers seized control of the gas pipeline network
        ➤ 2003, Ohio Davis-Besse nuclear plant safety monitoring system down for five hours
        ➤ 2007, Simple PING sweep activated robotic arm (huh? Simple PING?)
        ➤ 2010, Stuxnet incident
     ➤ Main scenario is where viruses degrade the system to make it useless:
        ➤ 2005, Windmill incident Belgium
  11. Critical infrastructures: state of affairs
     ➤ Some basic tests you can use against your system:
        ➤ nmap -sV -A
        ➤ ping -f -s >56200
        ➤ Traffic > 10 Mb/s
        ➤ SQL injection through the HMI
        ➤ Usage of simple passwords
        ➤ Using Sentient Hyper-Optimized Data Access Network (SHODAN) as search engine
     ➤ As of 2008, Metasploit Framework has SCADA testing modules built-in
  12. Critical infrastructures: state of affairs
     ➤ Some of the common SCADA challenges we experience:
        ➤ Security patching (problem in IT, nightmare in SCADA)?
        ➤ Authentication of machines? Logging?
        ➤ Encryption?
        ➤ Authorization for transactions / commands? Remote login?
        ➤ Code review and secure development?
        ➤ Protocol-specific firewalls?
     ➤ Many challenges!
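Slides 9 and 12 name Modbus as a clear-text raw-data protocol and ask for command authorization and protocol-specific firewalls. As an added example (not code from the talk or from any product it mentions), the Python below parses Modbus/TCP frames and enforces a per-host, per-unit function-code allowlist, dropping malformed frames and write commands from hosts that should only read; the host addresses, unit ids, policy table and sample frames are constructed assumptions.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (coils / registers).
WRITE_CODES = {5, 6, 15, 16}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

# Hypothetical policy (constructed): function codes each host may send to which unit ids; unknown hosts are denied.
POLICY = {
    "10.0.1.10": {"units": {1, 2}, "functions": {1, 2, 3, 4, 5, 6, 15, 16}},  # HMI
    "10.0.1.20": {"units": {1, 2}, "functions": {3, 4}},                      # historian
}

def filter_frame(src_ip: str, frame: bytes, policy=POLICY) -> tuple:
    """Protocol-aware firewall decision: ('ALLOW' | 'DROP', reason) for one request."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return ("DROP", f"malformed: {exc}")
    rule = policy.get(src_ip)
    if rule is None:
        return ("DROP", f"{src_ip} not in allowlist")
    if req.unit_id not in rule["units"]:
        return ("DROP", f"unit {req.unit_id} not permitted for {src_ip}")
    if req.function_code not in rule["functions"]:
        kind = "write" if req.function_code in WRITE_CODES else "function"
        return ("DROP", f"{kind} code {req.function_code} not permitted for {src_ip}")
    return ("ALLOW", f"fc {req.function_code} to unit {req.unit_id}")

# Constructed sample traffic (not captured from any real plant).
SAMPLES = [
    ("10.0.1.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # HMI reads 10 holding registers
    ("10.0.1.20", bytes.fromhex("0002 0000 0006 01 06 0010 00ff")),  # historian attempts a write
    ("10.0.1.99", bytes.fromhex("0003 0000 0006 01 01 0000 0008")),  # unknown host reads coils
    ("10.0.1.10", bytes.fromhex("0004 0000 0009 01 06 0010 00ff")),  # MBAP length lies about size
]
```

Calling `filter_frame(ip, frame)` over `SAMPLES` allows only the first frame; the other three are dropped for a forbidden write, an unlisted host and a length mismatch respectively.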
  13. Critical infrastructures: state of affairs
     ➤ It's an emerging trend, so we are scared and we have poor risk management abilities.
     ➤ Estimate the risk:
        ➤ Q: How many people killed by sharks in U.S.? A: 40
        ➤ Q: How many people killed by pigs in U.S.? A: 23.589
     ➤ Estimate the impact (today) of:
        ➤ Q: Terrorists?
        ➤ Q: Cyber-terrorists?
  14. "There is no cause for panic nor cause to ignore the issue." We should be concerned. And so we are. That's good.
  15. Trending threats for critical infrastructures
  16. Before: proprietary, isolated, obscure and robust. Trend: documented, standardized, connected and open.
  17. Trending threats for critical infrastructures
     ➤ Industry standards take security into consideration:
        ➤ BS7799-ISO27000 Information sec. management systems – Specification with guidance for use
        ➤ NISTIR 7628 Guidelines for Smart Grid Cyber Security v1.0
        ➤ ANSI/ISA S.99.1 Security for Manufacturing and Control Systems
        ➤ ANSI/ISA SP99 TR2 Integrating Electronic Sec. into Manufacturing and Control Systems Env.
        ➤ ISO/IEC 15408 Common Criteria
        ➤ CIDX Chemical Industry Data Exchange - Vulnerability Assessment Methodology (VAM) Guidance
        ➤ ISPE/GAMP4 Good Automated Manufacturing Practices
        ➤ NIST System Protection Profile for Industrial Control Systems (SPP-ICS)
        ➤ PCSF Process Control System Forum; NERC standards; AGA standards; NISCC Guidelines
  18. Trending threats for critical infrastructures
     ➤ Root causes for SCADA vulnerabilities today (and tomorrow):
        ➤ ISO 27000 vs. ISA-99.00.01 have contradicting priorities; SCADA wants AIC, while INFOSEC wants CIA
        ➤ The human communication conflict: INFOSEC and SCADA people just don't understand each other!
     ➤ The human element remains a largely ignored weakness:
        ➤ You get bored at night, right?
        ➤ You want to browse the Internet on your shift, right?
        ➤ You want to logon from your home to the HMI, right?
  19. Trending threats for critical infrastructures
     ➤ Bad Trends Top 5: Things that probably will stay around for a while
        ➤ Office Automation and Industrial Networks become connected
        ➤ Cyber Security remains an afterthought during design of solutions
        ➤ Protocols are in clear-text (speed reasons)
        ➤ Inadequately developed firewalls that natively speak SCADA protocols
        ➤ Insecure coding practices
     ➤ Old protocols, old systems:
        ➤ Basic hacking techniques most likely will work
  20. Trending threats for critical infrastructures
     ➤ Focus on Top 3 Critical Infrastructures: Oil and Gas; Smart Grid; Telecommunication
  21. Trending threats for critical infrastructures
     ➤ Ongoing developments: Smart Grids / Smart Metering
        ➤ Metering and control of intelligent electricity delivery to the household
        ➤ Privacy by Design: Achieving the Gold Standard in Data Protection for the Smart Grid as a guideline on best practices (actually, pretty good)
     ➤ High priority on security: U.S. National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism, has stated that a cyber attack aimed at energy infrastructure "could disable trains all over the country and it could blow up pipelines. It could cause blackouts and damage electrical power grids… It could wipe out and confuse financial records… It could do things like disrupt traffic in urban areas by knocking out control computers. It could… wipe out medical records."
  22. Trending threats for critical infrastructures
     [figure: four boxes] Replace existing SCADA systems with new solutions; New SCADA-based solutions are deployed in society; Controlled Industrial Environment; Improvement of SCADA security controls
  23. The imminent threat of our mobile networks
  24. "If you have the ability to deliver a reasonably strong radio signal, then those around you are compromised. Any information that goes across a cell phone you can now intercept. Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers."
  25. The imminent threat of our mobile networks
     ➤ Security by obscurity:
        ➤ GSM is one of the oldest protocols (and most insecure; it's like telnet)
        ➤ Extremely little scrutiny on 3G/GSM protocols
        ➤ Only 4 closed-source GSM stacks produced
        ➤ GSM chipset makers never release any hardware documentation
        ➤ Access to firmware source (3.5G baseband codes) are only… some lucky few
        ➤ Prices for BTS's, etc. are very steep
     ➤ Open source research is on its way (and advancing rapidly)!
  26. The imminent threat of our mobile networks
     ➤ GSMA is not too worried, though: "… intercept approach has underestimated its practical complexity. A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data." GSMA, Aug 2009
        ✓ Underestimated complexity: Ability to decrypt A5 family in (near) real time (2009)
        ✓ Underestimated complexity: IMSI catching, bypass A3/A8, … (2010)
        ✓ Radio receiver system: USRP / USRP2 + GNUradio + OpenBTS (you know, the software)
  27. The imminent threat of our mobile networks
     ➤ Become your own operator: [figure labels: Trixie; R/TFX900, Priceless, 175 USD; USRP, 800 USD; 52 Mhz, 37 USD]
        ➤ Universal Software Radio Peripheral
        ➤ GNUradio Project
        ➤ OpenBTS / OpenBSC / SMSqueue
        ➤ OsmocomBB
        ➤ Asterisk
     ➤ Under 1.500 USD you cover up to 300 m of GSM signal (indoor) + 2 channels (850/900/1800/1900).
  28. The imminent threat of our mobile networks
     ➤ Or become your own DIY mobile intelligence unit:
        ➤ 4 x USRP2 (Xilinx Spartan FPGAs)
        ➤ 4 x quad core i7 CPUs
        ➤ 2 x nvidia Tesla CUDA C2070 cores
        ➤ Power generator + antennas
        ➤ 4 TB storage
     ➤ Costs about 20.000 USD. Cheap eh?
  29. The imminent threat of our mobile networks
     ➤ The mobile network threat vectors:
        Confidentiality        Availability        Integrity
        Active Intercept       Power Jamming       Inserting audio streams
        Passive Intercept      Call Blackholing    Fuzzing GSM handsets
        IMSI Catching
        Location Monitoring
  30. "Cell phones behave like ducks" (you may quote me on this)
  31. The imminent threat of our mobile networks (confidentiality)
     If it looks like a duck, walks like a duck, talks like a duck = it's a duck!
     [figure labels: "? MCC=525, MNC=010"; "Handset registers to who?"; "This is where you do 'Hello'"]
  32. The imminent threat of our mobile networks (confidentiality)
     ➤ Listening in on phone calls + SMS ("unlawful intercept"):
        ➤ Using the Berlin A5 Codebooks (2.3 TB)
        ➤ Decode A5.1 within seconds / minutes
     ➤ Active intercept:
        ➤ Active downgrade of A5.1/.2/.3 to A5.0
        ➤ OpenBTS + Asterisk
        ➤ Basically, man-in-the-middle attack on GSM
     ➤ Passive intercept:
        ➤ Time-Memory Tradeoff Attack
        ➤ OpenBTS + Airprobe
        ➤ Decryption required
  33. The imminent threat of our mobile networks (confidentiality)
     ➤ How handsets get connected to a rogue base station so an attacker can intercept:
        ➤ Receive gain override ("so, you are a 100db tower?") (used for IMSI catchers by R&S)
        ➤ Changing LAC (Location Area Code) to entice handsets to handoff to new (your) BTS
        ➤ Short jam burst, so handsets are forced to execute handset power-up process
        ➤ Continuous jam 3G bands, so fail-over to GSM
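Slides 31 to 33 describe how a handset accepts any cell announcing the right MCC/MNC, how a changed LAC with a strong signal draws it over, and how encryption is downgraded to A5/0. As an added example from the monitoring side (not the speaker's code), this Python checks a sequence of serving-cell observations for exactly those indicators; the baseline of known cells, the 25 dB threshold and the observation log are constructed assumptions (MCC 525 / MNC 010 are taken from slide 31).

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class CellObservation:
    t: int           # seconds since start of the monitoring session
    mcc: int         # mobile country code
    mnc: int         # mobile network code
    lac: int         # location area code
    cell_id: int
    rxlev_dbm: int   # received signal level of the serving cell
    cipher: str      # algorithm the network selected: "A5/1", "A5/3" or "A5/0" (none)

# Hypothetical baseline (constructed): cells the legitimate operator is known to use here.
KNOWN_CELLS: Dict[Tuple[int, int], Set[Tuple[int, int]]] = {
    (525, 10): {(1010, 40001), (1010, 40002), (1011, 40010)},
}

Alert = Tuple[int, str, str]

def analyse(observations: List[CellObservation], known=KNOWN_CELLS, rx_jump_db: int = 25) -> List[Alert]:
    """Flag the traces a rogue BTS leaves behind: a cell outside the baseline, a cipher
    downgrade to A5/0, and a location-area change that arrives with an implausible signal jump."""
    alerts: List[Alert] = []
    prev = None
    for obs in observations:
        cell = (obs.lac, obs.cell_id)
        moved = prev is None or (prev.lac, prev.cell_id) != cell
        if moved and cell not in known.get((obs.mcc, obs.mnc), set()):
            alerts.append((obs.t, "UNKNOWN_CELL",
                           f"LAC {obs.lac} / CID {obs.cell_id} not in baseline for MCC {obs.mcc} MNC {obs.mnc:03d}"))
        if prev is not None:
            if prev.cipher != "A5/0" and obs.cipher == "A5/0":
                alerts.append((obs.t, "CIPHER_DOWNGRADE", f"{prev.cipher} -> A5/0 (no encryption)"))
            if obs.lac != prev.lac and obs.rxlev_dbm - prev.rxlev_dbm >= rx_jump_db:
                alerts.append((obs.t, "LAC_CHANGE_STRONG_SIGNAL",
                               f"LAC {prev.lac} -> {obs.lac} with {obs.rxlev_dbm - prev.rxlev_dbm} dB gain"))
        prev = obs
    return alerts

# Constructed observation log (not a real capture): a normal handover, then a suspect cell.
SAMPLE_LOG = [
    CellObservation(0,  525, 10, 1010, 40001, -75, "A5/1"),
    CellObservation(30, 525, 10, 1010, 40002, -78, "A5/1"),   # ordinary neighbour handover
    CellObservation(60, 525, 10, 1999, 50001, -45, "A5/0"),   # unknown LAC, +33 dB, cipher off
    CellObservation(90, 525, 10, 1999, 50001, -46, "A5/0"),   # still camped on the same cell
]

if __name__ == "__main__":
    for t, kind, detail in analyse(SAMPLE_LOG):
        print(f"t={t:3d}s {kind}: {detail}")
```

The three alerts all fire at t=60; the later observation on the same cell raises nothing new, so a real monitor would only have to escalate once per suspect cell.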
  34. The imminent threat of our mobile networks (confidentiality)
     ➤ Remote and local tracking of users, using a blend of RRLP, GPS, GSM, SMS, mobile applications and Google technologies:
        ➤ Google GSM Geolocation API (not Latitude)
        ➤ Cell-locations stored on local smartphones
        ➤ Using applications to covertly send out logs
  35. The imminent threat of our mobile networks (availability)
     ➤ By accident. Jammed my neighborhood in a 800m radius using GNUradio, 2W and a noise generator => Impossible to defend!
     ➤ Purposeful:
        ➤ Camping GSM signals and sink-holing them
        ➤ Noise generators in the GSM spectrum
        ➤ Frequency division duplexing flooding
        ➤ Sending IMSI DETACH messages
        ➤ Channel Request Flooding of the RACH
  36. The imminent threat of our mobile networks (availability)
     ➤ Channel Request Flooding of the Random Access Channel (RACH) burst:
        ➤ Anonymous attack
        ➤ Successfully executed under a few seconds
        ➤ Cell-phone registers (Channel Request); when the channel is not established (time-out), the channel is released by the BSC
        ➤ Only affects one BTS at a time
  37. The imminent threat of our mobile networks (availability) [figure: DoS]
  38. The imminent threat of our mobile networks (availability)
     ➤ Isolated noise output test: 892 mode test
     ➤ Results:
        ➤ Upset neighbors, but peace of mind
        ➤ Completely knocked out the 850/900 GSM signal in 800 meter radius, using a short (45sec) burst
     ➤ Test (but I'm not doing it):
        ➤ 100 W amplifier (450 USD) (1.500 W HAM limit!!)
        ➤ Will knock out GSM/3G/CDMA over large section of Singapore
  39. The imminent threat of our mobile networks (integrity)
     ➤ Manipulating voice conversations
     ➤ Active interception required, as we do not modify GSM signal, but ulaw data packets:
        ➤ Should be easy to manipulate (given IMSI spoofing)
     ➤ No practical usage, unless you really want to annoy people :-)
     ➤ … manipulating SMS messages however, is a threat (OTP over SMS, anyone?).
  40. The imminent threat of our mobile networks (integrity) [figure: Free McDonalds!]
  41. The imminent threat of our mobile networks (integrity)
     ➤ Fuzzing target:
        ➤ GSM stack in baseband processor
        ➤ GSM function libraries in operating system
     ➤ Fuzzing results after one month (using scapy):
        ➤ iPhone IOS 4.2, already 2 crashes
        ➤ Windows Mobile 7, already 5 crashes
        ➤ Android 2.2, already 3 crashes
     ➤ Not sure if they are exploitable yet.
  42. What are we up against?
  43. What are we up against?
     ➤ Vital and critical infrastructures keep humans safe, alive and comfortable, but:
        ➤ Closed source protocols are being leveraged over vulnerable transportation media and protocols (think TCP/IP, RPC, …)
        ➤ Full disclosure research increasingly brings exploits and vulnerabilities in the open
        ➤ It is 100% target of terrorist attacks and asymmetric warfare tactics
        ➤ A lot of Fear, Uncertainty and Doubt (FUD)
  44. What are we up against?
     ➤ Mobile telecommunications and wireless technologies are connecting everyone and everything, yet they are mostly based on insecure protocols:
        ➤ SCADA systems using GSM for large plant coverage
        ➤ SCADA systems using Bluetooth (e.g. smart meters)
        ➤ SCADA systems using Wi-Fi / ZigBee protocols
     ➤ Our day-to-day lives and safety inherently depend on IT systems and networks (*gulp*)
  45. What are we up against?
     ➤ Hackers will continue to attack embedded and industrial systems ("stuxnet is only the beginning").
     ➤ Within five years, a large scale electronic attack will disrupt a modern society to its inner fabric.
     ➤ Security industry will need to rapidly embrace industrial standards and collaborate on establishing secure and robust protocols.
  46. "Unless cyber security controls can guarantee our safety, it is irresponsible to merge industrial protocols with vulnerable IT technologies (law of weakest link)" (you may quote me on this one too)
  47. If not, one day we will wake up and find ourselves: deafened, blinded and muted.
  48. Contemporary threats to critical and mobile infrastructures. Are we soon deaf, blind and muted? ANSES Rah Rah 7, Singapore, January 2010. Thank You.