Stuxnet dc9723
•Download as PPT, PDF•
1 like•7,823 views
The document summarizes a presentation given by Tomer Teller about the Stuxnet malware. It describes how Stuxnet infected industrial control systems by exploiting Windows vulnerabilities, spreading on removable drives, and ultimately reprogramming PLCs to sabotage Iran's nuclear program. Key infection techniques discussed include exploiting LNK and Print Spooler vulnerabilities, using autorun.inf files and rootkit techniques to propagate, and replacing DLL files to monitor and inject commands to PLCs.
Report
Share
Report
Share
![[object Object],[object Object],[object Object],[object Object],Who Am I ?](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
Mission Critical Security in a Post-Stuxnet World Part 2
This 2-part presentation, "Mission Critical Security in a Post-Stuxnet World," contains slides from the Hirschmann 2011 Mission Critical Network Design Seminar. It summarizes a lot of information about the Stuxnet malware and discusses what it means for the future of SCADA and ICS security.
The presentation is ideal for anyone needing a crash course on Stuxnet, or as a tool for informing management about the implications of it.
A Stuxnet for Mainframes
You say SCADA, I say … mainframes. There are some remarkable - and scary - parallels between the worlds of SCADA ICS and mainframes. Each system is critical to our lives. Their worlds are insular, proprietary, and seemingly shut-off to everyone else. Except for when they aren’t. Extrapolate the future of security for mainframes based on the challenges and failures of SCADA ICS as it has evolved from sequestered to connected. SCADA serves as a cautionary tale for securing mainframes against acts of God, nature and man in this scenario of a Stuxnet for Mainframes.
Stuxnet - Case Study
Stuxnet is a sophisticated malware that targeted Siemens supervisory control and data acquisition (SCADA) systems. It used multiple zero-day exploits to spread via USB devices and network shares to infect SCADA systems indirectly connected to the internet. Stuxnet installed rootkits to hide its files and injected itself into processes to remain undetected while sabotaging its targets. It was the first malware known to target and damage physical infrastructure.
Mission Critical Security in a Post-Stuxnet World Part 1
This 2-part presentation, "Mission Critical Security in a Post-Stuxnet World," contains slides from the Hirschmann 2011 Mission Critical Network Design Seminar. It summarizes a lot of information about the Stuxnet malware and discusses what it means for the future of SCADA and ICS security.
The presentation is ideal for anyone needing a crash course on Stuxnet, or as a tool for informing management about the implications of it.
I Heart Stuxnet
This document summarizes the Stuxnet computer worm, which targeted industrial control systems. It provides a timeline of Stuxnet from 2008-2010, describes its infection mechanisms using zero-day exploits and stolen digital certificates. It explains how Stuxnet intercepted communications between Siemens Step 7 software and PLC controllers to reprogram industrial systems without detection. While the origins of Stuxnet are unknown, speculation points to the US, Israel, or other nation states as the likely creator in order to sabotage Iran's nuclear program.
Building HMI with VB Tutorial [1998]
"Building HMI with Visual Basic Technologies - 1998". Though they are old slides but still worth having a look especially for those who are new to HMI and SCADA technologies.
Stuxnet mass weopan of cyber attack
Stuxnet is a computer worm that targets industrial control systems and was the first discovered malware that spies on and subverts industrial systems. It uses zero-day exploits to spread via USB drives to programmable logic controllers, sabotaging operations by overriding input/output functions without the operator's knowledge. The sophisticated worm was likely developed with stolen technical specifications and digital certificates to infiltrate targeted Iranian nuclear facilities.
Recommended
Mission Critical Security in a Post-Stuxnet World Part 2
This 2-part presentation, "Mission Critical Security in a Post-Stuxnet World," contains slides from the Hirschmann 2011 Mission Critical Network Design Seminar. It summarizes a lot of information about the Stuxnet malware and discusses what it means for the future of SCADA and ICS security.
The presentation is ideal for anyone needing a crash course on Stuxnet, or as a tool for informing management about the implications of it.
A Stuxnet for Mainframes
You say SCADA, I say … mainframes. There are some remarkable - and scary - parallels between the worlds of SCADA ICS and mainframes. Each system is critical to our lives. Their worlds are insular, proprietary, and seemingly shut-off to everyone else. Except for when they aren’t. Extrapolate the future of security for mainframes based on the challenges and failures of SCADA ICS as it has evolved from sequestered to connected. SCADA serves as a cautionary tale for securing mainframes against acts of God, nature and man in this scenario of a Stuxnet for Mainframes.
Stuxnet - Case Study
Stuxnet is a sophisticated malware that targeted Siemens supervisory control and data acquisition (SCADA) systems. It used multiple zero-day exploits to spread via USB devices and network shares to infect SCADA systems indirectly connected to the internet. Stuxnet installed rootkits to hide its files and injected itself into processes to remain undetected while sabotaging its targets. It was the first malware known to target and damage physical infrastructure.
Mission Critical Security in a Post-Stuxnet World Part 1
This 2-part presentation, "Mission Critical Security in a Post-Stuxnet World," contains slides from the Hirschmann 2011 Mission Critical Network Design Seminar. It summarizes a lot of information about the Stuxnet malware and discusses what it means for the future of SCADA and ICS security.
The presentation is ideal for anyone needing a crash course on Stuxnet, or as a tool for informing management about the implications of it.
I Heart Stuxnet
This document summarizes the Stuxnet computer worm, which targeted industrial control systems. It provides a timeline of Stuxnet from 2008-2010, describes its infection mechanisms using zero-day exploits and stolen digital certificates. It explains how Stuxnet intercepted communications between Siemens Step 7 software and PLC controllers to reprogram industrial systems without detection. While the origins of Stuxnet are unknown, speculation points to the US, Israel, or other nation states as the likely creator in order to sabotage Iran's nuclear program.
Building HMI with VB Tutorial [1998]
"Building HMI with Visual Basic Technologies - 1998". Though they are old slides but still worth having a look especially for those who are new to HMI and SCADA technologies.
Stuxnet mass weopan of cyber attack
Stuxnet is a computer worm that targets industrial control systems and was the first discovered malware that spies on and subverts industrial systems. It uses zero-day exploits to spread via USB drives to programmable logic controllers, sabotaging operations by overriding input/output functions without the operator's knowledge. The sophisticated worm was likely developed with stolen technical specifications and digital certificates to infiltrate targeted Iranian nuclear facilities.
Stuxnet - More then a virus.
This presentation is for my article on Stuxnet.
For my article visit : http://www.slideshare.net/hardeep4u/stuxnet
Stuxnet worm
The Stuxnet worm was designed to target Siemens industrial control systems used in Iran's uranium enrichment centrifuges. It spread to these systems through infected USB drives and exploited multiple Windows vulnerabilities. It then took control of centrifuges and varied their speeds, damaging around 1,000 centrifuges and slowing Iran's nuclear program. While not intended to spread beyond Iran, it ended up infecting systems in other countries as well through file transfers.
Stuxnet flame
Stuxnet, Duqu, and Flame are sophisticated cyber weapons discovered between 2010-2012 that targeted industrial systems and stole information. Kaspersky Lab analysis found that a module from the early 2009 version of Stuxnet, known as "Resource 207", was actually a Flame plugin, indicating Flame existed prior to Stuxnet. This module was used by both Stuxnet and Flame to spread via USB drives using identical code. Stuxnet and Flame are believed to have been used by the U.S. to wage cyber warfare against Iran.
Stuxnet
Stuxnet is a computer virus that targets industrial control systems. It spreads through infected USB drives and networks, then infects PLCs (Programmable Logic Controllers) that are configured for specific industrial processes. Once infected, Stuxnet alters the PLC code to change the industrial process without the operator's knowledge through a "man in the middle" attack when programming software updates the PLC. The presentation demonstrates how Stuxnet infects a PLC and alters its code to change an industrial process.
The World's First Cyber Weapon - Stuxnet
Understand the world’s first cyber weapon – Stuxnet in 10 minutes.
* Discovery Of the First Cyber Weapon
* High Level Architecture Overview Of The Target
* How Does Stuxnet Sabotage A Uranium Enrichment Plant – Cyber-physical Attack
* Summary
* References
Stuxnet
Stuxnet is a computer worm discovered in 2010 that targets industrial software and equipment. It is believed to have been designed to damage Iran's nuclear facilities. Stuxnet spreads through infected USB drives and seeks out specific models of programmable logic controllers used to automate industrial processes. It communicates with command and control servers to carry out its infection routine and propagate further through networks. Mitigation techniques for Stuxnet and other threats to industrial control systems include security information and event management systems, intrusion monitoring, and passive vulnerability scanning of control system networks.
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
Stuxnet is analyzed in detail, including its architecture, functionality, and propagation methods. It is described as a highly advanced persistent threat that targeted Iran's nuclear facilities. The document outlines how Stuxnet used zero-day exploits and a digital certificate to inject code into industrial control systems and spread via removable drives and network shares. Stuxnet's command and control infrastructure and ability to infect project files for industrial software are also summarized.
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
Matt Oh, Microsoft
We are seeing new technique used everyday by malware. But, it is very hard to find any impressive techniques used in the wild. Recently there was huge buzz about Detrahere malware which used internally known issues with certificate signing in Windows 10 kernel driver. Even though the certificate check bypass technique itself is very interesting, also I found that the tactics used by the malware is more impressive. Even though the malware is mainly focused on Ad-hijacking functionality through Netfilter driver installation, but it also has rootkit ability through file system driver hooking. This feels like old days coming back with various new arsenals. The rootkit detects kernel debugging settings and will destroy the system when it finds one. The unpacking process can be very challenging job, too as it uses kernel driver image hollowing technique (something similar to process hollowing) to deobfuscate itself and run unpacked code. Our patchguard doesn't seem like triggering on this action, because all the sections are pre-allocated with execute permission already.
Through this talk, I want to present various techniques used by this malware focusing on the kernel level obfuscation and anti-analysis tactics. This will give us new insights on how new Windows rootkit malware might look like in the future and how detecting them from security systems and detonation systems can be a challenge.
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
This document discusses how abusing CPU hot-add weaknesses could allow escalating privileges in server datacenters. It describes how CPU hot-add works, allowing addition of new CPUs to a running system without shutting down. Two memory regions important for hot-add are identified as assets to protect: 0x38000 holding SMI code, and 0x0e2000 holding SIPI vectors. An attack corrupting 0x38000 to inject malicious SMI code and escalate to SMM privileges is demonstrated. Mitigation using hardware protection of memory regions from DMA is discussed.
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
In era of cloud computing, security is becoming more and more critical for customers. In existing HW/SW architecture hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel Software Guard Extension (SGX) provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers. Intel SGX makes such protection possible through the use of enclave, which is a protected area in userspace application where the code/data cannot be accessed directly by any software from outside. This presentation intends to give you an introduction of Intel SGX technology, including what it is, how it works, and the existing SW stack to enable SGX for customers, followed by introduction of our work to support SGX virtualization in Xen hypervisor, including the high-level design, current status and future plan.
[Wroclaw #3] Trusted Computing
The document discusses using a Trusted Platform Module (TPM) to securely store encryption keys for disk encryption on Linux. It describes configuring TPM to measure and seal an encryption key file using PCR registers. Modifications are made to initramfs and cryptroot scripts to support unsealing the key during boot without user input by using the TPM. While TPM provides secure storage, integrating it with Linux disk encryption requires additional configuration to get the key unsealed and passed to cryptsetup during early boot stages.
Slide used at ACM-SAC 2014 by Suzaki
This document describes a protocol test generator that uses nested virtual machines and rollback mechanisms to perform exhaustive fuzz testing of protocol implementations. It proposes using a virtual test protocol to encapsulate test packets and control the target virtual machine. Special packets allow taking snapshots of the target VM state and rolling back to previous snapshots to repeatedly test protocol states with different fuzzed packets. The current prototype implements this approach with KVM and QEMU virtual machines to find bugs in TLS/SSL protocol implementations through fuzz testing of the handshake process.
Tkos secure boot_lecture_20190605
This document provides an introduction to secure boot. It begins with an overview of the topics to be covered, including attack surfaces, attack types, and basic defenses for embedded devices. It then describes the typical boot chain process, including the roles of the ROM bootloader, SPL, main bootloader, OS kernel, and initramfs. Finally, it discusses the basic chain of trust for secure boot and compares it to the PC bootchain, noting some vulnerabilities in the basic secure bootchain model.
Kernel Memory Protection
by an Insertable Hypervisor
which has VM Introspec...
IWSEC2014(The 9th International Workshop on Security 弘前) で"Kernel Memory Protection
by an Insertable Hypervisor
which has VM Introspection
and Stealth Breakpoints"
Demystifying Secure enclave processor
"The secure enclave processor (SEP) was introduced by Apple as part of the A7 SOC with the release of the iPhone 5S, most notably to support their fingerprint technology, Touch ID. SEP is designed as a security circuit configured to perform secure services for the rest of the SOC, with with no direct access from the main processor. In fact, the secure enclave processor runs it own fully functional operating system - dubbed SEPOS - with its own kernel, drivers, services, and applications. This isolated hardware design prevents an attacker from easily recovering sensitive data (such as fingerprint information and cryptographic keys) from an otherwise fully compromised device.
Despite almost three years have passed since its inception, little is still known about the inner workings of the SEP and its applications. The lack of public scrutiny in this space has consequently led to a number of misconceptions and false claims about the SEP.
In this presentation, we aim to shed some light on the secure enclave processor and SEPOS. In particular, we look at the hardware design and boot process of the secure enclave processor, as well as the SEPOS architecture itself. We also detail how the iOS kernel and the SEP exchange data using an elaborate mailbox mechanism, and how this data is handled by SEPOS and relayed to its services and applications. Last, but not least, we evaluate the SEP attack surface and highlight some of the findings of our research, including potential attack vectors."
(Source: Black Hat USA 2016, Las Vegas)
Defense
This document presents Radium, a secure policy engine in the hypervisor that aims to provide integrity measurement of computing environments. It discusses defining the problem of trusting computing devices and components. It provides background on technologies like SRTM, DRTM and Flask that are used. The Radium architecture employs DRTM to boot a trusted hypervisor and uses asynchronous root of trust for measurement and a secure mandatory access control policy to regulate access between trusted and untrusted environments. The prototype implementation and evaluation show Radium can provide timely integrity measurements with zero downtime compared to traditional trusted systems. Future work areas include incorporating Intel SGX and improving the minimal trusted computing base of the hypervisor.
Troopers15 Lightning talk: VMI & DRAKVUF
This document discusses virtual machine introspection (VMI) and the DRAKVUF dynamic malware analysis tool. It begins with an overview of why VMI is useful, describing how it allows security monitoring from outside the VM for increased isolation and visibility. It then introduces DRAKVUF and provides a link to a video demonstration. Finally, it includes a "rant" about the limitations of dynamic analysis for threat detection and argues it is better suited to identifying attack infrastructure and behaviors rather than individual samples.
Breaking hardware enforced security with hypervisors
"Hardware-Enforced Security is touted as the panacea solution to many modern computer security challenges. While certainly adding robust options to the defenders toolset, they are not without their own weaknesses. In this talk we will demonstrate how low-level technologies such as hypervisors can be used to subvert the claims of security made by these mechanisms. Specifically, we will show how a hypervisor rootkit can bypass Intel's Trusted Execution Environment (TXT) DRTM (dynamic root of trust measurement) and capture keys from Intel's AES-NI instructions. These attacks against TXT and AES-NI have never been published before. Trusted computing has had a varied history, to include technologies such as Trusted Execution Technology (TXT), ARM TrustZone, and now Microsoft Isolated User Mode and Intel SGX. All of these technologies attempt to protect user data from privileged processes snooping or controlling execution. These technologies claim that no elevated process, whether kernel based, System Management Mode (SMM) based, or hypervisor based will be able to compromise the user's data and execution.
This presentation will highlight the age-old problem of misconfiguration of Intel TXT by exploiting a machine through the use of another Intel technology, the Type-1 hypervisor (VT-x). Problems with these technologies have surfaced not as design issues but during implementation. Whether there remains a hardware weakness where attestation keys can be compromised, or a software and hardware combination, such as exposed DMA that permits exfiltration, and sometimes modification, of user process memory. This presentation will highlight one of these implementation flaws as exhibited by the open source tBoot project and the underlying Intel TXT technology. Summation will offer defenses against all too often pitfalls when deploying these systems, including proper deployment design using sealed storage, remote attestation, and hardware hardening."
(Source: Black Hat USA 2016, Las Vegas)
Virtual Machine Introspection with Xen on ARM
This document discusses virtual machine introspection (VMI) with Xen on ARM platforms. It notes that VMI allows advanced security capabilities by separating the security monitoring domain from the trusted computing base (TCB). The document outlines that Xen on ARM provides isolation between guest VMs and the hypervisor through security modules. It also describes how the LibVMI library can reconstruct guest OS state information by interpreting ARM guest page tables. The document states that interposition, or stepping into guest VM execution on events of interest, requires hardware and hypervisor support through two-stage address translation configuration and trap handlers. It concludes that work remains to be done on ARM hardware event trapping support and performance testing of Xen on ARM trap handlers.
RISC-V-Day-Tokyo2018-suzaki
The document discusses Trusted Execution Environments (TEEs) and running the Open Portable Trusted Execution Environment (OP-TEE) trusted operating system on RISC-V. It provides an overview of TEEs, describes OP-TEE and the requirements to implement it on RISC-V, including developing a boot sequence, kernel driver, and libraries. The document also compares TEE implementations on ARM TrustZone and Intel SGX and covers memory mapping when running OP-TEE on ARM-based boards.
The Stuxnet Virus FINAL
Stuxnet was a computer virus unleashed in 2009 that targeted Iran's nuclear facilities. It disrupted centrifuges used to enrich uranium, slowing Iran's nuclear program. The virus was introduced via USB and spread through industrial control systems. Stuxnet is believed to have been created by the U.S. and Israel to damage Iran's nuclear capabilities without using military force. It changed cyber security worldwide and highlighted the risks of cyber attacks targeting critical infrastructure.
About cyber war
Cyber war, cyber terrorism, and cyber espionage were discussed. The document began by noting some disclaimers from the author about their expertise and intentions. It then discussed how cyber war is often misunderstood and does not refer to things like cybercrime or hacking. The document went on to discuss how cyber attacks could potentially lead to accidental nuclear war by degrading decision making systems. It also provided a real example of how access was gained to a strategic nuclear system, highlighting the risks of cyber threats in this domain.
More Related Content
What's hot
Stuxnet - More then a virus.
This presentation is for my article on Stuxnet.
For my article visit : http://www.slideshare.net/hardeep4u/stuxnet
Stuxnet worm
The Stuxnet worm was designed to target Siemens industrial control systems used in Iran's uranium enrichment centrifuges. It spread to these systems through infected USB drives and exploited multiple Windows vulnerabilities. It then took control of centrifuges and varied their speeds, damaging around 1,000 centrifuges and slowing Iran's nuclear program. While not intended to spread beyond Iran, it ended up infecting systems in other countries as well through file transfers.
Stuxnet flame
Stuxnet, Duqu, and Flame are sophisticated cyber weapons discovered between 2010-2012 that targeted industrial systems and stole information. Kaspersky Lab analysis found that a module from the early 2009 version of Stuxnet, known as "Resource 207", was actually a Flame plugin, indicating Flame existed prior to Stuxnet. This module was used by both Stuxnet and Flame to spread via USB drives using identical code. Stuxnet and Flame are believed to have been used by the U.S. to wage cyber warfare against Iran.
Stuxnet
Stuxnet is a computer virus that targets industrial control systems. It spreads through infected USB drives and networks, then infects PLCs (Programmable Logic Controllers) that are configured for specific industrial processes. Once infected, Stuxnet alters the PLC code to change the industrial process without the operator's knowledge through a "man in the middle" attack when programming software updates the PLC. The presentation demonstrates how Stuxnet infects a PLC and alters its code to change an industrial process.
The World's First Cyber Weapon - Stuxnet
Understand the world’s first cyber weapon – Stuxnet in 10 minutes.
* Discovery Of the First Cyber Weapon
* High Level Architecture Overview Of The Target
* How Does Stuxnet Sabotage A Uranium Enrichment Plant – Cyber-physical Attack
* Summary
* References
Stuxnet
Stuxnet is a computer worm discovered in 2010 that targets industrial software and equipment. It is believed to have been designed to damage Iran's nuclear facilities. Stuxnet spreads through infected USB drives and seeks out specific models of programmable logic controllers used to automate industrial processes. It communicates with command and control servers to carry out its infection routine and propagate further through networks. Mitigation techniques for Stuxnet and other threats to industrial control systems include security information and event management systems, intrusion monitoring, and passive vulnerability scanning of control system networks.
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
Stuxnet is analyzed in detail, including its architecture, functionality, and propagation methods. It is described as a highly advanced persistent threat that targeted Iran's nuclear facilities. The document outlines how Stuxnet used zero-day exploits and a digital certificate to inject code into industrial control systems and spread via removable drives and network shares. Stuxnet's command and control infrastructure and ability to infect project files for industrial software are also summarized.
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
Matt Oh, Microsoft
We are seeing new technique used everyday by malware. But, it is very hard to find any impressive techniques used in the wild. Recently there was huge buzz about Detrahere malware which used internally known issues with certificate signing in Windows 10 kernel driver. Even though the certificate check bypass technique itself is very interesting, also I found that the tactics used by the malware is more impressive. Even though the malware is mainly focused on Ad-hijacking functionality through Netfilter driver installation, but it also has rootkit ability through file system driver hooking. This feels like old days coming back with various new arsenals. The rootkit detects kernel debugging settings and will destroy the system when it finds one. The unpacking process can be very challenging job, too as it uses kernel driver image hollowing technique (something similar to process hollowing) to deobfuscate itself and run unpacked code. Our patchguard doesn't seem like triggering on this action, because all the sections are pre-allocated with execute permission already.
Through this talk, I want to present various techniques used by this malware focusing on the kernel level obfuscation and anti-analysis tactics. This will give us new insights on how new Windows rootkit malware might look like in the future and how detecting them from security systems and detonation systems can be a challenge.
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
This document discusses how abusing CPU hot-add weaknesses could allow escalating privileges in server datacenters. It describes how CPU hot-add works, allowing addition of new CPUs to a running system without shutting down. Two memory regions important for hot-add are identified as assets to protect: 0x38000 holding SMI code, and 0x0e2000 holding SIPI vectors. An attack corrupting 0x38000 to inject malicious SMI code and escalate to SMM privileges is demonstrated. Mitigation using hardware protection of memory regions from DMA is discussed.
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
In era of cloud computing, security is becoming more and more critical for customers. In existing HW/SW architecture hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel Software Guard Extension (SGX) provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers. Intel SGX makes such protection possible through the use of enclave, which is a protected area in userspace application where the code/data cannot be accessed directly by any software from outside. This presentation intends to give you an introduction of Intel SGX technology, including what it is, how it works, and the existing SW stack to enable SGX for customers, followed by introduction of our work to support SGX virtualization in Xen hypervisor, including the high-level design, current status and future plan.
[Wroclaw #3] Trusted Computing
The document discusses using a Trusted Platform Module (TPM) to securely store encryption keys for disk encryption on Linux. It describes configuring TPM to measure and seal an encryption key file using PCR registers. Modifications are made to initramfs and cryptroot scripts to support unsealing the key during boot without user input by using the TPM. While TPM provides secure storage, integrating it with Linux disk encryption requires additional configuration to get the key unsealed and passed to cryptsetup during early boot stages.
Slide used at ACM-SAC 2014 by Suzaki
This document describes a protocol test generator that uses nested virtual machines and rollback mechanisms to perform exhaustive fuzz testing of protocol implementations. It proposes using a virtual test protocol to encapsulate test packets and control the target virtual machine. Special packets allow taking snapshots of the target VM state and rolling back to previous snapshots to repeatedly test protocol states with different fuzzed packets. The current prototype implements this approach with KVM and QEMU virtual machines to find bugs in TLS/SSL protocol implementations through fuzz testing of the handshake process.
Tkos secure boot_lecture_20190605
This document provides an introduction to secure boot. It begins with an overview of the topics to be covered, including attack surfaces, attack types, and basic defenses for embedded devices. It then describes the typical boot chain process, including the roles of the ROM bootloader, SPL, main bootloader, OS kernel, and initramfs. Finally, it discusses the basic chain of trust for secure boot and compares it to the PC bootchain, noting some vulnerabilities in the basic secure bootchain model.
Kernel Memory Protection
by an Insertable Hypervisor
which has VM Introspec...
IWSEC2014(The 9th International Workshop on Security 弘前) で"Kernel Memory Protection
by an Insertable Hypervisor
which has VM Introspection
and Stealth Breakpoints"
Demystifying Secure enclave processor
"The secure enclave processor (SEP) was introduced by Apple as part of the A7 SOC with the release of the iPhone 5S, most notably to support their fingerprint technology, Touch ID. SEP is designed as a security circuit configured to perform secure services for the rest of the SOC, with with no direct access from the main processor. In fact, the secure enclave processor runs it own fully functional operating system - dubbed SEPOS - with its own kernel, drivers, services, and applications. This isolated hardware design prevents an attacker from easily recovering sensitive data (such as fingerprint information and cryptographic keys) from an otherwise fully compromised device.
Despite almost three years have passed since its inception, little is still known about the inner workings of the SEP and its applications. The lack of public scrutiny in this space has consequently led to a number of misconceptions and false claims about the SEP.
In this presentation, we aim to shed some light on the secure enclave processor and SEPOS. In particular, we look at the hardware design and boot process of the secure enclave processor, as well as the SEPOS architecture itself. We also detail how the iOS kernel and the SEP exchange data using an elaborate mailbox mechanism, and how this data is handled by SEPOS and relayed to its services and applications. Last, but not least, we evaluate the SEP attack surface and highlight some of the findings of our research, including potential attack vectors."
(Source: Black Hat USA 2016, Las Vegas)
Defense
This document presents Radium, a secure policy engine in the hypervisor that aims to provide integrity measurement of computing environments. It discusses defining the problem of trusting computing devices and components. It provides background on technologies like SRTM, DRTM and Flask that are used. The Radium architecture employs DRTM to boot a trusted hypervisor and uses asynchronous root of trust for measurement and a secure mandatory access control policy to regulate access between trusted and untrusted environments. The prototype implementation and evaluation show Radium can provide timely integrity measurements with zero downtime compared to traditional trusted systems. Future work areas include incorporating Intel SGX and improving the minimal trusted computing base of the hypervisor.
Troopers15 Lightning talk: VMI & DRAKVUF
This document discusses virtual machine introspection (VMI) and the DRAKVUF dynamic malware analysis tool. It begins with an overview of why VMI is useful, describing how it allows security monitoring from outside the VM for increased isolation and visibility. It then introduces DRAKVUF and provides a link to a video demonstration. Finally, it includes a "rant" about the limitations of dynamic analysis for threat detection and argues it is better suited to identifying attack infrastructure and behaviors rather than individual samples.
Breaking hardware enforced security with hypervisors
"Hardware-Enforced Security is touted as the panacea solution to many modern computer security challenges. While certainly adding robust options to the defenders toolset, they are not without their own weaknesses. In this talk we will demonstrate how low-level technologies such as hypervisors can be used to subvert the claims of security made by these mechanisms. Specifically, we will show how a hypervisor rootkit can bypass Intel's Trusted Execution Environment (TXT) DRTM (dynamic root of trust measurement) and capture keys from Intel's AES-NI instructions. These attacks against TXT and AES-NI have never been published before. Trusted computing has had a varied history, to include technologies such as Trusted Execution Technology (TXT), ARM TrustZone, and now Microsoft Isolated User Mode and Intel SGX. All of these technologies attempt to protect user data from privileged processes snooping or controlling execution. These technologies claim that no elevated process, whether kernel based, System Management Mode (SMM) based, or hypervisor based will be able to compromise the user's data and execution.
This presentation will highlight the age-old problem of misconfiguration of Intel TXT by exploiting a machine through the use of another Intel technology, the Type-1 hypervisor (VT-x). Problems with these technologies have surfaced not as design issues but during implementation. Whether there remains a hardware weakness where attestation keys can be compromised, or a software and hardware combination, such as exposed DMA that permits exfiltration, and sometimes modification, of user process memory. This presentation will highlight one of these implementation flaws as exhibited by the open source tBoot project and the underlying Intel TXT technology. Summation will offer defenses against all too often pitfalls when deploying these systems, including proper deployment design using sealed storage, remote attestation, and hardware hardening."
(Source: Black Hat USA 2016, Las Vegas)
Virtual Machine Introspection with Xen on ARM
This document discusses virtual machine introspection (VMI) with Xen on ARM platforms. It notes that VMI allows advanced security capabilities by separating the security monitoring domain from the trusted computing base (TCB). The document outlines that Xen on ARM provides isolation between guest VMs and the hypervisor through security modules. It also describes how the LibVMI library can reconstruct guest OS state information by interpreting ARM guest page tables. The document states that interposition, or stepping into guest VM execution on events of interest, requires hardware and hypervisor support through two-stage address translation configuration and trap handlers. It concludes that work remains to be done on ARM hardware event trapping support and performance testing of Xen on ARM trap handlers.
RISC-V-Day-Tokyo2018-suzaki
The document discusses Trusted Execution Environments (TEEs) and running the Open Portable Trusted Execution Environment (OP-TEE) trusted operating system on RISC-V. It provides an overview of TEEs, describes OP-TEE and the requirements to implement it on RISC-V, including developing a boot sequence, kernel driver, and libraries. The document also compares TEE implementations on ARM TrustZone and Intel SGX and covers memory mapping when running OP-TEE on ARM-based boards.
What's hot (20)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
Kernel Memory Protection
by an Insertable Hypervisor
which has VM Introspec...
Kernel Memory Protection
by an Insertable Hypervisor
which has VM Introspec...
Breaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisors
Viewers also liked
The Stuxnet Virus FINAL
Stuxnet was a computer virus unleashed in 2009 that targeted Iran's nuclear facilities. It disrupted centrifuges used to enrich uranium, slowing Iran's nuclear program. The virus was introduced via USB and spread through industrial control systems. Stuxnet is believed to have been created by the U.S. and Israel to damage Iran's nuclear capabilities without using military force. It changed cyber security worldwide and highlighted the risks of cyber attacks targeting critical infrastructure.
About cyber war
Cyber war, cyber terrorism, and cyber espionage were discussed. The document began by noting some disclaimers from the author about their expertise and intentions. It then discussed how cyber war is often misunderstood and does not refer to things like cybercrime or hacking. The document went on to discuss how cyber attacks could potentially lead to accidental nuclear war by degrading decision making systems. It also provided a real example of how access was gained to a strategic nuclear system, highlighting the risks of cyber threats in this domain.
Tobii T60 T120 User Manual
The document provides safety information and instructions for using the Tobii T60 and T120 Eye Trackers. It details proper placement, temperature and humidity levels, and ingress protection. The eye trackers should only be used in office and home environments and placed on stable, level surfaces away from direct sunlight or extreme temperatures.
Declaration of malWARe
This presentation will take a high level look at the malware life cycle and the role that both hackers and IT professionals play in it. It should be interesting to IT professionals as well as individuals interested in learning more about the general approach used by hackers to gain unauthorized access to systems, applications, and sensitive data.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
تجزیه و تحلیل بدافزار استاکس نت (Stuxnet)
استاکس نت را میتوان از نوع بدافزارهای روت کیت دانست.
روت کیت ها نوع پیشرفتهتر بدافزارها هستند که بصورت چند جزءی طراحی می شوند, هرکدام از اجزا روت کیت وظیفه خاصی دارد, در نهایت هدف تمام اجزا بروزرسانی هسته بدافزار است.
هسته بدافزار با توجه به اطلاعاتی که از اجزا خود دریافت نموده میتواند به سایر اجزا خود برای انجام کاری دستور بدهد.
بدافزار استاکس نت فعالیت خود را با چند فایل آغاز میکند که تمام این فایلها نقشه مهمی در شروع موفقت آمیز این بدافزار دارند....
گفتیم بدافزار استاکس نت فعالیت خودرا با چهار فایل .lnk که فرمت فایلهای شرتکات در ویندوز است آغاز میکند
آسیبپذیری LNK یکی از آسیبپذیری های روز صفری بود که این بدافزار از آن برای انتشار خود از طریق حافظه های جانبی (USB) استفاده میکرد.
استاکس نت با سواستفاده از این آسیبپذیری میتوانست خود را بدون اینکه از کاربر برای اجرا خود کمک بگیرد اجرا کند, چهار فایل .lnk تنها وظیفه اجرای فایلهای .tmp را برعهده داشتند.
اما دو فایل دیگر که درواقع فایلهای اصلی بدافزار هستن.....
رونوشت گرفتن از حافظه را میتوان به عکس گرفتن با دوربین دیجیتال تشبیه کرد, زمانی که شما با استفاده از دوربین دیجیتال از کلاس درسی عکس برداری میکنید پس از آن میتوانید با نگاه کردن به آن عکسها تحلیل کاملی از آن محیط به عمل اورید, اینکه هر فرد مشغول چه کاری هست …
ابتدا با استفاده از ابزار ولوتیلیتی زبان پایتون به تجزیه و تحلیل این بدافزار
خواهیم پرداخت تا یک دید کلی و کاملی از این بدافزار بدست بدست بیاوریم
سپس در نسخه بعدی این مقاله به بصورت کاملتر روی جزیات متمرکز خواهیم شد و هر قسمت از فایلهای اجرای بدافزار را با استفاده از بزارهای مانند windebug ,IDA Pro دیباگ خواهیم کرد و نحوهی فعالیت هر فرایند را بصورت مجزا برسی خواهیم کرد و در آخر سورس کد مشابهی برای آن قسمت ارایه خواهیم کرد.
ابتدا با استفاده از ابزار ولوتیلیتی زبان پایتون به تجزیه و تحلیل این بدافزار
خواهیم پرداخت تا یک دید کلی و کاملی از این بدافزار بدست بدست بیاوریم
سپس در نسخه بعدی این مقاله به بصورت کاملتر روی جزیات متمرکز خواهیم شد و هر قسمت از فایلهای اجرای بدافزار را با استفاده از بزارهای مانند windebug ,IDA Pro دیباگ خواهیم کرد و نحوهی فعالیت هر فرایند را بصورت مجزا برسی خواهیم کرد و در آخر سورس کد مشابهی برای آن قسمت ارایه خواهیم کرد.
Nuit du Hack 2K16 - Scénarios d'attaques sur un système industriel
Nuit du Hack 2K16 - Scénarios d'attaques sur un système industriel
Préparé & Présenté par Guillaume Preau, Edouard Bedoucha.
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
The talk will show you the techical details of Stuxnet in their full glory and make you appreciate this work of engineering more. Based on a code-level analysis of the Stuxnet PLC payload, the presentation will explain techniques therein that can be used for industrial espionage and sabotage by copycat attackers against competitor's production facilities. Currently recommended defenses, their shortcomings and alternative approaches will also be discussed.
Bio: Felix 'FX' Lindner is founder and technical lead of the Recurity Labs GmbH consulting and research team. He is also the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. He looks back at 15+ years of (legal) hacking with only a couple Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road.
Cyber Crime & Cyber War
This document discusses cyber crime and cyber war. It begins with introductions from the speaker, Uday, who works in penetration testing and data analysis. Several topics are then brought up for discussion, including how cyber war is defined, how it differs from cyber crime and espionage, and whether real data exists to argue that cyber war is occurring. Business models for cyber crime, like pay-per-install malware distribution, are presented. The document aims to have an academic debate on these issues and determine what constitutes an actual cyber war.
Case study 11
Cyberwarfare poses serious challenges for security experts in detecting, preventing, and attributing cyber intrusions, as demonstrated by successful attacks on systems like the FAA and Pentagon networks. People, organizations, and technology all contribute to the problem. Individuals and nations can conduct cyberwarfare for a fraction of the cost of other forms of warfare. The US lacks clear cybersecurity policies and leadership. While technical solutions are being developed, such as Cybercom and new standards, effective prevention will remain difficult given the ability of adversaries to develop more advanced techniques and denial of responsibility in cyberspace.
INTERNET SECUIRTY TIPS
This document provides 100 security tips across various topics including social engineering, social media, physical computer security, password security, smartphones, encryption, anti-virus software, public computers, and WiFi security. The tips advise users to be wary of suspicious emails and phone calls, use strong and unique passwords, encrypt sensitive information, regularly update software, avoid using public computers for sensitive tasks, and lock down physical devices and wireless networks. Following these tips can help users protect themselves from common online threats like phishing scams, malware, and unauthorized access to personal information or devices.
InfoSecurity Europe 2014: The Art Of Cyber War
With cyber-attacks becoming a growing concern for organizations, availability-based attacks, also known as Denial of Service or Distributed Denial of Service attacks, have long moved from a form of cyber protest to a destructive weapon that is used by cyber criminals, hacktivists and even governments.
In 2013 we saw a growing use of a new type of attack where attackers used legitimate transactions to saturate application servers’ resources. In this presentation, Security Expert Werner Thalmeier demonstrates how such an advanced attack can be created from a laptop running in an anonymous public WiFi network. He also evaluates the attack landscape and its impact on organizations as well as shares the best practices to protect against such cyber-attacks.
Understand the current availability-based threat landscape and learn about new types of cyber-attacks that are being used to saturate resources. For more information on the state of Application and Network Security, please visit: http://www.radware.com/ert-report-2013/
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
The document summarizes a seminar on the Stuxnet cyber attack. It discusses Stuxnet as a sophisticated cyber weapon targeting Iranian nuclear facilities. It provides an overview of Stuxnet's architecture and propagation methods, describing how it exploited Windows vulnerabilities to infect industrial control systems and spread via removable drives. The document analyzes Stuxnet's command-and-control infrastructure and rootkit functionality used to hide its files and remain undetected on systems.
Sitrain blocos de orgazação
O documento descreve os blocos de organização do S7-1500, incluindo OBs cíclicos, de partida, de interrupção e de erro. Ele explica como configurar e usar diferentes tipos de interrupção e como estruturar um programa usando blocos de organização.
Apostila pcs7 v8.0 v2
Este documento fornece uma introdução ao software SIMATIC PCS 7, que integra ferramentas de automação de plantas em uma única plataforma. Ele descreve os conceitos básicos de projeto do PCS 7, incluindo a criação de um novo projeto usando o assistente New Project Wizard. Além disso, fornece uma visão geral dos principais componentes do PCS 7, como AS, OS, CFC e SFC.
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
Is the world in the midst of a cyber-war? If so, what are the implications?
In this presentation Carl Herberger, Radware's VP of Security Solutions, explores some of the most notable recent cyber-attacks and how many of the findings correlate with the tenets of warfare as defined in The Art of War by Sun Tzu, the ancient military general, strategist and tactician.
How should organizations be preparing for an information security landscape that is shaped by ideologically motivated cyber warfare rather than just opportunistic cyber-crime? Learn the techniques being employed to safeguard IT operations in a theatre that is witnessing ever more sophisticated attacks.
For more on how to help detect, mitigate and win this cyber war battle, visit here: http://www.radware.com/ert-report-2013/ to download the 2013 Global Application and Network Security Report.
Manejo de avisos y alarmas en HMI
Este documento describe la configuración de avisos y alarmas en sistemas HMI. Explica los tipos de avisos como avisos de sistema, avisos de servicio y alarmas. Detalla las herramientas y propiedades para configurar un visor de avisos, incluyendo la categoría, apariencia, representación, visualización, barra de herramientas y columnas. El objetivo es mostrar los avisos y alarmas de manera adecuada en la interfaz de usuario.
Sitrain introdução a ihm
O documento fornece instruções sobre como configurar e conectar um painel de toque a um PLC, incluindo ajustar o endereço IP do painel, inserir o painel no projeto, conectar o painel à CPU, conectar logicamente o painel à CPU através de tags, e verificar as tags de interface. O documento também lista uma série de exercícios passo-a-passo para configurar estas funcionalidades.
Cyber War ( World War 3 )
Fight for new “space” is now “Cyber space”.
War fare changed to “Information Technology” .
Cyber space stage platform for World War 3.
Teoria s7 300-basico
Este documento presenta la programación básica de un PLC Siemens S7-300 utilizando el software Step7. Explica los elementos de memoria del PLC como marcas, contadores, temporizadores y bloques de datos, y describe el ciclo de trabajo y los lenguajes de programación. Además, detalla la estructura de memoria del S7-300 y cómo crear y simular proyectos de programación en Step7.
Viewers also liked (19)
Nuit du Hack 2K16 - Scénarios d'attaques sur un système industriel
Nuit du Hack 2K16 - Scénarios d'attaques sur un système industriel
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre
Similar to Stuxnet dc9723
Nullbyte 6ed. 2019
Esta apresentação é baseada em uma pesquisa que publiquei em 2015 que tratava de malware do tipo mach-o, e o aumento de visibilidade do macOS como novo alvo. Nesta nova pesquisa, a ideia é mostrar algumas dicas sobre internals, kernel e principais ameaças que o macOS vem enfrentando.
Activity 5
This document provides instructions for interpreting debug output on a Cisco router. The steps have a student configure debugging for IP routing on router R1. Interface Serial 0/0/0 between R1 and R2 is then configured with an IP address. Debug messages indicate the route is added but its state is initially false since the remote side is not yet configured. After fully configuring the local interface, debug output shows the interface state change to down until the remote side is also configured. The steps aim to demonstrate how debug output can provide insight into route states during router configuration.
Windows Architecture Explained by Stacksol
Now here we explained the windows architecture. The inside view of Microsoft Windows. The architecture of Windows NT, a line of operating systems produced and sold by Microsoft, is a layered design that consists of two main components, user mode and kernel mode.
Automated defense from rootkit attacks
The document proposes an approach for automated defense against rootkit attacks through early detection and containment. It tracks dependencies between files and processes to automatically undo any damage caused by intrusions. The approach detects intrusions when malicious processes illegally access protected system zones. A prototype was developed demonstrating detection of a user-level rootkit, kernel-level rootkit, and stealth worm. Future work includes intrusion detection through system call and network anomalies.
Kunal - Introduction to BackTrack - ClubHack2008
BackTrack is a Linux distribution focused on penetration testing with over 300 security tools. It allows testing of vulnerabilities like buffer overflows and cross-site scripting through tools like Nmap, Nikto, and Metasploit. Common attack techniques explored include man-in-the-middle attacks using ARP poisoning, password cracking through tools like John the Ripper, and "Google hacking" to find sensitive information online.
Kunal - Introduction to backtrack - ClubHack2008
BackTrack is a Linux distribution focused on penetration testing with over 300 security tools. It allows testing of vulnerabilities like buffer overflows and cross-site scripting through tools like Nmap, Nikto, and Metasploit. Common attack techniques explored include man-in-the-middle attacks using ARP poisoning, password cracking through tools like John the Ripper, and hacking web servers through techniques like Google hacking.
Workshop on BackTrack live CD
BackTrack is a Linux distribution focused on penetration testing with over 300 security tools. It allows testing of vulnerabilities like buffer overflows and cross-site scripting through tools like Nmap, Nikto, and Metasploit. Attackers can use these tools along with techniques like ARP poisoning to conduct remote exploits or hack passwords on Windows systems.
Rootkit&honeypot aalonso-dcu-dec09
Autonomous: no human interaction
Semi-autonomous: limited human interaction
Managed: extensive human interaction
Source: http://www.honeynet.org/papers/honeynet/tools/taxonomy.html
Optional Reading - Symantec Stuxnet Dossier
Stuxnet is a complex malware that targeted industrial control systems in Iran. It used four zero-day exploits and spread through removable drives and local networks to find computers with Siemens Step 7 software to modify PLC code and sabotage industrial systems while avoiding detection. The malware infected over 100,000 hosts worldwide but about 60% were in Iran, its main target. It conducted five attack waves against Iranian organizations from 2009 to 2010.
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research (IJCER) is dedicated to protecting personal information and will make every reasonable effort to handle collected information appropriately. All information collected, as well as related requests, will be handled as carefully and efficiently as possible in accordance with IJCER standards for integrity and objectivity
Intrusion Techniques
Serão demonstradas diversas técnicas de ataque, tais como: Injeções de codigos,brute force, backdoors, root kits, exploits e várias outras maneiras para acessar e se manter indevidamente a servidores,em contra-partida são discutidas melhores praticas para se
evitar os tipos de ataques citados. (Palestra realizada no 3º Festival de Software livre em belo horizonte - FSLBH)
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
The document discusses vulnerabilities found in common office equipment like printers. It begins with an introduction explaining the researchers' approach of analyzing the security of enterprise printers from various manufacturers through a red teaming methodology. They found printers pose risks as they sit on corporate networks, process sensitive data, and are often assumed to be low risk. The document then covers the large attack surface printers present, including exposed services, firmware, and hardware issues. It describes common flaws found like weak configurations, default credentials, and memory corruption issues. Finally, it provides an example of exploiting a stack buffer overflow vulnerability to achieve remote code execution on a printer.
Cisco Malware: A new risk to consider in perimeter security designs
The networking equipment like switches and routers have historically been considered as passive elements in implementations of the security architecture. However, the new programming capabilities of these devices involve the risk of malicious software. If this risk materializes, imagine the consequences to the company\'s information. This presentation shows proof of concept on what features could support a malware inside IOS devices, how to detect it, how to remediate it and how to minimize the risk of occurrence within a security architecture.
Malware freak show
The document discusses several pieces of malware including Stuxnet, Duqu, Flame, and Gauss. Stuxnet was the first malware discovered to target industrial control systems and included a PLC rootkit. Duqu shares code with Stuxnet and gathered intelligence. Flame was a large and complex malware that supported eliminating traces of its files. Gauss was designed to steal credentials from banking and social media accounts. All of the malware discussed exploited vulnerabilities and some signed with stolen certificates to propagate and communicate with command and control servers.
Malware Freak Show
The document discusses several cyber threats including Stuxnet, Duqu, Flame, and Gauss. Stuxnet was the first malware discovered to target industrial control systems in 2010. Duqu shares code with Stuxnet and gathered intelligence. Flame was a large and complex malware discovered in 2012 that supported eliminating traces of its files. Gauss stole credentials and collected information from infected machines. All pose serious risks to computer networks and systems critical to society.
Finfisher- Nguyễn Chấn Việt
FinFisher is cyber espionage software sold by Gamma Group to law enforcement and intelligence agencies. It can infect Windows, iOS, Android, Blackberry, Symbian, and other mobile devices to monitor users. The malware disguises itself using various techniques and communicates with command and control servers located around the world. It has extensive surveillance capabilities including recording calls, intercepting messages, and tracking locations.
How Microsoft will MiTM your network
A scenario on basic incident response and showing how Microsoft uses a service that automatically creates a Man in the Middle incident. It also covers an overview on some inherent tools and how to use them for security operations
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...christopherfairbairn
Part 1 of the first session of the newly formed Christchurch Embedded .NET User Group.
Introduces the range of embedded platforms and technologies offered by Microsoft. Covers the .NET Micro and Compact Frameworks as well as operating systems such as Windows Embedded CE and Windows Mobile.
Presented by Andrew Leckie, Bryn Lewis and myself.Hacker Halted 2014 - Post-Exploitation After Having Remote Access
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
Symantec White Paper: W32.Ramnit Analysis
Ramnit is a worm that spreads through removable drives by infecting files. The worm (W32.Ramnit) was first discovered in early 2010 and later that year, a second variant of Ramnit (W32.Ramnit.B) was identified. Since then, Ramnit’s operators have made considerable upgrades to the threat, including implementing the use of modules, which was borrowed from the leaked source code of the Zeus banking Trojan (Trojan.Zbot) in May 2011.
Currently, Ramnit’s operators are primarily focused on information-stealing tactics, targeting data such as passwords and online banking login credentials. They also install remote access tools on affected computers in order to maintain back door connectivity. It is estimated that the Ramnit botnet may consist of up to 350,000 compromised computers worldwide.
Similar to Stuxnet dc9723 (20)
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
Cisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designs
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
More from Iftach Ian Amit
Cyber Risk Quantification - CyberTLV
Quantitative Risk Analysis Workshop - focused on working with business risk and factoring in cyber elements, and how to optimize the application of controls for the most effective risk management.
Devsecops at Cimpress
This document discusses DevSecOps at Cimpress, an online printing company. It outlines some of the challenges of their worldwide and decentralized operations with varying technology stacks. Their approach involves threat modeling to identify threats, assets, and controls. They create security assertions based on the threat model and assure test case coverage. The focus is on integrating security into development in a way that is not burdensome to developers. The expected deliverables include automated unit test coverage and tool scans to address the threat model.
BSidesTLV Closing Keynote
What have you done?
Communities, hacking, sharing. What's wrong with today's hacker community, and the many simple ways to fix it.
Social Media Risk Metrics
Risk metric frameworks cover most of the elements that organizations deal with from an operational perspective. We have identified a gap in those, in which social media activities are not represented well (albeit being the highest growing attack vector). In this talk we’ll present a social media risk metric framework that allows organizations to measure and track both individuals as well as 3rd party entities risk to the organization.
ISTS12 Keynote
The keynote address for ISTS12 (Information Security Talent Search) at RIT (Rochester Institute of Technology).
From your Pocket to your Heart and Back
This document discusses cyber security risks in the financial and healthcare industries and their impact on homeland security. It covers three parts: examples of information disclosure vulnerabilities in access points; connecting these vulnerabilities to critical infrastructure protection and homeland security; and arguing that an asset-centric rather than product-centric approach is needed to address industry-specific security challenges.
Painting a Company Red and Blue
The document discusses the roles and techniques of red teams and blue teams, with the red team focusing on simulating real threats through activities like social engineering and identifying vulnerabilities, while the blue team aims to assess risks, minimize damage from attacks, and apply lessons learned to strengthen processes, people, and technology. It provides examples of tactics for each team and emphasizes the importance of collaboration between red and blue teams to continuously improve an organization's security.
"Cyber" security - all good, no need to worry?
This document discusses cyber security risks and incidents over time. It notes that 52% of all incidents are from businesses, with government, medical, and education each accounting for around 15-20% of incidents. The majority (57%) of incidents are caused by outside actors, while 20% are from insider threats and 10% are accidental insider incidents. The number of reported data loss incidents has increased significantly over time from just over 100 in 2004 to over 1600 in 2013. The document advocates returning to basic risk management practices, including prioritizing remediation based on risk, impact, costs, and addressing the most critical gaps in assets, processes, technologies and threats based on priority. It warns against overspending on products and focusing
Armorizing applications
This document discusses the importance of application logs for security purposes. It notes that while network, system and other logs have improved, application logs are still often lacking crucial context about user actions and application state. To effectively investigate issues, security analysts need a unified view of all log data, including details applications have about user sessions, access and functionality used. The document urges application developers to make more of this type of contextual log data available to defenders to help connect dots between different system components and entities.
Seeing Red In Your Future?
Derbycon 2013 - Seeing Red in Your Future?
This talk is designed to complement the “Fifty Shades of Red” talk tomorrow, and provide context for organizations who either think about engaging in a red team test, or have been doing red teaming and want to see more value out of it. In this talk we’ll cover some of the basic elements of what red teaming is, and specifically how it benefits an organization engaging in such a practice. Red teaming by itself is a high-interaction test. Unlike many other tests (namely penetration testing, compliance engagements, vulnerability assessments and other IT related practices), red team is not limited to the technical scope of the organization’s security infrastructure. As such, it is imperative to be able to extract as much value out of a red team engagement as possible, and see return on that investment in as many different areas of the organization as possible. Based on years of experience in conducting red team tests, training and helping organizations improve their security through red teaming, these insights will be applicable to everyone who is seeing red in their future (and you all should in order to really address security in an organization that has people working in it and not just machines).
Hacking cyber-iamit
Hacking involves a single target and shallow attacks using common tools and techniques, motivated by financial or political goals. Cyber attacks are part of cyber warfare involving strategic targets across physical, social, intelligence and electronic domains using custom tools in a coordinated campaign. Cyber defenses require a strategic defense in depth approach across all domains with awareness training, unlike typical IT security products. Hacking is an individual battle while cyber attacks are part of a larger warfare strategy.
Passwords good badugly181212-2
This document discusses best practices for securely storing passwords. It notes that passwords are often stored insecurely, such as in plain text. To securely store passwords, it recommends encrypting them using cryptographic hash functions with salts. Specifically, it advises using functions such as SHA-2, bcrypt, and scrypt, which can include salts and be slowed down through key stretching to make passwords very difficult to hack or crack. Following these guidelines helps protect users and companies by securing password data.
Bitcoin
This document provides an introduction to bitcoin, including what it is, how it works, advantages, disadvantages, weaknesses, history, data, mining process over time, physical representations, and future possibilities. Bitcoin is described as a decentralized digital currency based on cryptography, without a central authority. Transactions are confirmed by miners who are rewarded with new bitcoins. Key aspects covered include how users can send and receive bitcoins, security issues, increasing difficulty of mining over time, and the currency's value and adoption over its history.
Sexy defense
The document discusses strategies for maximizing home-field advantage in cybersecurity defense. It argues that defenders should flip the perspective of red team attackers by mapping assets and security issues, correlating internal and external threat data over time, and taking proactive measures like counterintelligence operations. Examples given include infiltrating hacker communities to booby-trap tools and using attackers' own tools against them. The presentation calls on vendors to develop integrative security products and defenders to own their security data and intelligence in order to focus defenses on real risks rather than compliance.
Cyber state
A presentation on the state of cyber security, current threats and opportunities at the national level.
An overview of current readiness analysis for countries, along-with a recommended strategic approach to developing capabilities and partnerships locally, regionally, and globally.
Advanced Data Exfiltration - the way Q would have done it
An updated version of my data exfiltration talk. Much more "visual" in nature.
Used it at Hashdays, Govcert.NL, SourceBCN, and SecurityZone.
Infecting Python Bytecode
A method of infecting python bytecode with self-spreading mechanism.
Presented at the November 2011 meeting of the DC9723.
Exploiting Second life
Second Life is a free online virtual world where users can generate content. Users can exchange the virtual currency, Linden Dollars, for real money. Key industries include real estate, adult entertainment, and fashion. Some users exploit the system by creating weapons to annoy others or using third-party viewers to crash clients and copy content illegally. In response, Linden Lab banned over 10,000 users and tightened policies around virtual weapons and third-party viewers.
Cheating in Computer Games
This document discusses cheating in games and the techniques used. It covers reasons for cheating such as fun, profit, and gaining knowledge. It also discusses common cheating methods like bots, trainers, patching, and hooking. It provides examples of how to hook into the Windows API and examples of anti-cheating techniques used by game developers. Overall, the document is about cheating techniques in games and the ongoing challenge for developers to create uncheatable games.
More from Iftach Ian Amit (20)
Advanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done it
Recently uploaded
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S4 HANA to Public cloud data object differences
A Comprehensive Guide to DeFi Development Services in 2024
DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum.
In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance.
In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape.
At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology.
Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
TrustArc Webinar - 2024 Global Privacy Survey
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
Free A4 downloadable and printable Cyber Security, Social Engineering Safety and security Training Posters . Promote security awareness in the home or workplace. Lock them Out From training providers datahops.com
Introduction of Cybersecurity with OSS at Code Europe 2024
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Azure API Management to expose backend services securely
How to use Azure API Management to expose backend service securely
Programming Foundation Models with DSPy - Meetup Slides
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Trusted Execution Environment for Decentralized Process Mining
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Generating privacy-protected synthetic data using Secludy and Milvus
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Skybuffer SAM4U tool for SAP license adoption
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Astute Business Solutions | Oracle Cloud Partner |
Your goto partner for Oracle Cloud, PeopleSoft, E-Business Suite, and Ellucian Banner. We are a firm specialized in managed services and consulting.
Main news related to the CCS TSI 2023 (2023/1695)
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Fueling AI with Great Data with Airbyte Webinar
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Recently uploaded (20)
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloud
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Azure API Management to expose backend services securely
Azure API Management to expose backend services securely
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
Stuxnet dc9723
- 1. Tomer Teller , DC9723, 18/1/11 Stuxnet: How to take over a (nuclear) power plant
- 6. This is not normal… Statistics ref: Symantec dossier paper
- 7. Welcome to the Battle Field
- 8. What’s going to happen? Here
- 9. What’s going to happen? Water Pipe Gas pipeline Nuclear Reactor
- 10. Mission Objectives Introduce Threat to Target Propagate inside the network Infect Field PG machines GOAL: Reprogram ICS machines
- 16. EXE AutoRun Autorun.inf Technique cont.
- 23. Mission #1 Completed Here
- 24. Recap Introduce Threat to Target Propagate inside the network Infect Field PG machines GOAL: Reprogram ICS machines
- 30. Mission #2 Completed Here Ping Alive
- 31. Recap Introduce Threat to Target Propagate inside the network Infect Field PG machines GOAL: Reprogram ICS machines
- 33. Infected PLC Example (READ/WRITE) Step7/WinCC New DLL PLC Original DLL Read () Data Modified Data Read() Original Data Write() Data New DLL Original DLL Write() Wrote Modified Data Field GP 5 5 500 500 5 5 ? ? ? 500 500 5
- 34. Recap Introduce Threat to Target Propagate inside the network Infect Field PG machines GOAL: Reprogram ICS machines
- 38. kthxbye Tomer Teller [email_address]