Hacking Exposed
Attacking Infrastructure<br />
<strong>Hacking</strong> <strong>Exposed</strong> - Australia<br />
Stuart McClure<br />
GM/SVP<br />
Risk and Compliance BU<br />
McAfee, Inc.
Attacks and Headlines<br />
Threats: Opportunity Meets Motivation Meets Ability…<br />
[Diagram: four threat drivers, MISUSED FUNCTIONALITY, MALICIOUS INTENT, USERS’ POOR COMMON SENSE and DESIGN FLAWS, surrounded by example threats: PDA, cell phone and wireless; bots, botnets and DDoS networks; user-propagated viruses, Trojans and password stealers; targeted attacks; social engineering, privacy breaches and collusion; spam, mass-mailers, phishing and pharming; vulnerabilities, exploits and scripted attacks; spyware, adware and PUPs]
Evolution: Motivation<br />
From Vandalism… …To Financial Gain<br />
Nation State Intelligence<br />
Intellectual Property Exfiltration<br />
Cyberterrorism
Evolution: Techniques<br />
From Viruses and Trojans…<br />
…To Advanced<br />
Persistent<br />
Threats (APTs)
Evolution: Targets<br />
From PCs, modems, Mainframes… …To Infrastructure
Myths of<br />
Infrastructure<br />
Security
Myth #10<br />
Critical infrastructure is complex<br />
and only understood by the<br />
most elite propeller heads…
SCADA<br />
• SCADA stands for supervisory control and data acquisition. It<br />
generally refers to an industrial control system: a computer system<br />
monitoring and controlling a process. The process can be industrial,<br />
infrastructure or facility-based as described below:<br />
• Industrial processes include those of manufacturing, production, power<br />
generation, fabrication, and refining, and may run in continuous, batch,<br />
repetitive, or discrete modes.<br />
• Infrastructure processes may be public or private, and include water<br />
treatment and distribution, wastewater collection and treatment, oil and<br />
gas pipelines, electrical power transmission and distribution, wind<br />
farms, civil defense siren systems, and large communication systems.<br />
• Facility processes occur both in public facilities and private ones,<br />
including buildings, airports, ships, and space stations. They monitor<br />
and control HVAC, access, and energy consumption.<br />
Source: wikipedia.org
SCADA
NIST SP800-82: Guide to ICS Security (Sept 08)
NIST SP800-82: Communications
NIST SP800-82: Full SCADA Implementation
NIST SP800-82: Railway
NIST SP800-82: DCS
NIST SP800-82: Manufacturing
SCADA
Myth #10<br />
Critical infrastructure is complex<br />
and only understood by the<br />
most elite propeller heads…
Myth #9<br />
Critical infrastructure is<br />
firewalled off from the rest of<br />
the world, especially the<br />
Internet…
SANS Diary: SCADA (Aug. 22, 2010)
Myth #9<br />
Critical infrastructure is<br />
firewalled off from the rest of<br />
the world, especially the<br />
Internet…
Myth #8<br />
Critical infrastructure systems are<br />
difficult to obtain, and only certified,<br />
approved individuals can obtain<br />
them.
ATMs
RTUs/MTUs/PLCs/HMIs/DAS/IED and more…
Biomedical
Myth #8<br />
Critical infrastructure systems are<br />
difficult to obtain, and only certified,<br />
approved individuals can obtain<br />
them.
Myth #7<br />
Critical infrastructure runs only<br />
on tightly controlled operating<br />
systems and platforms<br />
unknown by the bad guys…
Automated Teller Machines<br />
Processor : 1<br />
Processor Name : Intel(R) Pentium(R) 4 CPU 2.80GHz<br />
Vendor : GenuineIntel<br />
CPU Speed : 2814 MHz<br />
Identifier : x86 Family 15 Model 2 Stepping 9<br />
C:\ (NTFS, Size 80024M, Free 70449M)<br />
Microsoft Windows XP-Professional--Service Pack 3- (Build 2600)<br />
Installed in C:\WINDOWS.<br />
Arch: 32 bit
ATMs and SCADA
Myth #7<br />
Critical infrastructure runs only<br />
on tightly controlled operating<br />
systems and platforms<br />
unknown by the bad guys…
Myth #6<br />
These systems are secure (or<br />
at least very limited in<br />
functionality) leaving only the<br />
smallest openings for an<br />
attacker.
ATMs: Services Running (edited for your protection)<br />
Application Layer Gateway Service<br />
COM+ Event System<br />
Cryptographic Services<br />
DCOM Server Process Launcher<br />
DHCP Client<br />
Distributed Link Tracking Client<br />
DNS Client<br />
Domain Time Client<br />
Event Log<br />
IPSEC Services<br />
Vendor Specific Apps (30+)<br />
Net Logon<br />
Network Connections<br />
Network Location Awareness (NLA)<br />
Plug and Play<br />
Print Spooler<br />
Protected Storage<br />
Remote Access Connection Manager<br />
Remote Procedure Call (RPC)<br />
Secondary Logon<br />
Security Accounts Manager<br />
SNMP Service<br />
System Event Notification<br />
Task Scheduler<br />
TCP/IP NetBIOS Helper<br />
Telephony<br />
Endpoint Management Apps (2)<br />
Windows Audio<br />
Windows Firewall/Internet Connection Sharing (ICS)<br />
Windows Management Instrumentation<br />
Wireless Zero Configuration<br />
Workstation
ATMs: Listening Services<br />
Active Connections<br />
Proto Local Address Foreign Address State<br />
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:1042 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:1081 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:3011 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:3030 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:8330 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:9495 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:15948 0.0.0.0:0 LISTENING<br />
TCP 127.0.0.1:1058 0.0.0.0:0 LISTENING<br />
TCP 127.0.0.1:5920 0.0.0.0:0 LISTENING<br />
TCP 127.0.0.1:8331 0.0.0.0:0 LISTENING<br />
TCP 172.19.127.84:139 0.0.0.0:0 LISTENING<br />
TCP 172.19.127.84:1112 x.x.x.x:445 TIME_WAIT<br />
TCP 172.19.127.84:1114 x.x.x.x:445 TIME_WAIT<br />
TCP 172.19.127.84:1118 172.19.19.44:443 TIME_WAIT<br />
TCP 172.19.127.84:1120 x.x.x.x:443 TIME_WAIT<br />
TCP 172.19.127.84:1121 x.x.x.x:443 TIME_WAIT<br />
TCP 172.19.127.84:1122 x.x.x.x:443 TIME_WAIT<br />
TCP 172.19.127.84:1138 x.x.x.x:135 ESTABLISHED<br />
TCP 172.19.127.84:1139 x.x.x.x:1025 ESTABLISHED<br />
TCP 172.19.127.84:1141 x.x.x.x:443 TIME_WAIT<br />
TCP 172.19.127.84:1142 x.x.x.x:135 ESTABLISHED<br />
TCP 172.19.127.84:1143 x.x.x.x:1025 ESTABLISHED<br />
UDP 0.0.0.0:135 *:*<br />
UDP 0.0.0.0:161 *:*<br />
UDP 0.0.0.0:445 *:*<br />
UDP 0.0.0.0:500 *:*<br />
UDP 0.0.0.0:1043 *:*<br />
UDP 0.0.0.0:1082 *:*<br />
UDP 0.0.0.0:1083 *:*<br />
UDP 0.0.0.0:4500 *:*<br />
UDP 0.0.0.0:9909 *:*<br />
UDP 127.0.0.1:1025 *:*<br />
UDP 127.0.0.1:1050 *:*<br />
UDP 172.19.127.84:137 *:*<br />
UDP 172.19.127.84:138 *:*
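The point of the slide is that a "limited-functionality" ATM exposes RPC, SMB, NetBIOS and SNMP on every interface. The script below is an added example (not part of the deck) that turns `netstat -an` output into an attack-surface summary, separating network-reachable listeners from loopback-only ones; the sample is a subset of the slide's own output, and the port-to-service map is this example's own.

```python
"""Attack-surface summary from Windows `netstat -an` output (added example)."""
import re
from collections import defaultdict

# Subset of the ATM netstat output shown on the slide (x.x.x.x are the
# slide's own redactions).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1042           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3030           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5920         0.0.0.0:0              LISTENING
  TCP    172.19.127.84:139      0.0.0.0:0              LISTENING
  TCP    172.19.127.84:1138     x.x.x.x:135            ESTABLISHED
  TCP    172.19.127.84:1118     172.19.19.44:443       TIME_WAIT
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:500            *:*
  UDP    127.0.0.1:1025         *:*
  UDP    172.19.127.84:137      *:*
"""

# Well-known Windows services behind ports seen on the slide (this example's
# own map); anything else is reported as unknown / vendor-specific.
KNOWN_PORTS = {
    ("TCP", 135): "MSRPC endpoint mapper", ("TCP", 139): "NetBIOS session",
    ("TCP", 445): "SMB", ("UDP", 137): "NetBIOS name", ("UDP", 138): "NetBIOS datagram",
    ("UDP", 161): "SNMP", ("UDP", 500): "IKE", ("UDP", 4500): "IKE NAT-T",
}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\w+))?\s*$")

def parse_sockets(text):
    """Yield (proto, local_ip, port, foreign, state) for each socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ip, port, foreign, state = m.groups()
            yield proto, ip, int(port), foreign, state or ""

def exposed_listeners(text):
    """Return listening sockets grouped by bind scope: 'network' or 'loopback'.

    TCP sockets count only in LISTENING state (client connections are
    skipped); UDP sockets are always bound. Loopback binds are listed
    separately because they add nothing to the remote attack surface.
    """
    result = defaultdict(list)
    for proto, ip, port, _foreign, state in parse_sockets(text):
        if proto == "TCP" and state != "LISTENING":
            continue
        scope = "loopback" if ip.startswith("127.") else "network"
        service = KNOWN_PORTS.get((proto, port), "unknown/vendor-specific")
        result[scope].append((proto, port, service))
    for scope in result:
        result[scope].sort()
    return dict(result)

if __name__ == "__main__":
    for scope, entries in exposed_listeners(SAMPLE_NETSTAT).items():
        print(f"{scope}:")
        for proto, port, service in entries:
            print(f"  {proto} {port:<6} {service}")
```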
Myth #6<br />
These systems are secure (or<br />
at least very limited in<br />
functionality) leaving only the<br />
smallest openings for an<br />
attacker.
Myth #5<br />
Because they don’t run<br />
standard software and<br />
operating systems, they don’t<br />
really have vulnerabilities…
Smart Meters: The OFF Switch<br />
July 2010: two Cambridge researchers<br />
analyze the “off switch”:<br />
1. Non-payment<br />
2. Energy “rationing”<br />
Source: http://www.cl.cam.ac.uk/~rja14/Papers/meters-offswitch.pdf
ATMs: Default Passwords
SCADA: Siemens database default passwords<br />
• CVE-2010-2772<br />
• Siemens Simatic WinCC SCADA system<br />
– Uses hardcoded database username and password<br />
– Allows WinCC to interface with the SQL database<br />
• uid=WinCCConnect;<br />
• pwd=2WSXcder;<br />
• Then attached to specific databases:<br />
– use master select name from master..sysdatabases where filename like N'%s'<br />
– exec master..sp_attach_db 'wincc_svr',N'%s',N'%s'<br />
– exec master..sp_detach_db 'wincc_svr'<br />
– use wincc_svr
SCADA: Default Passwords…
2x the 0-days in 2010<br />
MSIE HTML Object Memory Corruption Vulnerability (Jan. 14)<br />
CVE-2010-0249 (MS10-002)<br />
MSIE Dynamic OBJECT tag and URLMON sniffing Vulnerabilities (Feb. 3)<br />
CVE-2010-0255 (MS10-035)<br />
Adobe Acrobat, Reader, Remote Code Execution Vulnerability (Feb. 11) – 5 days<br />
CVE-2010-0188 (APSB10-07) ALL PLATFORMS<br />
MSIE Uninitialized Memory Corruption Vulnerability (Mar. 9)<br />
CVE-2010-0806 (MS10-018)<br />
Adobe Flash/Reader/Acrobat authplay.dll code execution (June 4) – 24 days*<br />
CVE-2010-1297 (APSA10-01) ALL PLATFORMS<br />
Windows Shell .lnk Vulnerability (July 16) – 16 days<br />
CVE-2010-2568 (MS10-046) – Active exploitation with Stuxnet worm, many more…<br />
Apple iPhone/iPad/iPod Code Execution and Sandbox Bypass (Aug. 3) – 8 days<br />
CVE-2010-1797/CVE-2010-2972/CVE-2010-2973 – Active exploitation jailbreakme.com<br />
Adobe Reader, Acrobat, Remote Control Vulnerability (Sept. 7) – 7 days and counting<br />
CVE-2010-2883 (APSA10-02) - Active embedded PDF exploitation ROP to bypass ASLR/DEP
Stuxnet: “The most<br />
sophisticated<br />
publicly sourced<br />
worm ever seen…”<br />
Me, July 30, 2010
Stuxnet: Under the Hood<br />
• Discovered in July 2010 by VirusBlokAda company in Minsk, Belarus<br />
• Affecting 14 plants to-date in Iran, Indonesia, India, UK, North America, Korea<br />
• Targets Siemens WinCC and SIMATIC Process Control System (PCS7)<br />
• Using four 0-day vulnerabilities plus Conficker (MS08-067) *<br />
– Design flaw in Print Spooler (MS10-061/CVE-2010-2729) (patched on Tues)<br />
– LSASS Privilege Escalation Heap Overflow (MS10-068/MS09-066) (patched<br />
on Tues)<br />
• Specially crafted LDAP messages to listening LSASS service<br />
– Shortcut icon vulnerability (CVE-2010-2568/MS10-046) – affecting every<br />
version of Windows since Windows 2000 (even Win95) (patched Aug. 2)<br />
– One privilege escalation exploit (yet to be patched) *<br />
• A user opens a folder that contains the .lnk template files<br />
• Rootkit drivers signed with valid certificates (Realtek and Jmicron)<br />
• UPX packed, XOR encoded everywhere<br />
• Once loaded, queries Siemens database with known default password<br />
• Connected to C&C servers, sending sensitive data<br />
• Manipulating the database to control the HMI output and manipulating the PLCs
How Stuxnet works…<br />
• Original strain created four .lnk files on disk/USB key:<br />
– LNK file name: "Copy of Shortcut to.lnk"<br />
– MD5: CD4AAEF95C7E26A4A8188C0F19A1E612<br />
– Executes:<br />
– "\\.\STORAGE#Volume#_??_USBSTOR#Disk&Ven_&Prod_USB_FLASH_DRIVE&Rev_PMAP#0798018356734E4F&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp"<br />
– LNK file name: "Copy of Copy of Shortcut to.lnk"<br />
– MD5: F96B219DF8B3EEDF3591373F9EDD3CFD<br />
– Executes:<br />
– "\\.\STORAGE#Volume#1&19f7e59c&0&_??_USBSTOR#Disk&Ven_&Prod_USB_FLASH_DRIVE&Rev_PMAP#0798018356734E4F&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp"<br />
– LNK file name: "Copy of Copy of Copy of Shortcut to.lnk"<br />
– MD5: F291DC2BD652D47C611C8024B593B1A2<br />
– Executes:<br />
– "\\.\STORAGE#RemovableMedia#8&[ID]&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp"<br />
– LNK file name: "Copy of Copy of Copy of Copy of Shortcut to.lnk"<br />
– MD5: C93EDA637AB1DD5B2D7001E07B53D3E4<br />
– Executes:<br />
– "\\.\STORAGE#RemovableMedia#7&[ID]&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp"
How Stuxnet works…<br />
• When the folder is opened in Explorer.exe (or Total Commander), the<br />
.lnk files exploit the 0-day vulnerability to silently load the first file<br />
~WTR4141.tmp (a DLL file) into memory and pass control to it<br />
(execute it) in Explorer.exe address space<br />
– Once running, the worm’s rootkit features hide all file names ending in<br />
*.lnk and starting with ~wtr (including the above files) by hooking the<br />
following APIs:<br />
– FindFirstFileW<br />
– FindNextFileW<br />
– FindFirstFileExW<br />
– NtQueryDirectoryFile<br />
– ZwQueryDirectoryFile<br />
• Then it loads the 2nd .tmp file, ~WTR4132.tmp
How Stuxnet works…<br />
– ~WTR4132.tmp – DLL is a CPL applet containing ~12 encoded components in<br />
the last .stub section:<br />
• 298.000, 7A4E2D2638A454442EFB95F23DF391A1, s7otbxsx.dll.<br />
• 145.920, 335707EABBE7FF256E0650432ACCEC9B, svchost.dll<br />
• 102.400, F979C6A3E668C5073C4C6506461B034E, svchost.dll<br />
• 40.960, A3844A1B6BEA3F6FAF9C276858F40960, -<br />
• 26.616, F8153747BAE8B4AE48837EE17172151E, MRXCLS.SYS<br />
• 25.720, 37FC7C5D89F1E5A96F54318DF1A2B905, ~WTR4141.TMP<br />
• 17.400, ED68775A8E242933403F7791BBA2437A, MRXNET.SYS<br />
• 14.848, F9BAE53E77B31841235F698955AECE30, -<br />
• 10.240, C1CB4117D9998C79AE10C1B890C23A4D, Executable extracted<br />
from CAB<br />
• 9.728, 98FBEBD8883021FBE6464C37ACF17938, -<br />
• 5.237, D102BDAD06B27616BABE442E14461059, CAB file<br />
• 4.171, F58DBFCD6119C139E9E143D3660A1288, LNK template/skeleton
Bypassing Detection<br />
• Creates the following mutexes to ensure that only one instance of itself<br />
is running in memory:<br />
– @ssd[random number] (e.g. “@ssd094”, “@ssd083A1”)<br />
– Global\Spooler_Perf_Library_Lock_PID_01F<br />
– Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26}<br />
– Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3}<br />
– Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA}<br />
– Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3}<br />
– Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC}<br />
– Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}
Rootkit Drivers and Registry Keys…<br />
• Drops 2 malicious rootkit drivers into %Systemroot%\drivers\ folder<br />
and runs them:<br />
File name: mrxnet.sys<br />
MD5: CC1DB5360109DE3B857654297D262CA1<br />
Payload: Hides the files ending with "*.lnk" and beginning with "~wtr". Monitors system events and<br />
activities, e.g. new program loading.<br />
File name: mrxcls.sys<br />
MD5: F8153747BAE8B4AE48837EE17172151E<br />
Payload: Injects malicious code to system processes (services.exe, svchost.exe, lsass.exe)<br />
• SYSTEM\CurrentControlSet\Services\MRxCls<br />
• SYSTEM\CurrentControlSet\Services\MRxNet<br />
These two indicators are definitive ways to detect the malware running.
MRXCLS.SYS<br />
0xF8153747BAE8B4AE48837EE17172151E<br />
• Injects malicious code into existing processes (services.exe, svchost.exe,<br />
lsass.exe)<br />
• Creates HKLM\System\CurrentControlSet\Services\MRxCls registry<br />
key
MRXNET.SYS<br />
0xCC1DB5360109DE3B857654297D262CA1<br />
• Monitors system events and activities (e.g. new program loading, hides *.tmp<br />
files)<br />
• Creates HKLM\System\CurrentControlSet\Services\MRxNet registry<br />
key
MRXNET.SYS<br />
0x1E17D81979271CFA44D471430FE123A5
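The .lnk names, the ~WTR*.tmp components and the two driver files with their MD5s, taken together, are the host indicators the preceding slides describe. The scanner below is an added example (not part of the deck) that walks a directory tree and reports files matching those names or hashes; the names and MD5 values are the slides' own, while the function names and report format are this example's. Because the rootkit hooks FindFirstFileW, FindNextFileW and NtQueryDirectoryFile on an infected host, the scan is only trustworthy against a mounted offline image or a removable drive examined from a clean machine.

```python
"""Offline file-indicator scan for the Stuxnet artifacts on the slides (added example)."""
import hashlib
import os
import re

# MD5 values quoted on the slides, lower-cased for comparison.
KNOWN_MD5 = {
    "cd4aaef95c7e26a4a8188c0f19a1e612": "Copy of Shortcut to.lnk",
    "f96b219df8b3eedf3591373f9edd3cfd": "Copy of Copy of Shortcut to.lnk",
    "f291dc2bd652d47c611c8024b593b1a2": "Copy of Copy of Copy of Shortcut to.lnk",
    "c93eda637ab1dd5b2d7001e07b53d3e4": "Copy of Copy of Copy of Copy of Shortcut to.lnk",
    "37fc7c5d89f1e5a96f54318df1a2b905": "~WTR4141.tmp loader DLL",
    "cc1db5360109de3b857654297d262ca1": "mrxnet.sys rootkit driver",
    "1e17d81979271cfa44d471430fe123a5": "mrxnet.sys rootkit driver (variant)",
    "f8153747bae8b4ae48837ee17172151e": "mrxcls.sys injector driver",
}

# File-name rules: the "Copy of ... Shortcut to.lnk" chain, the ~WTR*.tmp
# components and the two driver names dropped into %Systemroot%\drivers.
NAME_RULES = [
    (re.compile(r"^(copy of )+shortcut to\.lnk$", re.I), "Stuxnet .lnk dropper name"),
    (re.compile(r"^~wtr\d+\.tmp$", re.I), "Stuxnet ~WTR*.tmp component name"),
    (re.compile(r"^mrx(net|cls)\.sys$", re.I), "Stuxnet rootkit driver name"),
]

def classify_name(filename):
    """Return the label of the first matching name rule, or None."""
    for pattern, label in NAME_RULES:
        if pattern.match(filename):
            return label
    return None

def md5_of(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks so large images stay cheap on memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root):
    """Walk `root` and report files matching a known name or a known MD5.

    Only plausible carriers (.lnk, .tmp, .sys, or a name hit) are hashed.
    A name hit with an unknown hash is still reported: the slides list only
    some variants, and the driver names stay fixed while contents differ.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            name_hit = classify_name(name)
            if not name_hit and not name.lower().endswith((".lnk", ".tmp", ".sys")):
                continue
            path = os.path.join(dirpath, name)
            digest = md5_of(path)
            findings.append({"path": path, "name_rule": name_hit,
                             "known_hash": KNOWN_MD5.get(digest), "md5": digest})
    return [f for f in findings if f["name_rule"] or f["known_hash"]]

if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['path']}: {f['name_rule'] or ''} {f['known_hash'] or ''} md5={f['md5']}")
```

The SYSTEM\CurrentControlSet\Services\MRxCls and MRxNet keys named on the slides are the complementary registry check; they live in the offline SYSTEM hive, which this file scan does not parse.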
Stuxnet: Propagating…<br />
• Spreads to removable drives and network shares:<br />
– Attempts to access ADMIN$ and IPC$<br />
• Checks whether SCADA software is installed on the<br />
infected machine by checking following registry keys:<br />
– SOFTWARE\SIEMENS\STEP7<br />
– SOFTWARE\SIEMENS\WinCC\Setup
Stuxnet: Pilfering…<br />
• Connects to the Siemens database using default<br />
credentials, pulls data<br />
• Searches for files on the Siemens systems:<br />
– GracS\cc_tlg7.sav<br />
– GracS\cc_alg.sav<br />
– GracS\db_log.sav<br />
– GracS\cc_tag.sav<br />
– s7tgtopx.exe (used to recompile the Safety Program)<br />
– Many more…
Stuxnet: Command and Control (C&C/C2)<br />
• Worm checks internet connectivity by accessing two legitimate sites:<br />
– www.windowsupdate.com (65.54.221.118)<br />
– www.msn.com (65.55.17.25)<br />
• Malware sends current IP address as well as following information to<br />
the C2 server:<br />
– GetUserNameW() – Retrieves the name of the user associated with the<br />
current thread (Explorer or Total Commander processes).<br />
– GetComputerNameW() - Retrieves the NetBIOS name of the local<br />
computer established at system startup. If the caller is running under a<br />
client session, this function returns the server name.<br />
– NetGetJoinInformation() - Retrieves join status information for the<br />
specified computer (NetBIOS name of the domain or workgroup to which<br />
the computer is joined)
Stuxnet: Command and Control (C&C/C2)<br />
• Stuxnet attempts to access following C&C servers:<br />
– www.mypremierfutbol.com<br />
– www.todaysfutbol.com<br />
• The data is encrypted and sent:<br />
– http://mypremierfutbol.com/index.php?data=66a96e2888c9bb53f503e334d5d775e99b7905ac6e541529e2dadd4640fa3f995391d36ff2a7c058a21d699d2fb4a875ec1ce7a0f9e7dd11b6bfa1fe5377d602c39621b7f329<br />
• Malware uses RPC protocol for requesting a service from the client<br />
(compromised machine) over the network.<br />
• Following actions may be executed as a response to RPC calls:<br />
– create process, terminate process, read file, write file, delete file, set file<br />
attribute, inject file to a system process
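The two C2 slides give a defender three things to look for in web-proxy logs: the two C2 hosts, the `index.php?data=<long hex>` beacon shape, and the connectivity check against windowsupdate.com and msn.com that precedes it. The detector below is an added example (not part of the deck) that applies all three; the log format and sample lines are constructed for this example, and the 64-hex-character threshold is an assumption chosen from the slide's 141-character payload.

```python
"""Stuxnet-style C2 beacon detection over proxy logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

C2_HOSTS = {"mypremierfutbol.com", "todaysfutbol.com"}          # from the slide
CONNECTIVITY_HOSTS = {"windowsupdate.com", "msn.com"}           # from the slide
# The slide's beacon carries a long hex blob in `data`; 64+ hex chars is an
# assumed threshold for the generic rule.
HEX_PARAM_RE = re.compile(r"^[0-9a-f]{64,}$", re.I)

# Constructed proxy log: "<epoch> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
1284800001 172.19.127.84 GET http://www.windowsupdate.com/ 200
1284800002 172.19.127.84 GET http://www.msn.com/ 200
1284800005 172.19.127.84 GET http://mypremierfutbol.com/index.php?data=66a96e2888c9bb53f503e334d5d775e99b7905ac6e541529e2dadd4640fa3f995391d36ff2a7c058a21d699d2fb4a875ec1ce7a0f9e7dd11b6bfa1fe5377d602c39621b7f329 200
1284800009 172.19.127.90 GET http://intranet.example/index.php?data=report 200
1284800012 172.19.127.91 GET http://www.msn.com/ 200
1284800013 172.19.127.91 GET http://cdn.example/index.php?data=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 200
"""

def base_domain(host):
    """Strip a leading 'www.' so www.msn.com and msn.com compare equal."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def inspect_request(url):
    """Return the list of reasons a URL looks like the Stuxnet beacon."""
    parts = urlsplit(url)
    host = base_domain(parts.hostname or "")
    reasons = []
    if host in C2_HOSTS:
        reasons.append("known Stuxnet C2 host")
    data = parse_qs(parts.query).get("data", [""])[0]
    if parts.path.endswith("/index.php") and HEX_PARAM_RE.match(data):
        reasons.append("index.php?data=<long hex> beacon shape")
    return reasons

def find_beacons(log_text, window=60):
    """Return alerts as (client, epoch, url, reasons, preceded_by_connectivity_check).

    The last field is True when the same client fetched both connectivity
    check hosts within `window` seconds before the beacon, as on the slide.
    """
    recent = {}   # client -> {connectivity host: last epoch seen}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        epoch, client, _method, url, _status = line.split()
        epoch = int(epoch)
        host = base_domain(urlsplit(url).hostname or "")
        if host in CONNECTIVITY_HOSTS:
            recent.setdefault(client, {})[host] = epoch
            continue
        reasons = inspect_request(url)
        if reasons:
            seen = recent.get(client, {})
            checked = all(epoch - seen.get(h, -10**9) <= window for h in CONNECTIVITY_HOSTS)
            alerts.append((client, epoch, url, reasons, checked))
    return alerts

if __name__ == "__main__":
    for client, epoch, url, reasons, checked in find_beacons(SAMPLE_LOG):
        print(f"{epoch} {client} {', '.join(reasons)} connectivity-check={checked} {url[:60]}")
```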
STUXNET REVERSING<br />
DEMO
Stuxnet: HELP<br />
• Siemens UPDATE -<br />
http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&siteid=cseus&aktprim=0&extranet=standard&viewreg=WW&objid=10805577&treeLang=en<br />
• Siemens Security Whitepaper<br />
http://cache.automation.siemens.com/dnl/jE/jE2MjIwNQAA_26462131_HB/wp_sec_b.pdf<br />
• Countermeasures<br />
– Tool to detect the malware<br />
– SIMATIC Security Update (checks if the Microsoft update is present)<br />
• Process for removing malware<br />
– Apply Microsoft patches to your systems<br />
– Harden your systems<br />
• Apply a security template<br />
• Disable USB ports<br />
– Firewalls and AV, etc.
Iran – Bushehr Nuclear Power, Persian Gulf (Feb.09)<br />
Source: United Press International
Myth #5<br />
Because they don’t run<br />
standard software and<br />
operating systems, they don’t<br />
really have vulnerabilities…
Myth #4<br />
No one is that bored to target<br />
these systems.
BlackHat 2010 – Las Vegas, NV
ATMs: Vulnerabilities (Physical)<br />
July 2010 – Barnaby Jack (Triton)<br />
• Use generic ATM key purchased online<br />
for $10US<br />
• Open the front cover with key, insert<br />
USB key with customized Windows CE<br />
firmware<br />
• Rebooting to USB key boots off of the<br />
customized firmware which empties the<br />
ATM of cash – Jackpot!!
ATMs: Vulnerabilities (Cyber)<br />
July 2010 – Barnaby Jack (Tranax)<br />
• Bypass vulnerability in Remote Management<br />
Authentication (Tranax fixed in Nov. 2009)<br />
• Allows for uploading of firmware (with rootkit)<br />
and reboot<br />
• Once running the new firmware allows:<br />
– Upload Rootkit, Reset to Default, Get Track<br />
Data, Get ATM Settings, Jackpot!<br />
• Rootkit also provides:<br />
– Backdoor menu from keypad sequence
Infrastructure Hacks - Missouri
BHO<br />
DEMO
Myth #4<br />
No one is that bored to target<br />
these systems.
Myth #3<br />
Whatever problems exist, they<br />
can’t really do any real<br />
damage…
Bakery
Public Transportation
Diesel Generator: This is just a test…<br />
(the Original “Operation Aurora”)<br />
• DHS exercise demonstrated the link between cyber and physical on<br />
CNN…
Biomed: Implantable Medical Devices<br />
• FDA has issued 23 recalls on IMDs in<br />
2010 – six caused by software defects.<br />
• In 2008, three universities came together<br />
to reverse-engineer 2003 IMDs; they were able to:<br />
– Extract private data<br />
– Reprogram the therapy<br />
settings<br />
– Keep the device “awake”<br />
to run out the battery quicker<br />
– Disable the “shocking” mechanism to<br />
regulate beat<br />
– Introduce additional “shock” to produce<br />
fibrillation<br />
Source: http://www.secure-medicine.org/icd-study/icd-study.pdf<br />
• In 2010 the FDA launched an initiative to “Reduce Infusion<br />
Pump Risks”… but nothing related to security.
Avionics: Spanair Flight 5022<br />
• Aug. 2008 crash killed 154<br />
• Malware on diagnostic systems implicated<br />
• Full report comes out in Dec. 2010
Myth #3<br />
Whatever problems exist, they<br />
can’t really do any real<br />
damage…
Myth #2<br />
There is nothing we can do…it<br />
is hopeless…
DOE report<br />
• May 2010 Report from Idaho National Laboratory<br />
– http://www.fas.org/sgp/eprint/nstb.pdf<br />
• Top Vulnerabilities in Industrial Control Systems (ICS)<br />
• Most Likely Access Vector:<br />
Unpatched Vulnerabilities
Infrastructure Control Frameworks<br />
• NIST SP 800-82 (requirements) Guide to ICS Security<br />
Sept. 2008<br />
– 4.2.6 Perform Risk and Vulnerability Assessment<br />
– 5.1 Firewalls<br />
– 5.3 Network segregation<br />
– 5.6 Firewall rules<br />
– 5.11 Preventing man-in-the-middle attacks<br />
– 6 ICS Security Controls<br />
• NISTIR 7628 (guidelines) – Smart Grid Cyber Security<br />
Aug. 10, 2010<br />
– CIA model measurements<br />
– SG.CA-1 Security Assessment and Authorization Policy and<br />
Procedures
NERC (Project 2008-06 Cyber Security Order 706)<br />
• North American Electric Reliability Council (NERC)’s<br />
Critical Infrastructure Protection (CIP) initiatives cover:<br />
– CIP-002-2 – Critical Cyber Asset Identification<br />
– CIP-003-2 – Security Management Controls<br />
– CIP-004-2 – Personnel and Training<br />
– CIP-005-2 – Electronic Security Perimeter(s)<br />
– CIP-006-2a – Cyber Security (Physical Security)<br />
– CIP-007-2 – Systems Security Management<br />
– CIP-008-2 – Incident Reporting and Response Planning<br />
– CIP-009-2 – Recovery Plans for Critical Cyber Assets<br />
http://www.nerc.com/files/CIP-003-1.pdf<br />
http://www.nerc.com/files/CIP-004-2.pdf
SCADA: SANS Handler’s Diary<br />
Manuel Humberto Santander Pelaez (working @ Utility Company)<br />
8/22/10<br />
“The corporate antivirus didn't work because it<br />
consumed all the resources of the DAS and the<br />
HMI. Same happened with the Host IPS. The<br />
solution we found for the problem was SolidCore<br />
S3 product<br />
(http://www.solidcore.com/products/s3control.html),<br />
as it was non-intrusive, did not add<br />
extra layers and virtual devices to the operating<br />
system and controlled very good the zero-day<br />
problems.”
Myth #2<br />
There is nothing we can do…it<br />
is hopeless…
Myth #1 DENIAL WORKS…<br />
“According to Chris King, Chief Strategy and Regulatory<br />
Officer at eMeter Corporation…when asked about security<br />
threats within the Smart Grid, King noted that the Smart<br />
Grid does not present any new security threats and<br />
highlights that technologies today are more secure than<br />
ever.”<br />
Sept. 2010
BONUS?
Apple and Jailbreakme.com<br />
• jailbreakme.com web site checks user-agent and other values to<br />
determine appropriate response<br />
• If non-iPhone OS device - post informational page (browser-side<br />
JavaScript checking)<br />
• If iPhone/iPod/iPad, PDF is served up<br />
• PDF contains FreeType CFF Font exploit that owns MobileSafari<br />
(~userland only)<br />
• IOSurface kernel mode exploit is used to own base OS<br />
• Cydia is downloaded and installed<br />
• Complete control of device is obtained, and package management is<br />
provided
Initial screen (blue pill or red pill ? )
iPad being owned
PCAP of ownage – User-Agent values checked
First request is for wallpaper
Owned – now grab Cydia, etc
Thank you!<br />
stuart_mcclure@mcafee.com<br />
www.hackingexposed.com