SCADA and Control Systems Security Group (SCADASEC) Findings
2010 Applied Control Systems (ACS) Conference
September 20-23, 2010

Bob Radvanovsky, CIFI, CISM, CIPS
Jacob Brodsky, PE

Enumerating and Validating ICS Devices

Creative Commons License v3.0.
Who and what is “Infracritical”?

• Leads industry and business in Critical Infrastructure Protection (CIP).
   – Provides guidance and direction to both public and private sectors through information sharing and ‘best practices’.
   – Established open public discussion forums on current and relevant topics and affairs.
   – Defines a strategic vision of ‘future thought’ in infrastructure development and support.
• Liaises between government and industry on strategy.
• Sponsor and founder of the SCADASEC e-mail list.
Presentation Agenda

• Outline results from ‘The Gathering’ (May 2010).
• Reasons for having ‘The Gathering’.
• Latest projects:
   – Enumerate and validate industrial automation/control systems devices (fingerprinting).
   – Catalog devices by genus, manufacturing type, make, model, and the results found, into a centralized data repository.
   – Allow for variances of information found ‘in the wild’.
   – Enumeration uses ‘open source’ security tools.
   – Currently performing validation tests against the Hirschmann ICS firewall (Hirschmann EAGLE TX/TX).
Outline Results from ‘The Gathering’ (May 2010)

• Established in May 2010, ‘The Gathering’ provided common ground for representatives of commercial interests, academia and law enforcement.
• Discussed security concepts, issues and vulnerabilities of the ICS equipment that was brought and shared.
• Discussed and shared engineering methods to improve the performance of said equipment, both operationally and in terms of security.
Reasons for Having ‘The Gathering’

• Need based on a “show ‘n tell” principle.
• Allows participants to see, work with and handle ICS equipment in a way that would otherwise not be possible.
• Allows participants to share ideas, concepts and ideologies.
• Discuss methods of improving the performance of the shared ICS equipment.
• Write recommendations for manufacturers.
Other Discoveries

• We are limiting public discussion on these discoveries.
• Schweitzer SEL-3620:
   – The SSL interface survived the overnight assault from the Mu Dynamics fuzzer device.
   – No problems found.
• Another popular industrial switch’s TELNET interface:
   – 158 problems found.
• Write recommendations for manufacturers.
Project ‘Enlightenment’

• Validate CSET/CS2SAT network maps.
• Develop and exercise controlled methods of enumerating ICS equipment and appliances.
• Acquire intelligence from ICS equipment supplied by ICS owner-operators and private donors.
• Enumerate through several methods:
   – IT protocols: HTTP/HTTPS, SSH, SSL certificates, SNMP, etc.
   – control system protocols: Modbus, Profibus, DNP, EtherNet/IP, etc.
Project ‘NINJA’ (Network INtelligence Joint Analysis)

• Catalog intelligence acquired from ‘The Gatherings’ and from ‘Enlightenment’.
• Centralize a data repository for public viewing (vetted).
• Provide sensitive intelligence for dissemination through encrypted methods:
   – encrypted email (automatic)
   – encrypted web portal(s)
• Website: www.thinklikeninja.com
Current Enumeration: Hirschmann EAGLE TX/TX

• One of the more recognized industrial automation firewalls.
• Hirschmann Automation and Control (HAC) GmbH was acquired by Belden Inc. (formerly Belden Wire & Cable, Inc.) in 2007.
• The software of the Hirschmann EAGLE and EAGLE mGuard firewalls was written by Innominate Security Technologies.
• Innominate Security Technologies was acquired by Phoenix Contact in 2008.
(image: the actual model of the device tested)
Hirschmann Enumeration: Discoveries Found with Firewall

• The actual software of the Hirschmann ICS firewall was written by Innominate Security Technologies.
• Software from Innominate can be used interchangeably between the Hirschmann and Innominate versions.
• Software and firmware would be synchronized.
• Software after v4.2.3 required a ‘license upgrade’ (even though we had updates up to v7.0.1).
• Firmware after v4.2.3 had similar requirements.
Hirschmann Enumeration: Discoveries Found with Firewall

(image: actual ICS screen shot)
• Tests were performed against two (2) firewalls:
   – Firewall #1: Innominate
   – Firewall #2: Hirschmann
Hirschmann Enumeration: Discoveries Found with Firewall

• Firmware v3.0.1 (up to and including v3.1.1) dropped its ARP tables during ‘normal’ port scans, requiring multiple attempts to connect to the firewall.
• Firmware v4.0.4 (and higher) did not drop ARP tables.
• However, firmware v4.0.4, when attacked with a vulnerability scan, produced inconsistent fingerprinting results; in most cases, no fingerprint at all.
• NMAP (as of v5.35DC1) thinks the Hirschmann is a wireless access point / wireless router.
Hirschmann Enumeration: Discoveries Found with Firewall

Partial output from the following command: nmap -sS -v -O 1.1.1.1 -T3 -PN -v

    Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-16 19:15 CDT
    …
    Device type: WAP|specialized|print server|storage-misc|general purpose|broadband router|firewall
    Running (JUST GUESSING) : Linux 2.4.X|2.6.X (98%), HP embedded (94%), Netgear RAIDiator 4.X (94%), MontaVista Linux 2.4.X (94%), Actiontec embedded (93%), Fortinet embedded (91%), Google embedded (91%)
    OS fingerprint not ideal because: Timing level 3 (Normal) used
    Aggressive OS guesses: DD-WRT v23 (Linux 2.4.36) (98%), Linux 2.4.21 (embedded) (95%), DD-WRT v23 (Linux 2.4.34) (95%), HP 4200 PSA (Print Server Appliance) model J4117A (94%), Netgear ReadyNAS Duo NAS device (RAIDiator 4.1.4) (94%), MontaVista embedded Linux 2.4.17 (94%), Actiontec GT701 DSL modem (93%), Linux 2.4.20 (92%), Fortinet FortiGate-60B or -100A firewall (91%), Google Mini search appliance (91%)
    No exact OS matches for host (test conditions non-ideal).
    …
Hirschmann Enumeration: Discoveries Found with Firewall

• Ports open on the INTERNAL network interface include:
   – 22 (SSH), 53 (DNS), 443 (HTTPS) and 1720 (H.323)
• Enumeration of the device included testing over:
   – SNMP and HTTPS connections
• The enumeration method uses an ‘open source’ tool.
• One tool that will be heavily used is NMAP v5 (and newer).
• NMAP (since version 4) integrates a scripting language.
• The NMAP Scripting Engine (NSE) uses the Lua language (www.lua.org); scripts and their documentation are at www.nmap.org/nsedoc.
• Over 150 (and growing) common scripts are available from Insecure.
Hirschmann Enumeration: Discoveries Found with Firewall

• During one vulnerability scan, NMAP had difficulty fingerprinting the operating system (it is running an embedded Linux v2.4.36).
• The device is currently available for evaluation by the general public.
• Access has been granted to the INTERNAL network interface.
• Use the command-line (CLI) version of NMAP; the Mac and UNIX/Linux versions appear to work better with the NSE script.
• A script was written specifically for enumerating the Hirschmann.
• The script is currently in ‘draft mode’ and is being finalized.
• The current version of the enumeration script is ‘mguard-10091201.nse’.
Hirschmann Enumeration: Discoveries Found with Firewall

If the Hirschmann EAGLE mGuard TX/TX enumeration script is used, the output will look something like this:
# nmap --script=./mguard-10091201.nse 1.1.1.1 -PN

    Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 12:48 CDT
    Nmap scan report for xxx (1.1.1.1)
    Host is up (0.0096s latency).
    Not shown: 996 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    53/tcp   open     domain
    443/tcp  open     https
    | mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
    | ** IF YOU REQUIRE MORE INFO, USE THE "-v" OPTION
    | ............Flash ID               : 420401db459c83e7
    |_............Manufacturer of device : Hirschmann
    1720/tcp filtered H.323/Q.931

    Nmap done: 1 IP address (1 host up) scanned in 2.62 seconds

Note the flash ID number; the ID is obtained via the SSL certificate.
Hirschmann Enumeration: Discoveries Found with Firewall

If the verbose option of the Hirschmann EAGLE mGuard TX/TX enumeration script is used:
# nmap --script=./mguard-10091201.nse 1.1.1.1 -PN -v

    Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 10:24 PDT
    NSE: Loaded 1 scripts for scanning.
    Initiating Parallel DNS resolution of 1 host. at 10:24
    Completed Parallel DNS resolution of 1 host. at 10:24, 0.06s elapsed
    Initiating Connect Scan at 10:24
    Scanning xxxx (1.1.1.1) [1000 ports]
    Discovered open port 53/tcp on 1.1.1.1
    Discovered open port 22/tcp on 1.1.1.1
    Discovered open port 443/tcp on 1.1.1.1
    Completed Connect Scan at 10:24, 5.62s elapsed (1000 total ports)
    NSE: Script scanning 1.1.1.1.
    NSE: Starting runlevel 1 (of 1) scan.
    Initiating NSE at 10:24
    Completed NSE at 10:25, 6.06s elapsed
    ...
Hirschmann Enumeration: Discoveries Found with Firewall

(continued)
    Nmap scan report for xxx (1.1.1.1)
    Host is up (0.096s latency).
    Not shown: 992 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    53/tcp   open     domain
    135/tcp  filtered msrpc
    139/tcp  filtered netbios-ssn
    443/tcp  open     https
    | mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
    | ** PHASE 1: TLS/SSL certificate verification
    | ....Step 1: SSL certificate info   : CONFIRMED
    | ....Step 2: SSL certificate MD5 hash information
    | ............Flash ID               : 420401db459c83e7
    | ............Organization name      : Hirschmann Automation and Control GmbH
    | ............SSL certificate MD5    : c93063872150383b879a69f65ab6d7e5
    | ............SSL certificate version: 4.2.1 or newer
Hirschmann Enumeration: Discoveries Found with Firewall

(continued)
    | ** PHASE 2: File presence verification
    | ....Step 1: Existence of "/favicon.ico"
    | ............File favicon.ico MD5   : 7449c1f67008cc3bfabbc8f885712207
    | ............Server type/version    : 4.2.1 or newer
    | ....Step 2: Existence of "/gai.js"
    | ............File gai.js MD5        : e7696a86648dcdb6efb2e497e5a8616b
    | ............Server type/version    : 4.2.1
    | ....Step 3: Existence of "/style.css"
    | ............File style.css MD5     : d71581409253d54902bea82107a1abb2
    | ............Server type/version    : 4.2.1
    | ** PHASE 3: HTML pattern matching verification
    | ....Step 1: Confirmation of HTML code per version
    | ............HTML code verified     : CONFIRMED
    | ............HTML code variant      : Hirschmann
    | ....Step 2: Confirmation web server verification
    | ............Web server verified    : CONFIRMED
    | ............Web server name/type   : fnord
    | ............Web server version     : 1.6
Hirschmann Enumeration: Discoveries Found with Firewall

(continued)
    | ** PHASE 4: Documentation
    | ....Step 1: Documentation exist?   : YES
    |.............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_BAT54_SW_Rel754_en.pdf
    |_............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_EAGLE_401_EN.pdf

    Read data files from: /usr/local/share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 13.02 seconds
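The phased check shown in the output above (certificate subject, MD5 digests of static files, web server banner) can be reproduced as a short NSE script. The following is an added illustrative script, not the authors' mguard-10091201.nse, which is not published on these slides. It assumes a current Nmap with the http, sslcert and openssl NSE libraries (the sslcert library postdates the 5.35DC1 release used on the slides), reuses the three file digests and the ‘fnord’ server name printed above as its known indicators, and leaves out the documentation phase, whose URLs are masked above. The script name, the two-indicator threshold and the decision to hash the PEM form of the certificate are the example's own choices.

```lua
-- mguard-fingerprint.nse : added illustrative example, not the authors'
-- mguard-10091201.nse. Assumed usage on a current Nmap:
--   nmap -Pn -p 443 --script ./mguard-fingerprint.nse 1.1.1.1
local http      = require "http"
local openssl   = require "openssl"
local shortport = require "shortport"
local sslcert   = require "sslcert"
local stdnse    = require "stdnse"
local string    = require "string"
local table     = require "table"

description = [[
Fingerprints a Hirschmann EAGLE / Innominate mGuard firewall through its
HTTPS management interface: TLS certificate subject, MD5 digests of
static files, and the HTTP Server header.
]]
author = "illustrative example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

portrule = shortport.port_or_service(443, "https")

-- Static-file digests as printed on the slides for firmware 4.2.1.
-- Assumption: other firmware levels yield other digests, which the script
-- reports as unknown rather than matching.
local KNOWN_FILES = {
  { path = "/favicon.ico", md5 = "7449c1f67008cc3bfabbc8f885712207", version = "4.2.1 or newer" },
  { path = "/gai.js",      md5 = "e7696a86648dcdb6efb2e497e5a8616b", version = "4.2.1" },
  { path = "/style.css",   md5 = "d71581409253d54902bea82107a1abb2", version = "4.2.1" },
}

local function md5hex(data)
  return stdnse.tohex(openssl.md5(data))
end

action = function(host, port)
  local out, hits = {}, 0

  -- Phase 1: TLS certificate subject. The slides show the organization
  -- name "Hirschmann Automation and Control GmbH" in the certificate.
  local ok, cert = sslcert.getCertificate(host, port)
  if ok and cert and cert.subject then
    local org = cert.subject.organizationName or ""
    table.insert(out, "Certificate organization : " .. org)
    if cert.pem then
      -- Assumption: the slides do not say which encoding they hashed;
      -- the PEM text is hashed here.
      table.insert(out, "Certificate MD5 (PEM)    : " .. md5hex(cert.pem))
    end
    if org:find("Hirschmann", 1, true) or org:find("Innominate", 1, true) then
      hits = hits + 1
    end
  end

  -- Phase 2: static files. A digest match pins the firmware level; a 200
  -- response with an unknown digest is reported but not counted.
  for _, known in ipairs(KNOWN_FILES) do
    local resp = http.get(host, port, known.path)
    if resp and resp.status == 200 and resp.body then
      local digest = md5hex(resp.body)
      if digest == known.md5 then
        hits = hits + 1
        table.insert(out, string.format("%-24s : %s (version %s)", known.path, digest, known.version))
      else
        table.insert(out, string.format("%-24s : %s (unknown digest)", known.path, digest))
      end
    end
  end

  -- Phase 3: HTTP Server header (server name "fnord", version 1.6 on the
  -- tested unit).
  local root = http.get(host, port, "/")
  if root and root.header and root.header["server"] then
    local srv = root.header["server"]
    table.insert(out, "Server header            : " .. srv)
    if srv:lower():find("fnord", 1, true) then
      hits = hits + 1
    end
  end

  -- Require two independent indicators before claiming a match, so a lone
  -- favicon collision or a reused certificate does not trigger it.
  if hits < 2 then
    return nil
  end
  table.insert(out, 1, string.format(
    "Device matches Hirschmann/Innominate mGuard profile (%d indicators)", hits))
  return stdnse.format_output(true, out)
end
```

Each phase is independent, so a unit that drops its ARP table mid-scan (as the v3.x firmware did) still yields whatever indicators were collected before the connection was lost; only the final verdict is withheld when fewer than two indicators agree.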
Hirschmann Enumeration: Discoveries Found with Firewall

The following is a sample taken from the startup log while connected to the console:

    ...
    Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/i2c/i2c-adap-ixp425.o
    Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/max6625.o
    Warning: loading max6625 will taint the kernel: non-GPL license - Proprietary
    See http://www.tux.org/lkml/#export-tainted for information about tainted modules
    Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/power.o
    Warning: loading power will taint the kernel: non-GPL license - Proprietary
    Eagle: PHY sysctl directory registered.
    See http://www.tux.org/lkml/#export-tainted for information about tainted modules
    ...

Thoughts about this?
Hirschmann Enumeration: Summary of the Unit

• The unit lets the secured (internal) side configure the firewall.
   – The management interface is vulnerable to cross-site scripting (XSS) and session hijacking.
   – Malware that gets inside the secured network can therefore still cause damage.
   – Other propagation methods for malware include USB, VLAN attacks/mistakes, operator errors, crossed cables, etc.
   – Out-of-band management of the firewall is needed.
• Licensing problems could make the unit a deliberate target.
• The ARP table ought to have a static (hard-wired) option.
• Not a stateful firewall; not aware of industrial protocols.
One More Thing… Interesting Coincidence?

• At the time of writing this presentation, the firewall was probed from several IP addresses in China; one of them is shown below (the unit's clock was unset, hence the 2000-01-01 timestamps):
    2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast address to master interface
    2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification string from 202.116.160.75
    2000-01-01_16:01:37.07397 user.debug: Jan 1 16:01:37 kernel: br0.0001: del 01:00:5e:00:00:01 mcast address from master interface
    2000-01-01_16:01:37.33267 user.info: Jan 1 16:01:37 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.

• Here's the WHOIS information for this IP address:
    inetnum:       202.116.160.0 - 202.116.175.255
    netname:       SCAU-CN
    descr:         华南农业大学
    descr:         South China Agricultural University
    descr:         Guangzhou, Guangdong 510642, China
    country:       CN
Next Gathering

• Mu Dynamics has been very supportive.
• Location and time:
   – SCADA CYBER SECURITY WORKSHOP, November 3-4, 2010, Southern Methodist University, Dallas, TX
   – http://www.nacmast.com/scada-workshop-registration
• Continue the “Enlightenment” and “NINJA” programs:
   – Introduce and educate the next generation of SCADA security specialists.
   – Gather data on other user-provided devices.
   – Work on CSET validation software.
• Discuss theoretical and practical issues with the devices we test.
Conclusion

• Combining ‘The Gatherings’ with the intelligence gathered through enumeration and validation tests, we feel that there will be more to come … much more.
• So far, we have a small suite of scripts for the following:
   – Hirschmann Automation and Control GmbH (HAC)
   – Allen-Bradley (aka Rockwell)
   – Rockwell Automation
   – Siemens
   – Electro Industries / GaugeTech (EIG)
Questions?

Bob Radvanovsky, (630) 673-7740, rsradvan@infracritical.com
Jacob Brodsky, (443) 285-3514, jbrodsky@infracritical.com
Regression analysis: Simple Linear Regression Multiple Linear RegressionRavindra Nath Shukla
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in managementchhavia330
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewasmakika9823
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Lviv Startup Club
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Servicediscovermytutordmt
 
Progress Report - Oracle Database Analyst Summit
Progress  Report - Oracle Database Analyst SummitProgress  Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst SummitHolger Mueller
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒anilsa9823
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsApsara Of India
 
DEPED Work From Home WORKWEEK-PLAN.docx
DEPED Work From Home  WORKWEEK-PLAN.docxDEPED Work From Home  WORKWEEK-PLAN.docx
DEPED Work From Home WORKWEEK-PLAN.docxRodelinaLaud
 
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxSocio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxtrishalcan8
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...anilsa9823
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Delhi Call girls
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessAggregage
 

Dernier (20)

Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis:  Simple Linear Regression Multiple Linear RegressionRegression analysis:  Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear Regression
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in management
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
 
KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Service
 
Progress Report - Oracle Database Analyst Summit
Progress  Report - Oracle Database Analyst SummitProgress  Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst Summit
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
 
DEPED Work From Home WORKWEEK-PLAN.docx
DEPED Work From Home  WORKWEEK-PLAN.docxDEPED Work From Home  WORKWEEK-PLAN.docx
DEPED Work From Home WORKWEEK-PLAN.docx
 
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxSocio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for Success
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 

ACS-2010

4. Outline Results from 'The Gathering' (May 2010)
• Established in May 2010, 'The Gathering' provided common ground for representatives of commercial interests, academia and law enforcement.
• Discussed security concepts, issues and vulnerabilities in the ICS equipment that participants brought and shared.
• Discussed and shared engineering methods to improve the performance of that equipment, both operationally and from a security standpoint.
5. Reasons for Having 'The Gathering'
• Need based on a "show 'n tell" principle.
• Allows participants to see, work with and handle ICS equipment that would otherwise not be accessible to them.
• Allows participants to share ideas, concepts and ideologies with each other.
• Discuss methods of improving the performance of the shared ICS equipment.
• Write recommendations for manufacturers.
6. Other Discoveries
• We are limiting public discussion of these discoveries.
• Schweitzer SEL-3620:
   – The SSL interface survived an overnight assault from the Mu Dynamics fuzzer appliance.
   – No problems found.
• Another popular industrial switch's TELNET interface:
   – 158 problems found.
• Write recommendations for manufacturers.
7. Project 'Enlightenment'
• Validate CSET/CS2SAT network maps.
• Develop and exercise controlled methods of enumerating ICS equipment and appliances.
• Acquire intelligence from ICS equipment supplied by ICS owner-operators and private donors.
• Enumerate through several methods:
   – IT protocols: HTTP/HTTPS, SSH, SSL certificates, SNMP, etc.
   – Control system protocols: Modbus, Profibus, DNP3, EtherNet/IP, etc.
8. Project 'NINJA' (Network INtelligence Joint Analysis)
• Catalog intelligence acquired from 'The Gatherings' and from 'Enlightenment'.
• Centralized data repository for public viewing (vetted).
• Provide sensitive intelligence for dissemination through encrypted methods:
   – encrypted email (automatic)
   – encrypted web portal(s)
• Website: www.thinklikeninja.com
9. Current Enumeration: Hirschmann EAGLE TX/TX
• One of the more widely recognized industrial automation firewalls.
• Hirschmann Automation and Control (HAC) GmbH was acquired by Belden Inc. (formerly Belden Wire & Cable, Inc.) in 2007.
• The software of the Hirschmann EAGLE and EAGLE mGuard firewalls was written by Innominate Security Technologies.
• Innominate Security Technologies was acquired by Phoenix Contact in 2008.
[image: the actual model of the device tested]
10. Hirschmann Enumeration: Discoveries Found with Firewall
• The software in the Hirschmann ICS firewall was actually written by Innominate Security Technologies.
• Innominate's software can be used interchangeably between the Hirschmann and Innominate versions of the device.
• Software and firmware would then be synchronized.
• Software after v4.2.3 required a 'license upgrade' (even though we had updates up to v7.0.1).
• Firmware after v4.2.3 had similar requirements.
11. Hirschmann Enumeration: Discoveries Found with Firewall
[image: actual ICS screenshot]
• Tests were performed against two (2) firewalls:
   – Firewall #1: Innominate
   – Firewall #2: Hirschmann
12. Hirschmann Enumeration: Discoveries Found with Firewall
• Firmware v3.0.1 (up to and including v3.1.1) dropped its ARP table during 'normal' port scans, requiring multiple attempts to connect to the firewall.
• Firmware v4.0.4 (and higher) did not drop the ARP table.
• However, firmware v4.0.4, when subjected to a vulnerability scan, produced inconsistent fingerprinting results; in most cases no fingerprint at all.
• Nmap (as of v5.35DC1) thinks the Hirschmann is a wireless access point / wireless router.
13. Hirschmann Enumeration: Discoveries Found with Firewall
Partial output from the following command:

   nmap -sS -v -O 1.1.1.1 -T3 -PN -v

   Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-16 19:15 CDT
   ...
   Device type: WAP|specialized|print server|storage-misc|general purpose|broadband router|firewall
   Running (JUST GUESSING) : Linux 2.4.X|2.6.X (98%), HP embedded (94%), Netgear RAIDiator 4.X (94%), MontaVista Linux 2.4.X (94%), Actiontec embedded (93%), Fortinet embedded (91%), Google embedded (91%)
   OS fingerprint not ideal because: Timing level 3 (Normal) used
   Aggressive OS guesses: DD-WRT v23 (Linux 2.4.36) (98%), Linux 2.4.21 (embedded) (95%), DD-WRT v23 (Linux 2.4.34) (95%), HP 4200 PSA (Print Server Appliance) model J4117A (94%), Netgear ReadyNAS Duo NAS device (RAIDiator 4.1.4) (94%), MontaVista embedded Linux 2.4.17 (94%), Actiontec GT701 DSL modem (93%), Linux 2.4.20 (92%), Fortinet FortiGate-60B or -100A firewall (91%), Google Mini search appliance (91%)
   No exact OS matches for host (test conditions non-ideal).
   ...
14. Hirschmann Enumeration: Discoveries Found with Firewall
• Ports open on the INTERNAL network interface include:
   – 22 (SSH), 53 (DNS), 443 (HTTPS) and 1720 (H.323); note that 1720 reports as 'filtered' in the script scan on slide 16.
• Enumeration of the device included testing via:
   – SNMP and HTTPS connections.
   – The enumeration method uses 'open source' tools.
   – One tool that will be heavily used is Nmap v5 (and newer).
   – Nmap (since version 4) integrates a scripting language.
   – The Nmap Scripting Engine (NSE) uses the Lua language (www.lua.org) together with Nmap-specific libraries (www.nmap.org/nsedoc).
   – Over 150 (and growing) scripts are available from Insecure.org.
15. Hirschmann Enumeration: Discoveries Found with Firewall
• During one vulnerability scan, Nmap had difficulty fingerprinting the operating system (the console log on slide 21 shows an embedded Linux 2.4.25 kernel; Nmap's best guess was DD-WRT on Linux 2.4.36).
• The device is currently available for evaluation by the general public.
• Access has been granted to the INTERNAL network interface.
• Use the command-line (CLI) version of Nmap; the Mac and UNIX/Linux versions appear to work better with the NSE script.
• A script was written specifically for enumerating the Hirschmann.
• The script is currently in 'draft mode' and is being finalized.
• The current version of the enumeration script is 'mguard-10091201.nse'.
16. Hirschmann Enumeration: Discoveries Found with Firewall
If the Hirschmann EAGLE mGuard TX/TX enumeration script is used, the output looks something like this:

   # nmap --script=./mguard-10091201.nse 1.1.1.1 -PN
   Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 12:48 CDT
   Nmap scan report for xxx (1.1.1.1)
   Host is up (0.0096s latency).
   Not shown: 996 closed ports
   PORT     STATE    SERVICE
   22/tcp   open     ssh
   53/tcp   open     domain
   443/tcp  open     https
   | mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
   | ** IF YOU REQUIRE MORE INFO, USE THE "-v" OPTION
   | ............Flash ID : 420401db459c83e7
   |_............Manufacturer of device : Hirschmann
   1720/tcp filtered H.323/Q.931
   Nmap done: 1 IP address (1 host up) scanned in 2.62 seconds

Note the flash ID number; the manufacturer ID is obtained via the SSL certificate.
17. Hirschmann Enumeration: Discoveries Found with Firewall
If the verbose feature of the Hirschmann EAGLE mGuard TX/TX enumeration script is used:

   # nmap --script=./mguard-10091201.nse 1.1.1.1 -PN -v
   Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 10:24 PDT
   NSE: Loaded 1 scripts for scanning.
   Initiating Parallel DNS resolution of 1 host. at 10:24
   Completed Parallel DNS resolution of 1 host. at 10:24, 0.06s elapsed
   Initiating Connect Scan at 10:24
   Scanning xxxx (1.1.1.1) [1000 ports]
   Discovered open port 53/tcp on 1.1.1.1
   Discovered open port 22/tcp on 1.1.1.1
   Discovered open port 443/tcp on 1.1.1.1
   Completed Connect Scan at 10:24, 5.62s elapsed (1000 total ports)
   NSE: Script scanning 1.1.1.1.
   NSE: Starting runlevel 1 (of 1) scan.
   Initiating NSE at 10:24
   Completed NSE at 10:25, 6.06s elapsed
   ...
18. Hirschmann Enumeration: Discoveries Found with Firewall (continued from slide 17)

   Nmap scan report for xxx (1.1.1.1)
   Host is up (0.096s latency).
   Not shown: 992 closed ports
   PORT     STATE    SERVICE
   22/tcp   open     ssh
   53/tcp   open     domain
   135/tcp  filtered msrpc
   139/tcp  filtered netbios-ssn
   443/tcp  open     https
   | mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
   | ** PHASE 1: TLS/SSL certificate verification
   | ....Step 1: SSL certificate info : CONFIRMED
   | ....Step 2: SSL certificate MD5 hash information
   | ............Flash ID : 420401db459c83e7
   | ............Organization name : Hirschmann Automation and Control GmbH
   | ............SSL certificate MD5 : c93063872150383b879a69f65ab6d7e5
   | ............SSL certificate version: 4.2.1 or newer
19. Hirschmann Enumeration: Discoveries Found with Firewall (continued from slide 18)

   | ** PHASE 2: File presence verification
   | ....Step 1: Existence of "/favicon.ico"
   | ............File favicon.ico MD5 : 7449c1f67008cc3bfabbc8f885712207
   | ............Server type/version : 4.2.1 or newer
   | ....Step 2: Existence of "/gai.js"
   | ............File gai.js MD5 : e7696a86648dcdb6efb2e497e5a8616b
   | ............Server type/version : 4.2.1
   | ....Step 3: Existence of "/style.css"
   | ............File style.css MD5 : d71581409253d54902bea82107a1abb2
   | ............Server type/version : 4.2.1
   | ** PHASE 3: HTML pattern matching verification
   | ....Step 1: Confirmation of HTML code per version
   | ............HTML code verified : CONFIRMED
   | ............HTML code variant : Hirschmann
   | ....Step 2: Confirmation web server verification
   | ............Web server verified : CONFIRMED
   | ............Web server name/type : fnord
   | ............Web server version : 1.6
20. Hirschmann Enumeration: Discoveries Found with Firewall (continued from slide 19)

   | ** PHASE 4: Documentation
   | ....Step 1: Documentation exist? : YES
   |.............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_BAT54_SW_Rel754_en.pdf
   |_............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_EAGLE_401_EN.pdf
   Read data files from: /usr/local/share/nmap
   Nmap done: 1 IP address (1 host up) scanned in 13.02 seconds
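The four phases printed by the script on slides 16 through 20 (certificate organisation, MD5 of known static files, HTML variant, web-server banner) come down to one pattern: fetch an artifact, hash or match it, and look the result up in a table harvested from known firmware releases. The block below is an added example of that logic, written here and not taken from the authors' mguard-10091201.nse. It runs offline: the static files, certificate subject and HTML are constructed stand-ins for what a script fetches over HTTPS, the Innominate organisation string is an assumption, and the known-hash table is built from the constructed files so the block checks itself. A real table would hold the MD5s collected from each firmware version, like the ones on slide 19. The Flash ID extraction from the certificate is left out.

```python
"""Phased web-interface fingerprinting, after the mguard-10091201.nse output.

Added example, not the authors' NSE script. Everything below that looks
like device data is constructed for the demonstration.
"""
import hashlib
import re

# Certificate organisation names that identify the vendor. The Hirschmann
# string is the one shown on slide 18; the Innominate string is an assumption.
KNOWN_CERT_ORGS = {
    "Hirschmann Automation and Control GmbH": "Hirschmann",
    "Innominate Security Technologies AG": "Innominate",
}


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed stand-ins for the static files the web UI serves.
SAMPLE_FILES = {
    "/favicon.ico": b"\x00\x00\x01\x00 constructed favicon bytes",
    "/gai.js": b"function gai(){return 'constructed';}",
    "/style.css": b"body { font-family: sans-serif; } /* constructed */",
}

# path -> {md5 -> firmware version}. Built from the constructed files here;
# in practice harvested from each firmware release (see the MD5s on slide 19).
KNOWN_FILE_HASHES = {
    "/favicon.ico": {md5hex(SAMPLE_FILES["/favicon.ico"]): "4.2.1 or newer"},
    "/gai.js": {md5hex(SAMPLE_FILES["/gai.js"]): "4.2.1"},
    "/style.css": {md5hex(SAMPLE_FILES["/style.css"]): "4.2.1"},
}

# "fnord/1.6" style Server header (slide 19 reports fnord 1.6).
SERVER_RE = re.compile(r"^(?P<name>[A-Za-z][\w.-]*)/(?P<version>[\d.]+)")


def fingerprint(cert_org, files, server_header, html):
    """Run the checks and return a report.

    files maps a path to its body bytes; a path that returned 404 is absent.
    """
    report = {"vendor": None, "variant": None, "server": None,
              "versions": set(), "files": {}, "confirmed": False}

    # Phase 1: the HTTPS certificate's organisation name.
    report["vendor"] = KNOWN_CERT_ORGS.get(cert_org)

    # Phase 2: hash each known static file and map the hash to a version.
    for path, table in KNOWN_FILE_HASHES.items():
        body = files.get(path)
        if body is None:
            report["files"][path] = "missing"
            continue
        version = table.get(md5hex(body))
        report["files"][path] = version or "unknown hash"
        if version:
            report["versions"].add(version)

    # Phase 3: HTML variant and web-server banner.
    if re.search(r"hirschmann", html, re.I):
        report["variant"] = "Hirschmann"
    elif re.search(r"innominate|mguard", html, re.I):
        report["variant"] = "Innominate"
    m = SERVER_RE.match(server_header or "")
    if m:
        report["server"] = (m.group("name"), m.group("version"))

    # Confirm only when the certificate and at least one file hash agree.
    # A banner or a single string in the HTML is trivially spoofed, so
    # neither of those alone is enough to confirm the device.
    matched = [v for v in report["files"].values()
               if v not in ("missing", "unknown hash")]
    report["confirmed"] = report["vendor"] is not None and len(matched) >= 1
    return report


if __name__ == "__main__":
    print(fingerprint("Hirschmann Automation and Control GmbH", SAMPLE_FILES,
                      "fnord/1.6", "<title>Hirschmann EAGLE mGuard</title>"))
```

In an NSE script the same table lookups sit behind the http library's fetches and the certificate from the sslcert library; the hashing and matching do not change. A file whose hash is not in the table is reported as "unknown hash" rather than treated as a mismatch, since that is exactly what a firmware version the table has not seen yet looks like.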
21. Hirschmann Enumeration: Discoveries Found with Firewall
The following is a sample taken from the startup log while connected to the console:

   ...
   Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/i2c/i2c-adap-ixp425.o
   Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/max6625.o
   Warning: loading max6625 will taint the kernel: non-GPL license - Proprietary
     See http://www.tux.org/lkml/#export-tainted for information about tainted modules
   Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/power.o
   Warning: loading power will taint the kernel: non-GPL license - Proprietary
   Eagle: PHY sysctl directory registered.
     See http://www.tux.org/lkml/#export-tainted for information about tainted modules
   ...

The unit runs a Linux 2.4.25 kernel (a 2004 release) with proprietary, non-GPL vendor modules loaded, and the i2c-adap-ixp425 driver points to an Intel IXP425-class platform. Thoughts about this?
22. Hirschmann Enumeration: Summary of the Unit
• This unit allows the secured side to configure the firewall.
   – Vulnerable to cross-site scripting (XSS) and session hijacking.
   – Malware that gets inside the secured network can still cause damage.
   – Other propagation methods for malware include USB, VLAN attacks/mistakes, operator errors, crossed cables, etc.
   – Out-of-band management of the firewall is needed.
• Licensing problems could make the unit a deliberate target.
• The ARP table ought to have a hard-wired (static) option.
• Not a stateful firewall; not aware of industrial protocols.
23. One More Thing... Interesting Coincidence?
• At the time of writing this presentation, the firewall was probed from several IP addresses in China; one of them is shown below:

   2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast address to master interface
   2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification string from 202.116.160.75
   2000-01-01_16:01:37.07397 user.debug: Jan 1 16:01:37 kernel: br0.0001: del 01:00:5e:00:00:01 mcast address from master interface
   2000-01-01_16:01:37.33267 user.info: Jan 1 16:01:37 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.

• Here is the WHOIS information for this IP address:

   inetnum:  202.116.160.0 - 202.116.175.255
   netname:  SCAU-CN
   descr:    华南农业大学
   descr:    South China Agricultural University
   descr:    Guangzhou, Guangdong 510642, China
   country:  CN
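The log excerpt above has two things worth extracting automatically: the sshd "Did not receive identification string" entries, which are what a port scanner or banner grabber leaves behind when it connects and drops the session without speaking the protocol, and the device timestamp, which reads 2000-01-01 because the unit's clock had evidently never been set. The following block is an added example of a small triage pass over lines in that layout; it is not part of the presentation. The log lines are constructed to match the slide's format, with documentation-range source addresses in place of the real one.

```python
"""Triage of mGuard/EAGLE syslog lines in the layout shown on slide 23:

    <devtime> <facility>.<level>: <Mon D HH:MM:SS> <prog>[pid]: <message>

Added example, not from the presentation. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<devtime>\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<facility>\w+)\.(?P<level>\w+):\s+"
    r"(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
# sshd logs this when a client connects and disconnects without sending a
# protocol banner: the signature of a scanner or banner grabber.
SSH_PROBE_RE = re.compile(
    r"Did not receive identification string from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
IPSEC_RE = re.compile(r"IPSEC EVENT: (?P<event>.+)")

# Constructed sample in the slide's layout; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges, not real probe sources.
SAMPLE_LOG = """\
2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast address to master interface
2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification string from 203.0.113.7
2000-01-01_16:00:02.10000 auth.info: Jan 1 16:00:02 sshd[10731]: Did not receive identification string from 203.0.113.7
2000-01-01_16:00:40.50000 auth.info: Jan 1 16:00:40 sshd[10732]: Did not receive identification string from 198.51.100.9
2000-01-01_16:01:37.07397 user.debug: Jan 1 16:01:37 kernel: br0.0001: del 01:00:5e:00:00:01 mcast address from master interface
2000-01-01_16:01:37.33267 user.info: Jan 1 16:01:37 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(text):
    """Return SSH probe sources, IPsec events and whether the clock is unset."""
    probes = Counter()
    ipsec_events = []
    unparsed = []
    clock_unset = False
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            unparsed.append(raw)
            continue
        # A unit that boots with its clock at 2000-01-01 and has no time
        # source stamps every event with that date, so its timestamps cannot
        # be correlated with anything else. Flag it and rely on the
        # collector's receive time instead.
        if rec["devtime"].startswith("2000-01-01"):
            clock_unset = True
        if rec["prog"] == "sshd":
            m = SSH_PROBE_RE.search(rec["msg"])
            if m:
                probes[m.group("ip")] += 1
        elif rec["prog"] == "kernel":
            m = IPSEC_RE.search(rec["msg"])
            if m:
                ipsec_events.append(m.group("event"))
    return {"probes": probes, "ipsec_events": ipsec_events,
            "clock_unset": clock_unset, "unparsed": unparsed}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Counting per source address rather than per line is what separates one curious connection from a sweep, and keeping the unparsed lines aside means a firmware update that changes the log layout shows up as a pile of unparsed lines rather than as silence.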
24. Next Gathering
• Mu Dynamics has been very supportive.
• Location and time: SCADA CYBER SECURITY WORKSHOP, November 3-4, 2010, Southern Methodist University, Dallas, TX
   – http://www.nacmast.com/scada-workshop-registration
• Continue the 'Enlightenment' and 'NINJA' programs.
• Introduce and educate the next generation of SCADA security specialists.
• Gather data on other user-provided devices.
• Work on CSET validation software.
• Discuss theoretical and practical issues with the devices we test.
25. Conclusion
• Combining 'The Gatherings' with the intelligence gathered through enumeration and validation tests, we feel that there is more to come ... much more.
• So far, we have a small suite of scripts for the following:
   – Hirschmann Automation and Control GmbH (HAC)
   – Allen-Bradley (aka Rockwell)
   – Rockwell Automation
   – Siemens
   – Electro Industries / GaugeTech (EIG)
26. Questions?
Bob Radvanovsky, (630) 673-7740, rsradvan@infracritical.com
Jacob Brodsky, (443) 285-3514, jbrodsky@infracritical.com
Creative Commons License v3.0.