SCADA and Control Systems Security Group (SCADASEC) Findings
             2010 Applied Control Systems (ACS) Conference
             September 20-23, 2010




Bob Radvanovsky, CIFI, CISM, CIPS
Jacob Brodsky, PE




   Enumerating and Validating
         ICS Devices
                               Creative Commons License v3.0.               1
Who and what is
                 “Infracritical”?

• Leading industry and business in Critical
  Infrastructure Protection (CIP).
   – Provides guidance and direction to both public and private
     sectors through information sharing and ‘best practices’.
   – Established open public discussion forums on current and
     relevant topics and affairs.
   – Defines strategic vision of ‘future thought’ in infrastructure
     development and support.
• Liaises between government and industry strategies.
• Sponsor and founder of the SCADASEC e-mail list.


                                                                      2
Presentation Agenda

• Outline results from ‘The Gathering’ (May 2010).
• Reasons for having ‘The Gathering’.
• Latest projects:
   – Enumerate and validate industrial automation/control
     systems devices (fingerprint).
   – Catalog based on genus, manufacturing type, make, model,
     and results found into a centralized data repository.
   – Allow for variances of information found ‘in the wild’.
   – Enumeration is performed using ‘open source’ security tools.
   – Currently performing validation tests against the
     Hirschmann ICS firewall (Hirschmann EAGLE TX/TX).

                                                                   3
Outline Results from
               ‘The Gathering’ (May 2010)

• Established in May, 2010, ‘The Gathering’ provided a
  common ground for representation from commercial
  interests, academia and law enforcement.
• Discussed security concepts, issues and vulnerabilities
  with ICS equipment that was brought and shared.
• Discussed and shared engineering methods to
  improve performance of said equipment, both
  operationally and securely.


                                                        4
Reasons for Having
              ‘The Gathering’

• Need based on a “show ‘n tell” principle.
• Allows participants to see, work with and handle ICS
  equipment, which would otherwise not be possible.
• Share ideas, concepts and ideologies between
  participants.
• Discuss methods of improving the performance of
  shared ICS equipment.
• Write recommendations for manufacturers.

                                                        5
Other Discoveries


• We are limiting public discussion on these discoveries.
• Schweitzer SEL-3620:
   – SSL interface survived the overnight assault from the Mu
     Dynamics fuzzer device.
   – No problems found.
• Another popular industrial switch TELNET interface:
   – 158 problems found.
• Write recommendations for manufacturers.

                                                                6
Project ‘Enlightenment’


• Validate CSET/CS2SAT network maps.
• Develop and exercise controlled methods of
  enumerating ICS equipment and appliances.
• Acquire intelligence from ICS equipment supplied
  from ICS owner-operators and private donators.
• Enumerate through several methods:
   – IT protocols: HTTP/HTTPS, SSH, SSL certificates, SNMP, etc.
   – control system protocols: Modbus, Profibus, DNP, EthernetIP, etc.



                                                                         7
Project ‘NINJA’
                Network INtelligence Joint Analysis


• Catalog intelligence acquired from ‘The Gatherings’
  and from ‘Enlightenment’.
• Centralize data repository for public viewing (vetted).
• Provide sensitive intelligence for dissemination
  through encrypted methods.
   – encrypted email (automatic)
   – encrypted web portal(s)
• Website: www.thinklikeninja.com

                                                            8
Current Enumeration:
                 Hirschmann EAGLE TX/TX

• One of the more recognized industrial
  automation firewalls.
• Hirschmann Automation and Control (HAC)
  GmbH acquired by Belden Inc. (formerly
  Belden Wire & Cable, Inc.) in 2007.
• Hirschmann EAGLE and EAGLE mGuard
  firewalls’ software written by Innominate
  Security Technologies.
• Innominate Security Technologies acquired
  by Phoenix Contacts, Inc. in 2008.
        (Image: actual model of device tested.)
                                                   9
Hirschmann Enumeration:
              Discoveries Found with Firewall

• Actual software from Hirschmann ICS firewall was
  written by Innominate Security Technologies.
• Software from Innominate can interchangeably be
  used between Hirschmann and Innominate versions.
• Software and firmware would be synchronized.
• Software after v4.2.3 required a ‘license upgrade’
  (even though we had updates up to v7.0.1).
• Firmware after v4.2.3 had similar requirements.

                                                       10
Hirschmann Enumeration:
                   Discoveries Found with Firewall

• Actual ICS screen shot.
• Tests were performed against two (2) firewalls.
• Firewall #1: Innominate
• Firewall #2: Hirschmann


                                                 11
Hirschmann Enumeration:
               Discoveries Found with Firewall

• F/W v3.0.1 (and including v3.1.1) caused ARP tables
  to be dropped during ‘normal’ port scans, requiring
  multiple attempts to connect to the firewall.
• F/W v4.0.4 (and higher) did not drop ARP tables.
• However, F/W v4.0.4, while attacked using a
  vulnerability scan, produced inconsistent
  fingerprinting results; in most cases, no fingerprint.
• NMAP (as of v5.35DC1) thinks Hirschmann is a
  wireless access point / wireless router.
                                                           12
Hirschmann Enumeration:
                         Discoveries Found with Firewall

Partial output is from the following syntax: nmap -sS -v -O 1.1.1.1 -T3 -PN -v

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-16 19:15 CDT
…
Device type: WAP|specialized|print server|storage-misc|general purpose|broadband
router|firewall, Running (JUST GUESSING) : Linux 2.4.X|2.6.X (98%), HP embedded
(94%), Netgear RAIDiator 4.X (94%), MontaVista Linux 2.4.X (94%), Actiontec
embedded (93%), Fortinet embedded (91%), Google embedded (91%)
OS fingerprint not ideal because: Timing level 3 (Normal) used
Aggressive OS guesses: DD-WRT v23 (Linux 2.4.36) (98%), Linux 2.4.21 (embedded)
(95%), DD-WRT v23 (Linux 2.4.34) (95%), HP 4200 PSA (Print Server Appliance)
model J4117A (94%), Netgear ReadyNAS Duo NAS device (RAIDiator 4.1.4) (94%),
MontaVista embedded Linux 2.4.17 (94%), Actiontec GT701 DSL modem (93%), Linux
2.4.20 (92%), Fortinet FortiGate-60B or -100A firewall (91%), Google Mini search
appliance (91%)
No exact OS matches for host (test conditions non-ideal).
…



                                                                                   13
Hirschmann Enumeration:
                    Discoveries Found with Firewall

• Ports open on INTERNAL network interface include:
   - 22 (SSH), 53 (DNS), 443 (HTTPS) and 1720 (H.323)
• Enumeration utilized for device included testing from:
   - SNMP and HTTPS connections
• Enumeration method utilizes an ‘open source’ tool.
• One tool that will be heavily utilized is NMAP v5 (and newer).
• NMAP (as of Version 4) allows integration of a scripting language.
• The NMAP Scripting Engine (NSE) utilizes the Lua language
  (www.lua.org) and tailors the code (www.nmap.org/nsedoc).
• Over 150 (and growing) common scripts available from Insecure.

                                                                   14
Hirschmann Enumeration:
                  Discoveries Found with Firewall

• During one vulnerability scan, NMAP had difficulties fingerprinting
  its operating system (it is running an embedded Linux v2.4.36).
• Device is currently available for evaluation for the general public.
• Access has been granted to the INTERNAL network interface.
• Use the command-line (CLI) version of NMAP – Mac and
  UNIX/Linux versions appear to work better with NSE scripts.
• Script written specifically for enumerating the Hirschmann.
• Script is currently in ‘draft mode’, and is being finalized.
• Current version of enumeration script is ‘mguard-10091201.nse’.


                                                                    15
Hirschmann Enumeration:
                        Discoveries Found with Firewall

If the Hirschmann EAGLE mGuard TX/TX enumeration script is utilized, output will look something like this:
# nmap --script=./mguard-10091201.nse 1.1.1.1 -PN

    Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 12:48 CDT
    Nmap scan report for xxx (1.1.1.1)
    Host is up (0.0096s latency).
    Not shown: 996 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    53/tcp   open     domain
    443/tcp open      https
    | mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
    | ** IF YOU REQUIRE MORE INFO, USE THE "-v" OPTION
    | ............Flash ID               : 420401db459c83e7
    |_............Manufacturer of device : Hirschmann
    1720/tcp filtered H.323/Q.931

    Nmap done: 1 IP address (1 host up) scanned in 2.62 seconds

NOTE the flash ID number; the ID is obtained via the SSL certificate.




                                                                                                      16
Hirschmann Enumeration:
                        Discoveries Found with Firewall

If the verbose feature of the Hirschmann EAGLE mGuard TX/TX enumeration script is utilized:
# nmap --script=./mguard-10091201.nse 1.1.1.1 -PN -v

    Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 10:24 PDT
    NSE: Loaded 1 scripts for scanning.
    Initiating Parallel DNS resolution of 1 host. at 10:24
    Completed Parallel DNS resolution of 1 host. at 10:24, 0.06s elapsed
    Initiating Connect Scan at 10:24
    Scanning xxxx (1.1.1.1) [1000 ports]
    Discovered open port 53/tcp on 1.1.1.1
    Discovered open port 22/tcp on 1.1.1.1
    Discovered open port 443/tcp on 1.1.1.1
    Completed Connect Scan at 10:24, 5.62s elapsed (1000 total ports)
    NSE: Script scanning 1.1.1.1.
    NSE: Starting runlevel 1 (of 1) scan.
    Initiating NSE at 10:24
    Completed NSE at 10:25, 6.06s elapsed
    ...

                                                                                             17
Hirschmann Enumeration:
                        Discoveries Found with Firewall

(continued from p.17)
    Nmap scan report for xxx (1.1.1.1)
    Host is up (0.096s latency).
    Not shown: 992 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    53/tcp   open     domain
    135/tcp filtered msrpc
    139/tcp filtered netbios-ssn
    443/tcp open      https
    | mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
    | ** PHASE 1: TLS/SSL certificate verification
    | ....Step 1: SSL certificate info   : CONFIRMED
    | ....Step 2: SSL certificate MD5 hash information
    | ............Flash ID               : 420401db459c83e7
    | ............Organization name      : Hirschmann Automation and Control GmbH
    | ............SSL certificate MD5    : c93063872150383b879a69f65ab6d7e5
    | ............SSL certificate version: 4.2.1 or newer

                                                                                    18
Hirschmann Enumeration:
                        Discoveries Found with Firewall

(continued from p.18)
    |   ** PHASE 2: File presence verification
    |   ....Step 1: Existence of "/favicon.ico"
    |   ............File favicon.ico MD5   : 7449c1f67008cc3bfabbc8f885712207
    |   ............Server type/version    : 4.2.1 or newer
    |   ....Step 2: Existence of "/gai.js"
    |   ............File gai.js MD5        : e7696a86648dcdb6efb2e497e5a8616b
    |   ............Server type/version    : 4.2.1
    |   ....Step 3: Existence of "/style.css"
    |   ............File style.css MD5     : d71581409253d54902bea82107a1abb2
    |   ............Server type/version    : 4.2.1
    |   ** PHASE 3: HTML pattern matching verification
    |   ....Step 1: Confirmation of HTML code per version
    |   ............HTML code verified     : CONFIRMED
    |   ............HTML code variant      : Hirschmann
    |   ....Step 2: Confirmation web server verification
    |   ............Web server verified    : CONFIRMED
    |   ............Web server name/type   : fnord
    |   ............Web server version     : 1.6
                                                                                19
Hirschmann Enumeration:
                        Discoveries Found with Firewall

(continued from p.19)
    | ** PHASE 4: Documentation
    | ....Step 1: Documentation exist?   : YES
    |.............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_BAT54_SW_Rel754_en.pdf
    |_............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_EAGLE_401_EN.pdf

    Read data files from: /usr/local/share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 13.02 seconds
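
The verbose report above can be folded into a catalog record of the kind Project ‘NINJA’ describes. The following is an added example, not the presenters' script or tooling: a Python parser for the report lines shown on the slides that also reconciles the per-step version evidence ("4.2.1" versus "4.2.1 or newer"). The function names and record layout are assumptions; the sample input is excerpted from the slide output.

```python
import re

# Sample excerpted from the verbose script output shown on the slides.
SAMPLE_OUTPUT = """\
443/tcp open      https
| mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
| ** PHASE 1: TLS/SSL certificate verification
| ....Step 1: SSL certificate info   : CONFIRMED
| ....Step 2: SSL certificate MD5 hash information
| ............Flash ID               : 420401db459c83e7
| ............Organization name      : Hirschmann Automation and Control GmbH
| ............SSL certificate MD5    : c93063872150383b879a69f65ab6d7e5
| ............SSL certificate version: 4.2.1 or newer
|   ** PHASE 2: File presence verification
|   ....Step 1: Existence of "/favicon.ico"
|   ............File favicon.ico MD5   : 7449c1f67008cc3bfabbc8f885712207
|   ............Server type/version    : 4.2.1 or newer
|   ....Step 2: Existence of "/gai.js"
|   ............File gai.js MD5        : e7696a86648dcdb6efb2e497e5a8616b
|   ............Server type/version    : 4.2.1
|   ....Step 3: Existence of "/style.css"
|   ............File style.css MD5     : d71581409253d54902bea82107a1abb2
|   ............Server type/version    : 4.2.1
|   ** PHASE 3: HTML pattern matching verification
|   ....Step 2: Confirmation web server verification
|   ............Web server name/type   : fnord
|   ............Web server version     : 1.6
"""

PHASE_RE = re.compile(r"^\|_?\s*\*\* PHASE (\d+):")
STEP_RE = re.compile(r"^\|_?\s*\.{4}Step (\d+):")
FIELD_RE = re.compile(r"^\|_?\s*\.{5,}([^:]+?)\s*:\s*(.+)$")
FILE_MD5_RE = re.compile(r"^File (\S+) MD5$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
CLAIM_RE = re.compile(r"^(\d+(?:\.\d+)*)( or newer)?$")
# Keys that carry firmware evidence; "Web server version" describes the
# HTTP daemon, not the firmware, so it is deliberately excluded.
FIRMWARE_KEYS = {"SSL certificate version", "Server type/version"}


def parse_report(text):
    """Turn the script's report lines into one catalog record."""
    record = {"fields": {}, "file_md5": {}, "version_claims": []}
    phase = step = None
    for line in text.splitlines():
        line = line.rstrip()
        if m := PHASE_RE.match(line):
            phase, step = int(m.group(1)), None
        elif m := STEP_RE.match(line):
            step = int(m.group(1))
        elif phase is not None and (m := FIELD_RE.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip()
            file_key = FILE_MD5_RE.match(key)
            if file_key:
                # Keep only well-formed digests so a truncated line cannot
                # enter the catalog as a signature.
                if MD5_RE.match(value.lower()):
                    record["file_md5"][file_key.group(1)] = value.lower()
            elif key in FIRMWARE_KEYS:
                # The same key repeats per step, so record where it was seen.
                record["version_claims"].append(((phase, step), value))
            else:
                record["fields"][key] = value
    return record


def reconcile_versions(claims):
    """Combine exact and 'or newer' claims into one firmware verdict."""
    exact, floor = set(), None
    for _source, text in claims:
        m = CLAIM_RE.match(text.strip())
        if not m:
            return {"status": "unparsed", "version": None}
        ver = tuple(int(p) for p in m.group(1).split("."))
        if m.group(2):
            floor = ver if floor is None else max(floor, ver)
        else:
            exact.add(ver)
    if len(exact) > 1 or (exact and floor is not None and min(exact) < floor):
        # Evidence disagrees; the record needs manual review.
        return {"status": "conflict", "version": None}
    if exact:
        return {"status": "exact", "version": ".".join(map(str, min(exact)))}
    if floor is not None:
        return {"status": "at_least", "version": ".".join(map(str, floor))}
    return {"status": "unknown", "version": None}


if __name__ == "__main__":
    rec = parse_report(SAMPLE_OUTPUT)
    print(rec["fields"], rec["file_md5"], reconcile_versions(rec["version_claims"]))
```

A "conflict" verdict means the certificate and file signatures point at different firmware levels, which is the case worth a second look before the record is catalogued.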




                                                                                    20
Hirschmann Enumeration:
                       Discoveries Found with Firewall

The following is a sample taken from the startup log while connected to the console:

...
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/i2c/i2c-adap-ixp425.o
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/max6625.o
Warning: loading max6625 will taint the kernel: non-GPL license – Proprietary
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/power.o
Warning: loading power will taint the kernel: non-GPL license – Proprietary
Eagle: PHY sysctl directory registered.
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
...


Thoughts about this?



                                                                                    21
Hirschmann Enumeration:
                   Summary of the Unit

• This unit allows the secured side to configure the firewall.
   -   Vulnerable to cross-site scripting (XSS) and session hijacking.
   -   Malware that gets inside secured networks can still cause damage.
   -   Other propagation methods for malware include USB, VLAN
       attacks/mistakes, operator errors, crossed cables, etc.
   -   Need out-of-band commands of the firewall.
• Licensing problems could make unit a deliberate target.
• ARP table ought to have hard-wired option.
• Not a stateful firewall; not aware of industrial protocols.


                                                                           22
One More Thing…
                        Interesting Coincidence?

• At the time of writing this presentation, the firewall was
  probed from several IP addresses from China; one of them is
  shown below:
   2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast address to master interface
   2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification string from 202.116.160.75
   2000-01-01_16:01:37.07397 user.debug: Jan 1 16:01:37 kernel: br0.0001: del 01:00:5e:00:00:01 mcast address from master interface
   2000-01-01_16:01:37.33267 user.info: Jan 1 16:01:37 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.


• Here’s the WHOIS information for this IP address:
   inetnum:       202.116.160.0 - 202.116.175.255
   netname:       SCAU-CN
   descr:         ~{;*DOE)R54sQ'~}
   descr:         South China Agricultural University
   descr:         Guangzhou, Guangdong 510642, China
   country:       CN
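
Log entries like the ones on this slide can be reduced to a per-source count of SSH probes. The following is an added example, not part of the original presentation: Python detection logic that rejoins entries wrapped across lines, extracts the sshd "Did not receive identification string" events, and flags timestamps earlier than a caller-chosen date (the slide's entries are stamped 2000-01-01). The sample lines are constructed in the slide's log format with RFC 5737 documentation addresses; the function names and the `clock_floor` default are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the log format shown on the slide. Addresses are
# RFC 5737 documentation ranges; long entries are wrapped as on the slide.
SAMPLE_LOG = """\
2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast
address to master interface
2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification
string from 192.0.2.75
2000-01-01_16:00:02.10021 auth.info: Jan 1 16:00:02 sshd[10731]: Did not receive identification string from 192.0.2.75
2000-01-01_16:00:40.55510 auth.info: Jan 1 16:00:40 sshd[10733]: Did not receive identification
string from 198.51.100.9
2000-01-01_16:01:37.33267 user.info: Jan 1 16:01:37 kernel: IPSEC EVENT: KLIPS device ipsec0 shut
down.
"""

# An entry starts with "YYYY-MM-DD_HH:MM:SS.fraction facility.level: message".
ENTRY_START = re.compile(
    r"^(\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2})\.\d+ (\w+\.\w+): (.*)$"
)
PROBE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from "
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)


def join_wrapped(text):
    """Rejoin entries that were wrapped onto continuation lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            # No leading timestamp: this is the tail of the previous entry.
            entries[-1] += " " + line
    return entries


def ssh_probes(text, clock_floor=datetime(2010, 1, 1)):
    """Return one dict per connection that closed before sending an SSH banner."""
    hits = []
    for entry in join_wrapped(text):
        m = ENTRY_START.match(entry)
        if not m:
            continue
        probe = PROBE.search(m.group(3))
        if not probe:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d_%H:%M:%S")
        hits.append({
            "time": ts,
            "source": probe.group(1),
            # A timestamp before clock_floor cannot be correlated with
            # other logs without first establishing the clock offset.
            "clock_suspect": ts < clock_floor,
        })
    return hits


def probes_by_source(text):
    """Count banner-less SSH connections per source address."""
    return Counter(hit["source"] for hit in ssh_probes(text))


if __name__ == "__main__":
    for source, count in probes_by_source(SAMPLE_LOG).most_common():
        print(source, count)
```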




                                                                                                   23
Next Gathering:

• Mu Dynamics has been very supportive.
• Location and time.
   •   SCADA CYBER SECURITY WORKSHOP
       November 3-4, 2010, Southern Methodist University, Dallas, TX
   •   http://www.nacmast.com/scada-workshop-registration
• Continue “Enlightenment” and “NINJA” programs.
   •   Introduce and educate next generation of SCADA security specialists.
   •   Gather data on other user-provided devices.
   •   Work on CSET validation software.
• Discuss theoretical and practical issues with devices we test.

                                                                              24
Conclusion

• Between ‘The Gatherings’ and the intelligence
  gathered through enumeration and validation tests,
  we feel that there will be more to come … much more.
• So far, we have a small suite of scripts for the following:
   •   Hirschmann Automation Control GmbH (HAC)
   •   Allen-Bradley (aka Rockwell)
   •   Rockwell Automation
   •   Siemens
   •   Electro Industries / Gaugetech (EIG)



                                                                25
Questions?
       Bob Radvanovsky, (630) 673-7740
             rsradvan@infracritical.com

           Jacob Brodsky, (443) 285-3514
              jbrodsky@infracritical.com

Creative Commons License v3.0.             26

Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...allensay1
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...lizamodels9
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...amitlee9823
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceDamini Dixit
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...amitlee9823
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangaloreamitlee9823
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Sheetaleventcompany
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...lizamodels9
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...rajveerescorts2022
 
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...amitlee9823
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876dlhescort
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxAndy Lambert
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Centuryrwgiffor
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsP&CO
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1kcpayne
 

Último (20)

Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investors
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1
 

ACS-2010

  • 1. SCADA and Control Systems Security Group (SCADASEC) Findings 2010 Applied Control Systems (ACS) Conference September 20-23, 2010 Bob Radvanovsky, CIFI, CISM, CIPS Jacob Brodsky, PE Enumerating and Validating ICS Devices Creative Commons License v3.0. 1
  • 2. Who and what is “Infracritical”? • Leading industry and business in Critical Infrastructure Protection (CIP). – Provides guidance and direction to both public and private sectors through information sharing and ‘best practices’. – Established open public discussion forums on current and relevant topics and affairs. – Defines strategic vision of ‘future thought’ in infrastructure development and support. • Liaisons government and industry strategies. • Sponsor and founder of the SCADASEC e-mail list. 2
  • 3. Presentation Agenda • Outline results from ‘The Gathering’ (May 2010). • Reasons for having ‘The Gathering’. • Latest projects: – Enumerate and validate industrial automation/control systems devices (fingerprint). – Catalog based on genus, manufacturing type, make, model, and results found into a centralized data repository. – Allow for variances of information found ‘in the wild’. – Enumeration is utilized using ‘open source’ security tools. – Currently performing validation tests against the Hirschmann ICS firewall (Hirschmann EAGLE TX/TX). 3
  • 4. Outline Results from ‘The Gathering’ (May 2010) • Established in May, 2010, ‘The Gathering’ provided a common ground for representation from commercial interests, academia and law enforcement. • Discussed security concepts, issues and vulnerabilities with ICS equipment that was brought and shared. • Discussed and shared engineering methods to improve performance of said equipment, both operationally and securely. 4
  • 5. Reasons for Having ‘The Gathering’ • Need based on a “show ‘n tell” principle. • Allows participants to see, work and handle ICS equipment that would otherwise not be possible. • Allow and share ideas, concepts, ideologies between participants. • Discuss methods of improvement of performance of shared ICS equipment. • Write recommendations for manufacturers. 5
  • 6. Other Discoveries • We are limiting public discussion on these discoveries. • Schweitzer SEL-3620: – SSL interface survived the overnight assault from the Mu Dynamics fuzzer device. – No problems found. • Another popular industrial switch TELNET interface: – 158 problems found. • Write recommendations for manufacturers. 6
  • 7. Project ‘Enlightenment’ • Validate CSET/CS2SAT network maps. • Develop and exercise controlled methods of enumerating ICS equipment and appliances. • Acquire intelligence from ICS equipment supplied from ICS owner-operators and private donators. • Enumerate through several methods: – IT protocols: HTTP/HTTPS, SSH, SSL certificates, SNMP, etc. – control system protocols: Modbus, Profibus, DNP, EthernetIP, etc. 7
  • 8. Project ‘NINJA’ Network INtelligence Joint Analysis • Catalog intelligence acquired from ‘The Gatherings’ and from ‘Enlightenment’. • Centralize data repository for public viewing (vetted). • Provide sensitive intelligence for dissemination through encrypted methods. – encrypted email (automatic) – encrypted web portal(s) • Website: www.thinklikeninja.com 8
  • 9. Current Enumeration: Hirschmann EAGLE TX/TX • One of the more recognized industrial automation firewalls. • Hirschmann Automation and Control (HAC) GmbH acquired by Belden Inc. (formerly Belden Wire & Cable, Inc.) in 2007. • Hirschmann EAGLE and EAGLE mGuard firewalls’ software written by Innominate Security Technologies. • Innominate Security Technologies acquired by Phoenix Contacts, Inc. in 2008. (Image is actual model of device tested.) 9
  • 10. Hirschmann Enumeration: Discoveries Found with Firewall • Actual software from Hirschmann ICS firewall was written by Innominate Security Technologies. • Software from Innominate can interchangeably be used between Hirschmann and Innominate versions. • Software and firmware would be synchronized. • Software after v4.2.3 required a ‘license upgrade’ (even though we had updates up to v7.0.1). • Firmware after v4.2.3 had similar requirements. 10
  • 11. Hirschmann Enumeration: Discoveries Found with Firewall • Actual ICS screen shot. • Tests were performed against two (2) firewalls. • Firewall #1: Innominate • Firewall #2: Hirschmann 11
  • 12. Hirschmann Enumeration: Discoveries Found with Firewall • F/W v3.0.1 (and including v3.1.1) caused ARP tables to be dropped during ‘normal’ port scans, requiring multiple attempts to connect to the firewall. • F/W v4.0.4 (and higher) did not drop ARP tables. • However -- F/W v4.0.4 while attacked using a vulnerability scan, produced inconsistent fingerprinting results, in most cases, no fingerprint. • NMAP (as of v5.35DC1) thinks Hirschmann is a wireless access point / wireless router. 12
  • 13. Hirschmann Enumeration: Discoveries Found with Firewall
    Partial output is from the following syntax:
        nmap -sS -v -O 1.1.1.1 -T3 -PN -v
        Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-16 19:15 CDT
        …
        Device type: WAP|specialized|print server|storage-misc|general purpose|broadband router|firewall,
        Running (JUST GUESSING) : Linux 2.4.X|2.6.X (98%), HP embedded (94%), Netgear RAIDiator 4.X (94%), MontaVista Linux 2.4.X (94%), Actiontec embedded (93%), Fortinet embedded (91%), Google embedded (91%)
        OS fingerprint not ideal because: Timing level 3 (Normal) used
        Aggressive OS guesses: DD-WRT v23 (Linux 2.4.36) (98%), Linux 2.4.21 (embedded) (95%), DD-WRT v23 (Linux 2.4.34) (95%), HP 4200 PSA (Print Server Appliance) model J4117A (94%), Netgear ReadyNAS Duo NAS device (RAIDiator 4.1.4) (94%), MontaVista embedded Linux 2.4.17 (94%), Actiontec GT701 DSL modem (93%), Linux 2.4.20 (92%), Fortinet FortiGate-60B or -100A firewall (91%), Google Mini search appliance (91%)
        No exact OS matches for host (test conditions non-ideal).
        …
  • 14. Hirschmann Enumeration: Discoveries Found with Firewall • Ports open on INTERNAL network interface include: - 22 (SSH), 53 (DNS), 443 (HTTPS) and 1720 (H.323) • Enumeration utilized for device included testing from: - SNMP and HTTPS connections - Enumeration method utilizes an ‘open source’ tool. - One tool that will be heavily utilized is NMAP v5 (and newer). - NMAP (as of Version 4) allows integration of a scripting language. - The NMAP Scripting Engine (NSE) utilizes the LUA language (www.lua.org) and tailors the code (www.nmap.org/nsedoc). - Over 150 (and growing) common scripts available from Insecure. 14
  • 15. Hirschmann Enumeration: Discoveries Found with Firewall • During one vulnerability scan, NMAP had difficulties fingerprinting its operating system (it is running an embedded Linux v2.4.36). • Device is currently available for evaluation for the general public. • Access has been granted to the INTERNAL network interface. • Use the command-line (CLI) version of NMAP – Mac and UNIX/Linux versions appear to work better with NSE script. • Script written specifically for enumerating the Hirschmann. • Script is currently in ‘draft mode’, and is being finalized. • Current version of enumeration script is ‘mguard-10091201.nse’. 15
  • 16. Hirschmann Enumeration: Discoveries Found with Firewall
    If the Hirschmann EAGLE mGuard TX/TX enumeration script is utilized, output will look something like this:
        # nmap --script=./mguard-10091201.nse 1.1.1.1 -PN
        Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 12:48 CDT
        Nmap scan report for xxx (1.1.1.1)
        Host is up (0.0096s latency).
        Not shown: 996 closed ports
        PORT     STATE    SERVICE
        22/tcp   open     ssh
        53/tcp   open     domain
        443/tcp  open     https
        | mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
        | ** IF YOU REQUIRE MORE INFO, USE THE "-v" OPTION
        | ............Flash ID : 420401db459c83e7
        |_............Manufacturer of device : Hirschmann
        1720/tcp filtered H.323/Q.931
        Nmap done: 1 IP address (1 host up) scanned in 2.62 seconds
    NOTE the flash ID number; ID obtained via SSL certificate.
  • 17. Hirschmann Enumeration: Discoveries Found with Firewall
    If the verbose feature of the Hirschmann EAGLE mGuard TX/TX enumeration script is utilized:
        # nmap --script=./mguard-10091201.nse 1.1.1.1 -PN -v
        Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 10:24 PDT
        NSE: Loaded 1 scripts for scanning.
        Initiating Parallel DNS resolution of 1 host. at 10:24
        Completed Parallel DNS resolution of 1 host. at 10:24, 0.06s elapsed
        Initiating Connect Scan at 10:24
        Scanning xxxx (1.1.1.1) [1000 ports]
        Discovered open port 53/tcp on 1.1.1.1
        Discovered open port 22/tcp on 1.1.1.1
        Discovered open port 443/tcp on 1.1.1.1
        Completed Connect Scan at 10:24, 5.62s elapsed (1000 total ports)
        NSE: Script scanning 1.1.1.1.
        NSE: Starting runlevel 1 (of 1) scan.
        Initiating NSE at 10:24
        Completed NSE at 10:25, 6.06s elapsed
        ...
  • 18. Hirschmann Enumeration: Discoveries Found with Firewall (continued from p.17)
        Nmap scan report for xxx (1.1.1.1)
        Host is up (0.096s latency).
        Not shown: 992 closed ports
        PORT     STATE    SERVICE
        22/tcp   open     ssh
        53/tcp   open     domain
        135/tcp  filtered msrpc
        139/tcp  filtered netbios-ssn
        443/tcp  open     https
        | mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
        | ** PHASE 1: TLS/SSL certificate verification
        | ....Step 1: SSL certificate info : CONFIRMED
        | ....Step 2: SSL certificate MD5 hash information
        | ............Flash ID : 420401db459c83e7
        | ............Organization name : Hirschmann Automation and Control GmbH
        | ............SSL certificate MD5 : c93063872150383b879a69f65ab6d7e5
        | ............SSL certificate version: 4.2.1 or newer
  • 19. Hirschmann Enumeration: Discoveries Found with Firewall (continued from p.18)
        | ** PHASE 2: File presence verification
        | ....Step 1: Existence of "/favicon.ico"
        | ............File favicon.ico MD5 : 7449c1f67008cc3bfabbc8f885712207
        | ............Server type/version : 4.2.1 or newer
        | ....Step 2: Existence of "/gai.js"
        | ............File gai.js MD5 : e7696a86648dcdb6efb2e497e5a8616b
        | ............Server type/version : 4.2.1
        | ....Step 3: Existence of "/style.css"
        | ............File style.css MD5 : d71581409253d54902bea82107a1abb2
        | ............Server type/version : 4.2.1
        | ** PHASE 3: HTML pattern matching verification
        | ....Step 1: Confirmation of HTML code per version
        | ............HTML code verified : CONFIRMED
        | ............HTML code variant : Hirschmann
        | ....Step 2: Confirmation web server verification
        | ............Web server verified : CONFIRMED
        | ............Web server name/type : fnord
        | ............Web server version : 1.6
  • 20. Hirschmann Enumeration: Discoveries Found with Firewall (continued from p.19)
        | ** PHASE 4: Documentation
        | ....Step 1: Documentation exist? : YES
        |.............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_BAT54_SW_Rel754_en.pdf
        |_............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_EAGLE_401_EN.pdf
        Read data files from: /usr/local/share/nmap
        Nmap done: 1 IP address (1 host up) scanned in 13.02 seconds
  • 21. Hirschmann Enumeration: Discoveries Found with Firewall
    The following is a sample taken from the startup log while connected to the console:
        ...
        Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/i2c/i2c-adap-ixp425.o
        Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/max6625.o
        Warning: loading max6625 will taint the kernel: non-GPL license - Proprietary
        See http://www.tux.org/lkml/#export-tainted for information about tainted modules
        Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/power.o
        Warning: loading power will taint the kernel: non-GPL license - Proprietary
        Eagle: PHY sysctl directory registered.
        See http://www.tux.org/lkml/#export-tainted for information about tainted modules
        ...
    Thoughts about this?
  • 22. Hirschmann Enumeration: Summary of the Unit • This unit allows secured side to configure firewall. - Cross site scripting (XSS) and session hijacking vulnerable. - Malware that gets inside secured networks can still cause damage. - Other propagation methods for malware include USB, VLAN attacks/mistakes, operator errors, crossed cables, etc. - Need out-of-band commands of the firewall. • Licensing problems could make unit a deliberate target. • ARP table ought to have hard-wired option. • Not a stateful firewall; not aware of industrial protocols. 22
  • 23. One More Thing… Interesting Coincidence?
    • At the time of writing this presentation, the firewall was probed from several IP addresses from China; one of them is shown below:
        2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast address to master interface
        2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification string from 202.116.160.75
        2000-01-01_16:01:37.07397 user.debug: Jan 1 16:01:37 kernel: br0.0001: del 01:00:5e:00:00:01 mcast address from master interface
        2000-01-01_16:01:37.33267 user.info: Jan 1 16:01:37 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
    • Here’s the WHOIS information for this IP address:
        inetnum: 202.116.160.0 - 202.116.175.255
        netname: SCAU-CN
        descr: ~{;*DOE)R54sQ'~}
        descr: South China Agricultural University
        descr: Guangzhou, Guangdong 510642, China
        country: CN
  • 24. Next Gathering: • Mu Dynamics has been very supportive. • Location and time. • SCADA CYBER SECURITY WORKSHOP November 3-4, 2010, Southern Methodist University, Dallas, TX • http://www.nacmast.com/scada-workshop-registration • Continue “Enlightenment” and “NINJA” programs. • Introduce and educate next generation of SCADA security specialists. • Gather data on other user-provided devices. • Work on CSET validation software. • Discuss theoretical and practical issues with devices we test. 24
  • 25. Conclusion • Combined between ‘The Gatherings’ and intelligence gathered from/through enumeration and validation tests, we feel that there will be more to come … much more. • So far, we have a small suite of scripts for the following: • Hirschmann Automation Control GmbH (HAC) • Allen-Bradley (aka Rockwell) • Rockwell Automation • Siemens • Electro Industries / Gaugetech (EIG) 25
  • 26. Questions? Bob Radvanovsky, (630) 673-7740 rsradvan@infracritical.com Jacob Brodsky, (443) 285-3514 jbrodsky@infracritical.com Creative Commons License v3.0. 26
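
The layered check reported in the verbose script output on slides 18 and 19 (a certificate hash, then static-file hashes, each implying a firmware version) can be replayed offline against a catalog when validating an asset inventory. The Python below is an added example, not the mguard-10091201.nse script or any code from the presentation. The four hashes are the ones shown on those slides; the artifact names, the reading of "4.2.1 or newer" as a lower bound, and the verdict labels are assumptions.

```python
"""Offline matcher for catalogued device-fingerprint evidence (added example)."""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, ...]


def md5_hex(data: bytes) -> str:
    """MD5 of a retrieved artifact; a catalog lookup key, not an integrity guarantee."""
    return hashlib.md5(data).hexdigest()


def parse_version(text: str) -> Version:
    """'4.10.1' -> (4, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def format_version(version: Version) -> str:
    return ".".join(str(part) for part in version)


# (artifact, md5) -> (version, is_minimum). Hashes are copied from slides 18-19.
# Assumption: "4.2.1 or newer" is a lower bound, a bare "4.2.1" is an exact claim.
CATALOG: Dict[Tuple[str, str], Tuple[str, bool]] = {
    ("tls-cert", "c93063872150383b879a69f65ab6d7e5"): ("4.2.1", True),
    ("/favicon.ico", "7449c1f67008cc3bfabbc8f885712207"): ("4.2.1", True),
    ("/gai.js", "e7696a86648dcdb6efb2e497e5a8616b"): ("4.2.1", False),
    ("/style.css", "d71581409253d54902bea82107a1abb2"): ("4.2.1", False),
}


def classify(observed: Dict[str, str],
             catalog: Dict[Tuple[str, str], Tuple[str, bool]] = CATALOG
             ) -> Dict[str, object]:
    """Reconcile per-artifact version claims into one verdict.

    observed maps an artifact name to the MD5 seen on the device. Artifacts
    whose hash is not catalogued are reported as 'unknown' (a variance to
    review) instead of being silently dropped.
    """
    exact: Set[Version] = set()
    minimums: List[Version] = []
    matched: List[str] = []
    unknown: List[str] = []
    for artifact, digest in sorted(observed.items()):
        claim = catalog.get((artifact, digest.lower()))
        if claim is None:
            unknown.append(artifact)
            continue
        matched.append(artifact)
        version = parse_version(claim[0])
        if claim[1]:
            minimums.append(version)
        else:
            exact.add(version)

    # Two different exact versions, or an exact version below a lower bound,
    # means the evidence disagrees (e.g. files from mixed firmware builds).
    conflict = len(exact) > 1 or (
        len(exact) == 1 and any(m > next(iter(exact)) for m in minimums))

    version_text: Optional[str] = None
    if matched and not conflict:
        if exact:
            version_text = format_version(next(iter(exact)))
        else:
            version_text = ">=" + format_version(max(minimums))

    if not matched:
        verdict = "unidentified"
    elif conflict:
        verdict = "conflict"
    elif unknown:
        verdict = "partial"
    else:
        verdict = "confirmed"
    return {"verdict": verdict, "version": version_text,
            "matched": matched, "unknown": unknown}


if __name__ == "__main__":
    # Evidence as reported on slides 18-19, except /style.css, whose content
    # here is constructed to stand in for a locally modified file.
    evidence = {artifact: digest for (artifact, digest) in CATALOG}
    evidence["/style.css"] = md5_hex(b"body { color: red }  /* constructed */")
    print(classify(evidence))
```

A "partial" or "conflict" verdict is the case the agenda calls variances found in the wild: the uncatalogued hash is recorded for review rather than treated as a non-match.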