SlideShare ist ein Scribd-Unternehmen logo

Project Basecamp: News From Camp 4

Digital Bond
Digital Bond

Reid Wightman's presentation at AppSec DC 2012. Reid provides background and the lates on Digital Bond's Project Basecamp. New PLC exploit modules include a Stuxnet-type attack on the Modicon Quantum.

Technologie
1 von 63
News from Camp 4 Reid Wightman wightman@digitalbond.com AppSecDC, 2012
Today •! Quick Recap •! New ‘sploits •! Dear Vendor
What’s a PLC •! Programmable Logic Controller •! Inputs and Outputs –! Input example: thermometer in a mash tun –! Output example: heater element and pump motor on a mash tun •! Program sez: –! Keep the temperature @ 153-156F for one hour –! After the timer expires, turn on the pump on to move the mash to fermentation tank •! PLC reports to HMI: How is the beer coming?
Quick recap •! GE D20 –! Security via one protocol (TELNET) but not another (TFTP, LogicLinx) –! Bad guys get full access (read/write) to configuration, plus plaintext passwords, ability to write new ladder logic, etc
Quick Recap 2 •! Schneider Modicon –! Security via one protocol (HTTP) but not others (FTP/ TELNET/Modbus) –! Bad guys get full access (read/write) to configuration, plus plaintext passwords
Quick Recap 3 •! Koyo ECOM100 –! Security via one protocol (HAP) but not another (HTTP) –! HAP protocol features small password space, easy to bruteforce
Quick Recap 4 •! Rockwell ControlLogix –! Security via one protocol (EIP) but not another (err… EIP) –! Bad guys can kill controller remotely
<3 Metasploit •! Building as many vulnerability demonstrations as possible into MSF •! Let everybody see just how easy it is to kill controllers
D20 Modules •! d20tftpbd – provides asyncronous command line via TFTP •! d20pass – retrieves configuration via TFTP, parses config, stores usernames + passwords as loot •! d20_tftp_overflow – triggers buffer overflow in TFTP service. Currently DoS, likely RCE.
Modicon Modules •! modicon_password_recovery – retrieve passwords –! HTTP, Write Password are plaintext –! FTP Password uses vxworks loginDefaultEncrypt() – easily reversed •! Two new modules today…wait for it.
Allen-Bradley ControlLogix •! multi_cip_command – Three payloads derived from Rubén Santamarta’s C code –! STOP the CPU –! Crash the CPU –! Crash the Ethernet card
Koyo •! koyo_login – Brute-force Koyo ECOM passwords
Inconsistent Security
The search for more exploits
Stuxnet + Beresford Fun •! Stuxnet showed ladder-logic ‘hooking’ •! Beresford showed weakness in Siemens controllers that ‘bad guys’ could use •! Most PLCs have the ‘Beresford/Stuxnet’ vuln –! Download ladder logic without authentication –! Upload ladder logic without authentication –! Code-hooking can combine the two with a simple Langner-style ‘logic time bomb’
Modicon •! Modbus used for Engineering Access •! Special Function Code 90: “Unity” –! Lets us STOP the CPU –! Lets us retrieve/overwrite ladder logic
Modicon •! No authentication for any operation, but… •! …Unity == Chatty •! Quick Python code to isolate packets –! Walk through .pcap, find unique packets –! Analyze in Wireshark –! Find Ladder Logic Upload/Download –! Find CPU STOP •! Replay commands
Modicon – CPU STOP •! ~100 packets to initialize conversation •! One packet to STOP CPU –! FC 90 –! Payload 0x01, 0x41, 0xff, 0x00 –! (Start is 0x01, 0x40, 0xff, 0x00)
Modicon – Logic Upload •! ~100 packets to initialize (same) •! Split into ~240 byte blocks (max size of Modbus packet + some overhead bytes) •! Second block must be sent twice –! No idea why –! Repeated testing
Modicon – Logic Upload …But…what file do we transfer? Great question!
Back to the PCAP Block 7 contains strings to search for
Files •! APX == STL (Statement List) •! APB == FBD (Function Block Diagram) •! Multiple blocks become one file •! Both types may be used at once
Simple attack: Overwrite •! Overwrite a remote Modicon to do nothing •! Alt: randomly operate outputs •! Metasploit module shows how it’s done
More complicated: Stuxnet •! Retrieve logic from remote system •! Parse it and wrap it –! Parsing the output probably the hardest step –! Alt: Just use Unity to edit the file (it’s what the pros would do) •! Re-upload
Time spent •! Level of difficulty: miniscule •! < 8 hours from first packet capture to successful file upload/download
Password (Un)protection •! Password protection applies to APX and APB files •! Does not prevent overwrite of existing files •! Does prevent Unity from opening the ‘source code’ •! Protection is really crappy
Password (Un)protection
Password (Un)protection
Back to the PCAP Block 7 contains strings to search for
349 DLLs!
Password (Un)protection •! Password stored in .APX and .APB files •! Offset ~0x4C8 •! Password in plaintext is…plaintext •! Password ‘encrypted’: –! aaaa => YCOG –! aaab => 5BB1 –! aaba => 5BDA –! abaa => 5U1B –! baaa => 5BBU
Password (Un)protection •! Project is not encrypted, only password is •! Change password to known-value (hexedit) •! Modicon “Password Proxy” could strip password
Password (Un)protection Modicon password is dumb no matter who you are: –! Hate security? It’s annoying! –! Love security? It doesn’t do anything!
</Modicon> •! ‘modiconstux’ and ‘modiconstop’ available today –! Overwrite the ladder logic in that pesky controller –! STOP or RUN your (least) favorite controller •! Password proxy stripper TBA •! Aside from that, it’s been p0wn3d enough •! What I want: Schneider -- give me a security roadmap so that I can start recommending your products.
More New Stuff: WAGO •! Russian group DsecRG released vulns with Basecamp –! CSRF –! default credentials •! Lots of other vulns + backdoors + FUN!
WAGO •! My model: IPC 758-870 •! 266Mhz x86, 32MB flash, 32MB ram •! Linux 2.4.31
WAGO •! Hard-Coded user accounts –! guest/guest –! user/user00 –! root/ko2003wa (requires su) •! Open telnet, ftp services –! Upload files and run them –! Just like any other Linux box –! Successfully compiled tinyproxy, tor
WAGO Ladder Logic 3S-Software CoDeSys –! Most amazing ladder logic implementation ever –! Used by hundreds of manufacturers –! Security--
CoDeSys – How it works 1) Engineer writes their logic 2) Engineering software compiles binary 3) Binary transferred to PLC (no authentication!) 4) PLC loads binary into memory, jumps inside
Remember PLC Notes? •! Very few PLCs use MMU •! WAGO does (Linux on x86, yay) •! …But the CoDeSys process runs as root
CoDeSys Project Format •! Header •! X86 binary •! Footer •! Don’t really need to understand it to exploit it
CoDeSys Project Format •! World’s longest NOP-sled? •! ~750kb of NOPs followed by a bind shell •! Uploaded to WAGO •! Sadly, FAIL – CRC failure •! Need to RE the CRC (32-bit CRC, stored as .CHK file on filesystem) •! Expect an update and metasploit poc in a few weeks
Dear 3S-Software •! You are in an amazing position to promote secure ladder logic transfer •! A little goes a long way in this area
Basecamp responses •! A-B decent –! gave quick mitigation information –! provided Snort signatures –! …still waiting for long-term fix for CIP •! Schneider has said little since Rubén’s backdoor disclosure –! “We take security seriously…” –! (Nevermind the backdoors + other flaws) •! GE has shared nothing •! Koyo has shared nothing

Empfohlen

Balázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a TunnelBalázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a Tunnelhacktivity
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsBalazs Bucsay
 
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)Balazs Bucsay
 
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)Balazs Bucsay
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Shahriman .
 
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)Balazs Bucsay
 
Salt at school
Salt at schoolSalt at school
Salt at schoolFlavio Castelli
 
LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013dotCloud
 

Empfohlen

Balázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a TunnelBalázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a Tunnelhacktivity
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsBalazs Bucsay
 
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)Balazs Bucsay
 
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)Balazs Bucsay
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Shahriman .
 
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)Balazs Bucsay
 
Salt at school
Salt at schoolSalt at school
Salt at schoolFlavio Castelli
 
LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013dotCloud
 
Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Linaro
 
Fastsocket Linxiaofeng
Fastsocket LinxiaofengFastsocket Linxiaofeng
Fastsocket LinxiaofengMichael Zhang
 
Linux firmware for iRMC controller on Fujitsu Primergy servers
Linux firmware for iRMC controller on Fujitsu Primergy serversLinux firmware for iRMC controller on Fujitsu Primergy servers
Linux firmware for iRMC controller on Fujitsu Primergy serversVladimir Shakhov
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装inaz2
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205Linaro
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理Aj MaChInE
 
SDAccel Design Contest: Vivado
SDAccel Design Contest: VivadoSDAccel Design Contest: Vivado
SDAccel Design Contest: VivadoNECST Lab @ Politecnico di Milano
 
SDAccel Design Contest: Vivado HLS
SDAccel Design Contest: Vivado HLSSDAccel Design Contest: Vivado HLS
SDAccel Design Contest: Vivado HLSNECST Lab @ Politecnico di Milano
 
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)Balazs Bucsay
 
Использование KASan для автономного гипервизора
Использование KASan для автономного гипервизораИспользование KASan для автономного гипервизора
Использование KASan для автономного гипервизораPositive Hack Days
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?hackersuli
 
Andrea Righi - Spying on the Linux kernel for fun and profit
Andrea Righi - Spying on the Linux kernel for fun and profitAndrea Righi - Spying on the Linux kernel for fun and profit
Andrea Righi - Spying on the Linux kernel for fun and profitlinuxlab_conf
 
OpenWRT and Perl
OpenWRT and PerlOpenWRT and Perl
OpenWRT and PerlDean Hamstead
 
SDAccel Design Contest: Intro
SDAccel Design Contest: IntroSDAccel Design Contest: Intro
SDAccel Design Contest: IntroNECST Lab @ Politecnico di Milano
 
BKK16-305B ILP32 Performance on AArch64
BKK16-305B ILP32 Performance on AArch64BKK16-305B ILP32 Performance on AArch64
BKK16-305B ILP32 Performance on AArch64Linaro
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterAnne Nicolas
 
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Biblioteca Nacional de España
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Linaro
 
Post production
Post productionPost production
Post productionrachel17lloyd
 
Post production
Post productionPost production
Post productionleilaalimadadi
 

Weitere ähnliche Inhalte

Was ist angesagt?

Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Linaro
 
Fastsocket Linxiaofeng
Fastsocket LinxiaofengFastsocket Linxiaofeng
Fastsocket LinxiaofengMichael Zhang
 
Linux firmware for iRMC controller on Fujitsu Primergy servers
Linux firmware for iRMC controller on Fujitsu Primergy serversLinux firmware for iRMC controller on Fujitsu Primergy servers
Linux firmware for iRMC controller on Fujitsu Primergy serversVladimir Shakhov
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装inaz2
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205Linaro
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理Aj MaChInE
 
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)Balazs Bucsay
 
Использование KASan для автономного гипервизора
Использование KASan для автономного гипервизораИспользование KASan для автономного гипервизора
Использование KASan для автономного гипервизораPositive Hack Days
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?hackersuli
 
Andrea Righi - Spying on the Linux kernel for fun and profit
Andrea Righi - Spying on the Linux kernel for fun and profitAndrea Righi - Spying on the Linux kernel for fun and profit
Andrea Righi - Spying on the Linux kernel for fun and profitlinuxlab_conf
 
BKK16-305B ILP32 Performance on AArch64
BKK16-305B ILP32 Performance on AArch64BKK16-305B ILP32 Performance on AArch64
BKK16-305B ILP32 Performance on AArch64Linaro
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterAnne Nicolas
 
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Biblioteca Nacional de España
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Linaro
 

Was ist angesagt? (20)

Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403
 
Fastsocket Linxiaofeng
Fastsocket LinxiaofengFastsocket Linxiaofeng
Fastsocket Linxiaofeng
 
Linux firmware for iRMC controller on Fujitsu Primergy servers
Linux firmware for iRMC controller on Fujitsu Primergy serversLinux firmware for iRMC controller on Fujitsu Primergy servers
Linux firmware for iRMC controller on Fujitsu Primergy servers
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
 
SDAccel Design Contest: Vivado
SDAccel Design Contest: VivadoSDAccel Design Contest: Vivado
SDAccel Design Contest: Vivado
 
SDAccel Design Contest: Vivado HLS
SDAccel Design Contest: Vivado HLSSDAccel Design Contest: Vivado HLS
SDAccel Design Contest: Vivado HLS
 
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
 
Использование KASan для автономного гипервизора
Использование KASan для автономного гипервизораИспользование KASan для автономного гипервизора
Использование KASan для автономного гипервизора
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?
 
Andrea Righi - Spying on the Linux kernel for fun and profit
Andrea Righi - Spying on the Linux kernel for fun and profitAndrea Righi - Spying on the Linux kernel for fun and profit
Andrea Righi - Spying on the Linux kernel for fun and profit
 
OpenWRT and Perl
OpenWRT and PerlOpenWRT and Perl
OpenWRT and Perl
 
SDAccel Design Contest: Intro
SDAccel Design Contest: IntroSDAccel Design Contest: Intro
SDAccel Design Contest: Intro
 
BKK16-305B ILP32 Performance on AArch64
BKK16-305B ILP32 Performance on AArch64BKK16-305B ILP32 Performance on AArch64
BKK16-305B ILP32 Performance on AArch64
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
 
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
 

Andere mochten auch

Post Production AS
Post Production ASPost Production AS
Post Production AStigersushi
 
Post production presentation
Post production presentationPost production presentation
Post production presentationshaunie_mellor
 
Post production
Post productionPost production
Post productionrachelCJ
 
Presentation1
Presentation1Presentation1
Presentation1winwell
 
Post Production Plan
Post Production PlanPost Production Plan
Post Production Planlexibenson123
 
Post production (pp)
Post production (pp)Post production (pp)
Post production (pp)divamabika2
 
Audience theories
Audience theoriesAudience theories
Audience theoriesKim Fyson
 
Question 1a presentation task
Question 1a presentation taskQuestion 1a presentation task
Question 1a presentation taskjonreigatemedia
 
Post production story board
Post production story boardPost production story board
Post production story boardlucybrenner19
 
G325 a2 q1 a revision part1
G325 a2 q1 a revision part1G325 a2 q1 a revision part1
G325 a2 q1 a revision part1Kim Fyson
 
Post production
Post productionPost production
Post productionhammonda
 
Pre-production, Production & Post-production Process in 3D Animation
Pre-production, Production & Post-production Process in 3D Animation Pre-production, Production & Post-production Process in 3D Animation
Pre-production, Production & Post-production Process in 3D Animation Veetil Digital Service
 
ASSIGNMENT A - Special Subject Investigation for Creative Media Prodcution ready
ASSIGNMENT A - Special Subject Investigation for Creative Media Prodcution readyASSIGNMENT A - Special Subject Investigation for Creative Media Prodcution ready
ASSIGNMENT A - Special Subject Investigation for Creative Media Prodcution readyMilesWeb
 
Film Production Workflow
Film Production WorkflowFilm Production Workflow
Film Production WorkflowJohn Grace
 

Andere mochten auch (17)

Post production
Post productionPost production
Post production
 
Post production
Post productionPost production
Post production
 
Post Production AS
Post Production ASPost Production AS
Post Production AS
 
Post production presentation
Post production presentationPost production presentation
Post production presentation
 
Post production
Post productionPost production
Post production
 
Presentation1
Presentation1Presentation1
Presentation1
 
Postproduction
PostproductionPostproduction
Postproduction
 
Post Production Plan
Post Production PlanPost Production Plan
Post Production Plan
 
Post production (pp)
Post production (pp)Post production (pp)
Post production (pp)
 
Audience theories
Audience theoriesAudience theories
Audience theories
 
Question 1a presentation task
Question 1a presentation taskQuestion 1a presentation task
Question 1a presentation task
 
Post production story board
Post production story boardPost production story board
Post production story board
 
G325 a2 q1 a revision part1
G325 a2 q1 a revision part1G325 a2 q1 a revision part1
G325 a2 q1 a revision part1
 
Post production
Post productionPost production
Post production
 
Pre-production, Production & Post-production Process in 3D Animation
Pre-production, Production & Post-production Process in 3D Animation Pre-production, Production & Post-production Process in 3D Animation
Pre-production, Production & Post-production Process in 3D Animation
 
ASSIGNMENT A - Special Subject Investigation for Creative Media Prodcution ready
ASSIGNMENT A - Special Subject Investigation for Creative Media Prodcution readyASSIGNMENT A - Special Subject Investigation for Creative Media Prodcution ready
ASSIGNMENT A - Special Subject Investigation for Creative Media Prodcution ready
 
Film Production Workflow
Film Production WorkflowFilm Production Workflow
Film Production Workflow
 

Ähnlich wie Project Basecamp: News From Camp 4

Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
LCA2018 Open Hardware MiniConference: LoliBot Software
LCA2018 Open Hardware MiniConference: LoliBot SoftwareLCA2018 Open Hardware MiniConference: LoliBot Software
LCA2018 Open Hardware MiniConference: LoliBot SoftwareAndy Gelme
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiTakuya ASADA
 
Iot Bootcamp - abridged - part 1
Iot Bootcamp - abridged - part 1Iot Bootcamp - abridged - part 1
Iot Bootcamp - abridged - part 1Marcus Tarquinio
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011Scott Carlson
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksAnne Nicolas
 
Deploying PHP on PaaS: Why and How?
Deploying PHP on PaaS: Why and How?Deploying PHP on PaaS: Why and How?
Deploying PHP on PaaS: Why and How?Docker, Inc.
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
Network insecuritysimplehackscortexm jonnydoin
Network insecuritysimplehackscortexm jonnydoinNetwork insecuritysimplehackscortexm jonnydoin
Network insecuritysimplehackscortexm jonnydoinJonny Doin
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 

Ähnlich wie Project Basecamp: News From Camp 4 (20)

Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
LCA2018 Open Hardware MiniConference: LoliBot Software
LCA2018 Open Hardware MiniConference: LoliBot SoftwareLCA2018 Open Hardware MiniConference: LoliBot Software
LCA2018 Open Hardware MiniConference: LoliBot Software
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgi
 
Iot Bootcamp - abridged - part 1
Iot Bootcamp - abridged - part 1Iot Bootcamp - abridged - part 1
Iot Bootcamp - abridged - part 1
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011
 
Eusecwest
EusecwestEusecwest
Eusecwest
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
 
Deploying PHP on PaaS: Why and How?
Deploying PHP on PaaS: Why and How?Deploying PHP on PaaS: Why and How?
Deploying PHP on PaaS: Why and How?
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
Network insecuritysimplehackscortexm jonnydoin
Network insecuritysimplehackscortexm jonnydoinNetwork insecuritysimplehackscortexm jonnydoin
Network insecuritysimplehackscortexm jonnydoin
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 

Mehr von Digital Bond

The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security ProductsDigital Bond
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?Digital Bond
 
Attacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaAttacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaDigital Bond
 
Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015Digital Bond
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)Digital Bond
 
The RIPE Experience
The RIPE ExperienceThe RIPE Experience
The RIPE ExperienceDigital Bond
 
Windows Service Hardening
Windows Service HardeningWindows Service Hardening
Windows Service HardeningDigital Bond
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
Assessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsAssessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsDigital Bond
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS CommunicationsDigital Bond
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldDigital Bond
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case StudyDigital Bond
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014Digital Bond
 
Unidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICSUnidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICSDigital Bond
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing KeynoteDigital Bond
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Digital Bond
 
Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)Digital Bond
 
ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)Digital Bond
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Digital Bond
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Digital Bond
 

Mehr von Digital Bond (20)

The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security Products
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?
 
Attacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaAttacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar Asia
 
Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
 
The RIPE Experience
The RIPE ExperienceThe RIPE Experience
The RIPE Experience
 
Windows Service Hardening
Windows Service HardeningWindows Service Hardening
Windows Service Hardening
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Assessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsAssessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS Solutions
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case Study
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014
 
Unidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICSUnidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICS
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing Keynote
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)
 
Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)
 
ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)
 

Kürzlich hochgeladen

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Kürzlich hochgeladen (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Project Basecamp: News From Camp 4

  • 1. News from Camp 4 Reid Wightman wightman@digitalbond.com AppSecDC, 2012
  • 2. Today •! Quick Recap •! New ‘sploits •! Dear Vendor
  • 3. What’s a PLC •! Programmable Logic Controller •! Inputs and Outputs –! Input example: thermometer in a mash tun –! Output example: heater element and pump motor on a mash tun •! Program sez: –! Keep the temperature @ 153-156F for one hour –! After the timer expires, turn on the pump on to move the mash to fermentation tank •! PLC reports to HMI: How is the beer coming?
  • 4. Quick recap •! GE D20 –! Security via one protocol (TELNET) but not another (TFTP, LogicLinx) –! Bad guys get full access (read/write) to configuration, plus plaintext passwords, ability to write new ladder logic, etc
  • 5. Quick Recap 2 •! Schneider Modicon –! Security via one protocol (HTTP) but not others (FTP/ TELNET/Modbus) –! Bad guys get full access (read/write) to configuration, plus plaintext passwords
  • 6. Quick Recap 3 •! Koyo ECOM100 –! Security via one protocol (HAP) but not another (HTTP) –! HAP protocol features small password space, easy to bruteforce
  • 7. Quick Recap 4 •! Rockwell ControlLogix –! Security via one protocol (EIP) but not another (err… EIP) –! Bad guys can kill controller remotely
  • 8. <3 Metasploit •! Building as many vulnerability demonstrations as possible into MSF •! Let everybody see just how easy it is to kill controllers
  • 9. D20 Modules •! d20tftpbd – provides asyncronous command line via TFTP •! d20pass – retrieves configuration via TFTP, parses config, stores usernames + passwords as loot •! d20_tftp_overflow – triggers buffer overflow in TFTP service. Currently DoS, likely RCE.
  • 10. Modicon Modules •! modicon_password_recovery – retrieve passwords –! HTTP, Write Password are plaintext –! FTP Password uses vxworks loginDefaultEncrypt() – easily reversed •! Two new modules today…wait for it.
  • 11. Allen-Bradley ControlLogix •! multi_cip_command – Three payloads derived from Rubén Santamarta’s C code –! STOP the CPU –! Crash the CPU –! Crash the Ethernet card
  • 12. Koyo •! koyo_login – Brute-force Koyo ECOM passwords
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19. The search for more exploits
  • 20. Stuxnet + Beresford Fun •! Stuxnet showed ladder-logic ‘hooking’ •! Beresford showed weakness in Siemens controllers that ‘bad guys’ could use •! Most PLCs have the ‘Beresford/Stuxnet’ vuln –! Download ladder logic without authentication –! Upload ladder logic without authentication –! Code-hooking can combine the two with a simple Langner-style ‘logic time bomb’
  • 21.
  • 22. Modicon •! Modbus used for Engineering Access •! Special Function Code 90: “Unity” –! Lets us STOP the CPU –! Lets us retrieve/overwrite ladder logic
  • 23.
  • 24.
  • 25.
  • 26. Modicon •! No authentication for any operation, but… •! …Unity == Chatty •! Quick Python code to isolate packets –! Walk through .pcap, find unique packets –! Analyze in Wireshark –! Find Ladder Logic Upload/Download –! Find CPU STOP •! Replay commands
  • 27. Modicon – CPU STOP •! ~100 packets to initialize conversation •! One packet to STOP CPU –! FC 90 –! Payload 0x01, 0x41, 0xff, 0x00 –! (Start is 0x01, 0x40, 0xff, 0x00)
  • 28.
  • 29.
  • 30. Modicon – Logic Upload •! ~100 packets to initialize (same) •! Split into ~240 byte blocks (max size of Modbus packet + some overhead bytes) •! Second block must be sent twice –! No idea why –! Repeated testing
  • 31. Modicon – Logic Upload …But…what file do we transfer? Great question!
  • 32.
  • 33.
  • 34.
  • 35. Back to the PCAP Block 7 contains strings to search for
  • 36.
  • 37. Files •! APX == STL (Statement List) •! APB == FBD (Function Block Diagram) •! Multiple blocks become one file •! Both types may be used at once
  • 38. Simple attack: Overwrite •! Overwrite a remote Modicon to do nothing •! Alt: randomly operate outputs •! Metasploit module shows how it’s done
  • 39. More complicated: Stuxnet •! Retrieve logic from remote system •! Parse it and wrap it –! Parsing the output probably the hardest step –! Alt: Just use Unity to edit the file (it’s what the pros would do) •! Re-upload
  • 40. Time spent •! Level of difficulty: miniscule •! < 8 hours from first packet capture to successful file upload/download
  • 41. Password (Un)protection •! Password protection applies to APX and APB files •! Does not prevent overwrite of existing files •! Does prevent Unity from opening the ‘source code’ •! Protection is really crappy
  • 44. Back to the PCAP Block 7 contains strings to search for
  • 46. Password (Un)protection •! Password stored in .APX and .APB files •! Offset ~0x4C8 •! Password in plaintext is…plaintext •! Password ‘encrypted’: –! aaaa => YCOG –! aaab => 5BB1 –! aaba => 5BDA –! abaa => 5U1B –! baaa => 5BBU
  • 47. Password (Un)protection •! Project is not encrypted, only password is •! Change password to known-value (hexedit) •! Modicon “Password Proxy” could strip password
  • 48. Password (Un)protection Modicon password is dumb no matter who you are: –! Hate security? It’s annoying! –! Love security? It doesn’t do anything!
  • 49. </Modicon> •! ‘modiconstux’ and ‘modiconstop’ available today –! Overwrite the ladder logic in that pesky controller –! STOP or RUN your (least) favorite controller •! Password proxy stripper TBA •! Aside from that, it’s been p0wn3d enough •! What I want: Schneider -- give me a security roadmap so that I can start recommending your products.
  • 50. More New Stuff: WAGO •! Russian group DsecRG released vulns with Basecamp –! CSRF –! default credentials •! Lots of other vulns + backdoors + FUN!
  • 51. WAGO •! My model: IPC 758-870 •! 266Mhz x86, 32MB flash, 32MB ram •! Linux 2.4.31
  • 52. WAGO •! Hard-Coded user accounts –! guest/guest –! user/user00 –! root/ko2003wa (requires su) •! Open telnet, ftp services –! Upload files and run them –! Just like any other Linux box –! Successfully compiled tinyproxy, tor
  • 53.
  • 54. WAGO Ladder Logic 3S-Software CoDeSys –! Most amazing ladder logic implementation ever –! Used by hundreds of manufacturers –! Security--
  • 55. CoDeSys – How it works 1) Engineer writes their logic 2) Engineering software compiles binary 3) Binary transferred to PLC (no authentication!) 4) PLC loads binary into memory, jumps inside
  • 56. Remember PLC Notes? •! Very few PLCs use MMU •! WAGO does (Linux on x86, yay) •! …But the CoDeSys process runs as root
  • 57.
  • 58.
  • 59. CoDeSys Project Format •! Header •! X86 binary •! Footer •! Don’t really need to understand it to exploit it
  • 60. CoDeSys Project Format •! World’s longest NOP-sled? •! ~750kb of NOPs followed by a bind shell •! Uploaded to WAGO •! Sadly, FAIL – CRC failure •! Need to RE the CRC (32-bit CRC, stored as .CHK file on filesystem) •! Expect an update and metasploit poc in a few weeks
  • 61.
  • 62. Dear 3S-Software •! You are in an amazing position to promote secure ladder logic transfer •! A little goes a long way in this area
  • 63. Basecamp responses •! A-B decent –! gave quick mitigation information –! provided Snort signatures –! …still waiting for long-term fix for CIP •! Schneider has said little since Rubén’s backdoor disclosure –! “We take security seriously…” –! (Nevermind the backdoors + other flaws) •! GE has shared nothing •! Koyo has shared nothing