Cupfighter.net

By Jonathan Pollet

The days that Scada systems could hide behind obscurity are over. These systems are on internet, use common protocols of which information is widely available. On 15 July this year, the first Trojan was found that specifically queries databases that are also used by Scada systems.

This presentation starts by explaining how the power grid works. A typical network architecture has three zones. A corporate network, a DCS (), EMS (Energy Management System) or DMS (Distribution Management System) network and a network with the industrial systems on it. These networks are typically separated by firewalls. When you add smart meters to the mix they are typically connected in a similar fashion.

The formal models around SCADA security all evolve around this zoning model.

Red Tiger Security has developed a special process to do assessment of these networks, because industrial equipment starts behaving funny when scanned with standard vulnerability scanners. Automated scanning of Scada systems form the network is okay, but scanning the industrial equipment will cause outages.

Scada environments are often poorly patched because patches are known to break Scada systems. Most of the vulnerabilities discovered in these infrastructures are found in the Scada DMZ, because these systems are often not maintained by corporate IT, because they don;t know how to maintain it, but it is also not owned by the Scada engineers.

Read more…

By Nicholas J. Percoco (@c7five) and Jibran Ilyas

The Spyderlabs guys had a busy year. They investigated over 200 incidents in 24 different countries and ended up collecting enough malware samples. Based upon last year’s DEFCON talk they are going to dive deeper and bring you the most interesting samples from around the world

This talk will bring you 4 new freaks and 4 new victims including: a Sports Bar in Miami, Online Adult Toy Store, US Defense Contractor, and an International VoiP Provider.

The malware being demoed are very advanced pieces of software written by very skilled developers. The complexity in their propagation, control channels, anti-forensic techniques and data exporting properties will be very interesting to anyone interested in this topic, even tough the major categories have stayed the same.

Malware comes in various categories: Keyboard logger, screen loggers and memory scrapers. Disk scrapers are not very popular because it is slow and is noticed to easily due to heavy disk activity. There are three basic ways to own a system: Physical, Easy and Uber . Physical means inserting something like a USB stick or key logger. Easy is e.g. through publicly exposed RDP and default passwords.

Malware is getting much harder to detect because they are better tested and using more stealthy techniques like root kits.

Sample SL2009-127 – Memory Rootkit Malware – Captain Brain Drain

Read more…

By Christiaan Beek

From isfullofcrap Flickr photo stream. Creative Commons License

BlackhatEU : Virtual Forensics
By Christiaan Beek

What are the challenges when you have to do forensics on a virtual environment?
•    What are the tools available?
•    Are the tools forensically sound?
•    Where is the data?
•    Who owns the data?
•    What forensic techniques do we use?
•    How to acquire data from the cloud?

Citrix is a nightmare for forensics investigators. There is no personal hard disk to investigate, only a personal profile which does not have very much data in it.
Read more…

By David Lindsay & Eduardo Vela Nava

The talk is about abusing the anti-XSS filters built into IE8 to always be able to perform XSS.

Microsoft decided to implement anti-XSS measures in IE because XSS is so common. On the other hand the wanted to be careful not to break the web and to keep things performant and the solution itself had to be secure.

So how do these filters work?
•    Examine all outbound requests for XSS patterns using heuristics filters.
•    If something matches the filter a dynamic signature is generated
•    If the signature matches then the response is neutered.
Read more…

By Christian Papathanasiou

Christian demoed two tools called JBoss-autopwn and Tomcat-autopwn.

For both tools he demonstrated that exploitation is possible both on Windows and Linux systems. It is also very likely that his tool also works on Solaris.
Read more…

By Andre Adelsbach

Image from christianmeichtry's Flickr photostream. Creative Commons license

The talk starts with explaining the properties of Satellite ISPs. Due to the nature of satellite communication, high latency, high downstream bandwidth, the ISPs often use performance enhancing proxies. Often the satellite ISPs use asymmetric links, using a local uplink in combination with the satellite downlink, but symmetric communication, where the uplink also is sent via the satellite is possible too.

The performance enhancing proxy on the local machine has to breaks some of the basic TCP/IP properties to enhance performance, in this also breaking some of the basic security measures.

Read more…

By Enno Rey & Daniel Mende
erey@ernw.de
dmende@ernw.de

When implementing Cisco Wireless network infrastructure Enno and Daniel got the impression that, security wise, these systems smell.

First part of the presentation focuses on what a typical implementation looks like.

There are three generations:
1.    Structured Wireless-Aware Networks (SWAN)
2.    Based on managed APs and LWAPP (After acquiring Airport)
3.    Cisco Unified Wireless Network

The talk focuses on generation one and three.
Read more…

By James Arlen (@myrcurial, james.arlen@pushthestack.com)

James talk is not about SCADA, it about talking about SCADA.

The security industry has discovered that SCADA systems are in fact information system and all of a sudden security professionals are talking about how they can fix the SCADA security issues.

One of the biggest pieces of FUD that is out there is: if you own the computer you own the system? This is not the case, most of the time when SCADA systems fail, the processes they control stop.

Yes, SCADA systems use control processes by using standard protocols, like modbus tcp, but that doesn’t mean that you understand what energizing coil 13 does to the actual process. If you can break the computer system, it doesn’t men you can break the process.

There are more controls in place in a manufacturing process, e.g. the safety systems that are their to prevent catastrophic from happening or the quality control systems that prevent that dodgy products get out. The most important control in place is that manufacturing is still mostly run by humans who will notice that stuff is about to go wrong.

One of the facts about big infrastructures (electrical nets and manufacturing processes) is that the people who run them count on stuff breaking down. Most of the time you don’t even notice that a major failure in these systems has occurred.

It’s not all negative…
We can understand SCADA systems and we can indeed help. In industrial systems Availability is the key element of the triad, not Integrity or Availability.

If you are going to get involved, be a student, before you become the teacher. Buy some people a cup of coffee and be prepared to put you ego behind you. Understand that these people have being doing this work for a long time and are indeed you parents age, that makes you the kid.

James shared, not for disclosure, a number of examples of IT Security bad practices that where found in the real world and make most IT Security wince and giggle at the same time. Words like rsh, solitaire and non-upgradable NT 4.0 where mentioned.

What will save us, Super Ninja’s, l337 super heros or just “Not Sucking”.

As IT Security people we need to open up, understand this stuff and make small progress that will have a big effect.

By Stephan Chenette (schenette@websense.com)

This talk is accompanied with the release of Fireshark, a Firefox plugin. It can be downloaded here: fireshark.org

Compromised legitimate websites have increased 225% in the last 12 months.

Stephan wrote the Fireshark too to address the problem of analyzing malware serving legitimate site. He found that to date there was no tools that are available today gave him the information that he needed.

Most malware landing pages use exploit kits that will try to use about 25 exploits. These kids are highly obfuscated. Most analysis tools are well known by the bad guys and are thus protected against de-obfuscation.

What is Fireshark?
Read more…

By Felix FX Lindner (Twitter: @41414141, fx@recurity-lab.com)

Image from http://de.wikipedia.org/wiki/Blitzableiter

Felix’s talk is about defending against Flash based web application exploits

This talk is about a tool he developed called “Blitzableiter” (Lightning rod) can be found at http://blitzableiter.recurity.com/. Felix is very much looking for feedback.

Felix has been playing offense for quite some time, but is now playing defense, which he said turns out to be harder then offense.

The motivation for Felix’ work comes form the German government agency BSI who found out that Adobe Flash is way behind the security curve in comparison to other technology.
Read more…