0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/96 Thanks!

00:00:08,940 --> 00:00:20,110
It's a great pleasure to introduce Sergey and Gleb, who will now tell you some more about why SCADA is important for us and why it's deeply broken. Thanks.

00:00:28,020 --> 00:01:29,199
Hello, Congress. Nice to meet you again. Here we are, Sergey and Gleb, but as usual we are only fragments of the SCADA StrangeLove team. Here's our team, and I ask you to applaud those guys who work with us. Thank you, guys.

Last year we had a very good time here at Congress, and after this we decided to spend more time, how can I say, hacking SCADA systems to get some new material to talk here again. So here we are, and we are talking about our first release. Our first release is a new business metric to estimate the cost of a vulnerability, how to estimate it.
00:01:29,200 --> 00:02:58,519
Now, to find any vulnerability in the ICS environment, you don't need so much money. You can download already parsed stuff from scans.io, grep it with ElasticSearch, and if you want to put it in Excel, that's the most expensive part for me: it costs more than 9000, because I hate it. But if you have, I don't know, a student, you can ask him to do it by himself.

Why are we talking about it? Because in the last year things changed. In 2012 we had Google and Shodan, and that was very slow and boring. And now we have Nmap, masscan, or special homebrew scanners for industrial protocols, and it's simple to get new, up-to-date information about ICS systems on the internet. Here it is. So at the moment in our knowledge base we have more than 60,000 different ICS devices.
00:02:58,520 --> 00:04:14,749
Of course, most of the devices are in the U.S., but Germany is in second place, and in fifth place is Italy, not with pizza ovens only. And if you check this statistic by vendors, we will find out that in fifth place we can find not very common vendors, not, I don't know, Siemens or ABB. Why? Because a lot of ICS devices are connected to the internet not directly, but via special network devices, which can be fingerprinted by common methods.

If you check our statistics for the top 10 devices, we will find a wind cube in first place. What is it? This is a smart grid device. They use it to control solar and wind power generation stuff.
00:04:14,750 --> 00:05:41,689
So for me, smart grid is the next big thing in ICS security, because many people are buying some devices, installing them at home, connecting them to the internet to control power, to understand how much energy was generated, and this creates additional vulnerabilities in such devices.

Finally, things related to protocols you can see on this slide: only two percent of all exposed devices were fingerprinted by using industrial protocols like S7, Modbus and so on; ninety-eight percent by HTTP, SMTP and all the other stuff which ICS devices most need to work, too. I don't know what these things do, which was... So they're there just for communicating with operators, for monitoring, for management, configuration and so on. But they're just there for us to make this stat. Yeah. Think of that from the industrial protocol point of view.
00:05:41,690 --> 00:06:58,819
The most common protocols are S7 and Modbus, but this is only because we have tools to fingerprint these protocols. And maybe this statistic will change next time, because we will create an additional toolkit. So our first special release for Congress: it's a list of docs and fingerprints you can use to find ICS devices in your network or on the internet. Please enjoy responsibly.

Why is it important? You know, we are finding devices on the internet not just for putting them in Excel and to visit Congress. We are working with different sorts of international agencies like IMPACT or ENISA to remove these devices from the internet. So I think if you launch Nmap next time and find one or two, I don't know, power grid devices on the internet, you will behave in a similar way.
00:06:58,820 --> 00:07:46,609
And maybe we have our jerks, they will do it by themselves next time. But, you know, all these statistics are only part of the full picture, because very often during a security assessment you can find a remote desktop or RAdmin on the perimeter of an ICS network. And if you guess the password 12345, you will find that this device, which you can connect to via a remote management protocol, is an engineering station, which was exposed to the internet by an operator to simplify his day-by-day work. This is a very common situation, but things can be more interesting.
00:07:47,780 --> 00:09:12,719
For instance, during the assessment of a transportation system, we found that one genius, during deployment of a train entertainment system, plugged the broadband internet access from the train into the same switch which is connected to the computer-based interlocking system and processes all the transportation stuff, you know, signaling and so on. So if you connect something to the internet, then the internet can connect to you.

So what about industrial protocols? There is a lot of different information about this, and we have a lot of dedicated talks about industrial protocols by SCADA StrangeLove. In short, there are a lot of them. Some of them are easy. Some of them are more complex, like not only manipulating some tags on PLCs and changing the state, for example, of some turbine; they also can reconfigure devices, they also can refresh the devices, and so on.
00:09:12,720 --> 00:10:44,479
And most of the stuff nowadays you can find on the internet, like things for fingerprints and black things, or even the libraries to communicate with the different devices and wireless protocols. But not everything is researched nowadays. Like, for example, the fault-tolerant protocol. It's not even detected by Wireshark, and it has a lot of similarities with the PROFINET DCP protocol in terms of broadcasting requests in the subnet and giving all the components to start the communication between them. And this is just a work in progress, and we hope that soon Alexander Timorin will share with us what is in this sector.

So here comes the first special release for this anniversary: the brute force of Siemens S7 PLCs as a module for Hydra. We will run a demo. We can skip the introduction. I think everybody here can use Nmap to find devices on port 102. It's
00:10:46,270 --> 00:12:27,399
the S7 protocol. After that you can use, for instance, PLCScan. It's an open source tool, you can easily contribute, to check this port against S7 fingerprints. Yep. Here is the list of the devices, and one of the devices returned: it's got the capability, and we can see that this is an S7-300, as you'll see. So after that you can use the new Hydra, thanks to van Hauser who built it, to check this device against the most common passwords. We also got them during our penetration tests. And here is the magic. It should work for sure, it's video assistance. So here it is. And once again, thank you to van Hauser and The Hacker's Choice.
00:12:45,720 --> 00:13:57,969
So again, about last year: last year we talked a lot about different vulnerabilities, and we had no ability to disclose a lot of details. But this year we can try to put out some things about these vulnerabilities, and, talking about them, we will try to build some attack vector on a Siemens WinCC installation. Let's just assume we somehow have access to the subnet with Siemens WinCC, with PLCs and a SCADA server, and here it goes.

Well, first of all, the vulnerability: it's actually very bad, because it's very easy to use, it gives you a lot of privileges, and there are too many devices facing the internet right now. Well, we will just not talk about it, but we will give a small challenge.
00:13:57,970 --> 00:15:11,549
The first one who guesses the protocol will get a free T-shirt or a free beer after this talk or during tomorrow's workshop. So we are waiting. OK, here is the guy. OK, I will. So we did not tell you anything about this vulnerability. But now we have remote access; it's access to the database. OK, what next should we do? To develop our attack vector, we should think about post-exploitation, just about what we can get on the compromised host. And there is the next vulnerability. The next vulnerability is about the encryption of passwords, SCADA users' passwords in the project database. This decryption module is in our Metasploit module that can harvest a lot of different valuable information from this database.
00:15:11,550 --> 00:16:22,439
And last year we actually weren't that responsible, because we didn't tell a lot about this decryption, about this encryption. But actually, as it was on the slide, if you make an exclusive or of ciphertext plus user plus this encryption key, then you will get the passwords in clear text. Well, yeah, that's it. Actually, most of the SCADA systems follow the trend of using XOR, exclusive or, and it comes in many faces, like they're trying to rotate something, to use some tables as a key, which is more like serious encryption, but still bad. And actually, what else, what are the things that we saw in ICS systems this year: it's a real simple substitution encryption. So guys were storing passwords like we have a simple table of substitution of chars.
00:16:22,440 --> 00:17:32,439
But on the other hand, not everybody is that bad, and sometimes, like in Siemens TIA Portal, we see this thing: this is the project file, and this is like a very good hashing of a SCADA user password. It's not even MD5. And we were like, what the hell? What are we going to do? But the next thing is that they wrote down the password length in the same file, which simplifies the cracking process a lot, actually. Actually, there are two hints. The next hint is some structure that represents the password itself, but somehow hidden by unique bytes. Yeah, it seems like it was here, but now it's overwritten.

So now we're on the SCADA server, and, for example, we are not a privileged user.
00:17:32,440 --> 00:18:42,309
We're like an operator that can control some things, like he can monitor processes, so maybe he can react in some situations, but he has no complete access to the process. So what should we do? We should analyze the WinCC architecture itself. So if we look a little deeper, then much deeper. OK, so we can see that there is a core service on this SCADA server that is working with several internal WinCC protocols like CLB, Alisher says, and so on. And what does this core service do? It's working with components, so this service is managing the communications between different components, and components like IPL, policy and so on. So these components should call some function from the service to register themselves, and this is the function they need to call. And the first argument is very interesting.
00:18:42,310 --> 00:19:47,979
It's called component GUID. So right now, to access any components from an unprivileged user, we should somehow control this component GUID, and what? See if we can send it in our user packet. Yes. Well, sending it in our user packets. And now, like, I don't know how an operator will do it, but somehow, if he has some skills, he can manage to craft the special packets with a special payload to control PLCs from a very low-profile account on the server.

The next vulnerability was presented by two more units of legacy of Black Hat. It's an XXE out-of-band, a very straightforward vulnerability, so you can send to the server a bad XML file, which will trigger the server to request an additional local file, which gives you a process on the server.
00:19:47,980 --> 00:20:58,359
And after this the server will send some information from the file system by HTTP or SMB or another protocol you can manipulate with it. This is a very interesting vulnerability, because a lot of guys have this vulnerability. Even Trustwave, for more security, has this issue, you know, in a product to protect you against zero-day exploits. But when we started to check this vulnerability against the ICS environment, we started thinking how we can apply this vulnerability to ICS. And one of the targets, of course, is the project. You know what a project is in this case? It's a type of development project. So you have a program, you have additional configuration, and typically the configuration is stored in XML files.
00:20:58,360 --> 00:22:17,769
So we decided to research whether a project can be trusted and whether a project can be used to spread malware like a doc file is used at the moment. Unfortunately, a project cannot be trusted, because most of the ICS systems don't have built-in integrity control features. So if somebody can modify a project, the project is used on different SCADA systems and can be used to execute, for instance, any code and to patch the system. So how it can be abused: it's a very trivial task. You can simply patch event handlers. For instance, if you have event handlers on mouse click in your ICS project, when somebody's clicking on the button, I don't know, to launch a rocket, you can patch it and add something like create text file and write your malware here. Of course, you should convert it to ASCII, but this is not a challenge.
00:22:19,240 --> 00:23:52,979
But, you know, sometimes we have a question, of course. But, you know, NERC CIP requires having antivirus on the SCADA network, so you should make your malware invisible for antivirus. It was a joke. But here is the typical setup of antivirus in a SCADA network. As you can see, there are exceptions, and the exceptions include all SCADA stuff: the SCADA installation, the SCADA project path and so on. And, you know, this SCADA system is NERC CIP compliant. Why? Because this is the requirement. So if you work against, if you want to hack, I don't know, an ICS system, sometimes it is very useful to read the documentation.

So now we will talk about vulnerabilities again. Now you can see on the slides.
563 00:23:52,980 --> 00:23:55,169 This is the statistics of 564 00:23:55,170 --> 00:23:57,089 vulnerabilities by SCADA StrangeLove, 565 00:23:57,090 --> 00:23:59,159 by all this people you saw on the second 566 00:23:59,160 --> 00:24:00,089 slide. 567 00:24:00,090 --> 00:24:02,339 And now 568 00:24:02,340 --> 00:24:04,589 we have like more than 569 00:24:04,590 --> 00:24:06,029 one hundred and fifty different 570 00:24:06,030 --> 00:24:07,439 vulnerabilities. 571 00:24:07,440 --> 00:24:09,689 And if 572 00:24:09,690 --> 00:24:11,849 we see this, we see 573 00:24:11,850 --> 00:24:12,809 by type. 574 00:24:12,810 --> 00:24:15,029 You can see that most of them are 575 00:24:15,030 --> 00:24:17,309 easy to use and easy to find cross-site 576 00:24:17,310 --> 00:24:19,529 scripting attacks by. 577 00:24:19,530 --> 00:24:21,809 But next is a remote code 578 00:24:21,810 --> 00:24:22,859 execution. 579 00:24:22,860 --> 00:24:25,889 And that's not your Windows server 580 00:24:25,890 --> 00:24:28,289 like from from this year. 581 00:24:28,290 --> 00:24:30,539 This is old hardware and 582 00:24:30,540 --> 00:24:33,659 software, and this software 583 00:24:33,660 --> 00:24:35,489 does not have a. 584 00:24:35,490 --> 00:24:37,559 Most of the time, most of the 585 00:24:37,560 --> 00:24:39,429 time it does not have 586 00:24:39,430 --> 00:24:40,529 data execution prevention. 587 00:24:40,530 --> 00:24:42,749 So exploitation is very, very 588 00:24:42,750 --> 00:24:43,709 easy. 589 00:24:43,710 --> 00:24:46,049 And you don't 590 00:24:46,050 --> 00:24:48,269 see from this diagram the 591 00:24:48,270 --> 00:24:50,429 whole picture like this 592 00:24:50,430 --> 00:24:52,499 called choices that were made by 593 00:24:52,500 --> 00:24:54,809 different vendors, like 594 00:24:54,810 --> 00:24:57,629 how cool it would be to write your own 595 00:24:57,630 --> 00:24:59,759 server.
And this is the statistics 596 00:24:59,760 --> 00:25:01,560 of appreciation to be server 597 00:25:02,580 --> 00:25:04,679 and maybe to write your 598 00:25:04,680 --> 00:25:06,209 own DNS server. 599 00:25:06,210 --> 00:25:08,129 Also, this is the statistics for, I say, 600 00:25:08,130 --> 00:25:11,429 has been, well, these vulnerabilities. 601 00:25:11,430 --> 00:25:12,389 Well, I don't know. 602 00:25:12,390 --> 00:25:14,759 This software can be fixed because 603 00:25:14,760 --> 00:25:16,979 they will have again vulnerabilities for 604 00:25:16,980 --> 00:25:18,269 20 years. 605 00:25:18,270 --> 00:25:20,429 They're only the only fix 606 00:25:20,430 --> 00:25:22,769 is actually to use some 607 00:25:22,770 --> 00:25:24,719 existing software. 608 00:25:24,720 --> 00:25:26,849 And I think actually it 609 00:25:26,850 --> 00:25:27,850 would be easier. 610 00:25:30,360 --> 00:25:33,209 So why the fixing 611 00:25:33,210 --> 00:25:35,699 is it's so hard process 612 00:25:35,700 --> 00:25:37,409 also, because 613 00:25:38,760 --> 00:25:40,849 as you see, this is WinCC 614 00:25:40,850 --> 00:25:42,240 HMI 615 00:25:44,040 --> 00:25:46,709 software and this is the dates when 616 00:25:46,710 --> 00:25:48,779 different libraries and code was 617 00:25:48,780 --> 00:25:49,739 compiled. 618 00:25:49,740 --> 00:25:51,629 Actually, most of the code was compiled 619 00:25:51,630 --> 00:25:53,279 before the Stuxnet. 620 00:25:53,280 --> 00:25:56,129 So we can see like 621 00:25:56,130 --> 00:25:58,679 how, how, how small 622 00:25:58,680 --> 00:26:00,089 part of things have changed. 623 00:26:03,460 --> 00:26:06,759 So how cold this bugs are found 624 00:26:06,760 --> 00:26:09,429 here is muffin, you just 625 00:26:09,430 --> 00:26:11,529 take some solution, you just drip 626 00:26:11,530 --> 00:26:13,479 it on components like it. 627 00:26:13,480 --> 00:26:15,399 You might be able to see sketches of 628 00:26:15,400 --> 00:26:17,439 several juicy server and so on.
629 00:26:17,440 --> 00:26:20,169 You understand how they communicate, 630 00:26:20,170 --> 00:26:22,059 how they process data, how they store 631 00:26:22,060 --> 00:26:22,989 data. 632 00:26:22,990 --> 00:26:25,209 Then you find a number 633 00:26:25,210 --> 00:26:27,489 of entry points and try to analyze 634 00:26:27,490 --> 00:26:30,099 it with a black box or gray box. 635 00:26:30,100 --> 00:26:32,769 Reverse engineering, so on and so on. 636 00:26:32,770 --> 00:26:33,770 What? 637 00:26:35,000 --> 00:26:37,569 Well, let's assume, for example, 638 00:26:37,570 --> 00:26:39,969 you see well, 639 00:26:39,970 --> 00:26:42,069 when you found like entry points, 640 00:26:42,070 --> 00:26:43,689 you see something like this. 641 00:26:43,690 --> 00:26:46,029 And most of the time when they found 642 00:26:46,030 --> 00:26:48,039 different vulnerabilities, we see these 643 00:26:48,040 --> 00:26:50,319 things, all these things, I bet 644 00:26:50,320 --> 00:26:52,029 they are not actually real 645 00:26:52,030 --> 00:26:53,889 vulnerabilities you can exploit. 646 00:26:53,890 --> 00:26:56,529 But this is like a small signs 647 00:26:56,530 --> 00:26:58,799 that you can somehow control the memory 648 00:26:58,800 --> 00:27:01,299 of the code and so on and so on. 649 00:27:01,300 --> 00:27:04,059 And this is not 650 00:27:04,060 --> 00:27:06,639 the picture from the real world because 651 00:27:06,640 --> 00:27:08,709 the data like receiving 652 00:27:08,710 --> 00:27:11,439 and data processing, they're usually 653 00:27:11,440 --> 00:27:13,389 in different libraries, in different 654 00:27:13,390 --> 00:27:15,220 objects and so on structures. 655 00:27:16,420 --> 00:27:19,359 So looking at this picture, 656 00:27:19,360 --> 00:27:21,189 we thought that we built a small 657 00:27:21,190 --> 00:27:23,859 challenge called friends 658 00:27:23,860 --> 00:27:26,319 modeling abilities with simple 659 00:27:26,320 --> 00:27:27,549 rogue access.
660 00:27:27,550 --> 00:27:29,709 And what we did with the compiled 661 00:27:29,710 --> 00:27:31,839 one of a binary and 662 00:27:31,840 --> 00:27:34,179 grepped it for rest coal. 663 00:27:34,180 --> 00:27:36,429 And we saw something like this. 664 00:27:36,430 --> 00:27:39,069 And then we grepped the same function 665 00:27:39,070 --> 00:27:40,720 for the uses of this 666 00:27:41,800 --> 00:27:42,789 or this variable. 667 00:27:42,790 --> 00:27:45,429 Of course, you can see 668 00:27:45,430 --> 00:27:47,619 that we can see the whole picture like 669 00:27:47,620 --> 00:27:49,149 one of the builds in the sea of geo 670 00:27:49,150 --> 00:27:50,049 geology. 671 00:27:50,050 --> 00:27:52,149 So the assignments we can see, 672 00:27:52,150 --> 00:27:54,669 like other variables, we can see 673 00:27:54,670 --> 00:27:56,539 the calls nearby. 674 00:27:56,540 --> 00:27:57,849 But but we can see this. 675 00:27:59,230 --> 00:28:01,809 Well, as I said, 676 00:28:01,810 --> 00:28:03,909 this wasn't going to 677 00:28:03,910 --> 00:28:06,279 work in the real world 678 00:28:06,280 --> 00:28:09,669 until we actually 679 00:28:09,670 --> 00:28:12,019 took one solution the compiled to 680 00:28:12,020 --> 00:28:14,079 the call code libraries 681 00:28:14,080 --> 00:28:16,299 and so on, and then 682 00:28:16,300 --> 00:28:18,519 work well. We wrote a 683 00:28:18,520 --> 00:28:20,859 script like 50 684 00:28:20,860 --> 00:28:21,860 50 lines 685 00:28:23,290 --> 00:28:25,359 like not not not only to grab 686 00:28:25,360 --> 00:28:27,099 just on the lines, all the data. 687 00:28:27,100 --> 00:28:28,629 And this is one of the example. 688 00:28:28,630 --> 00:28:30,699 So there are a lot of 689 00:28:30,700 --> 00:28:32,769 output like this that 690 00:28:32,770 --> 00:28:34,869 was and surely 691 00:28:34,870 --> 00:28:35,950 these things should be 692 00:28:37,030 --> 00:28:39,399 reviewed by fans and so on.
693 00:28:39,400 --> 00:28:41,619 But the results 694 00:28:43,900 --> 00:28:46,179 verified results were amazing. 695 00:28:46,180 --> 00:28:49,089 We found seven remote code execution 696 00:28:49,090 --> 00:28:51,249 executions and four DoSes 697 00:28:51,250 --> 00:28:53,409 with this cheap script, 698 00:28:53,410 --> 00:28:55,329 not like all those 699 00:28:56,890 --> 00:29:00,219 pricey static analyzers. 700 00:29:00,220 --> 00:29:02,439 Imagine what Leanne Lynskey can 701 00:29:02,440 --> 00:29:03,909 do with this. 702 00:29:03,910 --> 00:29:06,039 So who is 703 00:29:06,040 --> 00:29:06,969 this? 704 00:29:06,970 --> 00:29:08,409 We don't know yet. 705 00:29:08,410 --> 00:29:10,149 Maybe next year. 706 00:29:10,150 --> 00:29:11,150 Well, 707 00:29:12,280 --> 00:29:14,439 let's think about the way 708 00:29:14,440 --> 00:29:16,539 these things can actually 709 00:29:16,540 --> 00:29:18,999 happen, because that's that's 710 00:29:19,000 --> 00:29:20,289 that's very much. 711 00:29:20,290 --> 00:29:23,049 And maybe the programmers, 712 00:29:23,050 --> 00:29:25,239 they don't know about security a lot, 713 00:29:25,240 --> 00:29:27,399 but this is the piece of code 714 00:29:27,400 --> 00:29:28,920 in between those risks. 715 00:29:30,190 --> 00:29:32,169 They're checking the buffer for some 716 00:29:32,170 --> 00:29:34,539 limits and they're printing the string. 717 00:29:34,540 --> 00:29:36,519 That's OK. 718 00:29:36,520 --> 00:29:38,139 Here is the buffer overflow. 719 00:29:38,140 --> 00:29:40,209 But next thing they do is they 720 00:29:40,210 --> 00:29:42,339 allocate the memory and copy the buffer. 721 00:29:54,110 --> 00:29:56,089 And though sometimes internet is a very 722 00:29:56,090 --> 00:29:57,439 dangerous place.
723 00:29:57,440 --> 00:29:59,329 And one day during the Twitter 724 00:29:59,330 --> 00:30:01,549 conversation, we understood that all 725 00:30:01,550 --> 00:30:03,829 things we're doing does 726 00:30:03,830 --> 00:30:04,830 not exist. 727 00:30:05,610 --> 00:30:07,739 Because there are no penetration 728 00:30:07,740 --> 00:30:10,779 testing in, say, this environment. 729 00:30:10,780 --> 00:30:13,479 And so 730 00:30:13,480 --> 00:30:14,369 was very bad. 731 00:30:14,370 --> 00:30:16,619 So we decided to share with 732 00:30:16,620 --> 00:30:19,589 you, mine secret of ICS security 733 00:30:19,590 --> 00:30:20,999 when you go in to 734 00:30:22,530 --> 00:30:23,939 make 735 00:30:23,940 --> 00:30:25,019 ICS pentest. 736 00:30:25,020 --> 00:30:26,280 Please remember 737 00:30:27,390 --> 00:30:29,759 for IT pentest, your goal 738 00:30:29,760 --> 00:30:32,039 is to break stuff; for 739 00:30:32,040 --> 00:30:34,469 ICS pentest, your goal 740 00:30:34,470 --> 00:30:35,670 not to break stuff. 741 00:30:45,760 --> 00:30:47,650 Or you will be fired. 742 00:30:50,410 --> 00:30:52,539 So leave at your 743 00:30:52,540 --> 00:30:54,639 home your favorite zero 744 00:30:54,640 --> 00:30:56,919 to keep your Kali Linux 745 00:30:56,920 --> 00:30:59,079 and take 746 00:30:59,080 --> 00:31:00,519 your camera. 747 00:31:00,520 --> 00:31:03,249 Because in most cases, assessment, 748 00:31:03,250 --> 00:31:05,470 we call with paparazzi style assessment 749 00:31:06,730 --> 00:31:07,730 of you. 750 00:31:09,160 --> 00:31:11,529 And sometimes you even don't touch 751 00:31:11,530 --> 00:31:13,929 keyboard. You ask an operator 752 00:31:13,930 --> 00:31:16,419 to provide information 753 00:31:16,420 --> 00:31:18,939 for you. So you say, OK, guys, let's 754 00:31:18,940 --> 00:31:20,709 let's open registry editor. 755 00:31:20,710 --> 00:31:22,869 Let's find these like these line and so 756 00:31:22,870 --> 00:31:23,949 on.
757 00:31:23,950 --> 00:31:26,679 Especially for production environment. 758 00:31:26,680 --> 00:31:28,749 So how to work in this 759 00:31:28,750 --> 00:31:30,249 situation? 760 00:31:30,250 --> 00:31:32,469 Most important thing is to have 761 00:31:32,470 --> 00:31:33,819 a lab. 762 00:31:33,820 --> 00:31:36,279 If you don't have a lab, 763 00:31:36,280 --> 00:31:38,739 you have you believe 764 00:31:38,740 --> 00:31:40,779 you free your system in real environment 765 00:31:40,780 --> 00:31:43,149 and this will be, you 766 00:31:43,150 --> 00:31:45,249 know, be dangerous. 767 00:31:45,250 --> 00:31:46,250 So 768 00:31:48,010 --> 00:31:50,259 we bring part 769 00:31:50,260 --> 00:31:52,659 of the lab here and tomorrow, 770 00:31:52,660 --> 00:31:54,549 we will have a small workshop, 771 00:31:55,570 --> 00:31:57,519 if you will join. 772 00:31:57,520 --> 00:31:58,869 We will be happier. 773 00:31:58,870 --> 00:32:00,969 And please, sorry 774 00:32:00,970 --> 00:32:03,219 for this promotion, but 775 00:32:03,220 --> 00:32:05,289 if you will join us, please bring in 776 00:32:05,290 --> 00:32:07,569 some network devices like wireless 777 00:32:07,570 --> 00:32:09,849 access point and switches, because 778 00:32:09,850 --> 00:32:11,979 we don't have it here in Germany 779 00:32:11,980 --> 00:32:12,980 too much. 780 00:32:13,870 --> 00:32:15,999 And if one 781 00:32:16,000 --> 00:32:18,399 thing about this is 782 00:32:18,400 --> 00:32:20,359 sometimes when you are doing assessments 783 00:32:20,360 --> 00:32:22,449 with a good cold, it's simple for us. 784 00:32:22,450 --> 00:32:24,579 Style, though show showing 785 00:32:24,580 --> 00:32:26,829 actually operators, for example, how to 786 00:32:26,830 --> 00:32:29,099 escape kiosk mode on their 787 00:32:29,100 --> 00:32:31,419 HMIs so they can access file system, 788 00:32:31,420 --> 00:32:33,489 they can access and so 789 00:32:33,490 --> 00:32:35,229 on.
And actually, 790 00:32:37,930 --> 00:32:40,209 almost all customers have 791 00:32:40,210 --> 00:32:41,499 their own laboratories. 792 00:32:41,500 --> 00:32:43,689 So when your unless 793 00:32:43,690 --> 00:32:45,789 you are doing for the first 794 00:32:45,790 --> 00:32:47,889 party, are doing an IT pentest and then the 795 00:32:47,890 --> 00:32:49,390 scheduling pentest 796 00:32:51,070 --> 00:32:52,119 in the lab. 797 00:32:52,120 --> 00:32:54,219 And then with this paparazzi style, 798 00:32:54,220 --> 00:32:56,799 you can connect all this results 799 00:32:56,800 --> 00:32:59,409 and it's not always celebratory 800 00:32:59,410 --> 00:33:01,959 because things are changing all the time. 801 00:33:01,960 --> 00:33:04,059 And for example, 802 00:33:04,060 --> 00:33:07,029 some parts of this data is just 803 00:33:07,030 --> 00:33:09,129 in the process of integrating with the 804 00:33:09,130 --> 00:33:11,259 call. For example, plans some 805 00:33:11,260 --> 00:33:13,299 parts of the system, like the turbine is 806 00:33:13,300 --> 00:33:15,819 broken and it's on repair. 807 00:33:15,820 --> 00:33:18,399 And sometimes it's, you know, somewhere 808 00:33:18,400 --> 00:33:20,469 and some thermal power plants, you 809 00:33:20,470 --> 00:33:22,809 don't need so much energy and some parts 810 00:33:22,810 --> 00:33:25,419 are turned off. So it's all about 811 00:33:25,420 --> 00:33:28,389 proper methodology and time 812 00:33:28,390 --> 00:33:29,439 and project management. 813 00:33:29,440 --> 00:33:30,440 Sometimes it's 814 00:33:31,600 --> 00:33:33,249 so important. 815 00:33:33,250 --> 00:33:34,250 Part of 816 00:33:35,800 --> 00:33:36,999 ICS security. 817 00:33:37,000 --> 00:33:39,069 It's fixing stuff not to break and 818 00:33:39,070 --> 00:33:41,829 stuff about fixing stuff, and 819 00:33:41,830 --> 00:33:44,379 we want to share our experience.
820 00:33:44,380 --> 00:33:46,629 Here's a typical fix 821 00:33:46,630 --> 00:33:49,059 in timeline in 822 00:33:49,060 --> 00:33:50,940 2010 11. 823 00:33:52,090 --> 00:33:55,149 Somebody put in block 824 00:33:55,150 --> 00:33:57,309 information about zero days 825 00:33:57,310 --> 00:33:59,679 in SCADA 826 00:33:59,680 --> 00:34:01,809 system and in 827 00:34:01,810 --> 00:34:02,829 two thousand 828 00:34:04,270 --> 00:34:06,639 thirteen, it's still 829 00:34:06,640 --> 00:34:08,169 actual information. 830 00:34:08,170 --> 00:34:10,419 So vulnerabilities was 831 00:34:10,420 --> 00:34:12,879 not fixed, and now 832 00:34:12,880 --> 00:34:13,988 available for sale. 833 00:34:13,989 --> 00:34:14,989 I think 834 00:34:16,659 --> 00:34:18,849 one more example of our 835 00:34:18,850 --> 00:34:19,850 experience 836 00:34:21,969 --> 00:34:24,579 we trying to reach one 837 00:34:24,580 --> 00:34:26,769 big shop and the vendor 838 00:34:26,770 --> 00:34:28,569 of SCADA system to fix 839 00:34:28,570 --> 00:34:30,069 vulnerability. 840 00:34:30,070 --> 00:34:31,928 We spend a lot of time without any 841 00:34:31,929 --> 00:34:34,029 response: we call in to the phone, send an 842 00:34:34,030 --> 00:34:36,158 email. No answer. 843 00:34:36,159 --> 00:34:37,539 But thanks for. 844 00:34:37,540 --> 00:34:39,669 As for conference, we met 845 00:34:39,670 --> 00:34:42,249 guys from Japan CERT and ask them to 846 00:34:42,250 --> 00:34:43,169 help us. 847 00:34:43,170 --> 00:34:45,218 Say, OK, connection is established. 848 00:34:45,219 --> 00:34:46,599 Please send information about 849 00:34:46,600 --> 00:34:48,789 vulnerability vitiate 850 00:34:48,790 --> 00:34:50,859 and starting 851 00:34:50,860 --> 00:34:51,939 to wait. 852 00:34:51,940 --> 00:34:54,488 And the one day guys from Japan CERT 853 00:34:54,489 --> 00:34:56,678 say, Guys, everything is 854 00:34:56,679 --> 00:34:57,939 fine. 855 00:34:57,940 --> 00:34:59,409 Customer list completed.
856 00:35:01,150 --> 00:35:02,889 We'll discuss them. Releases why it's so 857 00:35:02,890 --> 00:35:03,890 important. 858 00:35:04,540 --> 00:35:07,059 It's important because guys from 859 00:35:07,060 --> 00:35:09,219 this vendor decide not 860 00:35:09,220 --> 00:35:11,409 to publish information 861 00:35:11,410 --> 00:35:13,569 about weeks, but silently 862 00:35:13,570 --> 00:35:16,239 patch it without any notification. 863 00:35:16,240 --> 00:35:18,459 You know, last time I saw it in 864 00:35:18,460 --> 00:35:20,259 it evoked in the beginning of the 865 00:35:20,260 --> 00:35:22,419 century, but in this first 866 00:35:22,420 --> 00:35:24,039 vote is still come on. 867 00:35:24,040 --> 00:35:26,109 We will silently patch this 868 00:35:26,110 --> 00:35:28,539 vulnerability without any notification. 869 00:35:29,920 --> 00:35:31,629 Its moment we still don't know. 870 00:35:31,630 --> 00:35:32,920 Is it budget honored 871 00:35:35,080 --> 00:35:37,209 and postscript 872 00:35:37,210 --> 00:35:38,210 on? 873 00:35:39,330 --> 00:35:41,309 Last year, we have a question 874 00:35:42,750 --> 00:35:43,750 about SCADA, the. 875 00:36:04,890 --> 00:36:07,049 So even more bras go to 876 00:36:07,050 --> 00:36:09,249 the cloud and the 877 00:36:09,250 --> 00:36:11,649 positive crowd, you can easily find 878 00:36:11,650 --> 00:36:13,859 it in the internet if 879 00:36:13,860 --> 00:36:16,139 you need it sometimes feels 880 00:36:16,140 --> 00:36:17,309 more difficult. 881 00:36:17,310 --> 00:36:20,099 For instance, SCADA that 882 00:36:20,100 --> 00:36:22,169 is in a cloud can mean a 883 00:36:22,170 --> 00:36:24,869 deep connection to a virtual machine 884 00:36:24,870 --> 00:36:27,749 when you can monitor 885 00:36:27,750 --> 00:36:28,750 your system. 886 00:36:29,820 --> 00:36:32,999 We try to check it how it swarms 887 00:36:33,000 --> 00:36:34,719 and find. 888 00:36:36,460 --> 00:36:37,639 I guess for you. 889 00:36:37,640 --> 00:36:38,649 Yes, I guess.
890 00:36:38,650 --> 00:36:40,179 Or maybe oil. 891 00:36:40,180 --> 00:36:42,489 I think everybody should have his 892 00:36:42,490 --> 00:36:44,379 own gas will. 893 00:36:44,380 --> 00:36:46,869 But the problem with 894 00:36:46,870 --> 00:36:49,059 its glyphosate, 895 00:36:49,060 --> 00:36:50,319 with kiosk mode. 896 00:36:50,320 --> 00:36:52,869 But you can escape from the kiosk 897 00:36:52,870 --> 00:36:54,669 and connect to 898 00:36:56,260 --> 00:36:57,879 guests view of our guy. 899 00:36:57,880 --> 00:36:59,469 So I don't know how to manage it. 900 00:37:00,790 --> 00:37:03,099 So SCADA in the cloud is maybe 901 00:37:03,100 --> 00:37:05,559 a good thing, but 902 00:37:05,560 --> 00:37:07,659 still it's have a lot of 903 00:37:07,660 --> 00:37:09,069 vulnerabilities. 904 00:37:09,070 --> 00:37:10,599 And of course, funny stuff. 905 00:37:10,600 --> 00:37:12,699 We fix him when we say, 906 00:37:12,700 --> 00:37:14,830 Guys, you have a problem with your 907 00:37:16,300 --> 00:37:17,889 cloud installation. 908 00:37:17,890 --> 00:37:19,959 Somebody can escape kiosk mode and 909 00:37:19,960 --> 00:37:21,099 do bad things. 910 00:37:21,100 --> 00:37:22,209 We'll say, OK, yes, 911 00:37:23,800 --> 00:37:25,989 he can, but just don't do 912 00:37:25,990 --> 00:37:27,999 it in your environment. 913 00:37:28,000 --> 00:37:29,469 We view not. 914 00:37:29,470 --> 00:37:31,479 But somebody who knows. 915 00:37:31,480 --> 00:37:33,549 Also, this is his writing that this is 916 00:37:33,550 --> 00:37:36,009 a virtual machine, but their internal 917 00:37:36,010 --> 00:37:38,589 network interface with local IP addresses 918 00:37:38,590 --> 00:37:40,959 and so on. So we can develop and attack 919 00:37:40,960 --> 00:37:41,529 model? 920 00:37:41,530 --> 00:37:42,530 Not. No. 921 00:37:45,040 --> 00:37:47,229 So thank you and questions, 922 00:37:47,230 --> 00:37:48,230 please.
923 00:37:55,840 --> 00:37:57,759 So, yes, for the questions, I would like 924 00:37:57,760 --> 00:37:59,859 to ask you to keep your questions 925 00:37:59,860 --> 00:38:01,959 short to actually ask questions. If 926 00:38:01,960 --> 00:38:03,279 you'd like to comment on something, 927 00:38:03,280 --> 00:38:04,329 send them an email. 928 00:38:04,330 --> 00:38:05,679 If you'd like to give them advice, 929 00:38:05,680 --> 00:38:08,079 send them an email too, and questions 930 00:38:08,080 --> 00:38:09,729 can come now. Signal Angel. 931 00:38:09,730 --> 00:38:11,979 Do we have questions from the internet? 932 00:38:11,980 --> 00:38:14,139 Yes, we have one question. 933 00:38:14,140 --> 00:38:15,429 Have you seen? 934 00:38:15,430 --> 00:38:17,739 Have you seen anything like a proxy 935 00:38:17,740 --> 00:38:20,409 or translator between IEC 936 00:38:20,410 --> 00:38:22,479 101 and 104 937 00:38:22,480 --> 00:38:23,500 open on the internet? 938 00:38:25,150 --> 00:38:27,369 Because that would be 939 00:38:27,370 --> 00:38:29,829 in the legacy systems. 940 00:38:29,830 --> 00:38:31,689 Please repeat the question and hold your 941 00:38:31,690 --> 00:38:32,800 mic steady at your mouth. 942 00:38:34,000 --> 00:38:36,489 Have you seen anything like a proxy 943 00:38:36,490 --> 00:38:38,559 or translator between 944 00:38:38,560 --> 00:38:41,019 IEC 101 and 945 00:38:41,020 --> 00:38:43,329 104 open to the internet? 946 00:38:47,050 --> 00:38:48,050 Like? 947 00:38:49,690 --> 00:38:50,690 I see it. 948 00:38:52,770 --> 00:38:54,959 Like this, like 949 00:38:54,960 --> 00:38:57,419 here is IEC 104. 950 00:38:57,420 --> 00:38:59,969 We actually don't have any 951 00:38:59,970 --> 00:39:02,159 complete information about 952 00:39:02,160 --> 00:39:04,049 what's behind this, so we're just 953 00:39:04,050 --> 00:39:06,029 fingerprinting these things. 954 00:39:06,030 --> 00:39:08,459 We can't differentiate 955 00:39:08,460 --> 00:39:10,799 things like it's a proxy gateway.
956 00:39:10,800 --> 00:39:12,840 It's actually RTU or so on. 957 00:39:15,900 --> 00:39:16,979 Thank you. 958 00:39:16,980 --> 00:39:19,619 Microphone one, please ask the question. 959 00:39:19,620 --> 00:39:20,789 How much of the stuff 960 00:39:20,790 --> 00:39:23,069 is which is visible on the internet, 961 00:39:23,070 --> 00:39:25,409 is some testing research 962 00:39:25,410 --> 00:39:27,629 or a honeypot stuff and how much 963 00:39:27,630 --> 00:39:29,039 of it is actual? 964 00:39:29,040 --> 00:39:30,719 I see some wrinkles with some of the 965 00:39:30,720 --> 00:39:31,769 Google dorks. 966 00:39:31,770 --> 00:39:33,539 There was stuff that just didn't look 967 00:39:33,540 --> 00:39:35,699 right. So can 968 00:39:35,700 --> 00:39:37,979 you estimate how much of them are 969 00:39:37,980 --> 00:39:39,809 just honeypots or research networks and 970 00:39:39,810 --> 00:39:42,359 how many of them are real stuff? 971 00:39:42,360 --> 00:39:44,819 Well, we will be really thankful 972 00:39:44,820 --> 00:39:47,339 for the feedback about the dorks. 973 00:39:47,340 --> 00:39:49,619 But we like this 974 00:39:49,620 --> 00:39:51,299 like an open project, we can 975 00:39:51,300 --> 00:39:53,549 differentiate, as I said, about 976 00:39:53,550 --> 00:39:55,649 the things that's behind those IP 977 00:39:55,650 --> 00:39:57,869 addresses and debate behind the banner. 978 00:39:57,870 --> 00:40:00,179 So if you somehow managed to understand 979 00:40:00,180 --> 00:40:02,159 this and tell us that this is a false 980 00:40:02,160 --> 00:40:04,259 positive, we will delete this 981 00:40:04,260 --> 00:40:06,359 dork, delete this IP address and so 982 00:40:06,360 --> 00:40:06,899 on. 983 00:40:06,900 --> 00:40:07,979 No, no. The dorks are OK. 984 00:40:07,980 --> 00:40:09,959 It's just it looks weird. 985 00:40:09,960 --> 00:40:11,399 The stuff looks weird sometimes. 986 00:40:11,400 --> 00:40:13,489 Yeah, for sure.
But hey, 987 00:40:13,490 --> 00:40:14,639 you know, I am not sure. 988 00:40:14,640 --> 00:40:16,719 But at 989 00:40:16,720 --> 00:40:19,119 the moment, very a lot of I can 990 00:40:19,120 --> 00:40:22,229 import maybe one thousand. 991 00:40:22,230 --> 00:40:24,329 But for these numbers, 992 00:40:24,330 --> 00:40:26,789 it's a very small, 993 00:40:26,790 --> 00:40:29,399 very little percent of false positives. 994 00:40:29,400 --> 00:40:30,329 OK, thanks. 995 00:40:30,330 --> 00:40:31,559 Thank you. Thank you. 996 00:40:31,560 --> 00:40:33,059 Microphone number two, please ask the 997 00:40:33,060 --> 00:40:34,199 question. Hello. 998 00:40:34,200 --> 00:40:36,449 I would like to know the systems 999 00:40:36,450 --> 00:40:38,099 you see on the internet. It's just like 1000 00:40:38,100 --> 00:40:38,999 monitoring stuff. 1001 00:40:39,000 --> 00:40:41,249 What can you do, for instance, control 1002 00:40:41,250 --> 00:40:42,359 atomic reactors? 1003 00:40:42,360 --> 00:40:43,799 Can you shed some light on that, how deep 1004 00:40:43,800 --> 00:40:45,419 the control goes that you can achieve 1005 00:40:45,420 --> 00:40:46,420 over these things? 1006 00:40:55,640 --> 00:40:57,139 Do you think we should put an honest 1007 00:40:57,140 --> 00:40:59,029 answer to that life on stage here or what 1008 00:40:59,030 --> 00:41:01,609 you like to ask that question again in 1009 00:41:01,610 --> 00:41:03,019 private later on? 1010 00:41:03,020 --> 00:41:05,269 Yeah, actually it would be better 1011 00:41:05,270 --> 00:41:06,270 if thank you then. 1012 00:41:08,530 --> 00:41:09,910 Are there any more questions? 1013 00:41:14,510 --> 00:41:16,249 Signal, Angel, do we have any more 1014 00:41:16,250 --> 00:41:17,510 questions from the internet? 1015 00:41:20,090 --> 00:41:21,619 They don't want to know anything. 1016 00:41:21,620 --> 00:41:23,809 So thank you for being 1017 00:41:23,810 --> 00:41:25,759 here. Thank you. 
So guys, thank you for 1018 00:41:25,760 --> 00:41:27,679 that astonishing great talk.