Transcript of “We are not winning. I do not think we are winning…” (Understanding the Threats: Tutorial on the Cybersecurity of Safety-Critical Systems)
“We are not winning. I do not think we are winning
globally, and I think this nature of crime is rising
exponentially”.
Commissioner Leppard, City of London Police (2014)
Understanding the Threats
Tutorial on the Cybersecurity of Safety-Critical Systems
Prof. Chris Johnson,
School of Computing Science, University of Glasgow, Scotland.
http://www.dcs.gla.ac.uk/~johnson
Schedule
First Briefing
Understanding the Threats
Detailed patterns of attack.
Second Briefing
What can be done?
Protection, forensics and recovery.
Third Briefing
More detailed case studies…
Securing space-based assets.
Sanity Check…
• This is only an initial overview…
Previously…
Consultant with ANSPs in Austria, Belgium, China, Croatia,
Cyprus, Denmark, Estonia, Germany, Hungary, Ireland, Israel,
Luxembourg, Malta, Norway, Portugal, Slovakia, Slovenia,
Spain, Switzerland, Turkey, UK etc.
SESAR, EASA and the Future of Aviation?
Cybersecurity Expert for UN CBRN Inspectors
Cybersecurity Consultant to EDF
Cybersecurity Consultant to SESAR JU
Overview
• Nature of the Threats:
– Insider attacks;
– Crowdsourcing and Hacktivism;
– Social Attacks and Spear Phishing;
– Certification attacks; Configuration Attacks;
– Command and Control Servers,
– Stuxnet; Sniffers…
• Next: What Can We Do?
Aim is to Provoke Discussion...
• Recent trends in ATM Engineering.
• Increasing complexity in software networks:
– Leads to more complex failure modes.
• Increasing use of COTS products:
– Leads to new security threats.
• Increasing use of sub-contractors.
Copyright C.W. Johnson, 2014
The Future: SESAR Delivery Manager
Is SESAR A Threat to Cybersecurity?
Aging, Complex Critical Infrastructures...
http://www.iaa.ie/files/2008/news/docs/20080919020223_ATM_Report_Final.pdf
The Real Impact
• "The problem here is that you have an autonomous semi-state monopoly which doesn't care about its customers or the disruption to passengers."
• "Send the buggers to Shannon, if it was a commercial company they would have done so."
• "They're not on top of the job. We're talking about 25 arrivals and departures per hour. The air traffic controllers should be capable of handling this volume of flights."
Michael O'Leary, CEO Ryanair
http://www.herald.ie/news/oleary-more-disruption-if-iaa-doesnt-clean-up-act-1431408.html
Need ATM Engineering Incident Exchange
• Fault stems from Salt Lake City:
– hardware fault on router circuit board;
– Network interface affects comms with Atlanta;
– Network owned/operated by Harris Corp...
– “We are working with the FAA to diagnose problem
and explain the failure of backup systems...”
• Sen. Charles Schumer:
“The country’s aviation system is in shambles, the FAA needs to upgrade the system, these technical glitches that cause cascading chaos are too regular an occurrence...”
NextGen: En Route Automation Modernization
• $2.1 Billion upgrade.
• Faults lead to ‘missing’ flight plans;
– Other aircraft change identity in flight;
– Again cannot transfer flight data to Atlanta etc.;
– Undermines ATCO confidence in the system;
– ‘Fallback’ is the original 20-year-old IBM system;
– IBM contract expired; written in JOVIAL, a rarely used language.
• Test deployment to Salt Lake City:
– FAA spent $14 million, still not working;
– Salt Lake City is simple compared to Chicago...
Testing can prove the presence of errors, but not their absence.
Edsger W. Dijkstra (1930-2002)
Keylogger: Predator and Reaper GCS, Creech Air Force Base (2011)
Aim is to Provoke Discussion...
• Common software components into ATM:
– networks, Linux, VOIP, SBAS...
• Safety concerns everywhere:
– Huge problems of competence – incl regulators;
– Many conflicts between safety and security;
– Inconsistent, inapplicable rules (lack of HF input);
– Consistent, known violation of policies.
Paranoia?
• Many policies only exist on paper.
• Huge problem with complacency.
• “FAA ineffective in all critical areas including
operational systems information security,
future systems modernization security,
management structure, policy
implementation”.
US Government Accountability Office (GAO)
DoT Review of FAA CyberSecurity
DoT "unless effective action is taken quickly, it
is likely to be a matter of when, not if, ATC
systems encounter attacks that do serious
harm to ATC operations."
“Attackers can take advantage of software
vulnerabilities in commercial IP products to
exploit ATC systems, which is especially
worrisome at a time when the Nation is facing
increased threats from sophisticated nation-
state-sponsored cyber attacks"
Conflict Between Security and Safety
• Existing safety standards, e.g. ED-153:
– Focus on verification and validation;
– In proportion to SWAL (software assurance level)/criticality.
• Anti-virus systems violate ED-153:
– Updated every 24-48 hours;
– Could themselves bring down an ACC;
– Cannot test anti-virus definitions without increasing security exposure.
• Do you want safety or security?
– Can have both, e.g. the banking approach.
Vulnerabilities
• ‘Mass market’ viruses.
• You cannot disconnect the Internet.
– Virtual channels from USB sticks.
• Contractors violate security policies:
– My students take the systems to pieces…
• SESAR and NextGen scare me:
– Increasing traffic loads / systems integration.
The Insider Threat (1): Malicious
• SCADA sewage system (NIST case study of the Maroochy Shire attack, Queensland, 2000):
– 46 radio commands released 800,000 litres of raw sewage.
• Arrested with a PC and a Motorola M120 radio:
– Serial numbers matched equipment ordered by the company;
– PDS Compact 500 computer control device;
– Mimicked a pumping station to test his commands.
• Sub-contractor who disguised his attacks…
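The Maroochy attack worked because the radio link accepted any frame in the right format. The following is an added example (not from the deck) of the countermeasure a control engineer would want: each command carries a monotonically increasing counter and an HMAC tag under a per-station key. The message layout, station name "PS-17", the key and the command names are all assumptions. A radio that only mimics the format cannot produce a valid tag, and the counter rejects replays of captured frames.

```python
"""Authenticated command channel for a radio-linked pumping station.

Added example, not from the original deck. It assumes a hypothetical
message format (station id, counter, command) and a per-station secret
shared only between the control centre and the field RTU.
"""
import hashlib
import hmac

# Hypothetical per-station key, provisioned out of band (assumption).
STATION_KEY = b"per-station-secret-provisioned-out-of-band"


def _tag(key: bytes, station: str, counter: int, command: str) -> str:
    """HMAC-SHA256 over every field that must not be forged or reordered."""
    msg = f"{station}|{counter}|{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_command(key: bytes, station: str, counter: int, command: str) -> dict:
    """Control-centre side: attach a tag to an outgoing command."""
    return {"station": station, "counter": counter, "command": command,
            "tag": _tag(key, station, counter, command)}


class FieldStation:
    """RTU side: accept a command only if it is addressed to this station,
    the tag verifies, and the counter is newer than the last accepted one."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.last_counter = 0
        self.log = []  # (verdict, reason_or_command, counter)

    def receive(self, msg: dict) -> bool:
        if msg["station"] != self.name:
            self.log.append(("reject", "wrong station", msg["counter"]))
            return False
        expected = _tag(self.key, msg["station"], msg["counter"], msg["command"])
        if not hmac.compare_digest(expected, msg["tag"]):
            self.log.append(("reject", "bad tag", msg["counter"]))
            return False
        if msg["counter"] <= self.last_counter:
            self.log.append(("reject", "replay", msg["counter"]))
            return False
        self.last_counter = msg["counter"]
        self.log.append(("accept", msg["command"], msg["counter"]))
        return True


def demo() -> dict:
    """Run the cases a Maroochy-style attacker with the right radio presents."""
    station = FieldStation("PS-17", STATION_KEY)
    legit = build_command(STATION_KEY, "PS-17", 1, "PUMP_STOP")
    results = {"legit": station.receive(legit)}
    # Same radio, same message format, no key: the tag cannot be computed.
    forged = dict(legit, counter=2, command="VALVE_OPEN", tag="00" * 32)
    results["forged"] = station.receive(forged)
    # Captured legitimate frame with the command field edited in place.
    tampered = dict(legit, command="PUMP_START")
    results["tampered"] = station.receive(tampered)
    # Captured legitimate frame re-sent unchanged some time later.
    results["replay"] = station.receive(legit)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:9s} -> {'accepted' if accepted else 'rejected'}")
```

The counter also gives the operator an audit trail: a burst of "bad tag" rejections logged at a station is exactly the signal that was missing when the attacker spent weeks testing commands against the real network.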
Insider Threat (2): Righteous?
Insider Threat (3): Negligent
• Negligent violations (e.g. passwords):
– They were told GOOD rules but ignored them;
– Lack of audit or regular training;
– Management implicit support?
• Justified(?) violations:
– They were told BAD rules and had to ignore them;
– Rules couldn’t be applied (no software etc);
– Rules applicable but threaten profit/safety etc…
• Routine vs exceptional violations.
Some Recent Attacks
• Never underestimate the power of evil.
– Chinese hospital in Shenzhen:
– Insiders leave a backdoor;
– Remote access to electronic patient records.
• How much harm can this do?
• European General Data Protection Regulation:
– Fines of up to 2% of global annual turnover; breach notification within 24 hours;
– Expected to come into force this year (replaces Directive 95/46/EC).
Some Recent Attacks
• Extortion attack.
• Sub-contractor:
– Lack of background checks;
– Corrupted the backups (not secured);
– Waited 4 months, then deleted the primary copy.
• Bank was asked for €2.5 million.
Some Recent Attacks….
• ANSP labels on 13 switches from eBay:
– Flash memory for configuration data;
– Not erased prior to sale;
– ANSP have external disposal contract but…
• Used by sub-contractor at ACC:
– Supervisor login for VLAN;
– Upstream switch addresses/configs;
– VTP trunk info and password;
– SNMP community strings…
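What an attacker recovers from an un-erased switch is exactly what the slide lists, and most of it is in the clear or only obfuscated. The following is an added example, not from the deck: it scans a constructed IOS-style configuration (hostnames, addresses and secrets are made up) for SNMP community strings, the VTP password and type-7 passwords, and reverses type-7 using Cisco's fixed, publicly documented obfuscation key.

```python
"""Harvest secrets from an IOS-style switch configuration.

Added example, not from the deck. The configuration text is constructed
to resemble what the slide describes; the type-7 reversal is the standard
Cisco scheme (obfuscation, not encryption).
"""
import re

# Fixed key used by Cisco's type-7 obfuscation.
_TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample; hostnames, addresses and secrets are made up.
SAMPLE_CONFIG = """\
hostname acc-access-sw03
enable secret 5 $1$abcd$0123456789abcdefghijk/
username supervisor privilege 15 password 7 094F471A1A0A
vtp domain acc-core
vtp mode client
vtp password Tr4nkS3cret
snmp-server community public RO
snmp-server community acc-rw-2013 RW
interface GigabitEthernet0/1
 description uplink to acc-core-sw01 10.20.0.1
 switchport mode trunk
line vty 0 4
 password 7 094F471A1A0A
 login
"""


def decode_type7(blob: str) -> str:
    """Reverse type-7: two-digit seed, then hex byte pairs each XORed with
    the key character at (seed + position)."""
    seed = int(blob[:2])
    chars = []
    for pos, i in enumerate(range(2, len(blob), 2)):
        byte = int(blob[i:i + 2], 16)
        chars.append(chr(byte ^ ord(_TYPE7_KEY[(seed + pos) % len(_TYPE7_KEY)])))
    return "".join(chars)


def find_secrets(config: str) -> list:
    """Return one finding per configuration line that exposes a credential."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = re.match(r"^snmp-server community (\S+)(?: (RO|RW))?", line)
        if m:
            findings.append({"line": lineno, "kind": "snmp-community",
                             "value": m.group(1), "access": m.group(2) or "RO"})
            continue
        m = re.match(r"^vtp password (\S+)", line)
        if m:
            findings.append({"line": lineno, "kind": "vtp-password", "value": m.group(1)})
            continue
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)", line)
        if m:
            findings.append({"line": lineno, "kind": "type7-password",
                             "value": decode_type7(m.group(1)), "context": line})
            continue
        m = re.search(r"\bsecret 5 (\S+)", line)
        if m:
            # MD5-crypt hash: not reversible here, but crackable offline.
            findings.append({"line": lineno, "kind": "md5-hash",
                             "value": m.group(1), "context": line})
    return findings


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_CONFIG):
        print(f"line {f['line']:2d} {f['kind']:15s} {f['value']}")
```

Run against a real decommissioned device the same script doubles as a disposal check: if it returns anything, the flash was not erased and the external disposal contract has not been honoured.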
Some Recent Attacks…
• Regulator receives airprox radar data.
• ANSP and regulator use the same replay player.
• ANSP ROM contains Conficker.
• Regulator warns ANSP:
– They claim the player is obsolete anyway…
– ‘No further investigation’ at this time?
Estonia, April-May 2007
• June 1940, Soviets annex Estonia.
• After independence:
– Ethnic Russians lose Estonian citizenship;
– Dispute over moves to relocate the Bronze Soldier of Tallinn;
– Riots kill one and injure more than 150 people.
• Two-phase attack:
– Emotional ‘crowdsourcing’ (downloadable attack scripts);
– Focused attacks using criminal infrastructures (botnets).
Estonia and Paranoia?
Chatham House report:
“The severity of the attacks on one of
NATO’s most electronically connected
members put the alliance on guard.
If a highly wired small state could be
brought to its knees then what type of
havoc could be wrought upon larger states
with more heterogeneous systems and
critical infrastructure open to attack?”
Estonia, April-May 2007
• DDoS on e-banking:
– Hansapank’s online bank down for 2 hours on 9-10 May;
– Eesti Ühispank’s online bank down for 3 hours on 15 May.
• US Computer Emergency Readiness Team:
– A ‘watershed’ attack, but not revolutionary.
Georgia, August 2008
• Armed conflict between Georgia & Russia:
– 1922 North Ossetia in Russia, South in Georgia;
– 1990 S. Ossetia gains de facto independence..
• Cyber-attacks prior to armed conflict:
– ICMP floods/HTTP ‘GET’ requests in July.
• But Georgian infrastructure vulnerable:
– half of 13 interconnections through Russia;
– Only 5 ISPs, 75% use Caucasus Network Tbilisi;
– Prior to war, began building link via Bulgaria…
Georgia, August 2008
• Attacks lasted from 2 hours up to 6 hours:
– HTTP-based botnet (a sign of Russian bot herders).
• 5-stage crowdsourcing similar to Estonia:
1. Encouragement to get involved in the cyber war;
2. Publishing a target list of Georgian government websites which have been tested for access;
3. Selecting the type of malware to use against each target website;
4. Launching the attack and, optionally,
5. Evaluating the results and iterating the previous stages.
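Both the Estonian e-banking outages and the Georgian campaign were HTTP floods, and the crowdsourced phase leaves a different footprint from the botnet phase: a published target list produces many distinct sources on one path, while a bot or script produces a very high request rate from each source. The following is an added example, not from the deck, that runs both checks over constructed Common Log Format lines (documentation address ranges, a 2008 timestamp); the thresholds, the log format and the assumption that lines arrive in time order are mine.

```python
"""Flag GET-flood sources and crowd-targeted paths in access logs.

Added example, not from the deck. Log lines are constructed in Common Log
Format; input is assumed to be in time order, as a single server's log is.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (?:\d+|-)')


def parse_line(line: str):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "t": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}


def find_flood_sources(lines, window_s: int = 10, threshold: int = 50) -> dict:
    """Sliding window per source: any source whose GET count inside a
    window_s-second window exceeds threshold is returned with its peak."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        q = recent[rec["ip"]]
        q.append(rec["t"])
        while (rec["t"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def distinct_sources_per_path(lines) -> dict:
    """Crowdsourced attacks show up as many distinct sources on one path."""
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            sources[rec["path"]].add(rec["ip"])
    return {path: len(ips) for path, ips in sources.items()}


def make_sample_log() -> list:
    """Constructed: three ordinary visitors, one flooding host, and thirty
    'volunteer' hosts each hitting the published target once."""
    base = datetime(2008, 8, 9, 12, 0, 0, tzinfo=timezone.utc)
    entries = []

    def add(ip, t, path):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        entries.append((t, f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'))

    for n, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        for k in range(5):
            add(ip, base + timedelta(seconds=2 * k + n), "/news")
    for k in range(120):                      # 120 requests inside 6 seconds
        add("203.0.113.77", base + timedelta(milliseconds=50 * k), "/")
    for k in range(30):                       # one request each, same target
        add(f"198.51.100.{k + 1}", base + timedelta(seconds=k % 8), "/parliament")
    entries.sort(key=lambda e: e[0])
    return [line for _, line in entries]


if __name__ == "__main__":
    log = make_sample_log()
    print("flood sources:", find_flood_sources(log))
    print("distinct sources per path:", distinct_sources_per_path(log))
```

The per-source window catches the scripted phase; the distinct-source count catches the published target list even when every participant stays under the rate threshold, which is why the two checks are kept separate.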
“Go But You Will Never Work Here Again…”
China, GhostNet and Shadow, March 2009
• Active defence and the attribution problem…
– No definitive proof of Chinese state involvement.
• Use of social media and Gmail:
– Use of the Tor anonymity network…
• Infection of the Dalai Lama’s office:
– Tailor the email so the recipient opens the attachment;
– Trojan horse dropped onto the victim’s machine;
– Information forwarded to control servers;
– Use a genuine document taken from a compromised machine as the lure?
W32.STUXNET, March 2010
• W32.Stuxnet multi-component malware:
– Attacks Programmable Logic Controllers (PLCs).
• Stuxnet used up to 4 zero-day exploits:
– ATM very vulnerable to this…
– Unusual range of languages (C/C++): a team?
– Signed with two code-signing certificates stolen from legitimate Taiwanese companies…
• Command & control servers identified:
– Located in Malaysia and Denmark;
– 155 countries, 40,000 IP addresses.
W32.STUXNET, March 2010
• Monitors the frequency of attached frequency-converter drives:
– Attacks systems operating at 807-1210 Hz.
• Triggers a state machine to hide the ‘sabotage’:
1. Wait 13 days;
2. Set maximum frequency to 1410 Hz;
3. Wait 27 days;
4. Set maximum frequency to 2 Hz;
5. Set maximum frequency to 1064 Hz;
6. Go to 1.
• Comparison with Dublin Airport.
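The state machine above only hides the sabotage because the operator screen is fed from the same compromised PLC: the payload records normal values during the first phase and replays them afterwards. The following is an added example, not from the deck, that simulates the slide's sequence at one-day resolution and shows why a reading that does not pass through the PLC is what catches it. The 1064 Hz steady state, the one-day dwell at 2 Hz and the separately wired sensor are modelling assumptions.

```python
"""Stuxnet-style sabotage state machine versus an out-of-band monitor.

Added example, not from the deck. Models the slide's sequence (13 days
normal, 1410 Hz, 27 days, 2 Hz, back to 1064 Hz) day by day; the one-day
dwell at 2 Hz and the 1064 Hz normal speed are assumptions.
"""

NOMINAL_BAND = (807, 1210)     # Hz: operating range the payload selected for
NORMAL_HZ = 1064               # assumed steady-state speed inside the band
PHASES = [(13, NORMAL_HZ),     # (days, commanded maximum frequency in Hz)
          (27, 1410),
          (1, 2)]              # assumption: a one-day dwell at 2 Hz
CYCLE_DAYS = sum(days for days, _ in PHASES)


def commanded_frequency(day: int) -> int:
    """What the compromised PLC actually drives on a given day."""
    d = day % CYCLE_DAYS
    for days, hz in PHASES:
        if d < days:
            return hz
        d -= days
    raise AssertionError("unreachable: phases cover the whole cycle")


def hmi_reading(day: int) -> int:
    """What the operator screen shows: live values during the recording
    phase, then a replay of recorded normal values forever after."""
    return commanded_frequency(day) if day < PHASES[0][0] else NORMAL_HZ


def in_band(hz: int) -> bool:
    return NOMINAL_BAND[0] <= hz <= NOMINAL_BAND[1]


def audit(n_days: int, independent_reading=commanded_frequency) -> list:
    """Compare the HMI value with a reading that bypasses the PLC (assumed:
    a separately wired sensor). Flag days where the HMI says 'normal' but
    the independent reading is outside the band."""
    alerts = []
    for day in range(n_days):
        hmi, actual = hmi_reading(day), independent_reading(day)
        if in_band(hmi) and not in_band(actual):
            alerts.append((day, hmi, actual))
    return alerts


def first_detection_day(n_days: int):
    """Day of the first alert, or None if the audit window is too short."""
    alerts = audit(n_days)
    return alerts[0][0] if alerts else None


if __name__ == "__main__":
    for day, hmi, actual in audit(2 * CYCLE_DAYS)[:3]:
        print(f"day {day:3d}: HMI shows {hmi} Hz, drive actually at {actual} Hz")
    print("first detection on day", first_detection_day(2 * CYCLE_DAYS))
```

Passing `hmi_reading` itself as the independent source produces no alerts at all, which is the situation the operators in Natanz were in: a monitor that trusts the PLC's own telemetry cannot see a replay attack.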
W32.STUXNET, March 2010
• Symantec:
– Would need 5-30 people for 6 months;
– Elite hacktivist group? State lab or agency?
– Social networking with state encouragement?
• But STUXNET didn’t work…
– Around 900 centrifuges damaged;
– Replaced in months, not years.
• Iranian Technology Council worried:
– New anti-virus software was also infected…
W32.Duqu
• Written by the same ‘team’ as STUXNET?
– Or by a team with access to the source code.
• Remote Access Trojan (RAT):
– Targets industrial infrastructure and manufacturers;
– Aimed at the same industrial ecosystem (Siemens Step 7) that Stuxnet attacked;
– Intelligence gathering for attacks on third parties.
• Delivered as an emailed Word document exploiting a kernel 0-day:
– Contains an installer and uses process injection.
W32.Duqu: C&C Breaking Firewalls
(Diagram: command-and-control traffic relayed from the Corporate Network into the Operational Network.)
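Duqu crossed the corporate/operational boundary without any firewall rule being broken: an infected host that could not reach the Internet forwarded its C&C traffic over SMB to an infected corporate host that could. The following is an added example, not from the deck, of the detection logic that pattern invites, run over constructed flow records; the network ranges (10.50.0.0/16 operational, 10.10.0.0/16 corporate) and the addresses are assumptions.

```python
"""Spot a corporate host acting as a C&C relay for the operational network.

Added example, not from the deck. Flow records and network ranges are
constructed. The pattern is the one the slide's diagram implies: an
operational host talks SMB to a corporate host, and that same corporate
host talks to an external address, so C&C crosses the firewall in two hops.
"""
import ipaddress
from collections import defaultdict

OPS_NET = ipaddress.ip_network("10.50.0.0/16")    # assumed operational range
CORP_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed corporate range
SMB_PORT = 445

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.50.3.21", "10.10.7.40", 445),    # ops HMI -> corporate workstation, SMB
    ("10.10.7.40", "198.51.100.9", 443),  # that workstation -> external host
    ("10.10.7.40", "10.10.1.5", 445),     # workstation -> internal file server
    ("10.10.2.15", "198.51.100.9", 443),  # another corporate host browsing
    ("10.50.3.22", "10.50.1.1", 502),     # ops-internal Modbus traffic
    ("10.10.1.5", "10.50.3.21", 445),     # file server -> ops host (not a relay sign)
]


def _is_external(addr) -> bool:
    """External means outside both managed ranges; documentation addresses
    such as 198.51.100.0/24 are not 'global' to the ipaddress module, so
    the test is written against our own ranges instead."""
    return addr not in OPS_NET and addr not in CORP_NET


def find_relay_candidates(flows) -> dict:
    """Corporate hosts that both accept SMB from the operational network and
    originate connections to external addresses."""
    smb_from_ops = defaultdict(set)
    external_peers = defaultdict(set)
    for src, dst, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in OPS_NET and d in CORP_NET and dport == SMB_PORT:
            smb_from_ops[dst].add(src)
        if s in CORP_NET and _is_external(d):
            external_peers[src].add(dst)
    return {host: {"ops_peers": sorted(smb_from_ops[host]),
                   "external": sorted(external_peers[host])}
            for host in smb_from_ops if host in external_peers}


if __name__ == "__main__":
    for host, detail in find_relay_candidates(FLOWS).items():
        print(host, "relays for", detail["ops_peers"], "to", detail["external"])
```

Neither flow is suspicious on its own, which is why a rule on either side of the firewall misses it; the join across the two directions is the detection.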
W32.Duqu
• Duqu will inject malware into:
– Internet Explorer; Firefox;
– Trend Micro PC-cillin AntiVirus Real-time Monitor.
• Checks for anti-viral products:
– avp.exe, Mcshield.exe, avguard.exe, bdagent.exe,
UmxCfg.exe, fsdfwd.exe, rtvscan.exe,
ccSvcHst.exe, ekrn.exe, tmproxy.exe,
RavMonD.exe.
• Extends Stuxnet to deal with Kaspersky…
W32.Duqu: C&C Linux Server Deletion
Operation Black Tulip
• DigiNotar, digital certificate authority (CA):
– Cyber-attack eventually led to bankruptcy;
– Fraudulent certificates issued for hundreds of websites, including Google and Skype.
• Did not report the incident to CERT etc.:
– For 2 months there were false DigiNotar certificates in circulation;
– Used to eavesdrop on email and web browsing in Iran.
• Once the incident was made public:
– Dutch government and browser vendors acted to limit the impact.
Overview
• Now: Background:
– Is it a bug or an attack? Dijkstra…
• Now: Nature of the Threats:
– Crowdsourcing and Hacktivism;
– Social Attacks and Spear Phishing;
– Certification attacks; Configuration Attacks;
– Command and Control Servers,
– Stuxnet; Sniffers…
• Next: What Can We Do?
What Can Be Done: Cyber Exercises…
What Can Be Done: Cyber Exercises (continued)…
What Can Be Done: Simplified Attack
The Stuxnet Scenario
Schedule
First Briefing
Understanding the Threats
Detailed patterns of attack.
Second Briefing
What can be done?
Protection, forensics and recovery.
Third Briefing
More detailed case studies…
Securing space-based assets.
Any Questions?