SCADA Software or Swiss Cheese Software?
Code Blue 2014, Tokyo
Celil ÜNÜVER, SignalSEC Ltd.
Agenda

• About me
• How it started
• Why are SCADA apps so BUGGY?
• Hunting SCADA vulnerabilities
• Analysis of the vulnerabilities
About me

• Co-founder and Researcher @ SignalSEC Ltd.
• Organizer of NOPcon Hacker Conference (Istanbul, Turkey)
• Interested in vulnerability research, reversing
• Hunted a lot of bugs affecting Adobe, IBM, Microsoft, Facebook, Novell, SCADA vendors etc.
• Has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n etc.
How it started

• SCADA systems have been part of our daily life for many years!
• There was not much interest in SCADA security
Milestone

• Stuxnet and Duqu attacks in 2010 – 2011
• SCADA systems got the attention of hackers and researchers after these attacks.
• Critical systems, fame, profit etc.
• They are all JUICY targets
• Lots of SCADA systems are open to the INTERNET
No more Stuxnet

• Sure, all of us know about Stuxnet!

SCADA Overview

ICS Vulnerabilities

• Hardware/Firmware vulnerabilities: vulns in PLC & RTU devices
• Software vulnerabilities: vulns in control system software (HMI), which also affect PLC/RTU devices
TWO DOZEN BUGS IN A FEW HOURS

Trust me, it's easy!

Actually, it's really easy to hunt SCADA BUGS!!!
Why is it easy?

There wasn't a real threat to SCADA software until 2010, so the developers were not aware of SECURE development.
Hunting Vulnerabilities

• Simple reversing rocks!
• 1) Analyze the target software (potential inputs: communication protocols, ActiveX etc.)
• 2) Discover & trace the input
• 3) Hunt the bugs.

Hunting Vulnerabilities

"You must understand that there is more than one path to the top of the mountain."
- Miyamoto Musashi
Case-1: CoDeSys Gateway Vuln

• CoDeSys is a development environment for industrial control systems used by lots of manufacturers.
• Aaron Portnoy from Exodus discovered these vulnerabilities.
• Status: Patched

Case-1: CoDeSys - RECON

• Listening PORT

Case-1: CoDeSys - Debug

• Breakpoint on recv()
• Send junk bytes
• Breakpoint (on access) on recv's 'buf' parameter

Case-1: CoDeSys - Debug

• Comparing

Case-1: CoDeSys – Switch Cases / Opcodes

• After we pass the comparison

Case-1: CoDeSys – Switch Cases

• Let's find the bugs

Case-1: CoDeSys – Delete File

• Opcode: 13

Case-1: CoDeSys – Upload File

• Opcode: 6
Case-1: Recommendation

• Actually, the file remove / upload "bugs" are a 'feature' of this application ☺
• But there is no authentication for these operations. Somebody can reverse the packet structure and use these features for evil!
• To solve this kind of bug, developers should add an "authentication" step before executing opcodes.
• Patched in 2013
An Interesting Story: Progea MOVICON Vulnerability – still 0day

"When a patch doesn't patch anything!"

• 23 Nov 2013: I discovered some vulnerabilities in the latest version of Progea MOVICON HMI software
• 24 Nov 2013: We published a short analysis on Pastebin
• 3 Dec 2013: ICS-CERT contacted us about the post on Pastebin. They asked for details, we sent information etc.
• 5 Dec 2013: from ICS-CERT to me;
• THEY SAY: The bugs you discovered are SIMILAR to a bunch of OLDER BUGS that were PATCHED IN 2011.
• ICSA-11-056
• My findings look exactly the same!!!! But I am able to reproduce them on the latest version!!
• These bugs are similar to the bugs that we analyzed in Case-1: CoDeSys
• There is NO authentication to call some functions / operations in the software. Somebody can reverse the packet structure and use these features for evil!
• After a conversation with Code Blue staff, we have decided to mask some details of this zero-day vulnerability.
• Remote Information Disclosure: opcode [-censored-]
• Opcode [-censored-] calls the GetVersionExA API and sends the output to the client
• Here is a simple PoC for this bug;
• When we run it and call opcode [-censored-]:
• The 6th byte in the printed data is "dwMajorVersion", which is a return value of GetVersionExA and gives information about the OS.
• Status: PATCHED(!) in 2011, but we are able to exploit it in 2014!

• So what is the problem? Why are the old bugs still there!?
• After comparing the older version and the latest version, I understood that the vendor actually didn't patch anything.
• Instead of fixing the vulnerabilities, they just changed the "opcodes" of the functions in the new version!
• Older version: opcode 7 causes an info disclosure vulnerability by calling the GetVersionEx API
• New version: they just changed opcode "7" to "X" for calling the GetVersionEx API

PROGEA, your fail is unbelievable!
Temporary solution

• Block remote connections to TCP:10651
• If you contact me personally, I can share vulnerability signatures that you can use in your IDS/IPS (Snort etc.)
Case-3: CoDeSys WebVisu

• CoDeSys WebVisu uses a webserver which is usually open to the Internet for visualization of the PLC
• Discovered by me
• Status: Patched

Case-3: CoDeSys Vulnerability

• Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function.
• It uses "vsprintf" to print which file is requested.
Case-4: Schneider IGSS Vulnerability

• Gas distribution in Europe
• Airport in Asia
• Traffic control center in Europe

Case-4: Schneider IGSS Vulnerability

• Discovered by me
• Status: Patched
• IGSS listens on ports 12399 and 12397 at runtime
• A simple bunch of code causes a DoS:

	use IO::Socket;
	$host = "localhost";
	$port = 12399;
	$port2 = 12397;
	$first = "\x01\x01\x00\x00";
	$second = "\x02\x01\x00\x00";
	# The slide shows only the setup above; sending each 4-byte header to its port is the assumed continuation
	for my $pair ([$port, $first], [$port2, $second]) {
	    my $s = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $pair->[0], Proto => 'tcp') or die "connect: $!";
	    print $s $pair->[1];
	    close $s;
	}
Case-5: Schneider Electric Accutech Heap Overflow Vulnerability

• Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function
• Status: Patched
Case-6: Pwning the Operator

Case-6: Invensys Wonderware System Platform Vulnerability

• Discovered by me
• Status: Patched
• Killing five birds with one stone ☺

• An ActiveX buffer overflow vulnerability
• Just found by ActiveX fuzzing...
• Send the exploit URL to the HMI operator
• Click and pwn!
Case-7: InduSoft HMI Bugs

• This is really creepy!
• This software doesn't even check any "magic" value of incoming packets. There is no custom packet structure!
• Sending 1 byte to TCP:4322 is enough to jump into a switch case

Case-7: InduSoft HMI Exploit ☺
Finding Targets

• Banner information: "3S_WebServer"
• Let's search for it on SHODAN! ☺

CoDeSys WebServer on SHODAN

Server's banner: "3S_WebServer"
Shodan results: 151

Demo
Conclusion

• Critical infrastructures are juicy targets!
• Hacktivists are interested in SCADA hacking too, not only government intelligence agencies.
• Applications are insecure!

Thank you!

• Contact: cunuver@signalsec.com
• Twitter: @celilunuver
• www.signalsec.com
• www.securityarchitect.org
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 

More from CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Recently uploaded

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 

Recently uploaded (20)

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 

SCADA Software or Swiss Cheese Software? by Celil UNUVER

1. SCADA Software or Swiss Cheese Software?
   Code Blue 2014, Tokyo
   Celil ÜNÜVER, SignalSEC Ltd.

2. Agenda
   • About me
   • How it started?
   • Why are SCADA apps so BUGGY?
   • Hunting SCADA vulnerabilities
   • Analysis of the vulnerabilities

3. About me
   • Co-founder and Researcher @ SignalSEC Ltd.
   • Organizer of NOPcon Hacker Conference (Istanbul, Turkey)
   • Interested in vulnerability research, reversing
   • Hunted a lot of bugs affecting Adobe, IBM, Microsoft, Facebook, Novell, SCADA vendors etc.
   • Has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n etc.

4. How it started?
   • SCADA systems have been part of our daily life for many years!
   • There was not much interest in SCADA security.

5. Milestone
   • Stuxnet and Duqu attacks in 2010–2011
   • SCADA systems got the attention of hackers and researchers after these attacks.
   • Critical systems, fame, profit etc.
   • They are all JUICY targets.
   • Lots of SCADA systems are open to the INTERNET.

6. No more Stuxnet
   • Sure, all of us know about Stuxnet!

8. ICS Vulnerabilities
   • Hardware/Firmware vulnerabilities: vulns in PLC & RTU devices
   • Software vulnerabilities: vulns in control system software (HMI), which also affect PLC/RTU devices

9. TWO DOZEN BUGS IN A FEW HOURS

10. Trust me, it's easy!
   Actually, it's really easy to hunt SCADA BUGS!!!

11. Why is it easy?
   There wasn't a real threat to SCADA software until 2010, so the developers were not aware of SECURE development.

12. Hunting Vulnerabilities
   • Simple reversing rocks!
   • 1-) Analyze the target software (potential inputs: communication protocols, ActiveX etc.)
   • 2-) Discover & trace the input
   • 3-) Hunt the bugs.

13. Hunting Vulnerabilities
   "You must understand that there is more than one path to the top of the mountain."
   - Miyamoto Musashi -

14. Case-1: CoDeSys Gateway Vuln
   • CoDeSys is a development environment for industrial control systems used by lots of manufacturers.
   • Aaron Portnoy from Exodus discovered these vulnerabilities.
   • Status: Patched

15. Case-1: CoDeSys - RECON
   • Listening PORT

16. Case-1: CoDeSys - Debug
   • Breakpoint on recv()
   • Send junk bytes
   • Memory-access breakpoint on recv's 'buf' parameter

17. Case-1: CoDeSys - Debug
   • Comparing

18. Case-1: CoDeSys – Switch Cases / Opcodes
   • After we pass the comparison

19. Case-1: CoDeSys – Switch Cases
   • Let's find the bugs

20. Case-1: CoDeSys – Delete File
   • Opcode: 13

21. Case-1: CoDeSys – Upload File
   • Opcode: 6

22. Case-1: Recommendation
   • Actually, file remove / upload bugs are a 'feature' of this application ☺
   • But there is no authentication for these operations. Somebody can reverse the packet structure and use these features for evil!
   • To solve this kind of bug, developers should add an "authentication" step before executing opcodes.
   • Patched in 2013

23. An Interesting Story: Progea MOVICON Vulnerability – still 0day
   "When a patch doesn't patch anything!"
   • 23 Nov 2013: I discovered some vulnerabilities in the latest version of Progea MOVICON HMI software
   • 24 Nov 2013: We published a short analysis on Pastebin
   • 3 Dec 2013: ICS-CERT contacted us about the post on Pastebin. They asked for details, we sent information etc.

24. An Interesting Story: Progea MOVICON Vulnerability – 0day
   • 5 Dec 2013:
   • from ICS-CERT to me;

25. An Interesting Story: Progea MOVICON Vulnerability – 0day
   • THEY SAY: The bugs you discovered are SIMILAR to a bunch of OLDER BUGS and PATCHED IN 2011.
   • ICSA-11-056
   • My findings look exactly the same!!!! But I am able to reproduce them on the latest version!!

26. An Interesting Story: Progea MOVICON Vulnerability – 0day
   • These bugs are similar to the bugs that we analyzed in Case-1: CoDeSys
   • There is NO authentication to call some functions and operations in the software. Somebody can reverse the packet structure and use these features for evil!
   • After a conversation with Code Blue staff, we have decided to mask some details of this zero-day vulnerability.

27. An Interesting Story: Progea MOVICON Vulnerability – 0day

28. An Interesting Story: Progea MOVICON Vulnerability – 0day
   • Remote Information Disclosure: opcode [-censored-]

29. An Interesting Story: Progea MOVICON Vulnerability – 0day
   • Opcode [-censored-] calls the GetVersionExA API and sends the output to the client

30. An Interesting Story: Progea MOVICON Vulnerability – 0day
   • Here is a simple PoC for this bug;

31. An Interesting Story: Progea MOVICON Vulnerability – 0day
   • When we run it and call opcode [-censored-]:
   • The 6th byte in the printed data is "dwMajorVersion", which is a return value of GetVersionExA and gives information about the OS.
   • Status: PATCHED(!) in 2011, but we are able to exploit it in 2014!

32. An Interesting Story: Progea MOVICON Vulnerability – 0day
   • So what is the problem? Why are old bugs still there!?
   • After comparing the older version and the latest version, I understood that the vendor actually didn't patch anything.
   • Instead of fixing vulnerabilities, they just changed the "opcodes" of the functions in the new version!
   • Older version: Opcode 7 causes an info disclosure vulnerability by calling the GetVersionEx API
   • New version: They just changed opcode "7" to "X" for calling the GetVersionEx API

33. PROGEA, your fail is unbelievable!

34. Temporary solution
   • Block remote connections to TCP:10651
   • If you contact me personally, I can share vulnerability signatures that you can use in your IDS/IPS (snort etc.)

35. Case-3: CoDeSys WebVisu
   • CoDeSys WebVisu uses a webserver which is usually open to the Internet for visualization of the PLC
   • Discovered by me
   • Status: Patched

36. Case-3: CoDeSys Vulnerability
   • Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function.
   • It uses "vsprintf" to print which file is requested.

37. Case-4: Schneider IGSS Vulnerability
   • Gas Distribution in Europe
   • Airport in Asia
   • Traffic Control Center in Europe

38. Case-4: Schneider IGSS Vulnerability
   • Discovered by me
   • Status: Patched
   • IGSS listens on ports 12399 and 12397 at runtime
   • A simple bunch of code causes a DoS:
     use IO::Socket;
     $host = "localhost";
     $port = 12399;
     $port2 = 12397;
     $first = "\x01\x01\x00\x00";
     $second = "\x02\x01\x00\x00";

39. Case-5: Schneider Electric Accutech Heap Overflow Vulnerability
   Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function
   Status: Patched

40. Case-5: Schneider Electric Accutech Heap Overflow Vulnerability

41. Case-5: Schneider Electric Accutech Heap Overflow Vulnerability
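Cases 3 and 5 both come down to the same unsafe call, so here, as an added example that is not code from CoDeSys WebVisu, Accutech or the talk, is the vsprintf pattern beside a bounded vsnprintf version that checks for truncation. The request lines, the 64-byte log buffer and the function names are constructed for this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 64   /* constructed log buffer size */

/* The unsafe shape: vsprintf writes however much the format produces, so a
 * request path longer than the buffer runs past its end.  Kept here only to
 * show the pattern; nothing below calls it. */
int log_request_unsafe(char *out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsprintf(out, fmt, ap);   /* no bound on 'out' */
    va_end(ap);
    return n;
}

/* Bounded replacement: vsnprintf writes at most size-1 characters plus the
 * terminator, and its return value says whether the output was cut short.
 * Returns the formatted length, -1 on a format error, -2 on truncation. */
int log_request_safe(char *out, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= size)
        return -2;   /* truncated: do not treat 'out' as the full message */
    return n;
}

/* Copy the request target out of "GET /path HTTP/1.1" into path, refusing
 * anything that would not fit.  Returns the path length or -1. */
int parse_request_path(const char *line, char *path, size_t path_size)
{
    if (strncmp(line, "GET ", 4) != 0)
        return -1;
    const char *start = line + 4;
    const char *end = strchr(start, ' ');
    if (end == NULL)
        return -1;
    size_t len = (size_t)(end - start);
    if (len == 0 || len >= path_size)
        return -1;   /* bound is checked before any byte is copied */
    memcpy(path, start, len);
    path[len] = '\0';
    return (int)len;
}

/* Parse a request line and log which file was requested.
 * Returns 0 on success, -1 if the path is rejected, -2 if the log line
 * would have been truncated. */
int handle_request_line(const char *line, char *logbuf, size_t logsize)
{
    char path[128];
    if (parse_request_path(line, path, sizeof path) < 0)
        return -1;
    int n = log_request_safe(logbuf, logsize, "requested file: %s", path);
    return n < 0 ? -2 : 0;
}

/* Build a constructed request whose path is '/' followed by path_len 'A's
 * and run it through handle_request_line; this exercises both bounds. */
int handle_constructed_request(size_t path_len, char *logbuf, size_t logsize)
{
    char line[1100];
    if (path_len > 1000)
        return -1;
    memcpy(line, "GET /", 5);
    memset(line + 5, 'A', path_len);
    memcpy(line + 5 + path_len, " HTTP/1.1", 10);   /* includes the terminator */
    return handle_request_line(line, logbuf, logsize);
}

int main(void)
{
    char logbuf[LOG_BUF];
    int short_rc = handle_constructed_request(20, logbuf, sizeof logbuf);
    int long_rc = handle_constructed_request(60, logbuf, sizeof logbuf);
    int huge_rc = handle_constructed_request(200, logbuf, sizeof logbuf);
    printf("short=%d long=%d huge=%d\n", short_rc, long_rc, huge_rc);
    return 0;
}
```

With the 64-byte log buffer a 20-character path is logged in full, a 60-character path is refused as truncated, and a 200-character path never reaches the formatter at all.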
43. Case-6: Invensys Wonderware System Platform Vulnerability
   • Discovered by me
   • Status: Patched
   • Killing five birds with one stone ☺

44. Case-6: Invensys Wonderware System Platform Vulnerability
   • An ActiveX buffer overflow vulnerability
   • Just found by ActiveX fuzzing...
   • Send the exploit URL to the HMI operator
   • Click and pwn!

46. Case-7: InduSoft HMI Bugs
   • This is really creepy!
   • This software doesn't even check a "magic" value in incoming packets. There is no custom packet structure!
   • Sending 1 byte to TCP:4322 is enough to jump into a switch case

47. Case-7: InduSoft HMI Exploit ☺
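The Case-1 recommendation, the Movicon renumbering and the InduSoft one-byte trigger all point at the same missing checks, so here they are in one place as an added example that is not code from the talk or from any of the vendors: a dispatcher that verifies magic and length on every packet and gates privileged opcodes behind authentication, keyed on what a handler does rather than on its number. The framing, the opcode values, the magic and the token are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAGIC   0x5343u  /* constructed magic value */
#define HDR_LEN 6        /* magic(2) | opcode(2) | payload length(2), little-endian */

/* Constructed opcode numbers; 6 and 13 echo the upload/delete opcodes named
 * in the Case-1 slides, 7 the version opcode from the Movicon story. */
enum opcode { OP_PING = 1, OP_AUTH = 2, OP_UPLOAD_FILE = 6, OP_GET_VERSION = 7,
              OP_DELETE_FILE = 13 };

enum result { R_OK = 0, R_BAD_LEN, R_BAD_MAGIC, R_UNKNOWN_OP,
              R_AUTH_REQUIRED, R_AUTH_FAILED, R_BAD_PATH };

struct session { bool authenticated; char last_file[64]; };

static const char EXPECTED_TOKEN[] = "example-shared-secret";  /* constructed */

/* Privilege is a property of what a handler does, not of its number, so
 * renumbering an opcode (the Movicon "patch") changes nothing here. */
static bool is_privileged(uint16_t op)
{
    return op == OP_UPLOAD_FILE || op == OP_DELETE_FILE || op == OP_GET_VERSION;
}

/* Constant-time comparison of the presented token against the expected one. */
static bool token_matches(const uint8_t *got, size_t got_len)
{
    size_t want_len = sizeof EXPECTED_TOKEN - 1;
    if (got_len != want_len) return false;
    uint8_t diff = 0;
    for (size_t i = 0; i < want_len; i++) diff |= got[i] ^ (uint8_t)EXPECTED_TOKEN[i];
    return diff == 0;
}

/* Reject empty names, path separators, embedded NULs and ".." segments. */
static bool file_name_ok(const uint8_t *name, size_t len)
{
    if (len == 0) return false;
    for (size_t i = 0; i < len; i++) {
        if (name[i] == '/' || name[i] == '\\' || name[i] == '\0') return false;
        if (name[i] == '.' && i + 1 < len && name[i + 1] == '.') return false;
    }
    return true;
}

/* Validate one packet, then dispatch.  Every check runs before the switch,
 * so a stray one-byte packet (the InduSoft case) never reaches a handler. */
enum result handle_packet(struct session *s, const uint8_t *pkt, size_t len)
{
    if (len < HDR_LEN) return R_BAD_LEN;
    uint16_t magic = (uint16_t)(pkt[0] | (pkt[1] << 8));
    uint16_t op    = (uint16_t)(pkt[2] | (pkt[3] << 8));
    uint16_t plen  = (uint16_t)(pkt[4] | (pkt[5] << 8));
    if (magic != MAGIC) return R_BAD_MAGIC;
    if ((size_t)plen != len - HDR_LEN) return R_BAD_LEN;  /* declared length must match */
    const uint8_t *payload = pkt + HDR_LEN;

    /* The gate the talk asks for: authenticate before any privileged opcode. */
    if (is_privileged(op) && !s->authenticated) return R_AUTH_REQUIRED;

    switch (op) {
    case OP_PING:
        return R_OK;
    case OP_AUTH:
        if (!token_matches(payload, plen)) return R_AUTH_FAILED;
        s->authenticated = true;
        return R_OK;
    case OP_UPLOAD_FILE:
    case OP_DELETE_FILE:
        if (!file_name_ok(payload, plen) || plen >= sizeof s->last_file) return R_BAD_PATH;
        memcpy(s->last_file, payload, plen);   /* record the validated name */
        s->last_file[plen] = '\0';
        return R_OK;
    case OP_GET_VERSION:
        return R_OK;   /* version details leave the host only after authentication */
    default:
        return R_UNKNOWN_OP;
    }
}

/* Frame a well-formed packet for opcode op with a string payload and run it
 * through handle_packet; this is the client side used in the checks below. */
enum result send_op(struct session *s, uint16_t op, const char *payload)
{
    uint8_t buf[HDR_LEN + 256];
    size_t plen = payload ? strlen(payload) : 0;
    if (plen > 256) return R_BAD_LEN;
    buf[0] = MAGIC & 0xff;  buf[1] = (MAGIC >> 8) & 0xff;
    buf[2] = op & 0xff;     buf[3] = (op >> 8) & 0xff;
    buf[4] = plen & 0xff;   buf[5] = (plen >> 8) & 0xff;
    if (plen) memcpy(buf + HDR_LEN, payload, plen);
    return handle_packet(s, buf, HDR_LEN + plen);
}
```

A delete or version request on a fresh session comes back R_AUTH_REQUIRED whatever number the opcode carries; only after OP_AUTH with the right token does the same request run, and even then a name containing ".." is refused.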
48. Finding Targets
   • Banner Information: "3S_WebServer"
   • Let's search it on SHODAN! ☺

49. CoDeSys WebServer on SHODAN
   Server's Banner: "3S_WebServer"
   Shodan Results: 151

51. Conclusion
   • Critical infrastructures are juicy targets!
   • Hacktivists are interested in SCADA hacking too, not only government intelligence agencies.
   • Applications are insecure!

52. Thank you!
   • Contact:
   • cunuver@signalsec.com
   • Twitter: @celilunuver
   • www.signalsec.com
   • www.securityarchitect.org