EMBEDDED GOVERNMENT ESPIONAGE AND CYBER CRIME 
Ronald Nsale
Disclaimer 
There is a need to discuss the problems in order to find solutions 
This doesn’t represent the current status of malware/ security trends 
I don’t know everything !!!!
Agenda 
Motivation: State Level Backdooring? 
X86 architecture 
National Level attacks 
Cyber criminal advantage 
Introducing plasnito 
Why cryptography won’t save us
Who am I? 
Security Consultant (EY) 
MSc. Security and Mobile computing (University of Massachusetts-Boston) 
Author: Blindsecurity2010 (A hacker’s perspective) 
Projects: BlueRon v0.1, Backtrack 2 and OWASP Web Exploitation. Google can list the rest 
Motivation: State Level Backdooring?
Could China (a state) backdoor all new computers on earth?
A bit of X86 architecture
Previous 
Early 80s: Brain virus, targets the MBR 
80s, 90s: thousands of such viruses 
2007, John Heasman (NGS Software), Black Hat US: backdoor in the EFI bootloader 
2009, Anibal Sacco and Alfredo Ortega (Core Security), CanSecWest: patch/flash a Phoenix-Award BIOS; Windows, Truecrypt. Load arbitrary unsigned kernel module. 
2010, Kumar and Kumar (HITB Malaysia): vbootkit, bootkitting of Windows 7. 
Piotr Bania, Kon-Boot: bootkit any Windows (32/64-bit) 
2012: Snare (Black Hat 2012): UEFI rootkitting
Previous 
Persistent 
Stealth (0 hostile code on the machine) 
Portable (OS independent) 
Remote access, remote updates 
State-level quality: plausible deniability, non-attribution 
Cross network perimeters (firewalls, auth proxy) 
Redundancy 
Non detectable by AV (goes without saying...)
National Level attacks
Firewalls: JETPLOW 
Cisco 500 series PIX firewall, ASA (5505,5510,5520,5540,5550)
Routers: HEADWATER 
• HEADWATER PBD transferred remotely over the internet to the target router 
• PBD is installed in the router's boot ROM via the upgrade command 
• PBD activated after a system boot 
NOTE: 
HEADWATER is the cover term for the PBD for Huawei Technologies routers. This was adopted for use in the joint NSA/CIA effort to exploit Huawei network equipment under project name TURBOPANDA
Servers: IRONCHEF 
HP ProLiant DL380 G5 server
Computers: GINSU 
Installed as a PCI bus hardware implant
Cyber criminal advantage
Default usernames and passwords 
Unsecured Debugging ports 
Unencrypted Trojans and Back doors
Introduction to Plasnito
DEMO
Reality 
This is not a vulnerability: 
It is sheer bad design due to legacy. 
Don't expect a patch. 
Fixing those issues will probably require breaking backward compatibility with most standards (PCI, PCIe, TPM).
Why crypto won't save you 
We can fake the boot/password prompt by booting a remote OS (Truecrypt/Bitlocker) 
Once we know the password, the BIOS backdoor can emulate keyboard typing in 16-bit real mode by programming the keyboard/motherboard PIC microcontrollers 
If necessary, patch the original BIOS/firmware back remotely.
Why crypto won't save you 
TPM + full disk encryption won't save you either: 
It's a passive chip: if the backdoor doesn't want explicit access to data on the HD, it can simply ignore the TPM. 
Your HD is never encrypted when delivered to you. You only seal the TPM when you encrypt your HD. So the TPM doesn't prevent backdooring by anyone in the supply chain.
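Added illustration, not part of the original slides: a toy Python model of TPM measured boot and sealing that shows the supply-chain point above. PCR extend is modelled as SHA-256 of (old PCR || hash of component), sealing as binding a key to one PCR value, and the "firmware" images are constructed byte strings, not real BIOS or bootloader contents. The seal/unseal functions, the image constants and the two scenario functions are all assumptions made for the demonstration.

```python
import hashlib
import hmac

PCR_INIT = b"\x00" * 32  # a reset SHA-256 PCR starts at all zeros


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Extend every boot component in order, as measured boot does."""
    pcr = PCR_INIT
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def seal(policy_pcr: bytes, secret: bytes) -> tuple:
    """Toy model of sealing: bind a secret to one expected PCR value."""
    return (policy_pcr, secret)


def unseal(sealed: tuple, current_pcr: bytes):
    """Release the secret only if the current PCR matches the sealed policy."""
    policy_pcr, secret = sealed
    return secret if hmac.compare_digest(policy_pcr, current_pcr) else None


# Constructed stand-ins for firmware images (assumption: not real BIOS bytes).
CLEAN_BIOS = b"vendor BIOS 1.0"
BACKDOORED_BIOS = CLEAN_BIOS + b"<supply-chain implant>"
BOOTLOADER = b"OS bootloader"
DISK_KEY = b"full-disk-encryption-key"


def supply_chain_scenario() -> bool:
    """Machine arrives already backdoored; the owner enables FDE and seals
    against whatever the PCRs happen to be. Returns True if the key is
    still released on the next boot, i.e. the implant goes unnoticed."""
    pcr_at_seal = measure_boot_chain([BACKDOORED_BIOS, BOOTLOADER])
    sealed = seal(pcr_at_seal, DISK_KEY)
    next_boot = measure_boot_chain([BACKDOORED_BIOS, BOOTLOADER])
    return unseal(sealed, next_boot) == DISK_KEY


def golden_baseline_scenario() -> bool:
    """Owner seals against a PCR computed from a verified (reflashed) image.
    Returns True if a later boot with tampered firmware is refused the key."""
    golden = measure_boot_chain([CLEAN_BIOS, BOOTLOADER])
    sealed = seal(golden, DISK_KEY)
    tampered_boot = measure_boot_chain([BACKDOORED_BIOS, BOOTLOADER])
    return unseal(sealed, tampered_boot) is None


if __name__ == "__main__":
    print("implant survives sealing done after delivery:", supply_chain_scenario())
    print("implant caught when sealed to a verified baseline:", golden_baseline_scenario())
```

The point the model makes: sealing only detects change relative to the state at sealing time. If the machine was backdoored before the owner ever enabled encryption, the backdoored measurements become the trusted baseline, which is why the remediation later in the deck starts with reflashing to a firmware you can verify before trusting any measurement.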
How about Antivirus????? 
Putting an AV on a server to protect against unknown threats is purely cosmetic. 
You may as well put lipstick on your servers...
Example: 3 year old bootkit
Remediation 
Flash any firmware upon reception of new hardware with open source software you can verify 
Perform checksums of all firmware by physically extracting it (FPGA..): costly! 
Verify the integrity of all firmware from time to time 
Update forensics best practices: 
1) Include firmware in the SoW 
2) Throw away your computer in case of intrusion 
Even then... not entirely satisfying: the backdoor can flash the original firmware back remotely.
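Added example for the remediation steps above, not code from the slides: a small Python baseline/verification tool for firmware dumps. It records a baseline (whole-image SHA-256 plus per-region hashes) right after flashing a verified image, and later compares a freshly extracted dump against it, reporting which region changed or whether the image size changed. The 4 KiB region size, the JSON baseline format and the sample dumps are all constructed assumptions; the dumps are filler bytes, not real firmware.

```python
import hashlib
import json

REGION_SIZE = 4096  # assumption: granularity for localising a change, not a flash-layout constant


def hash_regions(image: bytes, region_size: int = REGION_SIZE) -> dict:
    """SHA-256 of each fixed-size slice of the dump, keyed by hex offset."""
    return {
        f"0x{off:08x}": hashlib.sha256(image[off:off + region_size]).hexdigest()
        for off in range(0, len(image), region_size)
    }


def make_baseline(image: bytes, region_size: int = REGION_SIZE) -> dict:
    """Record what a verified image looks like, taken right after flashing it."""
    return {
        "size": len(image),
        "region_size": region_size,
        "sha256": hashlib.sha256(image).hexdigest(),
        "regions": hash_regions(image, region_size),
    }


def verify_dump(image: bytes, baseline: dict) -> list:
    """Compare a fresh dump with the baseline; an empty list means identical."""
    findings = []
    if hashlib.sha256(image).hexdigest() == baseline["sha256"]:
        return findings
    if len(image) != baseline["size"]:
        findings.append(f"size changed: {baseline['size']} -> {len(image)} bytes")
    current = hash_regions(image, baseline["region_size"])
    for off, expected in baseline["regions"].items():
        if current.get(off) != expected:
            findings.append(f"region {off} differs from baseline")
    for off in current:
        if off not in baseline["regions"]:
            findings.append(f"region {off} not present in baseline")
    return findings


def save_baseline(baseline: dict) -> str:
    """Serialise the baseline so it can be stored off the machine being checked."""
    return json.dumps(baseline, indent=2, sort_keys=True)


def load_baseline(text: str) -> dict:
    return json.loads(text)


# Constructed sample dumps (three 4 KiB regions of filler), not real firmware.
CLEAN_DUMP = bytes(range(256)) * 48            # 12288 bytes = 3 regions
_tampered = bytearray(CLEAN_DUMP)
_tampered[0x1200:0x1210] = b"\xff" * 16        # one change inside region 0x00001000
TAMPERED_DUMP = bytes(_tampered)
GROWN_DUMP = CLEAN_DUMP + b"\x00" * 16         # image that grew by 16 bytes


def demo() -> dict:
    """Round-trip the baseline through JSON, then check the three sample dumps."""
    baseline = load_baseline(save_baseline(make_baseline(CLEAN_DUMP)))
    return {
        "clean": verify_dump(CLEAN_DUMP, baseline),
        "tampered": verify_dump(TAMPERED_DUMP, baseline),
        "grown": verify_dump(GROWN_DUMP, baseline),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "matches baseline")
```

Store the baseline somewhere the checked machine cannot reach, since the last slide point applies: a backdoor that can reflash firmware can also present whatever image it likes to software-based readers, so the comparison is only as trustworthy as the extraction method (hence the physical extraction the deck recommends).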
Questions ? 
Contact me 
Ronald.Nsale@ug.ey.com
