Ralph Langner’s Stuxnet Deep Dive is the definitive technical presentation on the PLC attack portion of Stuxnet. He does a good job of laying out very technical details in a readable, logical way that you can follow in the video if you know something about programming and PLCs.
A lengthy but good video about Stuxnet and its capabilities. Worth watching.
Jim and I carefully approached the parking lot. It was almost 6:30 PM.
We found a vantage point near a restaurant right across the street from the parking lot, climbed onto a container located on the side of the restaurant and prepared our gear. We had with us a couple of BARSKA Blackhawk scopes with tripods. At this distance those scopes were more than enough. We also had a night vision scope with us; however, since the building was well lit we didn’t need it.
We were performing recon for a customer who wanted to test whether his control center was vulnerable. The control center housed all the company’s servers, communication boxes (telephone switches, VoIP boxes, etc.) and the data farm where they kept all their customers’ sensitive information. Phase one of the project was a physical pentest. Phase two would be a digital vulnerability assessment and, at a later stage, a full penetration test.
We were observing the building at night, trying to learn as much as we could in two nights: what the normal activity around the building was, etc. Once this part was completed we performed a daytime recon that included me going into the building to recon the reception area and other possible locations. Jim also reconnoitered the building during the day, but he focused on the exterior.
Back to the night. We observed the building’s front area for about two hours and we had a very good sketch of the area with car and people movement, lights on and off in the different windows and how often their security performed the routine checks. We did this the following night as well and then compared notes. Once we were done with this, we climbed down the container and proceeded to walk around the perimeter of the building. We wanted to see first hand whether there was any way in other than the main gate.
We walked very slowly and tried to maintain a low profile. We knew there were cameras, we just didn’t know where, so until we could map them we needed to remain as much in the dark as possible.
After the first round we found out that the building had a fence with barbed wire on three sides, including the front, where the main gate was with its entrance to the parking lot. The fourth side, the left side of the building, was guarded by another building, a smaller, three-story one. This smaller building housed an architecture studio and a law firm. The door was locked and I am sure there were some security measures inside. We noted this building to be checked during the day recon.
We spent the rest of the night observing from the container near the restaurant. Nothing worth mentioning happened. Until 6 AM.
At 6 AM we observed a group of people parking near the smaller building on the left side of our target. They began taking cleaning supplies out of a van and moving them into the building. We climbed down and walked towards them. I was dressed in semi-tactical gear, so I approached them and told them that I was one of my customer’s security personnel and I needed to verify that they had permission to be in this building. The guy was clearly part of the cleaning staff and didn’t know anything about a permit, and told me to talk to his supervisor. I went into the building, all the while making mental notes of any security devices (other than a camera at the entrance I saw none) and headed for the cleaning and supplies room. The supervisor wasn’t there, and when I asked the cleaning person where he was, he just replied “somewhere”. I took the stairs and went looking for him (sort of). I managed to get to the roof and by 6:30 AM, twelve hours after we started the recon, I saw a possible way into the building. Right there on the roof there was an escape ladder, or fire ladder, coming out of our customer’s building and into the smaller building. I climbed up and checked the door. Of course it was locked. However, I couldn’t see any signs of a security device attached to it. It might be inside, though.
Anyway, this was a good way to try to break in. We still needed to perform the day recon.
To be continued…
Originally posted in October 2011.
These points were taught to me while I was doing a counterterrorism course in the military and refer to physical security; however, with little to no change they can also be applied to information security:
Be aware that a threat ALWAYS exists and that you can be its target. It doesn’t matter if you don’t see it or don’t know of a particular vulnerability: both exist. In information warfare and cybersecurity you have to assume you have already been penetrated and that someone is out to get you, all the time. Once you accept this you can prepare to deal with it mentally, physically and technologically. Attackers have many reasons to target you: you might have something they want, a third party may be paying them to get it, or your services / website / servers / etc. may be a threat to their business or beliefs, among many others. Regardless, you cannot allow yourself to think that you hold no sensitive information and that it will not happen to you. All it takes is a script kiddie finding one simple vulnerability on your network to turn your whole server farm into part of a botnet. Treat everything that enters your servers and computers as a possible threat and deal with it accordingly. Pay special attention to low-tech attacks such as social engineering: before you know it you are handing all your information to a stranger.
Make the environment work for you. Controlling the environment is one of the most important aspects of physical security and it should be the same in cybersecurity. Know your surroundings: each workstation and the information stored on it, the servers, the connection channels between them, the internal networks and how they let external data flow in, DMZs, firewalls and routers, external networks and their failure points, the points of connection to the internet, ISPs and backups (internal and off-site). By knowing your environment intimately and by performing assessments and pentests often, you can react to changes in it (however subtle they might be) and spot potential (or actual) threats quickly and decisively. By knowing your environment and placing protective and defensive measures in it you make it harder for attackers to operate there.
Test yourself. Put yourself in the attacker’s shoes. If you had to penetrate your own perimeter, knowing what you know about it (you put all the defense mechanisms in place), how would you do it? If you can find a hole, so can an attacker. Constantly test your settings, configurations, detection tools, etc. Check each piece of your security measures by working in chunks. Partition each component of your defense into sections on a grid, then walk the grid the way a sniper scans unfamiliar terrain for unknown targets: start at the far left of the farthest row and sweep left to right; once those sections are done, drop to the next row (closer to you) and sweep right to left, then closer again, left to right. Continue until the whole grid is covered and you are standing in its innermost part: the data stored on laptops, cellphones, USB drives, etc. Once you have finished testing from the outer sections inward, don’t forget to reverse the test and work from the inside out: how would an attacker extract information?
Change your habits. Habits play against you: an attacker can plan an attack around them. If you use a specific personal firewall or software version, try changing it with the next install. If your IP addresses follow a pattern that separates internet-facing servers from internal ones, or are laid out in a way that tells an attacker which machines might hold sensitive data, change it. Change the patterns, change the way you connect servers and other network elements.
Improvise, adapt and overcome. You can’t really improvise in information security, but you can adapt and overcome. Keep up with new threats and trends, adapt to them, prepare your defenses and shore up the weak points.
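One concrete way to act on the “know your environment and spot subtle changes” point is a baseline-and-diff check: snapshot what is listening where, compare each new snapshot against the last known-good one, and triage the deltas. The Python below is an added example, not code from the original post; the inventory format (host mapped to a zone and a set of proto/port listeners), the watched-service list and both snapshots are constructed assumptions for illustration.

```python
"""Baseline-and-diff check for an environment inventory.

Added example, not from the original post. The inventory format
(host -> (zone, set of "proto/port" listeners)), the watched-service
list and both snapshots are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample snapshots, the shape a nightly port scan or CMDB export
# might give you. Addresses and services are made up.
BASELINE = {
    "10.0.1.10": ("dmz", {"tcp/443"}),
    "10.0.1.11": ("dmz", {"tcp/443", "tcp/25"}),
    "10.0.2.20": ("internal", {"tcp/1433"}),
    "10.0.2.21": ("internal", {"tcp/22", "tcp/3306"}),
}

CURRENT = {
    "10.0.1.10": ("dmz", {"tcp/443", "tcp/22"}),         # SSH now exposed in the DMZ
    "10.0.1.11": ("dmz", {"tcp/443"}),                    # SMTP listener disappeared
    "10.0.2.20": ("internal", {"tcp/1433", "tcp/3389"}),  # RDP appeared on the DB host
    "10.0.2.22": ("internal", {"tcp/22"}),                # host absent from the baseline
}

# Admin and data-store listeners whose appearance anywhere deserves a look (assumption).
WATCHED = {"tcp/22", "tcp/3389", "tcp/1433", "tcp/3306", "tcp/5432"}


@dataclass
class Delta:
    new_hosts: set[str] = field(default_factory=set)
    missing_hosts: set[str] = field(default_factory=set)
    new_services: dict[str, set[str]] = field(default_factory=dict)
    removed_services: dict[str, set[str]] = field(default_factory=dict)
    zone_changes: dict[str, tuple[str, str]] = field(default_factory=dict)

    def is_empty(self) -> bool:
        return not (self.new_hosts or self.missing_hosts or self.new_services
                    or self.removed_services or self.zone_changes)


def diff_inventory(baseline: dict, current: dict) -> Delta:
    """Compare two snapshots host by host and collect every change."""
    d = Delta()
    d.new_hosts = set(current) - set(baseline)
    d.missing_hosts = set(baseline) - set(current)
    for host in set(baseline) & set(current):
        b_zone, b_svcs = baseline[host]
        c_zone, c_svcs = current[host]
        if b_zone != c_zone:
            d.zone_changes[host] = (b_zone, c_zone)
        if c_svcs - b_svcs:
            d.new_services[host] = c_svcs - b_svcs
        if b_svcs - c_svcs:
            d.removed_services[host] = b_svcs - c_svcs
    return d


def triage(delta: Delta, current: dict) -> list[tuple[str, str]]:
    """Turn a Delta into (severity, message) pairs.

    Anything that widens exposure (unknown host, watched listener appearing,
    host changing zone) is a FINDING; everything else is a NOTE so that a
    quiet change, like a listener vanishing, still gets a second look.
    """
    out = []
    for host in sorted(delta.new_hosts):
        out.append(("FINDING", f"unknown host {host} in zone {current[host][0]}"))
    for host, (old, new) in sorted(delta.zone_changes.items()):
        out.append(("FINDING", f"{host} moved from zone {old} to {new}"))
    for host, svcs in sorted(delta.new_services.items()):
        zone = current[host][0]
        for svc in sorted(svcs):
            sev = "FINDING" if svc in WATCHED else "NOTE"
            out.append((sev, f"new listener {svc} on {host} ({zone})"))
    for host, svcs in sorted(delta.removed_services.items()):
        for svc in sorted(svcs):
            out.append(("NOTE", f"listener {svc} gone from {host}"))
    for host in sorted(delta.missing_hosts):
        out.append(("NOTE", f"host {host} no longer seen"))
    return out


def run_check(baseline: dict = BASELINE, current: dict = CURRENT) -> list[tuple[str, str]]:
    """Diff the two snapshots and return the triaged list."""
    return triage(diff_inventory(baseline, current), current)


if __name__ == "__main__":
    for sev, msg in run_check():
        print(f"{sev:8} {msg}")
```

The point of separating diff from triage is that the diff is neutral and complete while the severity rules are a policy you tune: a listener disappearing from a DMZ host is only a NOTE here, but on a host you rely on for logging it could just as well be a finding, and an attacker who knows your baseline never changes has little reason to fear this check at all.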
I’m looking for a logo that will represent Red Teams. Some of the readers have submitted awesome logos.
So as a reminder, I am opening a contest: submit your design for a logo to be used for Red Teams. The rules are simple: the logo has to be clear enough to serve as the main logo for the blog and as its icon. Also, it is a logo; too much text will defeat the purpose.
The winner gets to choose from the following gear:
Second place chooses between the two remaining items and third place gets the last remaining item.
Please submit your design to mr [dot] aleph [at] gmail [dot] com. I’ll announce the winners on March 4th.
Thanks!

Pran asked: Do you manage to do everything from a Mac?
No. Sometimes I need to use Linux. Most of the time I use BackTrack.

Taken before a recon, while I was getting ready in the parking lot.
Because a lot of people were asking the same questions, here’s the about.
Avi Rubin - All your devices can be hacked.
Really interesting.