Next week's Security Theater seminar

[Yossi Oren]

Title: Hardware Backdooring is Practical

Abstract:

This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.

Speaker Bio:

Jonathan Brossard is a security research engineer. Born in France, he's been living in Brazil and India, before currently working in Australia. With about 15 years of practice of assembly, he is specialised in low level security, from raw sockets to cryptography and memory corruption bugs. He is currently working as CEO and security consultant at the Toucan System security company. His clients count some of the biggest Defense and Financial Institutions worldwide. Jonathan is also the co-organiser of the Hackito Ergo Sum conference (HES) in France.

Recorded at DEFCON 20, Las Vegas USA, July 26, 2012

https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Brossard

[Yossi Oren]

Next week's talk!

Title: Looking Into The Eye Of The Meter

Abstract:

When you look at a Smart Meter, it practically winks at you. Their Optical Port calls to you. It calls to criminals as well. But how do criminals interact with it? We will show you how they look into the eye of the meter. More specifically, this presentation will show how criminals gather information from meters to do their dirty work. From quick memory acquisition techniques to more complex hardware bus sniffing, the techniques outlined in this presentation will show how authentication credentials are acquired. Finally, a method for interacting with a meter's IR port will be introduced to show that vendor specific software is not necessary to poke a meter in the eye.

This IS the talk that was not presented at ShmooCon 2012 in response to requests from a Smart Grid vendor and the concerns of several utilities. We have worked with them. They should be okay with this.....should.....

Speaker Bio: Don C. Weber (Cutaway) is Jack of All Trades and hardware attack dog for the InGuardians founders. He specializes in physical and information technology penetration testing, web assessments, wireless assessments, architecture review, incident response/digital forensics, product research, hardware research, code review, security tool development, and the list goes on. He is currently focusing on hardware research specifically in the technologies surrounding products comprising the SMART GRID with a focus on implementing Zigbee protocol API's and microprocessor disassembers/emulators for research, testing, risk assessment, and anything else you can think of with these technologies. 

Recorded at DEFCON 20, Las Vegas USA, July 26, 2012

https://www.defcon.org/html/defcon-20/dc-20-speakers.html#Cutaway

[Yossi Oren]

Next week's talk - last one this semester

Title: SCADA HMI and Microsoft Bob: Modern Authentication Flaws With a 90's Flavor

Abstract: 

SCADA HMI software provides a "control panel" interface to SCADA/ICS systems, allowing system operators and engineers the capability to visually monitor and make changes to parameters in the system. Many HMI packages provide the ability to authenticate users, to allow access to dangerous or sensitive controls and data to specific users, while restricting other users to observation or less sensitive areas of the system. 

Microsoft Bob was a failed Microsoft project from 1995: an attempt to make computers easy for end-users by providing a non-technical captive interface of "rooms" that users could move around, use the launch programs, and store files. Cartoon guides helped users with every step of the way. Thanks to an overly-helpful cartoon dog that would offer to change your password for you if you forgot it, it's frequently used as an example of bad security design choices.

In this presentation, Wesley will point out the similarities and differences between Microsoft Bob and SCADA HMI software, and demonstrate previously unpublished vulnerabilities in the HMI systems that are very reminiscent of the problems with Microsoft Bob (which will also be demonstrated!). For penetration testers, the techniques used to quickly identify these vulnerabilities will be discussed, as well as mitigations for those who have to defend such systems.

Speaker Bio: Robert McGrew is currently a lecturer and researcher at Mississippi State University's National Forensics Training Center, which provides free digital forensics training to law enforcement and wounded veterans. He has interests in both penetration testing and digital forensics, resulting in some interesting combinations of the two. He has written tools useful to both fields (NBNSpoof, msramdmp, GooSweep), and tries to stay involved and interactive with the online infosec community. He is currently expanding and exposing the rest of the security community to the SCADA HMI research he began with the release of user authentication vulnerabilities in the iFIX HMI product. 

Recorded at DEFCON 20, Las Vegas USA, July 26, 2012

https://www.defcon.org/html/defcon-20/dc-20-speakers.html#McGrewcGrew