Difference between revisions of "Episode350"

From Security Weekly Wiki

Revision as of 01:58, 25 October 2013


Wings For Warriors

Please help support our charity for this event, Wings For Warriors!
Donate By Clicking Here

Episode 350

October 25, 2013 9:00AM-6:00PM EDT

Welcome to our very special episode 350, all in support of wounded veterans in our armed services. Please take the time to donate using the links above. We've got an epic day in store for you, including contests, panel discussions, technical segments and more!

Intro 9:45AM-10:00AM

Crypto Challenge 10:00AM-10:10PM

Anthony Ameen - Wings for Warriors : Interview 10:10AM - 10:30AM


Active Defense: Taking The Fight To Attackers: Should We? 10:30AM-11:30AM

Guests



Ben Wright:

Benjamin Wright is the author of several technology law books, including Business Law and Computer Security, published by the SANS Institute. With over 25 years in private law practice, he has advised many organizations, large and small, private sector and public sector, on privacy, computer security, e-mail discovery, outsourcing contracts and records management. Nothing Mr. Wright says in public is legal advice for your particular situation. If you need legal advice or a legal opinion, you should retain a lawyer.

"Relevant background article on Offensive Countermeasures: http://legal-beagle.typepad.com/security/2011/08/crime.html"

Josh Corman:

Joshua Corman is the Director of Security Intelligence for Akamai. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges plaguing the IT industry, and helps to drive evolutionary strategies toward emerging technologies and shifting incentives.

Dave Dittrich:

Dave Dittrich is an Affiliated Research Scientist with the Office of the Chief Information Security Officer at the University of Washington. He is also a member of the Honeynet Project and Seattle's "Agora" computer security group.

Rob Graham:

Robert Graham is the co-founder and CTO of Errata Security, a firm specializing in cybersecurity consulting and product verification. Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS was written more than 10 years ago designed to catch Morris-worm copycats.

Panel

We've all heard the term "Hacking Back". We all have mixed feelings about this term. Let's be clear, it's not about feelings! The revenge-based "hacking back" was doomed to failure from the beginning. On the flip side, we're losing the battle against attackers on many fronts. What can we do? Setting traps, tracking attackers, luring them into areas of the network and systems deemed "honeypots" is on the table, or is it? What are the legal ramifications of this activity?

  1. What is "hacking back" and how does it apply to our conversation?
  2. Should we "hack back"?
  3. What types of traps are suggested? What is different about setting traps than hacking back?
  4. What is active defense? How is it different?
  5. Where are the legal lines drawn?
  6. Should everyone implement active defenses?
  7. What is the future of active defense?

SCADA: Attack & Defense: Securing Critical Infrastructure 11:30AM -12:30PM

Guests


Justin Searle:

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing.

Joel Langill:

Joel Langill is the SCADAhacker. His expertise was developed over nearly 30 years through in-depth, comprehensive industrial control systems architecture, product development, implementation, upgrade and remediation in a variety of roles covering manufacturing of consumer products, oil and gas including petroleum refining, automation solution sales and development, and system engineering.

Dale Peterson:

Dale Peterson is the founder and CEO of Digital Bond, a control system consulting and research practice. He performed his first SCADA assessment in 2000, and Dale is the program chair for the S4 conference every January in Miami Beach.

Patrick C. Miller:

Patrick Miller provides services as an independent security and regulatory advisor for the Critical Infrastructure sectors as Partner and Managing Principal of the Anfield Group.

Panel

SCADA systems are being attacked and making headlines. However, this is not news, or is it? There is a lot of newfound "buzz" around attacking SCADA and defending SCADA. Technology has evolved and many systems are Internet connected and more advanced than ever. Water, power, electric, manufacturing all have SCADA.

  1. What are the gaps in SCADA security?
  2. Are "air gapped" systems effective or realistic with the advances of wireless and cellphone hotspots?
  3. How does an Industrial Control System begin the approach to assess its security when the NIST SP-800-53 and related documents are so vast and complex?
  4. What systems are being targeted and why?
  5. What are some examples of "bad things" happening as a result of SCADA systems becoming compromised?
  6. What can SCADA vendors do better?
  7. How do we accurately and safely assess the security of SCADA systems?
  8. What can we do to raise awareness?

BREAK 12:30PM - 12:45PM

Stogie Geeks 12:45PM-2:00PM

Tech Segment with Greg Hetrick 2:00PM - 2:15PM


Java - Can't Uninstall? Whitelist it?

As in most sizable organizations, it is nearly impossible to uninstall or completely disable Java, which sent us on a hunt for a feasible way to contain Java-based attacks. What we came up with was restricting Java to run only in trusted zones. This worked for APPLET tags when encountered in IE.

What this does is block any applet from running if it is not part of a trusted internet zone. First, identify all the internal trusted zones and add them. Next, allow the user to trust their own zones. Most of the time it seemed they knew when there was an applet they wanted to run. Enabling this is a simple registry change: set value 1C00 under

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

to a value of 0.

*Note: the original value is 10000.

This will prohibit Java from running in the “Internet Zone.” For internal sites, you can whitelist them as a “Trusted Zone” so that Java runs properly. This can be done via GPO for all internal sites and for any identified external sites where Java is required.

For some fun stats, an enterprise of 15,000 endpoints went from ~1.5 take aways per day due to Java drive-by style attacks down to about 1-2 per month.

For most organizations, updating Java is a Herculean effort, so the whitelisting method from within Windows can be a viable and quite effective alternative. In recent months Oracle has released Java 1.7U40, which includes whitelisting. This is nice because it works for browsers other than IE, but odds are that if you can get to 7U40 you have a good handle on patching anyway, so this is less of an issue (except for 0-day).

Java calls its implementation “Deployment Rule Sets” (DRS). DRS is just an XML configuration file listing the location or hash of a jar and the action to take. You can bypass some of the pop-ups (some, such as the unsigned-JAR warning, can’t be disabled), flat out block the jar, or run the default actions as you would if DRS wasn’t defined. The XML file is parsed sequentially, so place your allowed jars at the top of the file and a catch-all block rule at the bottom.

Deployment of the rule set is as simple as packing it in a signed jar file (signed by a trusted 3rd party) named DeploymentRuleSet.jar and deploying it to the endpoints to be controlled.
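The ordering advice above, as an added example (not from the segment or from Oracle's documentation): a small Python model of first-match evaluation over a constructed rule set, plus a lint check for a missing or misplaced catch-all block rule. The hosts, the simplified location matcher and the function names are assumptions; rules keyed only on a title or certificate hash are loaded but never match in this model.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
# Constructed rule set; hosts are placeholders, not taken from the segment.
RULESET_XML = """<ruleset version="1.0+">
  <rule><id location="https://intranet.example.internal" />
        <action permission="run" /></rule>
  <rule><id location="*.partner.example.com" />
        <action permission="default" /></rule>
  <rule><id />
        <action permission="block"><message>Applet not approved</message></action></rule>
</ruleset>"""

def load_rules(xml_text):
    """Return [(location_or_None, permission)] in file order; None = catch-all."""
    rules = []
    for rule in ET.fromstring(xml_text).findall("rule"):
        ident, action = rule.find("id"), rule.find("action")
        empty_id = not ident.attrib and len(ident) == 0  # <id /> matches everything
        location = None if empty_id else ident.get("location", "")
        rules.append((location, action.get("permission")))
    return rules

def location_matches(pattern, url):
    """Simplified matcher (assumption): optional scheme, exact host or *.suffix."""
    if pattern is None:
        return True
    target = urlsplit(url)
    scheme, _, host = pattern.rpartition("://")
    if scheme and scheme != target.scheme:
        return False
    host = host.split("/")[0]
    if host.startswith("*."):
        return (target.hostname or "").endswith(host[1:])
    return host != "" and (target.hostname or "") == host

def decide(rules, url):
    for pattern, permission in rules:  # first matching rule wins
        if location_matches(pattern, url):
            return permission
    return "default"  # assumption: no match falls back to normal Java handling

def lint(rules):
    """Report orderings that defeat the allow-first, block-last layout."""
    problems = []
    if not rules or rules[-1] != (None, "block"):
        problems.append("last rule is not a catch-all block")
    for i, (pattern, _) in enumerate(rules[:-1], start=1):
        if pattern is None:
            problems.append(f"rule {i} is a catch-all and shadows later rules")
    return problems
```

Running `lint(load_rules(...))` on a rule set before it is packaged catches the two ordering mistakes that matter here: a catch-all placed above the allow rules, and no catch-all block at the end.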

Java-based whitelisting is a very powerful feature, but it is limited. With MSFT-based whitelisting, users can individually whitelist Java for their own uses, but it is limited to IE. Java-based whitelisting, on the other hand, does stop end users from whitelisting; however, it is a larger effort to whitelist: you either have to manage many lists for individuals or groups of users, or you have to whitelist sites for everyone, package and re-push. Also, deploy EMET.

Sources:

Oracle docs on the setup.

Deployment Rule Sets (Full Doc)

Introducing Deployment Rule Sets

Push TrustedSites via GPO

Configure TrustedSites via GPO

Java Whitelisting from MSDN

Controlling Java in IE

Tech Segment Angelo & Leon from The Honeynet.org 2:15PM - 2:30PM

Honeynet.org

Biography:

Angelo:

Angelo Dell'Aera is currently employed as Information Security Officer at International Fund for Agricultural Development (IFAD), a specialized agency of the United Nations. He's currently Chief Executive Officer at Honeynet and leads the Sysenter Honeynet Project Chapter. His interests are mainly related to botnet tracking, honeyclient technologies and malware analysis. Angelo started working as an independent researcher in networking and security research in 1998 focusing his research both on attack and defense techniques mainly focusing on *NIX platforms. Meanwhile he worked as researcher in Politecnico of Bari until June 2004 where his main research argument was TCP congestion control algorithms. His research led to the design of the TCP Westwood+ algorithm and the implementation of its support in the official Linux kernel. He's the lead developer of the low-interaction honeyclient Thug.

Leon:

Leon works as a Senior Analyst for a government based CERT team in The Netherlands. He's been involved in infosec for more than 13 years. He likes to catch and analyse malware. He tries to be the Chief PR Officer and promote other people's work :) He's been working with various types of honeypots for years.


References:

Honeynet.org

facebook TheHoneynet Project


Contacts:

lvdeijk@gmail.com

angelo.dellaera@gmail.com

They can also be reached on twitter:

@ProjectHoneynet

@angelodellaera

@lvdeijk

BREAK 2:30PM - 2:45PM

Tech Segment with Intern Dale 2:45PM - 3:00PM

Special Guest Interview: Jayson Street 3:00PM-3:30PM



Biography:

Jayson E. Street is an author of “Dissecting the hack: The F0rb1dd3n Network” from Syngress. Also creator of dissectingthehack.com. He has also spoken at DEFCON, DerbyCon, UCON and at several other ‘CONs and colleges on a variety of Information Security subjects. His life story can be found on Google under “Jayson E. Street”. *He is a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time’s persons of the year for 2006. ;)


The best way to contact Jayson: @jaysonstreet

Special Guest Interview: Kevin Finisterre 3:30PM-4:00PM



Biography:


Kevin Finisterre is a Senior Research Consultant with Accuvant, has hacked everything from utilities providers to police cars and is keen on disseminating information relating to the identification and exploitation of software vulnerabilities on many platforms.

Veteran Panel 4:00PM-5:00PM

Guests


Nik Seetharaman:

Nik Seetharaman is a consultant for a government client in the DC area. He spent 11 years in the United States Air Force where he served in the intelligence and joint special operations communities.

Michael Farnum:

Michael Farnum has worked with computers since he got a Kaypro II and an Apple IIc during his middle school years. Michael served in the US Army, where he drove, loaded, and gunned on the mighty M1A1 Abrams main battle tank (which is where he got his "m1a1vet" handle).

Dave Kennedy:

Dave worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions. He also holds the World Record for most hugs given at a conference and is founder and principal security consultant of TrustedSec - An information security consulting firm located in Cleveland Ohio.

RazorEQX:

A CEH, OSCP certified Security professional with over 25 years’ experience and a proven leadership track record.

Experience in most aspects of Information Technology, in a wide range of industries and disciplines; specializing in in-depth Malware, intelligence collaboration the past 4 years.


Panel

Episode 350 is dedicated to Veterans, so we found it only fitting to have a panel with InfoSec individuals who are also Veterans. We want to discuss how serving in the military has helped these people in their careers.

Privacy 5:00PM - 6:00PM

Guests


Rob Graham:

Robert Graham is the co-founder and CTO of Errata Security, a firm specializing in cybersecurity consulting and product verification. Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS was written more than 10 years ago designed to catch Morris-worm copycats.

Dan Auerbach - EFF:

Dan is a Staff Technologist who is passionate about defending civil liberties and encouraging government transparency. Dan works on EFF's various technical projects and helps lawyers, activists, and the public understand important technologies that might threaten the privacy or security of users.

Corey Thuen:

Government Contractor uses Copyright fear

Panel