
Make Tea Not War


Roelof Temmingh, ZaCon 2009, http://www.zacon.org.za/Archives/2009/slides/


Page 1: Make Tea Not War
Page 2: Make Tea Not War

AGENDA

- Whoami blah
- Paterva blah blah

Always wanted to do a talk on fun stuff

1. It’s a security con?
   - blah
2. UAVs, laser guided munitions
   - The fun stuff
3. EXCLUSIVE – hold the press!!
   - (South African) Facebook zero day!

Page 3: Make Tea Not War

INTELLIGENCE / INFO GATHERING

- Why do you ‘hack’?
  - Information
  - Control…leads to information
- Controls are getting harder to break
  - In proper assessment, 80-90% of time is spent on intelligence gathering.
  - Intelligence gathering is also
    - A port scan
    - A Nessus scan…
    - ..because we learn more about our target

Page 4: Make Tea Not War

- Threats are moving up the stack
  - Network -> OS -> Application - - -> Person

YOU ARE PART OF THE STACK!

Understand the graph – volume and frequency

Page 5: Make Tea Not War

PEOPLE, SOCIAL ENGINEERING AND MALWARE

- Everyone is talking malware….
- Malware -> attacking the workstation
  - Server in a server room vs. workstation with a person behind it
  - For conventional malware traditional network mapping is worthless
- Focus in the past: find the server and perimeter (infrastructure foot print)
- Thinking needs to be updated
  - Now – person / company profiling -> the new foot print

Page 6: Make Tea Not War

HACKERS VS. CRIMINALS

- Commercializing vulnerabilities

Page 7: Make Tea Not War

MAKING ZA STRONGER

Don’t hack ... but if you really have to:

- Have good/right intentions -> !criminal
- Never ever use what you found
  - Don’t give SAP a reason to go look for you...
- Mail your findings so that they can learn/fix
  - ..not from your work - duh...
  - Development is NOT easy, and they are not idiots!
  - Treat with respect – ‘jy is volgende vettie!’
- Don’t disrupt / destroy / delete anything
  - (even if they gave you bad service)
- ‘Insider knowledge’ does not count...
  - You are just an ass
- Don’t share outside of SA
  - Sanitize and share the knowledge/tech – locally
- Don’t be a doos at international cons....

Slammer ‘secured’ more networks in a day than all the security consultants in a year
Change only happens at the point of extinction
Strongest piece of metal is at the breaking point
A chain is as strong as its weakest member

Page 8: Make Tea Not War

UAVS

- UAV == Unmanned aerial vehicle
- Think back to your model airplane
  - Let’s put a camera in there!
  - Let’s put a BB gun in there!
  - Let’s put a Hellfire missile in there!!
- Different sizes
- Fixed wing / rotary
- Electrical / Fuel powered
- Used to be for recon, now also armed

Page 9: Make Tea Not War

UAVS

Page 10: Make Tea Not War

UAVS

- Different altitudes
  - 60k feet / 18km++ (Zephyr)
  - 100 feet (hand launched)
  - 747 flies at around 32-40k feet
- Speed (max)
  - 747 flies at around 900 km/h
  - Predator MQ1 – 217 km/h
  - Avenger, Global Hawk 750 km/h
  - Prop vs. jet
- Flying time
  - Up to 82 hours ... Typical 30h ish

Page 11: Make Tea Not War

UAVS

- Initial idea 1980s, serious thought in 1990s
- Driving force behind it CIA
  - CIA pilots
- Most known / successful = General Atomics
- Predator - Series A
  - 1995
  - RQ / MQ
- Reaper - Series B
  - MQ9
  - 2002
- Avenger - Series C
  - Announced 2009

Page 12: Make Tea Not War

UAVS - PREDATOR

Page 13: Make Tea Not War

UAVS - REAPER

Page 14: Make Tea Not War

UAVS - AVENGER

Page 15: Make Tea Not War

UAVS – AVENGER SPECS

- Jet engine
- Speed – 740 km/h
- Fly time – 20h
- Altitude – 60k feet / 18km
- Stealth - internal weapons bay, shape, materials, exhaust
- RADAR / Optics / Targeting
- Payload – 1.3 tons of Hellfire / Paveway II / JDAM

Page 16: Make Tea Not War

UAVS – COMMAND & CONTROL

- Line of sight – C band (4 – 8 GHz)
- Satellite – Ku band (11 – 15 GHz)
  - Can be routed over commercial sats. NBC - 1983
- 3 crew members
  - Pilot
    - Flying - looking through a straw
  - 2 x sensor guys
    - Difference in two scans:
      - Tire tracks, movement

Page 17: Make Tea Not War

CAPTURING UAVS

- If communications dies it flies home
- Self destruct?

Page 18: Make Tea Not War

FOOTAGE

Page 19: Make Tea Not War

MATCHING WAR PORN TO GOOGLE EARTH

Page 20: Make Tea Not War

UAVS – PROBLEMS

- Not a lot – it seems to kind of work well..
- Ku band sucks in heavy weather
  - Pray for rain
- Lag of up to two seconds
  - Like playing CS/CoD over a link made of wet towels and barbed wire
  - No dog fights!
- Thus – send in the UAVs once air dominance has been established

Page 21: Make Tea Not War

SO, WE’RE PRETTY MUCH ...

Page 22: Make Tea Not War

LET’S JUST HIDE

- Optics, infra red, RADAR
  - Conceal, underground
  - Rapid change in environment?
  - The Chinese vs. American spy sat story
  - Uhmm...next...
- Weapons
  - Bombs, missiles
    - LASER guided

So...it becomes a game of defending against laser guided munitions

Page 23: Make Tea Not War

HOW LASER GUIDED MUNITIONS WORK

- Understand a little about light
  - Light storage system == FAIL
- Terminology
  - Seeker = the bomb/missile
  - Designator = guy / plane with the laser
  - ‘Painting’ the target
  - Invisible laser == you won’t see it..
- Bomb vs. missile
  - 28km,60km (spice) radius

Page 24: Make Tea Not War

PAINTING THE TARGET

Page 25: Make Tea Not War

LASER ON!

Page 26: Make Tea Not War

ENCODING

- But - there could be multiple targets and multiple munitions
- Seeker needs to know where it should go
- Thus – must be able to distinguish designators
- This is done by pulsing the laser
  - Fast
  - Very fast
  - You won’t see it’s pulsing ... either.
- Encoding
  - PIM – Pulse Interval Module
  - PRF – Pulse Repetition Frequency

Page 27: Make Tea Not War

PIM

Page 28: Make Tea Not War

PRF / PIM

- Missiles are pre-programmed, or programmed on the fly.
- PRF code is 3 digits.
  - Does this make sense?
  - Everyone should now be thinking...brute force
  - But just hang on..
- Testing it:

Page 29: Make Tea Not War

BTW - HOW DOES IT GET TO THE MUNITIONS?

- Open protocol – on the ‘net
  - MIL-STD-3014 - MiDEF == PDF for munitions
  - In flight coding was introduced in 2008

Page 30: Make Tea Not War

DUDE, ERRR...NO.. VERY UN-COOL, DON’T PRESS THAT ...

Page 31: Make Tea Not War

AND THE OTHER SIDE OF THE EQUATION

Page 32: Make Tea Not War

DETECTION

- See the light!
- We can detect the designator’s laser light
  - We know we are being targeted (like in the movies)...and run
- We can decode the PIM/PRF
  - We might know if we are a priority target – nice...
  - Page 45 -6b: “Lower code numbers and faster pulse rates are appropriate for the most important targets and the most difficult operating conditions.”

Page 33: Make Tea Not War

DETECTION

Laser warning sensor configured as a multi-sensor arrangement and interfaced with a suitable smoke/aerosol screening system can be used effectively on platforms like main battle tanks, AFV, etc., to provide platform protection from laser-guided munitions. The development of this sensor is a totally indigenous effort, both in design and implementation.

Page 34: Make Tea Not War

DETECTION

- Can we determine the direction of the designator?
  - Know where the special ops guy is sitting / plane
  - Source or reflected light?
- We might look at the divergence ??
  - Shape of the reflected light
  - Know how far away the special ops guy is / plane

Page 35: Make Tea Not War

REPLAY

- Sniff the light!
- Replay attack should work well...
  - You don’t even have to know what the designator says
  - Does it make sense to have a 256 number code?
  - Why are PRF codes 393,424,515 and so on more popular?
  - Americans are always thinking big (1000 missiles at a time)
- Bomb does not speak .. One way comms
- So now it’s becoming interesting..

Page 36: Make Tea Not War

“WTF – DID IT JUST TURN THIS WAY?!”

- .. replay the laser pulses ...
  - ..and point it somewhere else...like..
  - ...at the designator (see previous slides)
- Will this work when the designator is a plane? NOT
  - “Page 46, Chapter 5 – Safety: c. Inversion. Caution must be used when the laser-target line is over +30 degrees of the attack heading to ensure the LST or LGB does not detect and guide on the laser designator instead of the target’s reflected laser energy.”
- Oops..

Page 37: Make Tea Not War

JDAMS

- Guidance retrofitted to dumb bombs
  - GPS
  - TV (with RF link)
  - Inertial navigation system
- Range up to 60km from drop, up to 12 control surfaces
- Cheap – 21k USD compared to missiles at around 75k USD

Page 38: Make Tea Not War

WHY DO YOU HAVE THESE SLIDES AT THE CON ACTUALLY? AG, NO MAN REALLY...

- On a more serious note...
- Same principles in attack (thinking) apply
  - It’s really just 1s and 0s
- Don’t think it’s too complex!
  - If you ask the right questions, you can Google the answers
  - (Patents, specs, etc.)
- Significantly complex tech is indistinguishable from magic.
- Development of UAVs in non US countries is a big headache for the US...

Page 39: Make Tea Not War

QUESTIONS?

Page 40: Make Tea Not War

FACEBOOK 0 DAY, BROUGHT TO YOU BY...

Page 41: Make Tea Not War

...VODACOM

Page 42: Make Tea Not War

WE USE THE MAGIC EMAIL ADDRESS...

Page 43: Make Tea Not War

..AND AWAY IT GOES!