Monday, July 30, 2012

Wednesday, July 25, 2012

WinCC default password: a 7-year-long story

Siemens recently published an advisory about a vulnerability in WinCC: the default hardcoded MS SQL credentials ('WinCCConnect/2WSXcder', 'WinCCAdmin/2WSXcde.') that the Stuxnet worm used for infection. This vulnerability was fixed a long time ago, in SIMATIC WinCC V7.0 SP2 Update 1 (V 7.0.2.1). The current patch level for WinCC is V7.0 SP3 Update 2. Looks like this is a kind reminder.
JFYI, this vulnerability has been widely known for 7 years, since May 2005. It was first published on the Siemens forum and publicly disclosed in April 2008.
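As an added example (not from the original post and not Siemens' code), here is the check the point above implies for anyone who cannot patch today: whether anything is still logging into the WinCC database with those default accounts. It runs over constructed SQL Server login-audit lines; the client addresses and the list of hosts expected to use the accounts are hypothetical.

```javascript
// Added example, not code from the original post. It scans SQL Server login
// audit messages for use of the two WinCC default SQL accounts named above.
// The log lines are constructed for this example; their shape follows the
// "Login succeeded/failed for user '...' ... [CLIENT: x.x.x.x]" messages that
// SQL Server writes to its ERRORLOG and to the Windows Application log
// (event IDs 18454 and 18456) when login auditing is enabled.

// The default accounts from the advisory.
const WINCC_DEFAULT_ACCOUNTS = new Set(["WinCCConnect", "WinCCAdmin"]);

// Assumption: only these hosts (the WinCC server itself and one engineering
// station, hypothetical addresses) legitimately use those accounts.
const EXPECTED_CLIENTS = new Set(["10.10.1.5", "10.10.1.6"]);

// Constructed sample log. Line 2 is a login from an unknown host; lines 3-5 are
// repeated failures from that host; line 6 is an unrelated account; line 7 is
// not a login audit at all.
const SAMPLE_LOG = [
  "2012-07-25 10:14:03.12 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 10.10.1.5]",
  "2012-07-25 10:14:09.44 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 10.10.7.42]",
  "2012-07-25 10:15:01.01 Logon       Login failed for user 'WinCCAdmin'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.7.42]",
  "2012-07-25 10:15:02.37 Logon       Login failed for user 'WinCCAdmin'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.7.42]",
  "2012-07-25 10:15:03.90 Logon       Login failed for user 'WinCCAdmin'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.7.42]",
  "2012-07-25 10:16:00.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.1.5]",
  "2012-07-25 10:16:30.00 spid51      Starting up database 'CC_ExternalBrowsing'.",
];

// Parse one line into {ok, user, client}; null for lines that are not login audits.
function parseLoginAudit(line) {
  const m = line.match(/Login (succeeded|failed) for user '([^']+)'.*\[CLIENT: ([^\]\s]+)\]/);
  if (!m) return null;
  return { ok: m[1] === "succeeded", user: m[2], client: m[3] };
}

// Walk the log and return findings. Two rules:
//  - a successful login with a default account from a client that is not on
//    the expected list is high (the route Stuxnet took into WinCC databases);
//  - the third failed login with a default account from one client is medium
//    (password guessing, or something still trying the old default after it
//    was changed).
function analyse(lines, expectedClients = EXPECTED_CLIENTS) {
  const findings = [];
  const failures = new Map(); // client -> failed attempts against default accounts
  for (const line of lines) {
    const ev = parseLoginAudit(line);
    if (!ev || !WINCC_DEFAULT_ACCOUNTS.has(ev.user)) continue;
    if (ev.ok) {
      if (!expectedClients.has(ev.client)) {
        findings.push({ severity: "high", user: ev.user, client: ev.client,
          reason: "default WinCC SQL account used from an unexpected client" });
      }
    } else {
      const n = (failures.get(ev.client) || 0) + 1;
      failures.set(ev.client, n);
      if (n === 3) {
        findings.push({ severity: "medium", user: ev.user, client: ev.client,
          reason: "repeated failed logins with a default WinCC SQL account" });
      }
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(analyse(SAMPLE_LOG), null, 2));
}
```

Enable login auditing for both failed and successful logins on the WinCC SQL instance first; without it there are no 18454/18456 messages to read. A successful login from the expected hosts is normal (WinCC itself uses these accounts), which is why the rule keys on the client address rather than on the account alone.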

Link and screenshot, for the record: http://iadt.siemens.ru/forum/viewtopic.php?p=2974



So the correct credits for the advisory: Max Prilepsky & Cyber.

PS. Mikko, a perfect Cyrillic screenshot for your slides!

PPS. AC/DC? No way!

Tuesday, July 24, 2012

How to pwn a nuclear plant with Metasploit?

Mikko Hypponen wrote:

"...I received a series of emails from Iran. ... Atomic Energy Organization of Iran (AEOI)....

He wrote:

I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom.

According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down...I believe it was playing 'Thunderstruck' by AC/DC...
"

Looks like somebody knows our secret and can pwn a nuclear plant with Metasploit.

2 Mikko:

Mikko, we know you like Russian guys, but this is a totally different case. It's not our fault. Really.
Proof.

Q: AC/DC?
A: No way!

Sunday, July 8, 2012

XSS in HMI? So what?

Sometimes XSS (and other client-side bugs) are very useful! They can help to exploit server-side vulnerabilities. The operator's browser is a proxy into SCADAnet!
 

Question: Does anybody work with SCADA and the Internet using the same browser?
Correct answer: Yes!