Thursday, August 13, 2015

The Beginning of the Age of Digital Chaos

It is well known throughout the security research community that industry follows very bad practices. On mobile devices, 90% of applications are vulnerable to multiple attacks and scams. Large companies often develop very insecure software, with flaws that range from exposing user data to exposing credit card numbers, and desktop and server applications are exactly the same. We have been researching this for some time and have seen that there are other platforms that could be attacked. A typical case is the ATM, which runs Windows XP; we all know it is not the most secure operating system that has ever existed. We investigated the subject further and found that there is other, much more critical software that can expose things far more serious than user accounts, email or credit cards: embedded systems, cloud and RTOS.

We have observed that cloud, SCADA (Supervisory Control and Data Acquisition), RTOS (Real-Time Operating System) and embedded systems are deployed in critical systems whose failure could trigger a global catastrophe, and there are multiple methods that could be used to attack these systems.

I think these systems are full of security flaws that nobody has seen; not even the developers know they are there.

Speaking of bad practices, industry and governments use Windows as the operating system for critical systems. A typical example is the US government, which continues to use Windows for its work; I think it's really bad to have Windows in a security agency or military department.

On the other hand, there are some good practices in the military industry, which bases its systems on Linux platforms with DO-178B certification. Nuclear reactors, missile batteries, warplanes and other critical military equipment depend on this. That left me with a question, since I have seen some news about attacks on military equipment, critical systems, nuclear reactors and more: is this really safe, or are people afraid to do a deep analysis and find that it is just another operating system that can be attacked and breached?

I know that many people at the DoD and in other governments are going to hate me for this post. Perhaps it will bring me many problems and put me in the eye of the hurricane, but my task is to create secure things, improve software and expose software that is not secure. I have already received some messages about this, from a few former military personnel and civilians.

For a long time we have seen how cars, cell phones, PCs and servers get hacked, and I am 100% sure that this also applies to embedded systems, cloud, SCADA and RTOS.

What is an RTOS? It is basically a Linux that works in real time. Some versions are safer than others, some are designed never to crash and some are not, but basically it is a Linux that runs ELF (Executable and Linkable Format) binaries, and these binaries can be attacked either way.

We have initially been working on a project called #VectorAttackScanner, which will be the first product of our company, Vector Xtreme Technologies (VXT). It was initially centered on detecting vulnerabilities in mobile devices and in operating systems such as Windows and Linux. We started this project because everyone knows there are people who can defeat memory protections such as RELRO, PaX, ASLR, DEP, PIE, NX, SSP and stack canaries, among others. So we had a small idea: what if we created something that tells us where a system can be attacked and what should be improved so that it cannot be? That is what our tool does.
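To make the idea of reporting missing memory protections concrete, here is an added example (not VXT's tool or code from this post) that audits the headers of a little-endian ELF64 image for NX, PIE, RELRO and a stack-protector symbol. The names `audit_elf64` and `build_sample` are hypothetical, and the sample images are constructed inline.

```python
import struct
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, ET_EXEC, ET_DYN = 1, 2, 3
DT_BIND_NOW, NOW_BITS = 24, {30: 0x8, 0x6FFFFFFB: 0x1}  # DT_FLAGS: DF_BIND_NOW, DT_FLAGS_1: DF_1_NOW

def audit_elf64(data):
    """Return a list of missing or weak hardening features of an ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    phoff, = struct.unpack_from("<Q", data, 32)
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    nx = relro = bind_now = False
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, p_flags, p_offset = struct.unpack_from("<IIQ", data, base)
        p_filesz, = struct.unpack_from("<Q", data, base + 32)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)      # PF_X set means an executable stack
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:         # walk the 16-byte Elf64_Dyn entries
            for off in range(p_offset, p_offset + p_filesz - 15, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == 0:               # DT_NULL terminates the array
                    break
                bind_now |= tag == DT_BIND_NOW or bool(NOW_BITS.get(tag, 0) & val)
    findings = []
    if not nx:
        findings.append("NX: stack is executable or PT_GNU_STACK is missing")
    if e_type != ET_DYN:                   # shared libraries are ET_DYN as well
        findings.append("PIE: fixed load address, ASLR cannot move the image")
    if not relro:
        findings.append("RELRO: none, the GOT stays writable")
    elif not bind_now:
        findings.append("RELRO: partial, lazy binding keeps .got.plt writable")
    if b"__stack_chk_fail" not in data:    # heuristic: symbol name in a string table
        findings.append("SSP: no stack canary symbol found")
    return findings

def build_sample(e_type, phdrs, dyn=(), extra=b""):
    """Constructed minimal ELF64 image (headers only), for demonstration."""
    dyn_off = 64 + 56 * len(phdrs)
    dyn_blob = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    ph = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off, 0, 0, len(dyn_blob), 0, 8)
                  for t, f in phdrs)
    return hdr + ph + dyn_blob + extra
```

The checks read only headers and the dynamic section, so they describe how the binary was built, not whether the running kernel enforces ASLR or PaX.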

For all these reasons we have decided to expand our target to the analysis of SCADA, embedded systems, RTOS and cloud, to provide a tool for analyzing problems in critical systems. We do not want some crazy person to decide one of these days to blow up a pair of nuclear reactors or just trigger a third world war; we all know that in this world there are motherfuckers who get up every day looking forward to watching the world burn.

Only two things: what gets busted is software that is poorly developed, and everyone asserting that something is safe does not make it safe, even with all the certifications in the world.

By Jheto Xekri
