Slideshow

In a keynote on Thursday, Brad Arkin, Adobe’s Senior Director of Product Security and Privacy spoke on driving up the cost of exploits in products like Reader and Flash Player in an attempt to thwart would-be attackers. Fixing every security bug is often impossible, so instead of writing flawless code, Adobe and other vendors have begun actively seeking ways to make it hard on those trying to break their software.

At Kaspersky Lab’s Security Analyst Summit last week, over 100 researchers and law enforcement officials converged in Cancun, Mexico over the course of five days to network and discuss a veritable cornucopia of security topics. Topics such as privacy, SCADA and PLC security, tracking cybercriminals and the evolution of malware were discussed in depth. Flip through the following slides to see a collection of speaker highlights from SAS 2012.

In his presentation at S4, doctoral student Eireann Leverett presented his research showing how more than 10,000 Internet acccessible industrial control systems can be found online, including HVAC systems, building management systems, PLCs and other industrial systems. Here, Leverett shows a Google Map displaying the location of vulnerable ICS devices in North America.

The Project Basecamp presentation received a rousing response from the audience, many of whom are industrial control security experts who have long warned, quietly, about the woeful state of software security in the industry. But not everyone was enthused. Kevin Hemsley of ICS-CERT questioned Peterson about the decision to go public with the Project’s findings before notifying vendors. Here, Wightman presents his findings at S4.

The devices tested by the Basecamp Project included the D20 PLC by GE, The Modicon Quantum by Schneider Electric, Rockwell and Koyo Electronics. Each device was tested using a number of additional attack vectors. Researchers attempted to upload custom firmware or so-called “ladder logic” for the device, looked for back door accounts, weak authentication, undocumented features that could be exploited and fuzzed each device for vulnerable services. Here, a grid presents the results of the tests. A green check means the device passed the test.

The researchers working on Project Basecamp found significant security issues with programmable logic controller (PLC) they tested. Some PLCs were too brittle and insecure to even tolerate security scans and probing.

A presentation on Project Basecamp was a highlight of the conference. The talk presented the findings of a volunteer-led security audit of leading programmable logic controllers (PLCs). The audit found that decrepit hardware, buggy software and pitiful or nonexistent security features make thousands of PLCs vulnerable to trivial attacks by external hackers that could cause PLC devices to crash or run malicious code. Here Reid Wightman of the firm Digital Bond shows a closeup of the Modicon Quantum PLC displaying a “fail” signal after researchers succeeded in crashing the device.