blackops - the cadence group · cadence blackops goals: •provide an entertaining forum to discuss...

Post on 06-Jul-2020

BlackOps Q4 2014

What am I doing here?

Cadence BlackOps Goals:

• Provide an entertaining forum to discuss emerging threats and new security technology

• Facilitate access to others’ knowledge and discuss current, real-world issues

• Eat

• Win prizes

• Death by PowerPoint

Cadence BlackOps: Q4 2014

Who is this guy?

Erich Ficker (burnd0wn)

• Industrialist, philanthropist, bicyclist

• Cadence Pen Test Team Lead

• Interests: Taco Bell breakfast, hardware hacking, WiFi shenanigans, cars

• @eficker

erich@theCadenceGroup.com

• CISSP, GPEN, CEH

For Today

Software Vulnerabilities

• MS14-060 / CVE-2014-4114: Windows OLE Could Does Allow Remote Code Execution

• How

• Demo

• Defense

Hardware / Physical Security

• The death of the door badge

• What?!

• Demo

• Defense

QA / Open Floor Discussion

The new vulnerability discovery process

Fuzz application

Examine output for unexpected behavior

Vulnerability Found!

Validate with Proof-of-concept code

The Age of VLogos

Make up catchy nickname and of course LOGO!

No vulns are real without this step

Targets

• Microsoft OLE

• Allows content pulled from outside sources (SMB share)

• No warnings or boxes to click through

Not Sand or a Worm

• Sandworm is actually a group, not a vulnerability

• Still somehow got a logo

• Still can dominate your organization

AKA MS14-060 / CVE-2014-4114

Proof of Concept Steps:

• Generate .ppsx file with python script

• Create a public SMB share with two files output by script

• Set up listener for connect-back

• Deliver .ppsx to target

• Profit!

AKA MS14-060 / CVE-2014-4114

DEMO

AKA MS14-060 / CVE-2014-4114

Howto: Defense

PATCH!

• MS released patch on 14 Oct

0-day defense

• Egress filtering / monitoring

• This is hard

• It takes work

• Can be very effective

Anti-virus

• NOPE!
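
Egress monitoring for the behavior this deck describes (OLE content pulled from an outside SMB share) can start by flagging internal hosts that reach TCP 139/445 outside the network. The following is an added example, not part of the original slides; the key=value log format, the sample lines and the use of the RFC 1918 blocks as "internal" are assumptions.

```python
import ipaddress

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP
# Assumption: the organization's internal ranges are the RFC 1918 blocks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2014-10-20T09:14:02 action=allow proto=tcp src=10.1.4.23 dst=10.1.0.5 dport=445
2014-10-20T09:14:07 action=allow proto=tcp src=10.1.4.23 dst=203.0.113.50 dport=445
2014-10-20T09:15:11 action=allow proto=tcp src=10.1.7.88 dst=198.51.100.9 dport=443
2014-10-20T09:16:40 action=deny proto=tcp src=10.1.9.12 dst=203.0.113.50 dport=139
this line is malformed and should be skipped
"""

def is_internal(addr):
    """True if addr falls inside one of INTERNAL_NETS (ValueError if not an IP)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return a dict of key=value fields, or None if required fields are missing."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"action", "src", "dst", "dport"} <= fields.keys():
        return None
    return fields

def outbound_smb(log_text):
    """Return (src, dst, dport, action) for internal hosts reaching SMB outside."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            port = int(rec["dport"])
            crosses = is_internal(rec["src"]) and not is_internal(rec["dst"])
        except ValueError:
            continue  # unparsable port or address
        if port in SMB_PORTS and crosses:
            hits.append((rec["src"], rec["dst"], port, rec["action"]))
    return hits

if __name__ == "__main__":
    for src, dst, port, action in outbound_smb(SAMPLE_LOG):
        # "allow" means the egress filter let it out; "deny" is still worth triage.
        print(f"{action.upper():5} {src} -> {dst}:{port}")
```

Allowed hits show a gap in egress filtering; denied hits show the filter working and still identify a host worth examining.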

Physical Insecurity

Long-range RFID card badge thievery

• Utilizes standard hardware

• Exploits expected behavior

• Runs on batteries, very portable

• Trivial deployment to MiTM

• Grabs cards at up to 3 feet

Targets

• IT staff with data center / room access

• Anyone else

Parts List

• HID MaxiProx $120 eBay

• Arduino $20

• PCB (optional) $30

• SD card breakout $15

• Display (optional) $20

• Various resistors, capacitors, voltage reg, batteries, etc.: $20

DEMO

Now we have the card, so what?

• Enter RFIDler

• $130 riftrecon.com

• Beta grade

• Will emulate / copy any 125-134 kHz

• A bit finicky, but gets it done

Howto: Defense

People

• Human Security

• Expensive

• Fallible

CCTV

• Reactive only

• Can thwart attacks if actively monitored (see point 1)

2nd Factor

• Good addition

• Always a good idea

• [Sidenote – Google 2 factor]

Q&A

• General questions about topics in this presentation

• Other topics or questions for the group at large

• Next time: Q1 2015 – February-ish

• Topic suggestions, interested in presenting (let’s talk)

FREE STUFF!!

www.theCadenceGroup.com

http://www.linkedin.com/company/the-cadence-group

801.554.9881

erich@theCadenceGroup.com

Contact Us

Erich Ficker

erich@theCadenceGroup.com

@eficker
