BlackOps Q4 2014
What am I doing here?
Cadence BlackOps Goals:
• Provide an entertaining forum to discuss emerging threats and new security technology
• Facilitate access to others’ knowledge and discuss current, real-world issues
• Eat
• Win prizes
• Death by PowerPoint
Cadence BlackOps: Q4 2014
Who is this guy?
Erich Ficker (burnd0wn)
• Industrialist, philanthropist, bicyclist
• Cadence Pen Test Team Lead
• Interests: Taco Bell breakfast, hardware hacking, WiFi shenanigans, cars
• @eficker
• CISSP, GPEN, CEH
For Today
Software Vulnerabilities
• MS14-060 / CVE-2014-4114: Windows OLE Could Does Allow Remote Code Execution
• How
• Demo
• Defense
Hardware / Physical Security
• The death of the door badge
• What?!
• Demo
• Defense
QA / Open Floor Discussion
The new vulnerability discovery process
1. Fuzz application
2. Examine output for unexpected behavior
3. Vulnerability found! Validate with proof-of-concept code
The Age of VLogos
• Make up catchy nickname and of course LOGO!
• No vulns are real without this step
Targets
• Microsoft OLE
• Allows content pulled from outside sources (SMB share)
• No warnings or boxes to click through
Not Sand or a Worm
• Sandworm is actually a group, not a vulnerability
• Still somehow got a logo
• Still can dominate your organization
AKA MS14-060 / CVE-2014-4114
Proof of Concept Steps:
• Generate .ppsx file with python script
• Create a public SMB share with two files output by script
• Setup listener for connect-back
• Deliver .ppsx to target
• Profit!
AKA MS14-060 / CVE-2014-4114
DEMO
AKA MS14-060 / CVE-2014-4114
Howto: Defense
PATCH!
• MS released patch on 14 Oct
Egress filtering / monitoring
• This is hard
• It takes work
• Can be very effective
Anti-virus
• 0-day defense? NOPE!
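The egress-monitoring point above is the one that catches this class of bug even before the patch lands: an OLE object that references an outside SMB share makes the victim's workstation reach out on TCP 445 or 139 to an Internet host, which a workstation never has a legitimate reason to do. The script below is an added example, not code from the deck or from Cadence; it parses a constructed firewall log format (the field names and addresses are made up) and reports every SMB session from an RFC 1918 source to a non-RFC 1918 destination, whether the firewall allowed it or not.

```python
"""Flag outbound SMB sessions from inside the network to Internet hosts.

Added defensive example, not part of the BlackOps deck. The log format and the
addresses below are constructed for illustration and do not come from any real
firewall product.
"""
import ipaddress
import re
from typing import Dict, List

# SMB over TCP (445) and the NetBIOS session service (139). An OLE object that
# references an external \\host\share makes the victim's machine connect out on
# one of these ports, which is exactly what egress filtering should stop.
SMB_PORTS = {139, 445}

# What "inside" means for this example: the RFC 1918 ranges. Spelling them out
# (rather than using ipaddress.is_private) keeps documentation ranges such as
# 203.0.113.0/24 on the external side, where a real Internet host would be.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r"(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)"
)

# Constructed sample log: the second line is the one that should worry you.
SAMPLE_LOG = """\
2014-10-15 09:12:03 src=10.1.2.34 dst=10.1.0.5 dport=445 proto=tcp action=allow
2014-10-15 09:12:41 src=10.1.2.34 dst=203.0.113.7 dport=445 proto=tcp action=allow
2014-10-15 09:13:02 src=10.1.2.51 dst=198.51.100.9 dport=443 proto=tcp action=allow
2014-10-15 09:13:15 src=10.1.2.51 dst=198.51.100.9 dport=139 proto=tcp action=deny
"""


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its named fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def find_outbound_smb(log_text: str) -> List[Dict[str, str]]:
    """Return every record where an internal host talks SMB to an external host.

    Allowed hits are the gap in egress filtering; denied hits show the filter
    doing its job and are still worth an alert, because something on that
    client tried to reach an Internet share.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if int(rec["dport"]) not in SMB_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


def allowed_outbound_smb(log_text: str) -> List[Dict[str, str]]:
    """Only the sessions the firewall actually let through."""
    return [r for r in find_outbound_smb(log_text) if r["action"] == "allow"]


if __name__ == "__main__":
    for rec in find_outbound_smb(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']} ({rec['action']})")
```

Run against a real export you would adapt LOG_RE to the vendor's format and, ideally, treat the allowed hits as a to-do list for the egress rule set rather than as individual alerts: the goal is zero allowed lines, so that only the denied ones remain and each of those is a client worth a look.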
Physical Insecurity
Long-range RFID card badge thievery
• Utilizes standard hardware
• Exploits expected behavior
• Runs on batteries, very portable
• Trivial deployment to MiTM
• Grabs cards at up to 3 feet
Targets
• IT staff with data center / room access
• Anyone else
Parts List
• HID MaxiProx $120 Ebay
• Arduino $20
• PCB (optional) $30
• SD card breakout $15
• Display (optional) $20
• Various resistors, capacitors, voltage reg, batteries, etc.: $20
DEMO
Now we have the card, so what?
• Enter RFIDler
• $130 riftrecon.com
• Beta grade
• Will emulate / copy any 125–134 KHz
• A bit finicky, but gets it done
Howto: Defense
People
• Human security
• Expensive
• Fallible
CCTV
• Reactive only
• Can thwart attacks if actively monitored (see point 1)
2nd Factor
• Good addition
• Always a good idea
• [Sidenote – Google 2 factor]
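"Actively monitored" does not have to mean a guard watching a screen: the access-control system's own log can do part of that work. A cloned badge is a second copy of one card ID, so one signal worth checking is the same ID being read at two sites closer in time than a person could travel between them. The script below is an added example, not code from the deck or from any access-control vendor; the log format, site names, card numbers and travel times are constructed for illustration.

```python
"""Flag a badge ID that shows up at two sites faster than anyone could travel.

Added defensive example, not part of the BlackOps deck. The log format, site
names, card numbers and travel times are constructed for illustration; a real
access-control system will export something different.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Minimum plausible travel time between two sites (constructed values). A badge
# read at both ends of a pair faster than this means two copies of the card are
# in play, or the card was handed off; either way someone should look.
MIN_TRAVEL = {
    frozenset({"HQ", "DC-WEST"}): timedelta(minutes=40),
    frozenset({"HQ", "DC-EAST"}): timedelta(minutes=25),
    frozenset({"DC-WEST", "DC-EAST"}): timedelta(minutes=60),
}

# Constructed access-control log. Card 0471932 is badged into HQ at 08:05 and
# into a data-center cage 40 minutes away at 08:21.
SAMPLE_LOG = """\
2014-11-03T08:02:10 card=0471932 site=HQ door=LOBBY result=granted
2014-11-03T08:05:44 card=0471932 site=HQ door=3F-EAST result=granted
2014-11-03T08:21:09 card=0471932 site=DC-WEST door=CAGE-4 result=granted
2014-11-03T08:30:00 card=0558120 site=HQ door=LOBBY result=granted
2014-11-03T09:45:12 card=0558120 site=DC-EAST door=MDF result=granted
2014-11-03T12:10:33 card=0471932 site=DC-WEST door=CAGE-4 result=denied
"""


@dataclass
class Read:
    """One badge read, granted or denied (a denied read still shows presence)."""
    ts: datetime
    card: str
    site: str
    door: str
    result: str


def parse_log(text: str) -> List[Read]:
    """Parse the constructed 'timestamp key=value ...' format."""
    reads = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        reads.append(Read(ts=datetime.fromisoformat(ts_str), **kv))
    return reads


def impossible_travel(reads: List[Read]) -> List[Dict[str, object]]:
    """Return one alert per consecutive pair of reads that violates MIN_TRAVEL."""
    by_card: Dict[str, List[Read]] = {}
    for r in sorted(reads, key=lambda r: (r.card, r.ts)):
        by_card.setdefault(r.card, []).append(r)

    alerts = []
    for card, seq in by_card.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev.site == cur.site:
                continue
            pair = frozenset({prev.site, cur.site})
            if pair not in MIN_TRAVEL:
                continue  # no travel-time data for this pair: cannot judge
            gap = cur.ts - prev.ts
            if gap < MIN_TRAVEL[pair]:
                alerts.append({
                    "card": card,
                    "from": prev.site,
                    "to": cur.site,
                    "gap_minutes": round(gap.total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"card {a['card']}: {a['from']} -> {a['to']} in {a['gap_minutes']} min")
```

The check is deliberately conservative: it only fires when a travel time is known for the site pair, and it ignores repeated reads at one site, so a single cloned card used only at the door it was stolen for will not trip it. That is the caveat to keep in mind when reading the deck's "reactive only" point: log analysis narrows the window, but the second factor is what actually stops the cloned card at the door.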
Q&A
• General questions about topics in this presentation
• Other topics or questions for the group at large
• Next time: Q1 2015 – February-ish
• Topic suggestions, interested in presenting (let’s talk)
FREE STUFF!!
www.theCadenceGroup.com
http://www.linkedin.com/company/the-cadence-group
801.554.9881
Contact Us
Erich Ficker
@eficker