Bryan Brake - CISSP | Information Security | Vuln Management

Brakeing Down Security Podcast

Brakeing Down Security Podcast

Description

A podcast all about the world of Security, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.

Categories

Technology

Episodes

2019-001: OWASP IoT Top 10 discussion with Aaron Guzman

Jan 14, 2019 36:54

Description:

Aaron Guzman: @scriptingxss

https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive

https://www.owasp.org/index.php/IoT_Attack_Surface_Areas

https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html

OWASP SLACK: https://owasp.slack.com/

https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg

Team of 10 or so… list of “do’s and don’ts”

Sub-projects? Embedded systems, car hacking

Embedded applications best practices? *potential show*

Standards: https://xkcd.com/927/

CCPA:  https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act

California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327

How did you decide on the initial criteria?

Weak, Guessable, or Hardcoded passwords Insecure Network Services Insecure Ecosystem interfaces Lack of Secure Update mechanism Use of insecure or outdated components Insufficient Privacy Mechanisms Insecure data transfer and storage Lack of device management Insecure default settings Lack of physical hardening

2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)

2014 list:

I1 Insecure Web Interface I2 Insufficient Authentication/Authorization I3 Insecure Network Services I4 Lack of Transport Encryption I5 Privacy Concerns I6 Insecure Cloud Interface I7 Insecure Mobile Interface I8 Insufficient Security Configurability I9 Insecure Software/Firmware I10 Poor Physical Security

BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3

OWASP SLACK: https://owasp.slack.com/

What didn’t make the list? How do we get Devs onboard with these?

How does someone interested get involved with OWASP Iot working group?

https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf

https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf

https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf

 

https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices

 

https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf

2018-045: end of the year podcast!

Dec 27, 2018 01:11:26

Description:

Join the combined forces of:

Jerry Bell (@maliciousLink) from Defensive Security Podcast! (https://defensivesecurity.org/)

Bill Gardner from the "RebootIt! podcast"

https://itunes.apple.com/us/podcast/reboot-it/id1256466198?mt=2

 

Ms. Berlin and Bryan Brake for the end of the year podcast!

BrakeSec Podcast = www.brakeingsecurity.com

RSS: https://www.brakeingsecurity.com/rss

2018-044: Mike Samuels discusses NodeJS hardening initiatives

Dec 18, 2018 56:11

Description:

Mike Samuels

https://twitter.com/mvsamuel


https://github.com/mikesamuel/attack-review-testbed

https://nodejs-security-wg.slack.com/



Hardening NodeJS

 

Speaking engagement talks:

A Node.js Security Roadmap at JSConf.eu - https://www.youtube.com/watch?v=1Gun2lRb5Gw

Improving Security by Improving the Framework @ Node Summit - https://vimeo.com/287516009

Achieving Secure Software through Redesign at Nordic.js - https://www.facebook.com/nordicjs/videos/232944327398936/?t=1781



What is a package: (holy hell, why is this so complicated?)

   

A package is any of:

a) a folder containing a program described by a package.json file b) a gzipped tarball containing (a) c) a url that resolves to (b) d) a @ that is published on the registry with © e) a @ that points to (d) f) a that has a latest tag satisfying (e) g) a git url that, when cloned, results in (a).


https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4

 

https://blog.risingstack.com/node-js-security-checklist/

 

https://www.npmjs.com/package/trusted-types

https://github.com/WICG/trusted-types/issues/31

2018-043-Adam-Baldwin, npmjs Director of Security, event stream post mortem, and making your package system more secure

Dec 11, 2018 01:11:15

Description:

Adam Baldwin (@adam_baldwin)

Director of Security, npm

 

https://foundation.nodejs.org/

https://spring.io/understanding/javascript-package-managers

 

Role in the NodeJS project

    Advisory? Active role? Maintain security modules?

    Are there any requirements to being a dev?

    Are there different roles in the NodeJS environment?

    Is there any review of system sensitive packages? (or has that ship sailed…)

 

Discussion of timeline from NodeJS security team

    When were you notified? (or were you notified at all?)

    What steps were taken to fix the issue?

    Lessons learned?

 

Official npm security policy: https://www.npmjs.com/policies/security (good stuff!)

 

Event-stream (initial bug report):   https://github.com/dominictarr/event-stream/issues/116

 

Only affected bitcoin Wallets from ‘Copay’

                    https://nakedsecurity.sophos.com/2018/11/28/javascript-library-used-for-sneak-attack-on-copay-bitcoin-wallet/

“Cue relief, mixed with frustration, for anyone not targeted. Developer Chris Northwood wrote :

We’ve wiped our brows as we’ve got away with it, we didn’t have malicious code running on our dev machines, our CI servers, or in prod. This time.” (

 

https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4

“The damage this could have caused is incredible to think about. The projects that depend on this aren’t trivial either, Microsoft’s original Azure CLI depends on event-stream! Think of the systems that either develop that tool or run that tool. Each one of those potentially had this malicious code installed.”

 

https://thehackernews.com/2018/11/nodejs-event-stream-module.html

“The malicious code detected earlier this week was added to Event-Stream version 3.3.6, published on September 9 via NPM repository, and had since been downloaded by nearly 8 million application programmers.”

 

https://www.analyticsvidhya.com/blog/2018/07/using-power-deep-learning-cyber-security/

 

Hacker News (with comments): https://news.ycombinator.com/item?id=18534392

 

Official npm blog post: https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

https://blog.npmjs.org/post/175824896885/incident-report-npm-inc-operations-incident-of

https://resources.whitesourcesoftware.com/blog-whitesource/top-5-open-source-security-vulnerabilities-november-2018

 

2017 package/user stats: https://www.linux.com/news/event/Nodejs/2016/state-union-npm

 

According to npmjs.org: over 800,000 packages (854,000 packages, 7 million+ individual versions)

 

Dependency hell in NodeJS:

https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/

    “Roughly 76% of Node shops use vulnerable packages, some of which are extremely severe; and open source projects regularly grow stale, neglecting to fix security flaws.”

 

History of NodeJS security issues:

 

ESLINT: https://nodesource.com/blog/a-high-level-post-mortem-of-the-eslint-scope-security-incident/

Left-pad: https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

 

How to ensure this type of issue doesn’t happen again? (or is that possible, considering the ecosystem?)

What can devs, blueteams, or companies that live and die by NodeJS do to increase security, or assist in making NPM Security team’s job easier?

 

What the responsibility is of consumers of open source?

 

What can be done to ensure vetting for ‘important’ packages?

Can someone manage turnover? (or is that ship sailed?)

 

Security scanners:

https://geekflare.com/nodejs-security-scanner/

https://techbeacon.com/13-tools-checking-security-risk-open-source-dependencies-0

 

Threat assessment or ‘what could go wrong in the future’?

    Bad code

    “Trust issues”

    Repo corruption

    Hijacking packages

   

Keep up to date on NodeJS security issues:

https://nodejs.org/en/security/

https://groups.google.com/forum/#!forum/nodejs-sec

 

^ this is great for node, but if you want to stay up to date with security advisories in the ecosystem?

npmjs.com/advisories or @npmjs on twitter


https://rubysec.com/ -Ruby security group

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-042-Election security processes in the state of Ohio

Dec 3, 2018 01:24:50

Description:

Where in the world is Ms. Amanda Berlin?

    Keynoting hackerconWV

 

Election Security

 

Cuyahoga County:

 

Intro: Jeremy Mio (@cyborg00101

Name?

Why are you here?

 

Discussing Ohio does election operations.

    Walk through the process

Pre-Elections

Elections Night

Post Elections

 

All about the C.I.A.

Votes must be confidential

Votes must not be compromised (integrity)

Voting should be available and without outage

 

Did a tabletop exercise with all counties in Ohio (impressive!)

    Gamified, using role-reversal

    Points based system

    Different technology has different point values

 

Physical security/chain of custody

Retention

 

EI-ISAC - election infra ISAC

https://www.cisecurity.org/services/albert/ - Albert system

https://www.cisecurity.org/best-practices-part-1/ - election security best practices

 

How does the Ohio election process stack up against other states?

 

Media Perception in Elections Hacking and threats

11 year olds ‘hacking election’

    Yes, good for a new article title

    Goes to show how easy it is to actually hack systems

        Train someone on SQLI, pwn the things

 

Elections Security Operations and Preparation

Technology types

    Ballot

    Booths

    Mail-in ballots

 

Securing election infra

    What can be done to make it more secure?

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-041: part 2 of Kubernetes security insights w/ ian Coldwater

Nov 26, 2018 44:57

Description:

@IanColdwater  https://www.redteamsecure.com/ *new gig*

 

So many different moving parts

Plugins

Code

Hardware

 

She’s working on speaking schedule for 2019

 

How would I use these at home?

    https://kubernetes.io/docs/setup/minikube/

 

Kubernetes - up and running

    https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677

 

General wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes

 

https://twitter.com/alicegoldfuss - Alice Goldfuss

 

Derbycon Talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater

 

Tesla mis-configured Kubes env:

 

From the talk: https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/

 

Redlock report mentioned in Ars article:  https://redlock.io/blog/cryptojacking-tesla

 

Setup your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)

 

Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/

 

https://github.com/aquasecurity/kube-hunter -


Threat Model
    What R U protecting?

    Who R U protecting from?

    What R your Adversary’s capabilities?

    What R your capabilities?

 

Defenders think in Lists

Attackers think in Graphs

 

What are some of the visible ports used in K8S?

    44134/tcp - Helmtiller, weave, calico

    10250/tcp - kubelet (kublet exploit)

        No authN, completely open

    10255/tcp - kublet port (read-only)

    4194/tcp - cAdvisor

    2379/tcp - etcd

        Etcd holds all the configs

        Config storage

 

Engineering workflow:

    Ephemeral -  

 

CVE for K8S subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/

 

Final points:

    Advice securing K8S is standard security advice

    Use Defense in Depth, and least Privilege

    Be aware of your attack surface

    Keep your threat model in mind

 

David Cybuck (questions from Slack channel)

 

My questions are: 1. Talk telemetry?  What is the best first step for having my containers or kubernetes report information?  (my overlords want metrics dashboards which lead to useful metrics).

 

How do you threat model your containers?  Has she ever or how would she begin to run a table-top exercise, a cross between a threat model and a disaster recovery walk through, for the container infrastructure?

 

Mitre Att&ck framework, there is a spin off for mobile.  Do we need one for Kube, swarm, or DC/OS?

2018-040- Jarrod Frates discusses pentest processes

Nov 19, 2018 01:21:18

Description:

Jarrod Frates

Inguardians

@jarrodfrates

“Skittering Through Networks”

Ms. Berlin in Germany - How’d it go?

   

TinkerSec’s story:  https://threadreaderapp.com/thread/1063423110513418240.html

 

Takeaways

Blue Team:

- Least Privilege Model

- Least Access Model

    “limited remote access to only a small number of IT personnel”

“This user didn't need Citrix, so her Citrix linked to NOTHING”

“They limited access EVEN TO LOCAL ADMINS!”

- Multi-Factor Authentication

- Simple Anomaly Rule Fires

    “Finance doesn’t use Powershell”

- Defense in Depth

    “moving from passwords to pass phrases…”

“Improper disposal of information assets”

 

Red Team:

- Keep Trying

- Never Assume

- Bring In Help

- Luck Favors the Prepared

- Adapt and Overcome



Before the Test

Talk it over with stakeholders: Reasons, goals, schedules Report is the product: Get samples Who, what, when, where, why, how Talk to testers (and clients, if you can find them) Ask questions Look for past defensive experience and understanding of your needs Bonus points if they interview you as a client Red flags: Pwning is all they talk about, they set no-crash guarantees, send info in the clear Define the scope: Test type(s), inclusions, exclusions, permissions, accounts Test in ‘test/dev’, NOT PROD Social Engineering: DO THIS. Yes, you’re vulnerable. DO IT ANYWAY.

 

During the Test

Comms: Keep in contact with the testers Status reports (if the engagement is long enough) Have an established method for escalation Have an open communication style --brbr (WeBrBrs) Ask questions, but let the testers do their jobs Be available and ready to address critical events Keep critical stakeholders informed Watch your network: things break, someone else may be getting in, capture packets(?)

 

After the Test

Getting Results: Report delivered securely Initial summary: How far did they get? Actual report Written for multiple levels No obvious copy/paste Read, understand, provide feedback, and get revised version Next steps: Don’t blame anyone unnecessarily Start planning with stakeholders on fixes Contact vendors, educate staff Reacting to report Sabotaging your test Future testing

 

Ms. Berlin’s Legit business - Mental Health Hackers

 

CFP for Bsides Seattle (Deadline: 26 November 2018) http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019

 

CFP for BsidesNash https://twitter.com/bsidesnash/status/1063084215749787649 Closes Dec 31

 

Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March

 

 

heck out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-039-Ian Coldwater, kubernetes, container security

Nov 12, 2018 50:16

Description:

Ian Coldwater-

@IanColdwater  https://www.redteamsecure.com/ *new gig*

 

So many different moving parts

Plugins

Code

Hardware

She’s working on speaking schedule for 2019

How would I use these at home?

    https://kubernetes.io/docs/setup/minikube/

 

Kubernetes - up and running

    https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677

 

General wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes

 

https://twitter.com/alicegoldfuss - Alice Goldfuss

 

Derbycon Talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater

 

Tesla mis-configured Kubes env:

 

From the talk: https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/

 

Redlock report mentioned in Ars article:  https://redlock.io/blog/cryptojacking-tesla

 

Setup your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)

 

Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/

 

https://github.com/aquasecurity/kube-hunter -

 

Threat Model
    What R U protecting?

    Who R U protecting from?

    What R your Adversary’s capabilities?

    What R your capabilities?

 

Defenders think in Lists

Attackers think in Graphs

 

What are some of the visible ports used in K8S?

    44134/tcp - Helmtiller, weave, calico

    10250/tcp - kubelet (kublet exploit)

        No authN, completely open

    10255/tcp - kublet port (read-only)

    4194/tcp - cAdvisor

    2379/tcp - etcd

        Etcd holds all the configs

        Config storage

 

Engineering workflow:

    Ephemeral -  

 

CVE for K8S subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/

 

Final points:

    Advice securing K8S is standard security advice

    Use Defense in Depth, and least Privilege

    Be aware of your attack surface

    Keep your threat model in mind

 

David Cybuck (questions from Slack channel)

 

My questions are: 1. Talk telemetry?  What is the best first step for having my containers or kubernetes report information?  (my overlords want metrics dashboards which lead to useful metrics).

 

How do you threat model your containers?  Has she ever or how would she begin to run a table-top exercise, a cross between a threat model and a disaster recovery walk through, for the container infrastructure?

 

Mitre Att&ck framework, there is a spin off for mobile.  Do we need one for Kube, swarm, or DC/OS?

 

heck out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-038-InfosecSherpa, security culture,

Nov 5, 2018 59:12

Description:

@InfoSecSherpa

 

I have two talks coming up:

Empathy as a Service to Create a Culture of Security at the Cofense Submerge conference Deep Dive into Social Media as an OSINT Tool at the H-ISAC Fall Summit (Health Information Sharing and Analysis Center)

 

 

 

*Shameless Plug* My Nuzzel newsletters
https://nuzzel.com/InfoSecSherpa

https://nuzzel.com/InfoSecSherpa/cybersecurity-africa


News stories -



Biglaw Firm Hit With Cybersecurity Incident Earlier This Month (Published: 29 October 2018 | Source: Above the Law)

 

https://www.cio.com/article/3212829/cyber-attacks-espionage/hackers-are-aggressively-targeting-law-firms-data.html


Porn-Watching Employee Infected Government Networks With Russian Malware, IG Says (Published: 25 October 2018 | Source: Next Gov)

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-037-iWatch save man's life, Alexa detects your mood, and post-derby discussion

Oct 22, 2018 44:31

Description:

Health & Tech?

https://arstechnica.com/gadgets/2018/10/amazon-patents-alexa-tech-to-tell-if-youre-sick-depressed-and-sell-you-meds/

 

https://hackaday.io/project/151388-minder (774 results for “health” on hackaday)

 

(def don’t need to talk about, but still funny AF) https://hackaday.io/project/11407-myflow

 

https://9to5mac.com/2017/12/15/apple-watch-saves-life-managing-heart-attack/

 

https://www.adheretech.com/

Privacy implications?

Microsoft healthcare initiative - https://enterprise.microsoft.com/en-us/industries/health/

Apple health - https://www.apple.com/ios/health/ - https://www.apple.com/researchkit/

https://www.papercall.io/dachfest18

Make plans for next year! Follow @derbycon on Twitter!

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-036-Derbycon 2018 Audio with Cheryl Biswas and Tomasz Tula

Oct 15, 2018 39:57

Description:

Derbycon is probably one of the best infosec conferences of the calendar year. The podcast always has so much fun meeting listeners, meeting new people, and getting some audio to share with folks who can't be there.

This year, we still got some audio, and it's great. We talked with Cheryl Biswas (@3ncr1pt3d) with her talks at #Derbycon and her work with the #dianaInitiative Check out her talks at the links on @irongeek's website...

Cheryl's Track talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-1-05-draw-a-bigger-circle-infosec-evolves-cheryl-biswas

Cheryl's Stable talk: http://www.irongeek.com/i.php?page=videos/derbycon8/stable-29-patching-show-me-where-it-hurts-cheryl-biswas

I saw Tomasz near the @log-md booth, it was his first Derbycon, and I was interested in hearing what he had to say about hypervisor introspection...

Tomasz Tuzel: http://www.irongeek.com/i.php?page=videos/derbycon8/track-4-18-who-watches-the-watcher-detecting-hypervisor-introspection-from-unprivileged-guests-tomasz-tuzel

Make plans for next year! Follow @derbycon on Twitter!

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-035-software bloat is forever; malicious file extensions; WMIC abuses

Oct 1, 2018 52:43

Description:

Pizza Party Link -

https://www.eventbrite.com/e/brakesec-derbycon-pizza-meetup-tickets-50719385046

 

News stories-

 

Software/library bloat

 

http://tonsky.me/blog/disenchantment/

 

https://hackernoon.com/how-it-feels-to-learn-javascript-in-2016-d3a717dd577f

 

https://gbhackers.com/hackers-abusing-windows-management-interface-command-tool-to-deliver-malware-that-steal-email-account-passwords/

    https://hackerhurricane.blogspot.com/2016/09/avoiding-ransomware-with-built-in-basic.html

 

https://www.zdnet.com/article/windows-utility-used-by-malware-in-new-information-theft-campaigns/

 

https://attack.mitre.org/wiki/Technique/T1170  - HTA file malware examples

 

https://nakedsecurity.sophos.com/2018/09/26/finally-a-fix-for-the-encrypted-webs-achilles-heel/

 

https://www.bbc.com/news/technology-45686890 -

(facebook account hack)

 

https://github.com/eset/malware-ioc/blob/master/sednit/lojax.adoc  IOC’s from various malware

 

UEFI rootkit - https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/


Block These Extensions:

 

File Extension    File Type

.adp Access Project (Microsoft)

.app Executable Application

.asp Active Server Page

.bas BASIC Source Code

.bat Batch Processing

.cer Internet Security Certificate File

.chm Compiled HTML Help

.cmd DOS CP/M Command File, Command File for Windows NT

.cnt Help file index

.com Command

.cpl Windows Control Panel Extension(Microsoft)

.crt Certificate File

.csh csh Script

.der DER Encoded X509 Certificate File

.exe Executable File

.fxp FoxPro Compiled Source (Microsoft)

.gadget Windows Vista gadget

.hlp Windows Help File

.hpj Project file used to create Windows Help File

.hta Hypertext Application

.inf Information or Setup File

.ins IIS Internet Communications Settings (Microsoft)

.isp IIS Internet Service Provider Settings (Microsoft)

.its Internet Document Set, Internet Translation

.js JavaScript Source Code

.jse JScript Encoded Script File

.ksh UNIX Shell Script

.lnk Windows Shortcut File

.mad Access Module Shortcut (Microsoft)

.maf Access (Microsoft)

.mag Access Diagram Shortcut (Microsoft)

.mam Access Macro Shortcut (Microsoft)

.maq Access Query Shortcut (Microsoft)

.mar Access Report Shortcut (Microsoft)

.mas Access Stored Procedures (Microsoft)

.mat Access Table Shortcut (Microsoft)

.mau Media Attachment Unit

.mav Access View Shortcut (Microsoft)

.maw Access Data Access Page (Microsoft)

.mda Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)

.mdb Access Application (Microsoft), MDB Access Database (Microsoft)

.mde Access MDE Database File (Microsoft)

.mdt Access Add-in Data (Microsoft)

.mdw Access Workgroup Information (Microsoft)

.mdz Access Wizard Template (Microsoft)

.msc Microsoft Management Console Snap-in Control File (Microsoft)

.msh Microsoft Shell

.msh1 Microsoft Shell

.msh2 Microsoft Shell

.mshxml Microsoft Shell

.msh1xml Microsoft Shell

.msh2xml Microsoft Shell

.msi Windows Installer File (Microsoft)

.msp Windows Installer Update

.mst Windows SDK Setup Transform Script

.ops Office Profile Settings File

.osd Application virtualized with Microsoft SoftGrid Sequencer

.pcd Visual Test (Microsoft)

.pif Windows Program Information File (Microsoft)

.plg Developer Studio Build Log

.prf Windows System File

.prg Program File

.pst MS Exchange Address Book File, Outlook Personal Folder File (Microsoft)

.reg Registration Information/Key for W95/98, Registry Data File

.scf Windows Explorer Command

.scr Windows Screen Saver

.sct Windows Script Component, Foxpro Screen (Microsoft)

.shb Windows Shortcut into a Document

.shs Shell Scrap Object File

.ps1 Windows PowerShell

.ps1xml Windows PowerShell

.ps2 Windows PowerShell

.ps2xml Windows PowerShell

.psc1 Windows PowerShell

.psc2 Windows PowerShell

.tmp Temporary File/Folder

.url Internet Location

.vb VBScript File or Any VisualBasic Source

.vbe VBScript Encoded Script File

.vbp Visual Basic project file

.vbs VBScript Script File, Visual Basic for Applications Script

.vsmacros Visual Studio .NET Binary-based Macro Project (Microsoft)

.vsw Visio Workspace File (Microsoft)

.ws Windows Script File

.wsc Windows Script Component

.wsf Windows Script File

.wsh Windows Script Host Settings File

.xnk Exchange Public Folder Shortcut

.ade ADC Audio File

.cla Java class File

.class Java class File

.grp Microsoft Widows Program Group

.jar Compressed archive file package for Java classes and data

.mcf MMS Composer File

.ocx ActiveX Control file

.pl Perl script language source code

.xbap Silverlight Application Package

 ------------------------------

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-034-Pentester_Scenario

Sep 25, 2018 40:03

Description:

Interesting email from one of our listeners. Detailing an issue that came up on a client engagement. We walk through best ways to store information post-engagement, and what you need to do to document test procedures so you don't get bit by a potential issue perhaps months down the line.

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

2018--033-Chris_Hadnagy-SE-OSINT-vishing-phishing-book_interview-pt2

Sep 15, 2018 01:00:28

Description:

Part 2 of our interview with Chris Hadnagy
Discuss more about his book,
best ways to setup your pre-text in an engagement
how you might read someone on a poker table
a great story about Chris's favorite person “Neil Fallon” from the rock band “Clutch”
and we talk about “innocent lives foundation”, something near and dear to Chris' heart.

We start the second part of our interview with Chris with the question “are the majority of your SE engagements phishing and calls, or is it physical engagements?”

 

Sponsored Link (paperback on Amazon): https://amzn.to/2NKxLD9

SEORG book list: https://www.social-engineer.org/resources/seorg-book-list/

Chris’ Podcast: https://www.social-engineer.org/podcast/

 

SECTF at Derby (contestants are chosen)

   

 

Remembering - attention to detail

    Remembering details

    Can be the difference between success and failure

 

Social Engineering - the different aspects:

Info Gathering Time constraints Accommodating non-verbals Body language must match mood Using a slower rate of speech Suspending ego RSVP Rapport Psychology “Getting information without asking for it” Elicitation ‘The Dark Art’ -negative outcome for the target Manipulation “Getting someone to do what you want them to do” Understanding the science of compliance Influence Profiling Communications Modeling Facial Expressions Body Language Don’t overextend your reach Knowledge that comes from a point of truth, or is easily faked Pretexting Emotional Hijacking Misdirection Art Science

 

   

Questions:

    What precipitated the need to write another book?

    You bring up several successful operations, and several failures…

        How do you regroup from a failure, especially if the point of entry is someone that ‘got you’...

“The level of the assistance you request must be equal to the level of rapport you have built” -

    Seems like understanding this is an acquired skill, not set in stone…

 

Many of us in the infosec world are introverts… how do you suggest we hone our skills in building rapport without coming off as creepy?

Work place? On the commute?

Does being an introvert mean that it might take longer to get to the goal? Can we use our introverted natures to our advantage?

        Get Ryan on the show…        

                   

Lots of items

(8 principles of influence)   

 

Typical daily SE activities

    Holding a door open, then the person reciprocates

 

Framing

    We don’t ‘kill our dogs’, we ‘put them to sleep’.

 

Questions from our Slack:

 

Ben:

Do you feel there's an importance for non-InfoSec adjacent folks to learn about Social Engineering, and maybe go through some sort of training in order to navigate day-to-day life in the modern world?

 

What does an interview at Chris’ company look like?

 

https://www.innocentlivesfoundation.org/

 

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

2018-032-chris Hadnagy, discusses his new book, OSINT and SE Part 1

Sep 8, 2018 37:52

Description:

Christopher Hadnagy Interview:

Origin story connoisseur  of moonshine Social Engineering: The Science of Human Hacking 2nd Edition



Sponsored Link (paperback on Amazon): https://amzn.to/2NKxLD9

SEORG book list: https://www.social-engineer.org/resources/seorg-book-list/

Chris’ Podcast: https://www.social-engineer.org/podcast/

 

SECTF at Derby (contestants are chosen)

   

 

Remembering - attention to detail

    Remembering details

    Can be the difference between success and failure



Social Engineering - the different aspects:

Info Gathering Time constraints Accommodating non-verbals Body language must match mood Using a slower rate of speech Suspending ego RSVP Rapport Psychology “Getting information without asking for it” Elicitation ‘The Dark Art’ -negative outcome for the target Manipulation “Getting someone to do what you want them to do” Understanding the science of compliance Influence Profiling Communications Modeling Facial Expressions Body Language Don’t overextend your reach Knowledge that comes from a point of truth, or is easily faked Pretexting Emotional Hijacking Misdirection Art Science

 

   

Questions:

    What precipitated the need to write another book?

    You bring up several successful operations, and several failures…

        How do you regroup from a failure, especially if the point of entry is someone that ‘got you’...

“The level of the assistance you request must be equal to the level of rapport you have built” -

    Seems like understanding this is an acquired skill, not set in stone…

 

Many of us in the infosec world are introverts… how do you suggest we hone our skills in building rapport without coming off as creepy?

Work place? On the commute?

Does being an introvert mean that it might take longer to get to the goal? Can we use our introverted natures to our advantage?

        Get Ryan on the show…        

                   

Lots of items

(8 principles of influence)   

 

Typical daily SE activities

    Holding a door open, then the person reciprocates

 

Framing

    We don’t ‘kill our dogs’, we ‘put them to sleep’.



Questions from our Slack:

 

Ben:

Do you feel there's an importance for non-InfoSec adjacent folks to learn about Social Engineering, and maybe go through some sort of training in order to navigate day-to-day life in the modern world?

 

What does an interview at Chris’ company look like?

 

https://www.innocentlivesfoundation.org/

 

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-031-Derbycon ticket CTF, Windows Event forwarding, SIEM collection, and missing events... oh my!

Sep 1, 2018 01:08:27

Description:

We are back with a new episode this week! We got over our solutions for some of the #derbyCon ticket #CTF challenges and include links to some of the challenges. We talk about Windows Event Forwarder, and all log forwarders seem to losing events!

 

Thanks to our Patrons!

Gonna be at Derbycon, come see us!

 

Congrats to our Derbycon Ticket CTF winners!

Winner:  @gigstaggart

2nd Place: @ohai_ninja

3rd Place: @SoDakHib

 

Mr. Boettcher’s Challenge (SuperCrypto): https://drive.google.com/open?id=1657hBxRbacJRw0svG1nwzZImON3QFn1t

 

Ms.Berlin’s Challenge:

 

potato.file https://drive.google.com/open?id=1Mit7060ipK_JgDDF7sYG3XbMpZ9wyaFN

Taters.zip https://drive.google.com/open?id=1TnA16EiwLw2BberHXct8JpEsntT-GWq7

Potatoes.pcapng: https://drive.google.com/open?id=1_IATBw4OGAc7lUc7NXTcucfwU9NAROYN

 

Mr. Brake’s Challenge: https://drive.google.com/open?id=1gwGkLjWEZ42NlWiw2Eg8IQnnQAxua7B8

 

Update on Mental Health GoFundMe: http://www.derbycon.com/wellness

Thanks to the #Derbycon organizers for their time and patience on answering the questions posed.

 

Missing event issues:

https://social.technet.microsoft.com/Forums/en-US/eddf3f41-db8d-4729-a838-646cbbb45295/missing-events-on-event-subscription?forum=winservergen

https://social.technet.microsoft.com/Forums/en-US/cb34f0d3-22df-498c-a782-d1957f6852ac/forwarded-events-subscriptions-missing-information-in-eventdata-section?forum=winserverManagement

 

https://github.com/palantir/windows-event-forwarding

 

https://answers.splunk.com/answers/337939/how-to-troubleshoot-why-im-missing-events-in-my-se.html



https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows

 

https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/

 

https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4

 

https://4sysops.com/archives/windows-event-forwarding-to-a-sql-database/

 

https://blogs.technet.microsoft.com/jepayne/2017/12/08/weffles/

 

http://bpatty.rocks/blue_team/weffles.html

 

https://blogs.technet.microsoft.com/nathangau/2017/05/05/event-forwarding-and-how-to-configure-it-for-the-security-monitoring-management-pack/

 

Some issues with missing events… Everyone is affected by this!

 

WEF & PowerBI is good for small installations.

 

Any GPOs involved?

Can it be done on a server by server basis?

Can an attacker simply disable the service once initial access is achieved?

 

Pros and Cons of feeding the WEF output to a MapReduce system?

 

Not sure if they've used it, but WEF vs. winlogbeat vs. NxLog?

 

Need a config?  Get some examples here for nxlog, winlogbeat, filebeat, Windows Logging Service and other stuff...

https://www.malwarearchaeology.com/logging/

 

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-030: Derbycon CTF and Auction info, T-mobile breach suckage, and lockpicking

Aug 26, 2018 01:01:35

Description:

CTF information:

    Official site: https://scoreboard.totallylegitsite.com (thanks Matt Domko (@hashtagcyber) for hosting and allowing us to use his employee discount!)

    Please do not pentest the environment, not DDoS, nor cause anything undesirable to happen to the site.

View the page, submit the flags, leave everything else alone...

 


Derbycon Auction - starts September 8th at 9am Pacific Time

    Slack only -

        Opening bid is $175

        Increments of $25 only

    100% goes to Chris Sanders’ “Rural Technology Fund”

        https://ruraltechfund.org/donate/

 

Amanda’s mental health workshop - AWESOME!  http://www.derbycon.com/wellness/

https://www.gofundme.com/derbycon-mental-health-amp-wellbeing

 

Mandy Logan - hacking her way out of a coma!  https://www.gofundme.com/hacking-recovery-brainstem-stroke

 

https://www.theverge.com/2018/8/24/17776836/tmobile-hack-data-breach-personal-information-two-million-customers

https://www.tomsguide.com/us/tmobile-breach-2018,news-27876.html

https://art-of-lockpicking.com/single-pin-picking-skills/

 

Lockpicking - Mr. Boettcher discusses (I have thoughts too --brbr)

Tools:

Tension Wrench Picks

Parts of lock:

Cylinder Driver Pins Key Pins Springs

Sites:

https://toool.us/ https://art-of-lockpicking.com/how-to-pick-a-lock-guide/  - This is a good guide if you can get past the ADs

 

Mr. Boettcher introducing JGOR audio (@indiecom) totally not @jwgoerlich

 

Btw: https://www.flickr.com/photos/36152409@N00/sets/72157700237001915/

https://www.trustedsec.com/2018/08/tech-support-scams-are-a-concern-for-all/

 

https://twitter.com/InfoSystir/status/1032343381328973827

 

 

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-029-postsummercamp-future_record_breached-vulns_nofix

Aug 17, 2018 55:31

Description:

Post-Hacker Summercamp

 

IppSec Walkthroughs

Brakesec Derbycon ticket CTF -

 

Drama - (hotel room search gate)

  AirconditionerGate

  Personal privacy

  Ask for ID

  Call the front desk

  Use the deadbolt - can be bypassed

  Plug the peephole with TP

        Hotel rooms aren’t secure (neither are the safes)

            Probably the most hostile environment infosec people go into to try and be secure/private

 

https://247wallst.com/technology-3/2018/08/13/25-of-known-computer-security-vulnerabilities-have-no-fix/

This is the company behind a sort-of threat intel site (vulnDB) The original marketing site I figured it was marketing… it smacked of a ‘buy our product’ site\, but we don’t have to mention vulnDB

 

https://www.informationsecuritybuzz.com/expert-comments/over-146-billion-records/

    Based on study by Juniper Research

 

https://www.teepublic.com/user/bdspodcast

 

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-018-runkeys, DNS Logging, derbycon Talks

Aug 9, 2018 50:36

2018-027-Godfrey Daniels talks about his book about the Mojave Phonebooth

Aug 1, 2018 37:46

Description:

Godfrey Daniels - author of "Adventures with the Mojave Phone Booth" on sale at mojavephoneboothbook.com

 

https://en.wikipedia.org/wiki/Mojave_phone_booth

https://www.tripsavvy.com/the-mojave-phone-booth-1474047

 

https://www.dailydot.com/debug/mojave-phone-booth-back-number/

 

https://www.npr.org/2014/08/22/342430204/the-mojave-phone-booth

 

https://www.reddit.com/r/UnresolvedMysteries/comments/7wjq4a/cipher_broadcast_the_mojave_phone_booth_is_back/

 

https://twitter.com/mojavefonebooth

 

https://www.google.com/maps/place/Mojave+Phone+Booth/@35.2873088,-115.6911087,3155m/data=!3m1!1e3!4m5!3m4!1s0x80c587e7172e7259:0xbc30709b3558dd90!8m2!3d35.2856782!4d-115.6844312

 

https://www.theatlantic.com/technology/archive/2017/02/object-lesson-phone-booth/515385/

http://deathvalleyjim.com/cima-cinder-mine-mojave-national-preserve/

https://twitter.com/_noid_?lang=en

 

https://www.monoprice.com/product?p_id=8136&gclid=CjwKCAjwy_XaBRAWEiwApfjKHuwvafwlgj6K3bNw6Qoy06i0KlXrTcPu8RLUSnhdEur5Y8PlVNaB1hoClJoQAvD_BwE

 

http://www.mojavephonebooth.com/ - movie based on the phone booth itself, not the book

 

 

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-026-insurers gathering data, netflix released a new DFIR tool, and google no longer gets phished?

Jul 27, 2018 43:52

Description:

Stories and topics we covered:

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

 

https://osquery.io/

 

https://www.propublica.org/article/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates

 

https://medium.com/netflix-techblog/netflix-sirt-releases-diffy-a-differencing-engine-for-digital-forensics-in-the-cloud-37b71abd2698

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

2018-025-BsidesSPFD, threathunting, assessing risk

Jul 19, 2018 34:53

Description:

Sorry, this week's show took an odd turn, and we don't have much in the way of show notes... Ms. Berlin is recovering from knee surgery, and we wish her a speedy recovery.

Bryan B. got back from BsidesSPFD, MO this week, after what was a well-received talk on building community. Lots of other excellent talks from speakers like Ms. Sunny Wear , and impromptu panel with Ben Miller and a whole host of others, including:

@icssec
@bethayoung
@ViciousData
@killianditch
@fang0654
@SunnyWear
@awsmhacks
@sysopfb
@killamjr

We started talking about malware, and we ended up discussing a new channel in the BrakeSec Slack on #threatHunting. Appears there's a lot of information out there on the topic, so much so, that SANS is having a whole conference around it.

https://www.sans.org/event/threat-hunting-and-incident-response-summit-2018

@icssec
@bethayoung
@bryanbrake
@ViciousData
@killianditch
@fang0654
@SunnyWear
@awsmhacks
@sysopfb
@killamjr

2018-024- Pacu, a tool for pentesting AWS environments

Jul 12, 2018 55:20

Description:

Ben Caudill @rhinosecurity

Spencer Gietzen @spengietz

 

Rhino Security - https://rhinosecuritylabs.com/blog/

 

AWS escalation and mitigation blog - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

 

What is the difference between this and something like Scout or Lynis?

 

Is it a forensic or IR tool?

 

How might offensive people use this tool? What is possible when you’re using this as a ‘redteam’ or ‘pentesting’ tool?

 

S3 bucket perms?

 

Security Group policy fails

 

Some of the hardening policies for Security groups?

RDS?

 

Where are you speaking… BSLV? DefCon?


https://aws.amazon.com/whitepapers/aws-security-best-practices/

 

https://d1.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf

 

https://aws.amazon.com/whitepapers/

 

https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/

 

https://aws.amazon.com/blogs/security/how-to-enable-mfa-protection-on-your-aws-api-calls/


Slack

Patreon

Bsides Springfield

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-023: Cydefe interview-DNS enumeration-CTF setup & prep

Jul 2, 2018 55:25

Description:

Raymond Evans - CTF organizer for nolacon and Founder of CyDefe Labs

    @cydefe

CTF setup / challenges of setting up a CTF. Beginners & CTFs Types tips/tricks Biggest downfalls of CTF development

 

https://www.heroku.com/

www.exploit-db.com

 

BrakeSec DerbyCon

   

@dragosinc dragos.com

 

DNS Enumeration:

https://github.com/nixawk/pentest-wiki/blob/master/1.Information-Gathering/How-to-gather-dns-information.md

 

DNS Tools:

https://dnsdumpster.com/

https://tools.kali.org/information-gathering/theharvester

 

DNS Tutorial

https://www.youtube.com/watch?v=4ZtFk2dtqv0 (A cat explains DNS)

 

https://pentestlab.blog/tag/dns-enumeration/

 

    DNS

Logging detailed DNS queries and responses can be beneficial for many reasons. For the first and most obvious reason is to aid in incident response. DNS logs can be largely helpful for tracking down malicious behavior, especially on endpoints in a DHCP pool. If an alert is received with a specific IP address, that IP address may not be on the same endpoint by the time someone ends up investigating. Not only does that waste time, it also gives the malicious program or attacker more time to hide themselves or spread to other machines.

 

DNS is also useful for tracking down other compromised hosts, downloads from malicious websites, and if malware is using Domain Generating Algorithms (DGAs) to mask malicious behavior and evade detection.

 

NOTE: However if a Microsoft DNS solution (prior to server 2012) is in use, according to Microsoft, “Debug logging can be resource intensive, affecting overall server performance and consuming disk space. Therefore, it should only be used temporarily when more detailed information about server performance is needed.” From Server 2012 forward DNS analytic logging is much less resource intensive. If the organization is using BIND or some DNS appliance, it should have the capability to log all information about DNS requests and replies.

 

How difficult has that become with the advent of GDPR and whois record anonymization?

 

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-022-preventing_insider_threat

Jun 26, 2018 47:32

Description:

After the recent Tesla insider threat event, BrakeSec decided to discuss some of the indicators of insider threat, what can be done to mitigate it, and why it happens.

 

news stories referenced:

https://www.infosecurity-magazine.com/news/teslas-tough-lesson-on-malicious/

 

https://www.scmagazine.com/tesla-hit-by-insider-saboteur-who-changed-code-exfiltrated-data/article/774472/

 

https://en.wikipedia.org/wiki/Insider_threat

 

https://en.wikipedia.org/wiki/Insider_threat_management

 

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-021-TLS 1.3 discussion, Area41 report, wireshark goodness

Jun 20, 2018 42:43

Description:

Area41 Zurich report

Book Club - 4th Tuesday of the month

https://www.owasp.org/images/d/d3/TLS_v1.3_Overview_OWASP_Final.pdf

 

https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

TLS_DHE_RSA_AES_256_GCM_SHA256

 

TLS = Protocol

DHE = Diffie-Hellman ephemeral (provides Perfect Forward Secrecy)

    Perfect Forward Secrecy = session keys won’t be compromised, even if server private keys are

Past messages and data cannot be retrieved or decrypted (https://en.wikipedia.org/wiki/Forward_secrecy)

 

RSA = Digital Signature (authentication)

    There are only 2 (RSA, or ECDSA)

 

AES_256_GCM - HMAC (hashed message authentication code)

 

https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

https://en.wikipedia.org/wiki/HMAC#Definition_.28from_RFC_2104.29

 

https://en.wikipedia.org/wiki/Funicular

 

https://mozilla.github.io/server-side-tls/ssl-config-generator/?hsts=no

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-020: NIST's new password reqs, Ms. Berlin talks about ShowMeCon, Pwned Passwords

Jun 13, 2018 36:44

Description:

https://nostarch.com/packetanalysis3  -- Excellent Book! You must buy it.

 

DetSEC mention

 

ShowMe Con panel and keynote

 

SeaSec East standing room only. Crispin gave a great toalk about running as Standard user

 

Bsides Cleveland -

 

https://www.passwordping.com/surprising-new-password-guidelines-nist/

1Password version 7.1 integrates with Troy Hunt's "Pwned Passwords" service to check for passwords that suck

https://twitter.com/troyhunt/status/1006266985808875521

https://1password.com/sign-up/

https://www.troyhunt.com/have-i-been-pwned-is-now-partnering-with-1password/

 

1,300 complaints of GDPR breaches in the first 6 days of enablement:

https://iapp.org/news/a/irish-dpc-received-1300-complaints-since-gdpr-implementation-date/



https://www.pcisecuritystandards.org/about_us/leadership




2018-019-50 good ways to protect your network, brakesec summer reading program

Jun 6, 2018 47:22

Description:

Ms. Berlin’s mega tweet on protecting your network

 

https://twitter.com/InfoSystir/status/1000109571598364672

 

Utica College CYB617

    I tweeted “utica university” many pardons

 

Mr. Childress’ high school class

Laurens, South Carolina

 

Probably spent as much as a daily coffee at Starbucks… makes all the difference.

 

CTF Club, and book club (summer reading series)

 

Patreon

SeaSec East

 

Showmecon

Area41con

bsidescleveland



Here are 50 FREE things you can do to improve the security of most environments:

 

Segmentation/Networking:

Access control lists are your friend (deny all first)

Disable ports that are unused, & setup port security

DMZ behind separate firewall

Egress Filtering (should be just as strict as Ingress)

Geoblocking

Segment with Vlans

Restrict access to backups

Role based servers only! DNS servers/DCs are just that

Network device backups



Windows:

AD delegation of rights

Best practice GPO (NIST GPO templates)

Disable LLMNR/NetBios

EMET (when OSes prior to 10 are present)

Get rid of open shares

MSBSA

WSUS

** run as a standard user ** no ‘localadmin’




Endpoints:

App Whitelisting

Block browsing from servers. Not all machines need internet access

Change ilo settings/passwords

Use Bitlocker/encryption

Patch *nix boxes

Remove unneeded software

Upgrade firmware



MFA/Auth:

Diff. local admin passwords (LAPS) https://www.microsoft.com/en-us/download/details.aspx?id=46899

Setup centralized logins for network devices. Use TACACS+ or radius

Least privileges EVERYWHERE

Separation of rights - Domain Admin use should be sparse & audited



Logging Monitoring:

Force advanced file auditing (ransomware detection)

Log successful and unsuccessful logins - Windows/Linux logging cheatsheets



Web:

Fail2ban

For the love of god implement TLS 1.2/3

URLscan

Ensure web logins use HTTPS

Mod security

 

Other:

Block Dns zone transfers

Close open mail relays

Disable telnet & other insecure protocols or alert on use

DNS servers should not be openly recursive

Don't forget your printers (saved creds aren't good)

Locate and destroy plain text passwords

No open wi-fi, use WPA2 + AES

Password safes



IR:

Incident Response drills

Incident Response Runbook & Bugout bag

Incident Response tabletops

 

Purple Team:

Internal & OSINT honeypots

User Education exercises

MITRE ATT&CK Matrix is your friend

Vulnerability Scanner

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-018-Jack Rhysider, Cryptowars of the 90s, OSINT techniques, and hacking MMOs

May 30, 2018 34:15

Description:

https://darknetdiaries.com/

 

Jack Rhysider



Ok I think these topics should keep us busy for a while. Topics for discussion:



Do hospitals have a free pass when being attacked? #OPJUSTINA https://nakedsecurity.sophos.com/2014/04/28/anonymous-takes-on-boston-childrens-hospital-in-opjustina/ https://www.youtube.com/watch?v=eFVBz_ATAlU - when anonymous attacks your hospital

 

The oldest known vulnerability is still a big problem. Default passwords. Why haven't we fixed this yet? https://www.rapid7.com/db/vulnerabilities/telnet-default-account-admin-password-password http://census2012.sourceforge.net/paper.html



In the 90's strong crypto was illegal online. https://en.wikipedia.org/wiki/Data_Encryption_Standard https://en.wikipedia.org/wiki/EFF_DES_cracker

 

The NSA scrapes social media and regular OSINT techniques to figure out how to best attack a network. Manfred made a living hacking MMORPGs for the last 20 years. And he tried to do it as ethically as possible. When a single CA is breached, it breaks the security for the whole internet. Toy companies aren't securing children data What are options when you find a major security flaw in a home router but the vendor refuses to acknowledge it much less fix it? And there's no bug bounty.

2018-017- threat models, vuln triage, useless scores, and analysis tools

May 23, 2018 39:38

Description:

Vuln mgmt tools CVE scores suck.

 

Threat modeling is good.

 

Forces  you to know your environment

 

https://en.wikipedia.org/wiki/Kanban

 

https://blog.jeremiahgrossman.com/2018/05/all-these-vulnerabilities-rarely-matter.html

 

https://twitter.com/lnxdork/status/998559649271025664

https://www.google.com/search?q=house+centipede&rlz=1C5CHFA_enUS759US759&source=lnms&tbm=isch&sa=X&ved=0ahUKEwiypKyfpZjbAhWJjlkKHd0lASYQ_AUICigB&biw=1920&bih=983

https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

 

https://www.theregister.co.uk/2018/05/17/nethammer_second_remote_rowhammer_exploit/

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-016- Jack Rhysider, DarkNet Diaries, and a bit of infosec history (Part 1)

May 15, 2018 37:13

Description:

Converge Detroit


Jack Rhysider- Podcaster, DarkNet Diaries

https://darknetdiaries.com/

 

Do hospitals have a free pass when being attacked? #OPJUSTINA https://nakedsecurity.sophos.com/2014/04/28/anonymous-takes-on-boston-childrens-hospital-in-opjustina/ https://www.youtube.com/watch?v=eFVBz_ATAlU - when anonymous attacks your hospital

 

The oldest known vulnerability is still a big problem. Default passwords. Why haven't we fixed this yet? https://www.rapid7.com/db/vulnerabilities/telnet-default-account-admin-password-password http://census2012.sourceforge.net/paper.html

 

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-015-Data labeling, data classification, and GDPR issues

May 7, 2018 52:07

Description:

GDPR will affect any information system that processes or will process people… like it or not.

 

Derby Tickets

    CTF and auction

Keynote

    Converge Detroit

I’ll be at nolacon too

Boettcher

    Recap BDIR #3

https://blog.netwrix.com/2018/05/01/five-reasons-to-ditch-manual-data-classification-methods/

https://blog.networksgroup.com/data-loss-prevention-fundamentals



 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-014- Container Security with Jay Beale

Apr 29, 2018 01:05:30

Description:

 

 

Container security

 

Jay Beale  @inguardians , @jaybeale

 

Containers

What the heck is a container? Linux distribution with a kernel Containers run on top of that, sharing the kernel, but not the filesystem Namespaces Mount Network Hostname PID IPC Users Somebody said we’ve had containers since before Docker Containers started in 2005, with OpenVZ Docker was 2013, Kubernetes 2014 Image Security CoreOS Clair for vuln scanning images Public repos vs private Don’t keep the image running for so long? Don’t run as root More Containment stuff Non-privileged containers Remap the users, so root in container isn’t root outside Drop root capabilities Seccomp for kernel syscalls AppArmor or SELinux All of above is about Docker, what about Kubernetes Get onto most recent version of K8S - 1.7 and 1.8 brought big security improvements Network policy (egress firewalls) RBAC (define what users and service accounts can do what) Use namespaces per tenant and think hard about multi-tenancy Use the CIS guides for lockdown of K8S and the host Kube-bench

Difference between containers and sandboxing

 

Roll your own -

    Containers

        Using public registries - leave you vulnerable

        Use your own private repos for deploying containers

 

Reduce attack surface

Reduce user access

 

Automation will allow more security to get baked in.

 

https://www.infoworld.com/article/3104030/security/5-keys-to-docker-container-security.html



https://blog.blackducksoftware.com/8-takeaways-nist-application-container-security-guide





https://www.vagrantup.com/downloads.html

 

https://www.vmware.com/products/thinapp.html

 

https://www.meetup.com/SEASec-East/events/249983387/





S3 buckets / Azure Blobs

 

https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services

 

https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-013-Sigma_malware_report, Verizon_DBIR discussion, proper off-boarding of employees

Apr 20, 2018 01:05:21

Description:

Report from Bsides Nash - Ms. Berlin

New Job

Keynote at Bsides Springfield, MO

Mr. Boettcher talks about Sigma Malware infection.

 

http://www.securitybsides.com/w/page/116970567/BSidesSpfd

**new website upcoming**

Registration is coming and will be updated on next show (hopefully)

DBIR -https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf

 

VERIS framework

http://veriscommunity.net/

 

53,000 incidents

 

2,216 breaches?!

 

73% breaches were by outsiders

 

28% involved internal actors (but needs outside help?)

 

Not teaching “don’t click the link”, but instead teach, “I have no curiosity”

   

Discuss "Dir. Infosec" Slack story as method to halt infection

 

https://www.tripwire.com/state-of-security/security-awareness/women-information-security-amanda-berlin/

The “Living off the Land” trend continues with attack groups opting for tried-and-trusted means to infiltrate target organizations. Spear phishing is the number one infection vector employed by 71 percent of organized groups in 2017. The use of zero days continues to fall out of favor.

 

Off boarding people… so much process to get people on, but it’s just not mature getting people out...

 

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-012: SIEM tuning, collection, types of SIEM, and do you even need one?

Apr 12, 2018 01:00:43

Description:

Bryan plays 'stump the experts' with Ms. Berlin and Mr. Boettcher this week...

We discuss SIEM logging, and tuning...

How do SIEM deal with disparate log file types?

What logs should be the first to be gathered?

Is a SIEM even required, or is just a central log repo enough?

Which departments benefit the most from logging? (IT, IR, Compliance?)

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-011: Creating a Culture of Neurodiversity

Apr 4, 2018 01:10:36

Description:

Megan Roddie discusses being a High functioning Autistic, and we discuss how company and management can take advantage of the unique abilities of those with high functioning autism.

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2018-011.mp3

 

Matt Miller's Assembly and Reverse Engineering Class:

Still can sign up! The syllabus is here:  https://drive.google.com/open?id=1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0

 

 

SHOW NOTES:

 

Link to Megan’s slides

 Megan Roddie (@megan_roddie

Diversity - Why managers should strive for diverse teams - First, Break All the Rules: What the World's Greatest Managers Do Differently Strengths - hire people based on their strengths, not their weaknesses (see StrengthsFinder 2.0) regarding Grant and Lee Megan: 1. Achiever, 2. Learner, 3. Intellection, 4. Focus, 5. Harmony Bryan:  Learner, Ideation, Futuristic, Significance, Focus Amanda: Restorative, Learner, Input, Ideation, Focus Brian: Maximizer, Learner, Responsibility, Individualization, Belief Scores Weaknesses - weaknesses are made irrelevant by the strengths of others.  If one employee has a weakness, you can hire someone who has great strength in that area. Sports teams quote (Slide 6) What is it? (vs. neurotypical) What are weaknesses of HFAs? What are strengths of HFAs? (Slides 17 - 22) HFA One-on-one time is the SINGLE most effective management tool, works with HFAs and neurotypicals alike → guide Examples (Slide 28) Pants Introductions (vendor meet at BSides example) Some (most?) neurotypicals get offended How to manage or work with HFAs Tips (slides 32-34) Structure and Routine → Productivity Clarity → Thorough Work Patience and Understanding → Dedicated & Passionate Employee Needs

 

 

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-010 - The ransoming of Atlanta, Facebook slurping PII, Dridex variants

Mar 28, 2018 37:46

Description:

 

Matt Miller’s #Assembly and #Reverse #Engineering class

$150USD for each class, 250USD for both classes

Syllabus : https://docs.google.com/document/d/1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0/edit?usp=sharing

Please state which class you'd like to take when ordering in the "Notes" field in Paypal https://paypal.me/BDSPodcast/150usd

To sign up for both classes: https://paypal.me/BDSPodcast/250usd

 

 

Stories:

https://threatpost.com/orbitz-warns-880000-payment-cards-suspected-stolen/130601/

TLS1.3 - https://www.theregister.co.uk/2018/03/27/with_tls_13_signed_off_its_implementation_time/

https://slate.com/technology/2018/03/facebook-acknowledges-it-kept-records-of-calls-and-texts-from-android-users.html

https://www.csoonline.com/article/3264654/security/atlanta-officials-still-working-around-the-clock-to-resolve-ransomware-attack.html

https://timtaubert.de/blog/2015/11/more-privacy-less-latency-improved-handshakes-in-tls-13

 

 

Sign up for Jay Beale's class at Black Hat 2018: https://www.blackhat.com/us-18/training/aikido-on-the-command-line-linux-lockdown-and-proactive-security.html

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-009- Retooling for new infosec jobs, sno0ose, Jay Beale, and mentorship

Mar 19, 2018 01:12:03

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-009-internships-mentorships-retooling-finding-that-unicorn-pentester.mp3

Topics discussed:

How Jay Beale (@jaybeale @inguardians) and Brad A. (@sno0ose) do mentorship and apprenticeship in their respective orgs. Best methods to retool yourself if you are trying to move to a new industry Why 'hitting the ground running' isn't the sign of an immature organization...

Matt Miller’s #Assembly and #Reverse #Engineering class

$150USD for each class, 250USD for both classes

Syllabus : https://docs.google.com/document/d/1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0/edit?usp=sharing

Please state which class you'd like to take when ordering in the "Notes" field in Paypal https://paypal.me/BDSPodcast/150usd

To sign up for both classes: https://paypal.me/BDSPodcast/250usd

Tickets are already on sale for "Hack in the Box" in Amsterdam from 9-13 April 2018, and using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

Sign up for Jay Beale's class at Black Hat 2018: https://www.blackhat.com/us-18/training/aikido-on-the-command-line-linux-lockdown-and-proactive-security.html

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

SHOW NOTES:

 

Guests: Mr. Jay Beale

Guest: Mr. Brad Ammerman @?????????

 

Announcements:

RE/ASM class (Matt Miller)

SeaSec East Meetup at Black Lodge

Jay’s class at Black Hat

https://www.blackhat.com/us-18/training/aikido-on-the-command-line-linux-lockdown-and-proactive-security.html

Slack channel

“M3atshield”

 

What jobs are good segues into either blue or red teams/pentesting?

SOC Analyst (network security, pcap, IR)

SysAdmin (obviously)

Cod devs (audits, binary analysis, they know the code internals)

System architects (they know the nuts and bolts)

Security architects (segue to red team, they know how to defend, threat analysis)

Project management /management (client/customer facing, can understand the business side)

 

Journeyman pipelines vs. intern pipelines

Different than interns = Already highly skilled in ‘something’

Code devs

Physical security

audit/compliance

project/program management

System admin

Management

“generalist”

 

Retooling can be difficult

May be a paycut

Fear of failure

How do we alleviate that? (mentorship model?)

 

Companies looking for skilled people can’t look for what they want

Think in the bigger picture

 

Is not being able to see the value in a non-infosec person coming to the team a sign of immaturity in a company?

The phrase “must be able to hit the ground running”

Turn off for those wanting to make that change

Feel they must already know the job

 

People should be considered as like a block of clay, not an immutable stone.

People can change if they want to…

2 party comfort zone. Both the person changing role/title, and the company understanding where the person sits in the position.

 

mentorship/menteeship in an org

BDIR-001: Credential stealing emails, How do you protect against it?

Mar 13, 2018 01:35:37

Description:

BDIR Episode - 001

Our guests will be:

Martin Brough - Manager of the Security Solutions Engineering team in the #email #phishing industry
Topic of the Day:

CREDENTIAL STEALING EMAILS WHAT CAN YOU DO

 

Join us for Episode-001, our guest will be:

Martin Brough - Manager of the Security Solutions Engineering team in the email phishing industry

Topic of the day will be:

"CREDENTIAL STEALING EMAILS WHAT CAN YOU DO"

Show Notes:

Introductions Introduce our Guest Martin Brough Twitters - @HackerNinja Blog - InfoSec512.com

 

More show notes at https://www.imfsecurity.com/podcasts/2018/2/28/bdir-podcast-episode-001

2018-008- ransomware rubes, Defender does not like Kali, proper backups

Mar 12, 2018 58:12

Description:

https://www.auditscripts.com/free-resources/critical-security-controls/

Thanks to Slacker Ben Chung, who heard about this from John Strand...

 

BsidesIndy report - Amanda

Bsides Austin - Brian

 

Log_MD 2.0 - www.log-md.com

 

https://www.bleepingcomputer.com/news/security/only-half-of-those-who-paid-a-ransomware-ransom-could-recover-their-data/

https://itsfoss.com/kali-linux-debian-wsl/

https://www.bleepingcomputer.com/news/security/kali-linux-now-in-windows-store-but-defender-flags-its-packages-as-threats/


Matt Miller’s #Assembly and #Reverse #Engineering class

$150USD for each class, 250USD for both classes

Syllabus : https://docs.google.com/document/d/1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0/edit?usp=sharing

Please state which class you'd like to take when ordering in the "Notes" field in Paypal https://paypal.me/BDSPodcast/150usd

To sign up for both classes: https://paypal.me/BDSPodcast/250usd

Tickets are already on sale for "Hack in the Box" in Amsterdam from 9-13 April 2018, and using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

  

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

 

2018-007- Memcached DDoS, Secure Framework Documentation, and chromebook hacking

Mar 6, 2018 45:59

Description:

Topics:

Secure Framework documents Modifying chromebooks so you can use Debian/Ubuntu Memcached is the new DDoS hotness Announcement of the next BrakeSec Training Class (see Show Notes below for more info)

Link to secure framework document: https://drive.google.com/open?id=1xLfY4uI88K2AiA1mosWJ7jFyP100Jv5d

Tickets are already on sale for "Hack in the Box" in Amsterdam from 9-13 April 2018, and using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

  

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

--Show Notes--

Announcements:

Matt Miller’s class on Assembly and Reverse engineering

Starts 2 April - 6 sessions

2nd Class - 6 sessions, beginning 21 May

Beginner course on Assembly

Advanced course, dealing with more advanced topics

$150 for each class, or a $250 deal if you sign up for both classes

paypal.me/BDSPodcast/150USD - Specify in the NOTES if you want the “Beginner” or “Advanced” course

paypal.me/BDSPodcast/250USD - If you want both courses

We need a minimum of 10 students per class

 

Projects:

Chromebook with Debian

Bit of a pain, if I could be honest..

Needed USB hub with eth0, and a USB soundcard

USB3 low profile thumbdrives would be better

https://www.amazon.com/gp/product/B01K5EBCES/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1

https://www.securecontrolsframework.com/ ←--well well worth the signup

https://drive.google.com/open?id=1xLfY4uI88K2AiA1mosWJ7jFyP100Jv5d - ‘secure.xlsx’

http://www.dummies.com/programming/certification/security-control-frameworks/

Numerous security frameworks already exist:

Cisco

NiST

CoBIT

ITIL (can be utilized)

SWIFT  https://www.accesspay.com/wp-content/uploads/2017/09/SWIFT_Customer_Security_Controls_Framework.pdf

“My weird path to #infosec” on twitter

https://en.wikipedia.org/wiki/Hydrocolloid_dressing

2018-006- NPM is whacking boxes, code signing, and stability of code

Feb 27, 2018 46:18

Description:

Topics on today's show:

NPM (Node Package Manager) - bug was introduced changing permissions on /etc, /boot, and /usr, breaking many systems, requiring full re-installs. Why was it allowed to be passed, and worse, why did so many run that version on production systems?

Code signing - a well known content management system does not sign it's code. What are the risks involved in not signing the code? And we talk about why you should verify the code before you use it.

Using code without testing - NPM released a 'not ready for primetime' version of it's package manager. We discuss the issues in running 'alpha', and 'beta'

 

Tickets are already on sale for "Hack in the Box" in Amsterdam from 9-13 April 2018, and using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

 

 

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

SHOW NOTES:

Previous podcast referenced:  http://traffic.libsyn.com/brakeingsecurity/2018-005-Securing_CMS_and_mobile_devices-phishing_story.mp3

NPM -

https://www.techrepublic.com/article/series-of-critical-bugs-in-npm-are-destroying-server-configurations/

https://www.bleepingcomputer.com/news/linux/botched-npm-update-crashes-linux-systems-forces-users-to-reinstall/

Using ‘pre-production’ software without testing is not advisable

Unfortunately, many assume all software is stable

A product of ‘devops’ - failing forward “we’ll just fix it in post”

 

Talked last podcast about ‘supply chain security’

https://givan.se/do-not-sudo-npm/


https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/

 

Developers can leave a project, leaving code unmaintained… or dependencies

 

Also, a modicum of trust is required… verifying the code before you use it.

Verification that the code came from where it was supposed to

 

Many important code bases aren’t signed or have verification

Wordpress does not appear to publish file hashes

Can you always trust the download? Sure, they do TLS… but no integrity, or non-repudiation

 

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

https://www.thawte.com/code-signing/whitepaper/best-practices-for-code-signing-certificates.pdf


Bsides NASH-

https://bsidesnash.org/2018/02/20/interview-and-resume-workshop/

2018-005-Securing_your_mobile_devices_and_CMS_against_plugin_attacks

Feb 14, 2018 48:24

Description:

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2018-005-Securing_CMS_and_mobile_devices-phishing_story.mp3

Topics:

Discussion of Ms. Berlin's course

CAPEC discussion

RTF malware MS Office

A Phishing story...

Mobile Supply Chain Security

CMS Supply Chain Security

Ms. Berlin’s course - recap of 2nd session

 

Brakeing Down IR -date?

 

Any malware of note?

Upgrade your Office!  Just double-clicked, used rtf and document never opened, just the script ran.

 

Supply chain isn’t just Hardware… software stacks abound and not followed

 

Wordpress plugins, CMS plugins/themes… not monitored, weakly secure

Keeping track is as important as asset management

Do you know what your CMS is running, plugin wise?

And if plugins aren’t bad enough, you have PHP to deal with

 

Suggestions:

Buy plugins - you get what you pay for

Check what support  you get (always a good idea)

Require reviews for new plugins, and old ones, esp if they haven’t updated in a while

Are they still maintained? (abandonware bad)

New owners? (many plugins and apps get bought and then start changing permissions, or worse, serving malware)

 

Joomla -

Vulnerable Extensions list - https://vel.joomla.org/live-vel

Wordpress - WPScan     https://wpvulndb.com/plugins

https://capec.mitre.org/


https://theconversation.com/explainer-how-malware-gets-inside-your-apps-79485

PYPI - https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

CCleaner -

https://www.theverge.com/2017/9/18/16325202/ccleaner-hack-malware-security

News:

https://hotforsecurity.bitdefender.com/blog/uh-oh-how-just-inserting-a-usb-drive-can-pwn-a-linux-box-19586.html

Adversary generation systems

Red Baron - https://www.coalfire.com/Solutions/Coalfire-Labs/The-Coalfire-LABS-Blog/february-2018/introducing-red-baron

https://github.com/uber-common/metta

https://github.com/NextronSystems/

https://www.kitploit.com/2018/02/venom-1015-metasploit-shellcode.html

Quickly building Redteam Infrastructure

https://rastamouse.me/2017/08/automated-red-team-infrastructure-deployment-with-terraform---part-1/

If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box #HITB Amsterdam conference, which will take place between 9 and 13 April 2018. Tickets are already on sale,  And using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

 

 

#Spotify: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-004 - Discussing Bsides Seattle, and Does Autosploit matter?

Feb 5, 2018 38:39

Description:

Show Notes:

https://docs.google.com/document/d/1CSjskf-3vrguoyIyg8yOK2KLqg7srxYlee4RD6jzgNc/edit?usp=sharing

Topics Discussed:

New tool : AutoSploit - Does it lower the bar?

How should Blue teamers be using Shodan?

Discuss WPAD attacks, what WPAD is, and why it's a thing blue teams should worry about. 

 

ANNOUNCEMENTS:

Ms. Amanda Berlin is running 4 session of her workshop "Disrupting the Killchain" starting on the 5th of February at 6:30pm Pacific Time (9:30 Eastern Time)  If you would like to sign up, the fee is $100 and you can send that to our paypal account at https://paypal.me/BDSPodcast, send as a 'gift' 

Course Syllabus:   https://docs.google.com/document/d/12glnkY0nxKU9nAvekypL4N910nd-Nd6PPvGdYYJOyR4/edit

 

  If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box #HITB Amsterdam conference, which will take place between 9 and 13 April 2018. Tickets are already on sale,  And using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

 

 

#Spotify: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

BDIR-000 ; The Beginning

Jan 30, 2018 01:04:54

Description:

Here is the inaugural episode of the "Brakeing Down Incident Response"

 

Please check it out!

 

BDIR Episode - 000

Our guests will be:

Dave Cowen - Forensic Lunch Podcast and G-C Partners
Tyler Hudak - Trainer in Malware Analysis and Reverse Engineering

Topic of the Day:

WHAT IS THIS NEW PODCAST ALL ABOUT, WHAT WILL IT COVER?

"Incident Response, Malware Discovery, and Basic Malware Analysis,
Detection and Response, Active Defense, Threat Hunting, and where does it fit within DFIR"

SHOW NOTES:
https://www.imfsecurity.com/podcast/2018/1/18/bdir-podcast-episode-000

 

 

 

2018-003-Privacy Issues using Crowdsourced services,

Jan 27, 2018 01:06:30

Description:

Back in late 2017, we did a show about expensify and how the organization was using a service called 'Amazon Mechanical Turk' (MTurk) to process receipts and to help train their Machine Learning Algorithms. You can download that show and listen to it here:  2017-040

#infosec people on Twitter and elsewhere were worried about #privacy issues, as examples of receipts on MTurk included things like business receipts, medical invoices, travel receipts and the like.

One of our Slack members (@nxvl) came on our #Slack channel after the show reached out and said that his company uses services like these at their company. They use these services to test applications, unit testing, and creation of test cases for training and refinement of their own applications and algorithms.

We discuss the privacy implications of employing these services, how to reduce the chances of data loss, the technology behind how they make the testing work, and what other companies should do if they want to employ the Mturk, CrowdFlower, or CircleCi 2

Direct Show Download:   http://traffic.libsyn.com/brakeingsecurity/2018-003-MTurk-NXVL-privacy_issues_using_crowdsourced_applications.mp3

 

ANNOUNCEMENTS:

Ms. Amanda Berlin is running 4 session of her workshop "Disrupting the Killchain" starting on the 4th of February at 6:30pm Pacific Time (9:30 Eastern Time)  If you would like to sign up, the fee is $100 and you can send that to our paypal account at https://paypal.me/BDSPodcast 

Course Syllabus:   https://docs.google.com/document/d/12glnkY0nxKU9nAvekypL4N910nd-Nd6PPvGdYYJOyR4/edit

 

  If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box #HITB Amsterdam conference, which will take place between 9 and 13 April 2018. Tickets are already on sale,  And using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

 

 

#Spotify: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

   

 

Show Notes:  

 

Mr. Boettcher gave a talk (discuss) http://DETSec.org 

Brakeing Down Incident Response Podcast

 

Amanda’s class (starts 4 february, $100 for 4 sessions, $50 for early video access)

 

I need to mention HITB Amsterdam

David’s Resume Review -- Bsides Nash Resume Review 

SANS SEC504 Mentor course

Guest: Nicolas Valcarcel

Twitter: @nxvl

 

Possible News to discuss:

https://www.reddit.com/r/sysadmin/comments/7sn23c/oh_security_team_how_i_loathe_you_meltdown/

 

Mechanical Turk

https://www.mturk.com/

CrowdFlower

https://www.crowdflower.com/

CircleCi 2.0

https://circleci.com/docs/2.0/

 

TaskRabbit

https://www.taskrabbit.com/

 

Historically:  https://en.wikipedia.org/wiki/The_Turk

 

Expensify using Amazon Mechanical Turk

https://www.theverge.com/2017/11/28/16703962/expensify-receipts-amazon-turk-privacy-controversy

 

https://www.wired.com/story/not-always-ai-that-sifts-through-sensitive-info-crowdsourced-labor/

FTA: “"I wonder if Expensify SmartScan users know MTurk workers enter their receipts. I’m looking at someone’s Uber receipt with their full name, pick up, and drop off addresses," Rochelle LaPlante, a Mechanical Turk worker who is also a co-administrator of the MTurk Crowd forum, wrote on Twitter.”

 

https://www.dailydot.com/debug/what-is-amazon-mechanical-turk-tips/

“About those tasks, they’re called HITs, which is short for Human Intelligence Tasks. A single HIT can be paid as low as a penny but may take only a couple seconds to complete. Requesters often list how long a task is supposed to take, along with the nature of the work and the requirements for completing the work.”

 

“Since mTurk has been around for over a decade, Amazon has created a special class of workers called Masters Qualification. Turkers with masters have usually completed over 1,000 HITs and have high approval ratings.”

Kind of like a Yelp for HIT reviewers?

 

Are companies like expensify aware of the data that could be collected and analyzed by 3rd parties?

Is it an acceptable risk?

 

Privacy questions to ask for companies that employ ML/AI tech?

Are they using Mturk or the like for training their algos?

Are they using Master level doers for processing?

 

Nxvl links:

Securely Relying on the Crowd (paper Draft):

https://github.com/nxvl/crowd-security/blob/master/Securely%20relying%20on%20the%20Crowd.pdf

How to Make the Most of Mechanical Turk: https://www.rainforestqa.com/blog/2017-10-12-how-to-make-the-most-of-mechanical-turk/

How We Maintain a Trustworthy Rainforest Tester Network: https://www.rainforestqa.com/blog/2017-08-02-how-we-maintain-a-trustworthy-rainforest-tester-network/

The Pros and Cons of Using Crowdsourced Work: https://www.rainforestqa.com/blog/2017-06-06-the-pros-and-cons-of-using-crowdsourced-work/

How We Train Rainforest Testers: https://www.rainforestqa.com/blog/2016-04-21-how-we-train-rainforest-testers/

AWS re:Invent: Managing Crowdsourced Testing Work with Amazon Mechanical Turk: https://www.rainforestqa.com/blog/2017-01-06-aws-re-invent-crowdsourced-testing-work-with-amazon-mturk/

Virtual Machine Security: The Key Steps We Take to Keep Rainforest VMs Secure: https://www.rainforestqa.com/blog/2017-05-02-virtual-machine-security-the-key-steps-we-take-to-keep-rainforest-vms/

2018-002-John_Nye-Healthcare's_biggest_issues-ransomware

Jan 20, 2018 01:03:28

Description:

John Nye (@EndisNye_com) is the VP of Cybersecurity Strategy at healthcare consultancy #CynergisTek. He's in the process of writing a whitepaper about the issues that are still plaguing healthcare. While every industry in the world has to deal with #security issues, the stakes are highest, and most personal, in healthcare. Because healthcare data is highly sensitive, a breach can cause major problems for the individual and #healthcare organization — in addition to embarrassment and sometimes extortion or blackmail.   We go over some of the things he's found, and discuss how we could address these issues.

 

Ms. Berlin's course "Disrupting the Kill Chain" is planned to start on the 5th of February, and will be 4 sessions, with new material if you've seen her workshop at previous conferences.  The cost of the class will be $100 USD for access to our Zoom webex. If you'd like to gain access to the videos we'll have for the class, you can buy access to them for $50 USD.

Sign up with our Paypal link: Paypal -- When paying, if you want us to send you a different email from your Paypal email, please add it to the 'NOTE' section during your payment.

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2018-002-John_Nye-Healthcares-biggest_issues-ransomware.mp3

 

#Spotify: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

From our friends at Hack In the Box Amsterdam:

"We are gearing up for the Hack In The Box Amsterdam 2018, which is now on its 9th edition, and will take place between the 9th and 13th April at the same venue as last year, the Grand Krasnapolsky hotel in the center of Amsterdam: https://conference.hitb.org/hitbsecconf2018ams/ The list of trainings is already published and looking as awesome as ever: https://conference.hitb.org/hitbsecconf2018ams/training The CFP is open and the review board is already hard at work with the first submissions."     "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 9 and 13 April 2018. The Call For Papers is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount".

2018-001- A new year, new changes, same old trojan malware

Jan 12, 2018 01:05:37

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-001-A_new_year-new_changes-same_old_malware.mp3

The first show of our 2018 season brings us something new (some awesome new additions to our repertoire), and something old (ransomware).

Michael Gough is joining us to discuss a new a partnership with BrakeSec Podcast (you'll have to listen to find out, or wait a few weeks :D )

We discuss #Spectre and #meltdown vulnerabilities, wonder about the criticality of the vulnerabilities and mitigation of them, and debate why the patching was handled in such a poor manner.

We also discuss a news story about a school that spent an exorbitant amount of money to remove a trojan that Mr. Boettcher (@boettcherpwned) and Mr. Gough (@hackerhurricane) believe to be very simply handled. We talk about the need for state and local governments and institutions to have a some way to call for breaches or 'cyber' crisis that would have a no-blame assistance helpline. 

I did a quick video, which has a demonstration of Dave Kennedy's security tool "Pentester Framework" (PTF). There's even a video of the demo on our Youtube Channel (https://youtu.be/sIc1ljkwE5Q)

Finally, we discuss our upcoming training with Ms. Berlin (@infosystir) "Disrupting the Cyber Kill Chain", which will start the first week of February and go for 4 weeks. More details next week!

#Spotify: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

From our friends at Hack In the Box Amsterdam:

"We are gearing up for the Hack In The Box Amsterdam 2018, which is now on its 9th edition, and will take place between the 9th and 13th April at the same venue as last year, the Grand Krasnapolsky hotel in the center of Amsterdam: https://conference.hitb.org/hitbsecconf2018ams/ The list of trainings is already published and looking as awesome as ever: https://conference.hitb.org/hitbsecconf2018ams/training The CFP is open and the review board is already hard at work with the first submissions."     "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 9 and 13 April 2018. The Call For Papers is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount".     ---Show Notes---  

Music change

Couldn’t remember where I got the other music


Little more news than we used to

Try to shy away from news everyone will talk about

 

Brakeing Down Incident Response (BD-IR) podcast

Hosted by Mr. Boettcher and Michael Gough

Vendor talks

Sponsors (provisionally)


News:

http://www.zdnet.com/article/wpa3-wireless-standard-tougher-wifi-security-revealed/

https://threatpost.com/new-rules-announced-for-border-inspection-of-electronic-devices/129361/

https://www.tripwire.com/state-of-security/latest-security-news/school-district-spend-314k-rebuilding-servers-malware-attack/



Upcoming Training:

Amanda? - Cyber KillChain training

Dates: Feb 5-26 Mondays at 9:30pm (4 - 1 hour)

Matt Miller - Reverse Engineering course

More advanced, still working on details with him (no promises yet)


Michael Gough - Malware Archaeology

Austin - Feb or March - 1 Day Logging training - see AustinISSA.Org

Houston - April 3rd - 1 Day - HouSecCon

Preparing and Responding to an endpoint incident, what to configure, and look for

Tulsa - April 11-12th - 2 Days - BSides Oklahoma

Introduction to responding to an endpoint incident, Malware Discovery, what to configure, and look for


Job postings on our Slack

Sr. Manager, Vuln Mgmt, Amazon (Herndon, VA)

Michael Fourdraine @mfourdraine has several positions on his team in Bellevue, WA

He’s on Twitter (https://twitter.com/mfourdraine) or join us in our Slack

Many positions he has will relocate you to lovely Bellevue, WA

MG just posted “James Avery Information Security Manager”


Teaching a mentor course in Seattle (SEC504) starting March 1st.

Sign up: https://www.sans.org/mentor/class/sec504-seattle-01mar2018-bryan-brake

Great if you work a job where you get called a lot

Less likely to have to get up during class and walk away…


Bit of a technical discussion - PTF (pentester framework)

Setup, install software

Lighter than Kali

Works on debian, ubuntu, pretty much any linux


Slack

Invite only

Slack bot died

A new link every month is a bit of a PITA

Being popular invites bots… would like to reduce that risk by broadcasting an invite


Friend of mine was invited to speak on “A man’s view of women in technology” O.o (http://www.cmhwit.org/)

“ John ---- Actually, my plan at this point is to interview several of the successful woman I know in technology, followed by personal observations of how I've seen them become well respected leaders in the field.”

2017-SPECIAL005-End of year Podcast with podcasters

Dec 23, 2017 01:25:50

Description:

As is tradition (or becoming around here) we like to get a bunch of podcasters together and just talk about our year. No prognostications, a bit of silliness, and we still manage to get in some great infosec content.

Please enjoy! And please seek out these podcasts and have a listen!

Slight warning: some rough language

People and podcasts in attendance:

Tracy Maleef (@infosecSherpa)

Purple Squad Security Podcast (@purpleSquadSec) -

John Svazic (@JohnsNotHere)

Advanced Persistent Security (@advpersistsec) - Joe Gray (@C_3PJoe)

Danny Akacki (@dakacki) - RallySec Podcast (@rallysec)

Nate L (@gangrif) - Iron Sysadmin Podcast (@ironsysadmin)

 

*NEW* we are now on Spotify!: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Sign up at 

https://brakesec.com/Dec2017BrakeSlack

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

From our friends at Hack In the Box Amsterdam:

"We are gearing up for the Hack In The Box Amsterdam 2018, which is now on its 9th edition, and will take place between the 9th and 13th April at the same venue as last year, the Grand Krasnapolsky hotel in the center of Amsterdam: https://conference.hitb.org/hitbsecconf2018ams/ The list of trainings is already published and looking as awesome as ever: https://conference.hitb.org/hitbsecconf2018ams/training .  The CFP is open and the review board is already hard at work with the first submissions."     "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 9 and 13 April 2018. The Call For Papers is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount".

2017-042-Jay beale, Hushcon, Apple 0Day, and BsidesWLG audio

Dec 16, 2017 01:06:30

Description:

Ms. Berlin and Mr. Boettcher are on holiday this week, and I (Bryan) went to Hushcon (www.hushcon.com) last week (8-9 Dec 2017). Lots of excellent discussion and talks.

While there, our friend Jay Beale (@jaybeale) came on to discuss Hushcon, as well as some recent news. 

Google released an 0day for Apple iOS, and we talk about how jailbreaking repos seem to be shuttering, because there have not been as many as vulns found to allow for jailbreaking iDevices.

We also went back and discussed some highlights of the DFIR hierarchy show last week (https://brakesec.com/2017-041) and some of the real world examples of someone who has seen it on a regular basis. Jay's insights are something you shouldn't miss

Finally, Ms. Berlin went to New Zealand and gave a couple of talks at Bsides Wellington (@bsideswlg). She interviewed Chris Blunt (https://twitter.com/chrisblunt) and "Olly the Ninja" (https://twitter.com/Ollytheninja) about what makes a good con. 

 

Direct Link: https://brakesec.com/2017-042

*NEW* we are now on Spotify!: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Sign up at 

https://brakesec.com/Dec2017BrakeSlack

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

From our friends at Hack In the Box Amsterdam:

"We are gearing up for the Hack In The Box Amsterdam 2018, which is now on its 9th edition, and will take place between the 9th and 13th April at the same venue as last year, the Grand Krasnapolsky hotel in the center of Amsterdam: https://conference.hitb.org/hitbsecconf2018ams/ The list of trainings is already published and looking as awesome as ever: https://conference.hitb.org/hitbsecconf2018ams/training .  The CFP is open and the review board is already hard at work with the first submissions."     "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 9 and 13 April 2018. The Call For Papers is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount".

 

 

 

 

--Show Notes--

 

https://github.com/int0x80/githump

 

http://ptrarchive.com/

 

https://hunter.io/

 

https://www.data.com/

 

https://techcrunch.com/2017/11/27/ios-jailbreak-repositories-close-as-user-interest-wanes/

https://securelist.com/unraveling-the-lamberts-toolkit/77990/

 

2017-041- DFIR Hierarchy of Needs, and new malware attacks

Dec 8, 2017 01:02:18

Description:

Maslow's Hierarchy of needs was developed with the idea that the most basic needs should be satisfied to allow for continued successful development of the person and the community inevitably created by people seeking the same goals.

DFIR is also much the same way in that there are certain necessary basics needed to ensure that you can detect, respond, and reduce possible damage inflicted by an attack.

In my searching, we saw a tweet about a #github from Matt Swann (@MSwannMSFT) with just such a ' #DFIR hierarchy of needs'. We discuss everything that is needed to build out a proper DFIR program.

Mr. Boettcher discusses with us the latest #malware trends, using existing compromised emails to spread using threaded emails.

 

 

Direct Download Link: https://brakesec.com/2017-041

*NEW* we are now on Spotify!: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Sign up at 

https://brakesec.com/Dec2017BrakeSlack

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS 

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

--Show Notes--

 

Malware report

 

https://www.lastline.com/labsblog/when-scriptlets-attack-excels-alternative-to-dde-code-execution/

 

https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html

 

https://github.com/swannman/ircapabilities -  DFIR Hierarchy

 

Based on Maslow’s Hierarchy of needs: https://en.wikipedia.org/wiki/Maslow's_hierarchy_of_needs

Requirements must be met before you can move on.

It’s not perfect, but gives a general idea of how needs should be met.

 

 

2017-040-Expensify_privacy_issues-Something_is_rotten_at_Apple

Dec 1, 2017 47:29

Description:

With Mr. Boettcher out this week due to family illness, Ms. Berlin and I discussed a little bit of what is going on in the world.

Expensify unveiled a new 'feature' where random people would help train their AI to better analyze receipts. Problem is that the random people could see medical receipts, hotel bills, and other PII. We discuss how they allowed this and the press surrounding it. We also discuss why these kinds of issues are prime reasons to do periodic vendor reviews.

Our second story was on Apple's "passwordless root" account. We talk about the steps to mitigate it, why it was allowed to happen, and why the most straight forward methods of dealing with something like this may not always be the best way.

 

 

Direct Link: https://brakesec.com/2017-040

 

*NEW* we are now on Spotify!: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Sign up at 

https://brakesec.com/Dec2017BrakeSlack

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

 

---Show Notes---

Agenda:

Trip report from Amanda to New Zealand

Did we talk about Amanda’s appearance on PSW?

 

Discuss last week’s show about custom training

Comments? Suggestions for custom training solutions?

 

https://www.sans.org/mentor/class/sec504-seattle-01mar2018-bryan-brake

Expensify -

https://www.wired.com/story/not-always-ai-that-sifts-through-sensitive-info-crowdsourced-labor/

https://www.theverge.com/2017/11/28/16703962/expensify-receipts-amazon-turk-privacy-controversy

 

How is this different than like a medical transcriptionist?

Don’t you go in and modify the receipts yourself? Or is that a feature you can force?

 

It’s a privacy issue.

Hotel receipts, boarding passes, even medical receipts

 

Turn off ‘smart scan’?

Many companies like using it, and some will only accept smart scanned receipts

Fat fingering receipts isn’t ‘cool’

Snap a photo, move along

 

Expensify is global, and could have wide reaching effects for this new ‘feature’...

Expensify used Mechanical Turk, a ‘human intelligence tasks’

Micropayments to do menial tasks

 

Example of why periodic review of your 3rd parties is necessary

New ‘features’ = new nightmares

Privacy requirements change

Functionality not in alignment with your business goals

Apple ‘passwordless root’

http://appleinsider.com/articles/17/11/29/apple-issues-macos-high-sierra-update-to-fix-password-less-root-vulnerability

 

HIgh Sierra before today (29 November 2017) had the ability to login as root with no password…

That is a problem… Original Tweet: https://twitter.com/lemiorhan/status/935578694541770752

 

It also works on remote services, like ARD (apple remote desktop), and file shares…

Rolling IR

Was it necessary?

Serious, yes

Was discovered two weeks prior https://forums.developer.apple.com/thread/79235

Dev (chethan177) on the forum “didn’t realize it was a security issue”

 

Easy enough fix  (Bryan IR story)

Open Terminal

Sudo passwd root

Change password

 

Do you trust users to do that? Not across a large enterprise

 

2017-039-creating custom training for your org, and audio from SANS Berlin!

Nov 24, 2017 43:13

Description:

This week is a bit of a short show, as Ms. Berlin and Mr. Boettcher are out this week for the holiday.  

I wanted to talk about something that I've started doing at work... Creating training... custom training that can help your org get around the old style training.

 

Also, we got some community audio from one of our listeners! "JB" went to a SANS event in Berlin, Germany a few weeks ago, and talked to some attendees, as well as Heather Mahalick (@HeatherMahalik), instructor of the FOR585 FOR585: Advanced Smartphone Forensics"

Take a listen and we hope you enjoy it!

 

Direct Link: https://brakesec.com/2017-039

 

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Sign up at 

http://brakesec.com/brakesec

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

---Show notes (from Bryan and JB)---

 

Ms. Berlin in New Zealand

 

Mr. Boettcher with the family

 

Training

 

What makes us despise training so much?

Cookie cutter

Scenarios do not match environments

Speaking is a little too perfect

Flash based

UI is horrible

Outdated

Easy questions

 

Infosec training is worse

2 hours of training each year

Not effective

 

Why not make your own?

Been doing it at work

No more than 7 minutes

Custom made

Tailored for your own company

 

Do you training like a talk at a con

Time limit: 7 (no more than 10 minutes)

Create some slides (5-7 slides)

Do it on a timely topic

Recent tabletop exercise results

Recent incident response

Phishing campaign

Script or no-script required

Sometimes talking plainly can be enough

 

https://screencast-o-matic.com/ - Windows (free version is 7 minutes long)

Quicktime - OSX (free) (Screenflow)

Handbrake (convert to MKV or MP4)

Microphone (can use internal microphones if you have a quiet place)


[begin notes: SANS Berlin REMOTE segment]
corresp. JB

reach jb at
(@cherokeejb_) on brakesec slack, twitter, & infosec.exchange


--link to all trainers and info from archive SANS Berlin 2017 https://www.sans.org/event/berlin-2017/


--pre-NetWars chat with the SEC 503 class:
-what do you like about SANS conference
-european privacy laws, even country to country!
-biggest priority for next year:  building a SOC, working together with sales, asset management, constant improvement, password reuse

--special BrakeSec members only cameo


--“bring your own device” interview with an Information Security/forensics professional
password elimination or no reuse


--interview with Heather Mahalik (@HeatherMahalik)
Bio https://www.sans.org/instructors/heather-mahalik
-“game over” whatsapp, unpatched android, other known-historically weak tools as “assume breach of mobile”
-interesection of network forensics and mobile
-open source tools and the lack of, how to judge your tools
-Heather’s recent blog
-getting into mobile, decompiling, etc.
-number one topic for next year:  encryption for Andriod 8 Oreo, iOS 12
-“most popular android is still v4.4”

Heather’s blog we mentioned
http://smarterforensics.com

link to the book Heather mentioned:
https://www.amazon.com/Practical-Mobile-Forensics-Heather-Mahalik/dp/1786464209/


--link to blog mentioned, jb’s initial reflections on SEC 503

https://www.linkedin.com/pulse/whaaaa0101-0000-0011t-aka-extracting-files-out-pcaps-foremost
JBs blog main link, or if you’re not a fan of linkedin
https://cherokeejb.blogspot.de/

small featured music clips used with permission from YGAM Records, Berlin
“Ж” by the artist Ōtone (Pablo Discerens), (c)(p)2016
Get it for free or donate at http://ygam.bandcamp.com !

book club EMEA!:
message JB or David (@dpcybuck) or any of us on brakesec slack if you want to take part in the book club conversations live, but can’t make the main call !


--
-
[end segment]

 

2017-038- Michael De Libero discusses building out your AppSec Team

Nov 16, 2017 56:10

Description:

Direct Link: https://brakesec.com/2017-038

 

Michael De Libero spends his work hours running an application security team at a gaming development company. I (Bryan) was really impressed at the last NCC Group Quarterly meetup when he gave a talk (not recorded) about how to properly build out your Application Security Team.

So I asked him on, and we went over the highlights of his talk. Some of the topics included:

Discussing with management your manpower issues

Who to include in your team

Communication between teams

 

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Sign up at 

http://brakesec.com/brakesec

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

 

 

 

----SHOW NOTES:

 

Amanda’s appearance on PSW

 

Building an AppSec Team - Michael de Libero (@noskillz)

 

https://techbeacon.com/owasp-top-ten-update-what-your-security-team-needs-know\

 

https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

 

https://www.veracode.com/blog/2012/02/how-to-build-an-appsec-training-program-for-development-teams-a-conversation-with-fred-pinkett

 

Need link to Michael’s slides -- https://docs.google.com/presentation/d/1Bvl2rybuWMdOu3cs03U85zwAvrM1RNxv99Dt-YiGiys/edit?usp=sharing

 

Random Notes from Mike:

Hiring WebApps vs More traditional apps Release cycles differ Tech stacks can often differ Orgs are different Etc… Testing-focus vs. “security health” Role of management Managing a “remote” team Handling incoming requests from other teams

 

How do you sell a company on having an appsec team if they don’t have one?

 

If you have an existing ‘security team’, how easily is it to augment that into an appsec team?

Can you do job rotation with some devs?

Do devs care enough to want to do code audits

“That’s not in my job description”

 

Skills needed in an appsec team

Does it depend on the tech used, or the tech you might use?

 

Internal security vs. consultants

 

Intro to RE course with Tyler Hudak

 

Bsides Wellington speaker Amanda Berlin

2017-037 - Asset management techniques, and it's importance, DDE malware

Nov 8, 2017 52:29

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-037-asset_management.mp3

We started off the show talking to Mr. Boettcher about what DDE is and how malware is using this super legacy Windows component (found in Windows 2) to propogate malware in MS Office docs and spreadsheets. We also talk about how to protect your Windows users from this.

We then get into discussing why it's so important to have proper asset management in place. Without knowing what is in your environment, you could suffer gaps in coverage of your anti-virus/EDR software, unable to patch systems properly and even make it easier for lateral movement.

Finally, we discuss our recent "Introduction to Reverse Engineering" course with Tyler Hudak (@secshoggoth), and Ms. Berlin's upcoming trip to New Zealand.

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.slack.com/join/shared_invite/enQtMjY2NDAyMzgxNjAwLWFjZTc1YzVlYWExM2U5ZjhiNDYwZTIzN2UxNjM1OWIwYzBkMjgzYmY4ZjA2MzViNzQ2ZTUzMGQ2YWYwYWY3NTM or DM us on Twitter, or email us.

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

SHOW NOTES:

 

Oreilly con report

Malware report from Mr. Boettcher

DDE (Dynamic Data Exchange), all the rage

https://en.wikipedia.org/wiki/Windows_2.0

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27325/en_US/McAfee_Labs_Threat_Advisory-W97MMacroLess.pdf

http://home.bt.com/tech-gadgets/computing/10-facts-about-windows-2-11364027546216

https://www.ghacks.net/2017/10/23/disable-office-ddeauto-to-mitigate-attacks/

 

Why asset management?

Know what’s in your environment

CIS Top 20...no wait, it’s the TOP THREE of the 20.

It all builds on this…

Know what’s in your environment

http://www.open-audit.org/

https://metacpan.org/pod/App::Netdisco

2017-036-Adam Shostack talks about threat modeling, and how to do it properly

Oct 30, 2017 01:34:54

Description:

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3

Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly.

We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using.

Mr. Boettcher asks how to handle when people believe an OS is better than another, how to do threat modeling to decide which OS should be the one to use.

 

Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto).

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

SHOW NOTES:

 

Ideas and suggestions here:

 

Start with “What is threat modeling?”   What is it, why do people do it, why do organizations do it?

What happens when it’s not done effectively, or at all?

 

At what point in the SDLC should threat modeling be employed?

Planning?

Development?

Can threat models be modified when new features/functionality gets added?

Otherwise, are these just to ‘check a compliance box’?

Data flow diagram (example) -

 

process flow

External entities

Process

Multiple Processes

Data Store

Data Flow

Privilege Boundary

 

Classification of threats-

STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security)

DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)

PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf

Trike -  http://octotrike.org/

 

https://en.wikipedia.org/wiki/Johari_window

 

Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf

 

Escalation Of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303

 

NIST CyberSecurity Framework: https://www.nist.gov/cyberframework

 

Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx

Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx

Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx

OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling

OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon

Emergent Design:  https://adam.shostack.org/blog/2017/10/emergent-design-issues/

 

https://www.researchgate.net/profile/William_Yurcik/publication/228634178_Threat_Modeling_as_a_Basis_for_Security_Requirements/links/02bfe50d2367e32088000000.pdf

 

Robert Hurlbut (workshop presenter at SourceCon Seattle) https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source)

 

Adam’s Threat modeling book

http://amzn.to/2z2cNI1 -- sponsored link

https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/ref=mt_paperback?_encoding=UTF8&me=

 

Is the book still applicable?

New book

 

What traps do people fall into?  Attacker-centered, asset-centered approaches


Close with “how do I get started on threat modeling?”

SecShoggoth’s Class “intro to Re”

Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model

2017-SPECIAL004- SOURCE Conference Seattle 2017

Oct 22, 2017 48:09

Description:

After last year's SOURCE Conference, I knew I needed to go again, not just because it was a local (Seattle) infosec conference, but because of the caliber of speakers and the range of topics that were going to be covered.

I got audio from two of the speakers at the SOURCE conference (@sourceconf) on Twitter

Lee Fisher and Paul English from PreOS Security about UEFI security and methods to secure your devices  https://preossec.com/

 

Joe Basirico discusses the proper environment to get the best out of your bug bounty program. 

points from his abstract:

Bug Bounty Programs - Why you want to invite security researchers to hack your products

Marketing your Security Program - How and why to market your security program. What to say, how to say it, and where to say it for maximum effectiveness.

How to Communicate with Security Researchers - What are security researchers expecting in communication, responsiveness, transparency, and time to fix.

 

Source conference YouTube Channel:  https://www.youtube.com/channel/UCAPQk1fH2A4pzYjwTCt5-dw/videos (2017 is not available yet, but all talk from 2008-2015 is available)

agenda of the talks that occurred at Source Seattle 2017 

https://www.sourceconference.com/seattle-2017-agenda

https://www.sourceconference.com/copy-of-seattle-2016-agenda-details

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2017-035-Business_Continuity-After_the_disaster

Oct 16, 2017 59:20

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-035-business_continuity-After_the_disaster.mp3

 

We are back this week after a bit of time off, and we getting right back into it...

What happens after you enact your business continuity plan? Many times, it can cause you to have to change processes, procedures... you may not even be doing business in the same country or datacenter, and you may be needing to change the way business is done.

We also talk a bit about 3rd party vendor reviews, and what would happen if your 3rd party doesn't have a proper plan in place.

Finally, we discuss the upcoming #reverseEngineering course starting on 30 October 2017 with Tyler Hudak, as well some upcoming appearances for Ms. Berlin at SecureWV, GrrCon, and Bsides Wellington, #newZealand

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---SHOW NOTES---

You have enacted your BC/DR plan

Step 1. Panic

Step 2. Panic more, or let your management panic

Step 3. Follow the plan… you do have a plan, right?

 

Enacting a BC/DR plan

RPO/RTO - https://www.druva.com/blog/understanding-rpo-and-rto/

 

Recovery Point Objective (RPO) describes the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan’s maximum allowable threshold or “tolerance.”

 

https://en.wikipedia.org/wiki/Recovery_point_objective

 

Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.

 

https://en.wikipedia.org/wiki/Recovery_time_objective

 

https://uptime.is/99.99

 

Excerpt from "Defensive Security Handbook" -

Buy from Amazon (sponsored link):  http://amzn.to/2zcmWBY

Recovery Point Objective

 

The recovery point objective (RPO) is the point in time that you wish to recover to. That is, determining if you need to be able to recover data right up until seconds before the disaster strikes, or whether the night before is acceptable, or the week before, for example. This does not take into account of how long it takes to make this recovery, only the point in time from which you will be resuming once recovery has been made. There is a tendency to jump straight to seconds before the incident; however, the shorter the RPO, the more the costs and complexity will invariably move upwards.

Recovery Time Objective

 

The recovery time objective (RTO) is how long it takes to recover, taken irrespective of the RPO. That is, after the disaster, how long until you have recovered to the point determined by the RPO.

 

To illustrate with an example, if you operate a server that hosts your brochureware website, the primary goal is probably going to be rapidly returning the server to operational use. If the content is a day old it is probably not as much of a problem as if the system held financial transactions whereby the availability of recent transactions is important. In this case an outage of an hour may be tolerable, with data no older than one day once recovered.

 

In this case the RPO would be one day, and the RTO would be one hour.

 

There is often a temptation for someone from a technology department to set these times; however, it should be driven by the business owners of systems. This is for multiple reasons:

 

It is often hard to justify the cost of DR solutions. Allowing the business to set requirements, and potentially reset requirements if costs are too high, not only enables informed decisions regarding targets, but also reduces the chances of unrealistic expectations on recovery times.

 

IT people may understand the technologies involved, but do not always have the correct perspective to make a determination as to what the business’ priorities are in such a situation.

 

The involvement of the business in the DR and BCP plans eases the process of discussing budget and expectations for these solutions.

 

RPO should be determined when working through a Business impact analysis (BIA)

https://www.ready.gov/business-impact-analysis

 

https://www.fema.gov/media-library/assets/documents/89526

 

There is always a gap between the actuals (RTA/RPA) and objectives

After an incident or disaster, a ‘Lessons Learned’ should identify shortcomings and adjust accordingly.

This may also affect contracts, or customers may require re-negotiation of their RTO/RPO requirements

 

If something happens 4 hours after a backup, and you have an hour until the next backup, you have to reconcile the lost information, or take it as a loss

Loss = profits lost, fines for SLAs

 

You may not be doing the same after the disaster. New processes, procedures

 

https://www.bleepingcomputer.com/news/security/fedex-says-some-damage-from-notpetya-ransomware-may-be-permanent/

Ms. Berlin’s appearances

Grrcon - http://grrcon.com/

 

Hack3rcon/SecureWV -  http://securewv.com/

 

Oreilly Conference - https://conferences.oreilly.com/security/sec-ny/public/schedule/detail/61290

Experts Table?

 

Bsides Wellington (sold-out)

----

CLASS INFORMATION

Introduction to Reverse Engineering with Tyler Hudak

Starts on 30 October - 20 November

4 Mondays

Sign up on our Patreon (charged twice, half when you sign up, half again when 1 November happens

2017-SPECIAL003-Audio from Derbycon 2017!

Oct 8, 2017 01:15:06

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-SPECIAL003-Derbycon_audio.mp3

Mr. Boettcher, Ms. Berlin, and I went to Derbycon. In addition to the podcast with podcasters we did during the 3 days, I managed to grab another whole hour of audio from various people at the conference, just to give you an idea of the vibe of the conference, in case you were unable to attend.

 

We talked to the FOOOLs (http://www.bloomingtonfools.org/), and how they have done the lockpick village for the last 7 years.

We talk to Ms. Wynter (@sec_she_lady) about her experiences at her first Derbycon.

Mr. Matt Miller (@milhous30) talked about some of his #reverse #engineering challenges that were in the #Derbycon #CTF

Lots of great talks happened there this year, check them all out over on @irongeek's site (http://www.irongeek.com/i.php?page=videos/derbycon7/mainlist)

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2017-034-Preston_Pierce, recruiting, job_descriptions

Oct 2, 2017 01:02:06

Description:

*Apologies for the continuity this was recorded before we went to Derbycon 2017.*

 

Preston Pierce is a recruiter. We wanted to have him on to discuss some issues with our industry. So we had him on to discuss hiring practices, how a recruiter can help a company recruiter better talent, and how to stop companies looking for the 'unicorn' candidate.

Preston is a great guy and we learned a lot about how the recruiting process works, and how Preston's company work differently from other, less reputable companies.

We also discuss job descriptions, getting management buy in for a good candidate, and more. 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-034-Preston_Pierce_recruiting_job_descriptions.mp3

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 Show Notes:

 

https://news.slashdot.org/story/17/09/01/1729237/us-employers-struggle-to-match-workers-with-open-jobs

 

Blueteamers

 

Looking at job descriptions,

Fix if outdated or unnecessary

 

Managers

 

Be realistic about expectations

 

Recruiters

 

Better research of people

Discuss realistic demands from customers

 

You

Update your LinkedIn removing overly generalized terms (healthcare, for example)

When should you reach out to a recruiter? Right away? After you’ve already completed some leg work?

Companies do a poor job of marketing for their current openings.

2017-SPECIAL002-Derbycon-podcast with podcasters (NSF Kids/Work)

Sep 27, 2017 01:18:31

Description:

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-SPECIAL002-Derbycon-Podcast_with_podcasters.mp3

 

SUPER NOT SAFE for kids (and probably adults, come to think of it). Really this is just us riffing about derbycon (and I really love @oncee, and wished I'd gone to his stable talk (which you can listen/watch here: http://www.irongeek.com/i.php?page=videos/derbycon7/s07-the-skills-gap-how-can-we-fix-it-bill-gardner)

We actually did talk about the skills gap, resume workshop held at Derbycon, and so much else. 

 

If you haven't been to Derbycon, you should definitely make plans now to attend...

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2017-033- Zane Lackey, Inserting security into your DevOps environment

Sep 18, 2017 01:00:36

Description:

Zane Lackey (@zanelackey on Twitter) loves discussing how to make the DevOps, and the DevSecOps (or is it 'SecDevOps'... 'DevOpsSec'?)

So we talk to him about the best places to get the most bang for your buck getting security into your new DevOps environment. What is the best way to do that? Have a listen...

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-033-Zane_Lackey_inserting_security_into_your_DevOps.mp3

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

--SHOW NOTES--

 

Security shifts from being a gatekeeper to enabling teams to be secure by default

Require a culture shift

Should that be implemented before the shift to CI/CD, or are we talking ‘indiana jones and the rock in the temple’?


How?

Secure coding?

Hardening boxes/Systems?

 

If it’s just dev -> prod, where does security have the chance to find issues (i.e. test and QA belong there)?

 

We used to have the ability for a lot of security injection points, but no longer

 

Lowers the number of people we have to harangue to be secure…?

 

Security success = baked in to DevOps

 

Shift from a ‘top down’ to ‘bottom up’

Eliminate FPs, and forward on real issues to devs

Concentrate on one or two types of vulnerabilities

Triage vulns from most important to least important

 

Go for ‘quick wins’, or things that don’t take a lot of time for devs to fix.

Grepping for ‘system(), or execve()’

Primitives (hashing, encryption, file system operations)

How do you stop a build going to production if it’s going out like that?

Do we allow insecurity to go to Production?

Or would it be too late to ‘stop the presses’?

“We’ll fix it in post…”


Instead of the ‘guardrail not speedbump’ you are the driving instructor...

 

But where does security get in to be able to talk to devs about data flow, documentation of processes?

5 Y’s - Why are you doing that?

 

Setup things like alerting on git repos, especially for sensitive code

Changing a sensitive bit of code or file may notify people

Will make people think before making changes

Put controls in terms of how they enable velocity

 

You like you some bug bounties, why?

 

Continuous feedback

 

Learn to find/detect attackers as early in the attack chain

 

Refine your vuln triage/response

 

Use bug reports as IR/DFIR...

 

https://www.youtube.com/watch?v=ORtYTDSmi4U

 

https://www.slideshare.net/zanelackey/how-to-adapt-the-sdlc-to-the-era-of-devsecops

 

http://www.slideshare.net/zanelackey/building-a-modern-security-engineering-organization

 

 

 

In SAST, a modern way to decide what to test is start with a small critical vuln, like OS command injection.  Find those and get people to fix it.  BUT don’t developers or project teams get unhappy [sic] if you keep "moving the goal post" as you add in the next SAST test and the next SAST test.  How do you do that and not piss people off?

 

[15:16]

How do you make development teams self sufficient when it comes to writing a secure application?  Security is a road block during a 3 month release schedule….getting "security approval" in a 3 day release cycle is impossible.

 

[15:17]

But then…what is the job for the security team?  If DevOps with security is done right, do you still need a security team, if so what do they do????  Do they write more code???

I don't think your Dev'ops'ing security out of a job...but where does security see itself in 5 years?

Last one if there is time and interest.  If Zane Lackey was a _maintainer_ of an open source project, what dev ops sec lessons would he apply to that dev model…to the OpenSource model?

(We've got internal projects managed with the open source model...so im interested in this one)

Even with out any of those questions the topics he covered in his black hat talk are FULL of content to talk about.  Heck, even bug bounties are a topic of conversation.

The idea of a feedback loop to dev...where an application under attack in a pen test can do fixes live....how that is possible is loads of content.

 

2017-032-incident response tabletops, equifax breach

Sep 12, 2017 47:38

Description:

Everyone should be doing incident response tabletops, even if it's not a dedicated task in your organization. It allows you to find out what you might be lacking in terms of processes, manpower, requirements, etc.

This week, we discuss what you need to do to get ready for one, and how those should go in terms of helping your organization understand how to handle the aftermath.

And in case you've been under a rock, #equifax was breached.  143 million credit records are in the ether. We discuss the facts as of 9 September 2017, and what this means to the average user.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-032-incident_response-equifax-done2.mp3

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

 

---SHOW NOTES---

Incident response

 

Must go beyond ‘threats’.

What is in your environment

Struts aren’t a threat, or are they?

Equifax didn’t think so at the time…

Insider threat

External entities

Libraries

plugins/themes used (Wordpress)

 

Risk analysis

Qualitative

Quantitative

 

What makes a good incident response exercise (

 

 

 

Following the creation and implementation of security controls around use cases, can be the testing of tabletop exercises and drills as a proof of concept. A tabletop exercise is a meeting of key stakeholders and staff that walk step by step through the mitigation of some type of disaster, malfunction, attack, or other emergency in a low stress situation. A drill is when staff carries out as many of the processes, procedures, and mitigations that would be performed during one of the emergencies as possible.
While drills are limited in scope, they can be very useful to test specific controls for gaps and possible improvements. A disaster recovery plan can be carried out to some length, backups can be tested with the restoration of files, and services can be failed over to secondary cluster members.
Tabletop exercises are composed of several key groups or members.


During a tabletop exercise there should be a moderator or facilitator that will deliver the scenario to be played out. This moderator can answer “what if ” questions about the imaginary emergency as well as lead discussion, pull in additional resources, and control the pace of the exercise. Inform the participants that it is perfectly acceptable to not have answers to questions during this exercise. The entire purpose of tabletops is to find the weaknesses in current processes to mitigate them prior to an actual incident.
• A member of the exercise should also evaluate the overall performance of the exercise as well as create an after-action report. This evaluator should take meticulous notes as well as follow along any runbook to ensure accuracy. While the evaluator will be the main notetaker, other groups and individuals may have specific knowledge and understanding of situations. In this case having each member provide the evaluator with their own notes at the conclusion of the tabletop is a good step.
• Participants make up the majority of this exercise. Included should be groups such as Finance, HR, Legal, Security (both physical and information), Management, Marketing, and any other key group that may be required. Participants should be willing to engage in the conversation, challenge themselves and others politely, and work within the parameters of the exercise.


What to include in the tabletop:
• A handout to participants with the scenario and room for notes.
• Current runbook of how security situations are handled.
• Any policy and procedure manuals.
• List of tools and external services.


Post-exercise actions and questions:
• What went well?
• What could have gone better?
• Are any services or processes missing that would have improved resolution time or accuracy?
• Are any steps unneeded or irrelevant?
• Identify and document issues for corrective action.
• Change the plan appropriately for next time.


Tabletop Template
The Federal Emergency Management Agency (FEMA) has a collection of different scenarios, presentations, and tabletops that can be used as templates.

 

Derbycon channel on Slack

Intro to RE class

 

https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

 

https://hackernoon.com/a-series-of-unfortunate-events-or-how-equifax-fire-eye-threw-oil-on-the-fire-c19285f866ed

2017-031-Robert_Sell-Defcon_SE_CTF-OSINT_source

Sep 4, 2017 01:03:47

Description:

This week, we met up with Robert Sell to discuss competing in the DefCon Social Engineering CTF. You're gonna learn how he prepared for the competition, and learn about some of the tactics you could use to compete in future SE CTF events.

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-031-Robert_Sell-Defcon-SE-CTF.mp3

 

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2017-030-Vulnerability OSINT, derbycon CTF walkthrough, and bsides Wellington!

Aug 29, 2017 52:37

Description:

This week, we discuss the lack of information and where you might find more information about certain vulnerabilities. Seems like many companies fail to give out necessary and actionable information without paying an arm and a leg.

We also go over our DerbyCon CTF walkthrough, and discuss the steps to solve it.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-030-vulnerability_OSINT-derbycon_CTF_walkthrough.mp3 

 

Ms. Berlin is going to be at Bsides Wellington!  Get your Tickets NOW!

https://twitter.com/bsideswlg

https://www.bsides.nz/

 

 

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

--show notes--

 

NCC group talks in Seattle

NIST guidelines - no security questions, no SMS based 2fa

 

Vuln OSINT

 

Sites have information like Spokeo…

Breadcrumbs

 

Take Java for example (CVE-2017-10102): info is sparse

Other sites have more

https://tools.cisco.com/security/center/viewAlert.x?alertId=54521 - worse than Oracle’s site (impressive crappery)

Some are better: RHEL is fairly decent

https://access.redhat.com/errata/RHSA-2017:2424

Ubuntu has some different tidbits

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10102.html

Arch has info

https://security.archlinux.org/CVE-2017-10102

Point is, just because you use a specific OS, don’t limit yourself… other OSes may contain more technical info. Some maintainers like to dig, like you.

 

https://vuldb.com/ - gives value of finding such a PoC for a vuln (5-25K USD for 2017-10102)

 

Derbycon CTF walkthrough

 

Looking for an instructor for an ‘intro to RE’ course.

Dr. Pulaski = Diana Maldaur

Dr. Crusher = Gates McFadden

 

2017-029-CIS benchmarks, Windows Update reverts changes used to detect malware

Aug 20, 2017 01:17:41

Description:

This week was one heck of a show. If you are a blueteamer and make use of the "Windows Logging Cheat Sheet", you are no doubt aware of how important it is to log certain events, and to set hostile conditions to make malware/Trojans/virus have a harder time avoiding detection.

What if I told you the same updates we suggested last week to NEVER delay actually undoes all your hardening on your system and leaves your logfiles set to defaults, all file associations for suspect files like pif, bat, scr, bin, are set back to defaults, allow your users to be victims again, even after you've assured them they are safe to update?

After a sequence of tweets from Michael Gough about just this exact thing, we laid out all the information, how and what get reverted that will open you back up to possible infections, as well as how some hardening standards actually make it harder to be secure.

Finally, we discuss the CIS benchmarks, and how many of the settings in them are largely outdated and why they need to be updated.

 

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-029-windows_updates_clobbers_security__settings_CIS_hardening_needs_an_update.mp3

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

--SHOW NOTES--

 

Gough says ‘something is bad about CIS’

 

CIS benchmarks need revamping -- BrBr

/var, /var/log in separate partitions?

Password to access grub?

Disable root login to serial pty?

Many cloud instances and VMs don’t have serial ports (not in a traditional sense)

 

What’s the use case for using them? What problem will they solve?

Misconfiguration?

Proper logging?

NTP sources?

 

So many, dilution possible

SCAP

OVAL

STIG (complex as well)

CIS

 

Infosec: how do we get IT past the “that’s good enough”, as many customers and compliance frameworks want to see ‘hardening’ done.

What is a good baseline?

Write your own?

 

How do we tell them that it’s not going to stop ‘bad guys’ ( or anyone really)? It’s not ‘security’, and it’s technically not even ‘best practices’ anymore (not all of it, anyway)

On windows, they are needlessly complicated and cause more problems

Roles have to be created “backup admin”

Can cause unintended issues

 

https://twitter.com/HackerHurricane/status/898629567056797696

 

https://twitter.com/HackerHurricane/status/892838553528479745

 

Category            Sub Category                                      7/2008  8.1     2012    Win-7   Win-8.1 WLCS    ThisPC  Notes

 

Detailed Tracking   Process Termination                       NA      NA      NA      NA      NA      S/F     S

Object Access       File Share                                           NA      NA      NA      NA      NA      S/F     S/F    

Object Access       File System                                         NA      NA      NA      F       NA         S       S/F    

Object Access       Filtering Platform Connection           NA      NA      NA      NA      NA      S       S      

Object Access       Filtering Platform Packet Drop          NA      NA      NA      NA      NA      NA      NA

 

Log Sizes:

-------------

Security - 1 GB

Application – 256MB

System – 256MB

PowerShell/Operational – 512MB – 1 GB v5

Windows PowerShell – 256MB

TaskScheduler – 256MB

 

Log Process Command Line                                             (5)     (5)     (5)     (5)     (5)     Yes     Yes

-------------------------------------------------------------------------------------------------------------------------

PowerShell Logging v5                                                    (5)     (5)     (5)     (5)     (5)     Yes     Yes

-------------------------------------------------------------------------------------------------------------------------

TaskScheduler Log                                                          (5)     (5)     (5)     (5)     (5)     (1)     Yes

-----------------------------------------------------------------------------------------------------------------

 

(5) - CIS Benchmarks, USGCB, and AU ACSC do not cover this critical auditing item

2017-028-disabling WU?, Comcast wireless hack, and was it irresponsible disclosure?

Aug 13, 2017 54:45

Description:

 This week went in a different direction from what we normally do. We discussed some news, a twitter conversation about someone from the 'ahem' "media" that suggests that you disable Windows Update on your home devices. We discuss the pros and mostly cons of doing that, and alternatives to protect your home and work devices from that.

We talked about the Comcast Xfinity applicances and how they have a vulnerability that could make it appear that traffic created by people outside of your house could look like it was coming from your home network.

We discuss the public disclosure of Carbon Black's architecture and seeming sharing of customer events to 3rd parties... it's not all black and white, and we discuss those here.

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

---SHOW NOTES---

Twitter discussion -

https://twitter.com/Computerworld/status/894611609355603968

 

http://www.computerworld.com/article/3214146/microsoft-windows/it-s-time-to-check-your-windows-machines-and-temporarily-turn-off-automatic-update.html

 

[sic] “tons of problems with Automatic Update patches so far this year”

[sic] “if you’re savvy enough to be reading this, you should consider turning Auto Update off, too”

 

Advocating disabling auto-updates in an OS is reckless.

Home networks for majority of users is completely flat

One Vlan (e.g. 192.168.1.0/24)

‘Savvy’ = technical

Which many of our users are not

 

Probable scenario: Bad guy targets you or family through a phish. They gain access to family computers, and pivot through those to your office computer

 

Blue teamers: suggest backups and backup options to keep their data safe and allow them to feel safer with automatic updates enabled, and VLANs if possible

 

Typically enterprises will hold off a few days or a week to push out Windows patches; Auto-updates are controlled.

The twitter guy said that in more recent Windows versions, WU take precedence over WSUS… need to confirm that… -- brbr

Confirmed… you can override WU… https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/

 

http://www.computerworld.com/article/3213929/microsoft-windows/the-case-against-windows-automatic-update.html

http://www.csoonline.com/article/3214487/security/pentest-firm-calls-carbon-black-worlds-largest-pay-for-play-data-exfiltration-botnet.html#tk.twt_cso

--this-- not because of title, but because of people jumping to conclusions (example of irresponsible disclosure)

Agreed… that shiz is damaging -- brbr

 

 

 

NoStarch TCP guide - https://www.nostarch.com/tcpip.htm

IPV4 -https://en.wikipedia.org/wiki/IPv4

 

[graphic of IPv4 header from wikipedia article]

 

IHL - size of the header (minimum of 5)

DSCP - has to do with traffic shaping and QoS

ECN - notifies the network of congestion and allows infrastructure to implement congestion controls to compensate

Must be supported by both ends, and completely optional to enforce

Total Length - total size of the packet

Identification - interesting field, you can use it to hide data (Covert_TCP), otherwise, it’s used for ‘used for uniquely identifying the group of fragments of a single IP datagram”

 

https://github.com/tcstool/Fireaway

 

http://www.securityweek.com/coolest-talk-defcon-25-no-one-writing-about

 

2017-026-Machine_Learning-Market Hype, or infosec's blue team's newest weapon?

Aug 4, 2017 01:09:02

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-026-Ally_miller_machine-learning-AI.mp3

Ally Miller (@selenakyle) joined us this week to discuss Machine Learning and #Artificial #Intelligence. It seems like every new security product employs one or both of these terms. She did the keynote at Bsides Las Vegas on topics of #Machine #Learning and #Behavioral #Economics.

We asked Ms. Miller to join us here to discuss what ML and AI are, how algorithms work to analyze the data to come to the right conclusion. What is required to get a useful algorithm, and how much or little human interaction is required?

We also discuss a bit of history with her, how IDS/IPS were just dumber versions of machine learning, with 'tweaks' being new Yara or snort rules to tell the machine what to allow/disallow. 

Finally, we discussed how people who are doing our 2017 DerbyCon CTF, instructions on how to win are in the show, so please take a listen.

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

 

 

show notes

 

what is the required amount of data required to properly train the algorithms

 

how do you ensure that the training data is clean (or perhaps how do you determine what causes a false positive or negative)

 

Xoke Soru: "why are you trying to make skynet and kill us all?  Do you hate humanity?"

 

Who will ML replace? Who in security?

 

Ask why people get confused between AI and Machine learning, and where the fine line is between the two or is one actually a subset of the other.

 

Basically.. "in what way/how do you see ML being used in an offensive capacity in the future (or now)"

 

https://en.wikipedia.org/wiki/Artificial_neural_network

 

https://en.wikipedia.org/wiki/Machine_learning

 

https://en.wikipedia.org/wiki/Portal:Machine_learning

 

https://www.slideshare.net/allyslideshare/something-wicked-78511887

 

https://www.slideshare.net/allyslideshare/201209-a-million-mousetraps-using-big-data-and-little-loops-to-build-better-defenses

 

https://conferences.oreilly.com/velocity/vl-ca/public/schedule/detail/61751

 

O’Reilly Conference 31 October

 

Mick douglas class

Derbycon CTF

Book club

 

Patreon

slack

2017-025-How will GDPR affect your Biz with Wendyck, and DerbyCon CTF info

Jul 23, 2017 01:10:49

Description:

Direct Link:http://traffic.libsyn.com/brakeingsecurity/2017-025-How-GDPR-affects-US-Biz-with-Wendyck-Derbycon2017-CTF-info.mp3

 

GDPR (General Data Protection Regulation) is weighing on the minds and pocketbooks of a lot of European companies, but is the US as worried? If you read many of the news articles out there, it ranges from 'meh' to 'OMG, the sky, it is falling". GDPR will cause a lot of new issues in the way business is being done, not just in the realm of security, but in the way data is managed, maintained, catalogued, and shared.

This week we invited Ms. Wendy Everette Knox (@wendyck) to come in and discuss some of the issues that might hit companies. We also discuss how GDPR and the exit (or not) of the UK from the #European #Union will affect data holders and citizens of the UK.

If your company is preparing for the #GDPR mandate, check out the show notes for a lot of good info.

ALSO, If you are looking for a ticket to #derbycon 2017, you need to listen to this show, because it has all the info you need to get started.  The info is also in the show notes, including the form you need to post your flag information.

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---Show Notes:----

 

 

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1]

 

 

Would it be better if companies stored less data, or de-anon it to the point where a breach

 

Massive fines for breaches. Usually some percentage of profits…

 

(up to 4% of annual global turnover or €20 Million (whichever is greater))

 

“Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours of the data breach (Article 33).”

 

Is 72 hours for notification realistic? For massive breaches, 72 hours is just enough time to contain

 

Right to be forgotten (not realistic):

“A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014.[19][20] Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case (f) where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data “

 

GDPR full text:

http://ec.europa.eu/newsroom/document.cfm?doc_id=45631

 

Good intro:

https://www.taylorwessing.com/globaldatahub/article-the-data-protection-principles-under-the-gdpr.html

 

Controversial topics:

http://www.eugdpr.org/controversial-topics.html

 

Key Changes:

http://www.eugdpr.org/key-changes.html

 

Difficulty of doing GDPR in the cloud

https://hackernoon.com/why-gdpr-compliance-is-difficult-in-the-cloud-9755867a3662

US businesses largely ignoring GDPR

http://www.informationsecuritybuzz.com/expert-comments/us-businesses-ignoring-gdpr/#infosec

 

Fears of breach cover-up (due to massive fines ‘up to 4% of profits’)

http://tech.newstatesman.com/news/gdpr-cover-ups-security

 

From the UK ICO, 12 steps to take now to prepare for GDPR https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf (has a nice infographic on p. 2)

 

https://www.auditscripts.com/

 

CTF for derby ticket

Level 1-

The internet is a big place :) I’ve hidden 3 flags out on it and it’s your job to see how many you can find. I’ll give you a few hints to start.

 

Company Name = Big Bob’s Chemistry Lab There’s something illegal going on, find out what!! Submit flags here https://goo.gl/forms/iUEVHNuSYr34OZA22  

2017-024-infosec_mental_health_defcon_contest-with-rand0h-and-tottenkoph

Jul 17, 2017 01:30:56

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-024-mental_health_podcast-with-Rand0h-and-tottenkoph.mp3

The infosec industry and the infosec culture is so diverse, with many different points of view, many different thoughts and opinions, and many of us deal with our own internal demons, like addictions, mental afflictions like depression or bipolar disorders. And 'imposter syndrome' is another thing that seems to add to the mix, making some believe they have to be constantly innovating or people think negatively of them.

So this week, we invited Ms. Magen Wu (@tottenkoph), and Danny (@dakacki) and we discuss some coping mechanisms at things like conferences, and if you work at home, like a lot of consultants and researchers do...

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat and Defcon

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

 

-------

Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel.

To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August.

 

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

--Show Notes--

Chris Sanders: Cult of Passion

http://chrissanders.org/2017/06/the-cult-of-passion/

 

Exercise

Start playing ingress or Pokemon Go, just to get out and gamify activity

 

Reduce alcohol consumption

Defcon : Friends of Bill W.

Agent X : 3/5K events at Defcon

 

Critics comments

You won’t please everyone, so don’t try

 

Spend time away from infosec

Family, friends

Hobbies

 

If you are in a job with ‘secrets’, find someone to talk to

Another person with the same ‘secrets’ or similar job

 

https://www.scientificamerican.com/article/gut-second-brain/

 

@DAkacki (what is your podcast @rallysec)

Da667’s book

[I love murder]@tottenkoph

@jimmyvo

@andMYhacks (works with Jimmy)

@infosecmentors

 

2017-023-Jay_Beale_Securing Linux-LXC-Selinux-Apparmor-Jails_and_more

Jul 10, 2017 01:09:44

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-023-Jay_Beale-selinux-apparmor-securing_lxc.mp3

 

Jay Beale works for a pentest firm called "Inguardians", and has always been a fierce friend of the show. He's running a class at both BlackHat and Defcon all about hardening various parts of the Linux OS. This week, we discuss some of the concepts he teaches in the class. 

Why do we disable Selinux? Is it as difficult to enable as everyone believes? What benefit do we get from using it? 

We also discuss other hardening applications, like ModSecurity for Apache, Suhosin for PHP, and Linux Containers (LXC). What is gained by using these, and how can we use these to our advantage?

Really great discussion with Jay, and please sign up for his class for a two day in-depth discussion of all the technologies discussed on the show.

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat and Defcon

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

 

-------

Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel.

To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August.

 

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

---

Show Notes:

 

AppArmor

 

SELinux

 

Privilege Escalation - InGuardians Murderboard

 

Port Knocking (Single Pack Authorization)

 

OSSEC

 

ModSecurity

 

Linux Containers

 

Jess frizelle -bane

 

Dan walsh - selinux

 

Selinux troubleshoot daemon

 

https://en.wikipedia.org/wiki/System_call

 

“In computing, a system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system.”

 

OpenBSD pledge(2): https://man.openbsd.org/pledge.2

 

https://www.raspberrypi.org/products/raspberry-pi-2-model-b/

 

Suhosin

 

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

@inguardians

@jaybeale

www.inguardians.com


----

 

What are you doing at Black Hat and Def Con?

 

Training class at Black Hat - 2 days Def Con Workshop - ModSecurity and AppArmor - 4 hours Packet Hacking Village Workshop - Container security Vapor Trail at Def Con Labs (Larry and Galen) Dancing my butt off?

2017-022-Windows Hardening, immutable laws of security admins, and auditpol

Jul 4, 2017 53:48

Description:

Direct Link to Download: http://traffic.libsyn.com/brakeingsecurity/2017-022-windows_and_AD_Hardening.mp3

This week, we discuss hardening of windows hosts, utilizing CIS benchmarks. We talk about the 'auditpol' command. And we dredge up from the ancient times (2000) the Microsoft article from Scott Culp "The 10 Immutable Laws of Security Administration". Are they still applicable to today's environment, 17 years later?

 

 

Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel.

To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August.

 

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

--SHOW NOTES--

10 immutable laws of Security administration: https://technet.microsoft.com/library/cc722488.aspx

Really great stuff

On This Page

Law #1: Nobody believes anything bad can happen to them, until it does

Law #2: Security only works if the secure way also happens to be the easy way

Law #3: If you don't keep up with security fixes, your network won't be yours for long

Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with

Law #5: Eternal vigilance is the price of security

Law #6: There really is someone out there trying to guess your passwords

Law #7: The most secure network is a well-administered one

Law #8: The difficulty of defending a network is directly proportional to its complexity

Law #9: Security isn't about risk avoidance; it's about risk management

Law #10: Technology is not a panacea

https://www.linkedin.com/in/scott-culp-cissp-8b69572a/

 

 

http://thehackernews.com/2017/06/hacker-arrested-for-hacking-microsoft.html

 

 

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

 

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

 

auditpol - https://technet.microsoft.com/en-us/library/cc731451(v=ws.11).aspx

 

https://docs.microsoft.com/en-us/windows/device-security/auditing/advanced-security-audit-policy-settings

 

 

https://technet.microsoft.com/en-us/library/cc677002.aspx - Microsoft Security compliance Manager

 

 

https://www.databreaches.net/irony-when-blackhats-are-our-only-source-of-disclosure-for-some-healthcare-hacks/

 

https://www.databreaches.net/leak-of-windows-10-source-code-raises-security-concerns/

 

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

 

 

2017-SPECIAL- Michael Gough and Brian Boettcher discuss specific ransomware

Jun 30, 2017 19:26

Description:

Due to popular demand, we are adding the extra content from last week's show as a standalone podcast.

 

Michael Gough (@hackerHurricane) and Mr. Boettcher (BrakeSec Co-Host, and @boettcherpwned) sit down and discuss the popularity of ransomware as a topic

They discuss what email attachments to block, how to test your own email gateway, and what controls you should implement to help defend against the #petya #notpetya ransomware.

2017-021-small_biz_outreach-614con-prenicious_kingdoms-ransomware-bonus

Jun 23, 2017 01:18:47

Description:

This week, we discussed Ms. Berlin's recent foray to CircleCityCon, 614con (@614con), and her recent webinars with O'Reilly.

One topic we discussed this week was how to reach out to small businesses about information security. Mr. Boettcher (@boettcherpwned) had just came from a panel discussion about an initiative in Austin, Texas called "MANIFEST", which sought to engage small business owners with #information #security professionals to help them secure their environments.

So we got to discussing how you might go about it in your local hometowns. Many of us live in smaller towns, with numerous small businesses that either don't know to secure their #POS #terminals (for example), or office information not in a file cabinet. They may also just assume their outsourced IT company is doing that job, which could open them up to liability if something occurred. So we discuss ways to reach out, or get involved with your local community.

Secondly, we talk about software vulnerabilities found in the #CWE and the '7 Pernicious Kingdoms' which are the way some people have classified vulnerabilities. We one of the kingdoms, and how it is useful if you want to classify vulns to developers.

Finally, after the show, Mr. Boettcher and Mr. Michael Gough, who has been on the show previously discusses some #ransomware and why it's such a popular topic of discussion. (stay after the end music)

 

Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 5 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 1 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel.

To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-021-small_biz_outreach-614con-prenicious_kingdoms-ransomware-bonus.mp3

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2017-020-Hector_Monsegur_DNS_OSINT_Outlaw_Tech_eClinicalWorks_fine

Jun 15, 2017 01:16:37

Description:

Hector Monsegur (@hxmonsegur on Twitter) is a good friend of the show, and we invited him to come on and discuss some of the #OSINT research he's doing to identify servers without using noisy techniques like DNS brute forcing.

 

We also discuss EclinicalWorks and their massive fine for falsifying testing of their EHR system, and implications for that. What happens to customers confidence in the product, and what happens if you're already a customer and realize you were duped by them?

 

We also discuss Hector's involvement with the TV show "Outlaw Tech". Who approached him, why he did it, why it's not CSI:Cyber or "Scorpion" and how it discusses the techniques used by bad guys.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-020-Hector_monsegur_DNS_research_OSINT.mp3

 

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---------- 

Show notes:

 

going beyond DNS bruteforcing and passively discovering assets from public datasets???

Very interested in hearing about this

Straight OSINT, or what?

Hxm: Over at RSL (Rhino Sec Labs), one of the research projects I’m working on is discovery of assets (subdomains) while minimizing footprint (dns bruteforcing). Datasets include things like:

Data from the certificate transparency project (https://www.certificate-transparency.org/) rDNS and forward dns dataset from https://scans.io/  Sonar Scans - Rapid7 Sublist3r: https://github.com/aboul3la/Sublist3r And other datasets that are out there Crime Flare https://krebsonsecurity.com/tag/crimeflare-com/ -> crimeflare.com Discuss why brute forcing DNS leaves such a heavy footprint for blue team forensics How cloud providers like CloudFlare, and others, do not take advantage of DNS bruteforcing error messages   Special shout out to Ryan Sears @ CaliDog Security for his research into this field https://en.wikipedia.org/wiki/Markov_chain Smart DNS Bruteforcing - https://github.com/jfrancois/SDBF

 

Training gained from internal phishing campaigns

Does it breed internal mis-trust?

Recent campaign findings

Why do it if we know one account is all it takes? Because we know it’s a ‘win’ for security?

 

Outlaw Tech on Science Channel

What’s it about? (let’s talk about the show)

The show itself is on the Science channel (Discovery) The aim of the program is to discuss the technology behind many of the biggest crimes (heists, el chapo’s communication network, etc) And how I play a part in it https://www.spoofcard.com/ https://www.sciencechannel.com/tv-shows/outlaw-tech/ Rhinosecuritylabs.com  

 

http://www.dw.com/en/estonia-buoys-cyber-security-with-worlds-first-data-embassy/a-39168011 - ”Estonia buoys cyber security with world's first data embassy” - interesting

 

https://www.digitalcommerce360.com/2017/05/31/eclinicalworks-will-pay-feds-155-million-settle-false-claims-charges/ -- holy shit

-- Reminds me of the whole emissions scandal from a couple of years back. http://www.roadandtrack.com/new-cars/car-technology/a29293/vehicle-emissions-testing-scandal-cheating/

 

http://securewv.com/cfp.html

 

 

 

OneLogin/Docusign breaches

OneLogin: https://arstechnica.com/security/2017/06/onelogin-data-breach-compromised-decrypted/

Docusign:  https://www.inc.com/sonya-mann/docusign-hacked-emails.html

http://www.spamfighter.com/News-20916-DocuSign-Data-Hack-Resulted-in-Malware-Ridden-Spam.htm

Crowdfunding to buy shadowbroker exploits ended: https://threatpost.com/crowdfunding-effort-to-buy-shadowbrokers-exploits-shuts-down/126010/

 

China's Cybersecurity Law: https://lawfareblog.com/chinas-cybersecurity-law-takes-effect-what-expect

 

Facial recognition for plane boarding:  http://money.cnn.com/2017/05/31/technology/jetblue-facial-recognition/index.html

 

 

Keybase.io’s Chrome plugin  -- Game changer? https://chrome.google.com/webstore/detail/easy-keybaseio-encryption/bhoocemedffiopognacolpjbnpncdegk/related?hl=en

2017-019-Ms. Jessy Irwin, Effective Training in Small/Medium Businesses

Jun 7, 2017 01:11:34

Description:

 

This week, we invited Ms. Jessy Irwin (@jessysaurusrex) on to discuss the issues Small and medium businesses and startups have with getting good training, training that is effective and what can be done to address these issues.

We also go through several ideas for training subjects that should be addressed by training, and what maybe would be addressed by policy.

 

-------

Upcoming BrakeSec Podcast training:

Ms. Sunny Wear - Web App Security/OWASP

14 June - 21 June - 28 June at 1900 Eastern (1600 Pacific, 2300 UTC)

$20 USD on Patreon to attend the class

$9 USD for just the videos to follow along in class

Patreon: https://www.patreon.com/bds_podcast

 

If you want the videos and don’t care about the class, they will be released a week after class is over for free.

 

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Show Notes:

 

http://www.darkreading.com/endpoint/cybersecurity-training-nonexistent-at-one-third-of-smbs-/d/d-id/1328766

I don’t trust articles written with a survey created by a company that is touting their new education track at the bottom of the article. -- brbr

 

https://twitter.com/jessysaurusrex/status/859123589123121152

“So sick of the tired narrative that sec awareness is just about phishing when there are ~10 basic skills we need to be educating people on”

What are the ~10 things?

First off, most corporate security training misses the incentive mark by a mile. If training were refocused in a way that showed the incentives to improving personal safety, we might get somewhere. Teaching people how to take care of themselves first works-- those habits carry over into their work life, not usually the other way around.

 

Passwords Multifactor authentication Device encryption Ad blocking Browser hardening via extension/plugin Safe browsing (this breaks into a few different topics) Phishing doesn't just happen via email anymore: social media inboxes, text message inboxes, messaging apps, etc. Most users won't come to social engineering defenses on their own-- important to educate and give alternatives that encourage them to confirm information out of band or navigate to a site in their browser Social engineering (this breaks into a few different topics) Segmentation/compartmentalizing data + communications Secure storage(local vs cloud data) Media storage safety (thumbdrives! Charge-only cables for mobile devices!) Google Apps + Slack allow for OAuth; most people set it and forget it, don't review what apps can act on their behalf until it's too late Regularly reviewing permissions granted to apps through oAuth Backups

 

http://www.zdnet.com/article/sans-security-awareness-study-reveals-technical-communication-skills-and-proper-resourcing-critical/

“The report goes onto say that security awareness professionals with more technical backgrounds are more keen to recognizing behaviors that might bring risk, however, at times communications training is critical given that human interaction soft skills make changing risky employee behavior. They know what behaviors are the most effective in managing those risks. Often however, the challenge is that these same individuals often lack the skills or training to effectively communicate those risks and engage employees in a manner that effectively changes behavior.”  summed up our entire industry in this paragraph --brbr

  

https://securingthehuman.sans.org/resources/security-awareness-report-2017

^^^^ saw this on Twitter yesterday -brbr

 

Key takeaways:

 

The study recommends the following for addressing communications:

 

Communicate to leadership monthly about your security awareness program -- in a way that business leaders will value. Find a strong champion within leadership, and ask them to help relay the program value to other leaders, or assist with message crafting. Partner with those in the org that you've found to appreciate and adhere to security awareness inputs, especially those who can help partner on better communications. Take communications training; they can be easily developed with the right focus. Align with human resources to ensure an awareness program is tied into company culture. Keep an eye on your audience, as it grows and shift, and recognize that the same message that works for developers may not be effective for marketing, and vice versa. A one-size-fits-all communications approach can be limiting. 

 

You writing a book?

 

I've been working on a book about security that's focused on education and communication. We do such a horrible job at this-- we don't do very much that helps the average person or our non-technical, non-expert colleagues have a chance at being successful online. Our terms are too technical, our framing is unbelievably negative and toxic, and the lack of empathy for the people at the other end of the computer is absolutely astounding. It is entirely fixable, but we all have to stop contradicting one another and really start working together. :)

 

You make it sound so bleak and self-destructive :|

I would like to hope that we can get better.

 

Oh yea, the echo chamber, “who has the right answer?” no one, we all just have pieces...

Yes! And sometimes the right answer changes very, very quickly! It's less about the silver bullet answer and more about what we’re defending from and hoping to accomplish.

 

Are SMBs the issue?

Are they more insecure than bigger companies?

Or do bigger companies get more media coverage?

 

Are bigger companies any better at training employees?

Or are they better at ‘checking’ the box?

 

If we take the statement ‘paid for security training sucks’ as a given, what do we do about it?

What trainings should we be giving?

  

And what training should actually be policy driven? (make it a requirement to follow)

Clean desk

Password manager

Coding practices

Acceptable use

Device encyption

2FA/MFA

 

What training do infosec people need? How important are the soft skills to help with communicating?

2017-018-SANS_course-EternalBlue_and_Samba_vulnerabilities-DerbyCon contest details

May 30, 2017 50:40

Description:

We discuss SANS courses, including the one I just took (SEC504). How did I do in class? You can listen to the show and find out.

Since it's been a few weeks, we also discuss all the interesting WannaCry reports, the ease at which this vulnerability was exploited, and why would a company allow access to SMB (tcp port 445) from the Internet?

We discuss some upcoming training that we are holding starting 14 June. Ms. Sunny Wear will be doing 3 sessions discussing the use of Burp, and showing how to exploit various web application vulnerabilities.  Details are in the show notes and in our Slack Channel.

 

Ms. Sunny Wear is doing a web app security class

Starts June 14th at 1900 Eastern (1600 Pacific, 2300 UTC) 

Sign up for the class at the $20 dollar Patreon level (if you plan on attending)

Sign up for immediate video access at the $10 Patreon level (cannot attend class, but want to follow along)

Everyone will have access to the Slack Channel to follow along with the class, ask questions, etc (join our #slack channel for more information)

https://www.patreon.com/bds_podcast

 

Direct Link:   http://traffic.libsyn.com/brakeingsecurity/2017-018-SANS_course-EternalBlue-Samba-DerbyCon.mp3

RSS: www.brakeingsecurity.com/rss

 

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 SHOW NOTES:

 

SANS experience

Pity Quincenera - I (bryan) sucked

Need more experience

Speed kills (I (bryan) got flustered and I shutdown) you took speed?

No Kali - was surprised, until I thought of why :D

Was not helpful to my team (jacek, ryan, Michael C., David)

John Strand was phenomenal

Frank Kim was great

The audio was not, unfortunately :(

 

 

Samba/SMB (port 445) vulns

Use case for having it exposed?

**** OPEN TO SUGGESTIONS *****

What does that say about the company?

No security team, or the security team is ineffectual about telling people about the risks?

What

MS17-010 is the new MS08-067

http://thehackernews.com/2017/05/samba-rce-exploit.html

Over 400,000 open to the web

https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

 

Training announcement:

 

Ms. Sunny Wear doing a web app security class

Starts June 14th

Sign up for the class at the $20 dollar Patreon level

Sign up for immediate video access at the $10 Patreon level 

https://www.patreon.com/bds_podcast

 

 

Who’s Slide is it Anyways? @ImprovHacker

https://docs.google.com/forms/d/e/1FAIpQLSeLS0barWRdKVjPPyZ82lvC0UQMaDTJXRwF11qItlbZOrrf6A/viewform?c=0&w=1

 

#infosec #podcast #webAppSec #application #security

2017-017-Zero_Trust_Networking_With_Doug_Barth,_and_Evan_Gilman

May 10, 2017 01:25:46

Description:

 Zero trust networking may be a foreign concept to you, but Google and others have been utilizing this method of infrastructure and networking for quite a while now. It stands more traditional networking on it's head by not having a boundry in the traditional sense. There's no VPN, no ACLs to audit, no firewall to maintain... Sounds crazy right?

Well, it's all about trust, or the lack of it. No one trusts anyone without a proper chain of permission. Utilizing 2FA, concepts of port knocking, and CA certificates are used to properly vet both the host and the server and are used to keep the whole system safe and as secure as possible.

Sounds great right? Well, and you can imagine, with our interview this week, we find out that it's not prefect, people have to implement their own Zero Trust Networking solution, and unless you are a mature organization, with things like complete asset management, data flow, and configuration management, you aren't ready to implement it.

Join us as we discuss Zero Trust Networking with Doug Barth (@dougbarth), and Evan Gilman (@evan2645)

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-017-Zero_Trust_Networks.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

show notes:

 

The lines are blurring:

 

DevOps

NetOps

SDN

SDP

docker/containerization

2FA authentication

 

https://devcentral.f5.com/articles/load-balancing-versus-application-routing-26129

http://www.darkreading.com/attacks-breaches/zero-trust-the-way-forward-in-cybersecurity/a/d-id/1327827

All good points, except no one wants to do the needful bits (ID’ing information, data flow, proper network design)

https://www.beyondcorp.com/

 

https://en.wikipedia.org/wiki/Software_Defined_Perimeter

 

Where is this Google article???

http://www.tomsitpro.com/articles/google-zerotrust-network-own-cloud,1-2608.html

https://cloud.google.com/beyondcorp/

https://www.theregister.co.uk/2016/04/06/googles_beyondcorp_security_policy/

 

Who benefits from this? Network engineers, apparently… :)

Devs?

IT?

Sounds like a security nightmare… who would get the blame for it failing

 

How do we keep users from screwing up the security model? Putting certs on their personal boxes?

 

Prior BrakeSec shows:  Software Defined Perimeter with Jason Garbis

http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3

 

http://shop.oreilly.com/product/0636920052265.do

 

Doug Barth Twitter: @dougbarth

 

Evan Gilman Twitter:  @evan2645

 

Runs counter, right? We are used to not trusting the client…

 

A Mature company can only implement

Device inventory

Config management

Data flow

Asset management

 

Micro-services?  

Brownfield networks

Sidecar model -

Certain OSes not possible

2017-016-Fileless_Malware, and reclassifying malware to suit your needs

May 3, 2017 01:05:43

Description:

 Malware is big business, both from the people using it, to the people who sell companies blinky boxes to companies saying that they scare off bad guys.

The latest marketdroid speak appears to be the term 'fileless malware', which by definition...

 

FTA: “Malware from a "fileless" attack is so-called because it resides solely in memory, with commands delivered directly from the internet. The approach means that there's no executable on disk and no artefacts ("files") for conventional computer forensic analysis to pick up, rendering the attacks stealthy, if not invisible. Malware infections will still generate potential suspicious network traffic.”

 

https://www.theregister.co.uk/2017/04/28/fileless_malware_menace/ -- by definition, not ‘fileless’

But many of the 'fileless' attacks require a 'file' to be opened to enable the initial infection.

This week, Michael Gough (@hackerhurricane) comes on to discuss his latest blog post (http://hackerhurricane.blogspot.com/2017/05/fileless-malware-not-so-fast-lets.html) and we discuss the fact that a lot of malware classification and categorization and how it fails to actually convey to leaders what it affects

 

https://business.kaspersky.com/targeted-attacks-trends/6776/

http://www.binarydefense.com/powershell-injection-diskless-persistence-bypass-techniques/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-016-fileless_malware_reclassifying_malware_types.mp3

 

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Bsides Springfield, MO Eventbrite for Tickets: https://www.eventbrite.com/e/bsides-springfield-tickets-33495265240 (only 27 tickets left as of 28 Apr)

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2017-015-Being a 'security expert' vs. 'security aware'

Apr 27, 2017 44:43

Description:

This week, we have a little story time. Developers should be aware of the kinds of vulnerabilities their code can be attacked with. XSS, Buffer overflows, heap overflows, etc should be terms that they understand. But is it enough that they are 'aware' of them, and yet seem to do nothing? Or should they be experts in their own particular area of development, and leave infosec people to deal with more generic issues?

We discuss the pros and cons of this argument this week, as well as how the idea of training people are flawed, because of who holds the purse strings. 

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-015-security_expert-vs-Security_aware_devs.mp3

 

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Bsides Springfield, MO Eventbrite for Tickets: https://www.eventbrite.com/e/bsides-springfield-tickets-33495265240 (only 27 tickets left as of 28 Apr)

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2017-014-Policy_writing_for_the_masses-master_fingerprints_and_shadowbrokers

Apr 20, 2017 01:00:12

Description:

So, I (Bryan) had a bit of a work issue to discuss. It has become one of my myriad jobs at work to write up some policies. In and of itself, it's not particularly fun work, and for whatever reason, this is causing me all kinds of issues. So this week we take a quick look at why I'm having these issues, if they are because I don't get it, or because the method I must follow is flawed.

After that, we add on to last week's show on #2FA and #MFA (http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3) by discussing why scientists are trying to create a 'master fingerprint' capable of opening mobile devices. We talk about FAR and FRR (false acceptance/rejection rates), and why the scientists may actually be able to pull it off.

We discussed Ms. Berlin's trip to the AIDE conference (https://appyide.org/), a two day #DFIR conference held at Marshall University by our good friend Bill Gardner (@oncee on Twitter). She gave a great interactive talk on working through online wargames and CTFs, and we get her update on the conference.

Finally, we did discuss a bit about the #ShadowBroker dump of #NSA tools. We discussed how different people are taking this dump over the #Wikileaks #CIA dump.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-014-Policy_writing_for_the_masses-master_fingerprints_disneyland.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

--- show notes----

 

Discuss AIDE with Ms. Berlin

 

Log-MD.com posted their first video.

 

Fingerprint Masters (a case against biometrics):

http://www.popsci.com/computer-scientists-are-developing-master-fingerprint-that-could-unlock-your-phone

http://www.digitaltrends.com/cool-tech/master-prints-unlock-phones/


Encrypted comms causing issues for employers: https://iapp.org/news/a/employers-facing-privacy-issues-with-encrypted-messaging-apps/

 

ShadowBrokers dump

“Worst since Snowden”

https://motherboard.vice.com/en_us/article/the-latest-shadow-brokers-dump-of-alleged-nsa-tools-is-awful-news-for-the-internet

https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/

 

Making policies, easier said than done

Discuss DefSec chapter on Policies

Difficulty: aligning policies with compliance standards

FedRamp, PCI, etc

Writing a good policy so that it follows the guidelines

 

http://shop.oreilly.com/product/0636920051671.do -- Defensive Security Handbook

2017-013-Multi-factor Auth implementations, gotchas, and solutions with Matt

Apr 13, 2017 48:44

Description:

Most everyone uses some kind of Multi-factor or '2 Factor Authentication". But our guest this week (who is going by "Matt" @infosec_meme)... Wanted to discuss some gotchas with regard to 2FA or MFA, the issues that come from over-reliance on 2FA, including some who believe it's the best thing ever, and we finally discuss other methods of 2FA that don't just require a PIN from a mobile device or token.

We also discuss it's use with concepts like "beyondCorp", which is google's concept of "Software Defined Perimeter" that we talked about a few weeks ago with @jasonGarbis (http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3)

This is a great discussion for people looking to implement 2FA at their organization, or need ammunition if your boss thinks that all security is solved by using Google Auth.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Show Notes:

 

What does MFA try to solve:

Mitigate password reuse Cred theft - Someone stealing credentials from embarassingadultsite.com and turns they work out on a totallyserious.gov RDP server Phishing bad - same as above, except now you convince someone totallyseriousgov.com is legit and they give you credentials

 

Cred theft:

Getting to the point where old mate literally has more password dumps than time https://www.troyhunt.com/i-just-added-another-140-data-breaches-to-have-i-been-pwned/ Honestly not going away, and combined with password reuse makes things pretty bad

 

Phishing:

Happens. META: do we need to back this up with some stats?  https://blog.barkly.com/phishing-statistics-2016

 

MFA / Bad things happening with that:

AU Telecommunications provider sent multifactor SMS to wrong people https://www.itnews.com.au/news/telstra-sending-sms-to-wrong-numbers-after-exchange-fire-449690 RSA was owned years ago - and had to reissue a bunch of tokens http://money.cnn.com/2011/06/08/technology/securid_hack/ https://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/?_r=0 On the plus side, obviously increased cost to attacker significantly to do that Phishing frameworks are everywhere Misc / Turns out U2F makes phishing kind of dead? (Read first amendment) https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/ Appears Backed up by the spec ( ‘Origin’ / https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-overview-v1.1-id-20160915.pdf)

 

Phishing/2FA/Solutions?

a) What does multifactor actually solve? b) Are we (infosec industry) issuing multifactor solutions to people just so people make money? c)  Do these things give a *false* sense of security? d) What do you think about storing the token on the same box? Especially given an actor on the box is just going to steal creds as they’re entered.

 

Internal training / is this actually working?


Australia Post didn't think so

https://www.itnews.com.au/news/why-australia-post-ransomwared-its-own-staff-454987

 

Counterpoints:

It's irritating and does break at times ( https://twitter.com/dguido/status/842448889697447938 )

C: I don’t like running some silly app on my phone

C: I also don’t like running around with a physical token

C: Embedding a Yubico nano in my usb slot leaves me with one usb port left

Also doesn’t solve when someone just steals that token

 

Does any of it matter:

Beyondcorp / "Lets make the machines state be part of the credential"

https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf

Tl;dr of paper: TPMs, certificates and a lot of health checks - think of NAC on steroids

Is there some way we (not google) can make it so a credential is worthless?

 

Solutions:

Duo / “There's an app on my phone and it has context about what wants to do something right now”

Probably a step in the right direction

Kind of like some Aus banks which SMS you before transferring $X to Y account

Okta - (grab links to spec)

META // Does this actually solve it?

OAUTH - (grab links to spec)

Attacking OAUTH - https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/

META // It’s not MFA, but it makes the cost of unrelated compromise significantly lower

META // Engineering things to short lived secrets is a better idea

 

I think one of the better ideas being put out was by google in 2014, the ‘beyondcorp’ project (https://research.google.com/pubs/pub43231.html), simply put:

The devices used everywhere are chromebooks run in standard mode rather than developer mode (Whitelisting For Free™) Everything is a web app Everything else can’t run due to app whitelisting built-in The device needs to also authenticate before the user can do anything, and is used as part of the judgement for access control engines Everything cares about the machine the user is using - It’s part of the credential Passwords are no longer important and it’s all single sign on Suddenly credential theft doesn’t matter The device uses certificates to attest to its current state, so stolen passwords without a valid device don’t matter As the device is a glorified web browser, and has app whitelisting, you’re not going to get code execution on it, malware no longer matters Caveat, someone will probably think of some cool technique and that’ll ruin everything See: Problem of induction / “Black swan event”

 

Obviously this is a massive undertaking and would require massive overhaul of everything, but it did look like Google were able to pull it off in the end. (https://research.google.com/pubs/pub44860.html).

 

Tavis is banging on LastPass again…  https://www.ghacks.net/2017/03/21/full-last-pass-4-1-42-exploit-discovered/

 

Duo Security // Beyondcorp

https://duo.com/blog/beyondcorp-for-the-rest-of-us



More info on Beyondcorp

https://www.beyondcorp.com

 

Misc// Hey google wrote a paper on U2F a while back

http://fc16.ifca.ai/preproceedings/25_Lang.pdf


Touched on briefly / “Secure Boot Stack and Machine Identity” at Google - Servers which need to boot up into a given state (Sounds like U/EFI except ‘ Google-designed security chip’)

https://cloud.google.com/security/security-design/resources/google_infrastructure_whitepaper_fa.pdf


META // Patrick Gray (sic) interviewed Duo last week and talked about the same thing

https://risky.biz/RB448/

2017-012-UK Gov Apprenticeship infosec programs with Liam Graves

Apr 6, 2017 54:13

Description:

One of our Slackers (people who hang with us on our Slack Channel) mentioned that he was writing exam materials for one of the programs created by the UK Government to train high school and/or people headed to university in skills without the traditional 4 year education track.

I was very intrigued by this, since we don't appear to have anything like this, outside of interning at a company, which means you're not considered a full-time employee, have no benefits, and there's no oversight about what you are learning. (Your mileage may vary)

So we asked Liam Graves (@tunnytraffic) to come on and discuss his experience, and how he was enjoying it. We discuss various methods of alternative educations here and in the UK, as well as why someone should possibly consider an apprenticeship. We also discuss how that would work in the US (or could it?)

Also, I very sorry Ireland ... :) I did not mean to lump you in the rest of the Commonwealth...

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-012-UK_Gov_apprenticeships_with_Liam_Graves.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

-----

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

--

 

Show Notes:

UK apprenticeship schemes:

long established though a recent focus shift back from academic achievement to hands-on skills and understanding/applying more than just remembering.

End Point Assessment - project based final assessment.

 

A mix of targeted learning and on-the-job experience working towards a brief: https://www.thetechpartnership.com/globalassets/pdfs/apprenticeship-standards/cyber-intrusion-analysis/occupational-brief-cyber-intrusion-analyst.pdf

 

Boring - but some background reading. Apprentices at this level will use levels 1-3 of Bloom’s taxonomy (https://en.wikipedia.org/wiki/Bloom's_taxonomy) 1) Remembering (What type questions). 2) Understanding (Which of these/Why type questions) 3) Applying (It this then what scenarios and questions)

 

Other schemes include (new and existing):

Cyber Intrusion Analysts Cyber Security Technologists Data Analysts Digital Marketers Infrastructure Technicians IT Technical Salesperson Network Engineers Software Developers Software Development Technicians Software Testers Unified Communications Trouble-shooters (no idea what these ones are) Unified Communications Technicians

 

https://www.gov.uk/apply-apprenticeship (links for Scotland & Wales on the same page).

 

https://www.thetechpartnership.com/about/ - employers drive the training for the type of employees they need.

 

Routes to employment - fast paced industry so 1) older pathways may not be relevant. 2) there are so many ways in to the industry pick the right one for you - there’s a difference between people who appreciate structured learning, are autodidactic, learn extra and over what’s expected, dev, risk, red/blue team, academic, hands-on, etc.

 

Internships (rarer, though some degrees offer a year in industry and will assist in making positions available)

 

Graduate schemes - very common, will give a grad opportunities to move around the business. Direct hires from uni.

 

IBM has a trade school - hiring 2,000 US Veterans in the next 5 years

https://www.axios.com/ibm-2000-jobs-exclusive-2317626492.html

 

Technical schools

http://www.browardtechnicalcolleges.com/

http://www.bates.ctc.edu/ITSpecialist

 

DoL apprenticeship programs

https://oa.doleta.gov/bat.cfm

 

Difference between ‘for-profit’ and ‘trade schools’

 

Internships = some companies are paying fat bank:

http://www.vanityfair.com/news/2016/04/summer-interns-at-tech-start-ups-are-making-six-figure-salaries

 

Washington State trades/apprenticeships

Mostly ‘blue’ collar positions

http://www.lni.wa.gov/TradesLicensing/Apprenticeship/Programs/TradeDescrip/

Few ‘technical positions’

 

Not sure there is an ‘apprenticeship’ in the US, outside of ‘internships’ that are given to college students

No ‘junior security architects’, or ‘junior pentesters’

Yet non-technical positions have junior slots

Manager / Senior manager, Project manager / Sr. Project manager

 

Difficulty in infosec apprenticeships

What are the ‘starter’ jobs?

IT related

Sysadmins

Log analyst

 

Useful links:

https://www.gov.uk/government/news/huge-response-to-join-cyber-security-apprenticeship-scheme

https://www.gov.uk/guidance/cyber-security-cni-apprenticeships

https://www.ncsc.gov.uk/new-talent

 

All available apprenticeships:

https://www.gov.uk/government/collections/apprenticeship-standards

 

Employer commitments:

https://www.gov.uk/take-on-an-apprentice

 

For people looking to pivot from non-Infosec jobs into cyber security:

https://cybersecuritychallenge.org.uk/about/new-to-the-challenge

https://www.scmagazineuk.com/government-cyber-retraining-academy-graduates-snapped-up-by-industry/article/647986/

https://www.gov.uk/government/publications/apprenticeship-levy-how-it-will-work/apprenticeship-levy-how-it-will-work

 

 

 

2017-011-Software Defined Perimeter with Jason Garbis

Mar 30, 2017 52:41

Description:

We talked with Jason Garbis this week about Software Defined Perimeter (SDP). Ever thought about going completely without needing a VPN? Do you think I just made a crazy suggestion and am off my medications? Google has been doing it for years, and organizations like the Cloud Security Alliance are expecting this to be the next big tech innovation. So much so, that they are already drafting version 2 of the SDP guidelines.

So after talking with a friend of mine about how they were trying to implement it, he suggested talking to Jason, since he was on the steering committee for it. While Jason does work for a company that sells this solution, our discussion with him is very vendor agnostic, and he even discusses an open source version of SDP that you could implement or test out as a PoC (details in show notes below).

This is a great topic to stay on top of, as one day, your CTO/CIO or manager will come by and ask about the feasibility of implementing this, especially if your company assets are cloud based...  So have a listen!

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3

Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

Itunes: (look for '2017-011') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

 

 

 

-----

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---

 

Show Notes:

https://en.wikipedia.org/wiki/Software_Defined_Perimeter

https://cloudsecurityalliance.org/group/software-defined-perimeter/

    Hmmm… seems like a standard created by companies selling their products for it

        Have a product, create a problem, fix the problem...

 

How much alike is this to things like ‘Beyondcorp’?

    https://www.beyondcorp.com/

    http://www.networkworld.com/article/3053561/security/learning-about-sdp-via-google-beyondcorp.html

 

De-perimeterization - removing all the bits ‘protecting’ your computer

    Treat your computers as ‘on the Internet’

    https://en.wikipedia.org/wiki/De-perimeterisation

https://collaboration.opengroup.org/jericho/SPC_swhitlock.pdf

 

https://github.com/WaverleyLabs/SDPcontroller

 

2FA becomes much more important, or just plain needed, IMO --brbr

 

Questions:

    How will development of applications change when attempting to implement these technologies?

   

    If we allow deperimeterization of legacy apps (like Oracle products), with a complicated security model, how do you keep these older apps under control?

 

    Can this cut down on the “Shadow IT” issue? Does the user control the certs?

    How does this work with devices with no fully realized operating systems?

        Phones, HVAC, IoT

        Legacy SCADA or mainframes?

 

    What is the maturity level of a company to implement this?

        What minimum requirements are needed?

            Asset management?

            Policies?

        Who/how do you monitor this?

            More blinky boxes?

            Will WAFs and Web proxies still function as expected?

    Are there any companies companies were this is not a good fit?

        What’s the typical timeline for moving to this network model?

        What’s the best way to deploy this?

            Blow up old network, insert new network?

            Phase it in with new kit, replacing old kit?

    Compliance

        How do explain this to auditors?

            “We don’t have firewalls, that’s for companies that suck, we are 1337”

Other than “scalability” (which seems like regular solutions would have as well) I’d like to know what real value they provide

2017-010-Authors Amanda Berlin and Lee Brotherston of the "Defensive Security Handbook"

Mar 23, 2017 01:13:42

Description:

Our very own Ms. Berlin and Mr. Lee Brotherston (@synackpse), veteran of the show, co-authored an #O'Reilly book called the "Defensive Security Handbook"

We talk with Amanda and Lee (or Lee and Amanda :D ) about why they wrote the book, how people should use the book, and how you can maximize your company's resources to protect you.

The best thing is that you can pick up the ebook right now! It's available for pre-order on Safari books (Link), or pre-order on Amazon.com (Link)

Hope you enjoy!

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-010-Defensive_Security_handbook.mp3

Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

Itunes: (look for '2017-010') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

 

 Previous Lee Brotherston episodes:

Threat Modeling w/ Lee Brotherston

Is your ISP MiTM-ing you

 Lee fills in for Mr. Boettcher, along with Jarrod Frates

TLS fingerprinting application

 

#Bsides #London is accepting Call for Papers (#CFP) starting 14 Febuary 2017, as well as a Call for Workshops. Tickets are sold out currently, but will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/   

CFP closes 27 march 2017

------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2017-009-Dave Kennedy talks about CIAs 'Vault7', ISC2, and Derbycon updates!

Mar 15, 2017 01:15:18

Description:

Wikileaks published a cache of documents and information from what appears to be a wiki from the Central Intelligence Agency (CIA).

This week, we discuss the details of the leak (as of 11Mar 2017), and how damaging it is to blue teamers.

To help us, we asked Mr. Dave Kennedy  (@hackingDave) to sit down with us and discuss what he found, and his opinions of the data that was leaked. Mr. Kennedy is always a great interview, and his insights are now regularly seen on Fox Business News, CNN, and MSNBC.

Dave isn't one to rest on his laurels. For many of you, you know him as the co-organizer of #derbycon, as well as a board member of #ISC2.  We ask him about initiatives going on with ISC2, and how you (whether or not you're a ISC2 cert holder). You can help with various committees and helping to improve the certification landscape. We talk about how to get involved.

We finish up asking about the latest updates to DerbyCon, as well as the dates of tickets, and we talk about our CTF for a free ticket to DerbyCon.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-009-dave_kennedy_vault7_isc2_derbycon_update.mp3

Youtube:  https://www.youtube.com/watch?v=lqXGGg7-BlM

iTunes: https://itunes.apple.com/us/podcast/2017-009-dave-kennedy-talks-abotu-cias-vault7-isc2/id799131292?i=1000382638971&mt=2

 

#Bsides #London is accepting Call for Papers (#CFP) starting 14 Febuary 2017, as well as a Call for Workshops. Tickets are sold out currently, but will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/   

CFP closes 27 march 2017

------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

--show notes--

http://www.bbc.com/news/world-us-canada-10758578

 

WL: “CIA ‘hoarded’ vulnerabilities or ‘cyber-weapons’

    Should they not have tools that allow them to infiltrate systems of ‘bad’ people?

    Promises to share information with manufacturers

        BrBr- Manufacturers and devs are the reason the CIA has ‘cyber-weapons’

            Shit code, poor software design/architecture

            Security wonks aren’t without blame here either

 

http://www.bbc.com/news/technology-39218393  -RAND report

        Report suggested stockpiling is ‘good’

            “On the other hand, publicly disclosing a vulnerability that isn't known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve.”

 

Encryption does still work, in many cases… as it appears they are having to intercept the data before it makes it into secure messaging systems…  

http://abcnews.go.com/Technology/wireStory/cia-wikileaks-dump-tells-us-encryption-works-46045668

 

(somewhat relevant? Not sure if you want to touch on https://twitter.com/bradheath/status/837846963471122432/photo/1)

 

Wikileaks - more harm than good?

    Guess that depends on what side you’re on

    What side is Assange on? (his own side?)

    Media creates FUD because they don’t understand

        Secure messaging apps busted (fud inferred by WL)

            In fact, data is circumvented before encryption is applied.

Some of the docs make you wonder about the need for ‘over-classification’


Vulnerabilities uncovered

 

Samsung Smart TVs “Fake-Off”

Tools to exfil data off of iDevices

    BrBr- Cellbrite has sold that for years to the FBI

        CIA appears to only have up to iOS 9 (according to docs released)

Car hacking tech

Sandbox detection (notices mouse clicks or the lack of them)

    Reported by eEye: https://wikileaks.org/ciav7p1/cms/page_2621847.html

Technique: Process Hollowing: https://wikileaks.org/ciav7p1/cms/page_3375167.html

    Not new: https://attack.mitre.org/wiki/Technique/T1093

**anything Mr. Kennedy feels is important to mention**

 

What can blue teamers do to protect themselves?

    Take an accounting of ‘smart devices’ in your workplace

        Educate users on not bringing smart devices to work

            And at home (if they are remote)

                Alexa,

        Restrict smart devices in sensitive areas

            SCIFs, conference rooms, even in ‘open workplace’ areas

           

    Segment possibly affected systems from the internet

    Keep proper inventories of software used in your environment

    Modify IR exercises to allow for this type of scenario?

    Reduce ‘smart’ devices

        Grab that drill and modify the TV in the conference room

        Cover the cameras on TV

            Is that too paranoid?

        Don’t setup networking on smart devices or use cloud services on ‘smart’ devices

    Remind devs that unpatched or crap code can become the next ‘cyber-weapon’ ;)

2017-008-AWS S3 outage, how it should color your IR scenarios, and killing the 'whiteboard' interview

Mar 6, 2017 01:14:23

Description:

If you were under a rock, you didn't hear about the outage that #Amazon #Web Services (#AWS) suffered at the hands of sophisticated, nation-state... wah?

 "an authorized #S3 team #member using an established #playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended."

Well... okay, so for companies that do regular IR response tests and have a good majority of their assets and production in cloud based services, is it time to discuss having the 'extreme' scenario of 'What do we do when [AWS|Azure|Google Compute] goes down?'

We also discuss an article about #developers who want to get rid of the #whiteboard #interview... is it as #discriminatory as they suggest, or is it just devs who aren't confident or lacking #skills trying to get hired? (see show notes below for links)

Finally, we talk about Ms. #Berlin's talk she will be giving at #AIDE on 6-7 April. It's gonna be a "hands-on" talk.  What do we mean? Listen to our show and find out.


#AIDE - https://appyide.org/events/ $60

more info: https://appyide.org/1313-2/

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-008-AWS_S3_outage-IR_scenarios_white-board-interviews.mp3

 

#Bsides #London is accepting Call for Papers (#CFP) starting 14 Febuary 2017, as well as a Call for Workshops. Tickets are sold out currently, but will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/   

CFP closes 27 march 2017

------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

---show notes---

 

AWS S3 outage (hopefully more information by the end of the week)

    Massive outages - many sites down

        IoT devices borked        https://techcrunch.com/2017/02/28/amazon-aws-s3-outage-is-breaking-things-for-a-lot-of-websites-and-apps/

https://www.wired.com/2017/02/happens-one-site-hosts-entire-internet/

 

TL;DR of the S3 outage - "an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended."

 

Brian: Water sprinkler story…

 

Do we put too much stock in Amazon?

        Email Story time: Recent IR exercise

            Mostly AWS shop

            “If we suspend reality” drinking game

            World War Z “the 10th man”

 

Not the 1st time AWS was involved in an outage:

    http://www.datacenterdynamics.com/content-tracks/security-risk/major-ddos-attack-on-dyn-disrupts-aws-twitter-spotify-and-more/97176.fullarticle

 

Realistic IR exercises need to examine the ‘ultimate’ bad…

    Even if you’re in ‘suspend reality’ mode

 

https://theoutline.com/post/1166/programmers-are-confessing-their-coding-sins-to-protest-a-broken-job-interview-process

http://blog.interviewing.io/you-cant-fix-diversity-in-tech-without-fixing-the-technical-interview/

 

No problem with copy/paste, hunting up functions, etc

    Problem comes when failure to understand the code you’re using, and the integration of that code therein

 

Programming Interviews Exposed

 

LOVED this idea….

https://letsjusthackshit.org/platypuscon2016.html

“In the spirit of what brought this community together, we’re aiming to build a super hands-on event: that is, instead of a series of talks while you plan on missing to catch up with your friends at the cafe down the road, we’re putting together a full day of hands-on workshops where you can get your hands dirty and we can all help each other learn something new.”

 

Patreon - just pop a dollar

CTF Club - Tuesdays 9am Pacific / 6pm Pacific

Book club - Defensive Security Handbook - Starting 15 March

2017-007- Audio from Bsides Seattle 2017

Mar 1, 2017 35:43

Description:

Bryan had the pleasure of attending his 3rd Bsides Seattle a few weeks ago. Lots of great speakers, great discussion.

We have 3 interviews here this week:

Justin Case (@jcase) discusses some of his talk about hacking the Google Pixel, an HTC produced phone. We discuss why Android gets the 'insecure' moniker by the media, and whether it's warranted or not.

Next, Sam Vaughn (@sidechannel_org) talks about setting up the Crypto Village, why he does it, and what you can learn by solving these puzzles.

Finally, Matt Domko discusses his experiences with Bro, as well as using Bro for packet analysis and what is needed when analyzing packets...

If you are looking for some great content, a Bsides is nearby, just look around...

 

Other Twitter handles mentioned on the show...

@ben_ra
@firewater_devs  (both phone hackers)

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-007-bsides_seattle_Feb2017.mp3

YouTube:

iTunes:

 

 

Bsides London is accepting Call for Papers starting 14 Febuary 2017, as well as a Call for Workshops. You can find out more information at https://www.securitybsides.org.uk/

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2017-006- Joel Scambray, infosec advice, staying out from in front of the train, and hacking exposed

Feb 20, 2017 01:05:45

Description:

Joel Scambray joined us this week to discuss good app design, why it's so difficult, and what can be done to fix it when possible.

Joel also co-authored many of the "Hacking Exposed" series of books. We ask him about other books that could come from the well known series.

We also ask about why the #infosec person often feels like they need to protect their organization to the expense of our own position (or sanity) and how we as an industry should be not 'in front of the train', but guiding the train to it's destination, one of prosperity and security. Conversely, we also discuss why some positions in security are so short-lived, such as the role of CISO.

 

From SC magazine (https://www.scmagazineuk.com/joel-scambray-joins-ncc-group-as-technical-director/article/634098/):

"Security expert and author, Joel Scambray, has joined NCC Group as technical director. He will be based at the Austin, US office.

Scambray has more than 20 years of experience in information security. In his new role, he will work with some of the company's biggest clients using his experience in business development, security evangelism and strategic consultancy."

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-006-Joel_scambray-infosec_advice-hacking_exposed.mp3

iTunes (generic link, subscribe for podcast):  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

Brakesec Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

 

Bsides London is accepting Call for Papers starting 14 Febuary 2017, as well as a Call for Workshops. You can find out more information at https://www.securitybsides.org.uk/

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

-------

Show Notes:

 

Joel Scambray

 

In a bio:

    “Joel’s words of security wisdom: Security is a type of risk management, which is about informing a decision. The security professional’s challenge is to bring the most evidence possible to support those decisions, both technical and non.”

 

Building and maintaining a security program

    Which is better?

starting with a few quick wins

Or having an overarching project to head where you want to go

 

Starting companies (buyouts / stock options / lessons learned)

 

Hacking Exposed

    Will you stop at ‘7’?

    Will there be a “hacking exposed: IoT”?

        Medical devices

   

What leadership style works best for you?

 

Things we couldn’t cover due to time:

Security Shift from network layer to app layer

    Software defined networking, for example

        How to set policies to keep your devs from running amok

 

------

2017-005-mick douglas, avoid bad sales people, blue team defense tools

Feb 15, 2017 01:03:58

Description:

Mick Douglas is always great to have on. A consummate professional, and blue team advocate for years now, he teaches SANS courses designed to help defenders against the forces of the red team, pentesters, and even bad actors.

But this week, we have a different Mr. Douglas.  This week, he's here to talk about sales tactics, #neuro #linguistic #programming, leading the question, and other social engineering techniques that salespeople will do to get you to buy maybe what your company doesn't need, but thinks it does. We have some good times discussing ways to ensure the buying of your new shiny box at work goes more smoothly, what you should look out for, and ways to tell if they are over-selling and under-delivering.

Also, Mick has been working on a project near and dear to his heart. After discussing with @carnal0wnage a year or so back, he's fleshed out a spreadsheet that tracks attack vectors, and depending on what controls are in your environment, can show you how well a particular attack is against your environment. This would be a great asset to blue teams who might want to shore up defenses, especially if they are vulnerable in a particular area. Mr. Douglas is looking for comments, suggestions, and additions to his spreadsheet, and you can even download a copy of the Google Doc to try in your own environment, free of charge.

Book mentioned in the show: (non-sponsored link) https://www.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X

Mick's document:

https://docs.google.com/spreadsheets/d/1pI-FI1QITaIjuBsN30au1ssbJAZawPA0BYy8lp6_jV8/edit#gid=0

Mick refers the the MITRE ATTACK matrix in the show, here's our show discussing it:

http://traffic.libsyn.com/brakeingsecurity/2015-051-ATTACK_Matrix.mp3

https://attack.mitre.org/wiki/ATT%26CK_Matrix

 

 

Mick's last appearances on BrakeSec:

http://traffic.libsyn.com/brakeingsecurity/2015-024-Mick_Douglas.mp3

http://traffic.libsyn.com/brakeingsecurity/2015-025-Mick_douglas_part2.mp3

http://traffic.libsyn.com/brakeingsecurity/2015-032-Jarrod_and_Mick_DFIR.mp3

http://traffic.libsyn.com/brakeingsecurity/2016-026-exfiltration_techniques-redteaming_vs_pentesting-and-gaining_persistence.mp3

 

Direct Link:   http://traffic.libsyn.com/brakeingsecurity/2017-005-mick_douglas-attack_defense_worksheet.mp3

iTunes: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

YouTube: https://www.youtube.com/watch?v=A3K-2yneKU4

 

 

Bsides London is accepting Call for Papers starting 14 Febuary 2017, as well as a Call for Workshops. You can find out more information at https://www.securitybsides.org.uk/

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2017-004-sandboxes, jails, chrooting, protecting applications, and analyzing malware

Feb 6, 2017 52:25

Description:

This week, we discuss sandboxing technologies. Most of the time, infosec people are using sandboxes and similar technology for analyzing malware and malicious software.

Developers use it to create additional protections, or even to create defenses to ward off potential attack vectors.

We discuss sandboxes and sandboxing technology, jails, chrooting of applications, and even tools that keep applications honest, in particular, the pledge(2) function in OpenBSD

----------

HITB announcement:

“Tickets for attendance and training are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

 

 

 

 Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-004-Sandboxing_technology.mp3

iTunes: https://itunes.apple.com/us/podcast/2017-004-sandboxes-jails-chrooting/id799131292?i=1000380833781&mt=2

YouTube: https://www.youtube.com/watch?v=LqMZ9aGzYXA

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

-----------

Show notes:

 

Sandboxing tech  -  https://hangouts.google.com/call/yrpzdahvjjdbfhesvjltk4ahgmf

 

A sandbox is implemented by executing the software in a restricted operating system environment, thus controlling the resources (for example, file descriptors, memory, file system space, etc.) that a process may use.

 

Various types of sandbox tech

 

Jails - freebsd

    Much like Solaris 10’s zones, restricted operating system, also able to install OSes inside, like Debian

        http://devil-detail.blogspot.com/2013/08/debian-linux-freebsd-jail-zfs.html

 

Pledge(8)  - new to OpenBSD

    Program says what it should use, if it steps outside those lines, it’s killed

    http://www.tedunangst.com/flak/post/going-full-pledge

    http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/pledge.2?query=pledge

    http://www.openbsd.org/papers/hackfest2015-pledge/mgp00008.html

 

Chroot - openbsd, linux (chroot jails)

    “A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children”

    Example: “www” runs in /var/www. A chrooted www website must contain all the necessary files and libraries inside of /var/www, because to the application /var/www is ‘/’

 

Rules based execution - AppArmor, PolicyKit, SeLinux

    Allows users to set what will be ran, and which apps can inject DLLs or objects.

    “It also can control file/registry security (what programs can read and write to the file system/registry). In such an environment, viruses and trojans have fewer opportunities of infecting a computer.”

https://en.wikipedia.org/wiki/Seccomp

https://en.wikipedia.org/wiki/Linux_Security_Modules

 

Android VMs

 

Virtual machines - sandboxes in their own right

    Snapshot capability

    Revert once changes have occurred

    CON: some malware will detect VM environments, change ways of working

 

Containers (docker, kubernetes, vagrant, etc)

    Quick standup of images

    Blow away without loss of host functionality

    Helpful to run containers as an un-privileged user.

https://blog.jessfraz.com/post/getting-towards-real-sandbox-containers/

 

Chrome sandbox: https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md

 

Emulation Vs. Virtualization

 

http://labs.lastline.com/different-sandboxing-techniques-to-detect-advanced-malware  --seems like a good link

 

VMware Thinapp (emulator):

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1030224

 

(continued next page)

Malware lab creation (Alienvault blog):

https://www.alienvault.com/blogs/security-essentials/building-a-home-lab-to-become-a-malware-hunter-a-beginners-guide

 

https://www.reverse.it/

 

News: (assuming it goes short)

SHA-1 generated certs will be deprecated soon - https://threatpost.com/sha-1-end-times-have-arrived/123061/

 

(whitelisting files in Apache)

https://isc.sans.edu/diary/Whitelisting+File+Extensions+in+Apache/21937

 

http://blog.erratasec.com/2017/01/the-command-line-for-cybersec.html

https://github.com/robertkuhar/java_coding_guidelines

https://www.us-cert.gov/sites/default/files/publications/South%20Korean%20Malware%20Attack_1.pdf#

 

https://www.concise-courses.com/security/conferences-of-2017/

2017-003-Amanda Berlin at ShmooCon

Jan 30, 2017 30:46

Description:

Amanda Berlin attended Shmoocon this year, and sat down with a few people. She discussed a bit with John about what HackEd is about (http://hackeducate.com/)

Amands writes: "I had an amazing time at my 3rd #Shmoocon. I was able to interview a handful of really cool people working on several different types of infosec education. I was able to watch a few talks, spend some time in the lockpick village, as well as go to Shmoocon Epilogue. It’s always amazing to watch people talk about what they are passionate about, and Shmoocon is a great relaxed environment where that happens frequently."

James Green @greenjam94
Aaron Lint @lintile  
Jon? @hackeducate

Melanie Rich-Wittrig @securitycandy

Amanda Berlin attended ShmooCon this year, and sat down with a few people. She discussed a bit with John about what HackEd is about (http://hackeducate.com/)

Melanie Rich-Wittrig (@securitycandy) discusses how she's empowering kids to get into information security, even as early as age 10 or 11. She discusses how she motivates by teaching CTF and hacking concept, and gamifying by using point systems.

www.securitycandy.com

RSS: http://www.brakeingsecurity.com/rss

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-003-ShmooCon_Audio.mp3

YouTube:

 

 

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

----------

2017-002: Threat Lists, IDS/IPS rules, and mentoring

Jan 22, 2017 01:05:41

Description:

In your environment, you deal with threats from all over the world. Many groups out there pool resources to help everyone deal with those #threats. Some come in the form of threat #intelligence from various intelligence companies, like #Carbon #Black, #FireEye, and #Crowdstrike.

But what if your company cannot afford such products, or are not ready to engage those types of companies, and still need need protections? Never fear, there are open source options available (see show notes below). These products aren't perfect, but they will provide a modicum of protection from 'known' bad actors, SSH trolls, etc.

We discuss some of the issues using them, discuss how to use them in your #environment.

Lastly, we discuss #mentorship. Having a good mentor/mentee relationship can be mutally beneficial to both parties. We discuss what it takes to be a good mentee, as well as a good mentor...

RSS: www.brakeingsecurity.com/rss

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-002-mentoring_threat_lists.mp3

iTunes:  https://itunes.apple.com/us/podcast/2017-002-threat-lists-ids/id799131292?i=1000380246554&mt=2

YouTube: https://www.youtube.com/watch?v=oHNrINl1oZE

 

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

----------

Show Notes:

HANGOUTS:  https://hangouts.google.com/call/w7rkkde5yrew5nm4n7bfw4wfjme

 

2017-002-Threat Lists, IDS/IPS rulesets, and infosec mentoring

 

Threat Lists (didn’t have much time to research :/) THIS EXACTLY - http://blogs.gartner.com/anton-chuvakin/2014/01/28/threat-intelligence-is-not-signatures/    Don’t use threat list feeds (by IP/domain) as threat intelligence Can use them for aggressively blocking, don’t use for alerting https://isc.sans.edu/suspicious_domains.html https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt http://iplists.firehol.org/ https://zeltser.com/malicious-ip-blocklists/ https://medium.com/@markarenaau/actionable-intelligence-is-it-a-capability-problem-or-does-your-intelligence-provider-suck-d8d38b1cbd25#.ncpmqp9cx Spamhaus: https://www.spamhaus.org/ leachers Open rulesets - You can always depend on the kindness of strangers Advantage is that these are created by companies that have worldwide reach Updated daily Good accompanying documentation You can buy large rulesets to use in your own IDS implementation Depends on your situation if you want to go managed or do yourself Regardless you need to test them Managed security services will do this for you I don’t recommend unless you have a team of dedicated people or you don’t care about getting hacked- signatures are way too dynamic, like trying to do AV sigs all by yourself Only a good idea for one-off, targeted attacks DIY IDS/IPS rulesets https://securityintelligence.com/signature-based-detection-with-yara/ http://yararules.com/ http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/ Yara rules For Mentors Set expectations & boundaries Find a good fit Be an active listener Keep open communication Schedule time Create homework Don’t assume technical level Ask questions Do your own research Find a good fit Put forth effort It’s not the Mentor’s job to handhold, take responsibility for own learning Value their time Come to each meeting with an agenda For Mentees Mentoring frameworks? InfoSec Mentoring https://t.co/mLXjfF1HEr https://gist.github.com/AFineDayFor/5cdd0341a2b384c20e615dcedeef0741 Podcasts (Courtesy of Ms. Hannelore) https://t.co/mLXjfF1HEr https://gist.github.com/AFineDayFor/5cdd0341a2b384c20e615dcedeef074

2017-001: A New Year, malware legislation, and a new cast member!

Jan 12, 2017 43:44

Description:

We start Brakeing Down Security with a huge surprise! A 3rd member of the podcast! Amanda #Berlin (@infosystir) joins us this year to help us educate people on #security topics. During the year, she'll be getting us some audio from various conventions and giving us her perspective working as an #MSSP, as well as a blue team (defender).

We start out talking about new #California #legislation about making #malware illegal. What are politicians in California thinking? We work through that and try to find some understanding.

With all the various secure messaging systems out there, we discuss how why secure messaging systems fail so poorly with regards to #interoperability and the difficulties in getting average non-infosec people to adopt one. We also discuss #Perfect #Foward #Security and how it prevents people from decrypting old messages, even if the key is compromised.

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

---Show Notes---

News story:

http://www.latimes.com/politics/la-pol-sac-crime-ransomware-bill-20160712-snap-story.html

 

“If this legislation gives prosecutors the tools that they didn’t have before, where are the cases that they have lost because they didn’t have these tools?” said Brandon Perry, a senior consultant for NTT Com Security. “Authorities are focused on prosecuting criminals that they can’t even find, as opposed to educating the victims to prevent this from happening again and again.”

 

Ransomware won’t infect you if you watch training videos:

http://thehackernews.com/2017/01/decrypt-ransomware-files.html

 

Secure messaging - stuck in an Apple ecosystem

    Too many, no interoperability

        Signal, Whisper, Wickr, Wire, WhatsApp, FB messenger

        I uninstalled Signal… can’t convince people to adopt something if everyone cannot message one another --BrBr

 

OpenPGP is ‘dangerous’

http://arstechnica.com/information-technology/2016/12/signal-does-not-replace-pgp/

    Forward Secrecy - https://en.wikipedia.org/wiki/Forward_secrecy

        “A public-key system has the property of forward secrecy if it generates one random secret key per session to complete a key agreement, without using a deterministic algorithm.” (input given gives the same output every time)

Perfect Forward Secrecy - “In cryptography, forward secrecy (FS; also known as perfect forward secrecy[1]) is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys.

   

Ms. Amanda’s pentest homework:

“https://docs.google.com/document/d/17NJPXpqB5Upma2-6Hu5svBxd8PH0Ex7VgCvRUhiUNk8/edit”

2016-051: Steps to fixing risks you found, and the State of the Podcast

Dec 25, 2016 41:30

Description:

It's the final episode of the the year, and we didn't slouch on the #infosec. Mr. Boettcher discussed what should happen when we find risk and how we handle it in a responsible manner.

I also issue an 'open-letter' to C-Level. We need C-Levels to listen and accept the knowledge and experience of your people. Infosec people are often the only thing keeping a company from making the front page, and yet are still seen as speed bumps.

We also discuss some the previous episodes of the year, some recent developments to build our #community, like our book club and upcoming #CTF club.

Plus, there is one other surprise, but you'll have to wait until our next episode to find out!

 

Enjoy our final episode of 2016. Our regular show will return the week of 9 January 2017!

 

https://en.wikipedia.org/wiki/Yahoo!_data_breaches#Legal_and_commercial_responses

iTunes:

YouTube: https://www.youtube.com/watch?v=w56W5gMMg0E

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-051-State_of_the_podcast_Finding_and_managing_risk.mp3

Special deal for our #BrakeSec Listeners:

"If you have an interesting security talk and fancy visiting #Amsterdam in the spring, then submit your talk to the Hack In The Box (#HITB) Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/.
Tickets are already on sale, with early bird prices until 31 December 2016. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity!


Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

Google Play Store  https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

2016-050: Holiday Spectacular with a little help from our friends!

Dec 22, 2016 01:14:54

Description:

Brakesec Podcast joined:

Edgar #Rojas (@silverFox) and Tracy #Maleef (@infosecSherpa) from the #PVC #Security #podcast (@pvcsec)

Joe Gray (@C_3PJoe) from the Advanced Persistent Security Podcast

Jerry #Bell (@maliciousLink) and Andrew #Kalat (@lerg) from the #Defensive Security podcast (@defensiveSec)

And Amanda #Berlin (@infosystir) for a light-hearted holiday party. We discuss things we learned this year, and most of us refrained from making the famous "#prediction" lists. You also get to hear my lovely wife come in and bring me #holiday #sweeties and even dinner, as she had no idea we were recording at the time (she later told me "You sounded like you were having too much fun, so I assumed you weren't recording")

**there might be some explicit language**

Join us won't you, and listen to 3 fantastic podcasts mix it up for the holidays.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-050-holiday_spectacular-defsec-advpersistsec-brakesec-infosystir.mp3

#YouTube: https://www.youtube.com/watch?v=sJaAG0KRpDY

#iTunes: https://itunes.apple.com/us/podcast/2016-050-holiday-spectacular/id799131292?i=1000379206297&mt=2

Special deal for our #BrakeSec Listeners:

"If you have an interesting security talk and fancy visiting #Amsterdam in the spring, then submit your talk to the Hack In The Box (#HITB) Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/.
Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity!


Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

2016-049-Amanda Berlin, the art of the sale, and Decision making trees

Dec 15, 2016 56:47

Description:

 "Always Be Closing" is the mantra that Alec Baldwin's character "Blake" intones in the movie "#GlenGarry #Glen #Ross". Ironically, the film about 4 men selling was a failure in the theaters.

A lot of times as #blue #teamers, we find ourselves in the sights of a #sales person, or often enough, we are inviting them into our conference rooms to find out how their widget will help save the day. There's an art to the concept of selling, honed over the past 500,000 years, since Ugg tried to convince Oog that his wheel would revolutionize work...

We asked Ms. Amanda Berlin (@infosystir) to join us this week, for her expertise at working at an security company, as well as someone who sells products, to discuss how and why sales and sales engineers do what they do. I posit that there must be 'decision tree' or script that most follow in an effort to make a sale, and how to confront the pushy sales pitch head on, or in Amanda's way, to avoid it altogether.

We discuss Amanda's book she co-wrote with Lee Brotherston, whom we've had on our show before. Their #O'Reilly #book is on pre-sale right now, so you can order "The #Defensive #Security #Handbook" here: http://shop.oreilly.com/product/0636920051671.do

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-049-amanda_berlin_the_art_of_the_sale_decision_making_trees.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-049-amanda-berlin-art/id799131292?i=1000378988303&mt=2

Youtube: https://www.youtube.com/watch?v=v0llOSXfzBg

 

Special deal for our #BrakeSec Listeners:

"If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box (#HITB) Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/.
Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity!


Join our Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-048: Dr. Gary McGraw, Building Security into your SDLC, w/ Special guest host Joe Gray!

Dec 4, 2016 01:11:07

Description:

As part of our ongoing discussion about the #SDLC and getting security baked in as far left as possible, Joe Gray, host of the  Advanced Persistant Security #Podcast (find it at https://advancedpersistentsecurity.net/), Mr. Boettcher, and I sat down with Dr. Gary McGraw, author of "Software Security: Building Security In" to discuss his book. We are also doing this book as part of the Brakeing Security Book Club (check out our #Slack channel for more information).

Gary walks us through the 7 Kingdoms of getting more security in, including doing automated and manual code audits, proper penetration testing of the application at various stages (testing), documentation (if you don't know it works, how can you test it?), and your Security Operations people, monitoring for things once it goes into production.  Also, find out what Chapter he thinks you should skip altogether... the answer may surprise you... :)

Join Mr. Gray, Mr. Boettcher, and I for a discussion with a true leader in the software and application security industry.

Buy the book on Amazon: https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705

Check out Gary's Website at https://www.garymcgraw.com/, and check out Gary's own podcast the Silver Bullet Security Podcast at https://www.garymcgraw.com/technology/silver-bullet-podcast/

Gary's twitter is @cigitalgem

Joe Gray's twitter is @C_3PJoe

Special deal for our #BrakeSec Listeners:

"If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/.
Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks Sebastian Paul Avarvarei and all the organizers of Hack In The Box (#HITB) for this opportunity!

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-048-Gary_McGraw_Securing_Your_SDLC_and_guest_host_Joe_Gray.mp3

iTunes:  https://itunes.apple.com/us/podcast/2016-048-dr.-gary-mcgraw-building/id799131292?i=1000378548363&mt=2

YouTube: https://www.youtube.com/watch?v=x65yL5_Hpi4

Join our Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-047: Inserting Security into the SDLC, finding Privilege Escalation in poorly configured Linux systems

Nov 28, 2016 19:50

Description:

Just a quick episode this week...

As part of the Brakesec Book Club (join us on our #Slack Channel for more information!) we are discussing Dr. Gary McGraw's book "Software Security: Building Security In" (Amazon Link: https://is.gd/QtHQcM)

We talk about the need to inserting security into your company's #SDLC... but what exactly can be done to enable that? I talk about abuse cases, #risk #analysis, creating test cases, pentesting, and #security #operations are all methods to do so.

Finally, I discovered a blog talking about ways to discover configuration errors on Linux systems that might allow #privilege #escalation to occur. Using these tools as part of your hardening processes could lower the risk of a bad actor gaining elevated privileges on your *unix hosts

http://rajhackingarticles.blogspot.com/2016/11/4-ways-to-get-linux-privilege-escalation.html

You can find the github of this script and the audit software that I mentioned below:

https://github.com/rebootuser/LinEnum.git     #Lynis (from CISOfy: https://cisofy.com/lynis/   Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-047-inserting_security_into_the_SDLC_finding_Linux_priv_esc.mp3   #iTunes: https://itunes.apple.com/us/podcast/2016-047-inserting-security/id799131292?i=1000378329598&mt=2   #YouTube:  https://www.youtube.com/watch?v=Kd_ZzvVNqoA  

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

2016-046: BlackNurse, Buenoware, ICMP, Atombombing, and PDF converter fails

Nov 21, 2016 44:50

Description:

This week, Mr. Boettcher found himself with an interesting conundrum concerning what happened when he converted a Windows DOCX file to a PDF using a popular #PDF converter software. We discuss what happened, how Software Restriction Policy in Windows kept him safe from a potential malware infection, and about the logging that occurred.

After that, we discuss some recent vulnerabilities, like the BlackNurse Resource Exhaustion vulnerability and how you can protect your infrastructure from a DDoS that can occur from someone sending your firewall 300 packets a second... which anyone can do.

We discuss Robert Graham's recent run-in with a new surveillance camera and how it was pwned in less time than you think. And learn about the 'buenoware' that has been released that 'patches' IoT and embedded devices... But does it do more harm than good, and is it legal?

All that and more this week on Brakeing Down Security Podcast! 

Check out our official #Slack Channel! Sign up at https://brakesec.signup.team

Next Book Club session is 29 November 2016. Our current book for study is 'Software Security: Building Security In' by Dr. Gary McGraw  https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705  (ebook is available of Safari books online)

 

BlackNurse

https://nakedsecurity.sophos.com/2016/11/17/blacknurse-revisited-what-you-need-to-know/

http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/

http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack

 

Recent tweet from @boettcherpwned about infected docx with macros and we discuss why Foxit PDF runs the macros and open_document:

https://twitter.com/boettcherpwned/status/799726266693713920

Brakesec Podcast about Software Restriction Policy and Application Whitelisting on Windows: http://traffic.libsyn.com/brakeingsecurity/2016-018-software_restriction_policy-applocker.mp3

Rob Graham @errataBob: new camera pwned by #Mirai botnet and others within 5 minutes:

https://twitter.com/newsyc200/status/799761390915424261

 

#BlackNurse

https://nakedsecurity.sophos.com/2016/11/17/blacknurse-revisited-what-you-need-to-know/

http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/

http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack

ICMP

Type 3, Code 3 (Destination Port unreachable)  http://www.faqs.org/rfcs/rfc792.html

#SHA1 deprecated on website certs by Chrome on 1 January 2017

http://www.darkreading.com/operations/as-deadline-looms-35-percent-of-web-sites-still-rely-on-sha-1/d/d-id/1327522

#Benevolent #malware (buenoware)

https://isc.sans.edu/diary/Benevolent+malware%3F+reincarnaLinux.Wifatch/21703

#Atombombing

http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions

https://breakingmalware.com/injection-techniques/atombombing-cfg-protected-processes/

http://www.pandasecurity.com/mediacenter/malware/atombombing-windows-cybersecurity/

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-046-Black_Nurse_buenoware_IoT_pwnage.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-046-blacknurse-buenoware/id799131292?i=1000378076060&mt=2

Youtube: https://www.youtube.com/watch?v=w-FEJuWGXaQ

 

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-044: Chain of Custody, data and evidence integrity

Nov 7, 2016 47:04

Description:

During a Security Incident, or in the course of an investigation, it may become necessary to gather evidence for further use in a possible court case in the future. But if you don't have 4-10,000 dollars USD for fancy forensic software, you'll need to find methods to preserve data, create proper integrity, and have a proper custody list to show who handled the data, how it was collected, etc.

This podcast was not meant to turn you into an expert, but instead to go over the finer points of the process, and even where you should turn to if you need help.

Certified Ethical Hacker book I was referencing in the show: http://www.wiley.com/WileyCDA/WileyTitle/productCd-1119252245,miniSiteCd-SYBEX.html

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-044-Evidence_chain_of_custody_data_integrity.mp3

#YouTube: https://www.youtube.com/watch?v=aJA2ry6npKI

#iTunes: https://itunes.apple.com/us/podcast/2016-044-chain-custody-data/id799131292?i=1000377566298&mt=2

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-043: BSIMMv7, a teachable moment, and our new Slack Channel!

Nov 2, 2016 01:14:10

Description:

 

**Brakeing Down Security has a Slack channel now... just go to https://brakesec.signup.team and follow the instructions to have the bot add you to our show's official channel.**

Every year, organizations come out with industry reports that show how well or, more often than not, how poorly we are doing.

We always even reviewing the BSIMM report, because it's an unvarnished, and a good measure of a good number of industry verticals, like finance, manufacturing, cloud, and even companies that make IoT devices.

Join Mr. Boettcher and I this week as we go over the findings of the report, discuss what got better, what still sucks, and what shouldn't we fault companies for not having.

We also have a teachable moment when I discuss a security paux fas that happened to me (Bryan) recently regarding an email account and my Skype. 2 factor authentication is your friend, and if it's available, use it.

Mr. Boettcher discusses some recent malware that has reared it's ugly head, and how to detect it.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-043-BSIMMv7.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-043-bsimmv7-teachable/id799131292?i=1000377394890&mt=2

YouTube: https://www.youtube.com/watch?v=I3FLSLSSb_Y

 

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

2016-042-Audio from Source Seattle 2016 Conference

Oct 25, 2016 01:32:53

Description:

Join us for a special episode this week! I (Bryan) was able to attend my first Source Seattle convention. Two days of talks, technical and non-technical, combining red/blue team concepts, as well as professional development, to help you navigate the corporate waters easier.

I was able to interview a number of people from the conference. You can see a partial list of them here:

http://www.sourceconference.com/single-post/2016/09/30/SOURCE-Seattle-Highlights


Interviewed

Chip McSweeney from OpenDNS (@chipmcmalware) and Rob Cheyne about the conference and got a bit of information about Chip's talk on "Domain Generating Algorithms" (DGA) that #malware use for domain C&C, and how to detect and reverse certain algos.

Rob Cheyne is the organizer of Source, so we talked a bit about the history and difficulties putting on 3 of these a year, and what makes the "Source" conference format so different.

Masha Sedova was one of the keynote speakersto discuss how she gamified her information security program and got everyone involved. Really excellent talk about changing organizational behavior.

Rob Fuller gave two days of Metasploit training, to show the versatility and to teach about the effectiveness of this tool. I also ask if Metasploit has reached it's end, since it's easily detected in many environments. Rob is a great interview and gives me his unvarnished opinion.

Mike Shema from https://cobalt.io/ discussed expanding and tailoring your bug bounty program to suit your organization and to ensure that your bug bounty program is mature. Using private bug bounties, and ensuring proper follow through in a timely manner can ensure maximum bang for the buck.

Last but not least, Deidre Diamond who did a keynote about 'Words to Stop Using now'. Deidre is the CEO of a national cyber security staffing company (Cyber Security Network) and Founder of a not-for-profit that empowers women in the infosec industry. Hear her thoughts on how leadership training is needed in the corporate environment, I ask her why we still need recruiters with hiring sites and why job descriptions are still a thorn in everyone's sides.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-042-Source_Seattle_2016_audio.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-042-audio-from-source/id799131292?i=1000377063127&mt=2

YouTube: https://www.youtube.com/watch?v=sj_SD2k7zXw

#RSS: http://www.brakeingsecurity.com/rss

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

2016-041- Ben Johnson, company culture shifts, job descriptions, cyber self-esteem

Oct 17, 2016 01:11:23

Description:

Ben Johnson has been around the industry for a good while, and has seen a lot of ugly things in our industry.

Ben had written a recent blog post (https://www.carbonblack.com/2016/08/12/benvlog-3-negative-forces-driving-security/) detailing the issues that seem to plague many companies and many people in the infosec community.

We talked about these issues in depth, and how companies and even the employees in a company can ease some of their burdens, and how they can make some changes to make your company culture better.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-041-Ben_johnson.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-041-ben-johnson-company/id799131292?i=1000376744922&mt=2

YouTube: https://www.youtube.com/watch?v=HrTPH97-YIY

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-040: Gene_Kim, Josh_Corman, helping DevOps and Infosec to play nice

Oct 10, 2016 01:01:40

Description:

If you work in a #DevOps environment, you're on one side of the fence... you're either with the devs, you have freedom to make changes, and everything is great.

If you're on the Security and/or Compliance side, it's a desolate wasteland of watching people play fast and loose with policies, no one documenting anything, and you're seen as a 'barrier' to getting the new hotness out.

But does it have to be that way? This week, we sat down with DevOps veterans Gene Kim and Josh Corman to discuss how we can make security, compliance, and DevOps to play nice with one another.

Gene Kim's new book (excerpt): http://itrevolution.com/handbook-excerpt

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-040-Gene_Kim-Josh_Corman-Getting_Security-and_DevOps_playing_nice.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-040-gene-kim-josh-corman/id799131292?i=1000376417012&mt=2

YouTube:  https://www.youtube.com/watch?v=fOuSRYJtiKo

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-039-Robert Hurlbut, Threat Modeling and Helping Devs Understand Vulnerabilities

Oct 4, 2016 01:15:00

Description:

Join us this week as Robert Hurlbut (@roberthurlbut on Twitter), is an independent consultant with over 25 years of application experience, helps us understand best methods to getting developers on the same level as security professionals with application security flaws.

We also discuss some of the soft skills involved in bringing new concepts to organizations, like teaching proper coding conventions, changing up the development lifecycle, and helping to improve the skills of developers and managers.

 

Robert's Website is chock full of good information about threat modeling and secure coding practices at http://www.roberthurlbut.com

 

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-039-Robert_Hurlbut-threat_modeling_and_analysis.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-039-robert-hurlbut-threat/id799131292?i=1000376171899&mt=2

YouTube: https://www.youtube.com/watch?v=P5jEVJTymOg

 

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-038-Derbycon Audio and 2nd Annual Podcast with Podcasters!

Sep 29, 2016 01:24:14

Description:

Mr. Brian Boettcher and I had a great time at DerbyCon. We met so many people and it really was excellent meeting all the fans who came up and said "Hello" or that they really enjoyed the #podcast.  It is truly a labor of love and something that we hope everyone can learn something from.

We got some audio while at lunch at #Gordon #Biersch talking about log monitoring inspired by @dualcore's talk on #Anti-Forensics talk (http://www.irongeek.com/i.php?page=videos/derbycon6/310-anti-forensics-af-int0x80-of-dual-core) and how to evade log monitoring with Mr. Brian Boettcher and Michael Gough. (shout-out to @mattifestation, @dualcore, @baywolf88, @carlos_perez)

We sat down with Mr. Osman (@surkatty) from the Sound Security Podcast (@SoundSec), who was a first time attendee to #DerbyCon. We get his thoughts about DerbyCon and what talks he enjoyed.

Finally, our 2nd Annual podcast with our fellow podcasters was on. We had it in Bill Gardner's room (ReBoot-It podcast) (@oncee), Amanda Berlin (@infosystir) from #Hurricane #Labs Podcast, Jerry Bell (@MaliciousLink) from #Defensive #Security Podcast, Ben Heise (@benheise) from Rally #Security Podcast, Tim DeBlock (@TimothyDeBlock) from Exploring Information Security Podcast, and SciaticNerd (@sciaticnerd) from Security Endeavors podcast

IronGeek's website has all the videos available to listen to here: http://www.irongeek.com/i.php?page=videos/derbycon6/mainlist

 

Whiskey Bent Valley Boys:  http://whiskeybentvalley.tumblr.com/ or iTunes: https://itunes.apple.com/us/artist/whiskey-bent-valley-boys/id318874442

 

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-038-Derbycon_podcast.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-038-derbycon-audio-2nd/id799131292?i=1000375934157&mt=2

YouTube: https://www.youtube.com/watch?v=W7ylsfwGyhc

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

2016-037: B1ack0wl, Responsible Disclosure, and embedded device security

Sep 14, 2016 01:06:51

Description:

Have you ever found a #vulnerability and wondered if it was worth the time and effort to reach back to the company in question to get the fix in?

This week, we have a story with Mr. "B1ack0wl" who found a vulnerability with certain #Belkin #embedded network devices for end users...  We also find out how B1ack0wl learned his stock and trade.

https://www.exploit-db.com/exploits/40332/

Find out how he discovered it, and what steps he took to disclose the steps, and what ended up happening to the finding.

http://www.devttys0.com/  -- #embedded device hacking blog

http://io.netgarage.org/ -- #wargame site #B1ack0wl mentioned

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-037-b1ack0wl_responsible_disclosure-belkin_routers.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-037-b1ack0wl-responsible/id799131292?i=1000375462991&mt=2

YouTube: https://www.youtube.com/attribution_link?a=kChiecG0Sv4&u=/watch%3Fv%3D9_qS2s3GrT4%26feature%3Dem-upload_owner

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

2016-036: MSSP pitfalls, with Nick Selby and Kevin Johnson

Sep 11, 2016 01:08:12

Description:

Nick Selby (@nselby on Twitter) is an independent consultant who works a wide variety of jobs.  During a recent engagement, he ran into an interesting issue after a company called him in to handle an incident response. It's not the client, it was with the Managed Security Service Provider (#MSSP). His blog post about the incident made big news on Twitter and elsewhere.

Nick's Blog Post: https://nselby.github.io/When-Security-Monitoring-Provides-Neither-Security-Nor-Monitoring/

So, we wanted to have Nick on to discuss any updates that occurred, and also asked an MSSP owner, Kevin Johnson, from SecureIdeas (@secureideas on Twitter), as Kevin is well versed with both sides, being a customer, and running an MSSP with his product, Scout (https://secureideas.com/scout/index.php)

We go over what an MSSP is (or what each person believes an MSSP is), we discuss the facts from Nick and his client's side, we try and put ourselves in the shoes of the MSSP, and if they handled the issue properly.

We also find out how Nick managed to save the day, the tools they used to solve the problem.  We did a whole podcast on it, and maybe it's time to re-visit that...

Finally, we discuss the relationship between an MSSP and the customer, what expectations each party should see from each other, and what are the real questions each should ask one another when you're searching out an MSSP.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-036-mssp-nick_selby-kevin_johnson.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-036-mssp-pitfalls-nick/id799131292?i=1000375157370&mt=2

YouTube:  https://www.youtube.com/watch?v=b1rEpaBAKpQ

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

2016-035-Paul Coggin discusses the future with Software Defined Networking

Sep 6, 2016 01:13:28

Description:

Paul Coggin is my SME when I need to know about anything network #security related. And this time, we wanted to have him on our show to discuss Software Defined Networking (#SDN)

Software defined networking allows for applications to make connections, manage devices and even control the network using #APIs. It in effect allows any developer become a network engineer.  Obviously this could be a recipe for disaster if the dev is not fully understanding of the rammifiications.

And there's more good news (if you're a black hat), there's no role based security, parts of the #specification isn't fully fleshed out yet, and there are vendor specific frameworks of their own, that may not be fully interoperable with each other...

Paul talks to us about some background of #SDN, some of the pitfalls and what you need to think about when implementing Software Defined Networking.

 

Links referred to in the Show:

https://www.rsaconference.com/writable/presentations/file_upload/tech-r03-sdn-security-v3.pdf

https://www.blackhat.com/docs/eu-14/materials/eu-14-Pickett-Abusing-Software-Defined-Networks-wp.pdf

http://onosproject.org/2015/04/03/sdn-and-security-david-jorm/

https://people.eecs.berkeley.edu/~rishabhp/publications/Sphinx.pdf

https://www.opendaylight.org/

https://www.opennetworking.org/certification

Ras Pi as an OpenFlow controller: https://faucet-sdn.blogspot.com/2016/06/raucet-raspberry-pi-faucet-controlling.html

Zodiac FX SDN boards (Excellent customer service!):  http://northboundnetworks.com/

Excellent site discussing SDN:  http://www.ipspace.net/Main_Page

Coursera SDN course:  https://www.coursera.org/learn/sdn

 

Brakeing Down Security RSS: http://www.brakeingsecurity.com/rss

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2016-035-Paul_Coggin_SDN.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-035-paul-coggin-discusses/id799131292?i=1000374972931&mt=2

YouTube: https://www.youtube.com/watch?v=YuuNzeiexUY

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-034: Sean Malone from FusionX explains the Expanded Cyber Kill Chain

Aug 28, 2016 01:40:44

Description:

Another great #rejectedTalk we found was from Sean Malone (@seantmalone on Twitter). The Cyber Kill Chain is a method by which we explain the methodolgy of hackers and the process of hacking.

In this discussion, we find Sean has expanded the #killchain, to be more selective, and to show the decision tree once you've gained access to hosts.

This expanded #killChain is also effective for understanding when #hackers are attacking specific systems, like #SCADA, or other specialized systems or networks, like the #SWIFT banking transfer. This discussion also is great for showing management the time and effort required to gain access to systems.

We also talk about the #OODA loop (https://en.wikipedia.org/wiki/OODA_loop) and how disrupting that will often cause attacks to go awry or to be stunted, reducing the effectiveness.

Sean T. Malone website: http://www.seantmalone.com/


Slides and presentation referred to in the podcast: http://www.seantmalone.com/docs/us-16-Malone-Using-an-Expanded-Cyber-Kill-Chain-Model-to-Increase-Attack-Resiliency.pdf

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-034-CyberKillChain.mp3

iTunes:  https://itunes.apple.com/us/podcast/2016-034-sean-malone-from/id799131292?i=1000374642630&mt=2

YouTube:  https://www.youtube.com/watch?v=eBOCjaGmbMg

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-033: Privileged Access Workstations (PAWs) and how to implement them

Aug 22, 2016 57:33

Description:

Bill V. (@blueteamer on Twitter) and was the 1st of a series we like to call "2nd Chances: Rejected Talks". Bill had a talk that was rejected initially at DerbyCon (later accepted after someone else cancelled)  Here is the synopsis of his talk that you can now see at DerbyCon:

Privileged Access Workstations (PAWs) are hardened admin workstations implemented to protect privileged accounts. In this talk I will discuss my lessons learned while deploying PAWs in the real world as well as other techniques I've used to limit exposure to credential theft and lateral movement. I hope to show fellow blue teamers these types of controls are feasible to implement, even in small environments. 

TechNet article referenced on the show:

https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-033-PAWs-Bill_Voecks-Rejected_Talks.mp3

RSS: http://www.brakeingsecurity.com/rss

iTunes: https://itunes.apple.com/us/podcast/2016-033-privileged-access/id799131292?i=1000374432509&mt=2

YouTube: https://www.youtube.com/watch?v=0DwR9RcEBo0

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-032-BlackHat-Defcon-Debrief, Brakesec_CTF_writeup, and blending in while traveling

Aug 15, 2016 59:56

Description:

Co-Host Brian Boettcher went to BlackHat and Defcon this year, as an attendee of the respective cons, but also as a presenter at "Arsenal", which is a venue designed to show up and coming software and hardware applications. We started off by asking him about his experiences at Arsenal, and how he felt about "Hacker Summer Camp"

Our second item was to discuss the recent Brakesec PodCast CTF we held to giveaway a free ticket to Derbycon. We discussed some pitfalls we had, how we'll prepare for the contest next year, and steps it took to solve the challenges.

The final item of the night was about travel security, since the Olympics are on, and there was a report about Olympic athletes who were robbed at gunpoint. We discuss safety while traveling, keeping a low profile, reducing risk, and reminding you to leave the overly Patriotic shirts and apparel at home.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-032-Defcon-blackHat_debrief-travel-security_CTF-writeup-final.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-032-blackhat-defcon-debrief/id799131292?i=1000374155086&mt=2

YouTube:  https://www.youtube.com/watch?v=Df-JL-PiGus

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-031:DFIR rebuttal and handling incident response

Aug 8, 2016 59:00

Description:

A couple of weeks ago, we discussed on our show that not all incident response events required digital forensics.  We got quite a bit of feedback about that episode, so in an effort to address the feedback, we brought Brian Ventura on.

Brian has 20+ years in Information Technology, ranging from systems administration to project management and information security. He is an Information Security Architect in Portland, Oregon and volunteers as the Director of Education for the Portland ISSA Chapter. Brian holds his CISSP and GCCC, as well as other industry certifications. As the Director of Education, Brian coordinates relevant local and online training opportunities.

We discuss definitions of what digital forensics are, and how that term really has a broad range for classification.

Brian will be teaching SEC566 in Long Beach in September. Here is the link for more information to sign up for this course...  https://www.sans.org/community/event/sec566-long-beach-26sep2016-brian-ventura

 

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2016-031-DFIR_discussion_and_rebuttal.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-031-dfir-rebuttal-handling/id799131292?i=1000373849931&mt=2

YouTube: https://www.youtube.com/watch?v=e3Dy001GdWM

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-030: Defending Against Mimikatz and Other Memory based Password Attacks

Aug 1, 2016 35:01

Description:

In the last few years, security researchers and hacker have found an easy way of gaining access to passwords without the use of dumping the Windows hash table.

When improperly configured, the passwords are stored in memory, often in plain text.

 

This week, we discuss Mimikatz, and methods by which you can protect your environment by hardening Windows against such attacks.

 

Links to blogs:

https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft

http://blog.gojhonny.com/2015/08/preventing-credcrack-mimikatz-pass-hash.html

https://jimshaver.net/2016/02/14/defending-against-mimikatz/

 Praetorian Report on pentests: http://www3.praetorian.com/how-to-dramatically-improve-corporate-IT-security-without-spending-millions-report.html

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-030-Defense_against_Mimikatz.mp3

YouTube:  https://www.youtube.com/watch?v=QueSEroKR00

iTunes: https://itunes.apple.com/us/podcast/2016-030-defending-against/id799131292?i=1000373511591&mt=2

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

2016-029: Jarrod Frates, steps when scheduling a pentest, and the questions you forgot to ask...

Jul 26, 2016 01:22:40

Description:

Jarrod Frates (@jarrodfrates on Twitter) has been doing pentests as a red-team member for a long time. His recent position at #InGuardians sees him engaging many companies who have realized that a typical 'pentest #puppymill' or pentest from certain companies just isn't good enough.

Jarrod has also gone on more than a few engagements where he has found the client in question has no clue of what a 'real' pentest is, and worse, they often have the wrong idea of how it should go.

This week, I sat down with Jarrod, and we talked about what needs to occur before the pentest, even before you contact the pentesting firm... even, in fact, before you should even consider a pentest. 

We discuss what a pentest is, and how it's different from a 'vulnerability assessment', or code audit. Jarrod and I discuss the overarching requirements of the pentest (are you doing it 'just because', or do you need to check a box for compliance).  We ask questions like

Who should be involved setting scope? 

Should #Social #Engineering always be a part of a pentest?

Who should be notified if/when a #pentest is to occur?

Should your SOC be told when one occurs?

What happens if the pentest causes incident response to be called (like if someone finds a malware/botnet infection)?

And how long do you want the engagement to be?

And depending on the politics involved, these things can affect the quality of the pentest, and the cost as well...

It was a great discussion with Jarrod, a seasoned professional, and veteran of many engagements. If your organization is about to engage a company for a pentest, you'd be wise to take a moment and listen to this.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-029-Jarrod_Frates-What_to_do_before_a_pentest_starts.mp3

#iTunes: https://itunes.apple.com/us/podcast/2016-029-jarrod-frates-steps/id799131292?i=1000373091447&mt=2

#YouTube:  http://www.youtube.com/attribution_link?a=p2oq6jT3Iy0&u=/watch%3Fv%3DsTc_seN-hbs%26feature%3Dem-upload_owner

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

2016-028: Cheryl Biswas discusses TiaraCon, Women in Infosec, and SCADA headaches

Jul 18, 2016 01:00:24

Description:

Long time listeners will remember Ms. Cheryl #Biswas as one of the triumvirate we had on to discuss #mainframes and mainframe #security. (http://traffic.libsyn.com/brakeingsecurity/2016-008-mainframe_secruity.mp3)

I was interested in the goings on at BlackHat/DefCon/BsidesLV, and heard about #TiaraCon (@tiarac0n on Twitter). I went to find someone involved to understand what it was all about, and Ms. Cheryl reached out. She's an #organizer and was more than happy to sit down with me to understand why it was started. This is its inaugural year, and they already have some excellent schwag and sponsors. This is not just an event for ladies, but a way of #empowering #women, creating #mentorship opportunities, and assistance for people moving into the #infosec industry.

Also, since Ms. Cheryl's loves discussing #ICS and #SCADA problems and headaches, we got into the headaches, #challenges, and maybe some 'logical' solutions to fixing SCADA vulns... but does the logical approach work in a business sense?

TiaraCon official site:  http://tiaracon.org/ 

TiaraCon Dates: Thursday Aug 4 - Friday Aug 5

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-028-Cheryl_Biswas_Tiaracon_ICSSCADA_headaches.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-028-cheryl-biswas-discusses/id799131292?i=1000372642921&mt=2

Youtube: https://www.youtube.com/watch?v=vsolDjsz5M4

 

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-027: DFIR conference, DFIR policy controls, and a bit of news

Jul 11, 2016 45:02

Description:

Mr. Boettcher is back!  We talked about his experiences with the #DFIR conference, and we get into a discussion about the gap between when incident response is and when you're using #digital #forensics. Mr. Boettcher and I discuss what is needed to happen before #incident #response is required.

We also discuss the Eleanor malware very briefly and I talk about finding Platypus, which is a way for you to create OSX packages using python/perl/shell scripts.

Platypus:  http://sveinbjorn.org/platypus

Eleanor Malware on OSX:

https://www.grahamcluley.com/2016/07/mac-malware-uses-tor-obtain-access-systems/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-027-DFIR_policy_controls.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-027-dfir-conference-dfir/id799131292?i=1000372256055&mt=2

YouTube: https://www.youtube.com/watch?v=RPN0nDGYA5c#action=share

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-026-powershell exfiltration and hiring the right pentest firm

Jul 4, 2016 01:14:55

Description:

 Adam Crompton (@3nc0d3r) and Tyler Robinson (@tyler_robinson) from Inguardians came by to fill in for my co-host this week. We talk about things a company should do to protect themselves against data exfil.

Adam then shows us a tool he's created to help automate data exfil out of an environment. It's called 'Naisho', and if you're taking the 'Powershell for Pentesters' class at DerbyCon, you'll be seeing this again, as Adam will be co-teaching this class with Mick Douglas (@bettersafetynet).

Tyler tells us about using Cobalt Strike for creating persistent connections that are more easily hidden when you are on an engagement.

 

Adam's demo can be found on our YouTube channel: https://youtu.be/rj--BfCvacY

Tyler's demo of Throwback and using Cobalt Strike can be found on our YouTube Channel:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-026-exfiltration_techniques-redteaming_vs_pentesting-and-gaining_persistence.mp3

 

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-025-Windows Registry, Runkeys, and where malware likes to hide

Jun 27, 2016 50:48

Description:

The windows registry has come a long way from it's humble beginnings in #Windows 3.11 (Windows for Workgroups).  This week, we discuss the structure of the Windows registry, as well as some of the inner workings of the registry itself.

We also discuss where are some good places to find malware, some of the key values that you can find in the #registry and their meanings. We also discuss what atomicity is and how the registry is a lot like a database in how it functions.

And no podcast about Windows #forensics should be done without talking about a tool, and our friend David #Longenecker (@dnlongen on Twitter) created a cross-platform tool that allows you to take exports of the registry and analyze them without need to be physically on the host. You can find reglister here:

http://www.securityforrealpeople.com/2015/08/introducing-new-forensics-tool-reglister.html

 

We finish up discussing our #DerbyCon giveaways and a peek at what will be a very interesting podcast next week.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-025-Windows_Registry-RunKey_artifacts-finding_where_malware_hides.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-025-windows-registry/id799131292?i=1000371465676&mt=2

 

SoundCloud: https://soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2016-024: Kim Green, on CISOaaS, the Redskins Laptop, and HIPAA

Jun 20, 2016 01:13:20

Description:

We are pleased to introduce Ms. Kim Green (Twitter: @kim1green). She is the CEO of KAZO Security, as well as the CISO/CPO of Zephyr Health, a #SaaS based #Healthcare data #analytics company.  She brings over 20 years of experience in healthcare and leadership to help small and medium business companies get help from a #CISO to assist in an advisory role.

Ms. Green also started a bug bounty program at Zephyr Health to assist them in shoring up their application, finding #vulnerabilities that their internal teams may have missed. We are going to discuss with her why they decided to make it a private bug bounty, and what was the result.

https://www.youtube.com/watch?v=GbW777t1tTA -- more about the bug bounty

We also discuss why#HIPAA seems to be so far behind in terms of being able to protect #PHI/#PII and what if anything can be done to fix it. 

http://www.darkreading.com/analytics/hipaa-not-helping-healthcares-software-security-lagging/d/d-id/1322715

We finish up discussing a recent news story about the how the National Football League (#NFL) team Washington Redskins had a trainer lose a laptop with the PII and health information on several thousand NFL players. We discuss why they did not violate HIPAA, and what if anything they did violate.

https://www.washingtonpost.com/news/dc-sports-bog/wp/2016/06/01/nfl-players-medical-records-reportedly-stolen-from-redskins-trainers-car/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-024-Kim_Green-HIPAA-CISO_as_a_service-HIPAA_maturity_redskins-laptop.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-024-kim-green-on-cisoaas/id799131292?i=1000371021883&mt=2

YouTube: https://www.youtube.com/watch?v=F9zvkeuON4I&list=PLqJHxwXNn7guMA6hnzex-c12q0eqsIV_K&index=1

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-023- DNS_Sinkholing

Jun 13, 2016 39:21

Description:

Picture yourself in the middle of a security incident... A malware infection, or you have hosts on your network are part of a botnet.  You figured out where how the malware is communicating with the command and control servers, but if you just kill the connection, the malware stop functioning.  What do you do?

In some cases, you might be able to employ a DNS #sinkhole to route traffic harmlessly to  or through a honey network that can be used to further analyze things like #infection vectors, #protocols, commands, and #network movement. You can also use #DNS sinkholing to disable the malware if certain conditions are met.

Like most tools, sinkholing can be used for good, but there are legal issues if it's used incorrectly.  We discuss some of the legalities. It won't disable all malware or exploit kits, but for some infections, this is another tool in your toolbox you can employ.

In a continuation from last week's show with Earl Carter about the #Angler #Exploit Kit, we discuss how Angler is able to bypass #EMET and #ASLR protections... https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-023-DNS_Sinkholes2.mp3

iTunes:  https://itunes.apple.com/us/podcast/2016-023-dns-sinkholing/id799131292?i=1000370572088&mt=2

YouTube: https://youtu.be/67huikA2QFg

 

Links we used to discuss sinkholing:

Basic sinkhole app using BIND: https://isc.sans.edu/forums/diary/DNS+Sinkhole+ISO+Available+for+Download/9037/

*UPDATED literally hours after I posted this show*  Version 2.0 of the DNS sinkhole ISO: https://isc.sans.edu/diary/21153

 

 

http://resources.infosecinstitute.com/dns-sinkhole

 

https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/content-inspection-features/dns-sinkholing

 

https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523

 

http://www.darkreading.com/partner-perspectives/general-dynamics-fidelis/principles-of-malware-sinkholing/a/d-id/1319769

 

Blackhole DNS servers -- http://www.malware-domains.com/   or http://www.malwaredomains.com/

http://handlers.dshield.org/gbruneau/sinkhole.htm

Malware blackhole DNS campaign (2013) - http://www.bleepingcomputer.com/forums/t/511780/dns-sinkhole-campaign-underway-for-cryptolocker/

 

http://www.darkreading.com/risk/microsoft-hands-off-nitol-botnet-sinkhole-operation-to-chinese-cert/d/d-id/1138455

 

http://someonewhocares.org/hosts//  -massive dns sinkholing list

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

images:

Image: https://www.enisa.europa.eu/topics/national-csirt-network/glossary/files/dns_sinkhole

2016-022: Earl Carter dissects the Angler Exploit Kit

Jun 6, 2016 57:40

Description:

Earl Carter spends all day researching exploit kits and using that information to protect customers from various malware payloads that spread ransomware.  This week we sit down with him to understand the #Angler EK.

He starts us off with a history or where it came from and how it gained so much popularity, evolving from earlier EKs, like #BlackHole, or WebAttacker. We even discuss how it's gone from drive-by downloads, to running only in memory, to being used in malvertising campaigns. We even get to hear about how the creators "rent" out the EK, and how they also control the malvertising side as well. Great insights into how the EK eco-system operates...

We talk about some of the vulns used by exploit kits. Contrary to popular belief, the vulns used don't always have to be 0day. Blue teamers will learn valuable insights in protecting your networks from this EK.

Direct Link:http://traffic.libsyn.com/brakeingsecurity/2016-022-earl_carter_dissects_angler_ek.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-022-earl-carter-dissects/id799131292?i=1000370105193&mt=2

 

Links referenced during the show:

Earl's slides from Bsides Austin: http://www.slideshare.net/EarlCarter3/bsides-anglerevolution-talk-60408313

http://blog.0x3a.com/post/118366451134/angler-exploit-kit-using-tricks-to-avoid-referrer

http://blogs.cisco.com/security/talos/angler-flash-0-day

http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html

https://isc.sans.edu/forums/diary/Angler+exploit+kit+pushes+new+variant+of+ransomware/19681

http://blogs.cisco.com/security/talos/angler-flash-0-day

https://hiddencodes.wordpress.com/2015/05/29/angler-exploit-kit-breaks-referer-chain-using-https-to-http-redirection/

https://heimdalsecurity.com/blog/ultimate-guide-angler-exploit-kit-non-technical-people/

 

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-021: Carbon Black's CTO Ben Johnson on EDR, the layered approach, and threat intelligence

May 29, 2016 57:38

Description:

Ben Johnson (@chicagoben on Twitter) has spent a good deal of time working on protecting client's endpoints. From his work at the NSA, to being the co-founder of Carbon Black (@carbonblack_inc).

We managed to have him on to discuss EDR (#Endpoint Detection and Response), TTP (#Tactics, Techniques, and Procedures), and #Threat #Intelligence industry.

Ben discusses with us the Layered Approach to EDR:

1. Hunting

2. Automation

3. Integration

4. Retrospection

5. Patterns of Attack/Detection

6. indicator-based detection

7. Remediation

8. Triage

9. Visibility

We also discuss how VirusTotal's changes in policy regarding sharing of information is going to affect the threat intel industry.

Ben also discusses his opinion of our "Moxie vs. Mechanisms" podcast, where businesses spend too much on shiny boxes vs. people.

Brakesec apologizes for the audio issues during minute 6 and minute 22. Google Hangouts was not kind to us :(

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-021-Ben_Johnson-Carbon_black-Threat_intelligence.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-021-carbon-blacks-cto/id799131292?i=1000369579669&mt=2

YouTube: https://youtu.be/I10R3BeGDs4

RSS: http://www.brakeingsecurity.com/rss

Show notes: https://docs.google.com/document/d/12Rn-p1u13YlmOORTYiM5Q2uKT5EswVRUj4BJVX7ECHA/edit?usp=sharing (great info)

https://roberthurlbut.com/blog/make-threat-modeling-work-oreilly-2016

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-020-College Vs. Certifications Vs. Self-taught

May 22, 2016 54:20

Description:

Dr. Matt Miller is a professor at the University of Nebraska at Kearney. We had him on to discuss a matter that seems to weigh heavily on the infosec community. What will a CS degree get you? What are you learning these days as a future code jockey? Is skipping college altogether better?

We discuss what he does to arm future developers with the tools necessary to get a job. We hear about what they also might be lacking in as well.

Dr. Miller is also spearheading a new cybersecurity degree track at his university. We discuss what it's like to head that up, and we even get into a bit of discussion on Assembly language.

ASM book used in the above class: http://www.drpaulcarter.com/pcasm/

Download here: http://www.drpaulcarter.com/pcasm/pcasm-book-pdf.zip

We also discuss free alternatives for learning out there, and how effective they are.

 

Show notes: https://docs.google.com/document/d/1Grimx_OCSURTktzM5QRKqsG9p9G5LljdleplH1DZQv4/edit?usp=sharing

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-020-College_vs_Certs_vs_self-taught.mp3


iTunes:  https://itunes.apple.com/us/podcast/2016-020-college-vs.-certifications/id799131292?i=1000369124337&mt=2


YouTube Playlist: https://www.youtube.com/playlist?list=PLqJHxwXNn7guMA6hnzex-c12q0eqsIV_K

RSS FEED: http://www.brakeingsecurity.com/rss

 

Dr. Miller's CSIT-301 course on Assembly: https://www.youtube.com/playlist?list=PLSIXOsmf9b5WxCMrt9LuOigjR9qMCRrAC

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @milhous30

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-019-Creating proper business cases and justifications

May 16, 2016 54:43

Description:

Procurement is a process. Often a long drawn out, tedious process, but it is necessary to ensure that hardware and software is going to be what works in your organization.

We go over what is necessary to make sure your procurement is as smooth as possible. Some of the topics we discuss include:

1. Aligning business goals and operational goals

2. How to discuss ROI with management

3. Getting actionable information for business requirements from affected parties

4. Steering yourself away from confirmation bias or optimism bias, and ensuring you're thinking critically when comparing the current status quo vs. a new solution

5. Information you might want to gather from potential vendors to make a more informed decision as to whether their product is the one you want

And finally, we discuss how to handle the dread vendor demos. There may be a number of them, and they are arguably the best method of knowing the software or hardware is going to work for you.

This is a topic that affects everyone, whether you are a manager, or a user of the technology involved.

We also like to remind people that our DerbyCon CTF and raffle are still going on. There is plenty of time to get involved if you want a chance to get a ticket to Derbycon 2016!

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-019-business_cases_and_justifications-final.mp3

Itunes: https://itunes.apple.com/us/podcast/2016-019-creating-proper-business/id799131292?i=1000368774135&mt=2

YouTube Link: https://youtu.be/8sWn1IYpgtY

Links referred to in the show:

http://www.ask.com/business-finance/business-justification-example-cdebe6f929949e8c

http://www.iso20022.org/documents/BJ/BJ044/ISO20022BJ_ATICA_v4_with_comments.pdf

http://klariti.com/business-case-2/business-case-justify-business-need/

https://en.wikipedia.org/wiki/Business_case

https://en.wikipedia.org/wiki/Optimism_bias

http://www.ehow.com/how_6672801_write-business-justification.html

http://www.acqnotes.com/acqnote/careerfields/establishing-software-requirements

 

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-018-software restriction policies and Applocker

May 9, 2016 01:00:01

Description:

Windows has all the tools you need to secure an OS, but we rarely use them.  One example of this is 'Software restriction policies'. Which is a method by which you can block certain files from being saved anywhere, what file types can be executed in a directory, and can even whether or not you should allow software to install.

We also discuss the use of parental controls as a cheap, easy method of restricting users to access certain websites, installing software from iTunes store, or restricting access to certain functions or applications.

Also, the 2nd clue for our CTF can be found in this podcast... see if you can find the giant clue... :)

**NOTE: We had an issue with Mr. Boettcher's Windows 10 install, he's using Windows 10 Home, which does not appear to have Applocker or Software Restriction Policy by default.  So, I cut a lot of us bickering^H^H^H^H discussing how to get it to work, so the middle around 25:00 mark will feel a tad off. Apologies... I should have stopped recording.

 

Links referred to during the podcast:

https://technet.microsoft.com/en-us/library/hh831534.aspx

http://mechbgon.com/srp/  - LOL, mentions the use of ‘parental controls’ to restrict systems

http://www.instructables.com/id/Getting-past-Software-Restriction-Policies/

http://www.itingredients.com/how-to-deploy-software-restriction-policy-gpo/

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/using-software-restriction-policies-and-applocker-policies

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-018-software_restriction_policy-applocker.mp3

#iTunes Link: https://itunes.apple.com/us/podcast/2016-018-software-restriction/id799131292?i=1000368338483&mt=2

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

 

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-017-The Art of Networking, Salted Hashes, and the 1st annual Podcast CTF!

May 2, 2016 01:02:26

Description:

You might have heard "Network when you can, not when you have to..." The art of network is creating connections and nurturing relationships that benefit everyone. This week we discuss building networks, creating people networks that allow for free sharing of ideas and knowledge. Whether it be a professional organization,like ISSA or ISC2 meetings, or you just get a bunch of people together to have coffee on a Saturday morning.

We also brainstorm ideas on how people in our community keep their skills sharp, and why some seem to allow them to atrophy once they get a specific certification or degree. We cite examples of things and actions that allow you to gain more knowledge, and to ensure your company will still see you as an SME. CPEs can be gained in the most simplest of methods. Just by listening to this podcast, for example, you can receive one CPE (1 hour = 1CPE) there are many other ways of getting them. and we cite several in this podcast.

We also discuss the continued use of unsalted, weakly hashed passwords in systems, and why a recent breach of a custom Minecraft implementation allowed it to occur.

Story: http://news.sky.com/story/1687550/minecraft-hack-exposes-seven-million-passwords

But I think the most exciting part of the podcast is theannouncement of the 1st annual Brakeing Down Security PodcastCTF!The details can be found in the podcast.

 Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-017-Networking-Podcast_CTF-salted_hashes.mp3

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#iTunes: https://itunes.apple.com/us/podcast/2016-017-art-networking-salted/id799131292?i=367885714&mt=2

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-016-Exploit Kits, the "Talent Gap", and buffer overflows

Apr 25, 2016 01:00:14

Description:

Angler, Phoenix, Zeus... all famous exploit kits that are used to move malware into your environment. This week, Mr. Boettcher and I discuss the merits of Exploit kits, how they function and what can be done to stop them. They are only getting more numerous and they will be serving more malware to come.

We shift gears and discuss the 'talent gap' the media keeps bringing up, and whether it's perceived or real. We discuss the industry as a whole, and what caused the gap, and if it will get better...

*BONUS*... after the audio, listen to me (Bryan) failing at understanding buffer overflow exercises I'm doing as part of my #OSCP certification...

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-016.-Exploit_kits_Talent_Gaps_and_buffer_overflows.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-016-exploit-kits-talent/id799131292?i=367465364&mt=2

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-015-Dr. Hend Ezzeddine, and changing organizational security behavior

Apr 16, 2016 01:10:44

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-015-Dr._Hend_Ezzeddine_and_finding_security_training_that_works.mp3

iTunes Link: https://itunes.apple.com/us/podcast/2016-015-dr.-hend-ezzeddine/id799131292?i=366936677&mt=2

Dr. Ezzeddine's slides from Bsides Austin (referenced during the interview): https://drive.google.com/file/d/0B-qfQ-gWynwiQnBXMnJVeko4M25pdk1Sa0JnMGJrZmltWlRr/view?usp=sharing

You open the flash animation, click click click, answer 10 security questions that your 5 year old could answer, get your certificate of completion... congratulations, you checked the compliance box...

But what did you learn in that training? If you can't remember the next day, maybe it's because the training failed to resonate with you?

Have you ever heard red team #pentester say that the weakest link in any business is not the applications, or the hardware, but the people? If they can't find a vulnerability, the last vulnerability is the people. One email with a poisoned .docx, and you have a shell into a system...

Targeted trainings, and the use of certain styles of #training (presentations, in-person, hand puppets, etc) can be more effective for certain groups. Also, certain groups should have training based on the threat they might be susceptible to...

Dr. Hend #Ezzeddine came by this week to discuss how she helps #organizations get people to understand security topics and concepts, to create a positive security culture. Maybe even a culture that will not click on that attachment...

 

**If you are planning on attending "Hack In The Box" in Amsterdam, The Netherlands on 23-27 May 2016, you can receive a 10% discount by entering 'brakesec' at checkout.

Get more information at the "Hack In The Box" conference by visiting:

http://conference.hitb.org/hitbsecconf2016ams/

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake @hackerhurricane

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-014-User_Training,_Motivations,_and_Speaking_the_Language

Apr 8, 2016 41:17

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-014-User_Training_Motivation_and_Languages.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-014-user-training-motivations/id799131292?i=366433676&mt=2

Fresh back from my vacation, Mr. Boettcher and I got to discussing things that have weighed on our minds, and I had a story from my travels that fit in perfectly with our discussion.

What does our industry (Infosec Practitioners) to motivate people to be secure? Is it a language barrier? I don't mean Spanish/English, but do we do a good job at speaking "user"? How can we do a better job at that if we find ourselves failing? How can speaking 'manager' or 'VP' help us get help that we need? For many, it's like the difference in communicating with someone who speaks Mandarin.

We discussed the need to educate people against thumbdrive insertion, even in the face of a study of people inserting random thumbdrives into their computers. We discuss the motivation of users who do so, whether it's altruistic, or malicious:

http://www.pc-tablet.co.in/2016/04/07/25826/study-shows-users-access-random-pendrives-computers-overlooking-risk/

We discussed an app logic flaw that were found recently in the news:

http://www.digitaltrends.com/mobile/free-pizza/

Which is exactly what we were talking about when talking to Ben Caudill a few weeks ago about app logic flaws. This flaw has been in the app for a good long time, and while the security researcher saw fit to report it, the ethical implications of keeping it secret could have cost Domino's a lot.

Mr. Boettcher gives us a report of Bsides Austin, and how it's grown in the past few years. We finish up discussing infosec conferences and how they appear to be thriving. Is it good marketing, or are companies finally understanding their importance?

**If you are planning on attending "Hack In The Box" in Amsterdam, The Netherlands on 23-27 May 2016, you can receive a 10% discount by entering 'brakesec' at checkout.

Get more information at the "Hack In The Box" conference by visiting:

http://conference.hitb.org/hitbsecconf2016ams/

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake @hackerhurricane

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2016-013-Michael Gough, the ISSM reference model, and the 5 P's

Mar 26, 2016 58:52

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-013-michael_gough-the_5_Ps.mp3

iTunes: https://itunes.apple.com/us/podcast/2015-013-michael-gough-issm/id799131292?i=365622423&mt=2

We discuss a model that Michael Gough used while he was at HP. The Information Security and Service Management (ISSM) Reference model can be used to help companies align their IS and IT goals with the businesses goals... If you've been a listener of our podcast for a while now, you might have heard our 2-part podcast on ITIL with Tim Wood, which is a service based solution to enable your IT and infosec initiatives to also align with your business needs.

From the ISSM whitepaper:

"organizations need to build and run an integrated service management system that addresses security and risk management as well as the regulatory compliance imposed on the agency while ensuring that agreed services are provided to internal and external customers and managed end-to-end.

For agencies and organizations to achieve meaningful service outcomes, technology and agency decision makers need to align their goals and strategies more closely while dealing with an increasing amount of technologies, threats, and regulatory compliance requirements."

We discuss the idea of the "5 P's", which are "Policy, Process, People, Products (or technology), and Proof", and how they are important to the implementation of the #ISSM reference model

Finally, we discuss a typical engagement using the ISSM model. Creation of the 7 Core components and additional using a maturity model to self-assess your company in an effort to show transparency to your internal processes.

Important links:

http://www8.hp.com/h20195/V2/getpdf.aspx/4AA2-2350ENW.pdf?ver=1.0

http://www.digitalgovernment.com/media/Downloads/asset_upload_file772_2477.pdf

https://en.wikipedia.org/wiki/Information_security_management_system

http://www.davebolick.com/SampleNewsletterHPFinancialAdvisor.pdf

http://media.govtech.net/HP_RC_08/Security_RC/ISSM_for_SLG.pdf

Integrating ITIL into infosec: http://traffic.libsyn.com/brakeingsecurity/2015-018-Integrating_infosec_with_ITIL.mp3

http://traffic.libsyn.com/brakeingsecurity/2015-017_ITIL_and_infosec.mp3

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake @hackerhurricane

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

#cobit, #cmmi, #maturity model, #ISSM, #ITIL, #Service, #management, #reference model, #ISO, #27002, #27001, CISSP, #podcast, #infosec, #compliance

2016-012-Ben Caudill on App Logic Flaws, and Responsible Disclosure

Mar 19, 2016 51:47

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-012-Ben_Caudill-Application_Logic_Flaws.mp3

Itunes: iTunes: https://itunes.apple.com/us/podcast/2016-012-ben-caudill-on-app/id799131292?i=365094523&mt=2

Ever bought "-1" of an item on a retail site? Or was able to bypass key areas of an application and get it bypass authentication, or you were able to bypass a paywall on a site?

Application logic flaws are often insidious and not easy to find. they require often a bit of work to bypass, and are often missed by testing groups with rigid test plans, as they violate the flow of an application. "Why would they do that? That doesn't make any sense..." often precludes the finding of an application logic flaw.

This week, we interview Ben Caudill from Rhino Security, who discussed a logic flaw that could be used to de-anonymize someone by creating fake profiles..

We then discuss how Ben went through contacting the company, what happened after initial disclosure, and how it was fixed.

http://www.geekwire.com/2014/hack-popular-app-secret-seattle-hackers-show-digital-security-always-beta/

http://www.theguardian.com/technology/2014/aug/26/secret-app-cyberbullying-security-hackers

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

#infosec, #podcast, #CISSP, #CPEs, #vulnerability #disclosure, #responsible #disclosure, #application #security, #logic #flaws, Ben #Caudill, #Rhino #Security

2016-011-Hector Monsegur, deserialization, and bug bounties

Mar 14, 2016 01:12:26

Description:

Download Here: http://traffic.libsyn.com/brakeingsecurity/2016-011-Hector_Monsegur-bug_bounties-serialization.mp3

iTunes Direct Link: https://itunes.apple.com/us/podcast/2016-011-hector-monsegur-serialization/id799131292?i=364768504&mt=2

Hector Monsegur has had a colorful history. A reformed black hat who went by the name 'Sabu' when he was involved in the hacker collectives "Lulzsec" and "Anonymous", he turned state's evidence for the FBI, working to stop further hacking attempts by the same people he was working with.

https://en.wikipedia.org/wiki/Hector_Monsegur

This week, we got to sit down with Hector, to find out what he's been doing in the last few years. Obviously, a regular job in the security realm for a large company is not possible for someone with a colorful past that Mr. Monsegur has. So we discuss some of the methods that he's used to make ends meet.

Which brings us to the topic of bug bounties. Do they accomplish what they set out to do? Are they worth the effort companies put into them? And how do you keep bounty hunters from going rogue and using vulnerabilities found against a company on the side?

In an effort to satisfy my own curiosity, I asked Hector if he could explain what a 'deserialization' vulnerability is, and how it can be used in applications. They are different than your run of the mills, every day variety OWASP error, but this vulnerability can totally ruin your day...

https://www.contrastsecurity.com/security-influencers/java-serialization-vulnerability-threatens-millions-of-applications

https://securityintelligence.com/one-class-to-rule-them-all-new-android-serialization-vulnerability-gives-underprivileged-apps-super-status/

Finally, we ask Hector some advice for that 'proto black hat' who is wanting to head down the road that Hector went. The answer will surprise you...

We hope you enjoy this most interesting interview with a enigmatic and controversial person, and hope that the information we provide gives another point of view into the mind of a reformed "black hat" hacker...

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

#infosec, #blackhat, hector #monsegur, #hacker, #anonymous, #lulzsec, #FBI, #Sabu, #deserialization, #bug #bounties, #hackerone, #bugcrowd, #podcast, #de-serialization, #penetration tests, #social #engineering, #CISSP

2016-010-DNS_Reconnaissance

Mar 7, 2016 49:54

Description:

DNS... we take it for granted... it's just there. And we only know it's broken when your boss can't get to Facebook. 

This week, we discuss the Domain Naming System (DNS). We start with a bit of history, talking about the origins of DNS, some of the RFCs involved in it's creation, how it's hierarchical structure functions to allow resolution to occur, and even why your /etc/hosts is important. 

We discuss some of the necessary fields in your DNS records. MX, ALIAS, CNAME, SOA, TXT, and how DNS is used for non-repudiation in email.

We also touch on how you can use DNS to enumerate an external network presence when you are the red team, and what you should know about to make it harder for bad actors to not use your external DNS in amplification attacks.

Finally, you can't have a discussion about DNS without talking about how to secure your DNS implementation. So we supply you with a few tips and best practices. 

Plenty of informational links down below, including links to the actual RFCs (Request for Comment) which detail how DNS is supposed to function. Think of them as the owner's manual for your car.

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-010-DNS_Reconnaissance.mp3

#iTunes: https://itunes.apple.com/us/podcast/2016-010-dns-reconnaissance/id799131292?i=364331694&mt=2

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

 

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

Podcast Links we used for information:

http://www.slideshare.net/BizuworkkJemaneh/dns-42357401

300+ million domains registered: https://www.verisign.com/en_US/internet-technology-news/verisign-press-releases/articles/index.xhtml?artLink=aHR0cDovL3ZlcmlzaWduLm13bmV3c3Jvb20uY29tL2FydGljbGUvcnNzP2lkPTIwMTIwNTI%3D

https://technet.microsoft.com/en-us/library/cc770432.aspx

http://security-musings.blogspot.com/2013/03/building-secure-dns-infrastructure.html

http://tldp.org/HOWTO/DNS-HOWTO-6.html

https://en.wikipedia.org/wiki/Domain_Name_System

https://en.wikipedia.org/wiki/DNS_spoofing

http://www.esecurityplanet.com/network-security/how-to-prevent-dns-attacks.html

http://www.firewall.cx/networking-topics/protocols/domain-name-system-dns/161-protocols-dns-response.html

http://www.thegeekstuff.com/2012/05/ettercap-tutorial/

https://isc.sans.edu/forums/diary/New+tricks+that+may+bring+DNS+spoofing+back+or+Why+you+should+enable+DNSSEC+even+if+it+is+a+pain+to+do/16859/

https://support.google.com/a/answer/48090?hl=en

http://www.ecsl.cs.sunysb.edu/tr/TR187.pdf

https://tools.ietf.org/html/rfc882

https://tools.ietf.org/html/rfc883

https://tools.ietf.org/html/rfc1034

https://tools.ietf.org/html/rfc1035

 

2016-009-Brian Engle, Information Sharing, and R-CISC

Feb 29, 2016 01:05:57

Description:

We've reached peak "Br[i|y]an" this week when we invited our friend Brian Engle on to discuss what his organization does. Brian is the Executive Director of the Retail Cyber Intelligence Sharing Center. 

"Created by retailers in response to the increased number and sophistication of attacks against the industry, the R-CISC provides another tool in retailers’ arsenal against cyber criminals by sharing leading practices and threat intelligence in a safe and secure way." -- R-CISC website

To learn more, visit https://r-cisc.org/  

We discussed with Brian a bit of the history of the #R-CISC, and why his organization was brought into being. We ask Brian "How do you get companies who make billions of dollars a year to trust another competitor enough to share that they might have been compromised?" "And how do you keep the information sharing generic enough to not out a competitor by name, but still be actionable enough to spur members to do something to protect themselves?"

Other links:

Veris framework Mr. Boettcher mentions: http://veriscommunity.net/

TAXII protocol: https://taxiiproject.github.io/

STIX https://stixproject.github.io/

https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari

https://www.paloaltonetworks.com/company/press/2015/palo-alto-networks-joins-the-retail-cyber-intelligence-sharing-center-in-newly-launched-associate-member-program.html

http://www.darkreading.com/cloud/r-cisc-the-retail-cyber-intelligence-sharing-center-signs-strategic-agreement-with-fs-isac-to-leverage-services-and-technologies-for-growth/d/d-id/1320363

 

 

Comments, Questions, Feedback: bds.podcast@gmail.com

 

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-009-brian_engle_rcisc_information_sharing.mp3

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

iTunes: https://itunes.apple.com/us/podcast/2016-009-brian-engle-information/id799131292?i=364002695&mt=2

#actionable, #brian, #engle, #cissp, #cpes, #data, #financial, #infections, #isac, #malware, #podcast, #rcisc, #retail, #security, #infosec, #threat #intelligence

 

Photo of Brian Engle courtesy of https://r-cisc.org

 

**I (Bryan) apologize for the audio. I did what I could to clean it up. Seriously don't know what happened to screw it up that badly. I can only imagine it was bandwidth issues on my Skype connection**

2016-008-Mainframe Security

Feb 22, 2016 01:47:02

Description:

This week's super-sized episode is brought to us thanks to previous guest Cheryl Biswas. You might remember her from our "Shadow IT" (http:/brakeingsecurity.com/2015-048-the-rise-of-the-shadow-it) podcast a few months ago. She reached out to us to see if we were interested in doing a podcast on mainframe security with her and a couple of gentlemen that were not unknown to us.

Of course we jumped at the chance! You might know them as @mainframed767 and @bigendiansmalls (Chad) on Twitter. They've been trying to get people to be looking into mainframes and mainframe security for years. Mainframes are usually used by financial organizations, or older organizations. In many cases, these systems are managed by a handful of people, and you will have little or no help if you are a red teamer or pentester to make sure these systems are as secured as they possibly can.

So, Cheryl (@3ncr1pt3d), @bigendiansmalls, and @mainframed767 (Philip) walk us through how a mainframe functions. We discuss what you might see when a scan occurs, that if runs a mainframe OS, and a Linux 'interface' OS.

We also discuss methods you can use to protect your organization, and methods you can use as a redteamer to learn more about mainframes.

Chad's talk at DerbyCon 2015: https://www.youtube.com/watch?v=b5AG59Y1_EY

Chad discussing mainframe Security on Hak5: https://www.youtube.com/watch?v=YBhsWvlqLPo

Linux for mainframes: http://www-03.ibm.com/systems/linuxone/

Philip's talks on Youtube: https://www.youtube.com/playlist?list=PLBVy6TfEpKmEL56fb5AnZCM8pXXFfJS0n

 

Brian and I wish to thank Cheryl for all her help in making this happen. You can find her blog over at Alienvault's site... https://www.alienvault.com/blogs/author/cheryl-biswas

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Tumblr: http://brakeingdownsecurity.tumblr.com/

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast

 

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-008-mainframe_secruity.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-008-mainframe-security/id799131292?i=363392103&mt=2

 

2016-007-FingerprinTLS profiling application with Lee Brotherston

Feb 14, 2016 01:11:07

Description:

We first heard about FingerprinTLS from our friend Lee Brotherston at DerbyCon last September. Very intrigued by how he was able to fingerprint client applications being used, we finally were able to get him on to discuss this. 

We do a bit of history about #TLS, and the versions from 1.0 to 1.2

Lee gives us some examples on how FingerprintTLS might be used by red teamers or pentest agents to see what applications a client has on their system, or if you're a blue team that has specific application limitations, you can find out if someone has installed an unauthorized product, or you could even block unknown applications using this method by sensing the application and then creating an IPS rule from the fingerprint.

Finally, something a bit special... we have a demo on our Youtube site that you can view his application in action! 

Video demo: https://youtu.be/im6un0cB3Ns

 

 

https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie-Hellman_Key_Exchange.svg/2000px-Diffie-Hellman_Key_Exchange.svg.png

http://blog.squarelemon.com/tls-fingerprinting/

https://github.com/LeeBrotherston/tls-fingerprinting

http://www.slideshare.net/LeeBrotherston/tls-fingerprinting-sectorca-edition

https://www.youtube.com/watch?v=XX0FRAy2Mec

http://2015.video.sector.ca/video/144175700

Cisco blog on malware using TLS... http://blogs.cisco.com/security/malwares-use-of-tls-and-encryption

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Tumblr: http://brakeingdownsecurity.tumblr.com/

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast

iTunes: https://itunes.apple.com/us/podcast/2016-007-fingerprintls-profiling/id799131292?i=362885277&mt=2

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-007-FingerprinTLS_with_Lee_Brotherston.mp3

2016-006-Moxie_vs_Mechanism-Dependence_On_Tools

Feb 8, 2016 54:06

Description:

This week starts with an apology to Michael Gough about comments I (Bryan) mangled on the "Anti-Virus... What is it good for?" podcast. Then we get into the meat of our topic... a person's "Moxie" vs. a mechanism

Moxie: noun 

 "force of character, determination, or nerve."

 

Automation is a great thing. It allows us to do a lot more work with less personnel, run mundane tasks without having to think about them, and even allow us to do security scans on web applications and assets in your enterprise.

But is our dependence on these tools making us lazy, or giving us a false sense of security? What is the 'happy medium' that we should find when deciding to spend the GDP of a small country for the latest compliance busting tool, or spend the necessary Operational Expenditure (OpEx) for a couple of junior personnel or a seasoned professional.

Mr. Boettcher and I discuss over-reliance, blindly trusting results, and what can happen when you have too much automation, and not enough people around to manage those tools.

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Tumblr: http://brakeingdownsecurity.tumblr.com/

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-006-Moxie_vs_Mechanism-dependence_on_tools.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-006-moxie-vs-mechanism/id799131292?i=362373544&mt=2

Brakeing Down Security interviewed on "Building a Life and Career in Security" podcast!

Feb 4, 2016

Description:

After we interviewed Jay Schulman on our podcast, Mr. Boettcher and I did his podcast!  Listen to both of us share our bios and learn how Mr. Boettcher and I met, and how our unorthodox ways of getting into information security can show that anyone can move into that space...

https://www.jayschulman.com/episode15/

 

Jay has conducted other interviews with some great people, and he creates some great blog posts. Please check out his site at https://www.jayschulman.com

You can also hear our discuss BSIMM and learn a bit more about Jay from our podcast as well...

http://brakeingsecurity.com/2016-001-jay-schulmann-explains-bsimm-usage-in-the-sdlc

2016-005-Dropbox Chief of Trust and Security Patrick Heim!

Jan 30, 2016 46:38

Description:

Brakeing Down Security had the pleasure of having Patrick Heim join us to discuss a number of topics.

We discussed a number of topics:

Cloud migrations

What stops many traditional #companies from moving into #cloud based operations? What hurdles do they face, and what are some pitfalls that can hamper a successful #migration?

We touched briefly on #BYOD and the use of personal devices in a business environment, as well as #Dropbox's deployment of optional #2FA and using #U2F keys for additional #authentication measures.

Finally, as an established leader in several major #companies, we pick Mr. #Heim's brain about qualities of a leader. Can you self-diagnose if you'll be a good manager? And what does Mr. Heim look for when hiring qualified candidates.

It was a pleasure having Mr. Patrick Heim on and Brakeing Down #Security thanks him for his valuable time.

Some #articles we drew upon for questions to ask Mr. Heim:

http://blogs.wsj.com/cio/2015/05/01/dropbox-is-not-part-of-security-problem-says-new-security-chief/

http://www.itpro.co.uk/cloud-storage/24894/dropbox-users-may-get-free-storage-if-they-adopt-stronger-security

http://www.computerworld.com/article/2489977/security0/boost-your-security-training-with-gamification-really.html

http://www.computerworlduk.com/news/cloud-computing/dropbox-working-on-fido-keys-ensure-top-notch-security-3618267/

http://www.darkreading.com/operations/building-a-winning-security-team-from-the-top-down/a/d-id/1322734

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Tumblr: http://brakeingdownsecurity.tumblr.com/

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast

#iTunes: https://itunes.apple.com/us/podcast/2016-005-dropbox-chief-trust/id799131292?i=361604379&mt=2

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-005-Dropbox_Chief_of_Security_and_Trust_Patrick_Heim.mp3

Partick Heim image courtesy of darkreading.com

2016-004-Bill_Gardner

Jan 24, 2016 01:19:06

Description:

BrakeSec Podcast welcomes Bill Gardner this week! Author, InfoSec Convention Speaker, and fellow podcaster...

We break a bit from our usual rigid methods, and have a good ol' jam session with Bill this week. We talk about vulnerability management, career management, the troubles of putting together a podcast and more!

 

Bill's Twitter: https://www.twitter.com/oncee

Bill's books he's authored or co-authored: http://www.amazon.com/Bill-Gardner/e/B00MZ9P0IG/ref=sr_ntt_srch_lnk_2?qid=1453607145&sr=1-2

(non-sponsored link)

Bill's "Reboot It" Podcast: http://www.rebootitpodcast.com/

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

 

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-004-Bill_Gardner.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-004-bill-gardner/id799131292?i=361222239&mt=2

2016-003-Antivirus (...what is it good for... absolutely nothing?)

Jan 18, 2016 54:34

Description:

#Anti-virus products... they have been around for as long as many of us have been alive. The first anti-virus program, "The Reaper" was designed to get rid of the first virus 'The Creeper' by Ray Tomlinson in 1971.

This week, we discuss the efficacy of anti-virus. Is it still needed? What should blue teamers be looking for to make their anti-virus work for them.  And what options do you have if you don't want to use anti-virus?

We also argue about whether it's just a huge industry selling snake oil that is bolstered by #compliance #frameworks, like #PCI?

#mcafee,#symantec,#panda,#avg,#kaspersky,#logging,#siem 

*NEW* we are on Stitcher!: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/

BrakeSec #Podcast #Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-003-AntiVirus_what_is_it_good_for.mp3

Itunes:https://goo.gl/Jk3CxU

 

2016-002-Cryptonite- or how to not have your apps turn to crap

Jan 11, 2016 01:03:15

Description:

This week, we find ourselves understanding the #Cryptonite that can weaken devs and software creators when dealing with #cryptographic #algorithms and #passwords. Lack of proper crypto controls and hardcoded passwords can quickly turn your app into crap.

Remember the last time you heard about a hardcoded #SSH private key, or have you been at work when a developer left the #API keys in his #github #repo?

We go through some gotchas from the excellent book "24 Deadly Sins of Software Security". Anyone doing a threat analysis, or code audit needs to check for these things to ensure you don't end up in the news with a hardcoded password in your home router firmware, like these guys: https://securityledger.com/2015/08/hardcoded-firmware-password-sinks-home-routers/

 

Book:

http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751

Show Notes:

https://docs.google.com/document/d/1MUPj8CCzDodik61_1K8lCKywkv0JbfBkve20rxwbmzE/edit?usp=sharing

*NEW* we are on Stitcher!: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-002-Cryptonite.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-002-cryptonite-or-how/id799131292?i=360440391&mt=2

 

2016-001: Jay Schulmann explains how to use BSIMM in your environment

Jan 4, 2016 01:02:17

Description:

#Jay #Schulman is a consultant with 15+ years of experience in helping organizations implementing #BSIMM and other compliance frameworks.  For our first #podcast of 2016, we invited him on to further discuss and how he has found is the best way to implement it into a company's #security #program.

 

Jay Schulman's #website: https://www.jayschulman.com/

Jay's Podcast "Building a Life and Career in Security" (iTunes): https://itunes.apple.com/us/podcast/building-life-career-in-security/id994550360?mt=2&ls=1

Jay's Twitter: https://twitter.com/jschulman

 

 

TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

iTunes Link: https://itunes.apple.com/us/podcast/2016-001-jay-schulmann-explains/id799131292?i=360028388&mt=2

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-001-JaySchulman-BSIMM.mp3

2015-054: Dave Kennedy

Dec 28, 2015 51:53

Description:

Dave Kennedy does a lot for the infosec community. As owner/operator of 2 companies (Binary Defense Systems and Trusted Security), he also is an organizer of #DerbyCon and active contributor to the Social Engineering ToolKit (#SET).  You can also find him discussing the latest hacking attempts and breaches on Fox News and other mainstream media outlets.

But this time, we interview Dave Kennedy because he has been elected to the ISC2 board. He will be serving a 3 year term with Wim Remes (who we interviewed a couple of weeks ago) and others to improve #ISC2 processes, and to make #CISSP and other certs more competitive in the #infosec/IT community.

And yes... we find out about what is going on with DerbyCon and get some updates with what will happen in the next DerbyCon.

 

iTunes Link: https://itunes.apple.com/us/podcast/2015-054-dave-kennedy/id799131292?i=359677576&mt=2

TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

2015-053: 2nd annual podcaster party

Dec 22, 2015 01:17:43

Description:

This week, we went off the tracks a bit with our friends at Defensive Security Podcast, and PVC Security Podcast. We discussed a bit of news, talked about how our podcasts differ from one another, the 'lack of infosec talent', and sat around talking about anything we wanted to.

Sit back with some eggnog, and let your ears savor the sounds of the season.  Many thanks to Andrew Kalat, Jerry Bell, Edgar Rojas, Paul Jorgensen, and co-host Brian Boettcher for getting together for some good natured fun.

WARNING: There is adult language, and themes, so if you have little ones around, you might want to skip this one until after bedtime.

Happy Holidays from Brakeing Down Security Podcast.

2015-052: Wim Remes-ISC2 board member

Dec 17, 2015 46:52

Description:

I got a hold of Mr. Wim Remes, because he was elected to the ISC board in November 2015.  Recent changes to the CISSP included changing the long-standing 10 domains down to 8 domains, plus a major revamp to all of them.

I wanted to know what Mr. Remes' plans were for the coming term, how the board works, and how organizations like ISC2 drive change in the industry. I also asked Wim how he is trying to ensure that CISSP and the other certs are going to remain current and competitive.

This is a great interview if you're looking to get your #CISSP or any other ISC2 cert, or you currently have an #ISC2 #certification and want to get knowledge of the workings of ISC2 and the board.

 

Mr. #Remes' Twitter: @wimremes

ISC2 official site: http://www.isc2.org

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-052-wim_remes-isc2.mp3

iTunes: https://itunes.apple.com/us/podcast/2015-052-wim-remes-isc2-board/id799131292?i=359103338&mt=2

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

2015-051-MITRE's ATT&CK Matrix

Dec 10, 2015 48:23

Description:

#MITRE has a Matrix that classifies the various ways that your network can be compromised. It shows all the post-exploitation categories from 'Persistence' to 'Privilege Escalation'. It's a nice way to organize all the information.

This week, Mr. Boettcher and I go over "#Persistence" and "#Command and #Control" sections of the Matrix. 

Every person who attacks you has a specific method that they use to get and keep access to your systems, it's as unique as a fingerprint. Threat intelligence companies call it TTP (#Tactics, #Techniques, and #Procedures), we also discuss the Cyber #KillChain, and where it came from.

#ATT&CK Matrix: https://attack.mitre.org/wiki/Main_Page

Tactics, Techniques, and Procedures (shows patterns of behavior) https://en.wikipedia.org/wiki/Terrorist_Tactics,_Techniques,_and_Procedures

http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf -- Cyber Kill Chain paper that inspired the ATT&CK Matrix

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-051-ATTACK_Matrix.mp3

iTunes: https://itunes.apple.com/us/podcast/2015-051-mitres-att-ck-matrix/id799131292?i=358670845&mt=2

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

2015-049-Can you achieve Security Through Obscurity?

Dec 4, 2015 42:19

Description:

That's the question many think is an automatic 'yes'.  Whether your Httpd is running on port 82, or maybe your fancy #wordpress #module needs some cover because the code quality is just a little lower than where it should be, and you need to cover up some cruft

This week, Mr. Boettcher and I discuss reasons for obscuring for the sake of #security, when it's a good idea, and when you shouldn't #obscure anything (hint: using #ROT-14, for example)

#encryption #infosec

Show Notes:  https://docs.google.com/document/d/1PioC2hnQHhm5Xd1SCT4ewvZmZiLcE5pGQuif4Tuk_zE/edit?usp=sharing

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-049-Security_by_Obscurity.mp3

Mr. Boettcher's Twitter: http://www.twitter.com/boettcherpwned

Bryan's Twitter: http://www.twitter.com/bryanbrake

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

2015-048: The rise of the Shadow... IT!

Nov 27, 2015 43:52

Description:

Cheryl Biswas gave a great talk last month at Bsides Toronto.  I was intrigued by what "Shadow IT" and "Shadow Data" means, as there appears to be some disparity. Why can't you write policy to enforce standards? As easy as it sounds, it's quickly becoming a reason young talented people might skip your company. Who wants to use Blackberries and Gateway laptops, when sexy new MacBook Airs and iPhone 6S exist?

This also leads to the issue of business data being put on personal devices, which as anyone knows can cause a whole host of additional issues. Malware installed on personal devices can make for sharing business secrets a cinch.

So, while Mr. Boettcher was working, I managed to wrangle a quick interview with Cheryl out of her offices in Toronto, Ontario.

Cheryl gave us some great audio, and when you're done, you can watch her Bsides Toronto talk.  

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-048-Cheryl_Biswas_Shadow_IT.mp3

iTunes Link: https://itunes.apple.com/us/podcast/2015-048-rise-shadow...-it!/id799131292?i=357889684&mt=2

Cheryl's Twitter: https://www.twitter.com/3ncr1pt3d

Cheryl's BsidesTO talk: https://www.youtube.com/watch?v=q0pNWpWFKBc

 

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

2015-047-Using BSIMM framework to measure the maturity of your software security lifecycle

Nov 21, 2015 46:45

Description:

Business Security in Maturity Model (#BSIMM) is a #framework that is unique in that it gives your company a measuring stick to know how certain industry verticals stack to yours...

We didn't want to run through all 4 sections of the BSIMM, so this time, we concentrated on the #software #security standards, the "Deployment" section specifically...

BSIMMV6 download (just put junk in the fields, and download ;) ): https://www.bsimm.com/download/

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-047_BSIMM.mp3

iTunes: https://itunes.apple.com/us/podcast/2015-047-using-bsimm-framework/id799131292?i=357545342&mt=2

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

 

 

 

2015-046: Getting Security baked in your web app using OWASP ASVS

Nov 11, 2015 36:48

Description:

During our last podcast with Bill Sempf (@sempf), we were talking about how to get developers to understand how to turn a vuln into a defect and how to get a dev to understand how vulns affect the overall quality of the product.

 

During our conversation, a term "ASVS" came up. So we did a quick and dirty session with Bill about this.  It's a security #requirements #document that ensures that projects that are being scoped out are meeting specific security requirements. This can be a valuable ally when your company is creating products or software applications. Bill explains with us this week exactly how you incorporate this into your Secure #SDLC #lifecycle

 

#project #management #security #architect

Direct Link: http://traffic.libsyn.com/brakeingsecurity/sempf2.mp3

iTunes Link: https://itunes.apple.com/us/podcast/2015-046-getting-security/id799131292?i=356958476&mt=2

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Bill's Bside Columbus talk on ASVS: http://www.irongeek.com/i.php?page=videos/bsidescolumbus2015/defense00-got-software-need-a-security-test-plan-got-you-covered-bill-sempf

Bill's Blog: http://www.sempf.net

Bill's Twitter: http://www.twitter.com/sempf

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

2015-045: Care and feeding of Devs, podcast edition, with Bill Sempf!

Nov 5, 2015 46:26

Description:

When you receive a #pentest or vuln scan report, we think in terms of #SQLi or #XSS. Take that report to your dev, and she/he sees Egyptian hieroglyphics and we wonder why it's so difficult to get devs to understand.

It's a language barrier folks. They think terms of defects or how something will affect the customer experience. We think in terms of #vulnerabilities, and what caused the issue. We need to find that common ground, and often, that will mean us heading into unfamiliar territory. It doesn't have to be 'us vs. them'. We are supposed to be a team. 

Join us this week as we discuss that very topic with Bill #Sempf. Bill has spent nearly 25 years doing software development and security, working as an independent contractor for dozens of companies on hundreds of #software #projects. He helps us figure out how to speak 'dev', and to develop a mindset that will ensure you can get the most out of interactions with developers and coders.

Show notes: http://brakeingsecurity.com/2015-045-care-and-feeding-of-devs-podcast-edition-with-bill-sempf

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-045_Bill_Sempf-care_and_feeding_of_devs.mp3

Itunes: https://itunes.apple.com/us/podcast/2015-045-care-feeding-devs/id799131292?i=356366452&mt=2

Bill's #DerbyCon Talk "#Developers: Care and Feeding":

http://www.irongeek.com/i.php?page=videos/derbycon5/teach-me11-developers-care-and-feeding-bill-sempf

Bill's Blog: https://sempf.net/

Bill's Twitter: http://www.twitter.com/sempf

Check us out using the #TuneIn App!: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

#RSS: http://www.brakeingsecurity.com/rss

 

2015-044-A MAD, MAD, MAD, MAD Active Defense World w/ Ben Donnelly!

Oct 30, 2015 55:48

Description:

It's a madhouse this week! We invited Ben Donnelly (@zaeyx) back to discuss a new software framework he's crafted, called #MAD Active Defense. Ben wants to make Active Defense simple enough for even the busiest blue teamer.

The interface takes it design from other well known #software frameworks, namely #Metasploit, #REcon-ng, and even a bit of #SET, he said.

We even did a quick demo of MAD, discussed the tenets of #Active #Defense, and talked about a little skunkworks project of Ben's that you will find enjoyable.

Direct Link: http://brakeingsecurity.com/2015-044-a-mad-mad-mad-mad-world-with-ben-donnelly

Promethean Security MAD GitHub: https://github.com/PrometheanInfoSec/MAD

Demo Video (~110MB): http://traffic.libsyn.com/brakeingsecurity/MAD_Ben_edited.mkv

Backup Demo Download (gDrive) site (~110MB): https://goo.gl/FtWlCM

Check us out using the TuneIn App!: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

RSS: http://www.brakeingsecurity.com/rss

#activeDefense #blueTeam #intrusionDefense #benDonnelly

 

2015-043: WMI, WBEM, and enterprise asset management

Oct 22, 2015 44:55

Description:

WMI (Windows Management Instrumentation) has been a part of the Windows Operating system since Windows 95. With it, you can make queries about information on hosts, locally and even remotely.

Why are we talking about it? It's use in the enterprise and by admins is rarely used, but it's use in moving laterally by bad actors is growing in it's use.  It's highly versatile, able to be scripted, and can even be used to cause triggers for when other programs run on a system. 

Mr. Boettcher and I sit down and discuss the functions of #WMI, it's history, what classes and objects are, and ways you can leverage WMI to make your admins job much easier.

#assetmanagement #remotemanagement #wbem #wmi #windows

DerbyCon WMI talk: http://www.irongeek.com/i.php?page=videos/derbycon5/break-me12-whymi-so-sexy-wmi-attacks-real-time-defense-and-advanced-forensic-analysis-matt-graeber-willi-ballenthin-claudiu-teodorescu

Wbemtest: http://blogs.technet.com/b/chad/archive/2012/03/08/tip-45-wbemtest-the-underappreciated-tool.aspx

WMI documentation: https://msdn.microsoft.com/en-us/library/aa384642(v=vs.85).aspx

TuneIn podcast Link: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

RSS: http://www.brakeingsecurity.com/rss

 

Show notes

2015-042: Log_MD, more malware archaeology, and sifting through the junk

Oct 15, 2015 01:11:58

Description:

Just before #Derbycon, we invited Michael Gough (@hackerhurricane) to join us on the #podcast. 

For the last 3-4 months, my co-host Brian and he were engaged in the creation of a software tool that would make #log #analysis of #windows systems quicker, and together they have achieved that with "Log-MD", short for Log Malicious Discovery.

For hosts infected with #Malware and #bots, they always leave a fingerprint of what they are doing behind. This software takes your system, configures it to get the maximum #logging output possible, then puts everything in a nice readable format, enabling you to filter out known good items, leaving you with bad items, or suspicious activity.  This allows you to analyze #logfiles and find malware in less time than before. This will make #forensics of infected systems faster and more economical.

We do some discussion of #Log-MD, and then we have MIchael demo LOG-MD for us.

Video demo: https://youtu.be/0_J90sOVY8c

log-MD site: http://log-md.com/

RSS: http://www.brakeingsecurity.com/rss

iTunes: https://itunes.apple.com/us/podcast/2015-042-log-md-more-malware/id799131292?i=354715938&mt=2

 

Derbycon Audio - post-Derby interviews!

Oct 10, 2015 01:04:10

Description:

In our last bit of Derbycon audio, I discussed DerbyCon experiences with Mr. Boettcher, Magen Wu (@tottenkoph), Haydn Johnson (@haydnjohnson), and Ganesh Ramakrishnan (@hyperrphysics).  We find out what they liked, what they didn't like, and you get a lot of great information about packing for a con, things you can do to improve your convention going experience.

Hopefully, you'll hear the amount of fun we had, and find the time to go to a convention. There are literally hundreds, many only few hours by plane away. Some can be found in your own town or within driving distance.

Derbycon - A podcast with Podcasters! *explicit*

Oct 1, 2015 00

Description:

Mr. Boettcher and I attended Derbycon, and while he was out attending talks, I got invited to do a podcast with some of the other podcasts who were there.  Special thanks to Edgar Rojas, Amanda Berlin, Jerry Bell, Andrew Kalat, Paul Coggin, Tim DeBlock, and everyone else at our recording.  We have a bit more audio that we will post this month, including a discussion of a tool Mr. Boettcher and Michael Gough collaborated on to make windows malware analysis easier to do.

2015-040; Defending against HTML 5 vulnerabilities

Sep 21, 2015 00

Description:

Last week, we discussed with Shreeraj Shah about HTML5, how it came into being and the fact that instead of solving OWASP issues, it introduces new and wonderful vulnerabilities, like exploiting locally stored web site info using XSS techniques, and doing SQLI on the new browser WebSQL.

So this week, it's all about defensive techniques that you can use to educate your developers against making mistakes that could get your company's web application on the front page of the news paper.

2015-039: Hazards of HTML5

Sep 14, 2015 33:29

Description:

Shreeraj Shah (@shreeraj on Twitter) came on this week to give us a run-down of some of the issues with HTML5? How can a new standard actually be worse than something like Flash? And why would a standard not address existing OWASP issues, and even create new issues, like the ability of a browser to have a database inside of it managing everything?

This week we discuss HTML5 history, some of the pitfalls, and discuss some of the new technologies found in HTML5 that will create more headaches for agents of infosec.

2015-038-Influence Vs. Mandate and Guardrails vs. Speedbumps

Sep 7, 2015 53:36

Description:

When we wanted to have Martin Fisher on, it was to discuss 'Security Mandate vs. Security Influence'. We wanted to discuss why companies treat compliance as more important, and if it's only because business requires it to be done. And if infosec is a red headed stepchild because they often don't have the guidance of a compliance framework.

 

But it ended up going in another direction, with Martin discussing infosec leadership, and how we as agents of infosec should be 'guardrails' instead of 'speed bumps' to business processes and people. It was a great discussion from a veteran healthcare CISO, especially if you're thinking of pursuing a CISO or CSO management track.

 

https://www.manager-tools.com/  -- Manager Tools podcast

2015-037-making patch management work

Aug 31, 2015 45:40

Description:

Once you find a vulnerability, how do you handle patching it? Especially when devs have their own work to do, there are only so many man hours in a sprint or development cycle, and the patching process could take up a good majority of that if the vuln is particularly nasty.

One method is to triage your patches, and we discuss that this week with Mr. Boettcher. We also talk about how our respective company's handle patching of systems.

We also discuss what happens when compensating controls run out of effectiveness, and if there is a point at which they no longer are 'compensating' for anything any further.

2015-036: Checkbox security, or how to make companies go beyond compliance

Aug 24, 2015 53:11

Description:

Checkbox Security... checklists required to follow by compliance people and many security people have to fall in line, because they often have no choice.

But what if there was a way to use compliance requirements to get beyond the baseline of PCI/SOCII/HIPAA, and get to be more secure?

Megan Wu (@tottenkoph), Mr. Boettcher, and I spent a bit of time discussing just that. We discuss basic issues with compliance frameworks, how to get management to buy-in to more security, and even how you can get Compliance people to help without them knowing it.

2015-035: Cybrary.it training discussion and Bsides Austin Panel

Aug 16, 2015 40:56

Description:

After last week's discussion of end-user training in the SANS top 20 security controls, we realized that it would be great to discuss how a company involved in training does proper training.

 

So we hit up our sponsor at Cybrary.it to discuss their end-user security training track and how companies can use it to help their employees to be more secure in their workplace.

 

We end the podcast with a bit of audio from the Bsides Austin blue/red panel Mr. Boettcher moderated. He asked them about training and it's worth. The first answer from Justin Whitehead is telling as to how he believes training will fail regardless. His answer was chilling in fact, and we hope to continue that conversation with him in the future about it.

Flashback: 2014-001_Kicking some Hash

Aug 16, 2015 39:55

Description:

For long time listeners of the podcast, back when Brian and I wanted to do the podcast, we were working at the same company, and the first podcast we did was on hashes. 

 

Bob story: Bob was getting tired of explaining what MD5, SHA1, SHA2 were to developers, so as we were developing our idea for the podcast, this was the first episode we had. Mr. Boettcher had several ideas for podcasts prior to.

I was actually gonna go it alone, but wanted him to join me. Thankfully, he broached the idea of being on the podcast. This was actually the second take, as the first one was done in our office and we didn't want any legal issues doing it at work, so we trahed that one and made this version. I thought the first take was better, but what are gonna do... :)

 

2015-034: SANS Top20 Security Controls #9 - CTFs - Derbycon dicsussion

Aug 10, 2015 54:25

Description:

End User training.  Lots of companies have need of regular security training. Many treat it as a checkbox for compliance requirements, once a year.  With the way training is carried out in many organizations, is it any wonder why phishing emails still get clicked, passwords still get compromised, and sensitive information is still leaked.

We discuss methods to make training more effective, and how to make people want to do training.

Finally, we dicsuss Capture-The-Flag competitions, and why it would behoove blue team people to attempt them. They become a great barometer for understanding your shortcomings, and what you as a blue teamer might need to study up on...

2015-033: Data anonymization and Valuation, Privacy, and Ethical medical research

Aug 3, 2015 54:26

Description:

Katherine Carpenter is a privacy consultant who has worked all over the world helping to develop guidelines for ethical medical research, sharing of anonymized data, and helping companies understand privacy issues association with storing and sharing of medical data.

 

This week, we discuss how companies should assign value to their data, the difficulties of doing research with anonymized data, and the ramifications of research organizations that share data irresponsibly.

 

email contact: carpenter.katherinej@gmail.com






http://jama.jamanetwork.com/article.aspx?articleid=192740

 

https://depts.washington.edu/bioethx/topics/consent.html



https://en.wikipedia.org/wiki/De-anonymization

https://en.wikipedia.org/wiki/Data_anonymization

https://en.wikipedia.org/wiki/De-identification

 

https://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles

 

http://www.nature.com/news/privacy-protections-the-genome-hacker-1.12940

 

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html

 

https://en.wikipedia.org/wiki/Information_privacy_law

 

http://www.theguardian.com/technology/2015/apr/06/data-privacy-europe-facebook

 

http://www.theguardian.com/technology/2015/jun/15/eu-privacy-laws-data-regulations

 

http://www.theatlantic.com/technology/archive/2013/01/obscurity-a-better-way-to-think-about-your-data-than-privacy/267283/

 

http://fusion.net/story/171429/app-genetic-access-control-genes-dna-for-password/



###

 

Katherine’s note, comment, and links.

It is good to be thinking about de-identification (especially regarding health care data)

 

I think a better question to ask is how easy is it to re-identify information that has been de-identified. The HIPAA rule has 18 Identifiers which count as Personally Identifiable Information (PII) or Personal Health Information (PHI) include birth date, zip code, and IP address; When data is collected in non-health contexts, these identifiers are not considered PII/PHI (for example: this kind of information can be used for marketing purposes or financial/credit-related purposes).

 

A brief history on the topic:

in 1997 a precocious grad student IDed the Governor of MA using purchased voter records to reID deIDed health information that was released. (This study was one motivator to pass HIPAA.) Further research along the same lines of the previous project can be summed up with a simple and scary statistic: in 2000, 87% of Americans may be uniquely identified by combining zip code, birthday and sex(gender).

 

For this reason, health information is threatened not only by deID’n & reID’n, but by the combination of and other types of information that are publicly available or available for purchase and could reveal things about an individual that would contribute to reID of individual’s health info.

 

Here are a bunch of articles that discuss the topic from different angles.

 

http://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/

 

https://datafloq.com/read/re-identifying-anonymous-people-with-big-data/228

 

http://www.bloomberg.com/news/articles/2013-06-05/states-hospital-data-for-sale-puts-privacy-in-jeopardy

 

https://epic.org/privacy/reidentification/

 

http://news.harvard.edu/gazette/story/2011/10/you%E2%80%99re-not-so-anonymous/

 

Dwork, C. and Yekhanin, S. (2008), “New Efficient Attacks on Statistical Disclosure Control Mechanisms,” Advances in Cryptology—CRYPTO 2008, to appear, also at http://research.microsoft.com/research/sv/DatabasePrivacy/dy08.pdf

 

Is Deidentification Sufficient to Protect Health Privacy in Research?

Mark A. Rothsteinhttp://www.ncbi.nlm.nih.gov/pmc/articles/PMC3032399/



2015-032: Incident response, effective communication, and DerbyCon Contest

Jul 26, 2015 59:13

Description:

 In an incident response, the need for clear communication is key to effective management of an incident. This week, we had Mick Douglas, DFIR instructor at SANS, and Jarrod Frates, who is a pentester at InGuardians, and has great experience handling incidents. Find out some roles in an incident response (the Shadow, the event coordinator, the lead tech), and how companies should have an IR plan that handles various 'incident severities'.

Jarrod updates us on "TheLab.ms" and how you might like to help them! 

Finally, We are holding a contest to win a ticket to DerbyCon, full instructions are below. We are giving away two tickets. 

DerbyCon 1st Ticket contest expires 31 July 2015. 

 

1.     To enter for a ticket to DerbyCon

a.     A donation must be made to Hackers for Charity (http://www.hackersforcharity.org/)

b.     Once the donation is made, email your receipt of your donation to bds.podcast@gmail.com

c.     If you win:  We will contact you by the email you mailed the receipt from with our contact information. You will need to contact us when you get to DerbyCon, as we will not send you the ticket directly. You will also be responsible for airfare and accommodations at DerbyCon.

2015-031: Fab and Megan-High_Math-Psychology_and Scarves

Jul 18, 2015 52:52

Description:

Strap yourselves in ladies and Gentlemen.  With Mr. Boettcher gone on "vacation" this week, I needed some help with the podcast, and boy did we pick a doozy.  If you're a fan of Turing Complete algorithms, frankly, who isn't ;) , we had Ms. Fabienne Serrière (@fbz) and Ms. Magen Wu (@tottenkoph) who discuss higher order math and psychology on our podcast this week.

We also discuss a little project management and even talk about why proper survey sizes and getting a good cross-section is important.

 

Be sure to pick up one of Ms. Fbz's scarves, especially if you're a math nut, and love fracctals and patterns as I do.

Kickstarter: https://www.kickstarter.com/projects/fbz/knityak-custom-mathematical-knit-scarves

Elementary Cellular Automaton : http://mathworld.wolfram.com/ElementaryCellularAutomaton.html

Turing Complete:  https://en.wikipedia.org/wiki/Turing_completeness

Sierpinski Triangle: https://en.wikipedia.org/wiki/Sierpinski_triangle

Chomsky Hierarchy: https://en.wikipedia.org/wiki/Chomsky_hierarchy

Hammer/LangSec: https://github.com/UpstandingHackers/hammer

Sergey Bratis: http://www.cs.dartmouth.edu/~sergey/

Stego Hats: http://www.ravelry.com/projects/fbz/pseudo-random-reversible-hat

SeaSec East: http://www.meetup.com/SEASec-East/

2015-030: Bsides Austin panel Discussion (Red Team vs. Blue Team)

Jul 13, 2015 38:49

Description:

My podcast co-host Brian Boettcher, along with Kate Brew, an Austin, TX based security blogger, headed up this panel called "Red Team Vs. Blue Team". The idea was to ask people from various sides of the aisles (attackers and defenders) pressing questions about how the industry operates.

Infosec heavyweights like Kevin Johnson (@secureideas), Mano Paul (@manopaul), Josh Sokol (@joshSokol), made this a very excellent podcast...

 

We hope you enjoy!

2015-029: Big Brown cloud honeyblog with @theroxyd

Jul 6, 2015 49:00

Description:

Roxy, who we interviewed a few months ago on our podcast about hackerspaces, is back with us this week to discuss a project she is working on, called 'Big Brown Cloud'. If you've ever wanted to setup your own fake blog and send people to it to gain information on possible attacks, you've come to the right place.  

 

We also get an update on the hackerspace that Jarrod, Sean, and Roxy were getting setup a few months ago. They've come a long way, and they are about to move into their new facility

https://thelab.ms/

2015-028: using log analytics to discover Windows malware artifacts

Jun 29, 2015 44:49

Description:

In this podcast, you'll learn about:

Log analytics software that can be used to parse system logs for naaty malware

Detecting Malware artifacts

learn about windows directory locations

looking for indicators like packing, changed hashes, etc

Tips for capturing malware using tools like RoboCopy

Learn about what code caves are and how malware hides inside them (http://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves)

 

SANS DFIR poster - https://www.sans.org/security-resources/posters/windows-forensics-evidence-of-75 

2015-027- detecting malware in Windows Systems with Michael Gough

Jun 22, 2015 50:34

Description:

Michael Gough joined us again to discuss malware detection techniques on Windows systems. We talk about how you can modify Powershell's defaults to allow for better logging potential. Also, we find out some hidden gems that pretty much guarantee to let you know that you've been infiltrated. 

Stay for the powershell security education, and you also learn some new terminology, like "Malware Archaeology", Malwarians, and 'Log-aholic', to name a few...

2015-026- Cloud Security discussion with FireHost

Jun 15, 2015 54:07

Description:

This week, we discuss various methods of enabling companies to move applications to cloud based platforms. 

We discuss containers, like Docker, and how various hosting services handle converting businesses from a traditional data centers to a secure. cloud based entity.

We even discuss securing the data in the cloud, preventing bad guys from accessing it, as well as the cloud provider themselves, who can be served with a subpeona to hand over data.

Brakeing Down Security would like to thank FireHost for allowing Chase and Mike to join us.

2015-025: Blue Team Army, Powershell, and the need for Blue team education

Jun 8, 2015 34:25

Description:

With last week's revelation from Microsoft that they will support SSH, understanding powershell has become more important than ever as a tool to be used by blue teamers, both for adminstration, and to understand how bad guys will use it for nefarious deeds on your network.

 

Part 2 of our interview with Mick Douglas discusses a bit more about the DEV522 class that he teaches for SANS, and why it seems that blue team (defenders) are not getting the training they should.  By being deficient in necessary skills, the knowledge between bad guys and the defenders widens. 

2015-024: Is a good defense the best offense? Interview w/ Mick Douglas!

May 31, 2015 49:21

Description:

We had the opportunity to discuss with Mick Douglas the fact that there is a stigma of blue team always being on the losing end of the security. Is it because there are more tools for the pentesters or bad guys, or that it takes a massive IT budget to be secure? We don't believe so... Great insights into how a blue team can protect their network.

2015-023_Get to know a Security Tool: Security Onion!

May 26, 2015 37:10

Description:

Having a more secure network by deploying tools can be no easy task. This week, we show you a tool, Security Onion, that can give you an IDS and log analysis tool in less than 20 minutes.

 http://blog.securityonion.net/p/securityonion.html

2015-022: SANS Top 25 Critical Security Controls-#10 and #11

May 18, 2015 56:04

Description:

When you're working with network infrastructure, there's a real need for proper configuration management, as well as having a proper baseline to work from.

Mr. Boettcher and I continue through the SANS Top25 Critical Security Controls. #10 and #11 are all dealing with network infrastructure. Proper patches, baselines for being as secure as possible. Since your company's ideal security structure needs to be a 'brick', and not an 'egg'.

 

2015-021: 24 Deadly Sins: Command injection

May 11, 2015 40:10

Description:

We continue our journey on the 24 Deadly Programming Sins. If you listened to last week's podcast, we introduced the book we were using as a study tool:

http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751

This week is on command injection. We first discussed command injection as part of our OWASP Top 10 for 2013, but you'll be surprised just how easy devs compile conditions that allow for command injection into their code as well.

Special Interview with Johnny Long!

May 8, 2015

Description:

At DerbyCon last year, Mr. Boettcher did a microcast with Johnny Long. An inspirational human being who left a life many info professionals dream of, and went to Africa to help disadvantaged people make a better life with access to technology.

Where is the audio you ask? Well, we've posted it on out Patreon so that they can have first dibs on it. We'll post it here this weekend for everyone. 

He is a great individual and we hope you'll enjoy it.

2015-020 - Deadly Programming Sins - Buffer Underruns

May 3, 2015 38:05

Description:

Code Audits are a necessary evil. Many organizations resort to using automated tools, but tools may not find all issues with code. Sometimes, you need to take a look at the code yourself. 

Mr. Boettcher and I begin going through the book "24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them" What we covered this week is "buffer overruns", we discuss what they are, and how they occur.

Get ready for a crash course in code audits. The book is not required, but it definitely helps when we are discussing concepts.

We also mentioned our new Patreon account, so if you are a listener, and want to support what we do, you can give on a per month schedule. Donations are entirely optional, and if you don't wish to give, that's fine too.

 

24 Deadly Sins on Amazon:

http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751/ref=sr_1_1?ie=UTF8&qid=1430622916&sr=8-1&keywords=24+deadly+sins+of+software+security+programming+flaws+and+how+to+fix+them

 

https://cwe.mitre.org/

 

 

2015-018- How can ITIL help you flesh out your infosec program?

Apr 26, 2015 58:17

Description:

When you're faced with major projects, or working to understand why your IDS fails every day at the same time, there must be a way to work that out. Or when you must do the yearly business continuity failover, you need a process oriented framework to track and ensure changes are committed in a sane, orderly manner.

ITIL is a completely versatile, flexible framework that scales with your organization. You can also use it with your software development lifecycle. You can use it to enhance major projects and security initiatives.

Tim Wood joins us for the second part of his interview. We discuss Change Management, Problem Management and making inter-departmental SLAs a reality for proper management of changes.

 

Tim Wood's Presentation: https://drive.google.com/file/d/0B-qfQ-gWynwiVS0zLTZidml0VzA/view?usp=sharing (view only)

2015-017: History of ITIL, and integrating Security

Apr 18, 2015 55:59

Description:

Much of InfoSec and Compliance is all about processes, procedures, controls, audits, and the proper management of all of these.  To do so, you need a proper framework to make these as seamless as possible. ITIL is one of these types of frameworks.

We introduce Mr. Tim Wood on the podcast, who has over 20 years of ITIL experience and began ITIL implementations in banks and Healthcare systems in the United Kingdom. He currently works with different industries to change culture and make an ITIL a reality.

This week, we go over the History of ITIL, and understand the various incarnations from v1.0 to v3.0. You quickly understand where security will start fitting into all those facets of the ITIL framework.

 

Tim Wood's Presentation: https://drive.google.com/file/d/0B-qfQ-gWynwiVS0zLTZidml0VzA/view?usp=sharing (view only)

2015-016: Special Interview: Cybrary.it

Apr 7, 2015 33:52

Description:

Special interview this week! On the heels of their uber successful KickStarter campaign, we brought co-founder Ryan and one of the technical editors Anthony in to discuss what Cybrary is. We also discuss ways you can leverage it in your own business to get quality security awareness training, as well as train up your employees on infosec topics that can benefit your company and employees. You can find out more at http://www.cybrary.it

2015-015: 2015 Verizon PCI report

Apr 4, 2015 43:19

Description:

It's that time of year again...  when all the reports come out that shows how various industries did over the last year.

Brakeing Down Security went over the results of the Verizon PCI report.  Did companies do worse this year, or could they have actually improved? Listen to our analysis, and what companies can do to learn from this, and how you can use this report to help get a leg up when your QSA comes calling.

 

 http://www.verizonenterprise.com/pcireport/2015/

 

Pay IRS using "Snapcard": http://www.coindesk.com/pay-taxes-bitcoin-snapcard-pay-irs/

 

According to the US Internal Revenue Service (IRS), virtual currencies are treated as "Property": http://www.irs.gov/uac/Newsroom/IRS-Virtual-Currency-Guidance

2015-014-SANS Top 20 Controls - #12 and #13

Mar 28, 2015 57:33

Description:

We continue our trek down the list of SANS Top 20 Critical Security Controls this week with #12 and #13 - Boundry Defense, and Controlled use of Administrative Privileges.  Learn what you can do to shore up your network defenses, and how to handle admin privileges... When to give that kind of access, and how to make privileged access as secure as possible while still allowing administrators to do their work.

 

 

https://www.sans.org/media/critical-security-controls/CSC-5.pdf

 

 

http://www.openspf.org/

 

https://4sysops.com/

2015-013-Hackerspaces and their sense of community

Mar 21, 2015 49:52

Description:

We invited the organizers of the "TheLab.ms", a Dallas, Texas based hacker/makerspace on the podcast to talk about why they wanted to start a makerspace, the costs and plans to setup a hacker space, and some of the things you can do with a makerspace. We also understand the sense of community and the learning environment gained from these places. 

If you are looking to start a 'space in your area, or looking to understand why they are needed in a community, you'll want to listen to Roxy, Sean, and Jarrod talk about the highs and lows and even some of the gotchas in setting up a space.

2015-012-Fill In podcast with Jarrod and Lee!

Mar 15, 2015 01:43:36

Description:

Mr. Boettcher went on vacation and was volunteering for Austin Bsides this week, and I needed to do a podcast, so I enlisted the aid of Lee Brotherston and Jarrod Frates discuss some important topics.  We discuss the seemingly short talent pool for IT/IS positions.  We talk about the ROWHAMMER vulnerability and how it may affect your organization. Additionally, we talk about how the NTP protocol is being maintained by one person and what can be done to help with that, as it is a critical piece of Internet Infrastructure, and finally, we figure out why PGP/GPG is not user-friendly, and if there are ways to make it better, or if it needs to be replaced permanently.

 

News of the week

RowHammer -

http://www.darknet.org.uk/2015/03/rowhammer-ddr3-exploit-what-you-need-to-know/

 

Lack of hire-able people in IT/IS - per Leviathan Sec report. https://www.leviathansecurity.com/blog/scarcity-of-cybersecurity-expertise/

 

NTP maintained by one guy ‘Father Time’

http://www.informationweek.com/it-life/ntps-fate-hinges-on-father-time/d/d-id/1319432

 

Moxie Marlinspike’s GPG/PGP rant: Perfection ruined the goal http://www.thoughtcrime.org/blog/gpg-and-me/

 

2015-011- Why does BeEF and metadata tracking keep I2P developers up at night?

Mar 7, 2015 45:43

Description:

In our continuing discussion with Jeff and "Str4d", we got right to the heart of the matter: Privacy and anonymity.

 

If you're trying to remain anonymous, what steps do the devs of I2P use to keep themselves as anonymous as possible.  We also touch on what the "Browser Exploitation Framework", and why it scares the heck out of Jeff.

 

Finally, I ask them if there is any real 'good' sites on I2P, because of how the media seems to latch on to any story where we hear the bad things of any anonymizing network, is there a way we can improve the image of anonymizing networks.

 

*** If you have a blog, and it's about security/privacy/compliance, please consider adding us as a write-in for '2015 Best New Security Podcast' here:

https://www.surveymonkey.com/s/securitybloggers***

 

Show notes: https://docs.google.com/document/d/1Vh0HiUDXchesI2-BlthztoIIswZa0GZa_Jg0mOu0ao4/edit?usp=sharing

2015-010 - How can you use I2P to increase your security and anonymity?

Mar 1, 2015 57:06

Description:

Mr. Boettcher got a hold of the developers and maintainers of the anonymizing network "I2P". We talked with "str4d" and "Jeff" this week.

In Part 1 of the interview, we discuss the technical aspects of I2P, how it functions, how 'Garlic routing' works, and how the flood Fill servers allow for I2P to function effectively.

In the final segment, we discuss form factors, specifically if I2P is available for embedded systems like Raspberry Pi.

If you find Tor not to your liking, give I2P a try... it's goals are the same, but the method of security and privacy are different. Plus, as you can hear from the podcast, it's very much a tight knit community of security and privacy enthusiasts.

 

Show notes, links, and contact info: 

https://docs.google.com/document/d/1Vh0HiUDXchesI2-BlthztoIIswZa0GZa_Jg0mOu0ao4/edit?usp=sharing

2015-009-Part 2 with Pawel Krawczyk

Feb 22, 2015 35:33

Description:

The second part of our interview with Pawel discussed Content management systems, and how you can integrate CSP in Drupal, Django, and the like.

Content managers, you'll want to listen to this, especially about how CSP can help you secure the content on your systems, as well as protect customers from web based attacks using the sandboxing functions of CSP

Pawel's Blog = ipsec.pl

Pawel's CSP builder app = cspbuilder.info

Quick Guide to CSP: http://content-security-policy.com/

 

 

2015-008- Make your web Apps more secure with Content Security Policy (part 1)

Feb 17, 2015 29:33

Description:

Pawel Krawczyk did an interview with us about Content Security Policy. Learn about what it is, and whether or not the latest browsers can support it.

 

We also talk about how you can get around it, if there are ways to avoid it if you are a bad guy, and how you can get the most out of it.

If you're a web developer, and want to reduce your site's chances of allowing XSS, you'll want to take a listen to this.

 

https://w3c.github.io/webappsec/specs/content-security-policy/#changes-from-level-1

https://w3c.github.io/webappsec/specs/content-security-policy/#directive-sandbox

2015-007-SANS_Top20_14and15--Proving_Grounds_Microcast with Megan Wu!

Feb 10, 2015 53:40

Description:

Extra special treat this week!  We do a continuation of our review of the Top 20 Security Controls, in which we do #14 and #15, which all of you will find very interesting.

 

But the real reason we are posting this today is the Call for Papers and Call for Mentors for the Bsides Las Vegas Proving Grounds! We invited Magen Wu (@tottenkoph) on to discuss. If you've ever asked yourself "I'd like to give a talk, but they'd never put me on"  NOW IS YOUR CHANCE! :)

This is a great opportunity if you're a veteran speaker, or just want to give back to the community at large... You can mentor a n00b to help them create a topic, help them hone their paper, and be with them when they give the talk at Bsides Las Vegas in July.  

Many thanks to @tottenkoph and @securitymoey. They need your help, both as a mentor and a mentee.  This is also an excellent networking opportunity. You get 1-on-1 access to an often influential mentor, someone in the infosec community, and your talk will be seen by several hundred people. hmmm.... maybe I should put one in :D

 

-----

SANS #14-10: 

Ensure that the log collection system does not lose events during peak activity, and that the system detects and alerts if event loss occurs (such as when volume exceeds the capacity of a log collection system). This includes ensuring that the log collection system can accommodate intermittent or restricted-bandwidth connectivity through the use of handshaking / flow control.

------

 

 

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

2015-006- Is your ISP doing a 'man-in-the-middle' on you?

Feb 7, 2015 59:29

Description:

During our research with Lee Brotherston, who we had on last week for our podcast on threat modeling, we got to listen to one of his talks about how his ISP in Canada was actively doing a Man-in-Middle injection of a banner into sites that he visited.  

 

We were intrigued, and also gobsmacked (I can say that, right?) about the brashness of an ISP not apparently understanding the security implications of this, so we had him back on totalk about the finer points of his research.  The bad news? Other ISPs, including American ISPs are using this technology.

 

This is one of those podcasts that you need to tell your friends about, cause it's truly surprising the lengths ISPs go to injecting content into your pages.

 We also have a short message about the Bsides Las Vegas Proving Grounds this year... If you've wanted to present a paper at a conference, and have a mentor guide you through the process, hit them up on the Proving Grounds page at http://www.bsideslv.com

Show notes (lots of info): https://docs.google.com/document/d/1YLkiRE1SVIyWquWc-iQrESWlT10rSJmW1VcrOX3kQZ0/edit?usp=sharing 

 

 

 

 

 

 

 

 

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

2015-005: Threat Modeling with Lee Brotherston

Feb 1, 2015 45:07

Description:

Threat Modeling... ranks right up there with Risk Assessments in importance...  You gotta figure out how the applications you're creating or the systems you're engineering are secure.  It really takes knowing your application and really, knowing the enemies/factors that can cause your application to fail, from santizing inputs on a web app, to making sure that your code doesn't have use-after-free bugs.

Brakeing Down Security talked about conducting threat modeling and application reviews with Lee Brotherston (@synackpse) from Leviathan Security (@LeviathanSecurity) this week. We discuss types of risk analysis, including one named 'Binary Risk Analysis', which may simplify assessment of your computer systems.  

 

Show notes = https://docs.google.com/document/d/1K-eycek2Xud7loVC4yrHg6eHCY0oyztV_ytbY433oYk/edit?usp=sharing

 

 

 

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

2015-004-SANS Top 20: 20 to 16

Jan 26, 2015 58:59

Description:

Mr. Boettcher and I went over the bottom 5 of the SANS Top 20 security controls that businesses should implement. When put into the right order, you should be able to have an environment that is able to withstand most any attack.

We also talk about 5 'Quick Fixes' that will put you on the right track with becoming more secure.

 

You may be surprised at what is considered a priority...  have a listen: (QR code links to the mp3)

 

Show notes: https://docs.google.com/document/d/1JuRJ-RPTmw50pTeO82rb9_rC8tFf53eiUzkppfwQvs0/edit?usp=sharing

 

 

 

 

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

All About Tor

Jan 17, 2015 40:59

Description:

Brakeing Down Security tackles the 'Deep Web' this week... yep, we talk about Tor. If you don't have a lot of experience with this or wonder how it works, we give you a little history and help you understand the traffic flow works.

 

We even give you some advice on de-identification and things you shouldn't allow when traveling the Deep Web, like Javascript, Flash, and Java.

 

Show Notes:

https://docs.google.com/document/d/1vBI_bg_0RzF_sSNMj84xQpEZGUrxtAkB8SxZ08MzUi0/edit?usp=sharing

 

 

 

 

 

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Episode 2: Big Trouble in Small Businesses

Jan 10, 2015 35:54

Description:

Security's the same, the world around...  and is a necessity in businesses of all sizes, from the mega-corporations, all the way down to the business with 10 employees in a garage in suburbia.

This week, Mr. Boettcher and I discuss security in small businesses. What is needed to make security part of the culture of a new company. We discuss some open source tools to ensure that networks are monitored properly, logs are collected, collated, and analyzed. And better yet, these are on the cheap, which is helpful for a small business on a tight budget.

 QR code links directly to the episode...

 

 http://www.ihotdesk.co.uk/article/801717385/Most-small-businesses-have-faced-InfoSec-breach-recently

 https://blog.whitehatsec.com/infosec-europe-wrapup/

 

 http://www.infosectoday.com/Articles/DRPlanning.htm

 

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

2015-001- "unhackable" or "attacker debt"

Jan 4, 2015 10:43

Description:

This is a quick little podcast I did without Mr. Boettcher about a Twitter discussion that occurred when Dr. Neil Degrasse Tyson mentioned that we should just make computers 'unhackable'.

The first episode of the 2015 season of Brakeing Down Security is here!

 

Tweet from Dr. Neil Degrasse Tyson

                        https://twitter.com/neiltyson/status/551378648578916353

Rebuttal from Kevin Johnson

 

                        https://twitter.com/secureideas/status/551510885441998848

 

 

 

"Dirt Rhodes"

Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 3.0

http://creativecommons.org/licenses/by/3.0/

Is Compliance running or ruining Security Programs?

Dec 26, 2014 32:46

Description:

We at Brakeing Down Security world headquarters don't understand the concept of 'End of the Year' podcast, so consider this the "End-End of the Year" podcast.

We talked about the order of things... whether Compliance is a detriment to Security, and who should be running who.

 

So pull up a glass of eggnog, grabbing another cookie, and put another log on the fire, cause Brakeing Down Security is throwing out one more for the year!  Happy Holidays... all of them... :)

Brakeing Down/Defensive Security Mashup!

Dec 22, 2014 01:26:28

Description:

It's a Super Deluxe sized Brakeing Down Security this week...

It's something you've dreamed of forever (or not), but Jerry Bell and Andrew Kalat from Defensive Security Podcast stopped by and we made ourselves a podcast baby... Boy, was it ugly :)

I'm just kidding, we had a great time discussing some news, and going over what we learned... and any good end-of-year podcast must have predictions...  

We also discussed Sony, caused it's huge news of the year, and talked about Target, because we love dissing PCI... ;)

There might be a few bad words, so if you have small ears around, be advised...

When you're done, check out the other 96 episodes of Defensive Security, and check out our 55 other episodes..

 

http://www.defensivesecurity.org/

Twitter handles:

Andrew Kalat: https://twitter.com/lerg

Jerry Bell: https://twitter.com/Maliciouslink

 

 

Icon provided by DefensiveSecurity.org... I'd imagine they'd let us use it, since they were on the podcast ;)

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Tyler Hudak (@secshoggoth) Discusses incident respose, and DIY malware research

Dec 15, 2014 41:44

Description:

This week, Tyler gave us a great deal of information on where to start if you wanted to become a malware researcher. He also gave us websites where you can get malware and ways to analyze it. 

We asked Tyler what blue teams can do when they are infected, and he gave us some excellent advice...

I also recite some prose from a classic horror author, so come for the malware, stay for the prose! :)

***NOTE: I guess now would be a good time to mention that many of the links below have unsafe software and actual malware payloads, so use with extreme caution. Especially do not download anything from these sites unless it's in a VM that is not on your companies assets.***

http://www.hopperapp.com/ - Disassemble OSA binaries

http://en.wikibooks.org/wiki/X86_Disassembly/Disassemblers_and_Decompilers - other Disassemblers

http://vxheaven.org/ - Virus Heaven

http://www.malwaredomainlist.com/ - Find websites serving malware

http://oc.gtisc.gatech.edu:8080/ - Georgia Tech malware repository

Sandboxie - http://www.sandboxie.com/

KoreLogic - http://www.korelogic.com/ (lots of great tools here)

http://secshoggoth.blogspot.com/ - Tyler's Blog

Tyler Hudak discusses malware analysis

Dec 8, 2014 39:29

Description:

Tyler Hudak (@secshoggoth) came to discuss with us the process of doing analysis on malware binaries. We talk about MASTIFF, his malware framework.  We also discuss how to gain information from malware program headers, and some software that is used to safely analyze it.

Helpful Links:

Ida Pro: https://www.hex-rays.com/products/ida/

Process Monitor - http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Mastiff White Paper: http://digital-forensics.sans.org/blog/2013/05/07/mastiff-for-auto-static-malware-analysis

Mastiff latest: http://sourceforge.net/projects/mastiff/files/mastiff/0.6.0/

cuckoo sandbox: www.cuckoosandbox.org

Anubis: https://anubis.iseclab.org/

 

PE Headers: http://en.wikipedia.org/wiki/Portable_Executable

ELF: http://fr.wikipedia.org/wiki/Executable_and_Linkable_Format

REMnux- reverse engineering linux distro:https://remnux.org/

 

Inetsim: http://www.inetsim.org/

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Part 2 w/ Ben Donnelly -- Introducing Ball and Chain (making password breaches a thing of the past)

Dec 1, 2014 37:41

Description:

Last week, we talked with Ben Donnelly about ADHD (Active Defense Harbinger Distro). But Ben isn't a one trick pony, oh no... this young punk is trying to solve fundamental problems in the business industry, in particular securing passwords.  That's why he's been working with Tim Tomes (@lanmaster53)invented 'Ball and Chain', which is a large (>2TB) file that can be used to help generate passwords and entropy.

 

 

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

New Tumblr Post

Nov 30, 2014

Description:

It's a bit meta, cause this will show up there in a few minutes, but Brakeing Down Security now has a Tumblr...

Don't know why it took so long...  We'll be posting from other Tumblr blogs, and our episodes will post there... I hope you will spread the word...

http://brakeingdownsecurity.tumblr.com/

Thank you from Brakeing Down Security

Nov 28, 2014

Description:

When Mr. Boettcher and I started the Brakeing Down Security Podcast, we really did it for 2 reasons:

1. We wanted to educate people and ourselves about information security topics, and do it in a way that was fun

2. Educate ourselves about some topics that we were not familar with, because infosec and compliance is such a vast range of topics and skills

 

Mr. Boettcher and I want to extend a warm and hearty THANK YOU SO MUCH for inviting us into your podcasting listening device. We realize there are a ton of infosec podcasts out there, and you allowing us to share space with them makes us so happy.

Look for more podcasts in December, and in the new year, look for more videos and excellent interviews.

 

As we've always said, we do this podcast for you, and we want to know what you want to hear or see.  If you have a topic you'd love to have us talk about, or you'd like to come on our podcast and talk about something you're working on, please let us know.  We want input, so please leave us some feedback on iTunes, or tweet our podcast to your friends

 

Happy Thanksgiving to our US fans, Happy Thursday for the rest of the world...

 

Bryan Brake

Creator, Co-Host of the Brakeing Down Security podcast

@bryanbrake

@boettcherpwned

Website: www.brakeingsecurity.com

RSS: brakeingsecurity.libsyn.com/rss

iTunes:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

EMAIL: bds.podcast@gmail.com

 

Active Defense and the ADHD Distro with Ben Donnelly

Nov 23, 2014 44:40

Description:

We snagged an interview with Benjamin Donnelly, a maintainer of the Active Defense Harbinger Distribution (ADHD). version 0.60

 

A thoroughly enjoyable conversation with a new up-and-coming security professional. He's the future, and he is already contributing a lot of great info to the infosec industry.

 

Part 1 is all about ADHD, next week, we discuss his talk about a project he's working on that will remove the threat of password breaches using 'Ball and Chain'.  And it's all open source...

 

 

 

ADHD ISO:  http://sourceforge.net/projects/adhd/


CryptoLocked:   https://bitbucket.org/Zaeyx/cryptolocked

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

WebGoat install video with Mr. Boettcher!

Nov 21, 2014 05:19

Description:

My man Mr. Boettcher posted up a video on how to install OWASP's WebGoat Vulnerable web application!

He walks you through WebGoat 5.4, and even gives you some tips on solving issues that he'd found.  And to make it even easier, he's given you some instructions below.

Hope you enjoy, especially if you've had issues setting up WebGoat in the past.

 

 

Webgoat 5.4 instructions
========================
1. search google and download the war file

            (From Bryan: Here's the link -- https://code.google.com/p/webgoat/downloads/list )


2. install tomcat
    sudo apt-get install tomcat7
3. move the war file to tomcat webapp directory
    sudo mv ~/Downloads/WebGoat-5.4.war /var/lib/tomcat7/webapps/WebGoat.war
4. edit tomcat-users.xml by adding the content below
    sudo vi /var/lib/tomcat7/conf/tomcat-users.xml
5. restart tomcat
        sudo /etc/init.d/tomcat7 restart
6. in your browser, type localhost:8080/WebGoat/attack







Active Defense: It ain't 'hacking the hackers'

Nov 18, 2014 49:26

Description:

Active Defense... It conjures images of the lowly admin turning the tables on the evil black hat hackers, and giving them a dose of their own medicine by hacking their boxes and getting sweet, sweet revenge... But did you know that kind of 'revenge' is also rife with legal rammifications, even bordering on being illegal??

This week, Mr. Boettcher and I tackle this prickly subject, and discuss some software you can use to 'deter, prevent, and dissuade' potential bad guys...

 ADHD Training (courtesy of Paul's Security Weekly Podcast): http://blip.tv/securityweekly/active-defense-harbinger-distribution-release-party-7096833

Artillery - https://www.binarydefense.com/project-artillery/

DenyHosts - http://denyhosts.sourceforge.net/

Nova:  http://www.sans.org/reading-room/whitepapers/detection/implementing-active-defense-systems-private-networks-34312

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Interview Part 2 with Paul Coggin: Horror stories

Nov 10, 2014 39:04

Description:

If you think Halloween was scary, Paul Coggin gives us another reason to curl up in the fetal position as he goes explains Lawful Intercept, and Route Maps. And what's worse, your 3rd party auditors are starting to get the tools that will make you address network protocol issues.

 

Lots of great material here below in our show notes, including some tools (free) that you can use to get yourself schooled on network protocols

 

http://www.zdnet.com/researcher-describes-ease-to-detect-derail-and-exploit-nsas-lawful-interception-7000025073/

 

BGPmon - http://www.bgpmon.net/

Renesys (now Dyn Research) http://research.dyn.com/

BGP Play - http://bgplay.routeviews.org/

BGP Looking glass servers - http://www.bgp4.as/looking-glasses

yersinia - http://www.yersinia.net/

Fx Twitter handle - https://twitter.com/41414141

ernw - https://www.ernw.de/

Cisco Route Maps - http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/49111-route-map-bestp.html

Paul's Bsides Nashville talk - http://www.irongeek.com/i.php?page=videos/bsidesnashville2014/300-bending-and-twisting-networks-paul-coggin

Huawei ENSP - http://enterprise.huawei.com/en/products/network-management/automation-tools/tools/hw-201999.htm

NRL Core - http://www.nrl.navy.mil/itd/ncs/products/core

NRL Mgen - http://www.nrl.navy.mil/itd/ncs/products/mgen

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Interview with Paul Coggin (part 1)

Nov 3, 2014 42:06

Description:

One of the talks my colleague got to see was Paul Coggin's talk about Internetworking routing and protocols.  In this interview, we dicsuss some tools of the trade, how MPLS isn't secure, and why you should be doing end-to-end encryption without allowing your VPN or circuit provider to do it for you...

If you have any interest in network security, including the higher order network protocols like BGP, MPLS, ATM, etc...  You'll want to check out his DerbyCon talk, and our interview...

 

Paul's Derbycon 2014 talk - http://www.irongeek.com/i.php?page=videos/derbycon4/t319-bending-and-twisting-networks-paul-coggins

Hacking SNMP tips and tricks: http://securityreliks.securegossip.com/2011/04/hacking-snmp-in-a-few-simple-steps/

SNMPBlow: http://www.stoptheplague.com/?p=19

ERNW: https://www.ernw.de/research-community/index.html

Fx paper on Lawful Intercept: http://phenoelit.org/stuff/CSLI.pdf

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Learning about SNMP, and microinterview with Kevin Johnson

Oct 26, 2014 41:20

Description:

In an effort to educate ourselves for an upcoming interview, we sat down and talked about SNMP (Simple Network Management Protocol). We get into the basics, the ins and outs of the protocol, the different tools that use (or exploit) SNMP, and we talk about how to better secure your SNMP implementation. YOu should listen to this, because next week's interview will knock your socks off. :)

Finally, We end with a DerbyCon interview Mr. Boettcher snagged with our friend Mr. Kevin Johnson about how we need to regulate ourselves with regard to a code of ethics, before someone regulates us... When one 'white hat' can run code on a server he/she doesn't control (unpatched Shellshock) and thinks it's okay, where do we draw the line from what is right, and what violates the CFAA? Mr. Johnson looks for an answer with our Mr. Boettcher. 

Wikipedia SNMP article:http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

SNMP Primer: http://www.tcpipguide.com/free/t_SNMPProtocolOverviewHistoryandGeneralConcepts.htm

SNMP OIDS and MIBS: http://kb.paessler.com/en/topic/653-how-do-snmp-mibs-and-oids-work

SNMP vulnserabilities - http://packetstormsecurity.com/search/?q=snmp

SNMP Primer (IBM):http://pic.dhe.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=%2Fcom.ibm.ztpf-ztpfdf.doc_put.cur%2Fgtpc1%2Fpdus.html

SNMP amplification attacks: http://www.pcworld.com/article/2159060/ddos-attacks-using-snmp-amplification-on-the-rise.html

Securing SNMPv3: http://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051

 

 

 

Kevin Johnson/James Jardine DerbyCon Talk: http://www.irongeek.com/i.php?page=videos/derbycon4/t308-ethical-control-ethics-and-privacy-in-a-target-rich-environment-kevin-johnson-and-james-jardine

 

 

 Image courtesy of Wikipedia.de

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Keep Calm and take a tcpdump! :)

Oct 20, 2014 38:20

Description:

Tcpdump is just one of the tools that will make troubleshooting network issues, or testing applications, or even finding out what traffic is being generated on a host all that much easier.  This podcast is to help you understand the Tcpdump program, and how powerful it is...

 

http://danielmiessler.com/study/tcpdump/

http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/

http://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/

http://www.amazon.com/TCP-Illustrated-Vol-Addison-Wesley-Professional/dp/0201633469

http://www.computerhope.com/unix/tcpdump.htm

http://www.commandlinefu.com/commands/using/tcpdump  -- excellent examples

http://www.amazon.com/Practical-Packet-Analysis-Wireshark-Real-World/dp/1593272669/

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Part 2 with Jarrod Frates - how pentesting is important

Oct 13, 2014 31:37

Description:

Part 2 of our interview with Jarrod Frates (FRAY-tes). We ask him about the value that a pentest can create, the way that that 'perfect' pentest can change culture and help create dialogue.

Also, we talk about how to take your automated testing info and then shift gears to manual testing... when to stop doing automated testing, and do the manual testing.

Hope you enjoy, have a great week!

 

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

DerbyCon report and Shellshock news

Oct 6, 2014 40:57

Description:

We went a little off the beaten path this week. I wanted to talk to Mr. Boettcher about his experience at DerbyCon, and we ended up having another friend of ours who also attended DerbyCon, Jarrod Frates, join us for a bit of discussion. We discussed several talks, and even spent a little bit of time talking about ShellShock and it's larger implications for those programs that are ubiquitous, yet are not being audited, like bash.  (The llama graphic will make more sense next week...) :)

http://www.irongeek.com/i.php?page=videos/derbycon4/t109-et-tu-kerberos-christopher-campbell

http://www.irongeek.com/i.php?page=videos/derbycon4/t217-hacking-mainframes-vulnerabilities-in-applications-exposed-over-tn3270-dominic-white

http://www.irongeek.com/i.php?page=videos/derbycon4/t210-around-the-world-in-80-cons-jayson-e-street

http://www.irongeek.com/i.php?page=videos/derbycon4/t216-once-upon-a-time-infosec-history-101-jack-daniel

http://askubuntu.com/questions/529511/explanation-of-the-command-to-check-shellshock

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Marcus J. Carey Interview Part 2 - China, IP, coming cyber war

Sep 29, 2014 47:08

Description:

We finished up our odyssey with Marcus J. Carey this week.  We picked his brain about how he feel about China, the coming cyberwar, and what kinds of tools he uses in his toolbox (hint: he doesn't use Kali).

We also talk a bit about the entitlement of people, and what makes folks in poorer countries turn to hacking. We really enjoyed hearing his take on certifications and education. He's a Ruby nut, but suggests that people learn Python. He also talks about how he teaches people about security. The little everyday things that show you do security.

A thought provoking interview that will definitely inspire you to pour yourself into a Python book, or to grab a Raspberry Pi and start learning.

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Video: Using GPG and PGP

Sep 28, 2014 20:26

Description:

This month, I wanted to go over a piece of software that seems to give a lot of people problems. In business, there is always a need for sending secure communications, whether because a client asked for it, or because sending sensitive information unencrypted could result in loss of profit, competitve edge, reputation, or all of the above.

 

This month's tutorial is on setting up PGP or GPG to be able to be more secure when sending emails. I show you commands that allow you to create public/private key pairs, and also discuss the software to be used on either Windows, Linux, and Mac OS.I mentioned signing and encrypting email attachments, and also explain that your headers are still unencrypted, so email metadata tracking is still possible.

 

Brakeing Security Podcast on PGP/GPG: http://brakeingsecurity.com/pgp-and-gpg-protect-your-data

Windows GPG solution: http://www.gpg4win.org

Mac GPG solution: https://gpgtools.org/

Kali/Linux RNG daemon instructions:

1. apt-get install rngd

2. rngd -r /dev/urandom (should make PGP creation on Kali much faster)

 

Marcus J. Carey, FireDrillMe, and the Rockstars of Infosec

Sep 22, 2014 35:42

Description:

Marcus J. Carey, a security research and software developer came on to talk to us about FireDrill.me, a tool used to help people work out their Incident Response muscles.  He is also the creator of threatagent.com.

Marcus is well known in Security circles, and after we talked to him about FireDrill and ThreatAgent, we got his opinion of other subjects that interested us in the Infosec industry. Marcus is a man of his own mind, and he certainly did not disappoint. Hope you enjoy Part 1 of our conversation with him.

We also asked him about the celebrity that many in the industry face, and how it should be handled by people in the industry.

HoneyDocs - http://www.pcworld.com/article/2048881/honeydocs-lays-irresistible-bait-for-hackers.html

Malcolm Gladwell - http://en.wikipedia.org/wiki/Malcolm_Gladwell

http://www.firedrill.me

http://www.threatagent.com

 

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Mr. Boettcher interviewed Ed Skoudis!

Sep 15, 2014 44:03

Description:

While I'm stuck at work, Mr. Boettcher went to the Austin Hackformers and snagged an interview with Mr. Ed Skoudis, of InGuardians and of the SANS Institute, a top flight training academy.  He is to be one of the keynote speakers at DerbyCon this year. He gives us a peek about his keynote, and Mr. Boettcher asks his thoughts on the industry as a whole, SCADA security, Mr. Skoudis' opinion on Infosec as a whole.

 

Hackformers Austin: http://www.hackformers.org/

Ed Skoudis bio: http://www.sans.org/instructors/ed-skoudis

 

Bad Guys are Winning - Part 1: link

Bad Guys are Winning - Part 2: link

Bad Guys are Winning - Part 3: link

Bad Guys are Winning - Part 4: link

Bad Guys are Winning - Part 5: link

Netwars: Cybercity - http://www.sans.org/netwars/cybercity

Google Car: http://www.nbcbayarea.com/news/local/Google-to-Test-Self-Driving-Car-Without-Backup-Driver-275033691.html

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Malware, Threat Intelligence, and Blue Team talks at cons -- with Michael Gough Pt.2

Sep 8, 2014 36:27

Description:

We're back with part 2 of our discussion with Michael Gough.  Not only do we discuss more about malware, but we also ask Michael's opinion on how commercialized conventions like Black Hat and Defcon have gotten, how good threat intelligence feeds are, and why there aren't more defensive talks at cons.

Michael is currently slated to give a talk on logging at DerbyCon September 24th, 2014 on how logging can help to mitigate malware infections.

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Malware, and Malware Sentinel -- with Michael Gough Pt.1

Sep 1, 2014 36:50

Description:

Brian and I managed to get an interview with Michael Gough. If you remember, Michael was on to discuss Malware infections back in February, and we decided it was time to check up on him and his newly named 'Malware Sentinel'. This is part 1, where we discuss some of the recent malware infections, and where you need to look for new file creation, and what you can be looking for in your windows logs that are excellent indicators of malware compromise.

 

Windows logging cheat sheet - http://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1.1.pdf

 

Malware Management Framework - http://sniperforensicstoolkit.squarespace.com/malwaremanagementframework

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Reconnaissance: Finding necessary info during a pentest

Aug 25, 2014 48:36

Description:

I had a healthy debate with Mr. Boettcher this week about the merits of doing recon for a pentest. Mr. Boettcher is a heavy duty proponent of it, and I see it as a necessary evil, but not one that I consider important.  We hash it out, and find some common ground this week.

People search links:

Spokeo - http://www.spokeo.com/

Pipl - https://pipl.com/

 

Sec Filings site: http://www.sec.gov/edgar/searchedgar/webusers.htm

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Mr. Boettcher made a thing! Setting up a proper Debian install!

Aug 23, 2014 19:07

Description:

Mr. Boettcher made a thing!  He created a video that highlights how to install Linux securely in a VM.  His next video will be how to setup OWASP's WebGoat to test for vulnerable web apps.  He noticed that documentation is a bit sparse, and often contradictory, so he wanted to help other folks who are having issues to get a proper install.

 

You will need an Network Install ISO of Debian, and you will need either VMware Player or Workstation.

His notes are below... Enjoy!

Secure the Goat #1 - Goat Pen

Create a directory where you will put the VM.  We'll call it 'goat'.
Download the Debian Network Install ISO and place it in the 'goat' directory.

Create a 'share' directory inside the goat directory
Place a (test) file in the share directory
In VMware Worstation create a new vm using a Debian ISO and run install

Update the sudoers file
$ su - root
$ update-alternatives --config editor
    change to vim.tiny by pressing 2 and enter
$ visudo -f /etc/sudoers
    copy the root line and add one for goat user

In order to install vmware tools, we'll need to install these packages
$ sudo apt-get install gcc linux-headers-$(uname -r) make

For the vmware tools install to work properly, these simlinks are required
$ cd /lib/modules/$(uname -r)/build/include/linux
$ sudo ln -s ../generated/utsrelease.h
$ sudo ln -s ../generated/autoconf.h

Insert vmware tools virtual CD
In the workstation menu select vm -> install vmware tools
$ tar -C /tmp/ -zxvf /media/cdrom/VMwarTools...
$ sudo /tmp/VMwareTools.../vmware-install.pl

Show desktop icons
$ gsettings set org.gnome.desktop.background show-desktop-icons true

change resolution in menu at top:
    applications/system tools/preferences/system settings/ then 'displays'

in Workstation under vm/settings, set virtual machine shared folder

remove ISO file, take snapshot

Ratproxy and on being a better Infosec Professional

Aug 18, 2014 37:15

Description:

This week, we go into a proxy program called "Ratproxy", discussed it's ins and outs.  Plus, Mr. Boettcher and I have a discussion about how we as infosec people should work with developers and IT professionals to provide them training and understanding of security concepts.

https://code.google.com/p/ratproxy/

http://blog.secureideas.com/2012/07/how-to-setup-ratproxy-on-windows.html

 

 

 

 

Ratproxy icon courtesy of honeytech and flicker

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Introduction to Nmap, Part 2

Aug 11, 2014 19:13

Description:

Here is Part 2 of our video for understanding the basics of Nmap.  I discuss some of the logging output, the scripts found in Nmap, and the output that Nmap gives you for reporting or comparison later.

 

I really did want to go more into the Lua portion of the scripting engine, and perhaps make a simple script, but time constraints halted that. I hope to get more adept at video creation and hopefully editing, to make a more concise video tutorial.

Nmap target specifications: http://nmap.org/book/man-target-specification.html

 

http://nmap.org/book/nse-usage.html

 

Explanation of all Nmap scripts: http://nmap.org/nsedoc/

 

nmap icon courtesy of insecure.org

Risk Management discussion with Josh Sokol - Part 2

Aug 10, 2014 32:58

Description:

This week we take some time to talk about risk management with Josh Sokol.  This is part 2 from our interview with him last week... We talk some more about Simple Risk from the POV of Risk Management, as well as the licensing/modification of Simple Risk.

Mr. Boettcher and Josh discuss the merits of Qualitative vs. Quantitative Risk Analysis, and which one is better...

We also discuss NIST 800 series guidelines, and how he used those to excellent effect in Simple Risk.

Josh also discusses OWASP, how the advocacy and outreach works and how flexible the organization is.

NIST 800 Series docs - http://csrc.nist.gov/publications/PubsSPs.html

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Interview with creator of Simple Risk, Josh Sokol! (Part 1)

Aug 4, 2014 27:46

Description:

Josh Sokol is on the International OWASP board of directors in addition to being the Information Security Program Owner at National Instruments in Austin, Texas. This week, he sat down with Brakeing Down Security to talk about Simple Risk, his homebrew application that assists people and organizations in managing their business risk, and at a much nicer cost that other GRC applications (it's free!) Check out Part 1 below. If you're at BlackHat 2014 this year, he will be showcasing it at Arsenal! 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Flashback: Sqlmap - a little how-to, and getting your developers involved in using it.

Jul 28, 2014 45:09

Description:

This is a flashback from July 2015. 

Mr. Boettcher and I discussed SQLMAP, a tool that can automate the process of pentesting databases and even registries on Windows.  We discuss some functions of the program and why developers should get training on these.

Mr. Boettcher and I talk about how Infosec professionals should help to educate QA and Developers to be able to look at their processes and incorporate security testing, using tools like sqlmap in the Software lifecycle.

 

SQLMAP links

SQLMAP Wiki and more detailed documentation - https://github.com/sqlmapproject/sqlmap/wiki

http://sqlmap.org/

https://github.com/sqlmapproject/sqlmap

http://hackertarget.com/sqlmap-tutorial/

https://www.owasp.org/index.php/Automated_Audit_using_SQLMap

http://www.binarytides.com/sqlmap-hacking-tutorial/

http://blog.spiderlabs.com/2013/12/sqlmap-tricks-for-advanced-sql-injection.html

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Part 2 with Georgia Weidman!

Jul 21, 2014 46:04

Description:

It only gets better in Part 2 of our Interview with Georgia Weidman, Author, Security Researcher and Creator of the Smartphone Pentesting Framework.

 

She talks about how people underestimate the mobile platform for pentesting purposes, and we even find out that in addition to Teaching a class on exploit development at BlackHat this year, she's going to be helping a great organization overseas.

We also got her talking about some do's and don'ts of pentesting! ;)

Please enjoy!

 

Georgia's book on No Starch: http://www.nostarch.com/pentesting

on Amazon.com: http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641 (non-sponsored link)

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Nmap (pt1)

Jul 14, 2014 17:05

Description:

So, I uploaded this little tutorial of nmap, a very nice tool I use on a regular basis, both at home and at work.

I did some basic scans, showed off the command line and the Windows 'Zenmap' version, as well as discussed some regularly used switches.

The next video I do about nmap will discuss more switches, the Nmap Scripting Engine (NSE), and how to format reports and the output nmap provides.

 

 

Nmap icon courtesy of livehacking.com

Part 1 with Author and Mobile Security Researcher Georgia Weidman!

Jul 14, 2014 42:11

Description:

We have a real treat the next two weeks.  Author and Mobile Security Researcher Georgia Weidman, who we also found out will be providing exploit development training at Black Hat this year.

She is the author of an awesome book "Penetration Testing: A Hands-On Introduction to Hacking" (http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641/ref=sr_1_1?ie=UTF8&qid=1405304124&sr=8-1&keywords=georgia+weidman)

She sat down with us over Skype and gave a nice talk about where she came from,  and why she wrote the book, and even what she's about to do in the future (that's next week) ;) You'll have to listen next week to find out the awesome trip she's about to take.

http://www.bulbsecurity.com/

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Establishing your Information Security Program - Part 2

Jul 7, 2014 26:57

Description:

This is the continuation of our podcast from last week with Phil Beyer.

We started out talking about risk registers, and we end the podcast with a little Q&A about positions in companies (Chief Risk Officer, Chief Data Protection Officer), and whether these positions are useful.

 

 Risk registers - http://en.wikipedia.org/wiki/Risk_register

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Choose your adventure!

Jul 4, 2014

Description:

Hello valued Listener! I want to do another video, and I thought that you might want to decide which one piece of software I highlight. So here are three options:

1. Nikto
2. Nmap
3. OpenVAS

You can send me your choice to my twitter (@bryanbrake) or to my gmail account (bds.podcast@gmail.com).

I will be taking input until 0000 UTC on Sunday July 6th (1800 Saturday 5 July US/Eastern). You can only vote once.

Establishing your Information Security Program - Part 1

Jun 30, 2014 28:41

Description:

Establishing an Information Security program can make or break an organization. So what do you need to get that started? 

We have friend of the show Phil Beyer come in and discuss with us the five steps of the creation of an Information Security Program.  Join us for Part 1, and next week, we'll finish up with a little Q&A, as well as what a 'risk register' is.

 

 

 

 

 

 

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

OWASP Top Ten: 1-5

Jun 23, 2014 49:49

Description:

We finished up the OWASP Top Ten List. We discussed Injection, XSS, and other goodness.  Find out what makes the Top 5 so special.

 

 

 

http://risky.biz/fss_idiots  - Risky Business Interview concerning Direct Object Reference and First State Superannuation

http://oauth.net/2/ - Great information on OAUTH 2.0.

 

 

 

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

OWASP Top Ten: Numbers 6 - 10

Jun 17, 2014 45:18

Description:

As we wade through the morass of the Infosec swamp, we come across the OWASP 2013 report of web app vulnerabilities. Since Mr. Boettcher and I find ourselves often attempting to explain these kinds of issues to people on the Internet and in our daily lives, we thought it would be prudent to help shed some light on these.

So this week, we discuss the lower of the top 10, the ones that aren't as glamorous or as earth shaking as XSS or SQLI, but are gotchas that will bite thine ass just as hard.

Next week is the big ones, the Top 5... all your favorites, in one place!

 

OWASP Top 10 (2013) PDF:  http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

Costs of finding web defects early (2008): http://www.informit.com/articles/article.aspx?p=1193473&seqNum=6

 

 

 

 

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

 

Talk with Guillaume Ross - Part 2 (all things cloud)

Jun 9, 2014 36:41

Description:

This is part 2 of our podcast interview with Guillaume Ross, Infosec professional who is well versed with the intricacies of various cloud architectures, whether they are IaaS, PaaS, or SaaS.  This part of the podcast discussed how contracts are established, and we ask if smaller cloud providers have a chance against behemoths like Google, Amazon, and Microsoft.

 

Links brought up during the interview:

 

Rich Mogull's $500 Epic fail - https://securosis.com/blog/my-500-cloud-security-screwup

Rich Mogull's write up on how the aftermath and investigation - https://securosis.com/tag/cloud+security

 

Amazon VPC: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html

Azure Endpoints (how-to): http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/?rnd=1

 

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

It all goes in "the cloud" (Part 1)

Jun 1, 2014 36:24

Description:

Brian and I interviewed Mr. Guillaume Ross (@gepeto42), an Information Security professional who helps organizations get themselves situated into cloud based solutions. We get a better understanding of why people would want to put their info into the 'cloud' and how they are different than traditional co-lo and datacenters.

 

Guillaume's Blog: http://blog.binaryfactory.ca/

 

AWS (amazon) Security Best Practices WhitePaper: http://aws.amazon.com/whitepapers/aws-security-best-practices/

Amazon EC2 FAQ: http://aws.amazon.com/ec2/faqs/

Microsoft's Azure FAQ:http://azure.microsoft.com/en-us/support/faq/?rnd=1

 

 

"cloud computing icon" courtesy of smartdatacollective.com

 

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Video 2: BONUS!!!! Kismet Video!

May 27, 2014 14:13

Description:

As promised, I am posting a video I made explaining how to setup Kismet to do wireless scans.

The only pre-requisites you need are Vmware (it will work the same in VirtualBox), and a VM of Kali linux. The only real difference is the message that asks where the wireless adapter should connect to.

It's my first attempt editing a video, so please be kind

Wireless scans with Kismet and Aircrack-ng

May 27, 2014 40:46

Description:

Mr. Boettcher and I had a great time this week.  We talked all about doing wireless audits for PCI using Kismet and Aircrack-ng, and talked about some capabilities of both.

 

Alfa AWUS051NH (works in Kali/Backtrack) (no sponsor link): http://www.amazon.com/gp/offer-listing/B002BFO490/ref=dp_olp_0?ie=UTF8&condition=all

kismetwireless.net

 Using Karma with a pineapple to fool clients into connecting unencrypted: http://www.troyhunt.com/2013/04/your-mac-iphone-or-ipad-may-have-left.html

Tutorial on hacking various wireless: http://cecs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm

 

Premium content by Bryan! I made a video as well that describes using your wireless dongle to make your Kali Linux into a powerful areal wireless sniffer.  http://brakeingsecurity.com/bonus-kismet-video

 

 

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

PGP and GPG -- protect your data

May 19, 2014 41:27

Description:

Sharing information between people and organizations can be a sensitive issue, especially if the information being shared is of mutual importance. 

This week, we break down PGP and it's open source cousin GPG.  We discuss how last week's podcast about hashing, encoding, and encryption are all bundled up neatly with PGP, and give you some examples of software you can use on Mac, Windows, and Linux.

 

GPG4Win - http://www.gpg4win.org/

GPG Suite (Mac OS) - https://gpgtools.org/

public PGP key server - pgp.mit.edu

NoStarch Press book: http://www.nostarch.com/pgp.htm

gpg commandline tutorial - http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg-cs.html

 

Icon courtesy of NoStarch Press

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

clearing up some terminology (hashing, encryption, encoding)

May 13, 2014 33:45

Description:

Ever heard someone mention AES Encoding, or MD5 Encryption?

 

Many people in IT, Infosec, and Software development get confused about what Hashing, Encrypting, and Encoding.  We hack through the definition forest, looking for that Sequoia of understanding.

We also talk about Symantec's remarks that 'Antivirus is dead' and 'not a moneymaker', and what that means to the industy as a whole.

 

"Enkrypto" is the program I mentioned in the podcast.  It would appear that either s/he fixed it.  Still shouldn't be using an 'encoding' method to store SMS if they are of a sensitive nature... The screen shots still clearly show a Base64 encoded SMS, and still show it as a 'secured' message. :( plus, with a the option to allow an encrypted PIN with 4 characters, it would be trivial to crack even an AES encrypted message

Do not buy this app...

https://play.google.com/store/apps/details?id=org.enkrypto.sms

 

 

icon courtesy of http://www.differencebetween.info Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

 

Browsing more Securely

May 5, 2014 40:01

Description:

This week, we find ways to increase security when browsing the EWW (Evil Wide Web).

We give a shout-out to WhiteHatSec's Aviator browser as a way for everyone to have an eleveated security posture with very little configuration required. And Mr. Boettcher and I talk about some of the plugins we use to make ourselves more secure.

And Mr. Boettcher surprises me with his proclivities toward farmyard animals.

 

Aviator Browser: https://www.whitehatsec.com/aviator/

Sandboxie: http://www.sandboxie.com/

Browser plugins:

Firefox --- Request Policy: https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/

Google --- Notscript: http://www.dedoimedo.com/computers/google-chrome-notscript.html

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Mandiant 2014 threat report

Apr 28, 2014 46:32

Description:

Mandiant put out their 2014 Threat Report, and we got into all the meaty goodness.  From the Syrian Electronic Army, Iran, and China's APT1 and APT12.

Find out if the bad guys are getting smarter, or if we are just making it easier for them? Have a listen and find out.

 

 

Mandiant 2014 report (registration required):  http://connect.mandiant.com/m-trends_2014

 

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Episode 13 - 2014 Verizon PCI Report

Apr 21, 2014 41:03

Description:

Since 2006, Verizon has put out their yearly PCI report.  We break it down, and discuss the merits of the report.

 

2014 Verizon Report: www.verizonenterprise.com/resources/reports/rp_pci-report-2014_en_xg.pdf

 

 

 

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Episode 12, Part 2 of our interview with Phil Beyer!

Apr 15, 2014 29:06

Description:

This is Part 2 of our interview with Phil Beyer.  We asked him about the difference between mentoring and coaching, and we end the podcast talking about influence, the types of influence and ways to gain influence.

 

 

 

 

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Special Report: Heartbleednado-apoco-geddon

Apr 14, 2014 24:20

Description:

Whois for heartbleed was registered 5 April 2014 by Marko Laasko:

 

Whois Server Version 2.0 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: HEARTBLEED.COM
Registry Domain ID: 1853534635_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-04-05 15:13:33
Creation Date: 2014-04-05 15:13:33
Registrar Registration Expiration Date: 2015-04-05 15:13:33
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: email@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Marko Laakso
Registrant Organization: Codenomicon Oy
Registrant Street: Tutkijantie 4E
Registrant City: Oulu
Registrant State/Province: Oulu
Registrant Postal Code: 90590
Registrant Country: Finland
Registrant Phone: +358.451302656
Registrant Phone Ext:
Registrant Fax: +358.3588340141
Registrant Fax Ext:
Registrant Email: email@codenomicon.com
Registry Admin ID:
Admin Name: Marko Laakso
Admin Organization: Codenomicon Oy
Admin Street: Tutkijantie 4E
Admin City: Oulu
Admin State/Province: Oulu
Admin Postal Code: 90590
Admin Country: Finland
Admin Phone: +358.451302656
Admin Phone Ext:
Admin Fax: +358.3588340141
Admin Fax Ext:
Admin Email: email@codenomicon.com
Registry Tech ID:
Tech Name: Marko Laakso
Tech Organization: Codenomicon Oy
Tech Street: Tutkijantie 4E
Tech City: Oulu
Tech State/Province: Oulu
Tech Postal Code: 90590
Tech Country: Finland
Tech Phone: +358.451302656
Tech Phone Ext:
Tech Fax: +358.3588340141
Tech Fax Ext:
Tech Email: email@codenomicon.com
Name Server: NS-697.AWSDNS-23.NET
Name Server: NS-1338.AWSDNS-39.ORG
Name Server: NS-1621.AWSDNS-10.CO.UK
Name Server: NS-473.AWSDNS-59.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-04-13T12:00:00Z


NSA exploting HeartBleed for years:  http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

RFC6520 - TLS Heartbeat (co-authored by the the guy Robin Seggelmann) https://tools.ietf.org/html/rfc6520

 

Slashdot article: http://it.slashdot.org/story/14/04/10/2235225/heartbleed-coder-bug-in-openssl-was-an-honest-mistake

 

OpenBSD's Theo De Raadt having a rant about OpenSSL: http://it.slashdot.org/story/14/04/10/1343236/theo-de-raadts-small-rant-on-openssl

 

OpenSSL's malloc issues: http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse and http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf

Custom Snort rules to detect HeartBleed: http://blog.snort.org/2014/04/sourcefire-vrt-certified-snort-rules_10.html

 

 

Intro/Outro Music:

"All This" Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

 

Episode 11, Part 1: Interview with Phil Beyer

Apr 7, 2014 38:15

Description:

This week, we're leaving the Infosec track a bit, but this interview may be more important to being a person's development as a good Infosec person.

We interviewed Mr. Phil Beyer, Director of Information Security for the Advisory Board Company.  In addition to being a past president of the Capitol of Texas ISSA Chapter, he co-founded the Texas CISO Council, a regional steering committee composed of security leaders from private industry and the public sector.

He recently gave a talk at Bsides Austin about leadership, and how anyone can be a leader of men. It was very inspiring and something Mr. Boettcher and I thought would be interesting for people in any line of work, not just infosec would benefit from.  If you would like to hear his Bsides Austin talk, we have an exclusive audio copy of the talk, which you can find with his slideshare link here: Brakeingsecurity.com

Please leave feedback if you like this, or please feel free to re-tweet/share this elsewhere.

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Video1: quick renaming shortcut with Sed

Apr 4, 2014 06:31

Description:

I take a few minutes to explain a quick mass renaming shortcut using sed I use when I have multiple files that I need to rename.  I used the example of spaces in filenames, but you can use this to append a name to multiple files.

Another way to easily change files is to use the 'tr' command. You can change a filename from all lowercase to all uppercase letters, or even remove non-printable characters from filenames.

 

Take a look, please leave feedback.  I know there are other ways using awk, perl, and others.  This is just another way to do it.

Phil Beyer's talk at Bsides Austin

Apr 1, 2014 51:16

Description:

We are pleased to be the only podcast to have audio of the talk Phil Beyer gave at Bsides Austin!  It is a very informative talk about leadership, not just in Information Security, but how to be a leader in any field you do.

 

Breaking Down Security will also carry a 2 part interview with Phil. The first will post on the 6th of April, and the 2nd part will be on the 13th of April.

Phil uploaded the slides of this presentation at Bsides Austin at http://www.slideshare.net/pjbeyer/choose-to-lead.

Brakeing Down Security would like to thank Phil Beyer for his time and generosity.

Episode 10: IDS/IPS

Mar 31, 2014 36:26

Description:

We discuss IDS and IPS, why they are needed, and why they get a pass on how easily they are bypassed, and why AV gets all the press...

 

 

 

 

 

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

 

 

 

Episode 9: Framework for Improving Critical Infrastructure Cybersecurity

Mar 24, 2014 33:59

Description:

This week, we got into some discussion about frameworks, and the different types of frameworks available (regulatory, "best practice", and process improvement)

We also looked at the new "Framework for Improving Critical Infrastructure Cybersecurity" ratified and released last month.

Does it meet with our high expectations? You'll just have to listen and find out.

 

http://www.nist.gov/cyberframework/

 

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Episode 8: Why a simple password is not so simple...

Mar 18, 2014 43:18

Description:

Cracking great show this week!  Mr. Boettcher and I got all into authentications methods, why they don't always work, and what can we do to make passwords more secure, using Mike Murray's method of 'Passphrases' over passwords...

 

Finally, we talked about some adventure Mr. boettcher had with a friend's malware infection (it wasn't me, I promise!).  He took what we learned from @hackerhurricane (Michael Gough) and is actively doing forensics on it.

 

 

http://daleswanson.org/things/password.htm

Malware, Rootkits & Botnets A Beginner's Guide by Christopher Elisan

 

 

 

 

 

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Episode 7, Part 2 with Kevin Johnson from SecureIdeas!

Mar 9, 2014 51:30

Description:

This is the Part 2 of our Interview with Kevin Johnson.  During our interview, we followed him down the rabbit hole.  We learned how to default rulesets in ANY rules based hardware solution sucks.  We learned that being a security professional is more than just a fancy title.  And finally, we learned that Kevin is a huge fan of Star Wars.

 

DB Visualizer --  http://www.dbvis.com/

 

Good article on how homomorphic encryption works:

http://www.americanscientist.org/issues/pub/2012/5/alice-and-bob-in-cipherspace

 

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

A thought experiment...

Mar 8, 2014

Description:

I was on LinkedIn this morning and came across this link in the 'Pentesting' group, one of the many groups I have joined there.

It's a series of case studies with a scenario and some questions to be answered in a 5,000 word essay format.

http://resources.infosecinstitute.com/computer-forensics-investigation-case-study/

I thought that in the coming episodes of Brakeing Down Security, it might be interesting to spend a little time breaking down one of these case studies, analyze all the info provided, and give our ideas on how we might go about solving the issue or mitigating what has occurred. Then, we could turn our rabid fans loose on the problem and see if we missed anything, or if someone comes up with a better response (highly likely, as we have many intelligent listeners)

Look for this to happen in the next few weeks.

Episode 7, Part 1 - Kevin Johnson of SecureIdeas!

Mar 4, 2014 38:23

Description:

During our SEC542, GIAC Web App Pentesting course, we got the pleasure and honor of sitting down with Kevin Johnson from SecureIdeas on who he is, how Samurai WTF came into being, and why we should be doing licensing for proper ethcial hackers.

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Episode 6 - Malware Interview with Michael Gough (Part 2)

Feb 24, 2014 45:20

Description:

This is part 2 of our Interview with Malware researcher Michael Gough.  We talk about mobile device malware, and how the Sniper Forensic Toolkit, differs from Tripwire.

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

"Infectedpc_primary.jpg is from bugsrepair.com

Moon Pcap

Feb 20, 2014

Description:

I thought I'd try something a little different. I usually use the blogger.com to talk, but I didn't see a reason to waste all this excellent space, so I'll put my post here.

 

Last night on Twitter, someone had posted a pcap file of the MOON self-replicating malware running through many newer brands of Linksys router.  So I thought I would post the pcap file here for all you packet weasels to enjoy.

Also, we will be posting our Part 2 of Michael Gough, an Austin-based Malware researcher, who enjoys getting an infection for a living.

moon.pcap: http://bit.ly/1eRpvaw (redirects to google drive)

MD5:8138d3c4eb132269135ae174f703d0fb

SHA256:ed65982d9c6e7c4a1a95220af6817e4fa15662ddfd6647c55858dbc79d2bfe80

 

Episode 6 - Malware Interview Michael Gough (Part 1)

Feb 17, 2014 41:58

Description:

This week, we are excited to have Michael Gough, a local malware researcher from Mi2Security on with us to talk about types of malware, infection vectors, some of the tools that users have available to them to detect and prevent malware.  We also discuss who gains from malware infections, the 'bad guys', and even the AV/Malware detection companies.  We also talk about how his software program "Sniper Forensic Toolkit" would detect malware.

 

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Episode 5 - Interview with Frank Kim

Feb 10, 2014 19:18

Description:

This week, we interviewed Frank Kim, an instructor from SANS, talks about developers methods, the challenges of getting developers to code securely, and the efforts to create a culture of secure coding.

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Episode 4: Origin stories, and talking about reconnaissance

Feb 3, 2014 33:24

Description:

All superheroes have an origin story, Brian and I are not super, but we have a great origin story.  This week's podcast is about how we made it into the Infosec industry, and we also discuss the value of research from an OS point of view.  We also talk about mentoring and assistance for those looking to get into the InfoSec world.

Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Episode 3 - Alerts, Events, and a bit of incident response

Jan 27, 2014 33:24

Description:

In this issue, we talked about upcoming podcasts with Michael Gough from MI2 Security discussing malware, and this week we get into everything about alerts, why they are important, types of alerts, levels that can occur, and even a bit of incident response in handling alerts.

Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Episode 2 -- Feeling Vulnerable? - Vulnerability scanners - Go Exploit Yourself

Jan 20, 2014 40:45

Description:

This week Bryan and Brian talk about the uses, and sometimes pitfalls, of vulnerability scanners.

Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Episode 1: Kicking some Hash!

Jan 15, 2014 39:55

Description:

In this inaugural episode, Bryan and Brian discuss the history of hashes, how hashes are used and how to make them more secure.

Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/