Bryan Brake - CISSP | Information Security | Vuln Management

Brakeing Down Security Podcast

Brakeing Down Security Podcast

Description

A podcast all about the world of Security, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.

Categories

Technology

Episodes

2019-039-bluekeep_weaponized-npm_security_cracks-grrcon_report

Nov 4, 2019 53:42

Description:

Grrcon update

 

2019-039-  bluekeep Weaponized… and more

 

Bluekeep weaponized

https://www.bleepingcomputer.com/news/security/bluekeep-remote-code-execution-bug-in-rdp-exploited-en-masse/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/ 

 

https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining

 

NordVPN hacked: https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/

 

Null sessions and how to avoid them:
https://www.dummies.com/programming/networking/null-session-attacks-and-how-to-avoid-them/

https://social.technet.microsoft.com/Forums/en-US/2acdfb53-edee-444e-9ffa-25dcebcd9181/smb-null-sessions

 

Linux has a marketing problem:

https://hackaday.com/2019/10/31/linuxs-marketing-problem/

 

20 accounts could pwn majority of NPM

 

https://www.zdnet.com/article/hacking-20-high-profile-dev-accounts-could-compromise-half-of-the-npm-ecosystem/ 

 

Chrome 0day

 

https://thehackernews.com/2019/11/chrome-zero-day-update.html

 

India Nuclear plant is hacked

https://arstechnica.com/information-technology/2019/10/indian-nuclear-power-company-confirms-north-korean-malware-attack/

 

High Tea Security Podcast: 

https://www.podcasts.com/high-tea-security-190182dc8

 

https://TAGNW.org - Bryan

Panel and talking about networking

 

Securewv.org - Training - https://www.eventbrite.com/e/security-dd-tickets-79219348203 

Bsides Fredericton - https://www.eventbrite.ca/e/security-bsides-fredericton-2019-tickets-59449704667 

 

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-038-Deveeshree_Nayak-risk_analysis, and OWASP WIA

Oct 30, 2019 01:16:55

Description:

OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE

https://www.owasp.org/index.php/Women_In_AppSec

OWASP Women in AppSec

Twitter: 2013_Nayak (reach and ask to be added)


https://www.tagnw.org/events/


Risk in Infosec

 

Risk - a situation which involves extreme danger and extensive amount of unrecovered loss

    What about risks that are positive in nature?  PMP calls them ‘opportunities’


Risk Analysis - systemic examination of the components and characteristics of risk

 

Analysis Steps - 

        Understanding and Assessment

            Understand there is a risk

            What if a company does not have security standards?

       

           

        Identification

            Identify and categorize risk - 

                Informational risk

                Network risk

                Hardware risk

                Software risk

                Environment risk?

 

https://en.wikipedia.org/wiki/Routine_activity_theory

 

            Scope of risk analysis?

            Threat modeling to find risks?

                https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling 

            SWOT (strength/weakness/opportunities/threats) analysis will discover risks?

            Risk analysis methodologies?

                https://www.project-risk-manager.com/blog/qualitative-risk-techniques/

                https://securityscorecard.com/blog/it-security-risk-assessment-methodology

https://en.wikipedia.org/wiki/Probabilistic_risk_assessment

 

https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration 

 

        Estimation

            Chance that risk will occur (once a decade, once a week)

            Design controls to remediate

 

        Implementation

            Risk assessment is a combined approach

            Combined approach for a risk analysis

                You mentioned a lot of people, what’s the scope?

                How do you do the risk assessment? Framework?

           

        Evaluation

            Evaluation approach

                Like an agile approach

            Provides an informed conclusion

            Report must be clear (no jargon)

        Decision Making

           

 

Examples to Reduce Risk

Training and education

    what kind of testing? Annual Security training?

 

Publishing policies

Agreement with organization

    BAA with 3rd parties

Timely testing - 

   

2019-038- Ethical dilemmas with offensive tools, powershell discussion with Lee Holmes - Part2

Oct 22, 2019 52:40

Description:

 

Derbycon9 talk - PowerShell Security Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s

 

Encarta - https://en.wikipedia.org/wiki/Encarta

 

Scott Hanselman’s twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409

 

Congrats on the black badge :)

 

I like that you bring up execution policies. That it was never created to become a security control

I started alerting on it anyway at least from non-admin devices

 

https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/ 

 

Want to learn Powershell? UnderTheWire wargame: https://underthewire.tech/

 

Jeffrey Snover “The Cultural battle to remove Windows from Windows Server”: https://www.youtube.com/watch?v=3Uvq38XOark

 

You talk about “why would anyone want to remove powershell” as it came as a standalone download and part of the windows sdk. - I was taught when I was just getting into tech, that I should fear powershell and didn’t realize how powerful it could be as an admin because of it.

 

Powershell slime trail

2019-037-Lee Holmes, Powershell logging, and why there's an 'execution bypass'

Oct 17, 2019 50:01

Description:

Derbycon9 talk - PowerShell Security Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s

 

Encarta - https://en.wikipedia.org/wiki/Encarta

 

Scott Hanselman’s twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409

 

Congrats on the black badge :)

 

I like that you bring up execution policies. That it was never created to become a security control

I started alerting on it anyway at least from non-admin devices

 

https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/ 

 

Want to learn Powershell? UnderTheWire wargame: https://underthewire.tech/

 

Jeffrey Snover “The Cultural battle to remove Windows from Windows Server”: https://www.youtube.com/watch?v=3Uvq38XOark

 

You talk about “why would anyone want to remove powershell” as it came as a standalone download and part of the windows sdk. - I was taught when I was just getting into tech, that I should fear powershell and didn’t realize how powerful it could be as an admin because of it.

 

Powershell slime trail

2019-036-RvrShell-graphql_defense-Part2

Oct 9, 2019 57:01

Description:

Secure Python course: 

https://brakesec.com/brakesecpythonclass 

PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing 

 

GraphQL High Level

https://graphql.org/

Designed to replace REST Arch

Allow you to make a large request, uses a query language

Released by FB in 2012

JSON 

 

Learn Enough to be dangerous

https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2

 

WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315

 

Vulns in the Wild

 

Abusing GraphQL 

 

OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html

 

Attack Techniques

https://www.apollographql.com/docs/apollo-server/data/data/

https://github.com/graphql/graphiql

 

Protecting GraphQL

 

https://github.com/maticzav/graphql-shield

 

Magento 2 (runs GraphQL), hard to update…

 

https://github.com/szski/shapeshifter - Matt’s tool on Shapeshifter

 

GraphQL implementations inside (ecosystem packages?)

 

Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)

Patreon supporters  (Josh P and David G)

Teepub: https://www.teepublic.com/user/bdspodcast

 

For Amanda next:

https://www.cybercareersummit.com/

& keynote @grrcon oct 24/25

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-035-Matt_szymanski-attack and defense of GraphQL-Part1

Oct 2, 2019 42:29

Description:




Derbycon Discussion (bring Matt in)

 

Python course: 

https://brakesec.com/brakesecpythonclass 



PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing 

 

GraphQL High Level

https://graphql.org/

Designed to replace REST Arch

Allow you to make a large request, uses a query language

Released by FB in 2012

JSON 

 

Learn Enough to be dangerous

https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2

 

WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315

 

Vulns in the Wild

 

Abusing GraphQL 

 

OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html



Attack Techniques

https://www.apollographql.com/docs/apollo-server/data/data/

https://github.com/graphql/graphiql



Protecting GraphQL

 

https://github.com/maticzav/graphql-shield

 

Magento 2 (runs GraphQL), hard to update…

 

https://github.com/szski/shapeshifter - Matt’s tool on Shapeshifter

 

GraphQL implementations inside (ecosystem packages?)

 

Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)

Patreon supporters  (Josh P and David G)

Teepub: https://www.teepublic.com/user/bdspodcast

 

For Amanda next:

https://www.cybercareersummit.com/

& keynote @grrcon oct 24/25

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-034- Tracy Maleeff, empathy as a service, derbycon discussion

Sep 22, 2019 01:23:46

Description:

Podcast Interview (Youtube): https://youtu.be/4tdJwBMh3ow

Tracy Maleeff (pronounced like may-leaf) - https://twitter.com/InfoSecSherpa

https://medium.com/@InfoSecSherpa

https://nuzzel.com/InfoSecSherpa 

 

 

Python secure coding class - November 2nd / 5 Saturdays @nxvl Teaching

https://www.eventbrite.com/e/secure-python-coding-with-nicolas-valcarcel-registration-72804597511

 

 

Derbycon Talk: https://www.youtube.com/watch?v=KILlp4KMIPA 

 

Plugs:

Nuzzel newsletter: https://nuzzel.com/infosecsherpa

OSINT-y Goodness blog: https://medium.com/@infosecsherpa 

 

Tomato pie: 

https://www.eater.com/2016/8/19/12525602/tomato-pie-philadelphia-new-jersey

 

Infosec is a service industry job (gasp!)

 

Customer service is an attitude, not department

 

Reference Interview:
https://en.wikipedia.org/wiki/Reference_interview


Approachability

    Does your org make it easy to contact you?

    What is your tone of writing?
    What does your outgoing communication look like?

    Reign in your attitude, language, etc…

 

“I am using an online translator” (great idea!)

What is your department’s reputation?

    Create an assessment of your department…

 

“I didn’t know there was humans in security?” --

       

Interest

    Be interested in solving the problem.

    Make interaction a ‘safe space’

        No judging, mocking

    LOL, “EE Cummings”

        https://poets.org/poem/amores-i

Listening

    Pay attention to what the end user doesn’t say.

    Don’t interrupt the end user

   

   

Interviewing

    Repeat back what the user said or asked

    Tone: Ask clarification questions, not accusatory questions

   

Searching

    Did security fail the user?

Answering

    Teachable moments

        Building trust/relationship equity

        “While you’re on the phone…”

    “Thank you for your time”

Follow-Up

    Think of ways to create a culture of security

    Create canned emails

    Random acts of kindness

        cyberCupcakes!!!! Or potentially small value gift cards(?)

    Kindness as currency

        Christmas cookies 

            Spreading goodwill

        building relationship equity

            Reciprocity 

        Lunch and learns

 

People can’t be educated into vaccinations, but behaviorial nudges help

    “Telling people facts won’t change behavior”

 

 

 

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-033-Part 2 of the Kubernetes security audit discussion (Jay Beale & Aaron Small)

Sep 16, 2019 44:26

Description:

 

Topics:

Infosec Campout report

 

Jay Beale (co-lead for audit) *Bust-a-Kube*  

Aaron Small (product mgr at GKE/Google)

 

Atreides Partners

Trail of Bits

 

What was the Audit? 

How did it come about? 

 

Who were the players?

    Kubernetes Working Group

        Aaron, Craig, Jay, Joel

    Outside vendors:

        Atredis: Josh, Nathan Keltner

        Trail of Bits: Stefan Edwards, Bobby Tonic , Dominik

    Kubernetes Project Leads/Devs

        Interviewed devs -- this was much of the info that went into the threat model

        Rapid Risk Assessments - let’s put the GitHub repository in the show notes

   

What did it produce?

    Vuln Report

    Threat Model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf

    White Papers

    https://github.com/kubernetes/community/tree/master/wg-security-audit/findings

 

    Discuss the results:

        Threat model findings

            Controls silently fail, leading to a false sense of security

                Pod Security Policies, Egress Network Rules

            Audit model isn’t strong enough for non-repudiation

                By default, API server doesn’t log user movements through system

            TLS Encryption weaknesses

                Most components accept cleartext HTTP

                Boot strapping to add Kubelets is particularly weak       

                Multiple components do not check certificates and/or use self-signed certs

                HTTPS isn’t enforced

                Certificates are long-lived, with no revocation capability

                Etcd doesn’t authenticate connections by default

            Controllers all Bundled together

                Confused Deputy: b/c lower priv controllers bundled in same binary as higher

            Secrets not encrypted at rest by default

            Etcd doesn’t have signatures on its write-ahead log

            DoS attack: you can set anti-affinity on your pods to get nothing else scheduled on their nodes

 

            Port 10255 has an unauthenticated HTTP server for status and health checking

 

        Vulns / Findings (not complete list, but interesting)

            Hostpath pod security policy bypass via persistent volumes

            TOCTOU when moving PID to manager’s group

            Improperly patched directory traversal in kubectl cp

            Bearer tokens revealed in logs

            Lots of MitM risk:

            SSH not checking fingerprints: InsecureIgnoreHostKey

            gRPC transport seems all set to WithInsecure()

HTTPS connections not checking certs 

            Some HTTPS connections are unauthenticated

            Output encoding on JSON construction

                This might lead to further work, as JSON can get written to logs that may be consumed elsewhere.

            Non-constant time check on passwords

Lack of re-use / library-ification of code

 

    Who will use these findings and how? Devs, google, bad guys? 

    Any new audit tools created from this? 

 

Brad geesaman “Hacking and Hardening Kubernetes Clusters by Example [I] - Brad Geesaman, Symantec   https://www.youtube.com/watch?v=vTgQLzeBfRU

 

Aaron Small: 

https://cloud.google.com/blog/products/gcp/precious-cargo-securing-containers-with-kubernetes-engine-18 

https://cloud.google.com/blog/products/gcp/exploring-container-security-running-a-tight-ship-with-kubernetes-engine-1-10

https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster 

 

CNCF:  https://www.youtube.com/watch?v=90kZRyPcRZw 

 

Findings:

   

 

Scope for testing:

        Source code review (what languages did they have to review?)

            Golang, shell, ...

 

Networking (discuss the networking *internal* *external*

Cryptography (TLS, data stores)

AuthN/AuthZ 

RBAC (which roles were tested? Just admin/non-admin *best practice is no admin/least priv*)

Secrets

Namespace traversals

Namespace claims

 

Methodology:

 

Setup a bunch of environments?

    Primarily set up a single environment IIRC

    Combination of code audit and active ?fuzzing?

        What does one fuzz on a K8s environment?

Tested with latest alpha or production versions?

    Version 1.13 or 1.14 - version locked at whatever was current - K8S releases a new version every 3 months, so this is a challenge and means we have to keep auditing.

Tested mulitple different types of k8s implementations?

    Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)

 

Bug Bounty program:

https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

the last Derbycon Brakesec podcast

Sep 7, 2019 50:43

Description:

This evening, we all came together to spend a bit of time talking about the final Derbycon. We talk to Mic Douglas about his 9 Derbycon appearances, Gary Rimar (piano player Extraordinare) talks about @litmoose's talk on how to tell C-Levels that their applications aren't good.

 

We also got asked about how the show came about, and how we found each other.

 

**Apologies for the echo in some parts... I did what I could to clean it up, but we were too close and the mics got a bit overzealous...**

2019-032-kubernetes security audit dicussion with Jay Beale and Aaron Small

Aug 31, 2019 47:13

Description:

Topics:

Infosec Campout report

Derbycon Pizza Party (with podcast show!)  https://www.eventbrite.com/e/brakesec-pizza-party-at-the-derbycon-mental-health-village-tickets-69219271705

Mental health village at Derbycon

 

Jay Beale (co-lead for audit) *Bust-a-Kube*  

Aaron Small (product mgr at GKE/Google)


Atreides Partners

Trail of Bits

 

What was the Audit? 

How did it come about? 

 

Who were the players?

    Kubernetes Working Group

        Aaron, Craig, Jay, Joel

    Outside vendors:

        Atredis: Josh, Nathan Keltner

        Trail of Bits: Stefan Edwards, Bobby Tonic , Dominik

    Kubernetes Project Leads/Devs

        Interviewed devs -- this was much of the info that went into the threat model

        Rapid Risk Assessments - let’s put the GitHub repository in the show notes

   

What did it produce?

    Vuln Report

    Threat Model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf

    White Papers

    https://github.com/kubernetes/community/tree/master/wg-security-audit/findings

 

    Discuss the results:

        Threat model findings

            Controls silently fail, leading to a false sense of security

                Pod Security Policies, Egress Network Rules

            Audit model isn’t strong enough for non-repudiation

                By default, API server doesn’t log user movements through system

            TLS Encryption weaknesses

                Most components accept cleartext HTTP

                Boot strapping to add Kubelets is particularly weak       

                Multiple components do not check certificates and/or use self-signed certs

                HTTPS isn’t enforced

                Certificates are long-lived, with no revocation capability

                Etcd doesn’t authenticate connections by default

            Controllers all Bundled together

                Confused Deputy: b/c lower priv controllers bundled in same binary as higher

            Secrets not encrypted at rest by default

            Etcd doesn’t have signatures on its write-ahead log

            DoS attack: you can set anti-affinity on your pods to get nothing else scheduled on their nodes

 

            Port 10255 has an unauthenticated HTTP server for status and health checking


        Vulns / Findings (not complete list, but interesting)

            Hostpath pod security policy bypass via persistent volumes

            TOCTOU when moving PID to manager’s group

            Improperly patched directory traversal in kubectl cp

            Bearer tokens revealed in logs

            Lots of MitM risk:

            SSH not checking fingerprints: InsecureIgnoreHostKey

            gRPC transport seems all set to WithInsecure()

HTTPS connections not checking certs 

            Some HTTPS connections are unauthenticated

            Output encoding on JSON construction

                This might lead to further work, as JSON can get written to logs that may be consumed elsewhere.

            Non-constant time check on passwords

Lack of re-use / library-ification of code

 

    Who will use these findings and how? Devs, google, bad guys? 

    Any new audit tools created from this? 

 

Brad geesaman “Hacking and Hardening Kubernetes Clusters by Example [I] - Brad Geesaman, Symantec   https://www.youtube.com/watch?v=vTgQLzeBfRU

 

Aaron Small: 

https://cloud.google.com/blog/products/gcp/precious-cargo-securing-containers-with-kubernetes-engine-18 

https://cloud.google.com/blog/products/gcp/exploring-container-security-running-a-tight-ship-with-kubernetes-engine-1-10

https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster 

 

CNCF:  https://www.youtube.com/watch?v=90kZRyPcRZw 




Findings:

   

 

Scope for testing:

        Source code review (what languages did they have to review?)

            Golang, shell, ...

 

Networking (discuss the networking *internal* *external*

Cryptography (TLS, data stores)

AuthN/AuthZ 

RBAC (which roles were tested? Just admin/non-admin *best practice is no admin/least priv*)

Secrets

Namespace traversals

Namespace claims

 

Methodology:


Setup a bunch of environments?

    Primarily set up a single environment IIRC

    Combination of code audit and active ?fuzzing?

        What does one fuzz on a K8s environment?

Tested with latest alpha or production versions?

    Version 1.13 or 1.14 - version locked at whatever was current - K8S releases a new version every 3 months, so this is a challenge and means we have to keep auditing.

Tested mulitple different types of k8s implementations?

    Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)


Bug Bounty program:

https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-031- Dissecting a Social engineering attack (Part 2)

Aug 16, 2019 50:05

Description:

 

Intro - Ms. DirInfosec “Anna”

Call Centers suffer from wanting to give good customer service and need to move the call along.

    Metrics are tailored to support an environment conducive to these kinds of attacks

https://en.wikipedia.org/wiki/Social_engineering_(security)

Social engineering will prey on people’s altruism 

    “Pregnant woman needing help through the security door”

    “Person on crutches”
    “Delivery person with arms full”

    “Can’t remember information, others filling in missing bits”

    Call Center Reps are _paid_ to be helpful. “Customer is never wrong”

 

Creating a sense of urgency to spur action

 

Real-life scenario: "bob calls asking about status of an order"

Questions: 

What were you doing for training prior to these calls? (it’s alright if you weren’t doing anything) :)

Pre-training audio (#1 and #2)

 

What was their reaction about the calls received?

 

Did the training take the first time? What difficulties did you have after the first training? ‘Getting better Audio’ (#3) Fake calls? Show examples? Talk about the training, what kind of training: Post audio (#4 and #5) How did your call center reps handle the training? For a business standpoint, what had to be changed to accommodate the new processes

 

https://www.pindrop.com/blog/tackling-113-fraud-increase-call-centers-webinar-recap/

https://www.bai.org/banking-strategies/article-detail/beating-crooks-at-call-center-fraud

 

@consultingCSO on twitter

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

2019-029-dissecting a real Social engineering attack (part 1)

Aug 1, 2019 47:07

Description:

Intro - Ms. DirInfosec “Anna”

Call Centers suffer from wanting to give good customer service and need to move the call along.

    Metrics are tailored to support an environment conducive to these kinds of attacks

https://en.wikipedia.org/wiki/Social_engineering_(security)

Social engineering will prey on people’s altruism 

    “Pregnant woman needing help through the security door”

    “Person on crutches”
    “Delivery person with arms full”

    “Can’t remember information, others filling in missing bits”

    Call Center Reps are _paid_ to be helpful. “Customer is never wrong”

 

Creating a sense of urgency to spur action


Real-life scenario: "bob calls asking about status of an order"

Questions: 

What were you doing for training prior to these calls? (it’s alright if you weren’t doing anything) :)

Pre-training audio (#1 and #2)

 

What was their reaction about the calls received?

 

Did the training take the first time? What difficulties did you have after the first training? ‘Getting better Audio’ (#3) Fake calls? Show examples? Talk about the training, what kind of training: Post audio (#4 and #5) How did your call center reps handle the training? For a business standpoint, what had to be changed to accommodate the new processes

 

https://www.pindrop.com/blog/tackling-113-fraud-increase-call-centers-webinar-recap/

https://www.bai.org/banking-strategies/article-detail/beating-crooks-at-call-center-fraud

 

@consultingCSO on twitter

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-028-fileless_malware_campaign,privacy issues with email integration-new_zip_bomb_record

Jul 24, 2019 59:51

Description:

FIleless malware campaign - https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/fileless-threats

 

https://www.andreafortuna.org/2017/12/08/what-is-reflective-dll-injection-and-how-can-be-detected/


https://www.extremetech.com/computing/294852-new-zip-bomb-stuffs-4-5pb-of-data-into-46mb-file 

 

https://articles.forensicfocus.com/2019/07/15/finding-and-interpreting-windows-firewall-rules/



https://www.theregister.co.uk/2019/02/11/google_gmail_developer/     

Privacy issues:

    Companies integrating with email systems

    Pulling all information from the inboxes

    Collecting that information

    Storing for long periods of time (‘training the AI’)

    Check for SOC2 and press them on their data storage and privacy policies

    Have language in your 3rd party agreements to understand sharing and collection

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

 



Cool Tools:

https://github.com/AxtMueller/Windows-Kernel-Explorer

https://github.com/TheSecondSun/Revssl

2019-027-GDPR fines for British Airways, FTC fines Facebook, Zooma-palooza

Jul 14, 2019 43:23

Description:

MITRE Pre-Attack techniques https://attack.mitre.org/techniques/pre/

https://www.bbc.com/news/business-48905907

Zoom - https://www.wired.com/story/zoom-flaw-web-server-fix/

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

2019-026-Ben Johnson discusses hanging your shingle, going independent

Jul 9, 2019 38:12

Description:

 

 

Starting a new business (hanging the shingle)

 

What’s a way to become an independent consultant?

Especially if you don’t have a reputation?

 

Ben's reading list:

“Mindset: the New Psychology of success”

“Essentialism”

“Extreme ownership”

“Team of teams”

 

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

2019-025-Ben Johnson discusses identity rights management, and controlling your AuthN/AuthZ issues

Jul 2, 2019 41:43

Description:

Identity analytics

 

“Identity analytics is the next evolution of the IGA (Identity Governance & Administration) market. Identity professionals can use this emerging set of solutions combining big data and advanced analytics to increase identity-related risk awareness and enhance IAM processes such as access certification, access request and role management.” --gartner

Identity related risk awareness

Access certification is the process of validating access rights within systems. ... With access certification, organizations and regulations aim to formally validate users within systems and ensure their access rights are appropriate.

 

Access request - a system must validate that a user has need-to-know

Role management - users must be validated in a particular role or roles (admin, superuser, backup controller, launch manager, code committer)

What kind of threats are you protecting against?

What do you solve that proper administration of users can do?

How does technology like this improve IAM processes? 

If it gathers heuristics, what happens when a user changes? (loses an arm, finger, or sneezes during password login, or just ages?)

 

Where is the best fit for these kinds of systems? 

Where should you put these systems if you’re in a blended environment? And how does this work with systems like Active Directory?

Privacy issues… what if any do you have to deal with in this case? 

That was my next question

Entitlements? What’s the difference between AuthN?

Identity creep -Ben gave a talk on it  https://www.brighttalk.com/webcast/17685/362274

Does this monitor, or will it also prevent? 

If it doesn’t, can it send alerts to you IPS to isolate?

“Blast radius”

https://whatis.techtarget.com/definition/behavioral-biometrics

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-024-Tanya_Janca-mentorship-WoSec_organizations_what-makes-a-good-mentor

Jun 24, 2019 53:53

Description:

Tanya Janca (@shehackspurple)

 

DevOps Tools for free/cheap.

    They are all on github right, so they are all free?

    Python, Docker, k8s, Jenkins

    Licensing can be a problem

    Free-mium software, or trialware is useful?

OWASP DevSlop

    Module

    Nicole Becker

        Pixie - insecure instagram

“Betty Coin”

SSLlabs - Qualys

 

Mentoring Monday:

    What is “Mentoring Monday”?

    What does it take to be a good mentor?

    Should a mentee have a goal in mind?

        Something other than “I want to be just like you”?

    Do you assist in creating the relationship?

        What if they don’t meld?

        Are there any restrictions?

    Any place in someone’s career?

    How do you apply?

    Advocating -


Leading Cyber Ladies: https://twitter.com/LadiesCyber

WoSec International - https://twitter.com/WoSECtweets

    19 Chapters worldwide

        Africa, No. America, Europe

    Goal? (hacker workshops)

    Submitting talks at cons

    Outreaching (how would people get involved)

    Mentorship involved in this?

 

Global AppSec

 

Videos on youtube:

    OWASP DevSlop: https://www.youtube.com/channel/UCSmjcWvgVBqF3x_7e5rfe3A

    https://www.youtube.com/channel/UCSmjcWvgVBqF3x_7e5rfe3A


Blog Site: https://dev.to/shehackspurple

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-023-Tanya Janca, Dev Slop, DevOps tools for free or cheap

Jun 18, 2019 40:37

Description:

Announcements:

InfoSec Campout Conference (Eventbrite, social contract, etc): https://www.infoseccampout.com

All Day Devops (https://www.alldaydevops.com) free talks online... Next conference starts 06 November 2019

------

Tanya Janca (@shehackspurple)

@wosectweets - Women of Security

DevOps Tools for free/cheap.

    They are all on github right, so they are all free?

    Python, Docker, k8s, Jenkins

    Licensing can be a problem

    Free-mium software, or trialware is useful?

OWASP DevSlop

    Module

    Nicole Becker

        Pixie - insecure instagram

“Betty Coin”

SSLlabs - Qualys

 

Mentoring Monday:

    What is “Mentoring Monday”?

    What does it take to be a good mentor?

    Should a mentee have a goal in mind?

        Something other than “I want to be just like you”?

    Do you assist in creating the relationship?

        What if they don’t meld?

        Are there any restrictions?

    Any place in someone’s career?

    How do you apply?

    Advocating and being a good ally

Leading Cyber Ladies: https://twitter.com/LadiesCyber

WoSec International - https://twitter.com/WoSECtweets

    19 Chapters worldwide

        Africa, No. America, Europe

    Goal? (hacker workshops)

    Submitting talks at cons

    Outreaching (how would people get involved)

    Mentorship involved in this?

 

Global AppSec

 

Videos on youtube:

    OWASP DevSlop: https://www.youtube.com/channel/UCSmjcWvgVBqF3x_7e5rfe3A

    https://www.youtube.com/channel/UCSmjcWvgVBqF3x_7e5rfe3A


Blog Site: https://dev.to/shehackspurple

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-022-Chris Sanders-Rural_Tech_Fund-embracing_the_ATT&CK_Matrix

Jun 9, 2019 01:01:09

Description:

ANNOUNCEMENTS: INFOSEC CAMPOUT TICKETS ARE STILL ON SALE. Go to https://www.infoseccampout.com for Eventbrite link and more information.

 

 

Part 2 of our Discussion with Chris Sanders (@chrissanders88)

Topics discussed:

Companies dropping existing frameworks for ATT&CK Matrix, why?

Rural Technology Fund - What it is, how does it work, Who can help make it more awesome.

 

https://chrissanders.org/2019/05/infosec-mental-models/

 

I’ve argued for some time that information security is in a growing state of cognitive crisis…

 

Demand outweighs supply

Because so many organizations need experience, they are unable to appropriately invest in entry-level jobs and devote the necessary time for internal training.

That’s an HR and hiring manager issue, right? --brbr  No. --bboettcher

 

Information cannot be validated or trusted

    There are few authoritative sources of knowledge about critical components and procedures.

 

Large systemic issues persist with no ability to tackle them in a large, mobilized, or strategic manner.

    The industry is unable to organize or widely combat the biggest issues they face.

    Groups of individuals, everyone thinking they have the ‘right answer’, just like linux flavors --brbr

 

https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html

https://www.helpnetsecurity.com/2018/07/10/windows-shimcache-threat-hunting/

 

Dependence on tools: http://traffic.libsyn.com/brakeingsecurity/2016-006-Moxie_vs_Mechanism-dependence_on_tools.mp3

 

https://en.wikipedia.org/wiki/Cognitive_revolution

https://buzzmachine.com/2019/04/25/a-crisis-of-cognition/

 

How do we solve it?

 

We must thoroughly understand the processes used to draw conclusions. S.M.A.R.T.? Experts must develop repeatable, teachable methods and techniques. Educators must build and advocate pedagogy that teaches practitioners how to think.

https://www.maximumfun.org/shows/sawbones - sawbones podcast (amanda mentioned)

 

Mental Model?

    We use them all the time? Gotta simplify the complex...

    Distribution and the Bell Curve

    Operant Conditioning

https://www.latimes.com/science/la-sci-emotional-stereotypes-about-women-20190530-story.html

    The Scientific Method

 

Applied Models

 

    13 Organ Systems

    4 Vital Signs

    10 Point Pain scale

Defense in Depth

OSI model

Investigation Process

 

https://en.wikipedia.org/wiki/Inductive_reasoning

 

Model Desperation

    Companies dumping existing models and embracing something else

 

The problem is that we’re model hungry and we’ll rapidly use and abuse any reasonable model that presents itself. Ultimately, we want good models because we want a robust toolbox. But, not everything is a job for a hammer and we don’t need fourteen circular saws.

 

What makes a good model?

Simple

Useful

Imperfect? (wuh?)-brbr

 

Creating models

    Begins by asking a question… (what is the weather going to look like tomorrow? --brbr)

        What defines the sandwich? (kind of like “https://en.wikipedia.org/wiki/Theory_of_forms” --brbr)

 

Discuss the Rural Tech Fund https://twitter.com/RuralTechFund

    https://ruraltechfund.org/

Practical Threat Hunting - https://twitter.com/chrissanders88/status/1133388347194454018

Practical Packet Analysis - https://nostarch.com/packetanalysis3

 

 

Suggesting books:

https://www.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555

https://www.amazon.com/Undoing-Project-Friendship-Changed-Minds/dp/0393354776

More references on Chris’ site https://chrissanders.org/2019/05/infosec-mental-models/

 

Book Club

Cult of the dead cow - June

Tribe of Hackers - July

The Mastermind - August

The Cuckoo’s Egg - September

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-021-Chris Sanders discusses a cognitive crisis, mental models, and dependence on tools

Jun 4, 2019 47:55

Description:

https://chrissanders.org/2019/05/infosec-mental-models/

 

I’ve argued for some time that information security is in a growing state of cognitive crisis…

 

Demand outweighs supply

Because so many organizations need experience, they are unable to appropriately invest in entry-level jobs and devote the necessary time for internal training.

That’s an HR and hiring manager issue, right? --brbr  No. --bboettcher

 

Information cannot be validated or trusted

    There are few authoritative sources of knowledge about critical components and procedures.

 

Large systemic issues persist with no ability to tackle them in a large, mobilized, or strategic manner.

    The industry is unable to organize or widely combat the biggest issues they face.

    Groups of individuals, everyone thinking they have the ‘right answer’, just like linux flavors --brbr

 

https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html

https://www.helpnetsecurity.com/2018/07/10/windows-shimcache-threat-hunting/

 

Dependence on tools: http://traffic.libsyn.com/brakeingsecurity/2016-006-Moxie_vs_Mechanism-dependence_on_tools.mp3

 

https://en.wikipedia.org/wiki/Cognitive_revolution

https://buzzmachine.com/2019/04/25/a-crisis-of-cognition/

 

How do we solve it?

 

We must thoroughly understand the processes used to draw conclusions. S.M.A.R.T.? Experts must develop repeatable, teachable methods and techniques. Educators must build and advocate pedagogy that teaches practitioners how to think.

https://www.maximumfun.org/shows/sawbones - sawbones podcast (amanda mentioned)


Mental Model?

    We use them all the time? Gotta simplify the complex...

    Distribution and the Bell Curve

    Operant Conditioning

https://www.latimes.com/science/la-sci-emotional-stereotypes-about-women-20190530-story.html

    The Scientific Method

 

Applied Models

 

    13 Organ Systems

    4 Vital Signs

    10 Point Pain scale

Defense in Depth

OSI model

Investigation Process

 

https://en.wikipedia.org/wiki/Inductive_reasoning

 

Model Desperation

    Companies dumping existing models and embracing something else

 

The problem is that we’re model hungry and we’ll rapidly use and abuse any reasonable model that presents itself. Ultimately, we want good models because we want a robust toolbox. But, not everything is a job for a hammer and we don’t need fourteen circular saws.

 

What makes a good model?

Simple

Useful

Imperfect? (wuh?)-brbr

 

Creating models

    Begins by asking a question… (what is the weather going to look like tomorrow? --brbr)

        What defines the sandwich? (kind of like “https://en.wikipedia.org/wiki/Theory_of_forms” --brbr)

 

Discuss the Rural Tech Fund https://twitter.com/RuralTechFund

    https://ruraltechfund.org/

Practical Threat Hunting - https://twitter.com/chrissanders88/status/1133388347194454018

Practical Packet Analysis - https://nostarch.com/packetanalysis3

 

Suggesting books:

https://www.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555

https://www.amazon.com/Undoing-Project-Friendship-Changed-Minds/dp/0393354776

More references on Chris’ site https://chrissanders.org/2019/05/infosec-mental-models/

 

Book Club

Cult of the dead cow - June

Tribe of Hackers - July

The Mastermind - August

The Cuckoo’s Egg - September

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-020-email_security_controls-windows_scheduler

May 29, 2019 01:03:01

Description:

Bryan got phished (almost) - story time!

 

https://isc.sans.edu/forums/diary/Do+you+block+new+domain+names/17564/

 

Through OpenDNS

https://learn-umbrella.cisco.com/product-videos/newly-seen-domains-in-cisco-umbrella

Available January 2017, Umbrella filters newly seen or created domains. By using new domains to host malware and other threats, attackers can outsmart security systems that rely on reputation scores or possibly outdated block lists. Umbrella now stops these domains before they even load.

 

Also “unknown” category? pros/cons

 

Good filter time for domains?

 

Amanda: windows logging issues

well…. FUCKING EVERYTHING CREATES TASKS IN SCHEDULER

 

https://www.microsoft.com/en-us/windowsforbusiness/windows-atp

 

Breach news:

 

https://www.dutchnews.nl/news/2019/05/hackers-steal-key-info-about-home-hunters-from-housing-agency/

FTA: The hackers now have their name, address, contact information and copies of their passport or ID card, which includes their personal identification number, or BSN.

This is sufficient to allow the hackers to open bank accounts or take out loans by using other people’s identity.

 

https://www.bleepingcomputer.com/news/security/over-757k-fraudulently-obtained-ipv4-addresses-revoked-by-arin/

Mostly colos, data centers, ‘aaS’ providers

Many in the Mid-West

 

Book Club

Cult of the dead cow - June

Tribe of Hackers - July

The Mastermind - August

The Cuckoo’s Egg - September

 

https://www.infoseccampout.com

EventBrite Link:

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-019-Securing your RDP and ElasticSearch, InfoSec Campout news

May 20, 2019 53:11

Description:

https://static1.squarespace.com/static/556340ece4b0869396f21099/t/5cc9ff79c830253749527277/1556742010186/Red+Team+Practice+Lead.pdf


https://www.reddit.com/r/netsec/comments/bonwil/prevent_a_worm_by_updating_remote_desktop/

 

https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

https://security.berkeley.edu/resources/best-practices-how-articles/system-application-security/securing-remote-desktop-rdp-system



https://www.bleepingcomputer.com/news/security/unsecured-survey-database-exposes-info-of-8-million-people/

https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html

https://www.elastic.co/blog/found-elasticsearch-security

https://dzone.com/articles/securing-your-elasticsearch-cluster-properly

Auth is possible, using reverse proxy… this is basic auth :( https://github.com/Asquera/elasticsearch-http-basic

 

Here’s one that uses basic auth and LDAP: https://mapr.com/blog/how-secure-elasticsearch-and-kibana/

2fa setup: https://www.elastic.co/guide/en/cloud/current/ec-account-security.html

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-017-K8s Security, Kamus, interview with Omer Levi Hevroni

May 5, 2019 49:49

Description:

K8s security with Omer Levi Hevroni (@omerlh)

 

service tickets -

Super-Dev

 

Omer’s requirements for storing secrets:

 

Gitops enabled

Kubernetes Native

Secure

    “One-way encryption”

 

Omer’s slides and youtube video:

https://www.slideshare.net/SolutoTLV/can-kubernetes-keep-a-secret

https://www.youtube.com/watch?v=FoM3u8G99pc&&index=14&t=0s

 

We’ve all experienced it: you’re working on a task, adding some code, and then you need to store some sensitive configuration value. It could be an API key, client secret or an encryption key ― something that’s highly sensitive and must be kept secret. And this is where things get messy. Usually, secret storage is highly coupled with how the code is deployed, and different platforms have different solutions. Kubernetes has a promise to simplify this process by using the native secret object, which, as the name implies, can be used to store secrets or sensitive configurations. Unfortunately, Kubernetes secrets are fundamentally broken, and a developer who tries to use them will definitely have some issues. But no need to worry ― there are solid alternatives for storing secrets securely on Kubernetes platform. One solution is to use Kamus, an open-source, git-ops solution, that created by Soluto, for managing secrets on Kubernetes. Kamus can encrypt a secret so it can be decrypted only by your app on runtime - and not by anyone else. The first part of this session will cover the challenges faced when using Kubernetes secrets (from a usability and security point of view). The second part will discuss some of the existing solutions (Sealed Secrets, Helm Secrets and others), their pros, and cons, and then feature Kamus: how it works, what problems it solves, how it differs from other solutions, and what threats it can help mitigate (and what threats it can’t). The talk will cover all that is required to know so you can run Kamus on your own cluster and use it for secret management. Join me for this session to learn how you can build a Kubernetes cluster than can keep a secret ― for real. Speakers Omer Levi Hevroni

 

Kubernetes Secrets

    Bad, because manifest files hold the user/password, and are encoded in Base64

        Could be uploaded to git = super bad

https://kubernetes.io/docs/concepts/configuration/secret/

https://docs.travis-ci.com/user/encryption-keys/

 

Kamus threat model on Github: https://kamus.soluto.io/docs/threatmodeling/threats_controls/

https://medium.com/@BoweiHan/an-introduction-to-serverless-and-faas-functions-as-a-service-fb5cec0417b2

    “FaaS is a relatively new concept that was first made available in 2014 by hook.io and is now implemented in services such as AWS Lambda, Google Cloud Functions, IBM OpenWhisk and Microsoft Azure Functions.”

Best practices: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/

https://github.com/owasp-cloud-security/owasp-cloud-security

https://www.omerlh.info/2019/01/19/threat-modeling-as-code/

https://telaviv.appsecglobal.org/

 

https://github.com/Soluto/kamus

 

https://kamus.soluto.io

 

Infosec Campout = www.infoseccampout.com

2019-016-Conference announcement, and password spray defense

Apr 29, 2019 46:11

Description:

Agenda:

 

Announce the conference

CFP: up soon

CFW: up soon

Campers: Friday night/Saturday night

    Like “toorcamp”, but if it sucks, you can drive home… :D

 

Limiting tickets, looking for sponsors

To support the conference and future initiatives:

“Infosec Education Foundation”

    501c3 non-profit (we are working on the charity part)

 

www.infoseccampout.com

Password spraying

https://github.com/dafthack/DomainPasswordSpray

 

Stories:

 

https://blog.stealthbits.com/using-stealthdefend-to-defend-against-password-spraying/

 

http://blog.quadrasystems.net/post/password-spray-attacks-and-four-sure-steps-to-disrupt-them

 

https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing

 

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/simplifying-password-spraying/

 

Detecting one to many…..and at what point/threshold during an attack would it be a PITA for the redteam to slow down to

 

Annoying NXLog CE limitation

 

Log-MD can help detect?  Yep

 

CTF Club is happening again

    Pinkie Pie is running it.

    Saturdays at 2 -3 pm

 

 

2019-015-Kevin_johnson-incident_response_aftermath

Apr 22, 2019 01:24:27

Description:

Announcements:

https://www.workshopcon.com/

    SpecterOps (red Team operations) and Tim Tomes (PWAPT)

 

Bsides Nashville

 

https://blog.secureideas.com/2019/04/we-take-security-seriously-and-other-trite-statements.html

 

“We take security seriously and other trite statements“

 

Wordpress infrastructure (supply chain failure)

    WordPress plugin called Woocommerce was at fault.

    Vuln late last year: https://www.bleepingcomputer.com/news/security/wordpress-design-flaw-woocommerce-vulnerability-leads-to-site-takeover/

    “According to new research by Simon Scannell, a researcher for PHP Security firm RIPS Tech, when WooCommerce is installed it will create a Shop Manager role that has the "edit_users" WordPress capability/permission. This capability allows users to edit ANY WordPress user, including the Administrator account.”

 

https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/

 

You (Kevin) discovered the admin accounts, but could not remove them. Was that when you considered this an ‘incident’?

 

Timeline:
“[2019-03-22 09:03 EST] Kevin assigns members of the Secure Ideas team with reconnaissance and mapping of the AoM system. Kevin reminds these members that Secure Ideas doesn’t have permission to test AoM. They are advised not to do anything that could harm the AoM’s production environment.”

    What is the line they should not cross in this case?

 

You did not have access to logs, you asked that an audit plugin be installed to be able to view logs. Is that permanent, and why did they not allow access to logs prior to?

 

[2019-03-22 13:11 EST] AoM Support fixes the audit log plugin access. AoM Support has found that a purchase of a course through a Woocommerce plugin resulted in users being granted admin access. AoM Support provides specific order numbers. They have also done an analysis of the database backups from the last 60 days and believe that the attackers did not do anything after they got access. AoM Support announces that the Secure Ideas training site will be set up on a separate server and Secure Ideas will be granted a new level of access.

 

Seems like working with AoM wasn’t difficult. Was giving you access to your own instance, and allowing you to administer it a big deal for them?

 

Lessons Learned? Anything you’d do differently next time?

    Update IR plan?

    Did they reach out for additional testing?

    Did the people who got admin get removed?

    Consult with AoM on better security implementation? Your env wasn’t damaged, but did they suffer issues with other customers? *answered*

 

https://www.wordfence.com/

 

https://en.wikipedia.org/wiki/Gremlins

 

Gas Station skimmer video - https://www.facebook.com/michellepedraza.journalist/videos/2135141863465247/

 

https://www.helpnetsecurity.com/2019/04/12/cybersecurity-incident-response-plan/

https://www.guardicore.com/2018/11/security-incident-response-plan/

 

https://www.zdnet.com/article/security-risks-of-multi-tenancy/

 

Upcoming SI events

IANS forum (Wash DC)

ShowmeCon

Webcasts

ISC2 security Congress (Wash DC)

 

Patreon

Slack

Twitter handles

iTunes

Google

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

2019-014-Tesla fails encryption, Albany and Sammamish ransomware attacks.

Apr 15, 2019 50:41

Description:

Announcements:
WorkshopCon Training with SpecterOps and Tim Tomes

www.workshopcon.com

redteam operations with SpecterOps

PWAPT with Tim Tomes

 

Source Boston: [Boston, MA 2019 (April 29 – May 3, 2019) (https://sourceconference.com/events/boston19/)Trainings: April 29 - April 30, 2019 | Conference: May 1 - 3, 2019

 

Cybernauts CTF meetup in Austin Texas at Indeed offices, 23 April at 5pm Central time.



https://nakedsecurity.sophos.com/2019/04/02/wrecked-teslas-hang-onto-your-unencrypted-data/

 

My last car sync’ed the contact list.

Video is a different story, but safety for the vehicle and owner, they’ll probably continue to store it.

Telemetry data is for changing road conditions, navigation, etc

Enable encryption at rest… or pop a fuse to scram the data when/if an accident is detected

    Level of difficulty, no fuse, requires hardware upgrade

    Encryption at rest, ensuring HTTPS on all incoming/outgoing.

 

https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/

    Annoying “do you want notifications from this site?”

    Like an annoying RSS feed… ‘Hey, we added a new banner ad!’


https://www.phoronix.com/scan.php?page=news_item&px=Linux-Improve-CPU-Spec-Switches

    Why add the switches to allow vulnerabilities?

    Slippery slope  --disable-dirtycow?

 

https://www.bleepingcomputer.com/ransomware/decryptor/planetary-ransomware-decryptor-gets-your-files-back-for-free/

 

https://www.wamc.org/post/details-still-few-city-albany-s-ransomware-attack

Threat intelligence and software detections…

Got an email… *Story Time from Mr. Boettcher*

Twitter: why do companies not allow copy/paste in password fields? Tesla

2019-013-ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 2

Apr 7, 2019 56:35

Description:

Announcements:

SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com

Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/

Austin Cybernauts meetup - https://www.eventbrite.com/e/cybernauts-ctf-meetup-indeed-tickets-58816141663

SHOW NOTES:

Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.

https://github.com/OWASP/ASVS

“is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. “

 

#ASVS team:

Daniel Cuthbert @dcuthbert Andrew van der Stock Jim Manico @manicode Mark Burnett Josh C Grossman

 

https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf

https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx

 

https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing

 

https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf - old version

http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3  - Older BrakeSec Episode

 

ASVS Page 14 - “If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture.”

 

What are the biggest differences between V3 and V4?


Why was a change needed? 

https://xkcd.com/936/ - famous XKCD password comic

David Cybuck: Appendix C:  IoT

    Why was this added?

    These controls are in addition to all the other ASVS controls?

How do they see section 1 architecture and section 14, configuration --- in the context of rapid deployment, infrastructure as code, containerization.

 

You added IoT, but not ICS or SCADA?

    https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project

 

BrakeSec IoT Top 10 discussion:

http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3

http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3

 

Seems incomplete… (Section 1.13 “API”)

    Will this be added later?

    What is needed to fill that in? (manpower, SME’s, etc?)

 

3 levels of protection… why have levels at all?

    Why shouldn’t everyone be at Level 3?

    I just don’t like the term ‘bare minimum’ (level 1)--brbr

 

Threat modeling blog (leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling

Adam Shostack ThreatModeling Book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998

https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf

https://www.youtube.com/watch?v=2C7mNr5WMjA

Cost to get to L2? L3?

https://manicode.com/ secure coding education

 

https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-012: OWASP ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 1

Apr 1, 2019 51:51

Description:

Show Notes


SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com

Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/

 

Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.

 

https://github.com/OWASP/ASVS

“is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. “

 

ASVS team:

Daniel Cuthbert @dcuthbert Andrew van der Stock Jim Manico @manicode Mark Burnett Josh C Grossman

 

https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf

https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx

Don’t post these links in show notes

ASVS list (google sheet): https://drive.google.com/open?id=1xFLmvNoR2tohk08cQDLU46FWNgpx28wd

 

ASVS PDF: https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing

 

https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf - old version

http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3  - Older BrakeSec Episode

 

ASVS Page 14 - “If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture.”

 

What are the biggest differences between V3 and V4?


Why was a change needed?

 

https://xkcd.com/936/ - famous XKCD password comic

 

David Cybuck: Appendix C:  IoT

    Why was this added?

    These controls are in addition to all the other ASVS controls?

How do they see section 1 architecture and section 14, configuration --- in the context of rapid deployment, infrastructure as code, containerization.

 

You added IoT, but not ICS or SCADA?

    https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project

 

BrakeSec IoT Top 10 discussion:

http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3

http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3

 

Seems incomplete… (Section 1.13 “API”)

    Will this be added later?

    What is needed to fill that in? (manpower, SME’s, etc?)

3 levels of protection… why have levels at all?

    Why shouldn’t everyone be at Level 3?

    I just don’t like the term ‘bare minimum’ (level 1)--brbr

Threat modeling blog (leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling

Adam Shostack ThreatModeling Book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998

https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf

https://www.youtube.com/watch?v=2C7mNr5WMjA

Cost to get to L2? L3?

https://manicode.com/ secure coding education

 

https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-011-part 2 of our interview with Brian "Noid" Harden

Mar 24, 2019 47:13

Description:

 

Log-MD story

    SeaSec East meetup

    Gabe (county Infosec guy)

https://www.sammamish.us/government/departments/information-technology/ransomware-attack-information-hub/

New Slack Moderator (@cherokeeJB)

Shoutout to “Jerry G”

 

Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407

www.Workshopcon.com/events and that we're looking for BlueTeam trainers please

 

Any chance you can tag @workshopcon. SpecterOps and lanmaster53 when you post on Twitter and we'll retweet

 

Noid - @_noid_

noid23@gmail.com

 

Bsides Talk (MP3) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Noid_Seattle_Bsides.mp3

Slides (PDF)

https://github.com/noid23/Presentations/blob/master/BSides_2019/Its%20Not%20a%20Bug%20Its%20a%20Feature%20-%20Seattle%20BSides%202019.pdf

 

Security view was a bit myopic?

“What do we win by playing?”

Cultivating relationships (buy lunch, donuts, etc)

Writing reports

Communicating findings that resonate with developers and management

    Often pentest reports are seen by various facets of folks

    Many levels of competency (incompetent -> super dev/sec)

Communicating risk? Making bugs make sense to everyone…

The three types of power:

https://www.manager-tools.com/2018/03/three-types-power-and-one-rule-them-part-1 (yas!)

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Transcription (courtesy of otter.ai, and modified for readability by Bryan Brake)

Bryan Brake 0:13
Hello everybody this is Bryan from Brakeing Down Security this week you're gonna hear part two of our interview with Noid, we did a lot of interesting discussions with him and it went so well that we needed the second week so for those of you here just catching this now Part One was last week so you can just go back and download that one. We're going to start leading in with the "one of us" story because one of the one of the slides he talked about was how you know he you know learned how to be one with his dev team and one of the last topics we had was kind of personal to me I do a lot of pentest writing for reports and stuff at my organization "Leviathan" and and you know, we talked about you know What makes a good report how to write reports for all kinds of people, whether it be a manager that you're giving it to, from an engagement for a customer, or, you know, the technical people who might be fixing the bugs that an engagement person might find, or a pen tester might find in this case. So, yeah, we're we're going to go ahead and lead in with that. Before we go though, SpectreOps is looking for people to go to their classes. They're learning adversary tactics and red team Operations Training course in Tysons Corner, Virginia. It's currently $4,000 to us and it's from April 23, April 26 of this year 2019. That doesn't include also airfare and hotel, so you're gonna have to find your way to Tysons Corner the Hyatt Regency there's a link in the show notes of course to the to the class if you'd like to go You'll learn things like designing and deploying sophisticated resilient covert attack infrastructure, gaining initial access footholds on systems using client side attacks, and real world scenarios cutting edge lateral movement methods to move through the enterprise and a bunch of other cool things... so yeah if you're interested in and hooking that up you can you there's still you still got more than a month to sign up for it it looks like there might still be tickets so knock yourselves out they're also looking for blue team people. "Mike P" on our Slack channel, which will tell you about the end of the show here on how to join if you'd like, he said http://www.workshopcon.com/events they're looking for blue team trainers... you can hang out with folks like you know, SpecterOps and Tim Tomes (LanMaster53) as well there when you you know we can you sign up for the blue team stuff and yeah http://www.workshopcon.com/events and then you can you know learn to be a blue team trainer or actually give blue team training if you so choose. So that said it's pretty awesome. Alright, so without further ado, we're going to get started with part two of our interview with Noid here, hope you have a great week. And here we go.

Okay. So I think we've gotten down to like the "one of us" story. So we're in our hero finally starts to get it and begins to bridge the gap. Some of the things some of the points are the lessons learned in this story. And you can tell us about story was that language makes all the difference in the world. This is what got me on to the part about the reporting, which we'll talk about a little while, but maybe you could fill us in on this discovery, this the story that got you to these points.

Brian "Noid" Harden 3:37
Okay, so the team I'm working on I get asked the the thing in question is it was a pretty massive product and it had never had any threat modeling done,

Bryan Brake 3:50
okay.

Brian "Noid" Harden 3:51
So had never had any threat modeling done and this this particular product was made up of tons of little sub products. So what I did is I sat there first in a kind of a complete panic going, this is overwhelming. I don't have nearly enough time or resources to be able to do this. But you know how to eat the elephant, right? The small pieces and get at it. So I had one dev lead, who I know, had worked previously on a security product. And he was a nice guy. So I sat down with them and basically said, "Hey, could you walk me through visually diagramming how your service works, building that data flow diagram, and then we're going to talk about it from a security perspective". And he was sort of like, oh, that'd be fun. Yeah, let's do that. And so we sat there and he diagrammed and the whole time he's diagramming, he'd stop and erase things and go, Wait, no, no, we were going to do it that way. But we didn't. And then oh, and we stopped doing it this way, because we added this other thing and we had to be able to break communication out number channels and then he stopped at one point and was like, get a picture of this was like I think this is probably the most accurate diagram of our service we've ever had. And then when we started doing the threat modeling side of it, like, you know, talking about trust boundaries and you know, it's like all right, so what makes sure that you know data from point A to point B and it's not filled with that kind of thing? And I'm saying okay well, could you could you you know, do this over HTTPS rather than just regular HTTP

Bryan Brake 5:29
right

Brian "Noid" Harden 5:31
you know you get non repudiation you know, and it's like, not talking about even the security value of it, but talking more about the you know, you the integrity be there and then at one point, he stops and he looks at me and he says, Man, I never had a threat modeling would generate so much feature work. And in my mind, I was like, talking about feature work like, these are bugs you need to fix. Now, all of a sudden, it was like, Oh, crap, I've been approaching this entirely the wrong way my entire career. Devs look at things that have looked at depth look at things from bug fixing, and feature development. And as a security person, what i, every time I'd been bringing up stuff they needed to do in my mind, it was implied it was feature development. But they saw this bug fixing, because in the "dev world" security fixes or bug fixes. He saw the value here and went, Oh, this is going to generate a ton of feature work. And it's like, oh, so I gotta stop calling the security work. I've got to start calling this feature work. And sure enough, not only if you start calling it feature work. And of course now once you're talking about feature work, you can start talking about the drivers. Why are we building a feature because you know, you don't build features nobody wants. Unless you're certain software companies. But yeah, but you build.. you build features that come out of customer requests, you know, you get features that hey, you know, I look at things like say Microsoft Office, how that's evolved over the years. And that's because people who use Office come back and say, you know, this is really cool. But I'd really like it if when I'm giving my PowerPoint presentation, I had a timer on the screen. So I know I'm on mark, you know, and Okay, that's a feature requests. And so that's how these things evolve. And so once I started talking about security work from the perspective of feature development you know, we have existing features that need to be worked on to give them new functionality in order to be able to pick up new customers and we have new features that we need to build that will also help because the other thing too I also noticed is that well... well I care about things like confidentiality and integrity. Devs care about things like availability and performance, right, these two these two things can kind of be almost used interchangeably, depending on the circumstance, so when, when devs are talking about stability, I'm thinking about integrity. When I'm when I'm talking about availability, they're, they're thinking about performance. And so all of a sudden, I'm now giving them ideas for like new proof counters, basically, like new metrics to check the health of the thing that we're building. And the way I looked at it was almost... Yeah, this is what this is the business driver for the, you know, customer X wants it customer Y needs it, you know, and here's the benefit, you know, the product gets out of it. Here's the benefit that developers get out of it. And what a security get out of it? Hey, don't worry about it. Purely, purely any value I derived from this work is purely coincidental.

Brian Boettcher 8:57
*Chuckles*

Brian "Noid" Harden 9:00
And that, in turn, helps start driving the conversation a lot better. Because the other value I got out of it, too is by having somebody on the development side of the house who had a name and had some, you know, reputation behind him, he was able to go to his respective peers and say, Man, I did this thing with Noid and it was really valuable. And we got a lot of cool stuff out of it. So he's gonna hit you up about it. And I totally recommend doing

Bryan Brake 9:27
right

Brian "Noid" Harden 9:28
and at which point because because some of the folks I worked with were either indifferent towards me, they were just busy. I did have some folks that I work with, though, that were just flat out adversarial towards me. They frankly they didn't want me doing what I was doing. They didn't really want me parking and poking around like the dark corners of the product. You know, because it was going to make work, but having somebody on their side say, No, I actually got value out of this. Okay, well, I'll give it a try. Holy crap, I got value out of this, too. So that was that was where I suddenly realized that my languagein my mind, I'm not saying anything differently. But yet, it turns out that when it comes to the words coming out of my mouth and how they were being received, it radically changed how I was expressing myself to people. And it totally changed the response I got.

Brian Boettcher 10:26
So maybe we need a new "CIA" triad that has the other words on it, you know, the, the translated words for development and product teams,

Brian "Noid" Harden 10:35
possibly!

Bryan Brake 10:36
performance... integrity is stability.

Brian "Noid" Harden 10:43
Yeah, stability. availability...

Bryan Brake 10:48
What's confidentiality then? what does the other bit that they talk about or worry about?

Brian "Noid" Harden 10:52
I don't know if only we had a dev lead on this call.

Brian Boettcher 10:55
*chuckles*

Bryan Brake 10:56
Yeah. Do you know one? *laughs*. So, so the lessons learned, you said, language makes all the difference. You know the way you speak is like, you know, if you're, if you only know English, like most Americans and go over to France, speaking louder in English to somebody who only speaks French is not going to help here to help you so "look for the helpers" So let's say you don't, let's say we're not lucky enough to have somebody like the person you found in your organization is is it it's going to take a little bit longer maybe to get them onto your side to you know, poke at him like that or, you know, maybe grease the wheels with some donuts or you know, maybe take them to lunch or something. Would that be helpful at all?

Brian "Noid" Harden 11:35
Well, first off Yes, you'd be amazed at how much showing up with donuts

Bryan Brake 11:48
Oh, I know

Brian "Noid" Harden 11:49
Oh yeah. No, actually actually it's funny too because I actually just a couple of weeks ago and other team at my company came over and gave my team donuts

They gave my team the IT team and the tech team donuts because of all the work we've been putting in form... as far as I'm concerned. Yeah, I'll march directly into hell for those people right now, because they gave me donuts...

Bryan Brake 11:56
niiiice.

they better be Top Pot donuts or something legit not like...

Brian "Noid" Harden 12:13
Oh, yeah, they were. They were Top Pot donuts. But yeah, so part of its that something else, too is doing some of the work yourself. So, in addition to all this work I'm doing I'm also managing the development of security features. And I had gone over the product spec for one of these security features. And I built a data flow diagram. And then during one of my little weekly Scrum meetings where I sit down with my devs. I showed it to them. and I remember one of them to and he immediately stopped and was like, "What is this?" He's like, "what is this doesn't make sense",

Bryan Brake 12:53
This is forbidden knowledge This is your thing.

Brian "Noid" Harden 12:56
Yeah, you wrote this. Okay, you wrote this, this is just a visual representation of the thing that you wrote. And once I explained it him, sort of the steps one through eleventy, you know, and showed him what had happened. He was sort of like a "Oh, that's interesting". Still somewhat dismissive of it, but it was still kind of a file. So in addition to, you know, buttering people up with donuts, and lunch and things like that, but also sometimes you gotta just buckle down and do it yourself, and then show the value. And I mean, I'll be blunt. That's how I've gone by through most of my career is when I can't get traction. I'll go do it. And then pop up and go. Hey, guys, check this thing out. Oh, wow. That's really neat. How do you do that? Where did you do that? It's like oh, you can do it too. Right now I can show you how I can work with you on it. I'm certainly not going to tell you to RTFM and walk out of the room. So part of it is it also shows a little bit of commitment on your part, sort of one of the things I've picked up that security, not even in the equation here. But just having worked in a lot of software development organizations with the devs and the PMs is the devs is frequently see the PM is not doing anything of value except for when you are. So when you are willing to put that kind of effort into deliver something like that, like, Hey, I thought modeled our service,it sort of shows this, "oh, I take it back. All those things I said about you know, you're not worthless after all." So there's definitely some value there too, because a lot of times too people are willing to say because it's easy to stand back and issue edicts, it's easy to stand back and just, you know, get up on your soapbox and tell everybody else what to do. But when you're when you show you're willing to eat your own dog food. That really gets people's attention because it's like, "Okay, this dude clearly cares about this a lot" And now that he's done it, I see what he's talking about. Yeah. You know, like we should do that there's value here.

Bryan Brake 15:11
So very cool. Yeah. So when you on the last slide here, when you wrapped it all up, you said engage early and often... Does it have to be so when we're talking about communication, open communication, trying to, you know, some of its, you know, cultivating relationships. So, you kind of need to, you know, if you're introverted, you kind of need to step out of your shell a little bit and go and talk to people, get out of your cubes for once a while. Turn on the lights, that kind of thing. How often did you talk with these teams to help build this relationship after a while, because obviously there had to be some team building there?

Brian "Noid" Harden 15:48
Yeah, so in my case, since I was in the team, we thought weekly, okay, weekly, and sometimes daily because they were literally down the hall from me, right, but in terms of where I've had to work in other organizations Where I've been in back in a centralized organization and having to work with remote teams or work with teams that I'm telling them to do things but I'm not in their org... like a weekly basis okay like we're going to meet up this weekbecause like for example like when I was a back when I was at Microsoft I worked in the MSRC before I left yeah and I was handling me and another guy we're handling all the (Internet Explorer)IE cases. Okay. That was a lot of cases because there's a lot of versions i right. So we would go meet with those cats once a week. And we would sit down with them and say, Okay, here's here's the queue. Here's what's new from last time. You know, here's sort of what we think is the priority for fixing things you know, what do you think about it, but it's it's that you always want them to know who you are, and you want them to know that you're just as busy as they are, and that you end that you're also respectful of their time, right? You know, so we'd make the meeting short... personal pet peeve of mine are people that set meetings deliberately long with the expectation of all just go ahead and give everybody 30 minutes. I'll give everybody 30 minutes back, right? Like, well thanks jerk. Like how about you could have just made a 30 minute meeting in the first place? You know it just tells that that that tells me you're not that doesn't tell me you're a magnanimous person that tells me you can't manage your time, you know. So I try to be really concise. Like, I'm going to set up a meeting with these devs. I'm going to include them agenda in the meeting invite. I'm going to set it for exactly how long I think it's like we're going to 30 minute meeting, you know, 30 minute meeting to go over the bugs that are in the queue. There's four new ones from last week one of them's really nasty, you know, that probably is probably going to be a non negotiable.. You know, but the other three are up for negotiation and you show up you sit down with them you know some pleasantries and then you just, you get to work and then you get them back out doing their thing and you get back to your thing. And that really flows well... It really flows well because, you know, none of us like meetings. And the closer you are to touching computers, the more meetings disrupt your flow the more they just disrupt your life and the thing that you're effectively getting usually paid a lot of money for.And so by kind of doing it that way, you keep that cadence up to keep that that sort of friendship and that that rapport up but the other thing too is a another point I wanted to make, but I'm getting tired... but yeah, but but along those lines to Yeah, yo get that rapport there. You're respectful of their time and then you... I can't remember what I was going to say next.

Bryan Brake 19:20
So the last bit was, let's see, don't talk about securities, talk about feature development. We talked about that threat modeling your developers, you and Dr. Cowan, my, my car pool buddy, you and Crispin need to you know get get together and talk about the the threat modeling he's doing... he doesn't do trust boundaries so much, one of the talk he gave at SeaSec East was about how we do threat modeling in our organization but a lot of companies are starting to see value in that before we do engagements because we can prioritize what's the more important thing to test versus just testing all the things in the environment

Brian "Noid" Harden 19:42
Threat modeling and software development is huge too, like that was one of the one of the things I think a lot of my developers I've done this with over the years have taken away from it is one you have to make it fun... You can't make a complete slog. But one of the nice things about threat modeling, is when you're visually looking at the thing you're going to build, that's when you make the realization that like, Oh, hey, my post office has no door... You know, and it's like the best time to figure that out. Then you always like, I always tell people that. Yeah, the best time to fix a bug is an alpha before you write anything... And the next best time to fix it is before it goes into production. And the worst possible time to fix a bug is after I've been in prod for 10 years, and it's a it's a load bearing bug at this point. It has dependencies on it

Bryan Brake 20:30
you know what, it's funny you mentioned that I've been seeing some like Linux kernel bugs they said there was one in there for like 15 years old at affected all of like 2.6.x to up to the latest version. It was a use after free bug, you know that I don't know if they found the bug 15 years ago and just never fixed it but yeah, bugs like that sit in there because people don't don't check for that kind of stuff...

Brian "Noid" Harden 20:51
that happens sometimes those the well I mean, God remember that. Remember the whole SYN flood thing in the 90s? Yeah, I mean it was it was it was in the RFC... One of those like, like, Oh, we found the bug. It's like what? You read the RFC. And just finally understood it. You know, so it's, it's that stuff. And there was an SSH bug that popped up recently. Yep. It was the same thing. It wasn't a terribly nasty critical bug. But it was, in a piece of code that had been in SSH for ever.

Bryan Brake 21:26
Yeah. I seem to remember that one, too. Yeah. I'll have to find a link to that one. So I know you're getting tired. I have one other topic I'd like to discuss because I do a lot of report writing. Well, I I probably should do a lot of report writing but at Leviathan we you know we're the PM grease the wheels we you know, work with a relationship with the the status meetings, we do the executive summary and such and I could be better writing reports some of our testers are way better at it than I am... You know, taking the taking the whole idea of the language and where where things go with this, when we, when we put findings out, we've won, we call them bugs where we call them findings, not necessarily bugs. But what I'm trying to figure out is how we can better communicate our reporting, when we're doing things like readouts, to you know, kind of resonate with both developers and management because the idea is the executive summary is supposed to be for the "managers" or senior folk and then we have like, you know, components that drill down and talk about specifics and be more technical, but, you know, often we find ourselves and I find myself because I come from a more technical background writing more technical to the executives and my question was, Is there ways of communicating risk to both the developers and the managers in the, you know, using using somewhat the same language? Or should we call the bugnot bugs or not findings. We call them, you know, hey, here's a feature you guys should implement, which would be, you know, HTTP or, you know, you must have seen a few pen test reports in your time. And I mean, what is what is your opinion of pen test reports?

Brian "Noid" Harden 23:13
So, my opinion, the most pen test reports, is that their garbage... Well, they're usually written to, they're usually written to one extreme or the other. So unfortunately, I have yet to find any really good language that appeases everybody.

Brian Boettcher 23:30
So what's the one extreme or the other?

Brian "Noid" Harden 23:32
What are the two extremes they're either hyper technical, the sort of stuff that like any of the three of us would probably look at and go, Okay, I get it, right. I understand the value here or there so high level that if I'm a business person, I might be sitting there going, Hey, okay, you know,you've you've reached out you've touched my heart. I understand that this this is a critical like this is a big issue we need to get fixed. But there's not enough meat there that if I took that report and handed it off to my dev lead and said, go fix this. The dev lead is going to sit there and go...

Brian Boettcher 24:09
Are you kidding me?

Brian "Noid" Harden 24:10
Yeah. Like, I don't know what to fix, according to this report says bad things can happen on the network. Are you telling me to go prevent bad things from happening on the network? So that's the thing. I find that Yeah, they either overwhelm you with details or there's not enough substance to them. Okay, so every once in a while, you get a really good one though, you get a you get a you get a really good one. If I could look at just a shout out to CoalFire actually, like their reports.

Unknown 24:39
I mean, okay, So, What is a happy medium type report for you? One that would satisfy the manager folks but also get with, you know, be technical enough. What kind of things would you like to see in reports that you get from them and feel free to you know, talk about the Coalfire thing I guess

Brian "Noid" Harden 25:02
*Chuckles*

Bryan Brake 25:06
*Chuckles* We're always trying to improve our reports that Leviathan we've gone through and done things like test evaluations and you know things like that and no it's fine you know they're they're cool with me doing my podcast on the side so but if you had when you get reports... the good ones... What do they look like well I mean what what kind of things that you're looking for and and and in a pen a proper pentest report?

Brian "Noid" Harden 25:30
Well for me being a technical person one of the things... the biggest thing I'm looking for in a report repro steps, right? If you haven't given me clear repo steps, then you have given me a useless report and that's the thing I've seen reports were basically it's... you know, hey man, we all we popped your domain controller you know, we did this we did that. Look at all freaking awesome we are... And you're like, Okay, I didn't hire you guys to be a circus sideshow. I hired you guys to show me where my risk is, and so I can focus my I know where to focus my efforts. And so those types of so those types of like, "look at how badass I am" reports don't do anything for me... what I do like there were reports that say hey you know we found a cross site scripting vulnerability on this particular product in this particular area. And here is not only screenshots of the cross site scripting vulnerability happening, but here's the repro steps because what's going to happen is, for example, you know, I see something like that and I go, Well, we got to fix that. I'm going to go to my developers. And the first thing my developers are going to ask me is, can you repro it? Can I read through it because one of the things they're going to do is after they fix it, they're going to validate the fix if they don't know how it was exploited in the first place. They're not going to know how to validate the fix. So being able to provide that information... down is is huge for me. Um, but then again, I'm also not, you know the business guy, I'm not the big money guy, I'm I want my report to be technical right so would the executives of my company get the same value out of the report? I probably not... you know when you're talking to the much higher level non technical people what you need to be doing is you need to be making sure you're talking in terms of risk. Sure, you know, you're talking in terms of risk and you're talking in terms of a not technical risk... You know, at the end of the day, the CEO of the company doesn't give a damn that SMBv1 is still on the network, right? They might not even know what that is, right? odds are I'm gonna I'm gonna go out and say they probably don't know what that is. Um, and even in that doesn't mean explain to them what it is because they're not going to care so first. We're going to go from not knowing what it is to not caring what it is. But if you express things in terms of risk of that, you know, the current network architecture, as it stands is very fragile and could be easily brought down, you know, through almost potentially accidental behavior, let alone. malicious behavior. You know, resulting in outages and SLA violations right now, you got their attention, because what they hear there is also if I don't fix this, it might cost me money.

Brian Boettcher 28:36
profit loss.

Brian "Noid" Harden 28:37
Yeah, and that's the thing. It's the, you know, depending on where they're at, in the org structure, you know, I've been in I've been in plenty of organizations before where downtime... downtime is bad... downtime is just, I mean, downtime is never good. But I mean, I've been in organizations where it's like, okay, so I just got promoted to like, super uber director guy. 48 hours into the gig. You know, we had like, a two hour outage,... I'm done.

Bryan Brake 29:08
Busted that SLA, big money...

Brian "Noid" Harden 29:10
even though even though I had nothing to do with it, I'm the accountable one. So, yeah, you have, you know, you need to be able to express things in terms that they translates to, you know, finding out like, like one of the things I back when I used to be a consultant, one of the things I always ask the executive types I'd meet on jobs is what keeps you up at night. You know, what keeps you up at night? Like what you know, don't don't worry about what I'm concerned about, what are you concerned about? Because they might be the same thing. I'm just going to talk to you about it using again, using the words that you care for and understand because I see a lot of technical people try to describe risk to non technical people and they do it by being highly technical and when it's not being understood. They fall back to being even more they take the approach of being in France... not speaking French. So I'm going to speak slower and louder, right? And, and at the end of the day, they're just going to keep shaking their heads going, Man, this guy really wants to express something to make.

Bryan Brake 30:18
Yeah, something must be really important...

Brian "Noid" Harden 30:20
...to agitated by it. I don't know what it is...

Bryan Brake 30:23
Great, now it's blue monkey poo. I don't know what's going on.

Brian "Noid" Harden 30:26
Yeah, so that's, that's it. So yeah. When you're when you're talking to leadership, expressing things in terms of the contract violations, SLA violations, financial financial impact, right? You know, like, like, one of the things I liked when PCI came out and they had like these ridiculous up to $10,000 per bit of PII that gets disclosed and then you explain to a room full of high level people that and if blank were to happen 40,000 bits of PII .would be exposed a you knnow and I'm not so good at math but my calculator here tells me at $10,000 a pop and you watch people in the room real quiet...

Bryan Brake 31:10
oh yeah no that now you know the thing is you just haven't seen a Leviathan one yet so you know if you want to you know reach out to us we'll do a pentest for you we when we don't mind coming out and hanging out doing pen tests for you so

Brian "Noid" Harden 31:24
Frank's a good friend, solid solid human being

Bryan Brake 31:26
no I mean will take your money and will give you a good will give you good drubbing. You will not get up and down left and right. You'll make it hurt. So anyway, actually, yeah, we we actually might need to talk about that a little bit later. I would not hate on that. I get money when people come in its new business. So yeah, I wouldn't hate on that at all.

Brian Boettcher 31:47
I like in in your last phrase or last sentence in your presentation. If you can, avoid even using the word security. I think that's a good summary of what we talked about.

Bryan Brake 32:00
Yeah, that got me too. I was like, Wow. Okay. So it's like, it's like the buzzword you're not supposed to say or, you know, like, you get a shock..

Brian "Noid" Harden 32:08
Treat it like a game. Yeah. Yeah, you got it like a game. But you you'd be amazed it works

Bryan Brake 32:16
hundred percent of the time. It works every time?

Brian "Noid" Harden 32:18
Yeah, hundred percent of the works every time. But, ya know, it it it definitely works because there are people too because there's conditioning, right. The history between security people and software developers is deep and it goes back

Bryan Brake 32:33
it's contentious

Brian "Noid" Harden 32:34
it's contentious at times. And, you know, obviously, you know, you try to try to try to be a good human being, trying to better the world around you. You know, try to,when you whenever you go somewhere, try to leave it in a better condition than you found it. But also understand that the person who may have been there for you may have just straight up just f the place up

Brian Boettcher 32:58
scorched earth

Brian "Noid" Harden 32:59
Yep, yeah. so and so. Yeah. And sometimes, because, I mean, I've got, I've rolled into organizations before where it's like, Why are these people so mad at me? I just got here... And it's like, oh, because the guy you replaced was just got off. And then and it sucks because it's not fair that you have to rebuild those damaged relationships because you didn't damage them. but life ain't fair?

Bryan Brake 33:22
Yep. Well, you know, what, the, the, the whole, you know, DevOps and those things, that was the, you know, the Elysian Fields for developers like, Oh, I can go do anything and enjoy everything, and then it's like, you know, we're, the "no" department where the, we're the where the ones are going to put manacles on them. So, you know, security folks have have got to learn to be flexible, compliance folks can't wield their hammer anymore, like they, they should, if they want to, you know, play with the developers in the devops and the management folks, we talked about this with Liz rice couple weeks ago about getting, you know, security into the devops area and it's like one we got it we gotta learn to be flexible we've got to help them understand that now yeah the bug feature stuff if I'd heard this when we were talking to her I'm almost certain she would agree with us on the fact that you know we can't treat security like security we have treated as feature enhancement in this case

Brian "Noid" Harden 34:16
it is a feature, you know it is a feature and increase the stability of the product that can get increases the customer base of the product it's right it has all the same things to it that any other feature would, but yeah but as far as the security being the note apartment thing to something else is like I still run into security people that they look at themselves as the "No" department that kind of pride themselves on Yeah, and when you find those people just call them out. I mean, just just tell them like, Look, man, that doesn't work. It's never work. Stop it now. Because when you're viewed as the "no" department, no one will ever want to work with you. Why would you want to?

Bryan Brake 34:57
Yep... you're a non-starter

Brian "Noid" Harden 34:59
Yeah, what's go because that was a bit of career advice I got at one point was that basically be solutions focused. You know, nobody wants to basically you're not going to go anywhere if you're the person who's calling out the problem and you might be calling out the problem more articulately than anybody else in the room, you might have a better understanding of the scope of them the depth of the problem, but there is a whole class of manager out there that will just be like, Man, that Noid guy, nothing but problems. Whereas if you instead say, you know, you kind of focus on the sort of the not really the problem, but rather you focus on the solution... "be solutions oriented" to sound like a business guy for a second. And it's like, yeah, you'd be that solutions oriented person, and especially if you can do it with a sort of positive spin, like I had a boss at one point I would stop in his office pissed off every once in a while, and I just be like this is screwed up and that screwed up and blah, blah blah. And he stopped and go "leave my office now and come back in and restate everything you just said. But in a positive way." I don't even know how it will then go sit in the hallway for a few minutes she would come back and I'd be like, okay,we have an opportunity for us. And I tell you I hated them for it. But name if it didn't work.

Bryan Brake 36:32
Oh god. Yeah, that would make complete sense. Yeah, coming in with a positive instead of negative.

Brian "Noid" Harden 36:40
So that's the thing. It's like yeah, even when your negativity is spot on and accurate. There's a lot of people that are like.. "ugh the person is always negative" And then sure enough, yeah, you start focusing on like, oh, you're the positive solutions oriented guy. Even while you're telling them that it's all basically like we're all going to Hell, but I'm doing it in a positive solutions oriented manner, and you'd be amazed how much traction I get you.

Bryan Brake 37:06
Mr. Boettcher, do you have any other thoughts or questions? I want to let Mr.Noid go, cuz he's getting a little ty ty, he's a bit sleepy and he needs to go to bed...

Brian Boettcher 37:15
There's a lot of great tidbits in here. I'm gonna have to listen to it again, and get all of them. And, and again, there's a lot of manager tools references here and, and manager tools, if you're not a manager, that's okay. It's not for managers, all that stuff they talk about is is really valuable to all employees.

Brian "Noid" Harden 37:39
What's it called, the manager tools podcast?

Bryan Brake 37:42
Yep.It's been going on for 12 years.

Brian Boettcher 37:45
Since 2006

Bryan Brake 37:46
Yeah, something like that. It's it's very big. We put a link to the three powers three types of power and one to rule them all in the in the show notes as well. So yeah, go listen to that. I listened to that it's it's one of my regular non-info sec podcast that I listened to, so I listen to it every Monday morning, and when I'm on the treadmill at the gym, so yeah, really, really excellent stuff. If you're, you're out there and, you know, yeah, I mean, it'll help you kind of understand, but if you're out there and you're not a manager yet, it might help you understand where your managers coming from, too.

All right. Mr. Noid how would people get a hold of you if they wanted to maybe have you for more podcasts appearances or, you know, speaking engagements or whatever? Are you going to be speaking anywhere soon?

Brian "Noid" Harden 38:39
Am I I don't know. No, I don't think I am right. Sorry. Are you going anywhere? So question? I am there you go. I am speaking soon. Yeah, I'm, I'm speaking at the NCC group. Open Forum. Oh, that's right. That's next weekend. I don't think it's actually been announced yet. Okay. It's I mean, it's cool for me to talk about it. But yes, it's...

Bryan Brake 39:02
the 12 (of March)

yeah it is the 12th in Fremont, so if you're outside of the Seattle area you're going to be SOL..

yeah they don't record that

Brian "Noid" Harden 39:15
but but I'm going to be giving basically the abbreviated version of my besides talk. they had they had an empty slot they needed to fill up... and they basically said could you do it I said sure and then they said it's 30 minutes long and I'm like well my talks an hour, but how will will make it work... they're I think they're a Tableau up in Fremont...

Bryan Brake 39:37
yeah I'm on that list and yeah I know Miss Crowell over there who's one of the senior managers at NCC she's great lady... she's actually not running she used to run it and and gave somebody else but she still helps out a when she can but yeah, really, really great quarterly open forum that NCC group puts out. Plus they put out a nice spread for dinner certainly good

Brian "Noid" Harden 40:00
I haven't been the one in a while, but they usually a lot of fun. I wouldn't last one of those I went to was a TLS 1.3

Bryan Brake 40:09
I was at that one too.

Brian "Noid" Harden 40:10
That worked out great. Because literally the following weekend, I spoke at DC 206 nice about TLS 1.2 right? and ended up getting Joe to come along and speak about TLS 1.3 and a much more authoritative manner than I could have. It's bad ass.

Bryan Brake 40:24
Yeah, Joe. Joe was on the steering committee for that.

Brian "Noid" Harden 40:28
Yep. Yeah, I think but yeah, that was also nice. He kept me honest. While I was given my talk. I periodically just look at them any kind of nod. I'm not going into the weeds yet. But yeah, as far as getting a hold of me goes the best way to do it is I'm on Twitter @_noid_ or you can email me at noid23@gmail.com

Bryan Brake 40:52
Yeah so yeah if you're in the Seattle area and the downtown Seattle area or Fremont area that's really nice place I think parking I think was at a premium The last time we were there

Brian "Noid" Harden 40:52
It's Fremont, parking is always at a premium

Bryan Brake 40:52
they're dodging bikes or whatever like motorized bicycles or whatever so you know

Brian Boettcher 40:52
scooters now

Bryan Brake 40:52
yeah I mean Fremont area they're really weird about their bicycle laws and stuff up there so

Brian "Noid" Harden 41:07
...and zoned parking so watch for your park too

Bryan Brake 41:32
I'm going to get Miss Berlin because you know she's got a lot going on she's you know heading up the mental health hackers group.. you can find her

was it hacker... god I hate this, um... she's @infosystir on Twitter. hackers mental health is her nonprofit. She's running that and you can find that @hackershealth on Twitter, she will come to your convention or conference and do a village. And and, you know it's a nice chill area you can go to, if you're interested in doing that

Brian "Noid" Harden 42:12
is truly doing the Lord's work too.

Bryan Brake 42:14
Yes she is. And we're very proud of her for all that she's doing. So yeah, her and Megan Roddy who's also one of our slack slack moderators... So speaking of our slack we have a very active slack community we just like I said we have "JB" who was promoted to moderator because it's been far too long and he's been doing the the European and Asia book club and he should have been a moderator for a while so did that today gave him access to our secret moderator channel and such and but yeah we have a social contract you can join us by emailing bds.podcast@gmail.com or hitting our Twitter which is the the podcast Twitter @brakesec and you can follow me on Twitter.@bryanbrake. Mr. Boettcher, you got a lot going on to sir how would people find you if we wanted to talk about the log MD stuff?

Brian Boettcher 43:10
yeah you just go to log-MD.com... Don't forget the dash right otherwise you'll you'll get some well nevermind...

Bryan Brake 43:20
Is it like WhiteHouse.com *laughs* that's an old joke kids!

Brian Boettcher 43:26
I'd like to say though if you if you do go by your developers donuts or whoever don't eat any between the pickup and drop off right because then you'll show up with four donuts and they'll be like oh thanks great there's 10 of us and you bring us for Donuts

Bryan Brake 43:41
{imitating Forrest Gump]"I had some sorry" Don't do that yeah

yea buy 13 donuts and then eat one for yourself and then say you got it doesn't you go yeah so you're making an appearance you're going to be Bsides Austin at the end of the month along with Ms. Berlin's going to be that one as well. I think?

Brian Boettcher 44:00
I am... Megan's going to be there I'm not sure. Very cool as her home base so we'll see. Nice. Yeah and the classes are cheap. I don't know if they're sold out yet but it's like $100 bucks.

Bryan Brake 44:13
Okay, awesome. Cool. Before we go, we have a store. If you want to go buy a T shirt for the Brakeing Down Security logo, you know, you can definitely go do that or get one with Miss Berlin's face on it. Which is very weird but it's still very cool I'm going to probably by pink one here in the next few weeks and thank you to our patrons people who help support the podcast but donating some money helps pay for hosting pays for the time that we're doing this also we're looking into adding some possible transcription services we've gotten a couple emails from people who are saying they want to get transcriptions of us saying "uh, um, ah" lot so I actually actually it was a gentleman by the name of Willie I think was said head hearing difficulties so he wanted to know if we had a transcription of the podcast and I feel really bad because I'm like I don't know how to reply to him and say I you know we're just a little mom and pop shop here so we're looking at transcription services maybe something like Mechanical Turk or there was one called otter.ai that we're we're looking at to maybe kind of make it better for people to hear these things

Brian "Noid" Harden 45:26
I'm actually actually suffer from degenerative hearing loss. I'm slowly going deaf myself

Bryan Brake 45:31
I've got tinnitus is from the Navy

Brian "Noid" Harden 45:32
same here. It's permanent and ongoing. And just yeah, it's like I feel for him. Yep. And hopefully transcriptions will be a thing at some point. Yeah, god's I hope so. Yeah, I mean, other than the US and about 800 times during podcast I apologize for that. But yeah, so we're, we're trying to look into that if if we can make it work we will we will do our utmost to make the podcast as available as possible to everybody. So in end up to be we have to hire somebody, he'll do it for us. So that that may be another thing, which means will need more pot Patreon money, you know that kind of thing. So if you're interested in getting full transcripts we may make that possible if we can get another maybe 20 to 30 people a 20-30 bucks a month. So but we do appreciate that the tips the you know we call them tips because you're helping to support the podcast and helping us get this out. And yeah, so for Miss Berlin who's not here sadly. And she's going to be kicking yourself because this was a really awesome podcast and Mr. Boettcher. This is Brakeing Down Security from a world headquarters here in Seattle. Have a great week. Be nice to another. Please take care of yourselves because you're the only you have and we'll talk again soon.

Brian Boettcher 46:45
Bye bye

Brian "Noid" Harden 46:46
Bye Internet people.

Transcribed by https://otter.ai

2019-010-Zach_Ruble-building_a_better_cheaper_C2_infra

Mar 18, 2019 01:12:04

Description:

Shout-out to Thomas…

    Tried to meetup while at SEA comic-con

Patreon

Log-MD

Hacker’s Health - Ms. Roddie is at TROOPERS (Ms. Berlin?)

4 podcasts?

SpecterOps Training / workshopCon  - https://www.workshopcon.com/events

Zach Ruble- @sendrublez

C2 infra using Public WebApps

TARCE - Teaching Assistant RCE(?) - they run your code every week, don’t check for backdoors before running it...

C2 Basics

    Local HTTPd server (bashfile)

    Python scrapes web server

3 components

-Servers

-Communication channels

-Malware and client

-

3 Requirements of a C2

-victim receives commands

-Vic executes

-Send results back

Web server serving a static file

Malware on machine scraping site with python requests and executing it as commands.

Crontab @reboot

 

State change = change the text field

https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-britney-spears-instagram-posts-to-control-malware/

https://uwbacm.com/

 

Long haul/short haul server

Long haul - regain persistence

Short haul - sends commands to victims

 

Slack as C2 - Blends in to the Env

    Send and receive messages

    Using Real Time Messaging API

https://3xpl01tc0d3r.blogspot.com/2018/06/how-to-use-slack-as-c2-sever.html

https://link.springer.com/chapter/10.1007/978-3-319-27137-8_24

https://glitch.com/

Https://github.com/bkup/SlackShell

 

Reddit as a C2

    “Reddit Rising”

 

Glitch.com

    Serverless platform

 

Using Google search results as

    Would Google Algos see odd behavior of hundreds of hosts searching for the same thing?

Log file analysis?

    How can we protect against this?

C2 News (If we go short) :

https://www.zdnet.com/article/outlaws-shellbot-infects-servers-for-monero-mining

Automating OSINT

https://twitter.com/jms_dot_py

http://www.automatingosint.com/blog/

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-009- Log-MD story, Noid, communicating with Devs and security people-part1

Mar 12, 2019 51:00

Description:

Log-MD story (quick one) (you’ll like this one, Mr. Boettcher)

    SeaSec East meetup

    "Gabe"

 

https://www.sammamish.us/government/departments/information-technology/ransomware-attack-information-hub/

 

New Slack Moderator (@cherokeeJB)

Shoutout to “Jerry G”

 

Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407

www.Workshopcon.com/events and that we're looking for BlueTeam trainers please

 

Any chance you can tag @workshopcon. SpecterOps and lanmaster53 when you post on Twitter and we'll retweet

 

Noid - @_noid_

noid23@gmail.com

 

Bsides Talk (MP3) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Noid_Seattle_Bsides.mp3

Slides (PDF)

https://github.com/noid23/Presentations/blob/master/BSides_2019/Its%20Not%20a%20Bug%20Its%20a%20Feature%20-%20Seattle%20BSides%202019.pdf

 

Security view was a bit myopic?

“What do we win by playing?”

Cultivating relationships (buy lunch, donuts, etc)

Writing reports

Communicating findings that resonate with developers and management

    Often pentest reports are seen by various facets of folks

    Many levels of competency (incompetent -> super dev/sec)

 

Communicating risk? Making bugs make sense to everyone…

 

The three types of power:

https://www.manager-tools.com/2018/03/three-types-power-and-one-rule-them-part-1 

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-008-windows retpoline patches, PSremoting, underthewire, thunderclap vuln

Mar 4, 2019 56:01

Description:

BrakeingDownIR show #10

GrumpySec appearance?

https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887

https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Mitigating-Spectre-variant-2-with-Retpoline-on-Windows/ba-p/295618

https://blogs.technet.microsoft.com/srd/2018/03/15/mitigating-speculative-execution-side-channel-hardware-vulnerabilities/

“Microsoft has added support for the /Qspectre flag to Visual C++ which currently enables some narrow compile-time static analysis to identify at-risk code sequences related to CVE-2017-5753 and insert speculation barrier instructions. This flag has been used to rebuild at-risk code in Windows and was released with our January 2018 security updates. It is important to note, however, that the Visual C++ compiler cannot guarantee complete coverage for CVE-2017-5753 which means instances of this vulnerability may still exist.’

Retpoline = “Return Trampoline”

    “That’s because when using return operations, any associated speculative execution will 'bounce' endlessly.”

    https://www.tomshardware.com/news/retpoline-patch-spectre-windows-10,37958.html

Cool site (Andrei) *long time podcast supporter*

UndertheWire.tech - powershell wargame

---

PSRemoting -https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-6

https://www.howtogeek.com/117192/how-to-run-powershell-commands-on-remote-computers/

https://blogs.technet.microsoft.com/askperf/2012/02/17/useful-wmic-queries/

Caveats:
Network connection you’re on must be set to “private”, not public

WinRM service has to be enabled on both the local and remote hosts (at least, I think so --brbr)

 

https://www.engadget.com/2019/02/27/dow-jones-watchlist-leaked/

http://time.com/5349896/23andme-glaxo-smith-kline/

http://thunderclap.io/

https://int3.cc/products/facedancer21 -  USB

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-007-bsides_seattle_recap-new_phishing_vector-Kernel_use_after_free_vuln

Feb 25, 2019 44:45

Description:

Bsides Seattle recap (Bryan)

New phishing technique to bypass email filters-

https://www.helpnetsecurity.com/2019/02/20/phishers-new-trick-for-bypassing-email-url-filters/

https://en.wikipedia.org/wiki/Office_Open_XML_file_formats#Relationships

Use after free in Linux kernel:

https://securityboulevard.com/2019/02/linux-use-after-free-vulnerability-found-in-linux-2-6-through-4-20-11/

https://www.webopedia.com/TERM/U/use-after-free.html

https://cwe.mitre.org/data/definitions/416.html

https://www.acodersjourney.com/top-20-c-pointer-mistakes/

https://www.kernel.org/doc/html/v4.14/dev-tools/kasan.html

https://nvd.nist.gov/vuln/detail/CVE-2019-8912

 

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-006: CSRF, XSS, infosec hypocrites, and the endless cycle

Feb 18, 2019 40:40

Description:

https://www.zdnet.com/article/google-working-on-new-chrome-security-feature-to-obliterate-dom-xss/

 

 

https://www.owasp.org/index.php/DOM_Based_XSS


CSRF - confused deputy https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

 

Google Cloud Platform - tip tricks, stuff ms. berlin learned

 

Layer 8 conference - Rhode Island’’


I was wrong…..cycles don’t sync --Ms. Berlin https://health.clevelandclinic.org/myth-truth-period-really-sync-close-friends/

 

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-005: Security Researcher attack, disabling SPECTER, and Systemd discussion

Feb 11, 2019 55:23

Description:

SpecterOps Class:  https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-boston-june-2019-tickets-54970050902

 

 

https://www.secjuice.com/security-researcher-assaulted-ice-atrient/

https://www.csoonline.com/article/3338112/security/vendor-allegedly-assaults-security-researcher-who-disclosed-massive-vulnerability.html

 

Tweet of application teardown: https://twitter.com/duniel_pls/status/1093565709630824448

 

https://www.zdnet.com/article/linux-kernel-gets-another-option-to-disable-spectre-mitigations/

https://liliputing.com/2019/02/mozillas-project-fission-brings-site-isolation-to-firefox-spectre-and-meltdown-protection.html

https://capsule8.com/blog/exploiting-systemd-journald-part-1/

 

Segue from systemd/journald into:

“Super daemon for all daemons”

    Replaced things like sysvinit, rc.d, and even inetd

Lennart Poettering and Kay Sievers

Systemd (PID1)

    Configured using only text files

        .service

        .device

        .swap

        .timer (.service file of the same time must exist)

            ‘Transient timers can be created’

            https://wiki.archlinux.org/index.php/Systemd/Timers

/etc/systemd/system/foo.timer

[Unit]
Description=Run foo weekly and on boot

[Timer]
OnBootSec=15min
OnUnitActiveSec=1w

[Install]
WantedBy=timers.target

Logs are in binary format

Cgroups - control groups

    Isolates resource usage (CPU, memory, disk I/O, network, etc) of processes

    Bound by the same criteria

    Used a lot of places (hadoop, k8s, docker, LXC)

http://without-systemd.org/wiki/index.php/Arguments_against_systemd

https://www.freedesktop.org/wiki/Software/systemd/TipsAndTricks/

https://lwn.net/SubscriberLink/777595/a71362cc65b1c271/

http://0pointer.de/blog/projects/systemd.html

https://en.wikipedia.org/wiki/Systemd

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-004-ShmooCon, and Bsides Leeds discussion, Facetime bug (with update), a town for ransom

Feb 4, 2019 44:51

Description:

Facetime bug update: https://www.cnbc.com/2019/02/01/apple-facetime-bug-fix-and-apology.html

 

ShmooCon discussion

 

Bsides Leeds discussion

 

@largeCardinal

@bsidesLeeds

https://www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-47028244

 

https://www.theverge.com/2019/1/27/18195630/gdpr-right-of-access-data-download-facebook-google-amazon-apple

 

https://www.theverge.com/2019/1/25/18198006/uber-jump-electric-scooter-austin-teen-arrested-bank-robbery-police

 

https://www.cnbc.com/2019/01/28/apple-facetime-bug-lets-you-listen-even-if-someone-doesnt-answer.html

 

https://www.news5cleveland.com/news/local-news/oh-cuyahoga/trio-of-current-and-former-officials-indicted-in-cuyahoga-county-corruption-probe

 

https://www.theverge.com/2018/12/28/18159110/centurylink-internet-911-outage-fcc-investigating

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-003-Liz Rice, creating processes to shift security farther left in DevOps

Jan 28, 2019 01:03:34

Description:

 

BIO:

Liz Rice is the Technology Evangelist with container security specialists Aqua Security, where she also works on container-related open source projects including kube-hunter and kube-bench. She was Co-Chair of the CNCF’s KubeCon + CloudNativeCon 2018 events in Copenhagen, Shanghai and Seattle, and co-author of the O’Reilly Kubernetes Security book. She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not building startups and writing code, Liz loves riding bikes in places with better weather than her native London.

Liz Rice (@lizrice on Twitter) https://www.lizrice.com/

https://medium.com/@lizrice/non-privileged-containers-based-on-the-scratch-image-a80105d6d341

https://www.forbes.com/sites/adrianbridgwater/2018/07/23/shift-happens-why-your-software-needs-to-shift-left/#41aac6047f8c

https://www.cloudops.com/2018/10/takeaways-from-liz-rice-pop-up-meetup-on-container-security/

https://thenewstack.io/cloud-native-security-patching-with-devops-best-practices/

https://changelog.com/gotime/56 - podcast with Liz

https://kubernetes-security.info - co-author of O’Reilly Kubernetes security book

https://www.slideshare.net/Docker/dont-have-a-meltdown - Liz Rice/Justin Cormack slides

https://www.bbc.com/news/technology-41753022 - NHS ransomware issue in 2017

https://docs.docker.com/config/containers/container-networking/ - docker portmapping

https://techbeacon.com/9-practical-steps-secure-your-container-deployment

 

If security needs to “Shift Left”, what can devs do to accommodate the change?

    Everyone will have to make adjustments, not just security… right?

 

Reverse uptime…

Forgotten data?

 

Test Driven Development

Why do we need security as far left?

    “We don’t patch, we just push a fix, ”

    “We’ll fix it in production…”

    Or we pump more resources to overcome perf issues

    Is there time for code reviews?

    “We don’t need change management…”

 

https://testssl.sh - @drwetter

 

Automation: How does security that solve security issues?

    Do Microservices solve everything?

    What don’t they solve?

        What does security need to embrace to make the shift less painful?

        What does development need to embrace to make the shift less painful?

            Cause security wants to get in there…

There are already DevSecOps processes a-plenty and many . Why aren’t companies adopting them?

    Maturity?

    Lack of resources?

    Negligent devs - how can you ignore the news of breaches?

 

Setting Goals

    “Start Small” - what’s an example of a small goal?

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2019-002-part 2 of the OWASP IoT Top 10 with Aaron Guzman

Jan 22, 2019 46:04

Description:

intro

CFP for Bsides Barcelona is open! https://bsides.barcelona

Aaron Guzman: @scriptingxss

https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive

https://www.owasp.org/index.php/IoT_Attack_Surface_Areas

https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html

OWASP SLACK: https://owasp.slack.com/

https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg

Team of 10 or so… list of “do’s and don’ts”

Sub-projects? Embedded systems, car hacking

Embedded applications best practices? *potential show*

Standards: https://xkcd.com/927/

CCPA:  https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act

California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327

How did you decide on the initial criteria?

Weak, Guessable, or Hardcoded passwords Insecure Network Services Insecure Ecosystem interfaces Lack of Secure Update mechanism Use of insecure or outdated components Insufficient Privacy Mechanisms Insecure data transfer and storage Lack of device management Insecure default settings Lack of physical hardening

2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)

2014 list:

I1 Insecure Web Interface I2 Insufficient Authentication/Authorization I3 Insecure Network Services I4 Lack of Transport Encryption I5 Privacy Concerns I6 Insecure Cloud Interface I7 Insecure Mobile Interface I8 Insufficient Security Configurability I9 Insecure Software/Firmware I10 Poor Physical Security

BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3

OWASP SLACK: https://owasp.slack.com/

What didn’t make the list? How do we get Devs onboard with these?

How does someone interested get involved with OWASP Iot working group?

https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf

https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf

https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf

 

https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices

 

https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

2019-001: OWASP IoT Top 10 discussion with Aaron Guzman

Jan 14, 2019 36:54

Description:

Aaron Guzman: @scriptingxss

https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive

https://www.owasp.org/index.php/IoT_Attack_Surface_Areas

https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html

OWASP SLACK: https://owasp.slack.com/

https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg

Team of 10 or so… list of “do’s and don’ts”

Sub-projects? Embedded systems, car hacking

Embedded applications best practices? *potential show*

Standards: https://xkcd.com/927/

CCPA:  https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act

California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327

How did you decide on the initial criteria?

Weak, Guessable, or Hardcoded passwords Insecure Network Services Insecure Ecosystem interfaces Lack of Secure Update mechanism Use of insecure or outdated components Insufficient Privacy Mechanisms Insecure data transfer and storage Lack of device management Insecure default settings Lack of physical hardening

2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)

2014 list:

I1 Insecure Web Interface I2 Insufficient Authentication/Authorization I3 Insecure Network Services I4 Lack of Transport Encryption I5 Privacy Concerns I6 Insecure Cloud Interface I7 Insecure Mobile Interface I8 Insufficient Security Configurability I9 Insecure Software/Firmware I10 Poor Physical Security

BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3

OWASP SLACK: https://owasp.slack.com/

What didn’t make the list? How do we get Devs onboard with these?

How does someone interested get involved with OWASP Iot working group?

https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf

https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf

https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf

 

https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices

 

https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf

2018-045: end of the year podcast!

Dec 27, 2018 01:11:26

Description:

Join the combined forces of:

Jerry Bell (@maliciousLink) from Defensive Security Podcast! (https://defensivesecurity.org/)

Bill Gardner from the "RebootIt! podcast"

https://itunes.apple.com/us/podcast/reboot-it/id1256466198?mt=2

 

Ms. Berlin and Bryan Brake for the end of the year podcast!

BrakeSec Podcast = www.brakeingsecurity.com

RSS: https://www.brakeingsecurity.com/rss

2018-044: Mike Samuels discusses NodeJS hardening initiatives

Dec 18, 2018 56:11

Description:

Mike Samuels

https://twitter.com/mvsamuel


https://github.com/mikesamuel/attack-review-testbed

https://nodejs-security-wg.slack.com/



Hardening NodeJS

 

Speaking engagement talks:

A Node.js Security Roadmap at JSConf.eu - https://www.youtube.com/watch?v=1Gun2lRb5Gw

Improving Security by Improving the Framework @ Node Summit - https://vimeo.com/287516009

Achieving Secure Software through Redesign at Nordic.js - https://www.facebook.com/nordicjs/videos/232944327398936/?t=1781



What is a package: (holy hell, why is this so complicated?)

   

A package is any of:

a) a folder containing a program described by a package.json file b) a gzipped tarball containing (a) c) a url that resolves to (b) d) a @ that is published on the registry with © e) a @ that points to (d) f) a that has a latest tag satisfying (e) g) a git url that, when cloned, results in (a).


https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4

 

https://blog.risingstack.com/node-js-security-checklist/

 

https://www.npmjs.com/package/trusted-types

https://github.com/WICG/trusted-types/issues/31

2018-043-Adam-Baldwin, npmjs Director of Security, event stream post mortem, and making your package system more secure

Dec 11, 2018 01:11:15

Description:

Adam Baldwin (@adam_baldwin)

Director of Security, npm

 

https://foundation.nodejs.org/

https://spring.io/understanding/javascript-package-managers

 

Role in the NodeJS project

    Advisory? Active role? Maintain security modules?

    Are there any requirements to being a dev?

    Are there different roles in the NodeJS environment?

    Is there any review of system sensitive packages? (or has that ship sailed…)

 

Discussion of timeline from NodeJS security team

    When were you notified? (or were you notified at all?)

    What steps were taken to fix the issue?

    Lessons learned?

 

Official npm security policy: https://www.npmjs.com/policies/security (good stuff!)

 

Event-stream (initial bug report):   https://github.com/dominictarr/event-stream/issues/116

 

Only affected bitcoin Wallets from ‘Copay’

                    https://nakedsecurity.sophos.com/2018/11/28/javascript-library-used-for-sneak-attack-on-copay-bitcoin-wallet/

“Cue relief, mixed with frustration, for anyone not targeted. Developer Chris Northwood wrote :

We’ve wiped our brows as we’ve got away with it, we didn’t have malicious code running on our dev machines, our CI servers, or in prod. This time.” (

 

https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4

“The damage this could have caused is incredible to think about. The projects that depend on this aren’t trivial either, Microsoft’s original Azure CLI depends on event-stream! Think of the systems that either develop that tool or run that tool. Each one of those potentially had this malicious code installed.”

 

https://thehackernews.com/2018/11/nodejs-event-stream-module.html

“The malicious code detected earlier this week was added to Event-Stream version 3.3.6, published on September 9 via NPM repository, and had since been downloaded by nearly 8 million application programmers.”

 

https://www.analyticsvidhya.com/blog/2018/07/using-power-deep-learning-cyber-security/

 

Hacker News (with comments): https://news.ycombinator.com/item?id=18534392

 

Official npm blog post: https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

https://blog.npmjs.org/post/175824896885/incident-report-npm-inc-operations-incident-of

https://resources.whitesourcesoftware.com/blog-whitesource/top-5-open-source-security-vulnerabilities-november-2018

 

2017 package/user stats: https://www.linux.com/news/event/Nodejs/2016/state-union-npm

 

According to npmjs.org: over 800,000 packages (854,000 packages, 7 million+ individual versions)

 

Dependency hell in NodeJS:

https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/

    “Roughly 76% of Node shops use vulnerable packages, some of which are extremely severe; and open source projects regularly grow stale, neglecting to fix security flaws.”

 

History of NodeJS security issues:

 

ESLINT: https://nodesource.com/blog/a-high-level-post-mortem-of-the-eslint-scope-security-incident/

Left-pad: https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

 

How to ensure this type of issue doesn’t happen again? (or is that possible, considering the ecosystem?)

What can devs, blueteams, or companies that live and die by NodeJS do to increase security, or assist in making NPM Security team’s job easier?

 

What the responsibility is of consumers of open source?

 

What can be done to ensure vetting for ‘important’ packages?

Can someone manage turnover? (or is that ship sailed?)

 

Security scanners:

https://geekflare.com/nodejs-security-scanner/

https://techbeacon.com/13-tools-checking-security-risk-open-source-dependencies-0

 

Threat assessment or ‘what could go wrong in the future’?

    Bad code

    “Trust issues”

    Repo corruption

    Hijacking packages

   

Keep up to date on NodeJS security issues:

https://nodejs.org/en/security/

https://groups.google.com/forum/#!forum/nodejs-sec

 

^ this is great for node, but if you want to stay up to date with security advisories in the ecosystem?

npmjs.com/advisories or @npmjs on twitter


https://rubysec.com/ -Ruby security group

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-042-Election security processes in the state of Ohio

Dec 3, 2018 01:24:50

Description:

Where in the world is Ms. Amanda Berlin?

    Keynoting hackerconWV

 

Election Security

 

Cuyahoga County:

 

Intro: Jeremy Mio (@cyborg00101

Name?

Why are you here?

 

Discussing Ohio does election operations.

    Walk through the process

Pre-Elections

Elections Night

Post Elections

 

All about the C.I.A.

Votes must be confidential

Votes must not be compromised (integrity)

Voting should be available and without outage

 

Did a tabletop exercise with all counties in Ohio (impressive!)

    Gamified, using role-reversal

    Points based system

    Different technology has different point values

 

Physical security/chain of custody

Retention

 

EI-ISAC - election infra ISAC

https://www.cisecurity.org/services/albert/ - Albert system

https://www.cisecurity.org/best-practices-part-1/ - election security best practices

 

How does the Ohio election process stack up against other states?

 

Media Perception in Elections Hacking and threats

11 year olds ‘hacking election’

    Yes, good for a new article title

    Goes to show how easy it is to actually hack systems

        Train someone on SQLI, pwn the things

 

Elections Security Operations and Preparation

Technology types

    Ballot

    Booths

    Mail-in ballots

 

Securing election infra

    What can be done to make it more secure?

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-041: part 2 of Kubernetes security insights w/ ian Coldwater

Nov 26, 2018 44:57

Description:

@IanColdwater  https://www.redteamsecure.com/ *new gig*

 

So many different moving parts

Plugins

Code

Hardware

 

She’s working on speaking schedule for 2019

 

How would I use these at home?

    https://kubernetes.io/docs/setup/minikube/

 

Kubernetes - up and running

    https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677

 

General wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes

 

https://twitter.com/alicegoldfuss - Alice Goldfuss

 

Derbycon Talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater

 

Tesla mis-configured Kubes env:

 

From the talk: https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/

 

Redlock report mentioned in Ars article:  https://redlock.io/blog/cryptojacking-tesla

 

Setup your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)

 

Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/

 

https://github.com/aquasecurity/kube-hunter -


Threat Model
    What R U protecting?

    Who R U protecting from?

    What R your Adversary’s capabilities?

    What R your capabilities?

 

Defenders think in Lists

Attackers think in Graphs

 

What are some of the visible ports used in K8S?

    44134/tcp - Helmtiller, weave, calico

    10250/tcp - kubelet (kublet exploit)

        No authN, completely open

    10255/tcp - kublet port (read-only)

    4194/tcp - cAdvisor

    2379/tcp - etcd

        Etcd holds all the configs

        Config storage

 

Engineering workflow:

    Ephemeral -  

 

CVE for K8S subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/

 

Final points:

    Advice securing K8S is standard security advice

    Use Defense in Depth, and least Privilege

    Be aware of your attack surface

    Keep your threat model in mind

 

David Cybuck (questions from Slack channel)

 

My questions are: 1. Talk telemetry?  What is the best first step for having my containers or kubernetes report information?  (my overlords want metrics dashboards which lead to useful metrics).

 

How do you threat model your containers?  Has she ever or how would she begin to run a table-top exercise, a cross between a threat model and a disaster recovery walk through, for the container infrastructure?

 

Mitre Att&ck framework, there is a spin off for mobile.  Do we need one for Kube, swarm, or DC/OS?

2018-040- Jarrod Frates discusses pentest processes

Nov 19, 2018 01:21:18

Description:

Jarrod Frates

Inguardians

@jarrodfrates

“Skittering Through Networks”

Ms. Berlin in Germany - How’d it go?

   

TinkerSec’s story:  https://threadreaderapp.com/thread/1063423110513418240.html

 

Takeaways

Blue Team:

- Least Privilege Model

- Least Access Model

    “limited remote access to only a small number of IT personnel”

“This user didn't need Citrix, so her Citrix linked to NOTHING”

“They limited access EVEN TO LOCAL ADMINS!”

- Multi-Factor Authentication

- Simple Anomaly Rule Fires

    “Finance doesn’t use Powershell”

- Defense in Depth

    “moving from passwords to pass phrases…”

“Improper disposal of information assets”

 

Red Team:

- Keep Trying

- Never Assume

- Bring In Help

- Luck Favors the Prepared

- Adapt and Overcome



Before the Test

Talk it over with stakeholders: Reasons, goals, schedules Report is the product: Get samples Who, what, when, where, why, how Talk to testers (and clients, if you can find them) Ask questions Look for past defensive experience and understanding of your needs Bonus points if they interview you as a client Red flags: Pwning is all they talk about, they set no-crash guarantees, send info in the clear Define the scope: Test type(s), inclusions, exclusions, permissions, accounts Test in ‘test/dev’, NOT PROD Social Engineering: DO THIS. Yes, you’re vulnerable. DO IT ANYWAY.

 

During the Test

Comms: Keep in contact with the testers Status reports (if the engagement is long enough) Have an established method for escalation Have an open communication style --brbr (WeBrBrs) Ask questions, but let the testers do their jobs Be available and ready to address critical events Keep critical stakeholders informed Watch your network: things break, someone else may be getting in, capture packets(?)

 

After the Test

Getting Results: Report delivered securely Initial summary: How far did they get? Actual report Written for multiple levels No obvious copy/paste Read, understand, provide feedback, and get revised version Next steps: Don’t blame anyone unnecessarily Start planning with stakeholders on fixes Contact vendors, educate staff Reacting to report Sabotaging your test Future testing

 

Ms. Berlin’s Legit business - Mental Health Hackers

 

CFP for Bsides Seattle (Deadline: 26 November 2018) http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019

 

CFP for BsidesNash https://twitter.com/bsidesnash/status/1063084215749787649 Closes Dec 31

 

Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March

 

 

heck out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-039-Ian Coldwater, kubernetes, container security

Nov 12, 2018 50:16

Description:

Ian Coldwater-

@IanColdwater  https://www.redteamsecure.com/ *new gig*

 

So many different moving parts

Plugins

Code

Hardware

She’s working on speaking schedule for 2019

How would I use these at home?

    https://kubernetes.io/docs/setup/minikube/

 

Kubernetes - up and running

    https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677

 

General wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes

 

https://twitter.com/alicegoldfuss - Alice Goldfuss

 

Derbycon Talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater

 

Tesla mis-configured Kubes env:

 

From the talk: https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/

 

Redlock report mentioned in Ars article:  https://redlock.io/blog/cryptojacking-tesla

 

Setup your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)

 

Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/

 

https://github.com/aquasecurity/kube-hunter -

 

Threat Model
    What R U protecting?

    Who R U protecting from?

    What R your Adversary’s capabilities?

    What R your capabilities?

 

Defenders think in Lists

Attackers think in Graphs

 

What are some of the visible ports used in K8S?

    44134/tcp - Helmtiller, weave, calico

    10250/tcp - kubelet (kublet exploit)

        No authN, completely open

    10255/tcp - kublet port (read-only)

    4194/tcp - cAdvisor

    2379/tcp - etcd

        Etcd holds all the configs

        Config storage

 

Engineering workflow:

    Ephemeral -  

 

CVE for K8S subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/

 

Final points:

    Advice securing K8S is standard security advice

    Use Defense in Depth, and least Privilege

    Be aware of your attack surface

    Keep your threat model in mind

 

David Cybuck (questions from Slack channel)

 

My questions are: 1. Talk telemetry?  What is the best first step for having my containers or kubernetes report information?  (my overlords want metrics dashboards which lead to useful metrics).

 

How do you threat model your containers?  Has she ever or how would she begin to run a table-top exercise, a cross between a threat model and a disaster recovery walk through, for the container infrastructure?

 

Mitre Att&ck framework, there is a spin off for mobile.  Do we need one for Kube, swarm, or DC/OS?

 

heck out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-038-InfosecSherpa, security culture,

Nov 5, 2018 59:12

Description:

@InfoSecSherpa

 

I have two talks coming up:

Empathy as a Service to Create a Culture of Security at the Cofense Submerge conference Deep Dive into Social Media as an OSINT Tool at the H-ISAC Fall Summit (Health Information Sharing and Analysis Center)

 

 

 

*Shameless Plug* My Nuzzel newsletters
https://nuzzel.com/InfoSecSherpa

https://nuzzel.com/InfoSecSherpa/cybersecurity-africa


News stories -



Biglaw Firm Hit With Cybersecurity Incident Earlier This Month (Published: 29 October 2018 | Source: Above the Law)

 

https://www.cio.com/article/3212829/cyber-attacks-espionage/hackers-are-aggressively-targeting-law-firms-data.html


Porn-Watching Employee Infected Government Networks With Russian Malware, IG Says (Published: 25 October 2018 | Source: Next Gov)

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-037-iWatch save man's life, Alexa detects your mood, and post-derby discussion

Oct 22, 2018 44:31

Description:

Health & Tech?

https://arstechnica.com/gadgets/2018/10/amazon-patents-alexa-tech-to-tell-if-youre-sick-depressed-and-sell-you-meds/

 

https://hackaday.io/project/151388-minder (774 results for “health” on hackaday)

 

(def don’t need to talk about, but still funny AF) https://hackaday.io/project/11407-myflow

 

https://9to5mac.com/2017/12/15/apple-watch-saves-life-managing-heart-attack/

 

https://www.adheretech.com/

Privacy implications?

Microsoft healthcare initiative - https://enterprise.microsoft.com/en-us/industries/health/

Apple health - https://www.apple.com/ios/health/ - https://www.apple.com/researchkit/

https://www.papercall.io/dachfest18

Make plans for next year! Follow @derbycon on Twitter!

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-036-Derbycon 2018 Audio with Cheryl Biswas and Tomasz Tula

Oct 15, 2018 39:57

Description:

Derbycon is probably one of the best infosec conferences of the calendar year. The podcast always has so much fun meeting listeners, meeting new people, and getting some audio to share with folks who can't be there.

This year, we still got some audio, and it's great. We talked with Cheryl Biswas (@3ncr1pt3d) with her talks at #Derbycon and her work with the #dianaInitiative Check out her talks at the links on @irongeek's website...

Cheryl's Track talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-1-05-draw-a-bigger-circle-infosec-evolves-cheryl-biswas

Cheryl's Stable talk: http://www.irongeek.com/i.php?page=videos/derbycon8/stable-29-patching-show-me-where-it-hurts-cheryl-biswas

I saw Tomasz near the @log-md booth, it was his first Derbycon, and I was interested in hearing what he had to say about hypervisor introspection...

Tomasz Tuzel: http://www.irongeek.com/i.php?page=videos/derbycon8/track-4-18-who-watches-the-watcher-detecting-hypervisor-introspection-from-unprivileged-guests-tomasz-tuzel

Make plans for next year! Follow @derbycon on Twitter!

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-035-software bloat is forever; malicious file extensions; WMIC abuses

Oct 1, 2018 52:43

Description:

Pizza Party Link -

https://www.eventbrite.com/e/brakesec-derbycon-pizza-meetup-tickets-50719385046

 

News stories-

 

Software/library bloat

 

http://tonsky.me/blog/disenchantment/

 

https://hackernoon.com/how-it-feels-to-learn-javascript-in-2016-d3a717dd577f

 

https://gbhackers.com/hackers-abusing-windows-management-interface-command-tool-to-deliver-malware-that-steal-email-account-passwords/

    https://hackerhurricane.blogspot.com/2016/09/avoiding-ransomware-with-built-in-basic.html

 

https://www.zdnet.com/article/windows-utility-used-by-malware-in-new-information-theft-campaigns/

 

https://attack.mitre.org/wiki/Technique/T1170  - HTA file malware examples

 

https://nakedsecurity.sophos.com/2018/09/26/finally-a-fix-for-the-encrypted-webs-achilles-heel/

 

https://www.bbc.com/news/technology-45686890 -

(facebook account hack)

 

https://github.com/eset/malware-ioc/blob/master/sednit/lojax.adoc  IOC’s from various malware

 

UEFI rootkit - https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/


Block These Extensions:

 

File Extension    File Type

.adp Access Project (Microsoft)

.app Executable Application

.asp Active Server Page

.bas BASIC Source Code

.bat Batch Processing

.cer Internet Security Certificate File

.chm Compiled HTML Help

.cmd DOS CP/M Command File, Command File for Windows NT

.cnt Help file index

.com Command

.cpl Windows Control Panel Extension(Microsoft)

.crt Certificate File

.csh csh Script

.der DER Encoded X509 Certificate File

.exe Executable File

.fxp FoxPro Compiled Source (Microsoft)

.gadget Windows Vista gadget

.hlp Windows Help File

.hpj Project file used to create Windows Help File

.hta Hypertext Application

.inf Information or Setup File

.ins IIS Internet Communications Settings (Microsoft)

.isp IIS Internet Service Provider Settings (Microsoft)

.its Internet Document Set, Internet Translation

.js JavaScript Source Code

.jse JScript Encoded Script File

.ksh UNIX Shell Script

.lnk Windows Shortcut File

.mad Access Module Shortcut (Microsoft)

.maf Access (Microsoft)

.mag Access Diagram Shortcut (Microsoft)

.mam Access Macro Shortcut (Microsoft)

.maq Access Query Shortcut (Microsoft)

.mar Access Report Shortcut (Microsoft)

.mas Access Stored Procedures (Microsoft)

.mat Access Table Shortcut (Microsoft)

.mau Media Attachment Unit

.mav Access View Shortcut (Microsoft)

.maw Access Data Access Page (Microsoft)

.mda Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)

.mdb Access Application (Microsoft), MDB Access Database (Microsoft)

.mde Access MDE Database File (Microsoft)

.mdt Access Add-in Data (Microsoft)

.mdw Access Workgroup Information (Microsoft)

.mdz Access Wizard Template (Microsoft)

.msc Microsoft Management Console Snap-in Control File (Microsoft)

.msh Microsoft Shell

.msh1 Microsoft Shell

.msh2 Microsoft Shell

.mshxml Microsoft Shell

.msh1xml Microsoft Shell

.msh2xml Microsoft Shell

.msi Windows Installer File (Microsoft)

.msp Windows Installer Update

.mst Windows SDK Setup Transform Script

.ops Office Profile Settings File

.osd Application virtualized with Microsoft SoftGrid Sequencer

.pcd Visual Test (Microsoft)

.pif Windows Program Information File (Microsoft)

.plg Developer Studio Build Log

.prf Windows System File

.prg Program File

.pst MS Exchange Address Book File, Outlook Personal Folder File (Microsoft)

.reg Registration Information/Key for W95/98, Registry Data File

.scf Windows Explorer Command

.scr Windows Screen Saver

.sct Windows Script Component, Foxpro Screen (Microsoft)

.shb Windows Shortcut into a Document

.shs Shell Scrap Object File

.ps1 Windows PowerShell

.ps1xml Windows PowerShell

.ps2 Windows PowerShell

.ps2xml Windows PowerShell

.psc1 Windows PowerShell

.psc2 Windows PowerShell

.tmp Temporary File/Folder

.url Internet Location

.vb VBScript File or Any VisualBasic Source

.vbe VBScript Encoded Script File

.vbp Visual Basic project file

.vbs VBScript Script File, Visual Basic for Applications Script

.vsmacros Visual Studio .NET Binary-based Macro Project (Microsoft)

.vsw Visio Workspace File (Microsoft)

.ws Windows Script File

.wsc Windows Script Component

.wsf Windows Script File

.wsh Windows Script Host Settings File

.xnk Exchange Public Folder Shortcut

.ade ADC Audio File

.cla Java class File

.class Java class File

.grp Microsoft Widows Program Group

.jar Compressed archive file package for Java classes and data

.mcf MMS Composer File

.ocx ActiveX Control file

.pl Perl script language source code

.xbap Silverlight Application Package

 ------------------------------

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-034-Pentester_Scenario

Sep 25, 2018 40:03

Description:

Interesting email from one of our listeners. Detailing an issue that came up on a client engagement. We walk through best ways to store information post-engagement, and what you need to do to document test procedures so you don't get bit by a potential issue perhaps months down the line.

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

2018--033-Chris_Hadnagy-SE-OSINT-vishing-phishing-book_interview-pt2

Sep 15, 2018 01:00:28

Description:

Part 2 of our interview with Chris Hadnagy
Discuss more about his book,
best ways to setup your pre-text in an engagement
how you might read someone on a poker table
a great story about Chris's favorite person “Neil Fallon” from the rock band “Clutch”
and we talk about “innocent lives foundation”, something near and dear to Chris' heart.

We start the second part of our interview with Chris with the question “are the majority of your SE engagements phishing and calls, or is it physical engagements?”

 

Sponsored Link (paperback on Amazon): https://amzn.to/2NKxLD9

SEORG book list: https://www.social-engineer.org/resources/seorg-book-list/

Chris’ Podcast: https://www.social-engineer.org/podcast/

 

SECTF at Derby (contestants are chosen)

   

 

Remembering - attention to detail

    Remembering details

    Can be the difference between success and failure

 

Social Engineering - the different aspects:

Info Gathering Time constraints Accommodating non-verbals Body language must match mood Using a slower rate of speech Suspending ego RSVP Rapport Psychology “Getting information without asking for it” Elicitation ‘The Dark Art’ -negative outcome for the target Manipulation “Getting someone to do what you want them to do” Understanding the science of compliance Influence Profiling Communications Modeling Facial Expressions Body Language Don’t overextend your reach Knowledge that comes from a point of truth, or is easily faked Pretexting Emotional Hijacking Misdirection Art Science

 

   

Questions:

    What precipitated the need to write another book?

    You bring up several successful operations, and several failures…

        How do you regroup from a failure, especially if the point of entry is someone that ‘got you’...

“The level of the assistance you request must be equal to the level of rapport you have built” -

    Seems like understanding this is an acquired skill, not set in stone…

 

Many of us in the infosec world are introverts… how do you suggest we hone our skills in building rapport without coming off as creepy?

Work place? On the commute?

Does being an introvert mean that it might take longer to get to the goal? Can we use our introverted natures to our advantage?

        Get Ryan on the show…        

                   

Lots of items

(8 principles of influence)   

 

Typical daily SE activities

    Holding a door open, then the person reciprocates

 

Framing

    We don’t ‘kill our dogs’, we ‘put them to sleep’.

 

Questions from our Slack:

 

Ben:

Do you feel there's an importance for non-InfoSec adjacent folks to learn about Social Engineering, and maybe go through some sort of training in order to navigate day-to-day life in the modern world?

 

What does an interview at Chris’ company look like?

 

https://www.innocentlivesfoundation.org/

 

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

2018-032-chris Hadnagy, discusses his new book, OSINT and SE Part 1

Sep 8, 2018 37:52

Description:

Christopher Hadnagy Interview:

Origin story connoisseur  of moonshine Social Engineering: The Science of Human Hacking 2nd Edition



Sponsored Link (paperback on Amazon): https://amzn.to/2NKxLD9

SEORG book list: https://www.social-engineer.org/resources/seorg-book-list/

Chris’ Podcast: https://www.social-engineer.org/podcast/

 

SECTF at Derby (contestants are chosen)

   

 

Remembering - attention to detail

    Remembering details

    Can be the difference between success and failure



Social Engineering - the different aspects:

Info Gathering Time constraints Accommodating non-verbals Body language must match mood Using a slower rate of speech Suspending ego RSVP Rapport Psychology “Getting information without asking for it” Elicitation ‘The Dark Art’ -negative outcome for the target Manipulation “Getting someone to do what you want them to do” Understanding the science of compliance Influence Profiling Communications Modeling Facial Expressions Body Language Don’t overextend your reach Knowledge that comes from a point of truth, or is easily faked Pretexting Emotional Hijacking Misdirection Art Science

 

   

Questions:

    What precipitated the need to write another book?

    You bring up several successful operations, and several failures…

        How do you regroup from a failure, especially if the point of entry is someone that ‘got you’...

“The level of the assistance you request must be equal to the level of rapport you have built” -

    Seems like understanding this is an acquired skill, not set in stone…

 

Many of us in the infosec world are introverts… how do you suggest we hone our skills in building rapport without coming off as creepy?

Work place? On the commute?

Does being an introvert mean that it might take longer to get to the goal? Can we use our introverted natures to our advantage?

        Get Ryan on the show…        

                   

Lots of items

(8 principles of influence)   

 

Typical daily SE activities

    Holding a door open, then the person reciprocates

 

Framing

    We don’t ‘kill our dogs’, we ‘put them to sleep’.



Questions from our Slack:

 

Ben:

Do you feel there's an importance for non-InfoSec adjacent folks to learn about Social Engineering, and maybe go through some sort of training in order to navigate day-to-day life in the modern world?

 

What does an interview at Chris’ company look like?

 

https://www.innocentlivesfoundation.org/

 

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-031-Derbycon ticket CTF, Windows Event forwarding, SIEM collection, and missing events... oh my!

Sep 1, 2018 01:08:27

Description:

We are back with a new episode this week! We got over our solutions for some of the #derbyCon ticket #CTF challenges and include links to some of the challenges. We talk about Windows Event Forwarder, and all log forwarders seem to losing events!

 

Thanks to our Patrons!

Gonna be at Derbycon, come see us!

 

Congrats to our Derbycon Ticket CTF winners!

Winner:  @gigstaggart

2nd Place: @ohai_ninja

3rd Place: @SoDakHib

 

Mr. Boettcher’s Challenge (SuperCrypto): https://drive.google.com/open?id=1657hBxRbacJRw0svG1nwzZImON3QFn1t

 

Ms.Berlin’s Challenge:

 

potato.file https://drive.google.com/open?id=1Mit7060ipK_JgDDF7sYG3XbMpZ9wyaFN

Taters.zip https://drive.google.com/open?id=1TnA16EiwLw2BberHXct8JpEsntT-GWq7

Potatoes.pcapng: https://drive.google.com/open?id=1_IATBw4OGAc7lUc7NXTcucfwU9NAROYN

 

Mr. Brake’s Challenge: https://drive.google.com/open?id=1gwGkLjWEZ42NlWiw2Eg8IQnnQAxua7B8

 

Update on Mental Health GoFundMe: http://www.derbycon.com/wellness

Thanks to the #Derbycon organizers for their time and patience on answering the questions posed.

 

Missing event issues:

https://social.technet.microsoft.com/Forums/en-US/eddf3f41-db8d-4729-a838-646cbbb45295/missing-events-on-event-subscription?forum=winservergen

https://social.technet.microsoft.com/Forums/en-US/cb34f0d3-22df-498c-a782-d1957f6852ac/forwarded-events-subscriptions-missing-information-in-eventdata-section?forum=winserverManagement

 

https://github.com/palantir/windows-event-forwarding

 

https://answers.splunk.com/answers/337939/how-to-troubleshoot-why-im-missing-events-in-my-se.html



https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows

 

https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/

 

https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4

 

https://4sysops.com/archives/windows-event-forwarding-to-a-sql-database/

 

https://blogs.technet.microsoft.com/jepayne/2017/12/08/weffles/

 

http://bpatty.rocks/blue_team/weffles.html

 

https://blogs.technet.microsoft.com/nathangau/2017/05/05/event-forwarding-and-how-to-configure-it-for-the-security-monitoring-management-pack/

 

Some issues with missing events… Everyone is affected by this!

 

WEF & PowerBI is good for small installations.

 

Any GPOs involved?

Can it be done on a server by server basis?

Can an attacker simply disable the service once initial access is achieved?

 

Pros and Cons of feeding the WEF output to a MapReduce system?

 

Not sure if they've used it, but WEF vs. winlogbeat vs. NxLog?

 

Need a config?  Get some examples here for nxlog, winlogbeat, filebeat, Windows Logging Service and other stuff...

https://www.malwarearchaeology.com/logging/

 

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-030: Derbycon CTF and Auction info, T-mobile breach suckage, and lockpicking

Aug 26, 2018 01:01:35

Description:

CTF information:

    Official site: https://scoreboard.totallylegitsite.com (thanks Matt Domko (@hashtagcyber) for hosting and allowing us to use his employee discount!)

    Please do not pentest the environment, not DDoS, nor cause anything undesirable to happen to the site.

View the page, submit the flags, leave everything else alone...

 


Derbycon Auction - starts September 8th at 9am Pacific Time

    Slack only -

        Opening bid is $175

        Increments of $25 only

    100% goes to Chris Sanders’ “Rural Technology Fund”

        https://ruraltechfund.org/donate/

 

Amanda’s mental health workshop - AWESOME!  http://www.derbycon.com/wellness/

https://www.gofundme.com/derbycon-mental-health-amp-wellbeing

 

Mandy Logan - hacking her way out of a coma!  https://www.gofundme.com/hacking-recovery-brainstem-stroke

 

https://www.theverge.com/2018/8/24/17776836/tmobile-hack-data-breach-personal-information-two-million-customers

https://www.tomsguide.com/us/tmobile-breach-2018,news-27876.html

https://art-of-lockpicking.com/single-pin-picking-skills/

 

Lockpicking - Mr. Boettcher discusses (I have thoughts too --brbr)

Tools:

Tension Wrench Picks

Parts of lock:

Cylinder Driver Pins Key Pins Springs

Sites:

https://toool.us/ https://art-of-lockpicking.com/how-to-pick-a-lock-guide/  - This is a good guide if you can get past the ADs

 

Mr. Boettcher introducing JGOR audio (@indiecom) totally not @jwgoerlich

 

Btw: https://www.flickr.com/photos/36152409@N00/sets/72157700237001915/

https://www.trustedsec.com/2018/08/tech-support-scams-are-a-concern-for-all/

 

https://twitter.com/InfoSystir/status/1032343381328973827

 

 

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-029-postsummercamp-future_record_breached-vulns_nofix

Aug 17, 2018 55:31

Description:

Post-Hacker Summercamp

 

IppSec Walkthroughs

Brakesec Derbycon ticket CTF -

 

Drama - (hotel room search gate)

  AirconditionerGate

  Personal privacy

  Ask for ID

  Call the front desk

  Use the deadbolt - can be bypassed

  Plug the peephole with TP

        Hotel rooms aren’t secure (neither are the safes)

            Probably the most hostile environment infosec people go into to try and be secure/private

 

https://247wallst.com/technology-3/2018/08/13/25-of-known-computer-security-vulnerabilities-have-no-fix/

This is the company behind a sort-of threat intel site (vulnDB) The original marketing site I figured it was marketing… it smacked of a ‘buy our product’ site\, but we don’t have to mention vulnDB

 

https://www.informationsecuritybuzz.com/expert-comments/over-146-billion-records/

    Based on study by Juniper Research

 

https://www.teepublic.com/user/bdspodcast

 

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-018-runkeys, DNS Logging, derbycon Talks

Aug 9, 2018 50:36

2018-027-Godfrey Daniels talks about his book about the Mojave Phonebooth

Aug 1, 2018 37:46

Description:

Godfrey Daniels - author of "Adventures with the Mojave Phone Booth" on sale at mojavephoneboothbook.com

 

https://en.wikipedia.org/wiki/Mojave_phone_booth

https://www.tripsavvy.com/the-mojave-phone-booth-1474047

 

https://www.dailydot.com/debug/mojave-phone-booth-back-number/

 

https://www.npr.org/2014/08/22/342430204/the-mojave-phone-booth

 

https://www.reddit.com/r/UnresolvedMysteries/comments/7wjq4a/cipher_broadcast_the_mojave_phone_booth_is_back/

 

https://twitter.com/mojavefonebooth

 

https://www.google.com/maps/place/Mojave+Phone+Booth/@35.2873088,-115.6911087,3155m/data=!3m1!1e3!4m5!3m4!1s0x80c587e7172e7259:0xbc30709b3558dd90!8m2!3d35.2856782!4d-115.6844312

 

https://www.theatlantic.com/technology/archive/2017/02/object-lesson-phone-booth/515385/

http://deathvalleyjim.com/cima-cinder-mine-mojave-national-preserve/

https://twitter.com/_noid_?lang=en

 

https://www.monoprice.com/product?p_id=8136&gclid=CjwKCAjwy_XaBRAWEiwApfjKHuwvafwlgj6K3bNw6Qoy06i0KlXrTcPu8RLUSnhdEur5Y8PlVNaB1hoClJoQAvD_BwE

 

http://www.mojavephonebooth.com/ - movie based on the phone booth itself, not the book

 

 

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-026-insurers gathering data, netflix released a new DFIR tool, and google no longer gets phished?

Jul 27, 2018 43:52

Description:

Stories and topics we covered:

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

 

https://osquery.io/

 

https://www.propublica.org/article/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates

 

https://medium.com/netflix-techblog/netflix-sirt-releases-diffy-a-differencing-engine-for-digital-forensics-in-the-cloud-37b71abd2698

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

2018-025-BsidesSPFD, threathunting, assessing risk

Jul 19, 2018 34:53

Description:

Sorry, this week's show took an odd turn, and we don't have much in the way of show notes... Ms. Berlin is recovering from knee surgery, and we wish her a speedy recovery.

Bryan B. got back from BsidesSPFD, MO this week, after what was a well-received talk on building community. Lots of other excellent talks from speakers like Ms. Sunny Wear , and impromptu panel with Ben Miller and a whole host of others, including:

@icssec
@bethayoung
@ViciousData
@killianditch
@fang0654
@SunnyWear
@awsmhacks
@sysopfb
@killamjr

We started talking about malware, and we ended up discussing a new channel in the BrakeSec Slack on #threatHunting. Appears there's a lot of information out there on the topic, so much so, that SANS is having a whole conference around it.

https://www.sans.org/event/threat-hunting-and-incident-response-summit-2018

@icssec
@bethayoung
@bryanbrake
@ViciousData
@killianditch
@fang0654
@SunnyWear
@awsmhacks
@sysopfb
@killamjr

2018-024- Pacu, a tool for pentesting AWS environments

Jul 12, 2018 55:20

Description:

Ben Caudill @rhinosecurity

Spencer Gietzen @spengietz

 

Rhino Security - https://rhinosecuritylabs.com/blog/

 

AWS escalation and mitigation blog - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

 

What is the difference between this and something like Scout or Lynis?

 

Is it a forensic or IR tool?

 

How might offensive people use this tool? What is possible when you’re using this as a ‘redteam’ or ‘pentesting’ tool?

 

S3 bucket perms?

 

Security Group policy fails

 

Some of the hardening policies for Security groups?

RDS?

 

Where are you speaking… BSLV? DefCon?


https://aws.amazon.com/whitepapers/aws-security-best-practices/

 

https://d1.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf

 

https://aws.amazon.com/whitepapers/

 

https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/

 

https://aws.amazon.com/blogs/security/how-to-enable-mfa-protection-on-your-aws-api-calls/


Slack

Patreon

Bsides Springfield

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-023: Cydefe interview-DNS enumeration-CTF setup & prep

Jul 2, 2018 55:25

Description:

Raymond Evans - CTF organizer for nolacon and Founder of CyDefe Labs

    @cydefe

CTF setup / challenges of setting up a CTF. Beginners & CTFs Types tips/tricks Biggest downfalls of CTF development

 

https://www.heroku.com/

www.exploit-db.com

 

BrakeSec DerbyCon

   

@dragosinc dragos.com

 

DNS Enumeration:

https://github.com/nixawk/pentest-wiki/blob/master/1.Information-Gathering/How-to-gather-dns-information.md

 

DNS Tools:

https://dnsdumpster.com/

https://tools.kali.org/information-gathering/theharvester

 

DNS Tutorial

https://www.youtube.com/watch?v=4ZtFk2dtqv0 (A cat explains DNS)

 

https://pentestlab.blog/tag/dns-enumeration/

 

    DNS

Logging detailed DNS queries and responses can be beneficial for many reasons. For the first and most obvious reason is to aid in incident response. DNS logs can be largely helpful for tracking down malicious behavior, especially on endpoints in a DHCP pool. If an alert is received with a specific IP address, that IP address may not be on the same endpoint by the time someone ends up investigating. Not only does that waste time, it also gives the malicious program or attacker more time to hide themselves or spread to other machines.

 

DNS is also useful for tracking down other compromised hosts, downloads from malicious websites, and if malware is using Domain Generating Algorithms (DGAs) to mask malicious behavior and evade detection.

 

NOTE: However if a Microsoft DNS solution (prior to server 2012) is in use, according to Microsoft, “Debug logging can be resource intensive, affecting overall server performance and consuming disk space. Therefore, it should only be used temporarily when more detailed information about server performance is needed.” From Server 2012 forward DNS analytic logging is much less resource intensive. If the organization is using BIND or some DNS appliance, it should have the capability to log all information about DNS requests and replies.

 

How difficult has that become with the advent of GDPR and whois record anonymization?

 

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-022-preventing_insider_threat

Jun 26, 2018 47:32

Description:

After the recent Tesla insider threat event, BrakeSec decided to discuss some of the indicators of insider threat, what can be done to mitigate it, and why it happens.

 

news stories referenced:

https://www.infosecurity-magazine.com/news/teslas-tough-lesson-on-malicious/

 

https://www.scmagazine.com/tesla-hit-by-insider-saboteur-who-changed-code-exfiltrated-data/article/774472/

 

https://en.wikipedia.org/wiki/Insider_threat

 

https://en.wikipedia.org/wiki/Insider_threat_management

 

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-021-TLS 1.3 discussion, Area41 report, wireshark goodness

Jun 20, 2018 42:43

Description:

Area41 Zurich report

Book Club - 4th Tuesday of the month

https://www.owasp.org/images/d/d3/TLS_v1.3_Overview_OWASP_Final.pdf

 

https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

TLS_DHE_RSA_AES_256_GCM_SHA256

 

TLS = Protocol

DHE = Diffie-Hellman ephemeral (provides Perfect Forward Secrecy)

    Perfect Forward Secrecy = session keys won’t be compromised, even if server private keys are

Past messages and data cannot be retrieved or decrypted (https://en.wikipedia.org/wiki/Forward_secrecy)

 

RSA = Digital Signature (authentication)

    There are only 2 (RSA, or ECDSA)

 

AES_256_GCM - HMAC (hashed message authentication code)

 

https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

https://en.wikipedia.org/wiki/HMAC#Definition_.28from_RFC_2104.29

 

https://en.wikipedia.org/wiki/Funicular

 

https://mozilla.github.io/server-side-tls/ssl-config-generator/?hsts=no

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-020: NIST's new password reqs, Ms. Berlin talks about ShowMeCon, Pwned Passwords

Jun 13, 2018 36:44

Description:

https://nostarch.com/packetanalysis3  -- Excellent Book! You must buy it.

 

DetSEC mention

 

ShowMe Con panel and keynote

 

SeaSec East standing room only. Crispin gave a great toalk about running as Standard user

 

Bsides Cleveland -

 

https://www.passwordping.com/surprising-new-password-guidelines-nist/

1Password version 7.1 integrates with Troy Hunt's "Pwned Passwords" service to check for passwords that suck

https://twitter.com/troyhunt/status/1006266985808875521

https://1password.com/sign-up/

https://www.troyhunt.com/have-i-been-pwned-is-now-partnering-with-1password/

 

1,300 complaints of GDPR breaches in the first 6 days of enablement:

https://iapp.org/news/a/irish-dpc-received-1300-complaints-since-gdpr-implementation-date/



https://www.pcisecuritystandards.org/about_us/leadership




2018-019-50 good ways to protect your network, brakesec summer reading program

Jun 6, 2018 47:22

Description:

Ms. Berlin’s mega tweet on protecting your network

 

https://twitter.com/InfoSystir/status/1000109571598364672

 

Utica College CYB617

    I tweeted “utica university” many pardons

 

Mr. Childress’ high school class

Laurens, South Carolina

 

Probably spent as much as a daily coffee at Starbucks… makes all the difference.

 

CTF Club, and book club (summer reading series)

 

Patreon

SeaSec East

 

Showmecon

Area41con

bsidescleveland



Here are 50 FREE things you can do to improve the security of most environments:

 

Segmentation/Networking:

Access control lists are your friend (deny all first)

Disable ports that are unused, & setup port security

DMZ behind separate firewall

Egress Filtering (should be just as strict as Ingress)

Geoblocking

Segment with Vlans

Restrict access to backups

Role based servers only! DNS servers/DCs are just that

Network device backups



Windows:

AD delegation of rights

Best practice GPO (NIST GPO templates)

Disable LLMNR/NetBios

EMET (when OSes prior to 10 are present)

Get rid of open shares

MSBSA

WSUS

** run as a standard user ** no ‘localadmin’




Endpoints:

App Whitelisting

Block browsing from servers. Not all machines need internet access

Change ilo settings/passwords

Use Bitlocker/encryption

Patch *nix boxes

Remove unneeded software

Upgrade firmware



MFA/Auth:

Diff. local admin passwords (LAPS) https://www.microsoft.com/en-us/download/details.aspx?id=46899

Setup centralized logins for network devices. Use TACACS+ or radius

Least privileges EVERYWHERE

Separation of rights - Domain Admin use should be sparse & audited



Logging Monitoring:

Force advanced file auditing (ransomware detection)

Log successful and unsuccessful logins - Windows/Linux logging cheatsheets



Web:

Fail2ban

For the love of god implement TLS 1.2/3

URLscan

Ensure web logins use HTTPS

Mod security

 

Other:

Block Dns zone transfers

Close open mail relays

Disable telnet & other insecure protocols or alert on use

DNS servers should not be openly recursive

Don't forget your printers (saved creds aren't good)

Locate and destroy plain text passwords

No open wi-fi, use WPA2 + AES

Password safes



IR:

Incident Response drills

Incident Response Runbook & Bugout bag

Incident Response tabletops

 

Purple Team:

Internal & OSINT honeypots

User Education exercises

MITRE ATT&CK Matrix is your friend

Vulnerability Scanner

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-018-Jack Rhysider, Cryptowars of the 90s, OSINT techniques, and hacking MMOs

May 30, 2018 34:15

Description:

https://darknetdiaries.com/

 

Jack Rhysider



Ok I think these topics should keep us busy for a while. Topics for discussion:



Do hospitals have a free pass when being attacked? #OPJUSTINA https://nakedsecurity.sophos.com/2014/04/28/anonymous-takes-on-boston-childrens-hospital-in-opjustina/ https://www.youtube.com/watch?v=eFVBz_ATAlU - when anonymous attacks your hospital

 

The oldest known vulnerability is still a big problem. Default passwords. Why haven't we fixed this yet? https://www.rapid7.com/db/vulnerabilities/telnet-default-account-admin-password-password http://census2012.sourceforge.net/paper.html



In the 90's strong crypto was illegal online. https://en.wikipedia.org/wiki/Data_Encryption_Standard https://en.wikipedia.org/wiki/EFF_DES_cracker

 

The NSA scrapes social media and regular OSINT techniques to figure out how to best attack a network. Manfred made a living hacking MMORPGs for the last 20 years. And he tried to do it as ethically as possible. When a single CA is breached, it breaks the security for the whole internet. Toy companies aren't securing children data What are options when you find a major security flaw in a home router but the vendor refuses to acknowledge it much less fix it? And there's no bug bounty.

2018-017- threat models, vuln triage, useless scores, and analysis tools

May 23, 2018 39:38

Description:

Vuln mgmt tools CVE scores suck.

 

Threat modeling is good.

 

Forces  you to know your environment

 

https://en.wikipedia.org/wiki/Kanban

 

https://blog.jeremiahgrossman.com/2018/05/all-these-vulnerabilities-rarely-matter.html

 

https://twitter.com/lnxdork/status/998559649271025664

https://www.google.com/search?q=house+centipede&rlz=1C5CHFA_enUS759US759&source=lnms&tbm=isch&sa=X&ved=0ahUKEwiypKyfpZjbAhWJjlkKHd0lASYQ_AUICigB&biw=1920&bih=983

https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

 

https://www.theregister.co.uk/2018/05/17/nethammer_second_remote_rowhammer_exploit/

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-016- Jack Rhysider, DarkNet Diaries, and a bit of infosec history (Part 1)

May 15, 2018 37:13

Description:

Converge Detroit


Jack Rhysider- Podcaster, DarkNet Diaries

https://darknetdiaries.com/

 

Do hospitals have a free pass when being attacked? #OPJUSTINA https://nakedsecurity.sophos.com/2014/04/28/anonymous-takes-on-boston-childrens-hospital-in-opjustina/ https://www.youtube.com/watch?v=eFVBz_ATAlU - when anonymous attacks your hospital

 

The oldest known vulnerability is still a big problem. Default passwords. Why haven't we fixed this yet? https://www.rapid7.com/db/vulnerabilities/telnet-default-account-admin-password-password http://census2012.sourceforge.net/paper.html

 

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-015-Data labeling, data classification, and GDPR issues

May 7, 2018 52:07

Description:

GDPR will affect any information system that processes or will process people… like it or not.

 

Derby Tickets

    CTF and auction

Keynote

    Converge Detroit

I’ll be at nolacon too

Boettcher

    Recap BDIR #3

https://blog.netwrix.com/2018/05/01/five-reasons-to-ditch-manual-data-classification-methods/

https://blog.networksgroup.com/data-loss-prevention-fundamentals



 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-014- Container Security with Jay Beale

Apr 29, 2018 01:05:30

Description:

 

 

Container security

 

Jay Beale  @inguardians , @jaybeale

 

Containers

What the heck is a container? Linux distribution with a kernel Containers run on top of that, sharing the kernel, but not the filesystem Namespaces Mount Network Hostname PID IPC Users Somebody said we’ve had containers since before Docker Containers started in 2005, with OpenVZ Docker was 2013, Kubernetes 2014 Image Security CoreOS Clair for vuln scanning images Public repos vs private Don’t keep the image running for so long? Don’t run as root More Containment stuff Non-privileged containers Remap the users, so root in container isn’t root outside Drop root capabilities Seccomp for kernel syscalls AppArmor or SELinux All of above is about Docker, what about Kubernetes Get onto most recent version of K8S - 1.7 and 1.8 brought big security improvements Network policy (egress firewalls) RBAC (define what users and service accounts can do what) Use namespaces per tenant and think hard about multi-tenancy Use the CIS guides for lockdown of K8S and the host Kube-bench

Difference between containers and sandboxing

 

Roll your own -

    Containers

        Using public registries - leave you vulnerable

        Use your own private repos for deploying containers

 

Reduce attack surface

Reduce user access

 

Automation will allow more security to get baked in.

 

https://www.infoworld.com/article/3104030/security/5-keys-to-docker-container-security.html



https://blog.blackducksoftware.com/8-takeaways-nist-application-container-security-guide





https://www.vagrantup.com/downloads.html

 

https://www.vmware.com/products/thinapp.html

 

https://www.meetup.com/SEASec-East/events/249983387/





S3 buckets / Azure Blobs

 

https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services

 

https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-013-Sigma_malware_report, Verizon_DBIR discussion, proper off-boarding of employees

Apr 20, 2018 01:05:21

Description:

Report from Bsides Nash - Ms. Berlin

New Job

Keynote at Bsides Springfield, MO

Mr. Boettcher talks about Sigma Malware infection.

 

http://www.securitybsides.com/w/page/116970567/BSidesSpfd

**new website upcoming**

Registration is coming and will be updated on next show (hopefully)

DBIR -https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf

 

VERIS framework

http://veriscommunity.net/

 

53,000 incidents

 

2,216 breaches?!

 

73% breaches were by outsiders

 

28% involved internal actors (but needs outside help?)

 

Not teaching “don’t click the link”, but instead teach, “I have no curiosity”

   

Discuss "Dir. Infosec" Slack story as method to halt infection

 

https://www.tripwire.com/state-of-security/security-awareness/women-information-security-amanda-berlin/

The “Living off the Land” trend continues with attack groups opting for tried-and-trusted means to infiltrate target organizations. Spear phishing is the number one infection vector employed by 71 percent of organized groups in 2017. The use of zero days continues to fall out of favor.

 

Off boarding people… so much process to get people on, but it’s just not mature getting people out...

 

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-012: SIEM tuning, collection, types of SIEM, and do you even need one?

Apr 12, 2018 01:00:43

Description:

Bryan plays 'stump the experts' with Ms. Berlin and Mr. Boettcher this week...

We discuss SIEM logging, and tuning...

How do SIEM deal with disparate log file types?

What logs should be the first to be gathered?

Is a SIEM even required, or is just a central log repo enough?

Which departments benefit the most from logging? (IT, IR, Compliance?)

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-011: Creating a Culture of Neurodiversity

Apr 4, 2018 01:10:36

Description:

Megan Roddie discusses being a High functioning Autistic, and we discuss how company and management can take advantage of the unique abilities of those with high functioning autism.

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2018-011.mp3

 

Matt Miller's Assembly and Reverse Engineering Class:

Still can sign up! The syllabus is here:  https://drive.google.com/open?id=1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0

 

 

SHOW NOTES:

 

Link to Megan’s slides

 Megan Roddie (@megan_roddie

Diversity - Why managers should strive for diverse teams - First, Break All the Rules: What the World's Greatest Managers Do Differently Strengths - hire people based on their strengths, not their weaknesses (see StrengthsFinder 2.0) regarding Grant and Lee Megan: 1. Achiever, 2. Learner, 3. Intellection, 4. Focus, 5. Harmony Bryan:  Learner, Ideation, Futuristic, Significance, Focus Amanda: Restorative, Learner, Input, Ideation, Focus Brian: Maximizer, Learner, Responsibility, Individualization, Belief Scores Weaknesses - weaknesses are made irrelevant by the strengths of others.  If one employee has a weakness, you can hire someone who has great strength in that area. Sports teams quote (Slide 6) What is it? (vs. neurotypical) What are weaknesses of HFAs? What are strengths of HFAs? (Slides 17 - 22) HFA One-on-one time is the SINGLE most effective management tool, works with HFAs and neurotypicals alike → guide Examples (Slide 28) Pants Introductions (vendor meet at BSides example) Some (most?) neurotypicals get offended How to manage or work with HFAs Tips (slides 32-34) Structure and Routine → Productivity Clarity → Thorough Work Patience and Understanding → Dedicated & Passionate Employee Needs

 

 

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-010 - The ransoming of Atlanta, Facebook slurping PII, Dridex variants

Mar 28, 2018 37:46

Description:

 

Matt Miller’s #Assembly and #Reverse #Engineering class

$150USD for each class, 250USD for both classes

Syllabus : https://docs.google.com/document/d/1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0/edit?usp=sharing

Please state which class you'd like to take when ordering in the "Notes" field in Paypal https://paypal.me/BDSPodcast/150usd

To sign up for both classes: https://paypal.me/BDSPodcast/250usd

 

 

Stories:

https://threatpost.com/orbitz-warns-880000-payment-cards-suspected-stolen/130601/

TLS1.3 - https://www.theregister.co.uk/2018/03/27/with_tls_13_signed_off_its_implementation_time/

https://slate.com/technology/2018/03/facebook-acknowledges-it-kept-records-of-calls-and-texts-from-android-users.html

https://www.csoonline.com/article/3264654/security/atlanta-officials-still-working-around-the-clock-to-resolve-ransomware-attack.html

https://timtaubert.de/blog/2015/11/more-privacy-less-latency-improved-handshakes-in-tls-13

 

 

Sign up for Jay Beale's class at Black Hat 2018: https://www.blackhat.com/us-18/training/aikido-on-the-command-line-linux-lockdown-and-proactive-security.html

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-009- Retooling for new infosec jobs, sno0ose, Jay Beale, and mentorship

Mar 19, 2018 01:12:03

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-009-internships-mentorships-retooling-finding-that-unicorn-pentester.mp3

Topics discussed:

How Jay Beale (@jaybeale @inguardians) and Brad A. (@sno0ose) do mentorship and apprenticeship in their respective orgs. Best methods to retool yourself if you are trying to move to a new industry Why 'hitting the ground running' isn't the sign of an immature organization...

Matt Miller’s #Assembly and #Reverse #Engineering class

$150USD for each class, 250USD for both classes

Syllabus : https://docs.google.com/document/d/1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0/edit?usp=sharing

Please state which class you'd like to take when ordering in the "Notes" field in Paypal https://paypal.me/BDSPodcast/150usd

To sign up for both classes: https://paypal.me/BDSPodcast/250usd

Tickets are already on sale for "Hack in the Box" in Amsterdam from 9-13 April 2018, and using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

Sign up for Jay Beale's class at Black Hat 2018: https://www.blackhat.com/us-18/training/aikido-on-the-command-line-linux-lockdown-and-proactive-security.html

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

SHOW NOTES:

 

Guests: Mr. Jay Beale

Guest: Mr. Brad Ammerman @?????????

 

Announcements:

RE/ASM class (Matt Miller)

SeaSec East Meetup at Black Lodge

Jay’s class at Black Hat

https://www.blackhat.com/us-18/training/aikido-on-the-command-line-linux-lockdown-and-proactive-security.html

Slack channel

“M3atshield”

 

What jobs are good segues into either blue or red teams/pentesting?

SOC Analyst (network security, pcap, IR)

SysAdmin (obviously)

Cod devs (audits, binary analysis, they know the code internals)

System architects (they know the nuts and bolts)

Security architects (segue to red team, they know how to defend, threat analysis)

Project management /management (client/customer facing, can understand the business side)

 

Journeyman pipelines vs. intern pipelines

Different than interns = Already highly skilled in ‘something’

Code devs

Physical security

audit/compliance

project/program management

System admin

Management

“generalist”

 

Retooling can be difficult

May be a paycut

Fear of failure

How do we alleviate that? (mentorship model?)

 

Companies looking for skilled people can’t look for what they want

Think in the bigger picture

 

Is not being able to see the value in a non-infosec person coming to the team a sign of immaturity in a company?

The phrase “must be able to hit the ground running”

Turn off for those wanting to make that change

Feel they must already know the job

 

People should be considered as like a block of clay, not an immutable stone.

People can change if they want to…

2 party comfort zone. Both the person changing role/title, and the company understanding where the person sits in the position.

 

mentorship/menteeship in an org

BDIR-001: Credential stealing emails, How do you protect against it?

Mar 13, 2018 01:35:37

Description:

BDIR Episode - 001

Our guests will be:

Martin Brough - Manager of the Security Solutions Engineering team in the #email #phishing industry
Topic of the Day:

CREDENTIAL STEALING EMAILS WHAT CAN YOU DO

 

Join us for Episode-001, our guest will be:

Martin Brough - Manager of the Security Solutions Engineering team in the email phishing industry

Topic of the day will be:

"CREDENTIAL STEALING EMAILS WHAT CAN YOU DO"

Show Notes:

Introductions Introduce our Guest Martin Brough Twitters - @HackerNinja Blog - InfoSec512.com

 

More show notes at https://www.imfsecurity.com/podcasts/2018/2/28/bdir-podcast-episode-001

2018-008- ransomware rubes, Defender does not like Kali, proper backups

Mar 12, 2018 58:12

Description:

https://www.auditscripts.com/free-resources/critical-security-controls/

Thanks to Slacker Ben Chung, who heard about this from John Strand...

 

BsidesIndy report - Amanda

Bsides Austin - Brian

 

Log_MD 2.0 - www.log-md.com

 

https://www.bleepingcomputer.com/news/security/only-half-of-those-who-paid-a-ransomware-ransom-could-recover-their-data/

https://itsfoss.com/kali-linux-debian-wsl/

https://www.bleepingcomputer.com/news/security/kali-linux-now-in-windows-store-but-defender-flags-its-packages-as-threats/


Matt Miller’s #Assembly and #Reverse #Engineering class

$150USD for each class, 250USD for both classes

Syllabus : https://docs.google.com/document/d/1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0/edit?usp=sharing

Please state which class you'd like to take when ordering in the "Notes" field in Paypal https://paypal.me/BDSPodcast/150usd

To sign up for both classes: https://paypal.me/BDSPodcast/250usd

Tickets are already on sale for "Hack in the Box" in Amsterdam from 9-13 April 2018, and using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

  

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

 

2018-007- Memcached DDoS, Secure Framework Documentation, and chromebook hacking

Mar 6, 2018 45:59

Description:

Topics:

Secure Framework documents Modifying chromebooks so you can use Debian/Ubuntu Memcached is the new DDoS hotness Announcement of the next BrakeSec Training Class (see Show Notes below for more info)

Link to secure framework document: https://drive.google.com/open?id=1xLfY4uI88K2AiA1mosWJ7jFyP100Jv5d

Tickets are already on sale for "Hack in the Box" in Amsterdam from 9-13 April 2018, and using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

  

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

--Show Notes--

Announcements:

Matt Miller’s class on Assembly and Reverse engineering

Starts 2 April - 6 sessions

2nd Class - 6 sessions, beginning 21 May

Beginner course on Assembly

Advanced course, dealing with more advanced topics

$150 for each class, or a $250 deal if you sign up for both classes

paypal.me/BDSPodcast/150USD - Specify in the NOTES if you want the “Beginner” or “Advanced” course

paypal.me/BDSPodcast/250USD - If you want both courses

We need a minimum of 10 students per class

 

Projects:

Chromebook with Debian

Bit of a pain, if I could be honest..

Needed USB hub with eth0, and a USB soundcard

USB3 low profile thumbdrives would be better

https://www.amazon.com/gp/product/B01K5EBCES/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1

https://www.securecontrolsframework.com/ ←--well well worth the signup

https://drive.google.com/open?id=1xLfY4uI88K2AiA1mosWJ7jFyP100Jv5d - ‘secure.xlsx’

http://www.dummies.com/programming/certification/security-control-frameworks/

Numerous security frameworks already exist:

Cisco

NiST

CoBIT

ITIL (can be utilized)

SWIFT  https://www.accesspay.com/wp-content/uploads/2017/09/SWIFT_Customer_Security_Controls_Framework.pdf

“My weird path to #infosec” on twitter

https://en.wikipedia.org/wiki/Hydrocolloid_dressing

2018-006- NPM is whacking boxes, code signing, and stability of code

Feb 27, 2018 46:18

Description:

Topics on today's show:

NPM (Node Package Manager) - bug was introduced changing permissions on /etc, /boot, and /usr, breaking many systems, requiring full re-installs. Why was it allowed to be passed, and worse, why did so many run that version on production systems?

Code signing - a well known content management system does not sign it's code. What are the risks involved in not signing the code? And we talk about why you should verify the code before you use it.

Using code without testing - NPM released a 'not ready for primetime' version of it's package manager. We discuss the issues in running 'alpha', and 'beta'

 

Tickets are already on sale for "Hack in the Box" in Amsterdam from 9-13 April 2018, and using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

 

 

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

SHOW NOTES:

Previous podcast referenced:  http://traffic.libsyn.com/brakeingsecurity/2018-005-Securing_CMS_and_mobile_devices-phishing_story.mp3

NPM -

https://www.techrepublic.com/article/series-of-critical-bugs-in-npm-are-destroying-server-configurations/

https://www.bleepingcomputer.com/news/linux/botched-npm-update-crashes-linux-systems-forces-users-to-reinstall/

Using ‘pre-production’ software without testing is not advisable

Unfortunately, many assume all software is stable

A product of ‘devops’ - failing forward “we’ll just fix it in post”

 

Talked last podcast about ‘supply chain security’

https://givan.se/do-not-sudo-npm/


https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/

 

Developers can leave a project, leaving code unmaintained… or dependencies

 

Also, a modicum of trust is required… verifying the code before you use it.

Verification that the code came from where it was supposed to

 

Many important code bases aren’t signed or have verification

Wordpress does not appear to publish file hashes

Can you always trust the download? Sure, they do TLS… but no integrity, or non-repudiation

 

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

https://www.thawte.com/code-signing/whitepaper/best-practices-for-code-signing-certificates.pdf


Bsides NASH-

https://bsidesnash.org/2018/02/20/interview-and-resume-workshop/

2018-005-Securing_your_mobile_devices_and_CMS_against_plugin_attacks

Feb 14, 2018 48:24

Description:

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2018-005-Securing_CMS_and_mobile_devices-phishing_story.mp3

Topics:

Discussion of Ms. Berlin's course

CAPEC discussion

RTF malware MS Office

A Phishing story...

Mobile Supply Chain Security

CMS Supply Chain Security

Ms. Berlin’s course - recap of 2nd session

 

Brakeing Down IR -date?

 

Any malware of note?

Upgrade your Office!  Just double-clicked, used rtf and document never opened, just the script ran.

 

Supply chain isn’t just Hardware… software stacks abound and not followed

 

Wordpress plugins, CMS plugins/themes… not monitored, weakly secure

Keeping track is as important as asset management

Do you know what your CMS is running, plugin wise?

And if plugins aren’t bad enough, you have PHP to deal with

 

Suggestions:

Buy plugins - you get what you pay for

Check what support  you get (always a good idea)

Require reviews for new plugins, and old ones, esp if they haven’t updated in a while

Are they still maintained? (abandonware bad)

New owners? (many plugins and apps get bought and then start changing permissions, or worse, serving malware)

 

Joomla -

Vulnerable Extensions list - https://vel.joomla.org/live-vel

Wordpress - WPScan     https://wpvulndb.com/plugins

https://capec.mitre.org/


https://theconversation.com/explainer-how-malware-gets-inside-your-apps-79485

PYPI - https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

CCleaner -

https://www.theverge.com/2017/9/18/16325202/ccleaner-hack-malware-security

News:

https://hotforsecurity.bitdefender.com/blog/uh-oh-how-just-inserting-a-usb-drive-can-pwn-a-linux-box-19586.html

Adversary generation systems

Red Baron - https://www.coalfire.com/Solutions/Coalfire-Labs/The-Coalfire-LABS-Blog/february-2018/introducing-red-baron

https://github.com/uber-common/metta

https://github.com/NextronSystems/

https://www.kitploit.com/2018/02/venom-1015-metasploit-shellcode.html

Quickly building Redteam Infrastructure

https://rastamouse.me/2017/08/automated-red-team-infrastructure-deployment-with-terraform---part-1/

If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box #HITB Amsterdam conference, which will take place between 9 and 13 April 2018. Tickets are already on sale,  And using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

 

 

#Spotify: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

2018-004 - Discussing Bsides Seattle, and Does Autosploit matter?

Feb 5, 2018 38:39

Description:

Show Notes:

https://docs.google.com/document/d/1CSjskf-3vrguoyIyg8yOK2KLqg7srxYlee4RD6jzgNc/edit?usp=sharing

Topics Discussed:

New tool : AutoSploit - Does it lower the bar?

How should Blue teamers be using Shodan?

Discuss WPAD attacks, what WPAD is, and why it's a thing blue teams should worry about. 

 

ANNOUNCEMENTS:

Ms. Amanda Berlin is running 4 session of her workshop "Disrupting the Killchain" starting on the 5th of February at 6:30pm Pacific Time (9:30 Eastern Time)  If you would like to sign up, the fee is $100 and you can send that to our paypal account at https://paypal.me/BDSPodcast, send as a 'gift' 

Course Syllabus:   https://docs.google.com/document/d/12glnkY0nxKU9nAvekypL4N910nd-Nd6PPvGdYYJOyR4/edit

 

  If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box #HITB Amsterdam conference, which will take place between 9 and 13 April 2018. Tickets are already on sale,  And using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

 

 

#Spotify: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

BDIR-000 ; The Beginning

Jan 30, 2018 01:04:54

Description:

Here is the inaugural episode of the "Brakeing Down Incident Response"

 

Please check it out!

 

BDIR Episode - 000

Our guests will be:

Dave Cowen - Forensic Lunch Podcast and G-C Partners
Tyler Hudak - Trainer in Malware Analysis and Reverse Engineering

Topic of the Day:

WHAT IS THIS NEW PODCAST ALL ABOUT, WHAT WILL IT COVER?

"Incident Response, Malware Discovery, and Basic Malware Analysis,
Detection and Response, Active Defense, Threat Hunting, and where does it fit within DFIR"

SHOW NOTES:
https://www.imfsecurity.com/podcast/2018/1/18/bdir-podcast-episode-000

 

 

 

2018-003-Privacy Issues using Crowdsourced services,

Jan 27, 2018 01:06:30

Description:

Back in late 2017, we did a show about expensify and how the organization was using a service called 'Amazon Mechanical Turk' (MTurk) to process receipts and to help train their Machine Learning Algorithms. You can download that show and listen to it here:  2017-040

#infosec people on Twitter and elsewhere were worried about #privacy issues, as examples of receipts on MTurk included things like business receipts, medical invoices, travel receipts and the like.

One of our Slack members (@nxvl) came on our #Slack channel after the show reached out and said that his company uses services like these at their company. They use these services to test applications, unit testing, and creation of test cases for training and refinement of their own applications and algorithms.

We discuss the privacy implications of employing these services, how to reduce the chances of data loss, the technology behind how they make the testing work, and what other companies should do if they want to employ the Mturk, CrowdFlower, or CircleCi 2

Direct Show Download:   http://traffic.libsyn.com/brakeingsecurity/2018-003-MTurk-NXVL-privacy_issues_using_crowdsourced_applications.mp3

 

ANNOUNCEMENTS:

Ms. Amanda Berlin is running 4 session of her workshop "Disrupting the Killchain" starting on the 4th of February at 6:30pm Pacific Time (9:30 Eastern Time)  If you would like to sign up, the fee is $100 and you can send that to our paypal account at https://paypal.me/BDSPodcast 

Course Syllabus:   https://docs.google.com/document/d/12glnkY0nxKU9nAvekypL4N910nd-Nd6PPvGdYYJOyR4/edit

 

  If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box #HITB Amsterdam conference, which will take place between 9 and 13 April 2018. Tickets are already on sale,  And using the checkout code 'brakeingsecurity' discount code gets you a 10% discount". Register at https://conference.hitb.org/hitbsecconf2018ams/register/

 

 

#Spotify: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

   

 

Show Notes:  

 

Mr. Boettcher gave a talk (discuss) http://DETSec.org 

Brakeing Down Incident Response Podcast

 

Amanda’s class (starts 4 february, $100 for 4 sessions, $50 for early video access)

 

I need to mention HITB Amsterdam

David’s Resume Review -- Bsides Nash Resume Review 

SANS SEC504 Mentor course

Guest: Nicolas Valcarcel

Twitter: @nxvl

 

Possible News to discuss:

https://www.reddit.com/r/sysadmin/comments/7sn23c/oh_security_team_how_i_loathe_you_meltdown/

 

Mechanical Turk

https://www.mturk.com/

CrowdFlower

https://www.crowdflower.com/

CircleCi 2.0

https://circleci.com/docs/2.0/

 

TaskRabbit

https://www.taskrabbit.com/

 

Historically:  https://en.wikipedia.org/wiki/The_Turk

 

Expensify using Amazon Mechanical Turk

https://www.theverge.com/2017/11/28/16703962/expensify-receipts-amazon-turk-privacy-controversy

 

https://www.wired.com/story/not-always-ai-that-sifts-through-sensitive-info-crowdsourced-labor/

FTA: “"I wonder if Expensify SmartScan users know MTurk workers enter their receipts. I’m looking at someone’s Uber receipt with their full name, pick up, and drop off addresses," Rochelle LaPlante, a Mechanical Turk worker who is also a co-administrator of the MTurk Crowd forum, wrote on Twitter.”

 

https://www.dailydot.com/debug/what-is-amazon-mechanical-turk-tips/

“About those tasks, they’re called HITs, which is short for Human Intelligence Tasks. A single HIT can be paid as low as a penny but may take only a couple seconds to complete. Requesters often list how long a task is supposed to take, along with the nature of the work and the requirements for completing the work.”

 

“Since mTurk has been around for over a decade, Amazon has created a special class of workers called Masters Qualification. Turkers with masters have usually completed over 1,000 HITs and have high approval ratings.”

Kind of like a Yelp for HIT reviewers?

 

Are companies like expensify aware of the data that could be collected and analyzed by 3rd parties?

Is it an acceptable risk?

 

Privacy questions to ask for companies that employ ML/AI tech?

Are they using Mturk or the like for training their algos?

Are they using Master level doers for processing?

 

Nxvl links:

Securely Relying on the Crowd (paper Draft):

https://github.com/nxvl/crowd-security/blob/master/Securely%20relying%20on%20the%20Crowd.pdf

How to Make the Most of Mechanical Turk: https://www.rainforestqa.com/blog/2017-10-12-how-to-make-the-most-of-mechanical-turk/

How We Maintain a Trustworthy Rainforest Tester Network: https://www.rainforestqa.com/blog/2017-08-02-how-we-maintain-a-trustworthy-rainforest-tester-network/

The Pros and Cons of Using Crowdsourced Work: https://www.rainforestqa.com/blog/2017-06-06-the-pros-and-cons-of-using-crowdsourced-work/

How We Train Rainforest Testers: https://www.rainforestqa.com/blog/2016-04-21-how-we-train-rainforest-testers/

AWS re:Invent: Managing Crowdsourced Testing Work with Amazon Mechanical Turk: https://www.rainforestqa.com/blog/2017-01-06-aws-re-invent-crowdsourced-testing-work-with-amazon-mturk/

Virtual Machine Security: The Key Steps We Take to Keep Rainforest VMs Secure: https://www.rainforestqa.com/blog/2017-05-02-virtual-machine-security-the-key-steps-we-take-to-keep-rainforest-vms/

2018-002-John_Nye-Healthcare's_biggest_issues-ransomware

Jan 20, 2018 01:03:28

Description:

John Nye (@EndisNye_com) is the VP of Cybersecurity Strategy at healthcare consultancy #CynergisTek. He's in the process of writing a whitepaper about the issues that are still plaguing healthcare. While every industry in the world has to deal with #security issues, the stakes are highest, and most personal, in healthcare. Because healthcare data is highly sensitive, a breach can cause major problems for the individual and #healthcare organization — in addition to embarrassment and sometimes extortion or blackmail.   We go over some of the things he's found, and discuss how we could address these issues.

 

Ms. Berlin's course "Disrupting the Kill Chain" is planned to start on the 5th of February, and will be 4 sessions, with new material if you've seen her workshop at previous conferences.  The cost of the class will be $100 USD for access to our Zoom webex. If you'd like to gain access to the videos we'll have for the class, you can buy access to them for $50 USD.

Sign up with our Paypal link: Paypal -- When paying, if you want us to send you a different email from your Paypal email, please add it to the 'NOTE' section during your payment.

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2018-002-John_Nye-Healthcares-biggest_issues-ransomware.mp3

 

#Spotify: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

From our friends at Hack In the Box Amsterdam:

"We are gearing up for the Hack In The Box Amsterdam 2018, which is now on its 9th edition, and will take place between the 9th and 13th April at the same venue as last year, the Grand Krasnapolsky hotel in the center of Amsterdam: https://conference.hitb.org/hitbsecconf2018ams/ The list of trainings is already published and looking as awesome as ever: https://conference.hitb.org/hitbsecconf2018ams/training The CFP is open and the review board is already hard at work with the first submissions."     "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 9 and 13 April 2018. The Call For Papers is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount".

2018-001- A new year, new changes, same old trojan malware

Jan 12, 2018 01:05:37

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-001-A_new_year-new_changes-same_old_malware.mp3

The first show of our 2018 season brings us something new (some awesome new additions to our repertoire), and something old (ransomware).

Michael Gough is joining us to discuss a new a partnership with BrakeSec Podcast (you'll have to listen to find out, or wait a few weeks :D )

We discuss #Spectre and #meltdown vulnerabilities, wonder about the criticality of the vulnerabilities and mitigation of them, and debate why the patching was handled in such a poor manner.

We also discuss a news story about a school that spent an exorbitant amount of money to remove a trojan that Mr. Boettcher (@boettcherpwned) and Mr. Gough (@hackerhurricane) believe to be very simply handled. We talk about the need for state and local governments and institutions to have a some way to call for breaches or 'cyber' crisis that would have a no-blame assistance helpline. 

I did a quick video, which has a demonstration of Dave Kennedy's security tool "Pentester Framework" (PTF). There's even a video of the demo on our Youtube Channel (https://youtu.be/sIc1ljkwE5Q)

Finally, we discuss our upcoming training with Ms. Berlin (@infosystir) "Disrupting the Cyber Kill Chain", which will start the first week of February and go for 4 weeks. More details next week!

#Spotify: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

From our friends at Hack In the Box Amsterdam:

"We are gearing up for the Hack In The Box Amsterdam 2018, which is now on its 9th edition, and will take place between the 9th and 13th April at the same venue as last year, the Grand Krasnapolsky hotel in the center of Amsterdam: https://conference.hitb.org/hitbsecconf2018ams/ The list of trainings is already published and looking as awesome as ever: https://conference.hitb.org/hitbsecconf2018ams/training The CFP is open and the review board is already hard at work with the first submissions."     "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 9 and 13 April 2018. The Call For Papers is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount".     ---Show Notes---  

Music change

Couldn’t remember where I got the other music


Little more news than we used to

Try to shy away from news everyone will talk about

 

Brakeing Down Incident Response (BD-IR) podcast

Hosted by Mr. Boettcher and Michael Gough

Vendor talks

Sponsors (provisionally)


News:

http://www.zdnet.com/article/wpa3-wireless-standard-tougher-wifi-security-revealed/

https://threatpost.com/new-rules-announced-for-border-inspection-of-electronic-devices/129361/

https://www.tripwire.com/state-of-security/latest-security-news/school-district-spend-314k-rebuilding-servers-malware-attack/



Upcoming Training:

Amanda? - Cyber KillChain training

Dates: Feb 5-26 Mondays at 9:30pm (4 - 1 hour)

Matt Miller - Reverse Engineering course

More advanced, still working on details with him (no promises yet)


Michael Gough - Malware Archaeology

Austin - Feb or March - 1 Day Logging training - see AustinISSA.Org

Houston - April 3rd - 1 Day - HouSecCon

Preparing and Responding to an endpoint incident, what to configure, and look for

Tulsa - April 11-12th - 2 Days - BSides Oklahoma

Introduction to responding to an endpoint incident, Malware Discovery, what to configure, and look for


Job postings on our Slack

Sr. Manager, Vuln Mgmt, Amazon (Herndon, VA)

Michael Fourdraine @mfourdraine has several positions on his team in Bellevue, WA

He’s on Twitter (https://twitter.com/mfourdraine) or join us in our Slack

Many positions he has will relocate you to lovely Bellevue, WA

MG just posted “James Avery Information Security Manager”


Teaching a mentor course in Seattle (SEC504) starting March 1st.

Sign up: https://www.sans.org/mentor/class/sec504-seattle-01mar2018-bryan-brake

Great if you work a job where you get called a lot

Less likely to have to get up during class and walk away…


Bit of a technical discussion - PTF (pentester framework)

Setup, install software

Lighter than Kali

Works on debian, ubuntu, pretty much any linux


Slack

Invite only

Slack bot died

A new link every month is a bit of a PITA

Being popular invites bots… would like to reduce that risk by broadcasting an invite


Friend of mine was invited to speak on “A man’s view of women in technology” O.o (http://www.cmhwit.org/)

“ John ---- Actually, my plan at this point is to interview several of the successful woman I know in technology, followed by personal observations of how I've seen them become well respected leaders in the field.”

2017-SPECIAL005-End of year Podcast with podcasters

Dec 23, 2017 01:25:50

Description:

As is tradition (or becoming around here) we like to get a bunch of podcasters together and just talk about our year. No prognostications, a bit of silliness, and we still manage to get in some great infosec content.

Please enjoy! And please seek out these podcasts and have a listen!

Slight warning: some rough language

People and podcasts in attendance:

Tracy Maleef (@infosecSherpa)

Purple Squad Security Podcast (@purpleSquadSec) -

John Svazic (@JohnsNotHere)

Advanced Persistent Security (@advpersistsec) - Joe Gray (@C_3PJoe)

Danny Akacki (@dakacki) - RallySec Podcast (@rallysec)

Nate L (@gangrif) - Iron Sysadmin Podcast (@ironsysadmin)

 

*NEW* we are now on Spotify!: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Sign up at 

https://brakesec.com/Dec2017BrakeSlack

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

From our friends at Hack In the Box Amsterdam:

"We are gearing up for the Hack In The Box Amsterdam 2018, which is now on its 9th edition, and will take place between the 9th and 13th April at the same venue as last year, the Grand Krasnapolsky hotel in the center of Amsterdam: https://conference.hitb.org/hitbsecconf2018ams/ The list of trainings is already published and looking as awesome as ever: https://conference.hitb.org/hitbsecconf2018ams/training .  The CFP is open and the review board is already hard at work with the first submissions."     "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 9 and 13 April 2018. The Call For Papers is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount".

2017-042-Jay beale, Hushcon, Apple 0Day, and BsidesWLG audio

Dec 16, 2017 01:06:30

Description:

Ms. Berlin and Mr. Boettcher are on holiday this week, and I (Bryan) went to Hushcon (www.hushcon.com) last week (8-9 Dec 2017). Lots of excellent discussion and talks.

While there, our friend Jay Beale (@jaybeale) came on to discuss Hushcon, as well as some recent news. 

Google released an 0day for Apple iOS, and we talk about how jailbreaking repos seem to be shuttering, because there have not been as many as vulns found to allow for jailbreaking iDevices.

We also went back and discussed some highlights of the DFIR hierarchy show last week (https://brakesec.com/2017-041) and some of the real world examples of someone who has seen it on a regular basis. Jay's insights are something you shouldn't miss

Finally, Ms. Berlin went to New Zealand and gave a couple of talks at Bsides Wellington (@bsideswlg). She interviewed Chris Blunt (https://twitter.com/chrisblunt) and "Olly the Ninja" (https://twitter.com/Ollytheninja) about what makes a good con. 

 

Direct Link: https://brakesec.com/2017-042

*NEW* we are now on Spotify!: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Sign up at 

https://brakesec.com/Dec2017BrakeSlack

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

From our friends at Hack In the Box Amsterdam:

"We are gearing up for the Hack In The Box Amsterdam 2018, which is now on its 9th edition, and will take place between the 9th and 13th April at the same venue as last year, the Grand Krasnapolsky hotel in the center of Amsterdam: https://conference.hitb.org/hitbsecconf2018ams/ The list of trainings is already published and looking as awesome as ever: https://conference.hitb.org/hitbsecconf2018ams/training .  The CFP is open and the review board is already hard at work with the first submissions."     "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 9 and 13 April 2018. The Call For Papers is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount".

 

 

 

 

--Show Notes--

 

https://github.com/int0x80/githump

 

http://ptrarchive.com/

 

https://hunter.io/

 

https://www.data.com/

 

https://techcrunch.com/2017/11/27/ios-jailbreak-repositories-close-as-user-interest-wanes/

https://securelist.com/unraveling-the-lamberts-toolkit/77990/

 

2017-041- DFIR Hierarchy of Needs, and new malware attacks

Dec 8, 2017 01:02:18

Description:

Maslow's Hierarchy of needs was developed with the idea that the most basic needs should be satisfied to allow for continued successful development of the person and the community inevitably created by people seeking the same goals.

DFIR is also much the same way in that there are certain necessary basics needed to ensure that you can detect, respond, and reduce possible damage inflicted by an attack.

In my searching, we saw a tweet about a #github from Matt Swann (@MSwannMSFT) with just such a ' #DFIR hierarchy of needs'. We discuss everything that is needed to build out a proper DFIR program.

Mr. Boettcher discusses with us the latest #malware trends, using existing compromised emails to spread using threaded emails.

 

 

Direct Download Link: https://brakesec.com/2017-041

*NEW* we are now on Spotify!: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Sign up at 

https://brakesec.com/Dec2017BrakeSlack

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS 

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

--Show Notes--

 

Malware report

 

https://www.lastline.com/labsblog/when-scriptlets-attack-excels-alternative-to-dde-code-execution/

 

https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html

 

https://github.com/swannman/ircapabilities -  DFIR Hierarchy

 

Based on Maslow’s Hierarchy of needs: https://en.wikipedia.org/wiki/Maslow's_hierarchy_of_needs

Requirements must be met before you can move on.

It’s not perfect, but gives a general idea of how needs should be met.

 

 

2017-040-Expensify_privacy_issues-Something_is_rotten_at_Apple

Dec 1, 2017 47:29

Description:

With Mr. Boettcher out this week due to family illness, Ms. Berlin and I discussed a little bit of what is going on in the world.

Expensify unveiled a new 'feature' where random people would help train their AI to better analyze receipts. Problem is that the random people could see medical receipts, hotel bills, and other PII. We discuss how they allowed this and the press surrounding it. We also discuss why these kinds of issues are prime reasons to do periodic vendor reviews.

Our second story was on Apple's "passwordless root" account. We talk about the steps to mitigate it, why it was allowed to happen, and why the most straight forward methods of dealing with something like this may not always be the best way.

 

 

Direct Link: https://brakesec.com/2017-040

 

*NEW* we are now on Spotify!: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Sign up at 

https://brakesec.com/Dec2017BrakeSlack

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

 

---Show Notes---

Agenda:

Trip report from Amanda to New Zealand

Did we talk about Amanda’s appearance on PSW?

 

Discuss last week’s show about custom training

Comments? Suggestions for custom training solutions?

 

https://www.sans.org/mentor/class/sec504-seattle-01mar2018-bryan-brake

Expensify -

https://www.wired.com/story/not-always-ai-that-sifts-through-sensitive-info-crowdsourced-labor/

https://www.theverge.com/2017/11/28/16703962/expensify-receipts-amazon-turk-privacy-controversy

 

How is this different than like a medical transcriptionist?

Don’t you go in and modify the receipts yourself? Or is that a feature you can force?

 

It’s a privacy issue.

Hotel receipts, boarding passes, even medical receipts

 

Turn off ‘smart scan’?

Many companies like using it, and some will only accept smart scanned receipts

Fat fingering receipts isn’t ‘cool’

Snap a photo, move along

 

Expensify is global, and could have wide reaching effects for this new ‘feature’...

Expensify used Mechanical Turk, a ‘human intelligence tasks’

Micropayments to do menial tasks

 

Example of why periodic review of your 3rd parties is necessary

New ‘features’ = new nightmares

Privacy requirements change

Functionality not in alignment with your business goals

Apple ‘passwordless root’

http://appleinsider.com/articles/17/11/29/apple-issues-macos-high-sierra-update-to-fix-password-less-root-vulnerability

 

HIgh Sierra before today (29 November 2017) had the ability to login as root with no password…

That is a problem… Original Tweet: https://twitter.com/lemiorhan/status/935578694541770752

 

It also works on remote services, like ARD (apple remote desktop), and file shares…

Rolling IR

Was it necessary?

Serious, yes

Was discovered two weeks prior https://forums.developer.apple.com/thread/79235

Dev (chethan177) on the forum “didn’t realize it was a security issue”

 

Easy enough fix  (Bryan IR story)

Open Terminal

Sudo passwd root

Change password

 

Do you trust users to do that? Not across a large enterprise

 

2017-039-creating custom training for your org, and audio from SANS Berlin!

Nov 24, 2017 43:13

Description:

This week is a bit of a short show, as Ms. Berlin and Mr. Boettcher are out this week for the holiday.  

I wanted to talk about something that I've started doing at work... Creating training... custom training that can help your org get around the old style training.

 

Also, we got some community audio from one of our listeners! "JB" went to a SANS event in Berlin, Germany a few weeks ago, and talked to some attendees, as well as Heather Mahalick (@HeatherMahalik), instructor of the FOR585 FOR585: Advanced Smartphone Forensics"

Take a listen and we hope you enjoy it!

 

Direct Link: https://brakesec.com/2017-039

 

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Sign up at 

http://brakesec.com/brakesec

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

---Show notes (from Bryan and JB)---

 

Ms. Berlin in New Zealand

 

Mr. Boettcher with the family

 

Training

 

What makes us despise training so much?

Cookie cutter

Scenarios do not match environments

Speaking is a little too perfect

Flash based

UI is horrible

Outdated

Easy questions

 

Infosec training is worse

2 hours of training each year

Not effective

 

Why not make your own?

Been doing it at work

No more than 7 minutes

Custom made

Tailored for your own company

 

Do you training like a talk at a con

Time limit: 7 (no more than 10 minutes)

Create some slides (5-7 slides)

Do it on a timely topic

Recent tabletop exercise results

Recent incident response

Phishing campaign

Script or no-script required

Sometimes talking plainly can be enough

 

https://screencast-o-matic.com/ - Windows (free version is 7 minutes long)

Quicktime - OSX (free) (Screenflow)

Handbrake (convert to MKV or MP4)

Microphone (can use internal microphones if you have a quiet place)


[begin notes: SANS Berlin REMOTE segment]
corresp. JB

reach jb at
(@cherokeejb_) on brakesec slack, twitter, & infosec.exchange


--link to all trainers and info from archive SANS Berlin 2017 https://www.sans.org/event/berlin-2017/


--pre-NetWars chat with the SEC 503 class:
-what do you like about SANS conference
-european privacy laws, even country to country!
-biggest priority for next year:  building a SOC, working together with sales, asset management, constant improvement, password reuse

--special BrakeSec members only cameo


--“bring your own device” interview with an Information Security/forensics professional
password elimination or no reuse


--interview with Heather Mahalik (@HeatherMahalik)
Bio https://www.sans.org/instructors/heather-mahalik
-“game over” whatsapp, unpatched android, other known-historically weak tools as “assume breach of mobile”
-interesection of network forensics and mobile
-open source tools and the lack of, how to judge your tools
-Heather’s recent blog
-getting into mobile, decompiling, etc.
-number one topic for next year:  encryption for Andriod 8 Oreo, iOS 12
-“most popular android is still v4.4”

Heather’s blog we mentioned
http://smarterforensics.com

link to the book Heather mentioned:
https://www.amazon.com/Practical-Mobile-Forensics-Heather-Mahalik/dp/1786464209/


--link to blog mentioned, jb’s initial reflections on SEC 503

https://www.linkedin.com/pulse/whaaaa0101-0000-0011t-aka-extracting-files-out-pcaps-foremost
JBs blog main link, or if you’re not a fan of linkedin
https://cherokeejb.blogspot.de/

small featured music clips used with permission from YGAM Records, Berlin
“Ж” by the artist Ōtone (Pablo Discerens), (c)(p)2016
Get it for free or donate at http://ygam.bandcamp.com !

book club EMEA!:
message JB or David (@dpcybuck) or any of us on brakesec slack if you want to take part in the book club conversations live, but can’t make the main call !


--
-
[end segment]

 

2017-038- Michael De Libero discusses building out your AppSec Team

Nov 16, 2017 56:10

Description:

Direct Link: https://brakesec.com/2017-038

 

Michael De Libero spends his work hours running an application security team at a gaming development company. I (Bryan) was really impressed at the last NCC Group Quarterly meetup when he gave a talk (not recorded) about how to properly build out your Application Security Team.

So I asked him on, and we went over the highlights of his talk. Some of the topics included:

Discussing with management your manpower issues

Who to include in your team

Communication between teams

 

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Sign up at 

http://brakesec.com/brakesec

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

 

 

 

----SHOW NOTES:

 

Amanda’s appearance on PSW

 

Building an AppSec Team - Michael de Libero (@noskillz)

 

https://techbeacon.com/owasp-top-ten-update-what-your-security-team-needs-know\

 

https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

 

https://www.veracode.com/blog/2012/02/how-to-build-an-appsec-training-program-for-development-teams-a-conversation-with-fred-pinkett

 

Need link to Michael’s slides -- https://docs.google.com/presentation/d/1Bvl2rybuWMdOu3cs03U85zwAvrM1RNxv99Dt-YiGiys/edit?usp=sharing

 

Random Notes from Mike:

Hiring WebApps vs More traditional apps Release cycles differ Tech stacks can often differ Orgs are different Etc… Testing-focus vs. “security health” Role of management Managing a “remote” team Handling incoming requests from other teams

 

How do you sell a company on having an appsec team if they don’t have one?

 

If you have an existing ‘security team’, how easily is it to augment that into an appsec team?

Can you do job rotation with some devs?

Do devs care enough to want to do code audits

“That’s not in my job description”

 

Skills needed in an appsec team

Does it depend on the tech used, or the tech you might use?

 

Internal security vs. consultants

 

Intro to RE course with Tyler Hudak

 

Bsides Wellington speaker Amanda Berlin

2017-037 - Asset management techniques, and it's importance, DDE malware

Nov 8, 2017 52:29

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-037-asset_management.mp3

We started off the show talking to Mr. Boettcher about what DDE is and how malware is using this super legacy Windows component (found in Windows 2) to propogate malware in MS Office docs and spreadsheets. We also talk about how to protect your Windows users from this.

We then get into discussing why it's so important to have proper asset management in place. Without knowing what is in your environment, you could suffer gaps in coverage of your anti-virus/EDR software, unable to patch systems properly and even make it easier for lateral movement.

Finally, we discuss our recent "Introduction to Reverse Engineering" course with Tyler Hudak (@secshoggoth), and Ms. Berlin's upcoming trip to New Zealand.

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.slack.com/join/shared_invite/enQtMjY2NDAyMzgxNjAwLWFjZTc1YzVlYWExM2U5ZjhiNDYwZTIzN2UxNjM1OWIwYzBkMjgzYmY4ZjA2MzViNzQ2ZTUzMGQ2YWYwYWY3NTM or DM us on Twitter, or email us.

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

SHOW NOTES:

 

Oreilly con report

Malware report from Mr. Boettcher

DDE (Dynamic Data Exchange), all the rage

https://en.wikipedia.org/wiki/Windows_2.0

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27325/en_US/McAfee_Labs_Threat_Advisory-W97MMacroLess.pdf

http://home.bt.com/tech-gadgets/computing/10-facts-about-windows-2-11364027546216

https://www.ghacks.net/2017/10/23/disable-office-ddeauto-to-mitigate-attacks/

 

Why asset management?

Know what’s in your environment

CIS Top 20...no wait, it’s the TOP THREE of the 20.

It all builds on this…

Know what’s in your environment

http://www.open-audit.org/

https://metacpan.org/pod/App::Netdisco

2017-036-Adam Shostack talks about threat modeling, and how to do it properly

Oct 30, 2017 01:34:54

Description:

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3

Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly.

We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using.

Mr. Boettcher asks how to handle when people believe an OS is better than another, how to do threat modeling to decide which OS should be the one to use.

 

Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto).

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

SHOW NOTES:

 

Ideas and suggestions here:

 

Start with “What is threat modeling?”   What is it, why do people do it, why do organizations do it?

What happens when it’s not done effectively, or at all?

 

At what point in the SDLC should threat modeling be employed?

Planning?

Development?

Can threat models be modified when new features/functionality gets added?

Otherwise, are these just to ‘check a compliance box’?

Data flow diagram (example) -

 

process flow

External entities

Process

Multiple Processes

Data Store

Data Flow

Privilege Boundary

 

Classification of threats-

STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security)

DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)

PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf

Trike -  http://octotrike.org/

 

https://en.wikipedia.org/wiki/Johari_window

 

Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf

 

Escalation Of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303

 

NIST CyberSecurity Framework: https://www.nist.gov/cyberframework

 

Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx

Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx

Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx

OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling

OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon

Emergent Design:  https://adam.shostack.org/blog/2017/10/emergent-design-issues/

 

https://www.researchgate.net/profile/William_Yurcik/publication/228634178_Threat_Modeling_as_a_Basis_for_Security_Requirements/links/02bfe50d2367e32088000000.pdf

 

Robert Hurlbut (workshop presenter at SourceCon Seattle) https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source)

 

Adam’s Threat modeling book

http://amzn.to/2z2cNI1 -- sponsored link

https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/ref=mt_paperback?_encoding=UTF8&me=

 

Is the book still applicable?

New book

 

What traps do people fall into?  Attacker-centered, asset-centered approaches


Close with “how do I get started on threat modeling?”

SecShoggoth’s Class “intro to Re”

Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model

2017-SPECIAL004- SOURCE Conference Seattle 2017

Oct 22, 2017 48:09

Description:

After last year's SOURCE Conference, I knew I needed to go again, not just because it was a local (Seattle) infosec conference, but because of the caliber of speakers and the range of topics that were going to be covered.

I got audio from two of the speakers at the SOURCE conference (@sourceconf) on Twitter

Lee Fisher and Paul English from PreOS Security about UEFI security and methods to secure your devices  https://preossec.com/

 

Joe Basirico discusses the proper environment to get the best out of your bug bounty program. 

points from his abstract:

Bug Bounty Programs - Why you want to invite security researchers to hack your products

Marketing your Security Program - How and why to market your security program. What to say, how to say it, and where to say it for maximum effectiveness.

How to Communicate with Security Researchers - What are security researchers expecting in communication, responsiveness, transparency, and time to fix.

 

Source conference YouTube Channel:  https://www.youtube.com/channel/UCAPQk1fH2A4pzYjwTCt5-dw/videos (2017 is not available yet, but all talk from 2008-2015 is available)

agenda of the talks that occurred at Source Seattle 2017 

https://www.sourceconference.com/seattle-2017-agenda

https://www.sourceconference.com/copy-of-seattle-2016-agenda-details

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2017-035-Business_Continuity-After_the_disaster

Oct 16, 2017 59:20

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-035-business_continuity-After_the_disaster.mp3

 

We are back this week after a bit of time off, and we getting right back into it...

What happens after you enact your business continuity plan? Many times, it can cause you to have to change processes, procedures... you may not even be doing business in the same country or datacenter, and you may be needing to change the way business is done.

We also talk a bit about 3rd party vendor reviews, and what would happen if your 3rd party doesn't have a proper plan in place.

Finally, we discuss the upcoming #reverseEngineering course starting on 30 October 2017 with Tyler Hudak, as well some upcoming appearances for Ms. Berlin at SecureWV, GrrCon, and Bsides Wellington, #newZealand

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---SHOW NOTES---

You have enacted your BC/DR plan

Step 1. Panic

Step 2. Panic more, or let your management panic

Step 3. Follow the plan… you do have a plan, right?

 

Enacting a BC/DR plan

RPO/RTO - https://www.druva.com/blog/understanding-rpo-and-rto/

 

Recovery Point Objective (RPO) describes the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan’s maximum allowable threshold or “tolerance.”

 

https://en.wikipedia.org/wiki/Recovery_point_objective

 

Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.

 

https://en.wikipedia.org/wiki/Recovery_time_objective

 

https://uptime.is/99.99

 

Excerpt from "Defensive Security Handbook" -

Buy from Amazon (sponsored link):  http://amzn.to/2zcmWBY

Recovery Point Objective

 

The recovery point objective (RPO) is the point in time that you wish to recover to. That is, determining if you need to be able to recover data right up until seconds before the disaster strikes, or whether the night before is acceptable, or the week before, for example. This does not take into account of how long it takes to make this recovery, only the point in time from which you will be resuming once recovery has been made. There is a tendency to jump straight to seconds before the incident; however, the shorter the RPO, the more the costs and complexity will invariably move upwards.

Recovery Time Objective

 

The recovery time objective (RTO) is how long it takes to recover, taken irrespective of the RPO. That is, after the disaster, how long until you have recovered to the point determined by the RPO.

 

To illustrate with an example, if you operate a server that hosts your brochureware website, the primary goal is probably going to be rapidly returning the server to operational use. If the content is a day old it is probably not as much of a problem as if the system held financial transactions whereby the availability of recent transactions is important. In this case an outage of an hour may be tolerable, with data no older than one day once recovered.

 

In this case the RPO would be one day, and the RTO would be one hour.

 

There is often a temptation for someone from a technology department to set these times; however, it should be driven by the business owners of systems. This is for multiple reasons:

 

It is often hard to justify the cost of DR solutions. Allowing the business to set requirements, and potentially reset requirements if costs are too high, not only enables informed decisions regarding targets, but also reduces the chances of unrealistic expectations on recovery times.

 

IT people may understand the technologies involved, but do not always have the correct perspective to make a determination as to what the business’ priorities are in such a situation.

 

The involvement of the business in the DR and BCP plans eases the process of discussing budget and expectations for these solutions.

 

RPO should be determined when working through a Business impact analysis (BIA)

https://www.ready.gov/business-impact-analysis

 

https://www.fema.gov/media-library/assets/documents/89526

 

There is always a gap between the actuals (RTA/RPA) and objectives

After an incident or disaster, a ‘Lessons Learned’ should identify shortcomings and adjust accordingly.

This may also affect contracts, or customers may require re-negotiation of their RTO/RPO requirements

 

If something happens 4 hours after a backup, and you have an hour until the next backup, you have to reconcile the lost information, or take it as a loss

Loss = profits lost, fines for SLAs

 

You may not be doing the same after the disaster. New processes, procedures

 

https://www.bleepingcomputer.com/news/security/fedex-says-some-damage-from-notpetya-ransomware-may-be-permanent/

Ms. Berlin’s appearances

Grrcon - http://grrcon.com/

 

Hack3rcon/SecureWV -  http://securewv.com/

 

Oreilly Conference - https://conferences.oreilly.com/security/sec-ny/public/schedule/detail/61290

Experts Table?

 

Bsides Wellington (sold-out)

----

CLASS INFORMATION

Introduction to Reverse Engineering with Tyler Hudak

Starts on 30 October - 20 November

4 Mondays

Sign up on our Patreon (charged twice, half when you sign up, half again when 1 November happens

2017-SPECIAL003-Audio from Derbycon 2017!

Oct 8, 2017 01:15:06

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-SPECIAL003-Derbycon_audio.mp3

Mr. Boettcher, Ms. Berlin, and I went to Derbycon. In addition to the podcast with podcasters we did during the 3 days, I managed to grab another whole hour of audio from various people at the conference, just to give you an idea of the vibe of the conference, in case you were unable to attend.

 

We talked to the FOOOLs (http://www.bloomingtonfools.org/), and how they have done the lockpick village for the last 7 years.

We talk to Ms. Wynter (@sec_she_lady) about her experiences at her first Derbycon.

Mr. Matt Miller (@milhous30) talked about some of his #reverse #engineering challenges that were in the #Derbycon #CTF

Lots of great talks happened there this year, check them all out over on @irongeek's site (http://www.irongeek.com/i.php?page=videos/derbycon7/mainlist)

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2017-034-Preston_Pierce, recruiting, job_descriptions

Oct 2, 2017 01:02:06

Description:

*Apologies for the continuity this was recorded before we went to Derbycon 2017.*

 

Preston Pierce is a recruiter. We wanted to have him on to discuss some issues with our industry. So we had him on to discuss hiring practices, how a recruiter can help a company recruiter better talent, and how to stop companies looking for the 'unicorn' candidate.

Preston is a great guy and we learned a lot about how the recruiting process works, and how Preston's company work differently from other, less reputable companies.

We also discuss job descriptions, getting management buy in for a good candidate, and more. 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-034-Preston_Pierce_recruiting_job_descriptions.mp3

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 Show Notes:

 

https://news.slashdot.org/story/17/09/01/1729237/us-employers-struggle-to-match-workers-with-open-jobs

 

Blueteamers

 

Looking at job descriptions,

Fix if outdated or unnecessary

 

Managers

 

Be realistic about expectations

 

Recruiters

 

Better research of people

Discuss realistic demands from customers

 

You

Update your LinkedIn removing overly generalized terms (healthcare, for example)

When should you reach out to a recruiter? Right away? After you’ve already completed some leg work?

Companies do a poor job of marketing for their current openings.

2017-SPECIAL002-Derbycon-podcast with podcasters (NSF Kids/Work)

Sep 27, 2017 01:18:31

Description:

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-SPECIAL002-Derbycon-Podcast_with_podcasters.mp3

 

SUPER NOT SAFE for kids (and probably adults, come to think of it). Really this is just us riffing about derbycon (and I really love @oncee, and wished I'd gone to his stable talk (which you can listen/watch here: http://www.irongeek.com/i.php?page=videos/derbycon7/s07-the-skills-gap-how-can-we-fix-it-bill-gardner)

We actually did talk about the skills gap, resume workshop held at Derbycon, and so much else. 

 

If you haven't been to Derbycon, you should definitely make plans now to attend...

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2017-033- Zane Lackey, Inserting security into your DevOps environment

Sep 18, 2017 01:00:36

Description:

Zane Lackey (@zanelackey on Twitter) loves discussing how to make the DevOps, and the DevSecOps (or is it 'SecDevOps'... 'DevOpsSec'?)

So we talk to him about the best places to get the most bang for your buck getting security into your new DevOps environment. What is the best way to do that? Have a listen...

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-033-Zane_Lackey_inserting_security_into_your_DevOps.mp3

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

--SHOW NOTES--

 

Security shifts from being a gatekeeper to enabling teams to be secure by default

Require a culture shift

Should that be implemented before the shift to CI/CD, or are we talking ‘indiana jones and the rock in the temple’?


How?

Secure coding?

Hardening boxes/Systems?

 

If it’s just dev -> prod, where does security have the chance to find issues (i.e. test and QA belong there)?

 

We used to have the ability for a lot of security injection points, but no longer

 

Lowers the number of people we have to harangue to be secure…?

 

Security success = baked in to DevOps

 

Shift from a ‘top down’ to ‘bottom up’

Eliminate FPs, and forward on real issues to devs

Concentrate on one or two types of vulnerabilities

Triage vulns from most important to least important

 

Go for ‘quick wins’, or things that don’t take a lot of time for devs to fix.

Grepping for ‘system(), or execve()’

Primitives (hashing, encryption, file system operations)

How do you stop a build going to production if it’s going out like that?

Do we allow insecurity to go to Production?

Or would it be too late to ‘stop the presses’?

“We’ll fix it in post…”


Instead of the ‘guardrail not speedbump’ you are the driving instructor...

 

But where does security get in to be able to talk to devs about data flow, documentation of processes?

5 Y’s - Why are you doing that?

 

Setup things like alerting on git repos, especially for sensitive code

Changing a sensitive bit of code or file may notify people

Will make people think before making changes

Put controls in terms of how they enable velocity

 

You like you some bug bounties, why?

 

Continuous feedback

 

Learn to find/detect attackers as early in the attack chain

 

Refine your vuln triage/response

 

Use bug reports as IR/DFIR...

 

https://www.youtube.com/watch?v=ORtYTDSmi4U

 

https://www.slideshare.net/zanelackey/how-to-adapt-the-sdlc-to-the-era-of-devsecops

 

http://www.slideshare.net/zanelackey/building-a-modern-security-engineering-organization

 

 

 

In SAST, a modern way to decide what to test is start with a small critical vuln, like OS command injection.  Find those and get people to fix it.  BUT don’t developers or project teams get unhappy [sic] if you keep "moving the goal post" as you add in the next SAST test and the next SAST test.  How do you do that and not piss people off?

 

[15:16]

How do you make development teams self sufficient when it comes to writing a secure application?  Security is a road block during a 3 month release schedule….getting "security approval" in a 3 day release cycle is impossible.

 

[15:17]

But then…what is the job for the security team?  If DevOps with security is done right, do you still need a security team, if so what do they do????  Do they write more code???

I don't think your Dev'ops'ing security out of a job...but where does security see itself in 5 years?

Last one if there is time and interest.  If Zane Lackey was a _maintainer_ of an open source project, what dev ops sec lessons would he apply to that dev model…to the OpenSource model?

(We've got internal projects managed with the open source model...so im interested in this one)

Even with out any of those questions the topics he covered in his black hat talk are FULL of content to talk about.  Heck, even bug bounties are a topic of conversation.

The idea of a feedback loop to dev...where an application under attack in a pen test can do fixes live....how that is possible is loads of content.

 

2017-032-incident response tabletops, equifax breach

Sep 12, 2017 47:38

Description:

Everyone should be doing incident response tabletops, even if it's not a dedicated task in your organization. It allows you to find out what you might be lacking in terms of processes, manpower, requirements, etc.

This week, we discuss what you need to do to get ready for one, and how those should go in terms of helping your organization understand how to handle the aftermath.

And in case you've been under a rock, #equifax was breached.  143 million credit records are in the ether. We discuss the facts as of 9 September 2017, and what this means to the average user.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-032-incident_response-equifax-done2.mp3

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

 

---SHOW NOTES---

Incident response

 

Must go beyond ‘threats’.

What is in your environment

Struts aren’t a threat, or are they?

Equifax didn’t think so at the time…

Insider threat

External entities

Libraries

plugins/themes used (Wordpress)

 

Risk analysis

Qualitative

Quantitative

 

What makes a good incident response exercise (

 

 

 

Following the creation and implementation of security controls around use cases, can be the testing of tabletop exercises and drills as a proof of concept. A tabletop exercise is a meeting of key stakeholders and staff that walk step by step through the mitigation of some type of disaster, malfunction, attack, or other emergency in a low stress situation. A drill is when staff carries out as many of the processes, procedures, and mitigations that would be performed during one of the emergencies as possible.
While drills are limited in scope, they can be very useful to test specific controls for gaps and possible improvements. A disaster recovery plan can be carried out to some length, backups can be tested with the restoration of files, and services can be failed over to secondary cluster members.
Tabletop exercises are composed of several key groups or members.


During a tabletop exercise there should be a moderator or facilitator that will deliver the scenario to be played out. This moderator can answer “what if ” questions about the imaginary emergency as well as lead discussion, pull in additional resources, and control the pace of the exercise. Inform the participants that it is perfectly acceptable to not have answers to questions during this exercise. The entire purpose of tabletops is to find the weaknesses in current processes to mitigate them prior to an actual incident.
• A member of the exercise should also evaluate the overall performance of the exercise as well as create an after-action report. This evaluator should take meticulous notes as well as follow along any runbook to ensure accuracy. While the evaluator will be the main notetaker, other groups and individuals may have specific knowledge and understanding of situations. In this case having each member provide the evaluator with their own notes at the conclusion of the tabletop is a good step.
• Participants make up the majority of this exercise. Included should be groups such as Finance, HR, Legal, Security (both physical and information), Management, Marketing, and any other key group that may be required. Participants should be willing to engage in the conversation, challenge themselves and others politely, and work within the parameters of the exercise.


What to include in the tabletop:
• A handout to participants with the scenario and room for notes.
• Current runbook of how security situations are handled.
• Any policy and procedure manuals.
• List of tools and external services.


Post-exercise actions and questions:
• What went well?
• What could have gone better?
• Are any services or processes missing that would have improved resolution time or accuracy?
• Are any steps unneeded or irrelevant?
• Identify and document issues for corrective action.
• Change the plan appropriately for next time.


Tabletop Template
The Federal Emergency Management Agency (FEMA) has a collection of different scenarios, presentations, and tabletops that can be used as templates.

 

Derbycon channel on Slack

Intro to RE class

 

https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

 

https://hackernoon.com/a-series-of-unfortunate-events-or-how-equifax-fire-eye-threw-oil-on-the-fire-c19285f866ed

2017-031-Robert_Sell-Defcon_SE_CTF-OSINT_source

Sep 4, 2017 01:03:47

Description:

This week, we met up with Robert Sell to discuss competing in the DefCon Social Engineering CTF. You're gonna learn how he prepared for the competition, and learn about some of the tactics you could use to compete in future SE CTF events.

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-031-Robert_Sell-Defcon-SE-CTF.mp3

 

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2017-030-Vulnerability OSINT, derbycon CTF walkthrough, and bsides Wellington!

Aug 29, 2017 52:37

Description:

This week, we discuss the lack of information and where you might find more information about certain vulnerabilities. Seems like many companies fail to give out necessary and actionable information without paying an arm and a leg.

We also go over our DerbyCon CTF walkthrough, and discuss the steps to solve it.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-030-vulnerability_OSINT-derbycon_CTF_walkthrough.mp3 

 

Ms. Berlin is going to be at Bsides Wellington!  Get your Tickets NOW!

https://twitter.com/bsideswlg

https://www.bsides.nz/

 

 

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

--show notes--

 

NCC group talks in Seattle

NIST guidelines - no security questions, no SMS based 2fa

 

Vuln OSINT

 

Sites have information like Spokeo…

Breadcrumbs

 

Take Java for example (CVE-2017-10102): info is sparse

Other sites have more

https://tools.cisco.com/security/center/viewAlert.x?alertId=54521 - worse than Oracle’s site (impressive crappery)

Some are better: RHEL is fairly decent

https://access.redhat.com/errata/RHSA-2017:2424

Ubuntu has some different tidbits

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10102.html

Arch has info

https://security.archlinux.org/CVE-2017-10102

Point is, just because you use a specific OS, don’t limit yourself… other OSes may contain more technical info. Some maintainers like to dig, like you.

 

https://vuldb.com/ - gives value of finding such a PoC for a vuln (5-25K USD for 2017-10102)

 

Derbycon CTF walkthrough

 

Looking for an instructor for an ‘intro to RE’ course.

Dr. Pulaski = Diana Maldaur

Dr. Crusher = Gates McFadden

 

2017-029-CIS benchmarks, Windows Update reverts changes used to detect malware

Aug 20, 2017 01:17:41

Description:

This week was one heck of a show. If you are a blueteamer and make use of the "Windows Logging Cheat Sheet", you are no doubt aware of how important it is to log certain events, and to set hostile conditions to make malware/Trojans/virus have a harder time avoiding detection.

What if I told you the same updates we suggested last week to NEVER delay actually undoes all your hardening on your system and leaves your logfiles set to defaults, all file associations for suspect files like pif, bat, scr, bin, are set back to defaults, allow your users to be victims again, even after you've assured them they are safe to update?

After a sequence of tweets from Michael Gough about just this exact thing, we laid out all the information, how and what get reverted that will open you back up to possible infections, as well as how some hardening standards actually make it harder to be secure.

Finally, we discuss the CIS benchmarks, and how many of the settings in them are largely outdated and why they need to be updated.

 

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-029-windows_updates_clobbers_security__settings_CIS_hardening_needs_an_update.mp3

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

--SHOW NOTES--

 

Gough says ‘something is bad about CIS’

 

CIS benchmarks need revamping -- BrBr

/var, /var/log in separate partitions?

Password to access grub?

Disable root login to serial pty?

Many cloud instances and VMs don’t have serial ports (not in a traditional sense)

 

What’s the use case for using them? What problem will they solve?

Misconfiguration?

Proper logging?

NTP sources?

 

So many, dilution possible

SCAP

OVAL

STIG (complex as well)

CIS

 

Infosec: how do we get IT past the “that’s good enough”, as many customers and compliance frameworks want to see ‘hardening’ done.

What is a good baseline?

Write your own?

 

How do we tell them that it’s not going to stop ‘bad guys’ ( or anyone really)? It’s not ‘security’, and it’s technically not even ‘best practices’ anymore (not all of it, anyway)

On windows, they are needlessly complicated and cause more problems

Roles have to be created “backup admin”

Can cause unintended issues

 

https://twitter.com/HackerHurricane/status/898629567056797696

 

https://twitter.com/HackerHurricane/status/892838553528479745

 

Category            Sub Category                                      7/2008  8.1     2012    Win-7   Win-8.1 WLCS    ThisPC  Notes

 

Detailed Tracking   Process Termination                       NA      NA      NA      NA      NA      S/F     S

Object Access       File Share                                           NA      NA      NA      NA      NA      S/F     S/F    

Object Access       File System                                         NA      NA      NA      F       NA         S       S/F    

Object Access       Filtering Platform Connection           NA      NA      NA      NA      NA      S       S      

Object Access       Filtering Platform Packet Drop          NA      NA      NA      NA      NA      NA      NA

 

Log Sizes:

-------------

Security - 1 GB

Application – 256MB

System – 256MB

PowerShell/Operational – 512MB – 1 GB v5

Windows PowerShell – 256MB

TaskScheduler – 256MB

 

Log Process Command Line                                             (5)     (5)     (5)     (5)     (5)     Yes     Yes

-------------------------------------------------------------------------------------------------------------------------

PowerShell Logging v5                                                    (5)     (5)     (5)     (5)     (5)     Yes     Yes

-------------------------------------------------------------------------------------------------------------------------

TaskScheduler Log                                                          (5)     (5)     (5)     (5)     (5)     (1)     Yes

-----------------------------------------------------------------------------------------------------------------

 

(5) - CIS Benchmarks, USGCB, and AU ACSC do not cover this critical auditing item

2017-028-disabling WU?, Comcast wireless hack, and was it irresponsible disclosure?

Aug 13, 2017 54:45

Description:

 This week went in a different direction from what we normally do. We discussed some news, a twitter conversation about someone from the 'ahem' "media" that suggests that you disable Windows Update on your home devices. We discuss the pros and mostly cons of doing that, and alternatives to protect your home and work devices from that.

We talked about the Comcast Xfinity applicances and how they have a vulnerability that could make it appear that traffic created by people outside of your house could look like it was coming from your home network.

We discuss the public disclosure of Carbon Black's architecture and seeming sharing of customer events to 3rd parties... it's not all black and white, and we discuss those here.

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

---SHOW NOTES---

Twitter discussion -

https://twitter.com/Computerworld/status/894611609355603968

 

http://www.computerworld.com/article/3214146/microsoft-windows/it-s-time-to-check-your-windows-machines-and-temporarily-turn-off-automatic-update.html

 

[sic] “tons of problems with Automatic Update patches so far this year”

[sic] “if you’re savvy enough to be reading this, you should consider turning Auto Update off, too”

 

Advocating disabling auto-updates in an OS is reckless.

Home networks for majority of users is completely flat

One Vlan (e.g. 192.168.1.0/24)

‘Savvy’ = technical

Which many of our users are not

 

Probable scenario: Bad guy targets you or family through a phish. They gain access to family computers, and pivot through those to your office computer

 

Blue teamers: suggest backups and backup options to keep their data safe and allow them to feel safer with automatic updates enabled, and VLANs if possible

 

Typically enterprises will hold off a few days or a week to push out Windows patches; Auto-updates are controlled.

The twitter guy said that in more recent Windows versions, WU take precedence over WSUS… need to confirm that… -- brbr

Confirmed… you can override WU… https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/

 

http://www.computerworld.com/article/3213929/microsoft-windows/the-case-against-windows-automatic-update.html

http://www.csoonline.com/article/3214487/security/pentest-firm-calls-carbon-black-worlds-largest-pay-for-play-data-exfiltration-botnet.html#tk.twt_cso

--this-- not because of title, but because of people jumping to conclusions (example of irresponsible disclosure)

Agreed… that shiz is damaging -- brbr

 

 

 

NoStarch TCP guide - https://www.nostarch.com/tcpip.htm

IPV4 -https://en.wikipedia.org/wiki/IPv4

 

[graphic of IPv4 header from wikipedia article]

 

IHL - size of the header (minimum of 5)

DSCP - has to do with traffic shaping and QoS

ECN - notifies the network of congestion and allows infrastructure to implement congestion controls to compensate

Must be supported by both ends, and completely optional to enforce

Total Length - total size of the packet

Identification - interesting field, you can use it to hide data (Covert_TCP), otherwise, it’s used for ‘used for uniquely identifying the group of fragments of a single IP datagram”

 

https://github.com/tcstool/Fireaway

 

http://www.securityweek.com/coolest-talk-defcon-25-no-one-writing-about

 

2017-026-Machine_Learning-Market Hype, or infosec's blue team's newest weapon?

Aug 4, 2017 01:09:02

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-026-Ally_miller_machine-learning-AI.mp3

Ally Miller (@selenakyle) joined us this week to discuss Machine Learning and #Artificial #Intelligence. It seems like every new security product employs one or both of these terms. She did the keynote at Bsides Las Vegas on topics of #Machine #Learning and #Behavioral #Economics.

We asked Ms. Miller to join us here to discuss what ML and AI are, how algorithms work to analyze the data to come to the right conclusion. What is required to get a useful algorithm, and how much or little human interaction is required?

We also discuss a bit of history with her, how IDS/IPS were just dumber versions of machine learning, with 'tweaks' being new Yara or snort rules to tell the machine what to allow/disallow. 

Finally, we discussed how people who are doing our 2017 DerbyCon CTF, instructions on how to win are in the show, so please take a listen.

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

 

 

show notes

 

what is the required amount of data required to properly train the algorithms

 

how do you ensure that the training data is clean (or perhaps how do you determine what causes a false positive or negative)

 

Xoke Soru: "why are you trying to make skynet and kill us all?  Do you hate humanity?"

 

Who will ML replace? Who in security?

 

Ask why people get confused between AI and Machine learning, and where the fine line is between the two or is one actually a subset of the other.

 

Basically.. "in what way/how do you see ML being used in an offensive capacity in the future (or now)"

 

https://en.wikipedia.org/wiki/Artificial_neural_network

 

https://en.wikipedia.org/wiki/Machine_learning

 

https://en.wikipedia.org/wiki/Portal:Machine_learning

 

https://www.slideshare.net/allyslideshare/something-wicked-78511887

 

https://www.slideshare.net/allyslideshare/201209-a-million-mousetraps-using-big-data-and-little-loops-to-build-better-defenses

 

https://conferences.oreilly.com/velocity/vl-ca/public/schedule/detail/61751

 

O’Reilly Conference 31 October

 

Mick douglas class

Derbycon CTF

Book club

 

Patreon

slack

2017-025-How will GDPR affect your Biz with Wendyck, and DerbyCon CTF info

Jul 23, 2017 01:10:49

Description:

Direct Link:http://traffic.libsyn.com/brakeingsecurity/2017-025-How-GDPR-affects-US-Biz-with-Wendyck-Derbycon2017-CTF-info.mp3

 

GDPR (General Data Protection Regulation) is weighing on the minds and pocketbooks of a lot of European companies, but is the US as worried? If you read many of the news articles out there, it ranges from 'meh' to 'OMG, the sky, it is falling". GDPR will cause a lot of new issues in the way business is being done, not just in the realm of security, but in the way data is managed, maintained, catalogued, and shared.

This week we invited Ms. Wendy Everette Knox (@wendyck) to come in and discuss some of the issues that might hit companies. We also discuss how GDPR and the exit (or not) of the UK from the #European #Union will affect data holders and citizens of the UK.

If your company is preparing for the #GDPR mandate, check out the show notes for a lot of good info.

ALSO, If you are looking for a ticket to #derbycon 2017, you need to listen to this show, because it has all the info you need to get started.  The info is also in the show notes, including the form you need to post your flag information.

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---Show Notes:----

 

 

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1]

 

 

Would it be better if companies stored less data, or de-anon it to the point where a breach

 

Massive fines for breaches. Usually some percentage of profits…

 

(up to 4% of annual global turnover or €20 Million (whichever is greater))

 

“Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours of the data breach (Article 33).”

 

Is 72 hours for notification realistic? For massive breaches, 72 hours is just enough time to contain

 

Right to be forgotten (not realistic):

“A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014.[19][20] Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case (f) where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data “

 

GDPR full text:

http://ec.europa.eu/newsroom/document.cfm?doc_id=45631

 

Good intro:

https://www.taylorwessing.com/globaldatahub/article-the-data-protection-principles-under-the-gdpr.html

 

Controversial topics:

http://www.eugdpr.org/controversial-topics.html

 

Key Changes:

http://www.eugdpr.org/key-changes.html

 

Difficulty of doing GDPR in the cloud

https://hackernoon.com/why-gdpr-compliance-is-difficult-in-the-cloud-9755867a3662

US businesses largely ignoring GDPR

http://www.informationsecuritybuzz.com/expert-comments/us-businesses-ignoring-gdpr/#infosec

 

Fears of breach cover-up (due to massive fines ‘up to 4% of profits’)

http://tech.newstatesman.com/news/gdpr-cover-ups-security

 

From the UK ICO, 12 steps to take now to prepare for GDPR https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf (has a nice infographic on p. 2)

 

https://www.auditscripts.com/

 

CTF for derby ticket

Level 1-

The internet is a big place :) I’ve hidden 3 flags out on it and it’s your job to see how many you can find. I’ll give you a few hints to start.

 

Company Name = Big Bob’s Chemistry Lab There’s something illegal going on, find out what!! Submit flags here https://goo.gl/forms/iUEVHNuSYr34OZA22  

2017-024-infosec_mental_health_defcon_contest-with-rand0h-and-tottenkoph

Jul 17, 2017 01:30:56

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-024-mental_health_podcast-with-Rand0h-and-tottenkoph.mp3

The infosec industry and the infosec culture is so diverse, with many different points of view, many different thoughts and opinions, and many of us deal with our own internal demons, like addictions, mental afflictions like depression or bipolar disorders. And 'imposter syndrome' is another thing that seems to add to the mix, making some believe they have to be constantly innovating or people think negatively of them.

So this week, we invited Ms. Magen Wu (@tottenkoph), and Danny (@dakacki) and we discuss some coping mechanisms at things like conferences, and if you work at home, like a lot of consultants and researchers do...

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat and Defcon

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

 

-------

Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel.

To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August.

 

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

--Show Notes--

Chris Sanders: Cult of Passion

http://chrissanders.org/2017/06/the-cult-of-passion/

 

Exercise

Start playing ingress or Pokemon Go, just to get out and gamify activity

 

Reduce alcohol consumption

Defcon : Friends of Bill W.

Agent X : 3/5K events at Defcon

 

Critics comments

You won’t please everyone, so don’t try

 

Spend time away from infosec

Family, friends

Hobbies

 

If you are in a job with ‘secrets’, find someone to talk to

Another person with the same ‘secrets’ or similar job

 

https://www.scientificamerican.com/article/gut-second-brain/

 

@DAkacki (what is your podcast @rallysec)

Da667’s book

[I love murder]@tottenkoph

@jimmyvo

@andMYhacks (works with Jimmy)

@infosecmentors

 

2017-023-Jay_Beale_Securing Linux-LXC-Selinux-Apparmor-Jails_and_more

Jul 10, 2017 01:09:44

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-023-Jay_Beale-selinux-apparmor-securing_lxc.mp3

 

Jay Beale works for a pentest firm called "Inguardians", and has always been a fierce friend of the show. He's running a class at both BlackHat and Defcon all about hardening various parts of the Linux OS. This week, we discuss some of the concepts he teaches in the class. 

Why do we disable Selinux? Is it as difficult to enable as everyone believes? What benefit do we get from using it? 

We also discuss other hardening applications, like ModSecurity for Apache, Suhosin for PHP, and Linux Containers (LXC). What is gained by using these, and how can we use these to our advantage?

Really great discussion with Jay, and please sign up for his class for a two day in-depth discussion of all the technologies discussed on the show.

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat and Defcon

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

 

-------

Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel.

To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August.

 

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

---

Show Notes:

 

AppArmor

 

SELinux

 

Privilege Escalation - InGuardians Murderboard

 

Port Knocking (Single Pack Authorization)

 

OSSEC

 

ModSecurity

 

Linux Containers

 

Jess frizelle -bane

 

Dan walsh - selinux

 

Selinux troubleshoot daemon

 

https://en.wikipedia.org/wiki/System_call

 

“In computing, a system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system.”

 

OpenBSD pledge(2): https://man.openbsd.org/pledge.2

 

https://www.raspberrypi.org/products/raspberry-pi-2-model-b/

 

Suhosin

 

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

@inguardians

@jaybeale

www.inguardians.com


----

 

What are you doing at Black Hat and Def Con?

 

Training class at Black Hat - 2 days Def Con Workshop - ModSecurity and AppArmor - 4 hours Packet Hacking Village Workshop - Container security Vapor Trail at Def Con Labs (Larry and Galen) Dancing my butt off?

2017-022-Windows Hardening, immutable laws of security admins, and auditpol

Jul 4, 2017 53:48

Description:

Direct Link to Download: http://traffic.libsyn.com/brakeingsecurity/2017-022-windows_and_AD_Hardening.mp3

This week, we discuss hardening of windows hosts, utilizing CIS benchmarks. We talk about the 'auditpol' command. And we dredge up from the ancient times (2000) the Microsoft article from Scott Culp "The 10 Immutable Laws of Security Administration". Are they still applicable to today's environment, 17 years later?

 

 

Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel.

To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August.

 

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

--SHOW NOTES--

10 immutable laws of Security administration: https://technet.microsoft.com/library/cc722488.aspx

Really great stuff

On This Page

Law #1: Nobody believes anything bad can happen to them, until it does

Law #2: Security only works if the secure way also happens to be the easy way

Law #3: If you don't keep up with security fixes, your network won't be yours for long

Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with

Law #5: Eternal vigilance is the price of security

Law #6: There really is someone out there trying to guess your passwords

Law #7: The most secure network is a well-administered one

Law #8: The difficulty of defending a network is directly proportional to its complexity

Law #9: Security isn't about risk avoidance; it's about risk management

Law #10: Technology is not a panacea

https://www.linkedin.com/in/scott-culp-cissp-8b69572a/

 

 

http://thehackernews.com/2017/06/hacker-arrested-for-hacking-microsoft.html

 

 

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

 

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

 

auditpol - https://technet.microsoft.com/en-us/library/cc731451(v=ws.11).aspx

 

https://docs.microsoft.com/en-us/windows/device-security/auditing/advanced-security-audit-policy-settings

 

 

https://technet.microsoft.com/en-us/library/cc677002.aspx - Microsoft Security compliance Manager

 

 

https://www.databreaches.net/irony-when-blackhats-are-our-only-source-of-disclosure-for-some-healthcare-hacks/

 

https://www.databreaches.net/leak-of-windows-10-source-code-raises-security-concerns/

 

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

 

 

2017-SPECIAL- Michael Gough and Brian Boettcher discuss specific ransomware

Jun 30, 2017 19:26

Description:

Due to popular demand, we are adding the extra content from last week's show as a standalone podcast.

 

Michael Gough (@hackerHurricane) and Mr. Boettcher (BrakeSec Co-Host, and @boettcherpwned) sit down and discuss the popularity of ransomware as a topic

They discuss what email attachments to block, how to test your own email gateway, and what controls you should implement to help defend against the #petya #notpetya ransomware.

2017-021-small_biz_outreach-614con-prenicious_kingdoms-ransomware-bonus

Jun 23, 2017 01:18:47

Description:

This week, we discussed Ms. Berlin's recent foray to CircleCityCon, 614con (@614con), and her recent webinars with O'Reilly.

One topic we discussed this week was how to reach out to small businesses about information security. Mr. Boettcher (@boettcherpwned) had just came from a panel discussion about an initiative in Austin, Texas called "MANIFEST", which sought to engage small business owners with #information #security professionals to help them secure their environments.

So we got to discussing how you might go about it in your local hometowns. Many of us live in smaller towns, with numerous small businesses that either don't know to secure their #POS #terminals (for example), or office information not in a file cabinet. They may also just assume their outsourced IT company is doing that job, which could open them up to liability if something occurred. So we discuss ways to reach out, or get involved with your local community.

Secondly, we talk about software vulnerabilities found in the #CWE and the '7 Pernicious Kingdoms' which are the way some people have classified vulnerabilities. We one of the kingdoms, and how it is useful if you want to classify vulns to developers.

Finally, after the show, Mr. Boettcher and Mr. Michael Gough, who has been on the show previously discusses some #ransomware and why it's such a popular topic of discussion. (stay after the end music)

 

Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 5 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 1 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel.

To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-021-small_biz_outreach-614con-prenicious_kingdoms-ransomware-bonus.mp3

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2017-020-Hector_Monsegur_DNS_OSINT_Outlaw_Tech_eClinicalWorks_fine

Jun 15, 2017 01:16:37

Description:

Hector Monsegur (@hxmonsegur on Twitter) is a good friend of the show, and we invited him to come on and discuss some of the #OSINT research he's doing to identify servers without using noisy techniques like DNS brute forcing.

 

We also discuss EclinicalWorks and their massive fine for falsifying testing of their EHR system, and implications for that. What happens to customers confidence in the product, and what happens if you're already a customer and realize you were duped by them?

 

We also discuss Hector's involvement with the TV show "Outlaw Tech". Who approached him, why he did it, why it's not CSI:Cyber or "Scorpion" and how it discusses the techniques used by bad guys.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-020-Hector_monsegur_DNS_research_OSINT.mp3

 

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---------- 

Show notes:

 

going beyond DNS bruteforcing and passively discovering assets from public datasets???

Very interested in hearing about this

Straight OSINT, or what?

Hxm: Over at RSL (Rhino Sec Labs), one of the research projects I’m working on is discovery of assets (subdomains) while minimizing footprint (dns bruteforcing). Datasets include things like:

Data from the certificate transparency project (https://www.certificate-transparency.org/) rDNS and forward dns dataset from https://scans.io/  Sonar Scans - Rapid7 Sublist3r: https://github.com/aboul3la/Sublist3r And other datasets that are out there Crime Flare https://krebsonsecurity.com/tag/crimeflare-com/ -> crimeflare.com Discuss why brute forcing DNS leaves such a heavy footprint for blue team forensics How cloud providers like CloudFlare, and others, do not take advantage of DNS bruteforcing error messages   Special shout out to Ryan Sears @ CaliDog Security for his research into this field https://en.wikipedia.org/wiki/Markov_chain Smart DNS Bruteforcing - https://github.com/jfrancois/SDBF

 

Training gained from internal phishing campaigns

Does it breed internal mis-trust?

Recent campaign findings

Why do it if we know one account is all it takes? Because we know it’s a ‘win’ for security?

 

Outlaw Tech on Science Channel

What’s it about? (let’s talk about the show)

The show itself is on the Science channel (Discovery) The aim of the program is to discuss the technology behind many of the biggest crimes (heists, el chapo’s communication network, etc) And how I play a part in it https://www.spoofcard.com/ https://www.sciencechannel.com/tv-shows/outlaw-tech/ Rhinosecuritylabs.com  

 

http://www.dw.com/en/estonia-buoys-cyber-security-with-worlds-first-data-embassy/a-39168011 - ”Estonia buoys cyber security with world's first data embassy” - interesting

 

https://www.digitalcommerce360.com/2017/05/31/eclinicalworks-will-pay-feds-155-million-settle-false-claims-charges/ -- holy shit

-- Reminds me of the whole emissions scandal from a couple of years back. http://www.roadandtrack.com/new-cars/car-technology/a29293/vehicle-emissions-testing-scandal-cheating/

 

http://securewv.com/cfp.html

 

 

 

OneLogin/Docusign breaches

OneLogin: https://arstechnica.com/security/2017/06/onelogin-data-breach-compromised-decrypted/

Docusign:  https://www.inc.com/sonya-mann/docusign-hacked-emails.html

http://www.spamfighter.com/News-20916-DocuSign-Data-Hack-Resulted-in-Malware-Ridden-Spam.htm

Crowdfunding to buy shadowbroker exploits ended: https://threatpost.com/crowdfunding-effort-to-buy-shadowbrokers-exploits-shuts-down/126010/

 

China's Cybersecurity Law: https://lawfareblog.com/chinas-cybersecurity-law-takes-effect-what-expect

 

Facial recognition for plane boarding:  http://money.cnn.com/2017/05/31/technology/jetblue-facial-recognition/index.html

 

 

Keybase.io’s Chrome plugin  -- Game changer? https://chrome.google.com/webstore/detail/easy-keybaseio-encryption/bhoocemedffiopognacolpjbnpncdegk/related?hl=en

2017-019-Ms. Jessy Irwin, Effective Training in Small/Medium Businesses

Jun 7, 2017 01:11:34

Description:

 

This week, we invited Ms. Jessy Irwin (@jessysaurusrex) on to discuss the issues Small and medium businesses and startups have with getting good training, training that is effective and what can be done to address these issues.

We also go through several ideas for training subjects that should be addressed by training, and what maybe would be addressed by policy.

 

-------

Upcoming BrakeSec Podcast training:

Ms. Sunny Wear - Web App Security/OWASP

14 June - 21 June - 28 June at 1900 Eastern (1600 Pacific, 2300 UTC)

$20 USD on Patreon to attend the class

$9 USD for just the videos to follow along in class

Patreon: https://www.patreon.com/bds_podcast

 

If you want the videos and don’t care about the class, they will be released a week after class is over for free.

 

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Show Notes:

 

http://www.darkreading.com/endpoint/cybersecurity-training-nonexistent-at-one-third-of-smbs-/d/d-id/1328766

I don’t trust articles written with a survey created by a company that is touting their new education track at the bottom of the article. -- brbr

 

https://twitter.com/jessysaurusrex/status/859123589123121152

“So sick of the tired narrative that sec awareness is just about phishing when there are ~10 basic skills we need to be educating people on”

What are the ~10 things?

First off, most corporate security training misses the incentive mark by a mile. If training were refocused in a way that showed the incentives to improving personal safety, we might get somewhere. Teaching people how to take care of themselves first works-- those habits carry over into their work life, not usually the other way around.

 

Passwords Multifactor authentication Device encryption Ad blocking Browser hardening via extension/plugin Safe browsing (this breaks into a few different topics) Phishing doesn't just happen via email anymore: social media inboxes, text message inboxes, messaging apps, etc. Most users won't come to social engineering defenses on their own-- important to educate and give alternatives that encourage them to confirm information out of band or navigate to a site in their browser Social engineering (this breaks into a few different topics) Segmentation/compartmentalizing data + communications Secure storage(local vs cloud data) Media storage safety (thumbdrives! Charge-only cables for mobile devices!) Google Apps + Slack allow for OAuth; most people set it and forget it, don't review what apps can act on their behalf until it's too late Regularly reviewing permissions granted to apps through oAuth Backups

 

http://www.zdnet.com/article/sans-security-awareness-study-reveals-technical-communication-skills-and-proper-resourcing-critical/

“The report goes onto say that security awareness professionals with more technical backgrounds are more keen to recognizing behaviors that might bring risk, however, at times communications training is critical given that human interaction soft skills make changing risky employee behavior. They know what behaviors are the most effective in managing those risks. Often however, the challenge is that these same individuals often lack the skills or training to effectively communicate those risks and engage employees in a manner that effectively changes behavior.”  summed up our entire industry in this paragraph --brbr

  

https://securingthehuman.sans.org/resources/security-awareness-report-2017

^^^^ saw this on Twitter yesterday -brbr

 

Key takeaways:

 

The study recommends the following for addressing communications:

 

Communicate to leadership monthly about your security awareness program -- in a way that business leaders will value. Find a strong champion within leadership, and ask them to help relay the program value to other leaders, or assist with message crafting. Partner with those in the org that you've found to appreciate and adhere to security awareness inputs, especially those who can help partner on better communications. Take communications training; they can be easily developed with the right focus. Align with human resources to ensure an awareness program is tied into company culture. Keep an eye on your audience, as it grows and shift, and recognize that the same message that works for developers may not be effective for marketing, and vice versa. A one-size-fits-all communications approach can be limiting. 

 

You writing a book?

 

I've been working on a book about security that's focused on education and communication. We do such a horrible job at this-- we don't do very much that helps the average person or our non-technical, non-expert colleagues have a chance at being successful online. Our terms are too technical, our framing is unbelievably negative and toxic, and the lack of empathy for the people at the other end of the computer is absolutely astounding. It is entirely fixable, but we all have to stop contradicting one another and really start working together. :)

 

You make it sound so bleak and self-destructive :|

I would like to hope that we can get better.

 

Oh yea, the echo chamber, “who has the right answer?” no one, we all just have pieces...

Yes! And sometimes the right answer changes very, very quickly! It's less about the silver bullet answer and more about what we’re defending from and hoping to accomplish.

 

Are SMBs the issue?

Are they more insecure than bigger companies?

Or do bigger companies get more media coverage?

 

Are bigger companies any better at training employees?

Or are they better at ‘checking’ the box?

 

If we take the statement ‘paid for security training sucks’ as a given, what do we do about it?

What trainings should we be giving?

  

And what training should actually be policy driven? (make it a requirement to follow)

Clean desk

Password manager

Coding practices

Acceptable use

Device encyption

2FA/MFA

 

What training do infosec people need? How important are the soft skills to help with communicating?

2017-018-SANS_course-EternalBlue_and_Samba_vulnerabilities-DerbyCon contest details

May 30, 2017 50:40

Description:

We discuss SANS courses, including the one I just took (SEC504). How did I do in class? You can listen to the show and find out.

Since it's been a few weeks, we also discuss all the interesting WannaCry reports, the ease at which this vulnerability was exploited, and why would a company allow access to SMB (tcp port 445) from the Internet?

We discuss some upcoming training that we are holding starting 14 June. Ms. Sunny Wear will be doing 3 sessions discussing the use of Burp, and showing how to exploit various web application vulnerabilities.  Details are in the show notes and in our Slack Channel.

 

Ms. Sunny Wear is doing a web app security class

Starts June 14th at 1900 Eastern (1600 Pacific, 2300 UTC) 

Sign up for the class at the $20 dollar Patreon level (if you plan on attending)

Sign up for immediate video access at the $10 Patreon level (cannot attend class, but want to follow along)

Everyone will have access to the Slack Channel to follow along with the class, ask questions, etc (join our #slack channel for more information)

https://www.patreon.com/bds_podcast

 

Direct Link:   http://traffic.libsyn.com/brakeingsecurity/2017-018-SANS_course-EternalBlue-Samba-DerbyCon.mp3

RSS: www.brakeingsecurity.com/rss

 

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 SHOW NOTES:

 

SANS experience

Pity Quincenera - I (bryan) sucked

Need more experience

Speed kills (I (bryan) got flustered and I shutdown) you took speed?

No Kali - was surprised, until I thought of why :D

Was not helpful to my team (jacek, ryan, Michael C., David)

John Strand was phenomenal

Frank Kim was great

The audio was not, unfortunately :(

 

 

Samba/SMB (port 445) vulns

Use case for having it exposed?

**** OPEN TO SUGGESTIONS *****

What does that say about the company?

No security team, or the security team is ineffectual about telling people about the risks?

What

MS17-010 is the new MS08-067

http://thehackernews.com/2017/05/samba-rce-exploit.html

Over 400,000 open to the web

https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

 

Training announcement:

 

Ms. Sunny Wear doing a web app security class

Starts June 14th

Sign up for the class at the $20 dollar Patreon level

Sign up for immediate video access at the $10 Patreon level 

https://www.patreon.com/bds_podcast

 

 

Who’s Slide is it Anyways? @ImprovHacker

https://docs.google.com/forms/d/e/1FAIpQLSeLS0barWRdKVjPPyZ82lvC0UQMaDTJXRwF11qItlbZOrrf6A/viewform?c=0&w=1

 

#infosec #podcast #webAppSec #application #security

2017-017-Zero_Trust_Networking_With_Doug_Barth,_and_Evan_Gilman

May 10, 2017 01:25:46

Description:

 Zero trust networking may be a foreign concept to you, but Google and others have been utilizing this method of infrastructure and networking for quite a while now. It stands more traditional networking on it's head by not having a boundry in the traditional sense. There's no VPN, no ACLs to audit, no firewall to maintain... Sounds crazy right?

Well, it's all about trust, or the lack of it. No one trusts anyone without a proper chain of permission. Utilizing 2FA, concepts of port knocking, and CA certificates are used to properly vet both the host and the server and are used to keep the whole system safe and as secure as possible.

Sounds great right? Well, and you can imagine, with our interview this week, we find out that it's not prefect, people have to implement their own Zero Trust Networking solution, and unless you are a mature organization, with things like complete asset management, data flow, and configuration management, you aren't ready to implement it.

Join us as we discuss Zero Trust Networking with Doug Barth (@dougbarth), and Evan Gilman (@evan2645)

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-017-Zero_Trust_Networks.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

show notes:

 

The lines are blurring:

 

DevOps

NetOps

SDN

SDP

docker/containerization

2FA authentication

 

https://devcentral.f5.com/articles/load-balancing-versus-application-routing-26129

http://www.darkreading.com/attacks-breaches/zero-trust-the-way-forward-in-cybersecurity/a/d-id/1327827

All good points, except no one wants to do the needful bits (ID’ing information, data flow, proper network design)

https://www.beyondcorp.com/

 

https://en.wikipedia.org/wiki/Software_Defined_Perimeter

 

Where is this Google article???

http://www.tomsitpro.com/articles/google-zerotrust-network-own-cloud,1-2608.html

https://cloud.google.com/beyondcorp/

https://www.theregister.co.uk/2016/04/06/googles_beyondcorp_security_policy/

 

Who benefits from this? Network engineers, apparently… :)

Devs?

IT?

Sounds like a security nightmare… who would get the blame for it failing

 

How do we keep users from screwing up the security model? Putting certs on their personal boxes?

 

Prior BrakeSec shows:  Software Defined Perimeter with Jason Garbis

http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3

 

http://shop.oreilly.com/product/0636920052265.do

 

Doug Barth Twitter: @dougbarth

 

Evan Gilman Twitter:  @evan2645

 

Runs counter, right? We are used to not trusting the client…

 

A Mature company can only implement

Device inventory

Config management

Data flow

Asset management

 

Micro-services?  

Brownfield networks

Sidecar model -

Certain OSes not possible

2017-016-Fileless_Malware, and reclassifying malware to suit your needs

May 3, 2017 01:05:43

Description:

 Malware is big business, both from the people using it, to the people who sell companies blinky boxes to companies saying that they scare off bad guys.

The latest marketdroid speak appears to be the term 'fileless malware', which by definition...

 

FTA: “Malware from a "fileless" attack is so-called because it resides solely in memory, with commands delivered directly from the internet. The approach means that there's no executable on disk and no artefacts ("files") for conventional computer forensic analysis to pick up, rendering the attacks stealthy, if not invisible. Malware infections will still generate potential suspicious network traffic.”

 

https://www.theregister.co.uk/2017/04/28/fileless_malware_menace/ -- by definition, not ‘fileless’

But many of the 'fileless' attacks require a 'file' to be opened to enable the initial infection.

This week, Michael Gough (@hackerhurricane) comes on to discuss his latest blog post (http://hackerhurricane.blogspot.com/2017/05/fileless-malware-not-so-fast-lets.html) and we discuss the fact that a lot of malware classification and categorization and how it fails to actually convey to leaders what it affects

 

https://business.kaspersky.com/targeted-attacks-trends/6776/

http://www.binarydefense.com/powershell-injection-diskless-persistence-bypass-techniques/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-016-fileless_malware_reclassifying_malware_types.mp3

 

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Bsides Springfield, MO Eventbrite for Tickets: https://www.eventbrite.com/e/bsides-springfield-tickets-33495265240 (only 27 tickets left as of 28 Apr)

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2017-015-Being a 'security expert' vs. 'security aware'

Apr 27, 2017 44:43

Description:

This week, we have a little story time. Developers should be aware of the kinds of vulnerabilities their code can be attacked with. XSS, Buffer overflows, heap overflows, etc should be terms that they understand. But is it enough that they are 'aware' of them, and yet seem to do nothing? Or should they be experts in their own particular area of development, and leave infosec people to deal with more generic issues?

We discuss the pros and cons of this argument this week, as well as how the idea of training people are flawed, because of who holds the purse strings. 

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-015-security_expert-vs-Security_aware_devs.mp3

 

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Bsides Springfield, MO Eventbrite for Tickets: https://www.eventbrite.com/e/bsides-springfield-tickets-33495265240 (only 27 tickets left as of 28 Apr)

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2017-014-Policy_writing_for_the_masses-master_fingerprints_and_shadowbrokers

Apr 20, 2017 01:00:12

Description:

So, I (Bryan) had a bit of a work issue to discuss. It has become one of my myriad jobs at work to write up some policies. In and of itself, it's not particularly fun work, and for whatever reason, this is causing me all kinds of issues. So this week we take a quick look at why I'm having these issues, if they are because I don't get it, or because the method I must follow is flawed.

After that, we add on to last week's show on #2FA and #MFA (http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3) by discussing why scientists are trying to create a 'master fingerprint' capable of opening mobile devices. We talk about FAR and FRR (false acceptance/rejection rates), and why the scientists may actually be able to pull it off.

We discussed Ms. Berlin's trip to the AIDE conference (https://appyide.org/), a two day #DFIR conference held at Marshall University by our good friend Bill Gardner (@oncee on Twitter). She gave a great interactive talk on working through online wargames and CTFs, and we get her update on the conference.

Finally, we did discuss a bit about the #ShadowBroker dump of #NSA tools. We discussed how different people are taking this dump over the #Wikileaks #CIA dump.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-014-Policy_writing_for_the_masses-master_fingerprints_disneyland.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

--- show notes----

 

Discuss AIDE with Ms. Berlin

 

Log-MD.com posted their first video.

 

Fingerprint Masters (a case against biometrics):

http://www.popsci.com/computer-scientists-are-developing-master-fingerprint-that-could-unlock-your-phone

http://www.digitaltrends.com/cool-tech/master-prints-unlock-phones/


Encrypted comms causing issues for employers: https://iapp.org/news/a/employers-facing-privacy-issues-with-encrypted-messaging-apps/

 

ShadowBrokers dump

“Worst since Snowden”

https://motherboard.vice.com/en_us/article/the-latest-shadow-brokers-dump-of-alleged-nsa-tools-is-awful-news-for-the-internet

https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/

 

Making policies, easier said than done

Discuss DefSec chapter on Policies

Difficulty: aligning policies with compliance standards

FedRamp, PCI, etc

Writing a good policy so that it follows the guidelines

 

http://shop.oreilly.com/product/0636920051671.do -- Defensive Security Handbook

2017-013-Multi-factor Auth implementations, gotchas, and solutions with Matt

Apr 13, 2017 48:44

Description:

Most everyone uses some kind of Multi-factor or '2 Factor Authentication". But our guest this week (who is going by "Matt" @infosec_meme)... Wanted to discuss some gotchas with regard to 2FA or MFA, the issues that come from over-reliance on 2FA, including some who believe it's the best thing ever, and we finally discuss other methods of 2FA that don't just require a PIN from a mobile device or token.

We also discuss it's use with concepts like "beyondCorp", which is google's concept of "Software Defined Perimeter" that we talked about a few weeks ago with @jasonGarbis (http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3)

This is a great discussion for people looking to implement 2FA at their organization, or need ammunition if your boss thinks that all security is solved by using Google Auth.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Show Notes:

 

What does MFA try to solve:

Mitigate password reuse Cred theft - Someone stealing credentials from embarassingadultsite.com and turns they work out on a totallyserious.gov RDP server Phishing bad - same as above, except now you convince someone totallyseriousgov.com is legit and they give you credentials

 

Cred theft:

Getting to the point where old mate literally has more password dumps than time https://www.troyhunt.com/i-just-added-another-140-data-breaches-to-have-i-been-pwned/ Honestly not going away, and combined with password reuse makes things pretty bad

 

Phishing:

Happens. META: do we need to back this up with some stats?  https://blog.barkly.com/phishing-statistics-2016

 

MFA / Bad things happening with that:

AU Telecommunications provider sent multifactor SMS to wrong people https://www.itnews.com.au/news/telstra-sending-sms-to-wrong-numbers-after-exchange-fire-449690 RSA was owned years ago - and had to reissue a bunch of tokens http://money.cnn.com/2011/06/08/technology/securid_hack/ https://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/?_r=0 On the plus side, obviously increased cost to attacker significantly to do that Phishing frameworks are everywhere Misc / Turns out U2F makes phishing kind of dead? (Read first amendment) https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/ Appears Backed up by the spec ( ‘Origin’ / https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-overview-v1.1-id-20160915.pdf)

 

Phishing/2FA/Solutions?

a) What does multifactor actually solve? b) Are we (infosec industry) issuing multifactor solutions to people just so people make money? c)  Do these things give a *false* sense of security? d) What do you think about storing the token on the same box? Especially given an actor on the box is just going to steal creds as they’re entered.

 

Internal training / is this actually working?


Australia Post didn't think so

https://www.itnews.com.au/news/why-australia-post-ransomwared-its-own-staff-454987

 

Counterpoints:

It's irritating and does break at times ( https://twitter.com/dguido/status/842448889697447938 )

C: I don’t like running some silly app on my phone

C: I also don’t like running around with a physical token

C: Embedding a Yubico nano in my usb slot leaves me with one usb port left

Also doesn’t solve when someone just steals that token

 

Does any of it matter:

Beyondcorp / "Lets make the machines state be part of the credential"

https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf

Tl;dr of paper: TPMs, certificates and a lot of health checks - think of NAC on steroids

Is there some way we (not google) can make it so a credential is worthless?

 

Solutions:

Duo / “There's an app on my phone and it has context about what wants to do something right now”

Probably a step in the right direction

Kind of like some Aus banks which SMS you before transferring $X to Y account

Okta - (grab links to spec)

META // Does this actually solve it?

OAUTH - (grab links to spec)

Attacking OAUTH - https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/

META // It’s not MFA, but it makes the cost of unrelated compromise significantly lower

META // Engineering things to short lived secrets is a better idea

 

I think one of the better ideas being put out was by google in 2014, the ‘beyondcorp’ project (https://research.google.com/pubs/pub43231.html), simply put:

The devices used everywhere are chromebooks run in standard mode rather than developer mode (Whitelisting For Free™) Everything is a web app Everything else can’t run due to app whitelisting built-in The device needs to also authenticate before the user can do anything, and is used as part of the judgement for access control engines Everything cares about the machine the user is using - It’s part of the credential Passwords are no longer important and it’s all single sign on Suddenly credential theft doesn’t matter The device uses certificates to attest to its current state, so stolen passwords without a valid device don’t matter As the device is a glorified web browser, and has app whitelisting, you’re not going to get code execution on it, malware no longer matters Caveat, someone will probably think of some cool technique and that’ll ruin everything See: Problem of induction / “Black swan event”

 

Obviously this is a massive undertaking and would require massive overhaul of everything, but it did look like Google were able to pull it off in the end. (https://research.google.com/pubs/pub44860.html).

 

Tavis is banging on LastPass again…  https://www.ghacks.net/2017/03/21/full-last-pass-4-1-42-exploit-discovered/

 

Duo Security // Beyondcorp

https://duo.com/blog/beyondcorp-for-the-rest-of-us



More info on Beyondcorp

https://www.beyondcorp.com

 

Misc// Hey google wrote a paper on U2F a while back

http://fc16.ifca.ai/preproceedings/25_Lang.pdf


Touched on briefly / “Secure Boot Stack and Machine Identity” at Google - Servers which need to boot up into a given state (Sounds like U/EFI except ‘ Google-designed security chip’)

https://cloud.google.com/security/security-design/resources/google_infrastructure_whitepaper_fa.pdf


META // Patrick Gray (sic) interviewed Duo last week and talked about the same thing

https://risky.biz/RB448/

2017-012-UK Gov Apprenticeship infosec programs with Liam Graves

Apr 6, 2017 54:13

Description:

One of our Slackers (people who hang with us on our Slack Channel) mentioned that he was writing exam materials for one of the programs created by the UK Government to train high school and/or people headed to university in skills without the traditional 4 year education track.

I was very intrigued by this, since we don't appear to have anything like this, outside of interning at a company, which means you're not considered a full-time employee, have no benefits, and there's no oversight about what you are learning. (Your mileage may vary)

So we asked Liam Graves (@tunnytraffic) to come on and discuss his experience, and how he was enjoying it. We discuss various methods of alternative educations here and in the UK, as well as why someone should possibly consider an apprenticeship. We also discuss how that would work in the US (or could it?)

Also, I very sorry Ireland ... :) I did not mean to lump you in the rest of the Commonwealth...

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-012-UK_Gov_apprenticeships_with_Liam_Graves.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

-----

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

--

 

Show Notes:

UK apprenticeship schemes:

long established though a recent focus shift back from academic achievement to hands-on skills and understanding/applying more than just remembering.

End Point Assessment - project based final assessment.

 

A mix of targeted learning and on-the-job experience working towards a brief: https://www.thetechpartnership.com/globalassets/pdfs/apprenticeship-standards/cyber-intrusion-analysis/occupational-brief-cyber-intrusion-analyst.pdf

 

Boring - but some background reading. Apprentices at this level will use levels 1-3 of Bloom’s taxonomy (https://en.wikipedia.org/wiki/Bloom's_taxonomy) 1) Remembering (What type questions). 2) Understanding (Which of these/Why type questions) 3) Applying (It this then what scenarios and questions)

 

Other schemes include (new and existing):

Cyber Intrusion Analysts Cyber Security Technologists Data Analysts Digital Marketers Infrastructure Technicians IT Technical Salesperson Network Engineers Software Developers Software Development Technicians Software Testers Unified Communications Trouble-shooters (no idea what these ones are) Unified Communications Technicians

 

https://www.gov.uk/apply-apprenticeship (links for Scotland & Wales on the same page).

 

https://www.thetechpartnership.com/about/ - employers drive the training for the type of employees they need.

 

Routes to employment - fast paced industry so 1) older pathways may not be relevant. 2) there are so many ways in to the industry pick the right one for you - there’s a difference between people who appreciate structured learning, are autodidactic, learn extra and over what’s expected, dev, risk, red/blue team, academic, hands-on, etc.

 

Internships (rarer, though some degrees offer a year in industry and will assist in making positions available)

 

Graduate schemes - very common, will give a grad opportunities to move around the business. Direct hires from uni.

 

IBM has a trade school - hiring 2,000 US Veterans in the next 5 years

https://www.axios.com/ibm-2000-jobs-exclusive-2317626492.html

 

Technical schools

http://www.browardtechnicalcolleges.com/

http://www.bates.ctc.edu/ITSpecialist

 

DoL apprenticeship programs

https://oa.doleta.gov/bat.cfm

 

Difference between ‘for-profit’ and ‘trade schools’

 

Internships = some companies are paying fat bank:

http://www.vanityfair.com/news/2016/04/summer-interns-at-tech-start-ups-are-making-six-figure-salaries

 

Washington State trades/apprenticeships

Mostly ‘blue’ collar positions

http://www.lni.wa.gov/TradesLicensing/Apprenticeship/Programs/TradeDescrip/

Few ‘technical positions’

 

Not sure there is an ‘apprenticeship’ in the US, outside of ‘internships’ that are given to college students

No ‘junior security architects’, or ‘junior pentesters’

Yet non-technical positions have junior slots

Manager / Senior manager, Project manager / Sr. Project manager

 

Difficulty in infosec apprenticeships

What are the ‘starter’ jobs?

IT related

Sysadmins

Log analyst

 

Useful links:

https://www.gov.uk/government/news/huge-response-to-join-cyber-security-apprenticeship-scheme

https://www.gov.uk/guidance/cyber-security-cni-apprenticeships

https://www.ncsc.gov.uk/new-talent

 

All available apprenticeships:

https://www.gov.uk/government/collections/apprenticeship-standards

 

Employer commitments:

https://www.gov.uk/take-on-an-apprentice

 

For people looking to pivot from non-Infosec jobs into cyber security:

https://cybersecuritychallenge.org.uk/about/new-to-the-challenge

https://www.scmagazineuk.com/government-cyber-retraining-academy-graduates-snapped-up-by-industry/article/647986/

https://www.gov.uk/government/publications/apprenticeship-levy-how-it-will-work/apprenticeship-levy-how-it-will-work

 

 

 

2017-011-Software Defined Perimeter with Jason Garbis

Mar 30, 2017 52:41

Description:

We talked with Jason Garbis this week about Software Defined Perimeter (SDP). Ever thought about going completely without needing a VPN? Do you think I just made a crazy suggestion and am off my medications? Google has been doing it for years, and organizations like the Cloud Security Alliance are expecting this to be the next big tech innovation. So much so, that they are already drafting version 2 of the SDP guidelines.

So after talking with a friend of mine about how they were trying to implement it, he suggested talking to Jason, since he was on the steering committee for it. While Jason does work for a company that sells this solution, our discussion with him is very vendor agnostic, and he even discusses an open source version of SDP that you could implement or test out as a PoC (details in show notes below).

This is a great topic to stay on top of, as one day, your CTO/CIO or manager will come by and ask about the feasibility of implementing this, especially if your company assets are cloud based...  So have a listen!

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3

Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

Itunes: (look for '2017-011') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

 

 

 

-----

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---

 

Show Notes:

https://en.wikipedia.org/wiki/Software_Defined_Perimeter

https://cloudsecurityalliance.org/group/software-defined-perimeter/

    Hmmm… seems like a standard created by companies selling their products for it

        Have a product, create a problem, fix the problem...

 

How much alike is this to things like ‘Beyondcorp’?

    https://www.beyondcorp.com/

    http://www.networkworld.com/article/3053561/security/learning-about-sdp-via-google-beyondcorp.html

 

De-perimeterization - removing all the bits ‘protecting’ your computer

    Treat your computers as ‘on the Internet’

    https://en.wikipedia.org/wiki/De-perimeterisation

https://collaboration.opengroup.org/jericho/SPC_swhitlock.pdf

 

https://github.com/WaverleyLabs/SDPcontroller

 

2FA becomes much more important, or just plain needed, IMO --brbr

 

Questions:

    How will development of applications change when attempting to implement these technologies?

   

    If we allow deperimeterization of legacy apps (like Oracle products), with a complicated security model, how do you keep these older apps under control?

 

    Can this cut down on the “Shadow IT” issue? Does the user control the certs?

    How does this work with devices with no fully realized operating systems?

        Phones, HVAC, IoT

        Legacy SCADA or mainframes?

 

    What is the maturity level of a company to implement this?

        What minimum requirements are needed?

            Asset management?

            Policies?

        Who/how do you monitor this?

            More blinky boxes?

            Will WAFs and Web proxies still function as expected?

    Are there any companies companies were this is not a good fit?

        What’s the typical timeline for moving to this network model?

        What’s the best way to deploy this?

            Blow up old network, insert new network?

            Phase it in with new kit, replacing old kit?

    Compliance

        How do explain this to auditors?

            “We don’t have firewalls, that’s for companies that suck, we are 1337”

Other than “scalability” (which seems like regular solutions would have as well) I’d like to know what real value they provide

2017-010-Authors Amanda Berlin and Lee Brotherston of the "Defensive Security Handbook"

Mar 23, 2017 01:13:42

Description:

Our very own Ms. Berlin and Mr. Lee Brotherston (@synackpse), veteran of the show, co-authored an #O'Reilly book called the "Defensive Security Handbook"

We talk with Amanda and Lee (or Lee and Amanda :D ) about why they wrote the book, how people should use the book, and how you can maximize your company's resources to protect you.

The best thing is that you can pick up the ebook right now! It's available for pre-order on Safari books (Link), or pre-order on Amazon.com (Link)

Hope you enjoy!

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-010-Defensive_Security_handbook.mp3

Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

Itunes: (look for '2017-010') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

 

 Previous Lee Brotherston episodes:

Threat Modeling w/ Lee Brotherston

Is your ISP MiTM-ing you

 Lee fills in for Mr. Boettcher, along with Jarrod Frates

TLS fingerprinting application

 

#Bsides #London is accepting Call for Papers (#CFP) starting 14 Febuary 2017, as well as a Call for Workshops. Tickets are sold out currently, but will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/   

CFP closes 27 march 2017

------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2017-009-Dave Kennedy talks about CIAs 'Vault7', ISC2, and Derbycon updates!

Mar 15, 2017 01:15:18

Description:

Wikileaks published a cache of documents and information from what appears to be a wiki from the Central Intelligence Agency (CIA).

This week, we discuss the details of the leak (as of 11Mar 2017), and how damaging it is to blue teamers.

To help us, we asked Mr. Dave Kennedy  (@hackingDave) to sit down with us and discuss what he found, and his opinions of the data that was leaked. Mr. Kennedy is always a great interview, and his insights are now regularly seen on Fox Business News, CNN, and MSNBC.

Dave isn't one to rest on his laurels. For many of you, you know him as the co-organizer of #derbycon, as well as a board member of #ISC2.  We ask him about initiatives going on with ISC2, and how you (whether or not you're a ISC2 cert holder). You can help with various committees and helping to improve the certification landscape. We talk about how to get involved.

We finish up asking about the latest updates to DerbyCon, as well as the dates of tickets, and we talk about our CTF for a free ticket to DerbyCon.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-009-dave_kennedy_vault7_isc2_derbycon_update.mp3

Youtube:  https://www.youtube.com/watch?v=lqXGGg7-BlM

iTunes: https://itunes.apple.com/us/podcast/2017-009-dave-kennedy-talks-abotu-cias-vault7-isc2/id799131292?i=1000382638971&mt=2

 

#Bsides #London is accepting Call for Papers (#CFP) starting 14 Febuary 2017, as well as a Call for Workshops. Tickets are sold out currently, but will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/   

CFP closes 27 march 2017

------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

--show notes--

http://www.bbc.com/news/world-us-canada-10758578

 

WL: “CIA ‘hoarded’ vulnerabilities or ‘cyber-weapons’

    Should they not have tools that allow them to infiltrate systems of ‘bad’ people?

    Promises to share information with manufacturers

        BrBr- Manufacturers and devs are the reason the CIA has ‘cyber-weapons’

            Shit code, poor software design/architecture

            Security wonks aren’t without blame here either

 

http://www.bbc.com/news/technology-39218393  -RAND report

        Report suggested stockpiling is ‘good’

            “On the other hand, publicly disclosing a vulnerability that isn't known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve.”

 

Encryption does still work, in many cases… as it appears they are having to intercept the data before it makes it into secure messaging systems…  

http://abcnews.go.com/Technology/wireStory/cia-wikileaks-dump-tells-us-encryption-works-46045668

 

(somewhat relevant? Not sure if you want to touch on https://twitter.com/bradheath/status/837846963471122432/photo/1)

 

Wikileaks - more harm than good?

    Guess that depends on what side you’re on

    What side is Assange on? (his own side?)

    Media creates FUD because they don’t understand

        Secure messaging apps busted (fud inferred by WL)

            In fact, data is circumvented before encryption is applied.

Some of the docs make you wonder about the need for ‘over-classification’


Vulnerabilities uncovered

 

Samsung Smart TVs “Fake-Off”

Tools to exfil data off of iDevices

    BrBr- Cellbrite has sold that for years to the FBI

        CIA appears to only have up to iOS 9 (according to docs released)

Car hacking tech

Sandbox detection (notices mouse clicks or the lack of them)

    Reported by eEye: https://wikileaks.org/ciav7p1/cms/page_2621847.html

Technique: Process Hollowing: https://wikileaks.org/ciav7p1/cms/page_3375167.html

    Not new: https://attack.mitre.org/wiki/Technique/T1093

**anything Mr. Kennedy feels is important to mention**

 

What can blue teamers do to protect themselves?

    Take an accounting of ‘smart devices’ in your workplace

        Educate users on not bringing smart devices to work

            And at home (if they are remote)

                Alexa,

        Restrict smart devices in sensitive areas

            SCIFs, conference rooms, even in ‘open workplace’ areas

           

    Segment possibly affected systems from the internet

    Keep proper inventories of software used in your environment

    Modify IR exercises to allow for this type of scenario?

    Reduce ‘smart’ devices

        Grab that drill and modify the TV in the conference room

        Cover the cameras on TV

            Is that too paranoid?

        Don’t setup networking on smart devices or use cloud services on ‘smart’ devices

    Remind devs that unpatched or crap code can become the next ‘cyber-weapon’ ;)

2017-008-AWS S3 outage, how it should color your IR scenarios, and killing the 'whiteboard' interview

Mar 6, 2017 01:14:23

Description:

If you were under a rock, you didn't hear about the outage that #Amazon #Web Services (#AWS) suffered at the hands of sophisticated, nation-state... wah?

 "an authorized #S3 team #member using an established #playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended."

Well... okay, so for companies that do regular IR response tests and have a good majority of their assets and production in cloud based services, is it time to discuss having the 'extreme' scenario of 'What do we do when [AWS|Azure|Google Compute] goes down?'

We also discuss an article about #developers who want to get rid of the #whiteboard #interview... is it as #discriminatory as they suggest, or is it just devs who aren't confident or lacking #skills trying to get hired? (see show notes below for links)

Finally, we talk about Ms. #Berlin's talk she will be giving at #AIDE on 6-7 April. It's gonna be a "hands-on" talk.  What do we mean? Listen to our show and find out.


#AIDE - https://appyide.org/events/ $60

more info: https://appyide.org/1313-2/

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-008-AWS_S3_outage-IR_scenarios_white-board-interviews.mp3

 

#Bsides #London is accepting Call for Papers (#CFP) starting 14 Febuary 2017, as well as a Call for Workshops. Tickets are sold out currently, but will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/   

CFP closes 27 march 2017

------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

---show notes---

 

AWS S3 outage (hopefully more information by the end of the week)

    Massive outages - many sites down

        IoT devices borked        https://techcrunch.com/2017/02/28/amazon-aws-s3-outage-is-breaking-things-for-a-lot-of-websites-and-apps/

https://www.wired.com/2017/02/happens-one-site-hosts-entire-internet/

 

TL;DR of the S3 outage - "an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended."

 

Brian: Water sprinkler story…

 

Do we put too much stock in Amazon?

        Email Story time: Recent IR exercise

            Mostly AWS shop

            “If we suspend reality” drinking game

            World War Z “the 10th man”

 

Not the 1st time AWS was involved in an outage:

    http://www.datacenterdynamics.com/content-tracks/security-risk/major-ddos-attack-on-dyn-disrupts-aws-twitter-spotify-and-more/97176.fullarticle

 

Realistic IR exercises need to examine the ‘ultimate’ bad…

    Even if you’re in ‘suspend reality’ mode

 

https://theoutline.com/post/1166/programmers-are-confessing-their-coding-sins-to-protest-a-broken-job-interview-process

http://blog.interviewing.io/you-cant-fix-diversity-in-tech-without-fixing-the-technical-interview/

 

No problem with copy/paste, hunting up functions, etc

    Problem comes when failure to understand the code you’re using, and the integration of that code therein

 

Programming Interviews Exposed

 

LOVED this idea….

https://letsjusthackshit.org/platypuscon2016.html

“In the spirit of what brought this community together, we’re aiming to build a super hands-on event: that is, instead of a series of talks while you plan on missing to catch up with your friends at the cafe down the road, we’re putting together a full day of hands-on workshops where you can get your hands dirty and we can all help each other learn something new.”

 

Patreon - just pop a dollar

CTF Club - Tuesdays 9am Pacific / 6pm Pacific

Book club - Defensive Security Handbook - Starting 15 March

2017-007- Audio from Bsides Seattle 2017

Mar 1, 2017 35:43

Description:

Bryan had the pleasure of attending his 3rd Bsides Seattle a few weeks ago. Lots of great speakers, great discussion.

We have 3 interviews here this week:

Justin Case (@jcase) discusses some of his talk about hacking the Google Pixel, an HTC produced phone. We discuss why Android gets the 'insecure' moniker by the media, and whether it's warranted or not.

Next, Sam Vaughn (@sidechannel_org) talks about setting up the Crypto Village, why he does it, and what you can learn by solving these puzzles.

Finally, Matt Domko discusses his experiences with Bro, as well as using Bro for packet analysis and what is needed when analyzing packets...

If you are looking for some great content, a Bsides is nearby, just look around...

 

Other Twitter handles mentioned on the show...

@ben_ra
@firewater_devs  (both phone hackers)

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-007-bsides_seattle_Feb2017.mp3

YouTube:

iTunes:

 

 

Bsides London is accepting Call for Papers starting 14 Febuary 2017, as well as a Call for Workshops. You can find out more information at https://www.securitybsides.org.uk/

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2017-006- Joel Scambray, infosec advice, staying out from in front of the train, and hacking exposed

Feb 20, 2017 01:05:45

Description:

Joel Scambray joined us this week to discuss good app design, why it's so difficult, and what can be done to fix it when possible.

Joel also co-authored many of the "Hacking Exposed" series of books. We ask him about other books that could come from the well known series.

We also ask about why the #infosec person often feels like they need to protect their organization to the expense of our own position (or sanity) and how we as an industry should be not 'in front of the train', but guiding the train to it's destination, one of prosperity and security. Conversely, we also discuss why some positions in security are so short-lived, such as the role of CISO.

 

From SC magazine (https://www.scmagazineuk.com/joel-scambray-joins-ncc-group-as-technical-director/article/634098/):

"Security expert and author, Joel Scambray, has joined NCC Group as technical director. He will be based at the Austin, US office.

Scambray has more than 20 years of experience in information security. In his new role, he will work with some of the company's biggest clients using his experience in business development, security evangelism and strategic consultancy."

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-006-Joel_scambray-infosec_advice-hacking_exposed.mp3

iTunes (generic link, subscribe for podcast):  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

Brakesec Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

 

Bsides London is accepting Call for Papers starting 14 Febuary 2017, as well as a Call for Workshops. You can find out more information at https://www.securitybsides.org.uk/

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

-------

Show Notes:

 

Joel Scambray

 

In a bio:

    “Joel’s words of security wisdom: Security is a type of risk management, which is about informing a decision. The security professional’s challenge is to bring the most evidence possible to support those decisions, both technical and non.”

 

Building and maintaining a security program

    Which is better?

starting with a few quick wins

Or having an overarching project to head where you want to go

 

Starting companies (buyouts / stock options / lessons learned)

 

Hacking Exposed

    Will you stop at ‘7’?

    Will there be a “hacking exposed: IoT”?

        Medical devices

   

What leadership style works best for you?

 

Things we couldn’t cover due to time:

Security Shift from network layer to app layer

    Software defined networking, for example

        How to set policies to keep your devs from running amok

 

------

2017-005-mick douglas, avoid bad sales people, blue team defense tools

Feb 15, 2017 01:03:58

Description:

Mick Douglas is always great to have on. A consummate professional, and blue team advocate for years now, he teaches SANS courses designed to help defenders against the forces of the red team, pentesters, and even bad actors.

But this week, we have a different Mr. Douglas.  This week, he's here to talk about sales tactics, #neuro #linguistic #programming, leading the question, and other social engineering techniques that salespeople will do to get you to buy maybe what your company doesn't need, but thinks it does. We have some good times discussing ways to ensure the buying of your new shiny box at work goes more smoothly, what you should look out for, and ways to tell if they are over-selling and under-delivering.

Also, Mick has been working on a project near and dear to his heart. After discussing with @carnal0wnage a year or so back, he's fleshed out a spreadsheet that tracks attack vectors, and depending on what controls are in your environment, can show you how well a particular attack is against your environment. This would be a great asset to blue teams who might want to shore up defenses, especially if they are vulnerable in a particular area. Mr. Douglas is looking for comments, suggestions, and additions to his spreadsheet, and you can even download a copy of the Google Doc to try in your own environment, free of charge.

Book mentioned in the show: (non-sponsored link) https://www.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X

Mick's document:

https://docs.google.com/spreadsheets/d/1pI-FI1QITaIjuBsN30au1ssbJAZawPA0BYy8lp6_jV8/edit#gid=0

Mick refers the the MITRE ATTACK matrix in the show, here's our show discussing it:

http://traffic.libsyn.com/brakeingsecurity/2015-051-ATTACK_Matrix.mp3

https://attack.mitre.org/wiki/ATT%26CK_Matrix

 

 

Mick's last appearances on BrakeSec:

http://traffic.libsyn.com/brakeingsecurity/2015-024-Mick_Douglas.mp3

http://traffic.libsyn.com/brakeingsecurity/2015-025-Mick_douglas_part2.mp3

http://traffic.libsyn.com/brakeingsecurity/2015-032-Jarrod_and_Mick_DFIR.mp3

http://traffic.libsyn.com/brakeingsecurity/2016-026-exfiltration_techniques-redteaming_vs_pentesting-and-gaining_persistence.mp3

 

Direct Link:   http://traffic.libsyn.com/brakeingsecurity/2017-005-mick_douglas-attack_defense_worksheet.mp3

iTunes: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

YouTube: https://www.youtube.com/watch?v=A3K-2yneKU4

 

 

Bsides London is accepting Call for Papers starting 14 Febuary 2017, as well as a Call for Workshops. You can find out more information at https://www.securitybsides.org.uk/

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2017-004-sandboxes, jails, chrooting, protecting applications, and analyzing malware

Feb 6, 2017 52:25

Description:

This week, we discuss sandboxing technologies. Most of the time, infosec people are using sandboxes and similar technology for analyzing malware and malicious software.

Developers use it to create additional protections, or even to create defenses to ward off potential attack vectors.

We discuss sandboxes and sandboxing technology, jails, chrooting of applications, and even tools that keep applications honest, in particular, the pledge(2) function in OpenBSD

----------

HITB announcement:

“Tickets for attendance and training are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

 

 

 

 Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-004-Sandboxing_technology.mp3

iTunes: https://itunes.apple.com/us/podcast/2017-004-sandboxes-jails-chrooting/id799131292?i=1000380833781&mt=2

YouTube: https://www.youtube.com/watch?v=LqMZ9aGzYXA

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

-----------

Show notes:

 

Sandboxing tech  -  https://hangouts.google.com/call/yrpzdahvjjdbfhesvjltk4ahgmf

 

A sandbox is implemented by executing the software in a restricted operating system environment, thus controlling the resources (for example, file descriptors, memory, file system space, etc.) that a process may use.

 

Various types of sandbox tech

 

Jails - freebsd

    Much like Solaris 10’s zones, restricted operating system, also able to install OSes inside, like Debian

        http://devil-detail.blogspot.com/2013/08/debian-linux-freebsd-jail-zfs.html

 

Pledge(8)  - new to OpenBSD

    Program says what it should use, if it steps outside those lines, it’s killed

    http://www.tedunangst.com/flak/post/going-full-pledge

    http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/pledge.2?query=pledge

    http://www.openbsd.org/papers/hackfest2015-pledge/mgp00008.html

 

Chroot - openbsd, linux (chroot jails)

    “A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children”

    Example: “www” runs in /var/www. A chrooted www website must contain all the necessary files and libraries inside of /var/www, because to the application /var/www is ‘/’

 

Rules based execution - AppArmor, PolicyKit, SeLinux

    Allows users to set what will be ran, and which apps can inject DLLs or objects.

    “It also can control file/registry security (what programs can read and write to the file system/registry). In such an environment, viruses and trojans have fewer opportunities of infecting a computer.”

https://en.wikipedia.org/wiki/Seccomp

https://en.wikipedia.org/wiki/Linux_Security_Modules

 

Android VMs

 

Virtual machines - sandboxes in their own right

    Snapshot capability

    Revert once changes have occurred

    CON: some malware will detect VM environments, change ways of working

 

Containers (docker, kubernetes, vagrant, etc)

    Quick standup of images

    Blow away without loss of host functionality

    Helpful to run containers as an un-privileged user.

https://blog.jessfraz.com/post/getting-towards-real-sandbox-containers/

 

Chrome sandbox: https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md

 

Emulation Vs. Virtualization

 

http://labs.lastline.com/different-sandboxing-techniques-to-detect-advanced-malware  --seems like a good link

 

VMware Thinapp (emulator):

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1030224

 

(continued next page)

Malware lab creation (Alienvault blog):

https://www.alienvault.com/blogs/security-essentials/building-a-home-lab-to-become-a-malware-hunter-a-beginners-guide

 

https://www.reverse.it/

 

News: (assuming it goes short)

SHA-1 generated certs will be deprecated soon - https://threatpost.com/sha-1-end-times-have-arrived/123061/

 

(whitelisting files in Apache)

https://isc.sans.edu/diary/Whitelisting+File+Extensions+in+Apache/21937

 

http://blog.erratasec.com/2017/01/the-command-line-for-cybersec.html

https://github.com/robertkuhar/java_coding_guidelines

https://www.us-cert.gov/sites/default/files/publications/South%20Korean%20Malware%20Attack_1.pdf#

 

https://www.concise-courses.com/security/conferences-of-2017/

2017-003-Amanda Berlin at ShmooCon

Jan 30, 2017 30:46

Description:

Amanda Berlin attended Shmoocon this year, and sat down with a few people. She discussed a bit with John about what HackEd is about (http://hackeducate.com/)

Amands writes: "I had an amazing time at my 3rd #Shmoocon. I was able to interview a handful of really cool people working on several different types of infosec education. I was able to watch a few talks, spend some time in the lockpick village, as well as go to Shmoocon Epilogue. It’s always amazing to watch people talk about what they are passionate about, and Shmoocon is a great relaxed environment where that happens frequently."

James Green @greenjam94
Aaron Lint @lintile  
Jon? @hackeducate

Melanie Rich-Wittrig @securitycandy

Amanda Berlin attended ShmooCon this year, and sat down with a few people. She discussed a bit with John about what HackEd is about (http://hackeducate.com/)

Melanie Rich-Wittrig (@securitycandy) discusses how she's empowering kids to get into information security, even as early as age 10 or 11. She discusses how she motivates by teaching CTF and hacking concept, and gamifying by using point systems.

www.securitycandy.com

RSS: http://www.brakeingsecurity.com/rss

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-003-ShmooCon_Audio.mp3

YouTube:

 

 

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

----------

2017-002: Threat Lists, IDS/IPS rules, and mentoring

Jan 22, 2017 01:05:41

Description:

In your environment, you deal with threats from all over the world. Many groups out there pool resources to help everyone deal with those #threats. Some come in the form of threat #intelligence from various intelligence companies, like #Carbon #Black, #FireEye, and #Crowdstrike.

But what if your company cannot afford such products, or are not ready to engage those types of companies, and still need need protections? Never fear, there are open source options available (see show notes below). These products aren't perfect, but they will provide a modicum of protection from 'known' bad actors, SSH trolls, etc.

We discuss some of the issues using them, discuss how to use them in your #environment.

Lastly, we discuss #mentorship. Having a good mentor/mentee relationship can be mutally beneficial to both parties. We discuss what it takes to be a good mentee, as well as a good mentor...

RSS: www.brakeingsecurity.com/rss

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-002-mentoring_threat_lists.mp3

iTunes:  https://itunes.apple.com/us/podcast/2017-002-threat-lists-ids/id799131292?i=1000380246554&mt=2

YouTube: https://www.youtube.com/watch?v=oHNrINl1oZE

 

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

----------

Show Notes:

HANGOUTS:  https://hangouts.google.com/call/w7rkkde5yrew5nm4n7bfw4wfjme

 

2017-002-Threat Lists, IDS/IPS rulesets, and infosec mentoring

 

Threat Lists (didn’t have much time to research :/) THIS EXACTLY - http://blogs.gartner.com/anton-chuvakin/2014/01/28/threat-intelligence-is-not-signatures/    Don’t use threat list feeds (by IP/domain) as threat intelligence Can use them for aggressively blocking, don’t use for alerting https://isc.sans.edu/suspicious_domains.html https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt http://iplists.firehol.org/ https://zeltser.com/malicious-ip-blocklists/ https://medium.com/@markarenaau/actionable-intelligence-is-it-a-capability-problem-or-does-your-intelligence-provider-suck-d8d38b1cbd25#.ncpmqp9cx Spamhaus: https://www.spamhaus.org/ leachers Open rulesets - You can always depend on the kindness of strangers Advantage is that these are created by companies that have worldwide reach Updated daily Good accompanying documentation You can buy large rulesets to use in your own IDS implementation Depends on your situation if you want to go managed or do yourself Regardless you need to test them Managed security services will do this for you I don’t recommend unless you have a team of dedicated people or you don’t care about getting hacked- signatures are way too dynamic, like trying to do AV sigs all by yourself Only a good idea for one-off, targeted attacks DIY IDS/IPS rulesets https://securityintelligence.com/signature-based-detection-with-yara/ http://yararules.com/ http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/ Yara rules For Mentors Set expectations & boundaries Find a good fit Be an active listener Keep open communication Schedule time Create homework Don’t assume technical level Ask questions Do your own research Find a good fit Put forth effort It’s not the Mentor’s job to handhold, take responsibility for own learning Value their time Come to each meeting with an agenda For Mentees Mentoring frameworks? InfoSec Mentoring https://t.co/mLXjfF1HEr https://gist.github.com/AFineDayFor/5cdd0341a2b384c20e615dcedeef0741 Podcasts (Courtesy of Ms. Hannelore) https://t.co/mLXjfF1HEr https://gist.github.com/AFineDayFor/5cdd0341a2b384c20e615dcedeef074

2017-001: A New Year, malware legislation, and a new cast member!

Jan 12, 2017 43:44

Description:

We start Brakeing Down Security with a huge surprise! A 3rd member of the podcast! Amanda #Berlin (@infosystir) joins us this year to help us educate people on #security topics. During the year, she'll be getting us some audio from various conventions and giving us her perspective working as an #MSSP, as well as a blue team (defender).

We start out talking about new #California #legislation about making #malware illegal. What are politicians in California thinking? We work through that and try to find some understanding.

With all the various secure messaging systems out there, we discuss how why secure messaging systems fail so poorly with regards to #interoperability and the difficulties in getting average non-infosec people to adopt one. We also discuss #Perfect #Foward #Security and how it prevents people from decrypting old messages, even if the key is compromised.

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

---Show Notes---

News story:

http://www.latimes.com/politics/la-pol-sac-crime-ransomware-bill-20160712-snap-story.html

 

“If this legislation gives prosecutors the tools that they didn’t have before, where are the cases that they have lost because they didn’t have these tools?” said Brandon Perry, a senior consultant for NTT Com Security. “Authorities are focused on prosecuting criminals that they can’t even find, as opposed to educating the victims to prevent this from happening again and again.”

 

Ransomware won’t infect you if you watch training videos:

http://thehackernews.com/2017/01/decrypt-ransomware-files.html

 

Secure messaging - stuck in an Apple ecosystem

    Too many, no interoperability

        Signal, Whisper, Wickr, Wire, WhatsApp, FB messenger

        I uninstalled Signal… can’t convince people to adopt something if everyone cannot message one another --BrBr

 

OpenPGP is ‘dangerous’

http://arstechnica.com/information-technology/2016/12/signal-does-not-replace-pgp/

    Forward Secrecy - https://en.wikipedia.org/wiki/Forward_secrecy

        “A public-key system has the property of forward secrecy if it generates one random secret key per session to complete a key agreement, without using a deterministic algorithm.” (input given gives the same output every time)

Perfect Forward Secrecy - “In cryptography, forward secrecy (FS; also known as perfect forward secrecy[1]) is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys.

   

Ms. Amanda’s pentest homework:

“https://docs.google.com/document/d/17NJPXpqB5Upma2-6Hu5svBxd8PH0Ex7VgCvRUhiUNk8/edit”

2016-051: Steps to fixing risks you found, and the State of the Podcast

Dec 25, 2016 41:30

Description:

It's the final episode of the the year, and we didn't slouch on the #infosec. Mr. Boettcher discussed what should happen when we find risk and how we handle it in a responsible manner.

I also issue an 'open-letter' to C-Level. We need C-Levels to listen and accept the knowledge and experience of your people. Infosec people are often the only thing keeping a company from making the front page, and yet are still seen as speed bumps.

We also discuss some the previous episodes of the year, some recent developments to build our #community, like our book club and upcoming #CTF club.

Plus, there is one other surprise, but you'll have to wait until our next episode to find out!

 

Enjoy our final episode of 2016. Our regular show will return the week of 9 January 2017!

 

https://en.wikipedia.org/wiki/Yahoo!_data_breaches#Legal_and_commercial_responses

iTunes:

YouTube: https://www.youtube.com/watch?v=w56W5gMMg0E

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-051-State_of_the_podcast_Finding_and_managing_risk.mp3

Special deal for our #BrakeSec Listeners:

"If you have an interesting security talk and fancy visiting #Amsterdam in the spring, then submit your talk to the Hack In The Box (#HITB) Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/.
Tickets are already on sale, with early bird prices until 31 December 2016. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity!


Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

Google Play Store  https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

2016-050: Holiday Spectacular with a little help from our friends!

Dec 22, 2016 01:14:54

Description:

Brakesec Podcast joined:

Edgar #Rojas (@silverFox) and Tracy #Maleef (@infosecSherpa) from the #PVC #Security #podcast (@pvcsec)

Joe Gray (@C_3PJoe) from the Advanced Persistent Security Podcast

Jerry #Bell (@maliciousLink) and Andrew #Kalat (@lerg) from the #Defensive Security podcast (@defensiveSec)

And Amanda #Berlin (@infosystir) for a light-hearted holiday party. We discuss things we learned this year, and most of us refrained from making the famous "#prediction" lists. You also get to hear my lovely wife come in and bring me #holiday #sweeties and even dinner, as she had no idea we were recording at the time (she later told me "You sounded like you were having too much fun, so I assumed you weren't recording")

**there might be some explicit language**

Join us won't you, and listen to 3 fantastic podcasts mix it up for the holidays.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-050-holiday_spectacular-defsec-advpersistsec-brakesec-infosystir.mp3

#YouTube: https://www.youtube.com/watch?v=sJaAG0KRpDY

#iTunes: https://itunes.apple.com/us/podcast/2016-050-holiday-spectacular/id799131292?i=1000379206297&mt=2

Special deal for our #BrakeSec Listeners:

"If you have an interesting security talk and fancy visiting #Amsterdam in the spring, then submit your talk to the Hack In The Box (#HITB) Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/.
Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity!


Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

2016-049-Amanda Berlin, the art of the sale, and Decision making trees

Dec 15, 2016 56:47

Description:

 "Always Be Closing" is the mantra that Alec Baldwin's character "Blake" intones in the movie "#GlenGarry #Glen #Ross". Ironically, the film about 4 men selling was a failure in the theaters.

A lot of times as #blue #teamers, we find ourselves in the sights of a #sales person, or often enough, we are inviting them into our conference rooms to find out how their widget will help save the day. There's an art to the concept of selling, honed over the past 500,000 years, since Ugg tried to convince Oog that his wheel would revolutionize work...

We asked Ms. Amanda Berlin (@infosystir) to join us this week, for her expertise at working at an security company, as well as someone who sells products, to discuss how and why sales and sales engineers do what they do. I posit that there must be 'decision tree' or script that most follow in an effort to make a sale, and how to confront the pushy sales pitch head on, or in Amanda's way, to avoid it altogether.

We discuss Amanda's book she co-wrote with Lee Brotherston, whom we've had on our show before. Their #O'Reilly #book is on pre-sale right now, so you can order "The #Defensive #Security #Handbook" here: http://shop.oreilly.com/product/0636920051671.do

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-049-amanda_berlin_the_art_of_the_sale_decision_making_trees.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-049-amanda-berlin-art/id799131292?i=1000378988303&mt=2

Youtube: https://www.youtube.com/watch?v=v0llOSXfzBg

 

Special deal for our #BrakeSec Listeners:

"If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box (#HITB) Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/.
Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity!


Join our Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-048: Dr. Gary McGraw, Building Security into your SDLC, w/ Special guest host Joe Gray!

Dec 4, 2016 01:11:07

Description:

As part of our ongoing discussion about the #SDLC and getting security baked in as far left as possible, Joe Gray, host of the  Advanced Persistant Security #Podcast (find it at https://advancedpersistentsecurity.net/), Mr. Boettcher, and I sat down with Dr. Gary McGraw, author of "Software Security: Building Security In" to discuss his book. We are also doing this book as part of the Brakeing Security Book Club (check out our #Slack channel for more information).

Gary walks us through the 7 Kingdoms of getting more security in, including doing automated and manual code audits, proper penetration testing of the application at various stages (testing), documentation (if you don't know it works, how can you test it?), and your Security Operations people, monitoring for things once it goes into production.  Also, find out what Chapter he thinks you should skip altogether... the answer may surprise you... :)

Join Mr. Gray, Mr. Boettcher, and I for a discussion with a true leader in the software and application security industry.

Buy the book on Amazon: https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705

Check out Gary's Website at https://www.garymcgraw.com/, and check out Gary's own podcast the Silver Bullet Security Podcast at https://www.garymcgraw.com/technology/silver-bullet-podcast/

Gary's twitter is @cigitalgem

Joe Gray's twitter is @C_3PJoe

Special deal for our #BrakeSec Listeners:

"If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/.
Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks Sebastian Paul Avarvarei and all the organizers of Hack In The Box (#HITB) for this opportunity!

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-048-Gary_McGraw_Securing_Your_SDLC_and_guest_host_Joe_Gray.mp3

iTunes:  https://itunes.apple.com/us/podcast/2016-048-dr.-gary-mcgraw-building/id799131292?i=1000378548363&mt=2

YouTube: https://www.youtube.com/watch?v=x65yL5_Hpi4

Join our Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-047: Inserting Security into the SDLC, finding Privilege Escalation in poorly configured Linux systems

Nov 28, 2016 19:50

Description:

Just a quick episode this week...

As part of the Brakesec Book Club (join us on our #Slack Channel for more information!) we are discussing Dr. Gary McGraw's book "Software Security: Building Security In" (Amazon Link: https://is.gd/QtHQcM)

We talk about the need to inserting security into your company's #SDLC... but what exactly can be done to enable that? I talk about abuse cases, #risk #analysis, creating test cases, pentesting, and #security #operations are all methods to do so.

Finally, I discovered a blog talking about ways to discover configuration errors on Linux systems that might allow #privilege #escalation to occur. Using these tools as part of your hardening processes could lower the risk of a bad actor gaining elevated privileges on your *unix hosts

http://rajhackingarticles.blogspot.com/2016/11/4-ways-to-get-linux-privilege-escalation.html

You can find the github of this script and the audit software that I mentioned below:

https://github.com/rebootuser/LinEnum.git     #Lynis (from CISOfy: https://cisofy.com/lynis/   Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-047-inserting_security_into_the_SDLC_finding_Linux_priv_esc.mp3   #iTunes: https://itunes.apple.com/us/podcast/2016-047-inserting-security/id799131292?i=1000378329598&mt=2   #YouTube:  https://www.youtube.com/watch?v=Kd_ZzvVNqoA  

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

2016-046: BlackNurse, Buenoware, ICMP, Atombombing, and PDF converter fails

Nov 21, 2016 44:50

Description:

This week, Mr. Boettcher found himself with an interesting conundrum concerning what happened when he converted a Windows DOCX file to a PDF using a popular #PDF converter software. We discuss what happened, how Software Restriction Policy in Windows kept him safe from a potential malware infection, and about the logging that occurred.

After that, we discuss some recent vulnerabilities, like the BlackNurse Resource Exhaustion vulnerability and how you can protect your infrastructure from a DDoS that can occur from someone sending your firewall 300 packets a second... which anyone can do.

We discuss Robert Graham's recent run-in with a new surveillance camera and how it was pwned in less time than you think. And learn about the 'buenoware' that has been released that 'patches' IoT and embedded devices... But does it do more harm than good, and is it legal?

All that and more this week on Brakeing Down Security Podcast! 

Check out our official #Slack Channel! Sign up at https://brakesec.signup.team

Next Book Club session is 29 November 2016. Our current book for study is 'Software Security: Building Security In' by Dr. Gary McGraw  https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705  (ebook is available of Safari books online)

 

BlackNurse

https://nakedsecurity.sophos.com/2016/11/17/blacknurse-revisited-what-you-need-to-know/

http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/

http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack

 

Recent tweet from @boettcherpwned about infected docx with macros and we discuss why Foxit PDF runs the macros and open_document:

https://twitter.com/boettcherpwned/status/799726266693713920

Brakesec Podcast about Software Restriction Policy and Application Whitelisting on Windows: http://traffic.libsyn.com/brakeingsecurity/2016-018-software_restriction_policy-applocker.mp3

Rob Graham @errataBob: new camera pwned by #Mirai botnet and others within 5 minutes:

https://twitter.com/newsyc200/status/799761390915424261

 

#BlackNurse

https://nakedsecurity.sophos.com/2016/11/17/blacknurse-revisited-what-you-need-to-know/

http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/

http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack

ICMP

Type 3, Code 3 (Destination Port unreachable)  http://www.faqs.org/rfcs/rfc792.html

#SHA1 deprecated on website certs by Chrome on 1 January 2017

http://www.darkreading.com/operations/as-deadline-looms-35-percent-of-web-sites-still-rely-on-sha-1/d/d-id/1327522

#Benevolent #malware (buenoware)

https://isc.sans.edu/diary/Benevolent+malware%3F+reincarnaLinux.Wifatch/21703

#Atombombing

http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions

https://breakingmalware.com/injection-techniques/atombombing-cfg-protected-processes/

http://www.pandasecurity.com/mediacenter/malware/atombombing-windows-cybersecurity/

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-046-Black_Nurse_buenoware_IoT_pwnage.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-046-blacknurse-buenoware/id799131292?i=1000378076060&mt=2

Youtube: https://www.youtube.com/watch?v=w-FEJuWGXaQ

 

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-044: Chain of Custody, data and evidence integrity

Nov 7, 2016 47:04

Description:

During a Security Incident, or in the course of an investigation, it may become necessary to gather evidence for further use in a possible court case in the future. But if you don't have 4-10,000 dollars USD for fancy forensic software, you'll need to find methods to preserve data, create proper integrity, and have a proper custody list to show who handled the data, how it was collected, etc.

This podcast was not meant to turn you into an expert, but instead to go over the finer points of the process, and even where you should turn to if you need help.

Certified Ethical Hacker book I was referencing in the show: http://www.wiley.com/WileyCDA/WileyTitle/productCd-1119252245,miniSiteCd-SYBEX.html

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-044-Evidence_chain_of_custody_data_integrity.mp3

#YouTube: https://www.youtube.com/watch?v=aJA2ry6npKI

#iTunes: https://itunes.apple.com/us/podcast/2016-044-chain-custody-data/id799131292?i=1000377566298&mt=2

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-043: BSIMMv7, a teachable moment, and our new Slack Channel!

Nov 2, 2016 01:14:10

Description:

 

**Brakeing Down Security has a Slack channel now... just go to https://brakesec.signup.team and follow the instructions to have the bot add you to our show's official channel.**

Every year, organizations come out with industry reports that show how well or, more often than not, how poorly we are doing.

We always even reviewing the BSIMM report, because it's an unvarnished, and a good measure of a good number of industry verticals, like finance, manufacturing, cloud, and even companies that make IoT devices.

Join Mr. Boettcher and I this week as we go over the findings of the report, discuss what got better, what still sucks, and what shouldn't we fault companies for not having.

We also have a teachable moment when I discuss a security paux fas that happened to me (Bryan) recently regarding an email account and my Skype. 2 factor authentication is your friend, and if it's available, use it.

Mr. Boettcher discusses some recent malware that has reared it's ugly head, and how to detect it.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-043-BSIMMv7.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-043-bsimmv7-teachable/id799131292?i=1000377394890&mt=2

YouTube: https://www.youtube.com/watch?v=I3FLSLSSb_Y

 

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

2016-042-Audio from Source Seattle 2016 Conference

Oct 25, 2016 01:32:53

Description:

Join us for a special episode this week! I (Bryan) was able to attend my first Source Seattle convention. Two days of talks, technical and non-technical, combining red/blue team concepts, as well as professional development, to help you navigate the corporate waters easier.

I was able to interview a number of people from the conference. You can see a partial list of them here:

http://www.sourceconference.com/single-post/2016/09/30/SOURCE-Seattle-Highlights


Interviewed

Chip McSweeney from OpenDNS (@chipmcmalware) and Rob Cheyne about the conference and got a bit of information about Chip's talk on "Domain Generating Algorithms" (DGA) that #malware use for domain C&C, and how to detect and reverse certain algos.

Rob Cheyne is the organizer of Source, so we talked a bit about the history and difficulties putting on 3 of these a year, and what makes the "Source" conference format so different.

Masha Sedova was one of the keynote speakersto discuss how she gamified her information security program and got everyone involved. Really excellent talk about changing organizational behavior.

Rob Fuller gave two days of Metasploit training, to show the versatility and to teach about the effectiveness of this tool. I also ask if Metasploit has reached it's end, since it's easily detected in many environments. Rob is a great interview and gives me his unvarnished opinion.

Mike Shema from https://cobalt.io/ discussed expanding and tailoring your bug bounty program to suit your organization and to ensure that your bug bounty program is mature. Using private bug bounties, and ensuring proper follow through in a timely manner can ensure maximum bang for the buck.

Last but not least, Deidre Diamond who did a keynote about 'Words to Stop Using now'. Deidre is the CEO of a national cyber security staffing company (Cyber Security Network) and Founder of a not-for-profit that empowers women in the infosec industry. Hear her thoughts on how leadership training is needed in the corporate environment, I ask her why we still need recruiters with hiring sites and why job descriptions are still a thorn in everyone's sides.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-042-Source_Seattle_2016_audio.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-042-audio-from-source/id799131292?i=1000377063127&mt=2

YouTube: https://www.youtube.com/watch?v=sj_SD2k7zXw

#RSS: http://www.brakeingsecurity.com/rss

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

2016-041- Ben Johnson, company culture shifts, job descriptions, cyber self-esteem

Oct 17, 2016 01:11:23

Description:

Ben Johnson has been around the industry for a good while, and has seen a lot of ugly things in our industry.

Ben had written a recent blog post (https://www.carbonblack.com/2016/08/12/benvlog-3-negative-forces-driving-security/) detailing the issues that seem to plague many companies and many people in the infosec community.

We talked about these issues in depth, and how companies and even the employees in a company can ease some of their burdens, and how they can make some changes to make your company culture better.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-041-Ben_johnson.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-041-ben-johnson-company/id799131292?i=1000376744922&mt=2

YouTube: https://www.youtube.com/watch?v=HrTPH97-YIY

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-040: Gene_Kim, Josh_Corman, helping DevOps and Infosec to play nice

Oct 10, 2016 01:01:40

Description:

If you work in a #DevOps environment, you're on one side of the fence... you're either with the devs, you have freedom to make changes, and everything is great.

If you're on the Security and/or Compliance side, it's a desolate wasteland of watching people play fast and loose with policies, no one documenting anything, and you're seen as a 'barrier' to getting the new hotness out.

But does it have to be that way? This week, we sat down with DevOps veterans Gene Kim and Josh Corman to discuss how we can make security, compliance, and DevOps to play nice with one another.

Gene Kim's new book (excerpt): http://itrevolution.com/handbook-excerpt

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-040-Gene_Kim-Josh_Corman-Getting_Security-and_DevOps_playing_nice.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-040-gene-kim-josh-corman/id799131292?i=1000376417012&mt=2

YouTube:  https://www.youtube.com/watch?v=fOuSRYJtiKo

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-039-Robert Hurlbut, Threat Modeling and Helping Devs Understand Vulnerabilities

Oct 4, 2016 01:15:00

Description:

Join us this week as Robert Hurlbut (@roberthurlbut on Twitter), is an independent consultant with over 25 years of application experience, helps us understand best methods to getting developers on the same level as security professionals with application security flaws.

We also discuss some of the soft skills involved in bringing new concepts to organizations, like teaching proper coding conventions, changing up the development lifecycle, and helping to improve the skills of developers and managers.

 

Robert's Website is chock full of good information about threat modeling and secure coding practices at http://www.roberthurlbut.com

 

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-039-Robert_Hurlbut-threat_modeling_and_analysis.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-039-robert-hurlbut-threat/id799131292?i=1000376171899&mt=2

YouTube: https://www.youtube.com/watch?v=P5jEVJTymOg

 

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-038-Derbycon Audio and 2nd Annual Podcast with Podcasters!

Sep 29, 2016 01:24:14

Description:

Mr. Brian Boettcher and I had a great time at DerbyCon. We met so many people and it really was excellent meeting all the fans who came up and said "Hello" or that they really enjoyed the #podcast.  It is truly a labor of love and something that we hope everyone can learn something from.

We got some audio while at lunch at #Gordon #Biersch talking about log monitoring inspired by @dualcore's talk on #Anti-Forensics talk (http://www.irongeek.com/i.php?page=videos/derbycon6/310-anti-forensics-af-int0x80-of-dual-core) and how to evade log monitoring with Mr. Brian Boettcher and Michael Gough. (shout-out to @mattifestation, @dualcore, @baywolf88, @carlos_perez)

We sat down with Mr. Osman (@surkatty) from the Sound Security Podcast (@SoundSec), who was a first time attendee to #DerbyCon. We get his thoughts about DerbyCon and what talks he enjoyed.

Finally, our 2nd Annual podcast with our fellow podcasters was on. We had it in Bill Gardner's room (ReBoot-It podcast) (@oncee), Amanda Berlin (@infosystir) from #Hurricane #Labs Podcast, Jerry Bell (@MaliciousLink) from #Defensive #Security Podcast, Ben Heise (@benheise) from Rally #Security Podcast, Tim DeBlock (@TimothyDeBlock) from Exploring Information Security Podcast, and SciaticNerd (@sciaticnerd) from Security Endeavors podcast

IronGeek's website has all the videos available to listen to here: http://www.irongeek.com/i.php?page=videos/derbycon6/mainlist

 

Whiskey Bent Valley Boys:  http://whiskeybentvalley.tumblr.com/ or iTunes: https://itunes.apple.com/us/artist/whiskey-bent-valley-boys/id318874442

 

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-038-Derbycon_podcast.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-038-derbycon-audio-2nd/id799131292?i=1000375934157&mt=2

YouTube: https://www.youtube.com/watch?v=W7ylsfwGyhc

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

2016-037: B1ack0wl, Responsible Disclosure, and embedded device security

Sep 14, 2016 01:06:51

Description:

Have you ever found a #vulnerability and wondered if it was worth the time and effort to reach back to the company in question to get the fix in?

This week, we have a story with Mr. "B1ack0wl" who found a vulnerability with certain #Belkin #embedded network devices for end users...  We also find out how B1ack0wl learned his stock and trade.

https://www.exploit-db.com/exploits/40332/

Find out how he discovered it, and what steps he took to disclose the steps, and what ended up happening to the finding.

http://www.devttys0.com/  -- #embedded device hacking blog

http://io.netgarage.org/ -- #wargame site #B1ack0wl mentioned

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-037-b1ack0wl_responsible_disclosure-belkin_routers.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-037-b1ack0wl-responsible/id799131292?i=1000375462991&mt=2

YouTube: https://www.youtube.com/attribution_link?a=kChiecG0Sv4&u=/watch%3Fv%3D9_qS2s3GrT4%26feature%3Dem-upload_owner

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

2016-036: MSSP pitfalls, with Nick Selby and Kevin Johnson

Sep 11, 2016 01:08:12

Description:

Nick Selby (@nselby on Twitter) is an independent consultant who works a wide variety of jobs.  During a recent engagement, he ran into an interesting issue after a company called him in to handle an incident response. It's not the client, it was with the Managed Security Service Provider (#MSSP). His blog post about the incident made big news on Twitter and elsewhere.

Nick's Blog Post: https://nselby.github.io/When-Security-Monitoring-Provides-Neither-Security-Nor-Monitoring/

So, we wanted to have Nick on to discuss any updates that occurred, and also asked an MSSP owner, Kevin Johnson, from SecureIdeas (@secureideas on Twitter), as Kevin is well versed with both sides, being a customer, and running an MSSP with his product, Scout (https://secureideas.com/scout/index.php)

We go over what an MSSP is (or what each person believes an MSSP is), we discuss the facts from Nick and his client's side, we try and put ourselves in the shoes of the MSSP, and if they handled the issue properly.

We also find out how Nick managed to save the day, the tools they used to solve the problem.  We did a whole podcast on it, and maybe it's time to re-visit that...

Finally, we discuss the relationship between an MSSP and the customer, what expectations each party should see from each other, and what are the real questions each should ask one another when you're searching out an MSSP.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-036-mssp-nick_selby-kevin_johnson.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-036-mssp-pitfalls-nick/id799131292?i=1000375157370&mt=2

YouTube:  https://www.youtube.com/watch?v=b1rEpaBAKpQ

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

2016-035-Paul Coggin discusses the future with Software Defined Networking

Sep 6, 2016 01:13:28

Description:

Paul Coggin is my SME when I need to know about anything network #security related. And this time, we wanted to have him on our show to discuss Software Defined Networking (#SDN)

Software defined networking allows for applications to make connections, manage devices and even control the network using #APIs. It in effect allows any developer become a network engineer.  Obviously this could be a recipe for disaster if the dev is not fully understanding of the rammifiications.

And there's more good news (if you're a black hat), there's no role based security, parts of the #specification isn't fully fleshed out yet, and there are vendor specific frameworks of their own, that may not be fully interoperable with each other...

Paul talks to us about some background of #SDN, some of the pitfalls and what you need to think about when implementing Software Defined Networking.

 

Links referred to in the Show:

https://www.rsaconference.com/writable/presentations/file_upload/tech-r03-sdn-security-v3.pdf

https://www.blackhat.com/docs/eu-14/materials/eu-14-Pickett-Abusing-Software-Defined-Networks-wp.pdf

http://onosproject.org/2015/04/03/sdn-and-security-david-jorm/

https://people.eecs.berkeley.edu/~rishabhp/publications/Sphinx.pdf

https://www.opendaylight.org/

https://www.opennetworking.org/certification

Ras Pi as an OpenFlow controller: https://faucet-sdn.blogspot.com/2016/06/raucet-raspberry-pi-faucet-controlling.html

Zodiac FX SDN boards (Excellent customer service!):  http://northboundnetworks.com/

Excellent site discussing SDN:  http://www.ipspace.net/Main_Page

Coursera SDN course:  https://www.coursera.org/learn/sdn

 

Brakeing Down Security RSS: http://www.brakeingsecurity.com/rss

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2016-035-Paul_Coggin_SDN.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-035-paul-coggin-discusses/id799131292?i=1000374972931&mt=2

YouTube: https://www.youtube.com/watch?v=YuuNzeiexUY

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-034: Sean Malone from FusionX explains the Expanded Cyber Kill Chain

Aug 28, 2016 01:40:44

Description:

Another great #rejectedTalk we found was from Sean Malone (@seantmalone on Twitter). The Cyber Kill Chain is a method by which we explain the methodolgy of hackers and the process of hacking.

In this discussion, we find Sean has expanded the #killchain, to be more selective, and to show the decision tree once you've gained access to hosts.

This expanded #killChain is also effective for understanding when #hackers are attacking specific systems, like #SCADA, or other specialized systems or networks, like the #SWIFT banking transfer. This discussion also is great for showing management the time and effort required to gain access to systems.

We also talk about the #OODA loop (https://en.wikipedia.org/wiki/OODA_loop) and how disrupting that will often cause attacks to go awry or to be stunted, reducing the effectiveness.

Sean T. Malone website: http://www.seantmalone.com/


Slides and presentation referred to in the podcast: http://www.seantmalone.com/docs/us-16-Malone-Using-an-Expanded-Cyber-Kill-Chain-Model-to-Increase-Attack-Resiliency.pdf

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-034-CyberKillChain.mp3

iTunes:  https://itunes.apple.com/us/podcast/2016-034-sean-malone-from/id799131292?i=1000374642630&mt=2

YouTube:  https://www.youtube.com/watch?v=eBOCjaGmbMg

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-033: Privileged Access Workstations (PAWs) and how to implement them

Aug 22, 2016 57:33

Description:

Bill V. (@blueteamer on Twitter) and was the 1st of a series we like to call "2nd Chances: Rejected Talks". Bill had a talk that was rejected initially at DerbyCon (later accepted after someone else cancelled)  Here is the synopsis of his talk that you can now see at DerbyCon:

Privileged Access Workstations (PAWs) are hardened admin workstations implemented to protect privileged accounts. In this talk I will discuss my lessons learned while deploying PAWs in the real world as well as other techniques I've used to limit exposure to credential theft and lateral movement. I hope to show fellow blue teamers these types of controls are feasible to implement, even in small environments. 

TechNet article referenced on the show:

https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-033-PAWs-Bill_Voecks-Rejected_Talks.mp3

RSS: http://www.brakeingsecurity.com/rss

iTunes: https://itunes.apple.com/us/podcast/2016-033-privileged-access/id799131292?i=1000374432509&mt=2

YouTube: https://www.youtube.com/watch?v=0DwR9RcEBo0

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-032-BlackHat-Defcon-Debrief, Brakesec_CTF_writeup, and blending in while traveling

Aug 15, 2016 59:56

Description:

Co-Host Brian Boettcher went to BlackHat and Defcon this year, as an attendee of the respective cons, but also as a presenter at "Arsenal", which is a venue designed to show up and coming software and hardware applications. We started off by asking him about his experiences at Arsenal, and how he felt about "Hacker Summer Camp"

Our second item was to discuss the recent Brakesec PodCast CTF we held to giveaway a free ticket to Derbycon. We discussed some pitfalls we had, how we'll prepare for the contest next year, and steps it took to solve the challenges.

The final item of the night was about travel security, since the Olympics are on, and there was a report about Olympic athletes who were robbed at gunpoint. We discuss safety while traveling, keeping a low profile, reducing risk, and reminding you to leave the overly Patriotic shirts and apparel at home.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-032-Defcon-blackHat_debrief-travel-security_CTF-writeup-final.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-032-blackhat-defcon-debrief/id799131292?i=1000374155086&mt=2

YouTube:  https://www.youtube.com/watch?v=Df-JL-PiGus

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-031:DFIR rebuttal and handling incident response

Aug 8, 2016 59:00

Description:

A couple of weeks ago, we discussed on our show that not all incident response events required digital forensics.  We got quite a bit of feedback about that episode, so in an effort to address the feedback, we brought Brian Ventura on.

Brian has 20+ years in Information Technology, ranging from systems administration to project management and information security. He is an Information Security Architect in Portland, Oregon and volunteers as the Director of Education for the Portland ISSA Chapter. Brian holds his CISSP and GCCC, as well as other industry certifications. As the Director of Education, Brian coordinates relevant local and online training opportunities.

We discuss definitions of what digital forensics are, and how that term really has a broad range for classification.

Brian will be teaching SEC566 in Long Beach in September. Here is the link for more information to sign up for this course...  https://www.sans.org/community/event/sec566-long-beach-26sep2016-brian-ventura

 

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2016-031-DFIR_discussion_and_rebuttal.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-031-dfir-rebuttal-handling/id799131292?i=1000373849931&mt=2

YouTube: https://www.youtube.com/watch?v=e3Dy001GdWM

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-030: Defending Against Mimikatz and Other Memory based Password Attacks

Aug 1, 2016 35:01

Description:

In the last few years, security researchers and hacker have found an easy way of gaining access to passwords without the use of dumping the Windows hash table.

When improperly configured, the passwords are stored in memory, often in plain text.

 

This week, we discuss Mimikatz, and methods by which you can protect your environment by hardening Windows against such attacks.

 

Links to blogs:

https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft

http://blog.gojhonny.com/2015/08/preventing-credcrack-mimikatz-pass-hash.html

https://jimshaver.net/2016/02/14/defending-against-mimikatz/

 Praetorian Report on pentests: http://www3.praetorian.com/how-to-dramatically-improve-corporate-IT-security-without-spending-millions-report.html

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-030-Defense_against_Mimikatz.mp3

YouTube:  https://www.youtube.com/watch?v=QueSEroKR00

iTunes: https://itunes.apple.com/us/podcast/2016-030-defending-against/id799131292?i=1000373511591&mt=2

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

2016-029: Jarrod Frates, steps when scheduling a pentest, and the questions you forgot to ask...

Jul 26, 2016 01:22:40

Description:

Jarrod Frates (@jarrodfrates on Twitter) has been doing pentests as a red-team member for a long time. His recent position at #InGuardians sees him engaging many companies who have realized that a typical 'pentest #puppymill' or pentest from certain companies just isn't good enough.

Jarrod has also gone on more than a few engagements where he has found the client in question has no clue of what a 'real' pentest is, and worse, they often have the wrong idea of how it should go.

This week, I sat down with Jarrod, and we talked about what needs to occur before the pentest, even before you contact the pentesting firm... even, in fact, before you should even consider a pentest. 

We discuss what a pentest is, and how it's different from a 'vulnerability assessment', or code audit. Jarrod and I discuss the overarching requirements of the pentest (are you doing it 'just because', or do you need to check a box for compliance).  We ask questions like

Who should be involved setting scope? 

Should #Social #Engineering always be a part of a pentest?

Who should be notified if/when a #pentest is to occur?

Should your SOC be told when one occurs?

What happens if the pentest causes incident response to be called (like if someone finds a malware/botnet infection)?

And how long do you want the engagement to be?

And depending on the politics involved, these things can affect the quality of the pentest, and the cost as well...

It was a great discussion with Jarrod, a seasoned professional, and veteran of many engagements. If your organization is about to engage a company for a pentest, you'd be wise to take a moment and listen to this.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-029-Jarrod_Frates-What_to_do_before_a_pentest_starts.mp3

#iTunes: https://itunes.apple.com/us/podcast/2016-029-jarrod-frates-steps/id799131292?i=1000373091447&mt=2

#YouTube:  http://www.youtube.com/attribution_link?a=p2oq6jT3Iy0&u=/watch%3Fv%3DsTc_seN-hbs%26feature%3Dem-upload_owner

 

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

2016-028: Cheryl Biswas discusses TiaraCon, Women in Infosec, and SCADA headaches

Jul 18, 2016 01:00:24

Description:

Long time listeners will remember Ms. Cheryl #Biswas as one of the triumvirate we had on to discuss #mainframes and mainframe #security. (http://traffic.libsyn.com/brakeingsecurity/2016-008-mainframe_secruity.mp3)

I was interested in the goings on at BlackHat/DefCon/BsidesLV, and heard about #TiaraCon (@tiarac0n on Twitter). I went to find someone involved to understand what it was all about, and Ms. Cheryl reached out. She's an #organizer and was more than happy to sit down with me to understand why it was started. This is its inaugural year, and they already have some excellent schwag and sponsors. This is not just an event for ladies, but a way of #empowering #women, creating #mentorship opportunities, and assistance for people moving into the #infosec industry.

Also, since Ms. Cheryl's loves discussing #ICS and #SCADA problems and headaches, we got into the headaches, #challenges, and maybe some 'logical' solutions to fixing SCADA vulns... but does the logical approach work in a business sense?

TiaraCon official site:  http://tiaracon.org/ 

TiaraCon Dates: Thursday Aug 4 - Friday Aug 5

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-028-Cheryl_Biswas_Tiaracon_ICSSCADA_headaches.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-028-cheryl-biswas-discusses/id799131292?i=1000372642921&mt=2

Youtube: https://www.youtube.com/watch?v=vsolDjsz5M4

 

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-027: DFIR conference, DFIR policy controls, and a bit of news

Jul 11, 2016 45:02

Description:

Mr. Boettcher is back!  We talked about his experiences with the #DFIR conference, and we get into a discussion about the gap between when incident response is and when you're using #digital #forensics. Mr. Boettcher and I discuss what is needed to happen before #incident #response is required.

We also discuss the Eleanor malware very briefly and I talk about finding Platypus, which is a way for you to create OSX packages using python/perl/shell scripts.

Platypus:  http://sveinbjorn.org/platypus

Eleanor Malware on OSX:

https://www.grahamcluley.com/2016/07/mac-malware-uses-tor-obtain-access-systems/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-027-DFIR_policy_controls.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-027-dfir-conference-dfir/id799131292?i=1000372256055&mt=2

YouTube: https://www.youtube.com/watch?v=RPN0nDGYA5c#action=share

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

2016-026-powershell exfiltration and hiring the right pentest firm

Jul 4, 2016 01:14:55

Description:

 Adam Crompton (@3nc0d3r) and Tyler Robinson (@tyler_robinson) from Inguardians came by to fill in for my co-host this week. We talk about things a company should do to protect themselves against data exfil.

Adam then shows us a tool he's created to help automate data exfil out of an environment. It's called 'Naisho', and if you're taking the 'Powershell for Pentesters' class at DerbyCon, you'll be seeing this again, as Adam will be co-teaching this class with Mick Douglas (@bettersafetynet).

Tyler tells us about using Cobalt Strike for creating persistent connections that are more easily hidden when you are on an engagement.

 

Adam's demo can be found on our YouTube channel: https://youtu.be/rj--BfCvacY

Tyler's demo of Throwback and using Cobalt Strike can be found on our YouTube Channel:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-026-exfiltration_techniques-redteaming_vs_pentesting-and-gaining_persistence.mp3

 

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-025-Windows Registry, Runkeys, and where malware likes to hide

Jun 27, 2016 50:48

Description:

The windows registry has come a long way from it's humble beginnings in #Windows 3.11 (Windows for Workgroups).  This week, we discuss the structure of the Windows registry, as well as some of the inner workings of the registry itself.

We also discuss where are some good places to find malware, some of the key values that you can find in the #registry and their meanings. We also discuss what atomicity is and how the registry is a lot like a database in how it functions.

And no podcast about Windows #forensics should be done without talking about a tool, and our friend David #Longenecker (@dnlongen on Twitter) created a cross-platform tool that allows you to take exports of the registry and analyze them without need to be physically on the host. You can find reglister here:

http://www.securityforrealpeople.com/2015/08/introducing-new-forensics-tool-reglister.html

 

We finish up discussing our #DerbyCon giveaways and a peek at what will be a very interesting podcast next week.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-025-Windows_Registry-RunKey_artifacts-finding_where_malware_hides.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-025-windows-registry/id799131292?i=1000371465676&mt=2

 

SoundCloud: https://soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2016-024: Kim Green, on CISOaaS, the Redskins Laptop, and HIPAA

Jun 20, 2016 01:13:20

Description:

We are pleased to introduce Ms. Kim Green (Twitter: @kim1green). She is the CEO of KAZO Security, as well as the CISO/CPO of Zephyr Health, a #SaaS based #Healthcare data #analytics company.  She brings over 20 years of experience in healthcare and leadership to help small and medium business companies get help from a #CISO to assist in an advisory role.

Ms. Green also started a bug bounty program at Zephyr Health to assist them in shoring up their application, finding #vulnerabilities that their internal teams may have missed. We are going to discuss with her why they decided to make it a private bug bounty, and what was the result.

https://www.youtube.com/watch?v=GbW777t1tTA -- more about the bug bounty

We also discuss why#HIPAA seems to be so far behind in terms of being able to protect #PHI/#PII and what if anything can be done to fix it. 

http://www.darkreading.com/analytics/hipaa-not-helping-healthcares-software-security-lagging/d/d-id/1322715

We finish up discussing a recent news story about the how the National Football League (#NFL) team Washington Redskins had a trainer lose a laptop with the PII and health information on several thousand NFL players. We discuss why they did not violate HIPAA, and what if anything they did violate.

https://www.washingtonpost.com/news/dc-sports-bog/wp/2016/06/01/nfl-players-medical-records-reportedly-stolen-from-redskins-trainers-car/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-024-Kim_Green-HIPAA-CISO_as_a_service-HIPAA_maturity_redskins-laptop.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-024-kim-green-on-cisoaas/id799131292?i=1000371021883&mt=2

YouTube: https://www.youtube.com/watch?v=F9zvkeuON4I&list=PLqJHxwXNn7guMA6hnzex-c12q0eqsIV_K&index=1

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-023- DNS_Sinkholing

Jun 13, 2016 39:21

Description:

Picture yourself in the middle of a security incident... A malware infection, or you have hosts on your network are part of a botnet.  You figured out where how the malware is communicating with the command and control servers, but if you just kill the connection, the malware stop functioning.  What do you do?

In some cases, you might be able to employ a DNS #sinkhole to route traffic harmlessly to  or through a honey network that can be used to further analyze things like #infection vectors, #protocols, commands, and #network movement. You can also use #DNS sinkholing to disable the malware if certain conditions are met.

Like most tools, sinkholing can be used for good, but there are legal issues if it's used incorrectly.  We discuss some of the legalities. It won't disable all malware or exploit kits, but for some infections, this is another tool in your toolbox you can employ.

In a continuation from last week's show with Earl Carter about the #Angler #Exploit Kit, we discuss how Angler is able to bypass #EMET and #ASLR protections... https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-023-DNS_Sinkholes2.mp3

iTunes:  https://itunes.apple.com/us/podcast/2016-023-dns-sinkholing/id799131292?i=1000370572088&mt=2

YouTube: https://youtu.be/67huikA2QFg

 

Links we used to discuss sinkholing:

Basic sinkhole app using BIND: https://isc.sans.edu/forums/diary/DNS+Sinkhole+ISO+Available+for+Download/9037/

*UPDATED literally hours after I posted this show*  Version 2.0 of the DNS sinkhole ISO: https://isc.sans.edu/diary/21153

 

 

http://resources.infosecinstitute.com/dns-sinkhole

 

https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/content-inspection-features/dns-sinkholing

 

https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523

 

http://www.darkreading.com/partner-perspectives/general-dynamics-fidelis/principles-of-malware-sinkholing/a/d-id/1319769

 

Blackhole DNS servers -- http://www.malware-domains.com/   or http://www.malwaredomains.com/

http://handlers.dshield.org/gbruneau/sinkhole.htm

Malware blackhole DNS campaign (2013) - http://www.bleepingcomputer.com/forums/t/511780/dns-sinkhole-campaign-underway-for-cryptolocker/

 

http://www.darkreading.com/risk/microsoft-hands-off-nitol-botnet-sinkhole-operation-to-chinese-cert/d/d-id/1138455

 

http://someonewhocares.org/hosts//  -massive dns sinkholing list

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

images:

Image: https://www.enisa.europa.eu/topics/national-csirt-network/glossary/files/dns_sinkhole

2016-022: Earl Carter dissects the Angler Exploit Kit

Jun 6, 2016 57:40

Description:

Earl Carter spends all day researching exploit kits and using that information to protect customers from various malware payloads that spread ransomware.  This week we sit down with him to understand the #Angler EK.

He starts us off with a history or where it came from and how it gained so much popularity, evolving from earlier EKs, like #BlackHole, or WebAttacker. We even discuss how it's gone from drive-by downloads, to running only in memory, to being used in malvertising campaigns. We even get to hear about how the creators "rent" out the EK, and how they also control the malvertising side as well. Great insights into how the EK eco-system operates...

We talk about some of the vulns used by exploit kits. Contrary to popular belief, the vulns used don't always have to be 0day. Blue teamers will learn valuable insights in protecting your networks from this EK.

Direct Link:http://traffic.libsyn.com/brakeingsecurity/2016-022-earl_carter_dissects_angler_ek.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-022-earl-carter-dissects/id799131292?i=1000370105193&mt=2

 

Links referenced during the show:

Earl's slides from Bsides Austin: http://www.slideshare.net/EarlCarter3/bsides-anglerevolution-talk-60408313

http://blog.0x3a.com/post/118366451134/angler-exploit-kit-using-tricks-to-avoid-referrer

http://blogs.cisco.com/security/talos/angler-flash-0-day

http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html

https://isc.sans.edu/forums/diary/Angler+exploit+kit+pushes+new+variant+of+ransomware/19681

http://blogs.cisco.com/security/talos/angler-flash-0-day

https://hiddencodes.wordpress.com/2015/05/29/angler-exploit-kit-breaks-referer-chain-using-https-to-http-redirection/

https://heimdalsecurity.com/blog/ultimate-guide-angler-exploit-kit-non-technical-people/

 

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-021: Carbon Black's CTO Ben Johnson on EDR, the layered approach, and threat intelligence

May 29, 2016 57:38

Description:

Ben Johnson (@chicagoben on Twitter) has spent a good deal of time working on protecting client's endpoints. From his work at the NSA, to being the co-founder of Carbon Black (@carbonblack_inc).

We managed to have him on to discuss EDR (#Endpoint Detection and Response), TTP (#Tactics, Techniques, and Procedures), and #Threat #Intelligence industry.

Ben discusses with us the Layered Approach to EDR:

1. Hunting

2. Automation

3. Integration

4. Retrospection

5. Patterns of Attack/Detection

6. indicator-based detection

7. Remediation

8. Triage

9. Visibility

We also discuss how VirusTotal's changes in policy regarding sharing of information is going to affect the threat intel industry.

Ben also discusses his opinion of our "Moxie vs. Mechanisms" podcast, where businesses spend too much on shiny boxes vs. people.

Brakesec apologizes for the audio issues during minute 6 and minute 22. Google Hangouts was not kind to us :(

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-021-Ben_Johnson-Carbon_black-Threat_intelligence.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-021-carbon-blacks-cto/id799131292?i=1000369579669&mt=2

YouTube: https://youtu.be/I10R3BeGDs4

RSS: http://www.brakeingsecurity.com/rss

Show notes: https://docs.google.com/document/d/12Rn-p1u13YlmOORTYiM5Q2uKT5EswVRUj4BJVX7ECHA/edit?usp=sharing (great info)

https://roberthurlbut.com/blog/make-threat-modeling-work-oreilly-2016

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-020-College Vs. Certifications Vs. Self-taught

May 22, 2016 54:20

Description:

Dr. Matt Miller is a professor at the University of Nebraska at Kearney. We had him on to discuss a matter that seems to weigh heavily on the infosec community. What will a CS degree get you? What are you learning these days as a future code jockey? Is skipping college altogether better?

We discuss what he does to arm future developers with the tools necessary to get a job. We hear about what they also might be lacking in as well.

Dr. Miller is also spearheading a new cybersecurity degree track at his university. We discuss what it's like to head that up, and we even get into a bit of discussion on Assembly language.

ASM book used in the above class: http://www.drpaulcarter.com/pcasm/

Download here: http://www.drpaulcarter.com/pcasm/pcasm-book-pdf.zip

We also discuss free alternatives for learning out there, and how effective they are.

 

Show notes: https://docs.google.com/document/d/1Grimx_OCSURTktzM5QRKqsG9p9G5LljdleplH1DZQv4/edit?usp=sharing

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-020-College_vs_Certs_vs_self-taught.mp3


iTunes:  https://itunes.apple.com/us/podcast/2016-020-college-vs.-certifications/id799131292?i=1000369124337&mt=2


YouTube Playlist: https://www.youtube.com/playlist?list=PLqJHxwXNn7guMA6hnzex-c12q0eqsIV_K

RSS FEED: http://www.brakeingsecurity.com/rss

 

Dr. Miller's CSIT-301 course on Assembly: https://www.youtube.com/playlist?list=PLSIXOsmf9b5WxCMrt9LuOigjR9qMCRrAC

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @milhous30

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-019-Creating proper business cases and justifications

May 16, 2016 54:43

Description:

Procurement is a process. Often a long drawn out, tedious process, but it is necessary to ensure that hardware and software is going to be what works in your organization.

We go over what is necessary to make sure your procurement is as smooth as possible. Some of the topics we discuss include:

1. Aligning business goals and operational goals

2. How to discuss ROI with management

3. Getting actionable information for business requirements from affected parties

4. Steering yourself away from confirmation bias or optimism bias, and ensuring you're thinking critically when comparing the current status quo vs. a new solution

5. Information you might want to gather from potential vendors to make a more informed decision as to whether their product is the one you want

And finally, we discuss how to handle the dread vendor demos. There may be a number of them, and they are arguably the best method of knowing the software or hardware is going to work for you.

This is a topic that affects everyone, whether you are a manager, or a user of the technology involved.

We also like to remind people that our DerbyCon CTF and raffle are still going on. There is plenty of time to get involved if you want a chance to get a ticket to Derbycon 2016!

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-019-business_cases_and_justifications-final.mp3

Itunes: https://itunes.apple.com/us/podcast/2016-019-creating-proper-business/id799131292?i=1000368774135&mt=2

YouTube Link: https://youtu.be/8sWn1IYpgtY

Links referred to in the show:

http://www.ask.com/business-finance/business-justification-example-cdebe6f929949e8c

http://www.iso20022.org/documents/BJ/BJ044/ISO20022BJ_ATICA_v4_with_comments.pdf

http://klariti.com/business-case-2/business-case-justify-business-need/

https://en.wikipedia.org/wiki/Business_case

https://en.wikipedia.org/wiki/Optimism_bias

http://www.ehow.com/how_6672801_write-business-justification.html

http://www.acqnotes.com/acqnote/careerfields/establishing-software-requirements

 

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-018-software restriction policies and Applocker

May 9, 2016 01:00:01

Description:

Windows has all the tools you need to secure an OS, but we rarely use them.  One example of this is 'Software restriction policies'. Which is a method by which you can block certain files from being saved anywhere, what file types can be executed in a directory, and can even whether or not you should allow software to install.

We also discuss the use of parental controls as a cheap, easy method of restricting users to access certain websites, installing software from iTunes store, or restricting access to certain functions or applications.

Also, the 2nd clue for our CTF can be found in this podcast... see if you can find the giant clue... :)

**NOTE: We had an issue with Mr. Boettcher's Windows 10 install, he's using Windows 10 Home, which does not appear to have Applocker or Software Restriction Policy by default.  So, I cut a lot of us bickering^H^H^H^H discussing how to get it to work, so the middle around 25:00 mark will feel a tad off. Apologies... I should have stopped recording.

 

Links referred to during the podcast:

https://technet.microsoft.com/en-us/library/hh831534.aspx

http://mechbgon.com/srp/  - LOL, mentions the use of ‘parental controls’ to restrict systems

http://www.instructables.com/id/Getting-past-Software-Restriction-Policies/

http://www.itingredients.com/how-to-deploy-software-restriction-policy-gpo/

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/using-software-restriction-policies-and-applocker-policies

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-018-software_restriction_policy-applocker.mp3

#iTunes Link: https://itunes.apple.com/us/podcast/2016-018-software-restriction/id799131292?i=1000368338483&mt=2

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

 

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-017-The Art of Networking, Salted Hashes, and the 1st annual Podcast CTF!

May 2, 2016 01:02:26

Description:

You might have heard "Network when you can, not when you have to..." The art of network is creating connections and nurturing relationships that benefit everyone. This week we discuss building networks, creating people networks that allow for free sharing of ideas and knowledge. Whether it be a professional organization,like ISSA or ISC2 meetings, or you just get a bunch of people together to have coffee on a Saturday morning.

We also brainstorm ideas on how people in our community keep their skills sharp, and why some seem to allow them to atrophy once they get a specific certification or degree. We cite examples of things and actions that allow you to gain more knowledge, and to ensure your company will still see you as an SME. CPEs can be gained in the most simplest of methods. Just by listening to this podcast, for example, you can receive one CPE (1 hour = 1CPE) there are many other ways of getting them. and we cite several in this podcast.

We also discuss the continued use of unsalted, weakly hashed passwords in systems, and why a recent breach of a custom Minecraft implementation allowed it to occur.

Story: http://news.sky.com/story/1687550/minecraft-hack-exposes-seven-million-passwords

But I think the most exciting part of the podcast is theannouncement of the 1st annual Brakeing Down Security PodcastCTF!The details can be found in the podcast.

 Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-017-Networking-Podcast_CTF-salted_hashes.mp3

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#iTunes: https://itunes.apple.com/us/podcast/2016-017-art-networking-salted/id799131292?i=367885714&mt=2

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-016-Exploit Kits, the "Talent Gap", and buffer overflows

Apr 25, 2016 01:00:14

Description:

Angler, Phoenix, Zeus... all famous exploit kits that are used to move malware into your environment. This week, Mr. Boettcher and I discuss the merits of Exploit kits, how they function and what can be done to stop them. They are only getting more numerous and they will be serving more malware to come.

We shift gears and discuss the 'talent gap' the media keeps bringing up, and whether it's perceived or real. We discuss the industry as a whole, and what caused the gap, and if it will get better...

*BONUS*... after the audio, listen to me (Bryan) failing at understanding buffer overflow exercises I'm doing as part of my #OSCP certification...

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-016.-Exploit_kits_Talent_Gaps_and_buffer_overflows.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-016-exploit-kits-talent/id799131292?i=367465364&mt=2

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-015-Dr. Hend Ezzeddine, and changing organizational security behavior

Apr 16, 2016 01:10:44

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-015-Dr._Hend_Ezzeddine_and_finding_security_training_that_works.mp3

iTunes Link: https://itunes.apple.com/us/podcast/2016-015-dr.-hend-ezzeddine/id799131292?i=366936677&mt=2

Dr. Ezzeddine's slides from Bsides Austin (referenced during the interview): https://drive.google.com/file/d/0B-qfQ-gWynwiQnBXMnJVeko4M25pdk1Sa0JnMGJrZmltWlRr/view?usp=sharing

You open the flash animation, click click click, answer 10 security questions that your 5 year old could answer, get your certificate of completion... congratulations, you checked the compliance box...

But what did you learn in that training? If you can't remember the next day, maybe it's because the training failed to resonate with you?

Have you ever heard red team #pentester say that the weakest link in any business is not the applications, or the hardware, but the people? If they can't find a vulnerability, the last vulnerability is the people. One email with a poisoned .docx, and you have a shell into a system...

Targeted trainings, and the use of certain styles of #training (presentations, in-person, hand puppets, etc) can be more effective for certain groups. Also, certain groups should have training based on the threat they might be susceptible to...

Dr. Hend #Ezzeddine came by this week to discuss how she helps #organizations get people to understand security topics and concepts, to create a positive security culture. Maybe even a culture that will not click on that attachment...

 

**If you are planning on attending "Hack In The Box" in Amsterdam, The Netherlands on 23-27 May 2016, you can receive a 10% discount by entering 'brakesec' at checkout.

Get more information at the "Hack In The Box" conference by visiting:

http://conference.hitb.org/hitbsecconf2016ams/

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake @hackerhurricane

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

2016-014-User_Training,_Motivations,_and_Speaking_the_Language

Apr 8, 2016 41:17

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-014-User_Training_Motivation_and_Languages.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-014-user-training-motivations/id799131292?i=366433676&mt=2

Fresh back from my vacation, Mr. Boettcher and I got to discussing things that have weighed on our minds, and I had a story from my travels that fit in perfectly with our discussion.

What does our industry (Infosec Practitioners) to motivate people to be secure? Is it a language barrier? I don't mean Spanish/English, but do we do a good job at speaking "user"? How can we do a better job at that if we find ourselves failing? How can speaking 'manager' or 'VP' help us get help that we need? For many, it's like the difference in communicating with someone who speaks Mandarin.

We discussed the need to educate people against thumbdrive insertion, even in the face of a study of people inserting random thumbdrives into their computers. We discuss the motivation of users who do so, whether it's altruistic, or malicious:

http://www.pc-tablet.co.in/2016/04/07/25826/study-shows-users-access-random-pendrives-computers-overlooking-risk/

We discussed an app logic flaw that were found recently in the news:

http://www.digitaltrends.com/mobile/free-pizza/

Which is exactly what we were talking about when talking to Ben Caudill a few weeks ago about app logic flaws. This flaw has been in the app for a good long time, and while the security researcher saw fit to report it, the ethical implications of keeping it secret could have cost Domino's a lot.

Mr. Boettcher gives us a report of Bsides Austin, and how it's grown in the past few years. We finish up discussing infosec conferences and how they appear to be thriving. Is it good marketing, or are companies finally understanding their importance?

**If you are planning on attending "Hack In The Box" in Amsterdam, The Netherlands on 23-27 May 2016, you can receive a 10% discount by entering 'brakesec' at checkout.

Get more information at the "Hack In The Box" conference by visiting:

http://conference.hitb.org/hitbsecconf2016ams/

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake @hackerhurricane

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

2016-013-Michael Gough, the ISSM reference model, and the 5 P's

Mar 26, 2016 58:52

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-013-michael_gough-the_5_Ps.mp3

iTunes: https://itunes.apple.com/us/podcast/2015-013-michael-gough-issm/id799131292?i=365622423&mt=2

We discuss a model that Michael Gough used while he was at HP. The Information Security and Service Management (ISSM) Reference model can be used to help companies align their IS and IT goals with the businesses goals... If you've been a listener of our podcast for a while now, you might have heard our 2-part podcast on ITIL with Tim Wood, which is a service based solution to enable your IT and infosec initiatives to also align with your business needs.

From the ISSM whitepaper:

"organizations need to build and run an integrated service management system that addresses security and risk management as well as the regulatory compliance imposed on the agency while ensuring that agreed services are provided to internal and external customers and managed end-to-end.

For agencies and organizations to achieve meaningful service outcomes, technology and agency decision makers need to align their goals and strategies more closely while dealing with an increasing amount of technologies, threats, and regulatory compliance requirements."

We discuss the idea of the "5 P's", which are "Policy, Process, People, Products (or technology), and Proof", and how they are important to the implementation of the #ISSM reference model

Finally, we discuss a typical engagement using the ISSM model. Creation of the 7 Core components and additional using a maturity model to self-assess your company in an effort to show transparency to your internal processes.

Important links:

http://www8.hp.com/h20195/V2/getpdf.aspx/4AA2-2350ENW.pdf?ver=1.0

http://www.digitalgovernment.com/media/Downloads/asset_upload_file772_2477.pdf

https://en.wikipedia.org/wiki/Information_security_management_system

http://www.davebolick.com/SampleNewsletterHPFinancialAdvisor.pdf

http://media.govtech.net/HP_RC_08/Security_RC/ISSM_for_SLG.pdf

Integrating ITIL into infosec: http://traffic.libsyn.com/brakeingsecurity/2015-018-Integrating_infosec_with_ITIL.mp3

http://traffic.libsyn.com/brakeingsecurity/2015-017_ITIL_and_infosec.mp3

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake @hackerhurricane

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

#cobit, #cmmi, #maturity model, #ISSM, #ITIL, #Service, #management, #reference model, #ISO, #27002, #27001, CISSP, #podcast, #infosec, #compliance

2016-012-Ben Caudill on App Logic Flaws, and Responsible Disclosure

Mar 19, 2016 51:47

Description:

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-012-Ben_Caudill-Application_Logic_Flaws.mp3

Itunes: iTunes: https://itunes.apple.com/us/podcast/2016-012-ben-caudill-on-app/id799131292?i=365094523&mt=2

Ever bought "-1" of an item on a retail site? Or was able to bypass key areas of an application and get it bypass authentication, or you were able to bypass a paywall on a site?

Application logic flaws are often insidious and not easy to find. they require often a bit of work to bypass, and are often missed by testing groups with rigid test plans, as they violate the flow of an application. "Why would they do that? That doesn't make any sense..." often precludes the finding of an application logic flaw.

This week, we interview Ben Caudill from Rhino Security, who discussed a logic flaw that could be used to de-anonymize someone by creating fake profiles..

We then discuss how Ben went through contacting the company, what happened after initial disclosure, and how it was fixed.

http://www.geekwire.com/2014/hack-popular-app-secret-seattle-hackers-show-digital-security-always-beta/

http://www.theguardian.com/technology/2014/aug/26/secret-app-cyberbullying-security-hackers

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

#infosec, #podcast, #CISSP, #CPEs, #vulnerability #disclosure, #responsible #disclosure, #application #security, #logic #flaws, Ben #Caudill, #Rhino #Security

2016-011-Hector Monsegur, deserialization, and bug bounties

Mar 14, 2016 01:12:26

Description:

Download Here: http://traffic.libsyn.com/brakeingsecurity/2016-011-Hector_Monsegur-bug_bounties-serialization.mp3

iTunes Direct Link: https://itunes.apple.com/us/podcast/2016-011-hector-monsegur-serialization/id799131292?i=364768504&mt=2

Hector Monsegur has had a colorful history. A reformed black hat who went by the name 'Sabu' when he was involved in the hacker collectives "Lulzsec" and "Anonymous", he turned state's evidence for the FBI, working to stop further hacking attempts by the same people he was working with.

https://en.wikipedia.org/wiki/Hector_Monsegur

This week, we got to sit down with Hector, to find out what he's been doing in the last few years. Obviously, a regular job in the security realm for a large company is not possible for someone with a colorful past that Mr. Monsegur has. So we discuss some of the methods that he's used to make ends meet.

Which brings us to the topic of bug bounties. Do they accomplish what they set out to do? Are they worth the effort companies put into them? And how do you keep bounty hunters from going rogue and using vulnerabilities found against a company on the side?

In an effort to satisfy my own curiosity, I asked Hector if he could explain what a 'deserialization' vulnerability is, and how it can be used in applications. They are different than your run of the mills, every day variety OWASP error, but this vulnerability can totally ruin your day...

https://www.contrastsecurity.com/security-influencers/java-serialization-vulnerability-threatens-millions-of-applications

https://securityintelligence.com/one-class-to-rule-them-all-new-android-serialization-vulnerability-gives-underprivileged-apps-super-status/

Finally, we ask Hector some advice for that 'proto black hat' who is wanting to head down the road that Hector went. The answer will surprise you...

We hope you enjoy this most interesting interview with a enigmatic and controversial person, and hope that the information we provide gives another point of view into the mind of a reformed "black hat" hacker...

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

#infosec, #blackhat, hector #monsegur, #hacker, #anonymous, #lulzsec, #FBI, #Sabu, #deserialization, #bug #bounties, #hackerone, #bugcrowd, #podcast, #de-serialization, #penetration tests, #social #engineering, #CISSP

2016-010-DNS_Reconnaissance

Mar 7, 2016 49:54

Description:

DNS... we take it for granted... it's just there. And we only know it's broken when your boss can't get to Facebook. 

This week, we discuss the Domain Naming System (DNS). We start with a bit of history, talking about the origins of DNS, some of the RFCs involved in it's creation, how it's hierarchical structure functions to allow resolution to occur, and even why your /etc/hosts is important. 

We discuss some of the necessary fields in your DNS records. MX, ALIAS, CNAME, SOA, TXT, and how DNS is used for non-repudiation in email.

We also touch on how you can use DNS to enumerate an external network presence when you are the red team, and what you should know about to make it harder for bad actors to not use your external DNS in amplification attacks.

Finally, you can't have a discussion about DNS without talking about how to secure your DNS implementation. So we supply you with a few tips and best practices. 

Plenty of informational links down below, including links to the actual RFCs (Request for Comment) which detail how DNS is supposed to function. Think of them as the owner's manual for your car.

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-010-DNS_Reconnaissance.mp3

#iTunes: https://itunes.apple.com/us/podcast/2016-010-dns-reconnaissance/id799131292?i=364331694&mt=2

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

 

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

Podcast Links we used for information:

http://www.slideshare.net/BizuworkkJemaneh/dns-42357401

300+ million domains registered: https://www.verisign.com/en_US/internet-technology-news/verisign-press-releases/articles/index.xhtml?artLink=aHR0cDovL3ZlcmlzaWduLm13bmV3c3Jvb20uY29tL2FydGljbGUvcnNzP2lkPTIwMTIwNTI%3D

https://technet.microsoft.com/en-us/library/cc770432.aspx

http://security-musings.blogspot.com/2013/03/building-secure-dns-infrastructure.html

http://tldp.org/HOWTO/DNS-HOWTO-6.html

https://en.wikipedia.org/wiki/Domain_Name_System

https://en.wikipedia.org/wiki/DNS_spoofing

http://www.esecurityplanet.com/network-security/how-to-prevent-dns-attacks.html

http://www.firewall.cx/networking-topics/protocols/domain-name-system-dns/161-protocols-dns-response.html

http://www.thegeekstuff.com/2012/05/ettercap-tutorial/

https://isc.sans.edu/forums/diary/New+tricks+that+may+bring+DNS+spoofing+back+or+Why+you+should+enable+DNSSEC+even+if+it+is+a+pain+to+do/16859/

https://support.google.com/a/answer/48090?hl=en

http://www.ecsl.cs.sunysb.edu/tr/TR187.pdf

https://tools.ietf.org/html/rfc882

https://tools.ietf.org/html/rfc883

https://tools.ietf.org/html/rfc1034

https://tools.ietf.org/html/rfc1035

 

2016-009-Brian Engle, Information Sharing, and R-CISC

Feb 29, 2016 01:05:57

Description:

We've reached peak "Br[i|y]an" this week when we invited our friend Brian Engle on to discuss what his organization does. Brian is the Executive Director of the Retail Cyber Intelligence Sharing Center. 

"Created by retailers in response to the increased number and sophistication of attacks against the industry, the R-CISC provides another tool in retailers’ arsenal against cyber criminals by sharing leading practices and threat intelligence in a safe and secure way." -- R-CISC website

To learn more, visit https://r-cisc.org/  

We discussed with Brian a bit of the history of the #R-CISC, and why his organization was brought into being. We ask Brian "How do you get companies who make billions of dollars a year to trust another competitor enough to share that they might have been compromised?" "And how do you keep the information sharing generic enough to not out a competitor by name, but still be actionable enough to spur members to do something to protect themselves?"

Other links:

Veris framework Mr. Boettcher mentions: http://veriscommunity.net/

TAXII protocol: https://taxiiproject.github.io/

STIX https://stixproject.github.io/

https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari

https://www.paloaltonetworks.com/company/press/2015/palo-alto-networks-joins-the-retail-cyber-intelligence-sharing-center-in-newly-launched-associate-member-program.html

http://www.darkreading.com/cloud/r-cisc-the-retail-cyber-intelligence-sharing-center-signs-strategic-agreement-with-fs-isac-to-leverage-services-and-technologies-for-growth/d/d-id/1320363

 

 

Comments, Questions, Feedback: bds.podcast@gmail.com

 

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-009-brian_engle_rcisc_information_sharing.mp3

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

iTunes: https://itunes.apple.com/us/podcast/2016-009-brian-engle-information/id799131292?i=364002695&mt=2

#actionable, #brian, #engle, #cissp, #cpes, #data, #financial, #infections, #isac, #malware, #podcast, #rcisc, #retail, #security, #infosec, #threat #intelligence

 

Photo of Brian Engle courtesy of https://r-cisc.org

 

**I (Bryan) apologize for the audio. I did what I could to clean it up. Seriously don't know what happened to screw it up that badly. I can only imagine it was bandwidth issues on my Skype connection**

2016-008-Mainframe Security

Feb 22, 2016 01:47:02

Description:

This week's super-sized episode is brought to us thanks to previous guest Cheryl Biswas. You might remember her from our "Shadow IT" (http:/brakeingsecurity.com/2015-048-the-rise-of-the-shadow-it) podcast a few months ago. She reached out to us to see if we were interested in doing a podcast on mainframe security with her and a couple of gentlemen that were not unknown to us.

Of course we jumped at the chance! You might know them as @mainframed767 and @bigendiansmalls (Chad) on Twitter. They've been trying to get people to be looking into mainframes and mainframe security for years. Mainframes are usually used by financial organizations, or older organizations. In many cases, these systems are managed by a handful of people, and you will have little or no help if you are a red teamer or pentester to make sure these systems are as secured as they possibly can.

So, Cheryl (@3ncr1pt3d), @bigendiansmalls, and @mainframed767 (Philip) walk us through how a mainframe functions. We discuss what you might see when a scan occurs, that if runs a mainframe OS, and a Linux 'interface' OS.

We also discuss methods you can use to protect your organization, and methods you can use as a redteamer to learn more about mainframes.

Chad's talk at DerbyCon 2015: https://www.youtube.com/watch?v=b5AG59Y1_EY

Chad discussing mainframe Security on Hak5: https://www.youtube.com/watch?v=YBhsWvlqLPo

Linux for mainframes: http://www-03.ibm.com/systems/linuxone/

Philip's talks on Youtube: https://www.youtube.com/playlist?list=PLBVy6TfEpKmEL56fb5AnZCM8pXXFfJS0n

 

Brian and I wish to thank Cheryl for all her help in making this happen. You can find her blog over at Alienvault's site... https://www.alienvault.com/blogs/author/cheryl-biswas

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Tumblr: http://brakeingdownsecurity.tumblr.com/

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast

 

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-008-mainframe_secruity.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-008-mainframe-security/id799131292?i=363392103&mt=2

 

2016-007-FingerprinTLS profiling application with Lee Brotherston

Feb 14, 2016 01:11:07

Description:

We first heard about FingerprinTLS from our friend Lee Brotherston at DerbyCon last September. Very intrigued by how he was able to fingerprint client applications being used, we finally were able to get him on to discuss this. 

We do a bit of history about #TLS, and the versions from 1.0 to 1.2

Lee gives us some examples on how FingerprintTLS might be used by red teamers or pentest agents to see what applications a client has on their system, or if you're a blue team that has specific application limitations, you can find out if someone has installed an unauthorized product, or you could even block unknown applications using this method by sensing the application and then creating an IPS rule from the fingerprint.

Finally, something a bit special... we have a demo on our Youtube site that you can view his application in action! 

Video demo: https://youtu.be/im6un0cB3Ns

 

 

https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie-Hellman_Key_Exchange.svg/2000px-Diffie-Hellman_Key_Exchange.svg.png

http://blog.squarelemon.com/tls-fingerprinting/

https://github.com/LeeBrotherston/tls-fingerprinting

http://www.slideshare.net/LeeBrotherston/tls-fingerprinting-sectorca-edition

https://www.youtube.com/watch?v=XX0FRAy2Mec

http://2015.video.sector.ca/video/144175700

Cisco blog on malware using TLS... http://blogs.cisco.com/security/malwares-use-of-tls-and-encryption

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Tumblr: http://brakeingdownsecurity.tumblr.com/

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast

iTunes: https://itunes.apple.com/us/podcast/2016-007-fingerprintls-profiling/id799131292?i=362885277&mt=2

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-007-FingerprinTLS_with_Lee_Brotherston.mp3

2016-006-Moxie_vs_Mechanism-Dependence_On_Tools

Feb 8, 2016 54:06

Description:

This week starts with an apology to Michael Gough about comments I (Bryan) mangled on the "Anti-Virus... What is it good for?" podcast. Then we get into the meat of our topic... a person's "Moxie" vs. a mechanism

Moxie: noun 

 "force of character, determination, or nerve."

 

Automation is a great thing. It allows us to do a lot more work with less personnel, run mundane tasks without having to think about them, and even allow us to do security scans on web applications and assets in your enterprise.

But is our dependence on these tools making us lazy, or giving us a false sense of security? What is the 'happy medium' that we should find when deciding to spend the GDP of a small country for the latest compliance busting tool, or spend the necessary Operational Expenditure (OpEx) for a couple of junior personnel or a seasoned professional.

Mr. Boettcher and I discuss over-reliance, blindly trusting results, and what can happen when you have too much automation, and not enough people around to manage those tools.

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Tumblr: http://brakeingdownsecurity.tumblr.com/

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-006-Moxie_vs_Mechanism-dependence_on_tools.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-006-moxie-vs-mechanism/id799131292?i=362373544&mt=2

Brakeing Down Security interviewed on "Building a Life and Career in Security" podcast!

Feb 4, 2016

Description:

After we interviewed Jay Schulman on our podcast, Mr. Boettcher and I did his podcast!  Listen to both of us share our bios and learn how Mr. Boettcher and I met, and how our unorthodox ways of getting into information security can show that anyone can move into that space...

https://www.jayschulman.com/episode15/

 

Jay has conducted other interviews with some great people, and he creates some great blog posts. Please check out his site at https://www.jayschulman.com

You can also hear our discuss BSIMM and learn a bit more about Jay from our podcast as well...

http://brakeingsecurity.com/2016-001-jay-schulmann-explains-bsimm-usage-in-the-sdlc

2016-005-Dropbox Chief of Trust and Security Patrick Heim!

Jan 30, 2016 46:38

Description:

Brakeing Down Security had the pleasure of having Patrick Heim join us to discuss a number of topics.

We discussed a number of topics:

Cloud migrations

What stops many traditional #companies from moving into #cloud based operations? What hurdles do they face, and what are some pitfalls that can hamper a successful #migration?

We touched briefly on #BYOD and the use of personal devices in a business environment, as well as #Dropbox's deployment of optional #2FA and using #U2F keys for additional #authentication measures.

Finally, as an established leader in several major #companies, we pick Mr. #Heim's brain about qualities of a leader. Can you self-diagnose if you'll be a good manager? And what does Mr. Heim look for when hiring qualified candidates.

It was a pleasure having Mr. Patrick Heim on and Brakeing Down #Security thanks him for his valuable time.

Some #articles we drew upon for questions to ask Mr. Heim:

http://blogs.wsj.com/cio/2015/05/01/dropbox-is-not-part-of-security-problem-says-new-security-chief/

http://www.itpro.co.uk/cloud-storage/24894/dropbox-users-may-get-free-storage-if-they-adopt-stronger-security

http://www.computerworld.com/article/2489977/security0/boost-your-security-training-with-gamification-really.html

http://www.computerworlduk.com/news/cloud-computing/dropbox-working-on-fido-keys-ensure-top-notch-security-3618267/

http://www.darkreading.com/operations/building-a-winning-security-team-from-the-top-down/a/d-id/1322734

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Tumblr: http://brakeingdownsecurity.tumblr.com/

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast

#iTunes: https://itunes.apple.com/us/podcast/2016-005-dropbox-chief-trust/id799131292?i=361604379&mt=2

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-005-Dropbox_Chief_of_Security_and_Trust_Patrick_Heim.mp3

Partick Heim image courtesy of darkreading.com

2016-004-Bill_Gardner

Jan 24, 2016 01:19:06

Description:

BrakeSec Podcast welcomes Bill Gardner this week! Author, InfoSec Convention Speaker, and fellow podcaster...

We break a bit from our usual rigid methods, and have a good ol' jam session with Bill this week. We talk about vulnerability management, career management, the troubles of putting together a podcast and more!

 

Bill's Twitter: https://www.twitter.com/oncee

Bill's books he's authored or co-authored: http://www.amazon