July 31, 2020
Brad Spengler from Grsecurity discusses advances in the Linux kernel in the last 10 years, including some of the background on how changes get added to the kernel.
July 24, 2020
Full show notes at https://www.brakeingsecurity.com
Supply chain issues
What should companies do when they don’t know what’s in their own tech stack?
Vendor contact
Are some devices and systems more vulnerable than others?
What does the initial email look like when you tell a company “you’re vulnerable to X”?
How did you tailor your initial response when you learned of the position of the person?
Was it worth the effort coordinating with Treck?
July 16, 2020
Agenda:
RIPPLE 20 report background
How did JSOF approach Treck?
Supply chain security tools used to analyze the TCP/IP stack
Discussion of reasons for custom TCP/IP stacks
OEM reaction
Why supply chain security matters
NIST guidelines on supply chain security
https://www.brakeingsecurity.com
July 8, 2020
WISP.org
PSA from Rachel Tobac on the #ShareTheMicInCyber initiative
F5 BIG-IP vulnerability
Redux of PAN-OS SAML vuln
CVSS scoring blunders
Advice on a problem in a Tweet
And more!
June 29, 2020
0. Update on Palo Alto vulnerability mentioned later in the show
1. How was Mr. Boettcher's vacation?
2. Thank you to Marcus Carey for his leadership and friendship
3. Discussion of the recent Cognizant breach of employee data
4. Maze ransomware discussion
5. Palo Alto PAN-OS vulnerability (CVE-2020-2021)
6. SAML auth discussion
7. End of show
Full show notes at www.brakeingsecurity.com. Search for show "2020-025"
June 24, 2020
Ms. Berlin's oldest heads off to the Marines!
Ripple 20 report discussed major vulns in #IoT #security TCP/IP stacks
Bad actors are using CAPTCHAs to evade analysis
Much more!
June 17, 2020
James discusses how companies need to adopt a 'zero trust' model going forward, and how you measure the effectiveness of your training and controls to ensure that you get the most out of your company's technology.
June 10, 2020
Andrew Shikiar, executive director and CMO of the FIDO (Fast IDentity Online) Alliance.
What is FIDO? “open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords.”
Did any one event precipitate creation of the FIDO Alliance?
UAF = https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html
U2F = https://en.wikipedia.org/wiki/Universal_2nd_Factor (YubiKeys, tokens)
https://landing.google.com/advancedprotection/
FIDO supports biometrics - https://www.biometricupdate.com/202002/how-fido-based-biometric-technology-clears-up-the-iot-authentication-mess
FIDO certified software and companies: https://fidoalliance.org/fido-certified-showcase/
IBM: https://www.ibm.com/blogs/sweeden/fido2-conformance-why-its-a-big-deal/
--
Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework
NIST guidelines that FIDO meets: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
https://fidoalliance.org/certification/authenticator-certification-levels/
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/content/case-study/
https://loginwithfido.com/provider/
From a threat modeling perspective, how does ‘2FA’ occur when the authenticating method and the browser are on the same device?
Consumer education initiative: https://loginwithfido.com/
IoT Devices - https://fidoalliance.org/internet-of-things/
https://blog.techdesign.com/fido-authentication-to-secure-iot-devices/
For Developers: https://fidoalliance.org/developers/ or https://webauthn.io/ - dev information about WebAuthn
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/events/ - upcoming webinars for FIDO related topics
NTT DOCOMO introduces passwordless authentication for d ACCOUNT
https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev
June 1, 2020
Derek Rook and our team discuss red team methodology, how it differs from CTF and OSCP methodologies, and what red teams can do to make the whole process better for MSSPs, SOCs, and blue team members.
May 27, 2020
Andrew Shikiar, executive director and CMO of the FIDO (Fast IDentity Online) Alliance.
What is FIDO? “open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords.”
Did any one event precipitate creation of the FIDO Alliance?
UAF = https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html
U2F = https://en.wikipedia.org/wiki/Universal_2nd_Factor (YubiKeys, tokens)
https://landing.google.com/advancedprotection/
FIDO supports biometrics - https://www.biometricupdate.com/202002/how-fido-based-biometric-technology-clears-up-the-iot-authentication-mess
FIDO certified software and companies: https://fidoalliance.org/fido-certified-showcase/
IBM: https://www.ibm.com/blogs/sweeden/fido2-conformance-why-its-a-big-deal/
--
Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework
NIST guidelines that FIDO meets: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
https://fidoalliance.org/certification/authenticator-certification-levels/
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/content/case-study/
https://loginwithfido.com/provider/
From a threat modeling perspective, how does ‘2FA’ occur when the authenticating method and the browser are on the same device?
Consumer education initiative: https://loginwithfido.com/
IoT Devices - https://fidoalliance.org/internet-of-things/
https://blog.techdesign.com/fido-authentication-to-secure-iot-devices/
For Developers: https://fidoalliance.org/developers/ or https://webauthn.io/ - dev information about WebAuthn
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/events/ - upcoming webinars for FIDO related topics
NTT DOCOMO introduces passwordless authentication for d ACCOUNT
https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://pandora.app.link/p9AvwdTpT3
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
May 20, 2020
Masha Sedova - Founder, Elevate Security

Topic ideas from the PR company:
Inability to measure human security behaviors leads to increased risk in our computing environments. For too long, we’ve accepted training completion and mock phishing data as a sufficient way to measure this risk. But where do the vulnerabilities and strengths truly lie? The secret is, security teams have installed tons of security tooling that can give insights into how our employees are behaving. But we just leave this data on the cutting room floor. Masha Sedova can talk about where to find this goldmine of data and what security teams can do to leverage this newfound knowledge.
Technology like vuln scanners or something more?
Study after study shows that the reason why people don’t do things is not always because they don’t understand, it’s because they are not motivated. Motivating employees to change their cybersecurity behavior can seem like an overwhelming task, but there are simple behavioral science techniques cybersecurity professionals can leverage to motivate employees to do the right thing. Masha Sedova will discuss the power of integrating elements of behavioral science into security in order to influence positive behavior.

Motivation Theory (Deming): https://en.wikipedia.org/wiki/W._Edwards_Deming#Key_principles
X&Y: https://en.wikipedia.org/wiki/Theory_X_and_Theory_Y
Ouchi Z theory: https://en.wikipedia.org/wiki/Theory_Z_of_Ouchi
http://www.yourarticlelibrary.com/motivation/motivation-theories-top-8-theories-of-motivation-explained/35377

Masha’s suggested topics:
Why do security teams have difficulty in understanding their human risk today? What are the blockers?
What should security teams be measuring to get a holistic view of human risk?
What's the difference between security culture, security behavior change, and security awareness?
Is security culture a core capability in security defense? Why or why not?

Quantifying risk…
Is investing in human training a waste of time?
Phishing - mock phish or real phishing
Pull data to see who is clicking on links
Send an ‘intervention’
Gotta move away from training
The ‘security team’ will save them…
https://www.ncsc.gov.uk/guidance/phishing

Books:
https://www.amazon.com/Nudge-Improving-Decisions-Health-Happiness/dp/014311526X
https://www.amazon.com/Drive-Surprising-Truth-About-Motivates/dp/1594484805/ref=sr_1_1?crid=2QQ59YRRU89YX&dchild=1&keywords=drive+daniel+pink&qid=1588733551&s=books&sprefix=drive%2Cstripbooks%2C240&sr=1-1
Reality Is Broken: https://www.amazon.com/Reality-Broken-Games-Better-Change/dp/0143120611
People-Centric Security: https://www.amazon.com/People-Centric-Security-Transforming-Enterprise-Culture/dp/0071846778/ref=sr_1_1?dchild=1&keywords=people+centric+security&qid=1588733580&s=books&sr=1-1
Deep Thought: a cybersecurity novella: https://www.ideas42.org/blog/project/human-behavior-cybersecurity/deep-thought-a-cybersecurity-story/
https://elevatesecurity.com/
@modmasha
May 13, 2020
Masha Sedova - Founder, Elevate Security

Inability to measure human security behaviors leads to increased risk in our computing environments. For too long, we’ve accepted training completion and mock phishing data as a sufficient way to measure this risk. But where do the vulnerabilities and strengths truly lie? The secret is, security teams have installed tons of security tooling that can give insights into how our employees are behaving. But we just leave this data on the cutting room floor. Masha Sedova can talk about where to find this goldmine of data and what security teams can do to leverage this newfound knowledge.
Study after study shows that the reason why people don’t do things is not always because they don’t understand, it’s because they are not motivated. Motivating employees to change their cybersecurity behavior can seem like an overwhelming task, but there are simple behavioral science techniques cybersecurity professionals can leverage to motivate employees to do the right thing. Masha Sedova will discuss the power of integrating elements of behavioral science into security in order to influence positive behavior.

Motivation Theory (Deming): https://en.wikipedia.org/wiki/W._Edwards_Deming#Key_principles
X&Y: https://en.wikipedia.org/wiki/Theory_X_and_Theory_Y
Ouchi Z theory: https://en.wikipedia.org/wiki/Theory_Z_of_Ouchi
http://www.yourarticlelibrary.com/motivation/motivation-theories-top-8-theories-of-motivation-explained/35377

Why do security teams have difficulty in understanding their human risk today? What are the blockers?
What should security teams be measuring to get a holistic view of human risk?
What's the difference between security culture, security behavior change, and security awareness?
Is security culture a core capability in security defense? Why or why not?

Quantifying risk…
Is investing in human training a waste of time?
Phishing - mock phish or real phishing
Pull data to see who is clicking on links
Send an ‘intervention’
Gotta move away from training
The ‘security team’ will save them…
https://www.ncsc.gov.uk/guidance/phishing

Books:
https://www.amazon.com/Nudge-Improving-Decisions-Health-Happiness/dp/014311526X
https://www.amazon.com/Drive-Surprising-Truth-About-Motivates/dp/1594484805/ref=sr_1_1?crid=2QQ59YRRU89YX&dchild=1&keywords=drive+daniel+pink&qid=1588733551&s=books&sprefix=drive%2Cstripbooks%2C240&sr=1-1
Reality Is Broken: https://www.amazon.com/Reality-Broken-Games-Better-Change/dp/0143120611
People-Centric Security: https://www.amazon.com/People-Centric-Security-Transforming-Enterprise-Culture/dp/0071846778/ref=sr_1_1?dchild=1&keywords=people+centric+security&qid=1588733580&s=books&sr=1-1
Deep Thought: a cybersecurity novella: https://www.ideas42.org/blog/project/human-behavior-cybersecurity/deep-thought-a-cybersecurity-story/
https://elevatesecurity.com/
@modmasha
May 5, 2020
Cameron Smith @Secnomancer
Layer8conference is virtual (https://layer8conference.com/layer-8-is-online-this-year/)
https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
CMMC: https://info.summit7systems.com/blog/cmmc
https://www.comptia.org/certifications/project - Project+
Cameron Smith = www.twitter.com/secnomancer
Cybersmith.com - Up by 14 April
Ask@thecybersmith.com
Cameron@thecybersmith.com
https://en.wikipedia.org/wiki/Christopher_Voss
https://www.amazon.com/Never-Split-Difference-Negotiating-Depended/dp/0062407805
https://www.masterclass.com/classes/chris-voss-teaches-the-art-of-negotiation
https://www.masterclass.com/
https://www.autopsy.com/support/training/covid-19-free-autopsy-training/
https://www.youtube.com/playlist?list=PLg_QXA4bGHpvsW-qeoi3_yhiZg8zBzNwQ
“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.” ― Ernest Hemingway
https://www.goodreads.com/quotes/76281-there-is-nothing-noble-in-being-superior-to-your-fellow

Original B-Sides Talk Blurb
SITREP: A Consultant's Perspective from the Trenches of InfoSec
In this session you will hear war stories and lessons learned consulting for hundreds of clients across dozens of verticals at every level, from bootstrapped startups with garage beginnings to Fortune 50 companies and everything in between. We will cover life on the front lines in InfoSec, ranging from individual contributions and staying relevant in a rapidly evolving field all the way to how bad most orgs are at InfoSec and what we can do as practitioners to help make them better.

Speaking Goal
After my presentation is over, I want my audience to...
  Feel better about where they are as an infosec practitioner
  Understand that most of Cybersecurity is largely NOT about the latest hack or technique
  Failing is OK as long as you learn from it
...so that...
  When they go back to their office / SOC / client engagements on Monday they focus on the things that matter to their organizations
  Hopefully feel a little bit less that the work they are doing is boring, exhausting, unappreciated, or hopeless

Intro
Security is a really crazy industry
  Like the wild west out here
  Constant threats
  Complacent or ignorant clients/dependents
  Resource and budget constraints
Security is really complex
  There are SO. MANY. MOVING. PIECES.
  There is a never ending stream of new information to learn and new threats to face
Security always involves at LEAST 4 parts
  The practitioner - Hopefully you have backup!
  What you're protecting - Employer, Client, System, Application, Data, SOMETHING, etc
  What you're protecting it from - External TAs, Internal TAs, Incompetence, Apathy, Plain Ol' Vanilla Constraints, etc
  What you have to protect it with - Budgets, Time, Personnel, Training, Relationships, etc
Cybersecurity/Information Security is simultaneously an old and new/emergent discipline

Cyber History
Old
  Nevil Maskelyne / Guglielmo Marconi wireless telegraphy attack and Morse code insults - 1903
  Phreaking in the 1960s
  ARPANET Creeper - 1971
  Morris Worm - 1988
New
  Gartner coined the term SOAR in 2017
    Yeah... It's barely 3 years old. Now you can literally find job openings with SOAR Engineering titles
  DevSecOps - Amazon presentation in 2015? Not even in grade school yet.
  Average enterprise is running 75 security tools in their environment (Cybersecurity Almanac 2019)
  Most cybersecurity professionals over 30 do not have degrees in cybersecurity
    Many don't even have Computer Science or IT related degrees
    This is its own problem
    Training cyber pros, Chris Sanders, cognitive crisis, etc. BDS ep 2019-021 and 2019-022
Emergent disciplines are challenging by default
  You chose to play the game on hard mode for your first play through
Security really isn't as complicated as most people think
  Occult Phenomenon
    Things we don't understand we imagine to be far more complex
    Things we anticipate we imagine to be far worse than they are
  Grass isn't greener
    Most security departments aren't doing better than you are
    Maturity models aren't magic

Establish Credibility
I have been in A LOT of client environments in the last 12 years
  Last time I checked, I have more than 350 discrete client engagements under my belt
  I have worked with hundreds of internal, external, and hybrid IT and Security solutions
  I've met the same tired and beleaguered IT/Security personnel over and over again
  SSDD, very little actually changes from place to place
In that time, I've learned quite a bit about what makes security work
  I've learned even more about what NOT to do
I want to share some of that with you today so you can see how organizations of all shapes and sizes can fail

Very Large Company Examples
Big Four Bank Example
  Situation
    Four Local Branches in Midwest
    Physical Security Assessment
    How he got onto site as cash machine servicer was incredibly easy
  Problem
    Absolute trust of vendors/vendor compromise
  How do we as security practitioners fix it?
    Good internal relationships with functional area leaders
    Work closely with functional areas to left and to the right
      Who? Operations? HR? Purchasing? Every functional area and specifically the leadership
    Improved communications and availability
    8 and Up
    'Gotta git gud' at the soft stuff
Top 50 Chain Restaurant Example
  Situation
    Doing Chip Reader refreshes across all ~600 locations for PCI Compliance during 2017 window
  Problem
    Poor project management on behalf of security team led to project failure
    A security problem became an IT problem
    Contractor to subcontractor to subcontractor added time and complexity
  How do we as security practitioners fix it?
    Security managers need to be aware of how their projects impact others
    Managing up
    Security needs to be interdisciplinary

Government Examples
Police Department Example
  Situation
    City Administrator got Spear Phished
  Problem
    Spear phishing
    Poor logging
  How do we as security practitioners fix it?
    Look for the most basic problems and try to fix them
    Find or create solutions that provide basic capabilities
    Cannot prevent the lowest hanging fruit directly, so impact what you can change
    What you can actually do about phishing
    Getting people to do something that you want them to do
Defense SubContractor Example
  Situation
    Working with MSP on security issues
    “Do we have a SIEM” email?
  Problem
    Company executives have never done due diligence
    Assumed that MSP had it under control
    MSP just did what they normally do and within letter of their contract
  How do we as security practitioners fix it?
    Security needs to be proactive

Small Company Examples
Light Manufacturer Example
  Situation
    Server not working, Ransomware
    Attackers pivoted through third party accountant access
  Problem
    Single Point of Failure (SPOF)
    Vendor Compromise
  How do we as security practitioners solve it?
    IT problems become security problems on a long enough timeline
    Need to provide actual solutions to business problems
    Security CANNOT be decoupled from business needs
Telecommunications Provider
  Situation
    Employee reports CEO was hacked
  Problem
    Employee panicked, emailed everyone
    Escalated way beyond what was necessary
  How do we as security practitioners solve it?
    Employee education - Boring answer
    What's actually under our control here?
    Clear processes for security incidents
    Clear communications channels for employees with IT and security groups
    Knowledge management
Local NGO Example
  Situation
    Meeting with Executive Director regarding server failure
  Problem
    Mentions that she was sent security guidelines from global parent org
    Got so overwhelmed reading it she just closed it and kept working on something else
  How do we as security practitioners solve it?
    We have to make this information digestible and accessible
    We do NOT need to make already dense subject matter even more inaccessible
    When you cannot mandate compliance, how do you achieve compliance?
    More flies with honey than vinegar
    Build relationships - Layer 8 strikes again
April 29, 2020
Cameron Smith @Secnomancer
Layer8conference is virtual (https://layer8conference.com/layer-8-is-online-this-year/)
https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
CMMC: https://info.summit7systems.com/blog/cmmc
https://www.comptia.org/certifications/project - Project+
Cameron Smith = www.twitter.com/secnomancer
Cybersmith.com - Up by 14 April
Ask@thecybersmith.com
Cameron@thecybersmith.com
https://en.wikipedia.org/wiki/Christopher_Voss
https://www.amazon.com/Never-Split-Difference-Negotiating-Depended/dp/0062407805
https://www.masterclass.com/classes/chris-voss-teaches-the-art-of-negotiation
https://www.masterclass.com/
https://www.autopsy.com/support/training/covid-19-free-autopsy-training/
https://www.youtube.com/playlist?list=PLg_QXA4bGHpvsW-qeoi3_yhiZg8zBzNwQ
“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.” ― Ernest Hemingway
https://www.goodreads.com/quotes/76281-there-is-nothing-noble-in-being-superior-to-your-fellow

Original B-Sides Talk Blurb
SITREP: A Consultant's Perspective from the Trenches of InfoSec
In this session you will hear war stories and lessons learned consulting for hundreds of clients across dozens of verticals at every level, from bootstrapped startups with garage beginnings to Fortune 50 companies and everything in between. We will cover life on the front lines in InfoSec, ranging from individual contributions and staying relevant in a rapidly evolving field all the way to how bad most orgs are at InfoSec and what we can do as practitioners to help make them better.

Speaking Goal
After my presentation is over, I want my audience to...
  Feel better about where they are as an infosec practitioner
  Understand that most of Cybersecurity is largely NOT about the latest hack or technique
  Failing is OK as long as you learn from it
...so that...
  When they go back to their office / SOC / client engagements on Monday they focus on the things that matter to their organizations
  Hopefully feel a little bit less that the work they are doing is boring, exhausting, unappreciated, or hopeless

Intro
Security is a really crazy industry
  Like the wild west out here
  Constant threats
  Complacent or ignorant clients/dependents
  Resource and budget constraints
Security is really complex
  There are SO. MANY. MOVING. PIECES.
  There is a never ending stream of new information to learn and new threats to face
Security always involves at LEAST 4 parts
  The practitioner - Hopefully you have backup!
  What you're protecting - Employer, Client, System, Application, Data, SOMETHING, etc
  What you're protecting it from - External TAs, Internal TAs, Incompetence, Apathy, Plain Ol' Vanilla Constraints, etc
  What you have to protect it with - Budgets, Time, Personnel, Training, Relationships, etc
Cybersecurity/Information Security is simultaneously an old and new/emergent discipline

Cyber History
Old
  Nevil Maskelyne / Guglielmo Marconi wireless telegraphy attack and Morse code insults - 1903
  Phreaking in the 1960s
  ARPANET Creeper - 1971
  Morris Worm - 1988
New
  Gartner coined the term SOAR in 2017
    Yeah... It's barely 3 years old. Now you can literally find job openings with SOAR Engineering titles
  DevSecOps - Amazon presentation in 2015? Not even in grade school yet.
  Average enterprise is running 75 security tools in their environment (Cybersecurity Almanac 2019)
  Most cybersecurity professionals over 30 do not have degrees in cybersecurity
    Many don't even have Computer Science or IT related degrees
    This is its own problem
    Training cyber pros, Chris Sanders, cognitive crisis, etc. BDS ep 2019-021 and 2019-022
Emergent disciplines are challenging by default
  You chose to play the game on hard mode for your first play through
Security really isn't as complicated as most people think
  Occult Phenomenon
    Things we don't understand we imagine to be far more complex
    Things we anticipate we imagine to be far worse than they are
  Grass isn't greener
    Most security departments aren't doing better than you are
    Maturity models aren't magic

Establish Credibility
I have been in A LOT of client environments in the last 12 years
  Last time I checked, I have more than 350 discrete client engagements under my belt
  I have worked with hundreds of internal, external, and hybrid IT and Security solutions
  I've met the same tired and beleaguered IT/Security personnel over and over again
  SSDD, very little actually changes from place to place
In that time, I've learned quite a bit about what makes security work
  I've learned even more about what NOT to do
I want to share some of that with you today so you can see how organizations of all shapes and sizes can fail

Very Large Company Examples
Big Four Bank Example
  Situation
    Four Local Branches in Midwest
    Physical Security Assessment
    How he got onto site as cash machine servicer was incredibly easy
  Problem
    Absolute trust of vendors/vendor compromise
  How do we as security practitioners fix it?
    Good internal relationships with functional area leaders
    Work closely with functional areas to left and to the right
      Who? Operations? HR? Purchasing? Every functional area and specifically the leadership
    Improved communications and availability
    8 and Up
    'Gotta git gud' at the soft stuff
Top 50 Chain Restaurant Example
  Situation
    Doing Chip Reader refreshes across all ~600 locations for PCI Compliance during 2017 window
  Problem
    Poor project management on behalf of security team led to project failure
    A security problem became an IT problem
    Contractor to subcontractor to subcontractor added time and complexity
  How do we as security practitioners fix it?
    Security managers need to be aware of how their projects impact others
    Managing up
    Security needs to be interdisciplinary

Government Examples
Police Department Example
  Situation
    City Administrator got Spear Phished
  Problem
    Spear phishing
    Poor logging
  How do we as security practitioners fix it?
    Look for the most basic problems and try to fix them
    Find or create solutions that provide basic capabilities
    Cannot prevent the lowest hanging fruit directly, so impact what you can change
    What you can actually do about phishing
    Getting people to do something that you want them to do
Defense SubContractor Example
  Situation
    Working with MSP on security issues
    “Do we have a SIEM” email?
  Problem
    Company executives have never done due diligence
    Assumed that MSP had it under control
    MSP just did what they normally do and within letter of their contract
  How do we as security practitioners fix it?
    Security needs to be proactive

Small Company Examples
Light Manufacturer Example
  Situation
    Server not working, Ransomware
    Attackers pivoted through third party accountant access
  Problem
    Single Point of Failure (SPOF)
    Vendor Compromise
  How do we as security practitioners solve it?
    IT problems become security problems on a long enough timeline
    Need to provide actual solutions to business problems
    Security CANNOT be decoupled from business needs
Telecommunications Provider
  Situation
    Employee reports CEO was hacked
  Problem
    Employee panicked, emailed everyone
    Escalated way beyond what was necessary
  How do we as security practitioners solve it?
    Employee education - Boring answer
    What's actually under our control here?
    Clear processes for security incidents
    Clear communications channels for employees with IT and security groups
    Knowledge management
Local NGO Example
  Situation
    Meeting with Executive Director regarding server failure
  Problem
    Mentions that she was sent security guidelines from global parent org
    Got so overwhelmed reading it she just closed it and kept working on something else
  How do we as security practitioners solve it?
    We have to make this information digestible and accessible
    We do NOT need to make already dense subject matter even more inaccessible
    When you cannot mandate compliance, how do you achieve compliance?
    More flies with honey than vinegar
    Build relationships - Layer 8 strikes again
April 21, 2020
GitHub Actions - https://github.com/features/actions
  How are these written? It looks like a marketplace format?
  How do they maintain code quality?
  What does it take to set up the actions?
  It looks like IFTTT for DevOps?
  What kind of integrations does it allow for? Will it handle logins or API calls for you?
  Is it moderated in some way? What's the acceptance criteria for these?
  What are you trying to accomplish by using GitHub Actions?
  What are the benefits of using these over XX product? What is gained by using this?

Mention Twitch channel and when (join the mailing list): GitHub Actions on Twitch.tv/shehackspurple

Coaching, Project Management, Scrum Management

Alice and Bob Learn Application Security - Wiley - Fall/Winter 2020

Links:
  https://shehackspurple.dev
  https://mailchi.mp/e2ab45528831/shehackspurple
  https://twitter.com/shehackspurple
  https://dev.to/shehackspurple
  https://medium.com/@shehackspurple
  https://www.youtube.com/shehackspurple
  https://www.twitch.tv/shehackspurple
  https://www.linkedin.com/in/tanya-janca
  https://github.com/shehackspurple/
April 14, 2020
Tanya's AppSec Course
  https://www.shehackspurple.dev/server-side-request-forgery-ssrf-defenses
  https://www.shehackspurple.dev

Server-side request forgery - https://portswigger.net/web-security/ssrf
  What are the differences between stored XSS and SSRF? Does this require a MITM type of issue? Doesn't stored XSS get stored on the server?
  What conditions must exist for SSRF to be possible?
  What mitigations need to be in place for SSRF? CORS? CSP?
  Would a WAF or mod_security be effective?
  Can it be completely mitigated or are there still ways around it?

Part 2 - next week

GitHub Actions - https://github.com/features/actions
  How are these written? It looks like a marketplace format?
  How do they maintain code quality?
  What does it take to set up the actions?
  It looks like IFTTT for DevOps?
  What kind of integrations does it allow for? Will it handle logins or API calls for you?
  Is it moderated in some way? What's the acceptance criteria for these?
  What are you trying to accomplish by using GitHub Actions?
  What are the benefits of using these over XX product? What is gained by using this?

Mention Twitch channel and when (join the mailing list): GitHub Actions on Twitch.tv/shehackspurple

Coaching, Project Management, Scrum Management

Alice and Bob Learn Application Security - Wiley - Fall/Winter 2020

Links:
  https://shehackspurple.dev
  https://mailchi.mp/e2ab45528831/shehackspurple
  https://twitter.com/shehackspurple
  https://dev.to/shehackspurple
  https://medium.com/@shehackspurple
  https://www.youtube.com/shehackspurple
  https://www.twitch.tv/shehackspurple
  https://www.linkedin.com/in/tanya-janca
  https://github.com/shehackspurple/

Tanya Janca - https://SheHacksPurple.dev
April 7, 2020
April Mardock - CISO - Seattle Public Schools
Jared Folkins - IT Engineer - Bend La Pine Schools
Nathan McNulty - Information Security Architect - Beaverton School District

OpSecEdu - https://www.opsecedu.com/ (Slack)
https://www.a4l.org/default.aspx
https://clever.com/
BEC - https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)
https://www.k12cybersecurityconference.org/
https://acpenw.sched.com/

Bypassing security controls
  https://www.goguardian.com/blog/technology/how-students-bypass-school-web-filters-and-how-to-stop-them/
  https://community.spiceworks.com/topic/2077711-chromebook-google-docs-bypassing-filters
  https://www.mobicip.com/blog/here%E2%80%99s-how-kids-bypass-apple%E2%80%99s-parental-control-tools
  https://www.phantomts.com/2020/01/11/kids-can-bypass-communication-limit-feature-on-ios-13-3/
  https://www.ocregister.com/2009/02/17/students-accused-of-changing-grades-using-teachers-password/

Security persons at education institutions of varying sizes.
  https://www.darkreading.com/threat-intelligence/ransomware-crisis-in-us-schools-more-than-1000-hit-so-far-in-2019/d/d-id/1336634
  https://www.forbes.com/sites/leemathews/2019/09/25/yet-another-u-s-school-district-has-been-ravaged-by-malware/
  https://www.zdnet.com/article/texas-school-district-falls-for-scam-email-hands-over-2-3-million/

Why are schools soft targets? Is money/budget the reason schools get the raw deal here?
Why is ransomware such an appealing attack?
How complex is the school environment? Mobile, tablets, hostile users, hostile external forces
Adding technology too quickly? Outpacing the infrastructure in schools?
Just ideas for some questions. - Jared
Do you find vendors are very responsive in the education space when receiving a vulnerability report?
  https://www.edweek.org/ew/articles/2019/09/10/parent-who-criticized-his-sons-math-program.html
When students, who you are trying to educate, are found doing something inappropriate, how do districts handle it?
  https://ktvz.com/news/2017/11/08/mtn-view-hs-bomb-threat-traced-to-eugene-14-year-old/
What challenges do security people in education face when partnering with their user base?
Unlike a corporate setting, many educators and students need to install different software throughout the year; how is that handled?
How did April, Nathan, and Jared meet?
Has the technology stack in your various school systems changed much in the last 10 years? Have you moved to cloud based, or do you still have an IT shack at the school systems with physical machines?
  Local admins are not granted… (excellent!)
March 29, 2020
(Show notes identical to the April 7, 2020 episode above.)
March 25, 2020
https://twitter.com/AlyssaM_InfoSec/status/1159877471161839617?s=19
  "Looking forward to sharing my vision for ending the 60 year cycle of bad defense strategies in #infosec and my challenge to think about security in a more effective way. https://sched.co/TAqU @dianainitiative #DianaInitiative2019 #cdwsocial @CDWCorp"

1961 - MIT - CTSS - https://en.wikipedia.org/wiki/Compatible_Time-Sharing_System

Egg, coconut, brick (my example of security --brbr)
  Start with critical assets
  Layer outward, not perimeter in
  Medieval castles: create the keep, build out from that
  Active defenses
  Dover Castle - https://en.wikipedia.org/wiki/Dover_Castle#/media/File:1_dover_castle_aerial_panorama_2017.jpg
  Detection defenses - watchguards
  Mitigation defenses - moats - give time/space to respond (network segmentation)
  Active countermeasures - knights/archers/cannons

DeepFake technology
  Election year
  Spoke at RSA
  Business threat?
    "Outsider trading"
      "Video of Elon talking about problems - fake..."
      Stocks tank - short
    https://www.vice.com/en_us/article/ywyxex/deepfake-of-mark-zuckerberg-facebook-fake-video-policy
    Could it be done strategically to destabilize things?
    Extort business leaders - fake videos used to extort
  Still difficult to create
    What are the hurdles stopping it from being mainstream? Huge render farms?
  https://www.youtube.com/watch?v=18LN7VQM1aw - deepfake Sharon Stone / Steve Buscemi

Threat modeling in DevSecOps
  Agile env needs to be quick, fast, and
  Build it into user stories
  Shostack's method is a bit weighty
    How do we implement that in such a way to make dev want to do them?

Organizing virtual cons
  https://Allthetalks.online - April 15
    24 hour conference for charity
    Talks, followed by interactive channels, community generation
    Virtual Lobbycon
    Comedian
    CFP is open 01 April 2020
    Sticker swap!
  BSides Atlanta - 27-29 March - https://bsidesatl.org/ - All virtual this weekend!
  Infosec Oasis - https://Infosecoasis.com - 18 April

https://mashable.com/article/zoom-conference-call-work-from-home-privacy-concerns/
https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-server-automatic-removal-silent-update-webcam-vulnerability
March 19, 2020
Dave Kennedy (@hackingDave) - TrustedSec
  Released SEToolkit, Pentester Framework (PTF)
  PoC release for the "Shitrix" bug (was disclosed after the Google zero initiative India group)

Jeff Snover, Lee Holmes - PowerShell gods

Arguments against release
  Tools that are released are utilized by the 'bad guys'
  Tooling makes it more difficult to fingerprint who is who they say they are
  "Fuzzy Weasel vs. Psycho Toads"
  Makes the bad guys' job harder by making them have to create the PoC (presumably most bad actors are skids)

Arguments for release
  Tools allow for teaching Blue team, and SIEM/logging systems, to understand
  Learning how something was created, being able to break down the vulnerability
  https://www.bleepingcomputer.com/news/security/new-evasion-encyclopedia-shows-how-malware-detects-virtual-machines/

Show #2: DerbyCon - Tell us about it
  Dave Kennedy Center for Gaming and Leadership - https://twitter.com/hackingdave/status/1220150360779710464?lang=en

Offensive Security Tool release (PowerShell Empire 3.0)
  PowerShell Empire is re-released, using Python: https://twitter.com/BCSecurity1/status/1209126652300709888
  Initial tweet: https://twitter.com/taosecurity/status/1209132572128747520
    "We believe that Powershell and Empire framework will remain a major threat vector employed by APTs, malware authors, and Red Teams." SO WHY ARE YOU UPDATING IT? You are improving capabilities you explicitly say are *used by bad guys.* Scottie, beam me up from this bizarro world.
  Affirmations and evidence: https://twitter.com/taosecurity/status/1209287582439395330
    Nope. One example: Iranian APT "CopyKittens" uses Powershell Empire. Incidentally, I found this example via @MITREattack. https://clearskysec.com/tulip/
  https://twitter.com/michael_yip/status/1209151868036886528
    One can innovate without sharing with the adversary no? It's literally how the defense industry works or am I missing something?
  https://twitter.com/michael_yip/status/1209247219796398083
    ... "Are we really justifying lowering the R&D cost of the adversary is the only way to attract talent to the defensive side. Not to mention - no one is saying developing OST is wrong. It's the way they're being shared that's problematic"
  https://twitter.com/2sec4u/status/1209169724799623169?s=20
    The whole idea is that actors can't just git clone an advanced post exploitation framework which bypasses 95% of organisations' defences. It should cost actors time & money to bypass these defences but because red team keep releasing new stuff with bypasses... the cycle continues.

Comments in support of the initial argument
  https://twitter.com/IISResetMe/status/1209180945011621889?s=20
    I really _want_ to agree. ... but I also work in an org with million dollar budgets, a dozen full-time detection engineers and analysts and an army of devs and sysadmins, and even we are having a hard time keeping up - how does this arms race "help" non-F500 orgs?
    (later discussion does mention that he has a hard time seeing it as net negative) https://twitter.com/IISResetMe/status/1209183774182907904?s=20
  https://twitter.com/cnoanalysis/status/1209169633460150272?s=20
    "If we don't create the offensive tools then the bad guys will!" That is a terrible argument for OST release. "We might as well do something that harms because someone else will do that eventually anyway..." there are so many logical fallacies I don't have enough space

Rebuttals
  https://twitter.com/r3dQu1nn/status/1209207550731677697
    Limiting yourself by not exposing more tooling to defenders is NOT how to improve security. Yikes. The more exposure you provide defenders gives you more detections/IOCs you can build to help defend against APTs. That's the whole point of Proactive security.
  https://twitter.com/bettersafetynet/status/1209138002473160707
    It's vital that we continue to sharpen our swords. The commoditization of attacker techniques allows better defense against what adversaries are doing.
  https://twitter.com/dragosr/status/1209213064446279680
    And this whole discussion ignores a simple fact that released information is way better than exploits passed around quietly or kept in stockpile caches regardless of anyone's metric of responsibility (which is a debatable, very hypothetical line of what's acceptable or not).
  https://twitter.com/bettersafetynet/status/1209139099979923457
    The very fact that you and others who are taking this side are trying to cajole and brow beat to this position shows how weak your argument is. MITRE ATT&CK took off like gang-busters not because they had a better trolling game, but because it was a great idea implemented well.
  https://twitter.com/bettersafetynet/status/1209139578579275776
    It's odd that those who advocate this position point out these reports while ignoring all the vendor patches, all the hardening guidelines, basically all the technical defensive work that ops teams do. Nobody's doubting attackers use these techniques, we doubt your conclusions.
  https://twitter.com/bettersafetynet/status/1209154592560353280
    My stance is likely to tick off both sides here. I think there are times that limited release is good. But over and over, we've seen where vendors do not change until something is publicly released.
  https://twitter.com/r3dQu1nn/status/1209346356151631873
    Security is a service that can be improved with products. Having no security or limiting exposure to offensive tool sets increases the chances of a breach. Ethical hackers' sole purpose is to help make Blue better. Which is why purple teams are a great resource for any company.
  https://twitter.com/ippsec/status/1209354476072689664?s=20
    To the people upset by public red team tools. If you can't detect open source tools then what chance do you have at detecting private one off tools. It's much easier to automate a battle against 100 duck sized horses than it is to face off against a single horse sized duck.

Defender classification of PowerShell Empire 3.0
  https://www.bc-security.org/post/the-empire-3-0-strikes-back
  Is there a way to protect against it?
  Where does this sit in the ATT&CK Matrix?
  Features:
    Enhanced Windows evasion vs. Defender
    DPAPI support for "PSCredential" and "SecureString"
    AMSI bypasses
    JA3/S signature randomization
    New Mimikatz version integration

Curveball test (CryptoAPI test scripts)

Dave's new esports initiative (opens in February): https://twitter.com/HackingDave/status/1220150360779710464

DERBYCON community updates
March 12, 2020
(Show notes identical to the March 19, 2020 episode above.)
March 4, 2020
Nemesis: https://github.com/UnityTech/nemesis
https://www.techrepublic.com/article/security-concerns-hampering-adoption-of-containers-and-kubernetes/
Nemesis - an auditing tool to check against a set of benchmarks (CIS GCP only)
https://en.wikipedia.org/wiki/Center_for_Internet_Security
  What does CIS do well?
  What do the CIS benchmarks do poorly?
K8s workload identity - GKE specific
github.com/TaylorMutch @mutchsecure
Amazon STS tokens
https://www.eventbrite.com/e/bsides-seattle-2020-tickets-86351434465
https://www.zdnet.com/article/texas-school-district-falls-for-scam-email-hands-over-2-3-million/
February 26, 2020
Brakesec Podcast is now on Pandora! Find us here: https://pandora.app.link/p9AvwdTpT3
Book club
Book club is starting up again with Hands-On AWS penetration testing with Kali Linux from Gilbert and Caudill. You read and get together to discuss or demo every Monday. Get the book, start reading and meet us for the kick off Monday the 24 at 10pm eastern. The book club meets virtually on zoom, and organizes on slack; get invited like this.
Book: https://smile.amazon.com/Hands-Penetration-Testing-Kali-Linux/dp/1789136725
NolaCon Training: https://nolacon.com/training/2020/security-detect-and-defense-ttx
Roberto Rodriguez
  Bio
  @Cyb3rWard0g on Twitter
Threat Intel vs. Threat Hunting = what’s the difference?
  What datasets are you using?
  Did you start with any particular dataset, or create your own?
Technique development - what skills are needed?
  C2 setup
  Detection mechanisms
  Honeypots
How can people get involved?
Blacksmith - create ‘mordor’ environment to push scripts to set up honeypots/nets
https://Threathunterplaybook.com
https://github.com/hunters-forge/ThreatHunter-Playbook
https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/lateral_movement/WIN-190815181010.html
https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4
https://medium.com/threat-hunters-forge/writing-an-interactive-book-over-the-threat-hunter-playbook-with-the-help-of-the-jupyter-book-3ff37a3123c7
https://www.exploit-db.com/exploits/47995 - Sudo buffer overflow
Mordor: The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption.
YAML Example: https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/WIN-190810201010.yaml
Notebook Example: https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/lateral_movement/WIN-190810201010.html
Jupyter notebook - Definition: https://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/what_is_jupyter.html
Lateral Movement - WMI (image below)
SIGMA?
What is a Notebook? Think of a notebook as a document that you can access via a web interface that allows you to save input (i.e. live code) and output (i.e. code execution results / evaluated code output) of interactive sessions as well as important notes needed to explain the methodology and steps taken to perform specific tasks (i.e. data analysis). https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4
Have a goal for expanding to other parts of ATT&CK?
Threat Hunter Playbook - Goals
  Expedite the development of techniques and hypotheses for hunting campaigns.
  Help Threat Hunters understand patterns of behavior observed during post-exploitation.
  Reduce the number of false positives while hunting by providing more context around suspicious events.
  Share real-time analytics validation examples through cloud computing environments for free.
  Distribute Threat Hunting concepts and processes around the world for free.
  Map pre-recorded datasets to adversarial techniques.
  Accelerate infosec learning through open source resources.
Sub-techniques: https://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a
Slack Channel: https://launchpass.com/threathunting
Twitter: https://twitter.com/mattifestation https://twitter.com/tifkin_ https://twitter.com/choldgraf https://twitter.com/Cyb3rPandaH
Brakeing Down Security Podcast on #Pandora - https://www.pandora.com/podcast/brakeing-down-security-podcast/PC:27866
Marcus Carey https://twitter.com/marcusjcarey
  Prolific Author, Defender, Enterprise Architect at ReliaQuest
https://twitter.com/egyp7
https://www.darkreading.com/vulnerabilities---threats/reliaquest-acquires-threatcare/d/d-id/1335950
“GreyMatter integrates security data from security incident and event manager (SIEM), endpoint detection and response (EDR), firewalls, threat intelligence feeds, and other security tools, and includes analysis functions and automation. Threatcare's technology — which will become a new feature on the platform — simulates how a specific threat or attack could target an organization's network in order to determine whether its security tools and settings are or are not actually working to thwart the threats.”
Security model - everyone’s is different
  How do you work with your threat model?
  A proper threat model
Attack Simulation -
  How is this different from doing a typical Incident Response tabletop? Threat modeling systems?
  How is this different than a pentest?
  Is this automated red teaming? How effective can automated testing be?
  Is this like some kind of constant scanning system?
  How does this work with threat intel feeds?
  Can it simulate ransomware, or any attacks?
Hedgehog principles
  A lot of things crappily, and nothing good
  Mr. Boettcher: “Why suck at everything…”
Atomic Red Team - https://github.com/redcanaryco/atomic-red-team
ATT&CK Matrix - https://attack.mitre.org/matrices/enterprise/
Tribe of Hackers
https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1793464189 - Red Book
  The Tribe of Hackers team is back with a new guide packed with insights from dozens of the world’s leading Red Team security specialists. With their deep knowledge of system vulnerabilities and innovative solutions for correcting security flaws, Red Team hackers are in high demand. Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity takes the valuable lessons and popular interview format from the original Tribe of Hackers and dives deeper into the world of Red Team security with expert perspectives on issues like penetration testing and ethical hacking. This unique guide includes inspiring interviews from influential security specialists, including David Kennedy, Rob Fuller, Jayson E. Street, and Georgia Weidman, who share their real-world learnings on everything from Red Team tools and tactics to careers and communication, presentation strategies, legal concerns, and more.
    Learn what it takes to secure a Red Team job and to stand out from other candidates
    Discover how to hone your hacking skills while staying on the right side of the law
    Get tips for collaborating on documentation and reporting
    Explore ways to garner support from leadership on your security proposals
    Identify the most important control to prevent compromising your network
    Uncover the latest tools for Red Team offensive security
https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1119643376 - Yellow Book
  Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World is your guide to joining the ranks of hundreds of thousands of cybersecurity professionals around the world. Whether you’re just joining the industry, climbing the corporate ladder, or considering consulting, Tribe of Hackers offers the practical know-how, industry perspectives, and technical insight you need to succeed in the rapidly growing information security market. This unique guide includes inspiring interviews from 70 security experts, including Lesley Carhart, Ming Chow, Bruce Potter, Robert M. Lee, and Jayson E. Street.
    Get the scoop on the biggest cybersecurity myths and misconceptions about security
    Learn what qualities and credentials you need to advance in the cybersecurity field
    Uncover which life hacks are worth your while
    Understand how social media and the Internet of Things have changed cybersecurity
    Discover what it takes to make the move from the corporate world to your own cybersecurity venture
    Find your favorite hackers online and continue the conversation
https://smile.amazon.com/Tribe-Hackers-Security-Leaders-Cybersecurity/dp/1119643775 - Green Book (Next out!)
  Information security is becoming more important and more valuable all the time. Security breaches can be costly, even shutting businesses and governments down, so security leadership is a high-stakes game. Leading teams of hackers is not always easy, but the future of your organization may depend on it. In this book, the world’s top security experts answer the questions that Chief Information Security Officers and other security leaders are asking, including:
    What’s the most important decision you’ve made or action you’ve taken to enable a business risk?
    How do you lead your team to execute and get results?
    Do you have a workforce philosophy or unique approach to talent acquisition?
    Have you created a cohesive strategy for your information security program or business unit?
https://smile.amazon.com/Tribe-Hackers-Blue-Team-Cybersecurity/dp/1119643414 - Blue Book (OUT SOON!)
  Tribe of Hackers Blue Team goes beyond the bestselling, original Tribe of Hackers book and delves into detail on defensive and preventative techniques. Learn how to grapple with the issues that hands-on security experts and security managers are sure to build into their blue team exercises.
    Discover what it takes to get started building blue team skills
    Learn how you can defend against physical and technical penetration testing
    Understand the techniques that advanced red teamers use against high-value targets
    Identify the most important tools to master as a blue teamer
    Explore ways to harden systems against red team attacks
    Stand out from the competition as you work to advance your cybersecurity career
February 19, 2020
Full notes and graphics are on www.brakeingsecurity.com
Episode 2020-006
Book club
“And maybe blurb for the cast could go something like this. Book club is starting up again with Hands-On AWS penetration testing with Kali Linux from Gilbert and Caudill. You read and get together to discuss or demo every Monday. Get the book, start reading and meet us for the kick off Monday the 24 at 10pm eastern. The book club meets virtually on zoom, and organizes on slack..get invited like this.”
Book: https://smile.amazon.com/Hands-Penetration-Testing-Kali-Linux/dp/1789136725
NolaCon Training: https://nolacon.com/training/2020/security-detect-and-defense-ttx
February 10, 2020
February 5, 2020
January 30, 2020
What is Honeycomb.io? From the site: “Honeycomb is a tool for introspecting and interrogating your production systems. We can gather data from any source—from your clients (mobile, IoT, browsers), vendored software, or your own code. Single-node debugging tools miss crucial details in a world where infrastructure is dynamic and ephemeral. Honeycomb is a new type of tool, designed and evolved to meet the real needs of platforms, microservices, serverless apps, and complex systems.”
SSH 2FA gist: https://gist.github.com/lizthegrey/9c21673f33186a9cc775464afbdce820
Honeycomb.io for digging into access logs & retracing what pentesters do.
January 23, 2020
Ms. Berlin's appearance on #misec podcast - https://www.youtube.com/watch?v=Cj2IF0zn_BE with @kentgruber and @quantissIA Blog post:  https://www.honeycomb.io/blog/incident-report-running-dry-on-memory-without-noticing/   What is Honeycomb.io? From the site:  “Honeycomb is a tool for introspecting and interrogating your production systems. We can gather data from any source—from your clients (mobile, IoT, browsers), vendored software, or your own code. Single-node debugging tools miss crucial details in a world where infrastructure is dynamic and ephemeral. Honeycomb is a new type of tool, designed and evolved to meet the real needs of platforms, microservices, serverless apps, and complex systems.”   What are SLOs and how do you establish them? Are they anything like SLA (Service level agreements)?   Can you give us an idea of timeline? Length of time from issue to IR to resolution?  Are the dashboards mentioned in the blogs post your operations dashboard? [nope! hashtag no-dashboards]   Leading and lagging indicators ( IT and infosec call them detection and mitigation indicators)     https://kpilibrary.com/topics/lagging-and-leading-indicators   How important is telemetry (or meta-telemetry, since it’s telemetry on telemetry, if I’m reading it right --brbr) in making sure you can understand issues?   Do you have levels of escalation? How do you define those?   When you declared an emergency, how did brainstorming help with addressing the issues? Do that help your org see the way to a proper fix?     Did you follow any specific methodology? Did you have a warroom or web conference?       Communications: https://twitter.com/lizthegrey/status/1192036833812717568   Can being over transparent be detrimental?    Communication methods in an IR:     Slack     Phone Tree     Ticket system     Emails         What does escalation look like for Ms. Berlin? Mr. Boettcher?  (stories or examples?)   
Confirmation bias (or the “it’s never in our house” fallacy)
  “I’ve seen and been a part of that, very prevalent in IT” --brbr
  Especially when the bias is based on previous outages/issues
  From the blog: “We quickly found ourselves locked in a state of confirmation bias…”

Root cause analysis:
  Once you diagnosed the issue, how quickly was a fix pushed out?
  What kind of documentation or monitoring was generated/added to ensure this won’t happen again?
January 13, 2020
Educause conference: https://events.educause.edu/security-professionals-conference/2020/hotel-and-travel

Amanda’s training that everyone should come to!!! https://nolacon.com/training/2020/security-detect-and-defense-ttx
Follow twitter.com/infosecroleplay

Part 1: New year, new things

Discussion:
  What happened over the holidays? What did you get for Christmas?
  PMP test is scheduled for 10 March

Proposal: Anonymous Hacker segment
  Similar to “The Stig” on Top Gear. If you would like to come on and discuss any topic you would like, you’ll have anonymity; we won’t share your contact info.
  Will allow people worried that they’ll be ridiculed to share their knowledge
  We can record your 20-30 minute segment whenever (will need audio/video for it)
  You can take a tutorial from another site (or your own) and review it for us
  1-2 segments per month
  We can discuss content prior to (we won’t put you on the spot)
  We do have a preliminary

News:

Google removed 1.7K+ Joker Malware infected apps from its Play Store
  Full article: https://securityaffairs.co/wordpress/96295/malware/joker-malware-actiity.html
  Excerpt: Google revealed it successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware. Google provided technical details of its activity against the Joker malware (aka Bread) operation during the last few years. The Joker malware is malicious code camouflaged as a system app that allows attackers to perform a broad range of malicious operations, including disabling the Google Play Protect service, installing malicious apps, generating fake reviews, and showing ads. The spyware is able to steal SMS messages, contact lists and device information, along with signing victims up for premium service subscriptions. In October, Google removed 24 apps from Google Play because they were infected with Joker malware; the 24 malicious apps had a total of 472,000 installs.
  “Over the past couple of weeks, we have been observing a new Trojan on GooglePlay. So far, we have detected it in 24 apps with over 472,000+ installs in total.”
  “…apps typically fall into two categories: SMS fraud (older versions) and toll fraud (newer versions). Both of these types of fraud take advantage of mobile billing techniques involving the user’s carrier,” reads the post published by Google.
  The newer versions of the Joker malware were involved in toll fraud, which consists of tricking victims into subscribing to or purchasing various types of content via their mobile phone bill.
  WAP billing: https://en.wikipedia.org/wiki/WAP_billing
  Example: Pokemon Go allows in-app purchases

Over 25,000 Citrix (NetScaler) endpoints vulnerable to CVE-2019-19781
  Full article: https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/
  Excerpt: On Friday, January 10, 2020, our honeypots detected opportunistic mass scanning activity originating from a host in Germany targeting Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers vulnerable to CVE-2019-19781. This critical vulnerability allows unauthenticated remote attackers to execute commands on the targeted server after chaining an arbitrary file read/write (directory traversal) flaw.
  What type of organizations are affected by CVE-2019-19781? (industries with typically poor or outdated security practices… --brbr)
  4,576 unique autonomous systems (network providers) were found to have vulnerable Citrix endpoints on their network. We’ve discovered this vulnerability currently affects:
    Military, federal, state, and city government agencies
    Public universities and schools
    Hospitals and healthcare providers
    Electric utilities and cooperatives
    Major financial and banking institutions
    Numerous Fortune 500 companies
  How is CVE-2019-19781 exploited and what is the risk?
  This critical vulnerability is easy for attackers to exploit using publicly available proof-of-concept code. Various methods demonstrating how to exploit CVE-2019-19781 have been posted on GitHub by Project Zero India and TrustedSec. A forensic guide is available detailing how to check Citrix servers for evidence of a compromise. Further exploitation of this vulnerability could be used to spread ransomware (similar to CVE-2019-11510) and cryptocurrency mining malware on sensitive networks. If multiple servers are compromised by the same threat actor, they could be weaponized for coordinated malicious activity such as DDoS attacks.

SNAKE #Ransomware Targets Entire Corporate Systems?
  Full article: https://www.ehackingnews.com/2020/01/snake-ransomware-targets-entire.html
  Excerpt: The new Snake Ransomware family sets out to target organizations’ corporate networks in their entirety. It is written in Golang and contains a significant level of obfuscation; the observations and disclosure of the attacks were made by a group of security specialists from the MalwareHunterTeam.
  The ransomware, upon successful infection, erases the machine's Shadow Volume Copies before ending different processes related to SCADA frameworks, network management solutions, virtual machines, and various other tools.
  After that, it continues to encrypt the machine's files while skirting significant Windows folders and system files. As a feature of this procedure, it affixes "EKANS" as a file marker alongside a five-character string to the file extension of each file it encrypts. The threat wraps up its encryption routine by dropping a ransom note entitled "Fix-Your-Files.txt" in the C:\Users\Public\Desktop folder, which instructs victims to contact "bapcocrypt@ctemplar.com" so as to purchase a decryption tool.
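The Bad Packets item above describes CVE-2019-19781 as a directory-traversal flaw chained into command execution and points at a forensic guide for checking servers. The added example below is not from the article, the podcast or Citrix; it shows the first pass a responder would make over the web access log: percent-decode each request target (twice, to catch double encoding), collapse the ".." segments, and flag requests whose canonical path escapes the top-level directory they started in. The log lines are constructed, and the `/vpns/` prefix check reflects the widely published indicator that exploitation requests reach `/vpns/` by traversing out of `/vpn/`; that prefix is an assumption of this example, not something the page states.

```python
"""Flag directory-traversal requests in a web access log (added example)."""
import posixpath
import re
from urllib.parse import unquote

# Combined-format access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment anywhere in the decoded path.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')
# Assumption (not stated on the page): published CVE-2019-19781 exploitation
# requests traverse from /vpn/ into /vpns/, so a canonical path under this
# prefix that was reached via ".." is the strongest signal in the log.
SUSPECT_PREFIX = '/vpns/'


def decode_and_canonicalize(target):
    """Return (decoded path, canonical path) for a raw request target."""
    path = target.split('?', 1)[0]           # drop the query string
    decoded = unquote(unquote(path))         # twice, to catch %252e double encoding
    canonical = posixpath.normpath(decoded)  # collapses "." and ".." segments
    return decoded, canonical


def first_segment(path):
    """Top-level directory of an absolute path ('' for '/')."""
    return path.strip('/').split('/')[0]


def classify(line):
    """Parse one log line; return a finding dict, or None when no ".." is present."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded, canonical = decode_and_canonicalize(m['target'])
    if not TRAVERSAL_RE.search(decoded):
        return None
    return {
        'ip': m['ip'],
        'ts': m['ts'],
        'method': m['method'],
        'status': int(m['status']),
        'raw': m['target'],
        'canonical': canonical,
        # a ".." that changes the top-level directory escaped where it started
        'escaped': first_segment(canonical) != first_segment(decoded),
        'suspect': canonical.startswith(SUSPECT_PREFIX),
    }


def scan(lines):
    """Return findings for every line that carries a traversal sequence."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample log (not a real capture); only the third and fourth
# requests leave /vpn/, the second stays inside it.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2020:14:02:11 +0000] "GET /vpn/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2020:14:02:12 +0000] "GET /vpn/js/../index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2020:14:02:13 +0000] "GET /vpn/../vpns/example/config HTTP/1.1" 200 1024 "-" "python-requests/2.22.0"',
    '203.0.113.5 - - [10/Jan/2020:14:02:14 +0000] "POST /vpn/%2e%2e/vpns/portal/scripts/example.pl HTTP/1.1" 200 0 "-" "python-requests/2.22.0"',
    '198.51.100.9 - - [10/Jan/2020:14:05:00 +0000] "GET /vpns/portal/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        flag = 'SUSPECT' if f['suspect'] else ('escaped' if f['escaped'] else 'benign')
        print(f"{f['ts']} {f['ip']} {f['method']} {f['raw']} -> {f['canonical']} [{flag}]")
```

Two design points: the escape test compares top-level directories rather than just looking for "..", so a relative link inside the same directory does not page anyone; and the status code is kept in the finding, because a 200 on an escaped path is what separates a successful read from a blocked probe.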
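The Snake/EKANS item above gives two host-level indicators a responder can check for without having a sample: the "EKANS" file marker and the Fix-Your-Files.txt ransom note. The added example below is not from the article or the podcast; it walks a directory tree and reports the files carrying the marker, the extensions they now have, and any ransom notes found. It assumes the marker is written as the final bytes of each encrypted file and that the five-character string is appended after the original extension; both are readings of the article's wording rather than facts stated on the page. The sample tree is constructed in a temporary directory.

```python
"""Triage a directory tree for Snake/EKANS ransomware indicators (added example)."""
import os
import tempfile
from pathlib import Path

MARKER = b'EKANS'                 # file marker named in the article
NOTE_NAME = 'Fix-Your-Files.txt'  # ransom-note filename named in the article
# Assumption: the marker is the final bytes of each encrypted file and the
# five-character string is appended to the original extension (e.g. .xlsxAbc12).


def ends_with_marker(path):
    """True when the file's last bytes are the EKANS marker."""
    size = path.stat().st_size
    if size < len(MARKER):
        return False
    with path.open('rb') as fh:
        fh.seek(size - len(MARKER))
        return fh.read(len(MARKER)) == MARKER


def triage(root):
    """Walk `root`; return encrypted files, ransom notes and the extensions seen."""
    root = Path(root)
    encrypted, notes = [], []
    for p in root.rglob('*'):
        if not p.is_file():
            continue
        if p.name == NOTE_NAME:
            notes.append(p)
        elif ends_with_marker(p):
            encrypted.append(p)
    return {
        'encrypted': sorted(encrypted),
        'notes': sorted(notes),
        # original extension plus the appended string; handy for a later hunt
        'extensions': sorted({p.suffix for p in encrypted}),
    }


def build_sample_tree():
    """Constructed sample: two marked files, one clean file, one ransom note."""
    root = Path(tempfile.mkdtemp(prefix='ekans-triage-'))
    (root / 'reports').mkdir()
    (root / 'reports' / 'q4.xlsxAbc12').write_bytes(os.urandom(64) + MARKER)
    (root / 'hmi.cfgZz9qW').write_bytes(os.urandom(32) + MARKER)
    (root / 'readme.txt').write_bytes(b'plain text, untouched')
    (root / 'Public' / 'Desktop').mkdir(parents=True)
    (root / 'Public' / 'Desktop' / NOTE_NAME).write_text('constructed ransom note\n')
    return root


if __name__ == '__main__':
    result = triage(build_sample_tree())
    print(f"{len(result['encrypted'])} marked files, extensions {result['extensions']}")
    for note in result['notes']:
        print('ransom note:', note)
```

Run it against a mounted image or a share rather than the live host where possible, and treat the extension list as the input to a wider sweep: the same original-extension-plus-suffix pattern across many hosts is what tells you whether this is one machine or the whole network the article describes.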
December 23, 2019
End of year, end of decade
  Are things better than 10 years ago? 5 years ago?
  If there was one thing to change things for the better, what would that be?

Good, Bad, Ugly
  Did naming vulns make things better?
  Which industries are doing a good job of securing themselves? Finance?
  What do you wish never happened (security/compliance wise)?
    Ransomware infections with no bounties
    Still have people believing “Nessus” is a pentest

https://nrf.com/
https://www.retailitinsights.com/eventscalendar/eventdetail/1c77d5c6-8625-4f2b-bb98-89cca6590c49
https://monitorama.com/
https://www.apics.org/credentials-education/events

The Future: PREDICTIONS!!!
  Bryan: The rise of the vetting programs (companies will want to vet content creators in their ecosystems)
  Cybuck: An uptick in surveillance tech, both disguised as cool smart-home gadgets and straight-up public safety, triggering a US GDPR-type response. Injection remains the undisputed heavyweight champion of appsec vulnerabilities (OWASP Top 10). And wishful thinking... broken authentication moves lower, denial of service goes down. https://twitter.com/WeldPond/status/1207383327491137536/photo/1
  JB: A major change in social media / generational shift in how we use it, legal or a focus on new types of mobile tech, for example… Human networking in real life in the age of ‘social’… “When you hire someone… you also hire their rolodex” --- what do you think about this statement? Its role in InfoSec? Talent?

JB shouted out https://github.com/redcanaryco/atomic-red-team (Invoke-Atomic framework with PowerShell, now on Linux, OSX, and Windows)
JB: Link to the hunting/stopping-human-trafficking org I mentioned. Shoutout to Sherrie Caltagirone, Executive Director, Global Emancipation Network @GblEmancipation https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1569941622.pdf

Mentioned: https://monitorama.com/
https://github.com/viq/air-monitoring-scripts (viq from Brakesec)

Other topics
  Talk about where you were 10 years ago, and what you did to get where you are?
  Best hacking tool?
  Best enterprise tool?

Recent news
  https://www.zdnet.com/article/more-than-38000-people-will-stand-in-line-this-week-to-get-a-new-password/
  https://www.phoronix.com/scan.php?page=news_item&px=CERN-MALT-Microsoft-Alternative
  https://www.iotworldtoday.com/2019/12/21/2020-predictions-apis-become-a-focus-of-iot-security/
  https://www.jonesday.com/en/insights/2018/10/california-to-regulate-security-of-iot-devices

News stories from 2010 (see if they still make sense, or are outdated)
  https://www.infosecurity-magazine.com/magazine-features/what-makes-a-ciso-employable/
  https://www.csoonline.com/article/2231454/verizon-s-2010-dbir--rise-in-misuse--malware-and-social-engineering.html
  https://www.owasp.org/index.php/OWASPTop10-2010-PressRelease
December 18, 2019
The day after part 1: Keybase halted the spacedrop the day after the first podcast was complete...

Security failures in implementation
  “We need to push this to market, we’ll patch it later!”
  Risk management discussion for project managers (PMP)
  CIA triad… where do ‘business goals’ fit? Security is at odds with the bottom line
    **Reference Noid’s BSides Seattle talk and podcast earlier this year.**

Other companies that have made security mistakes in the name of business
  Practical Pentest Labs storing passwords in the clear
    https://twitter.com/mortalhys/status/1202867037120475136
    https://web.archive.org/web/20191207132548/https://twitter.com/mortalhys/status/1202867037120475136
    https://twitter.com/piaviation/status/1202994484172218368
  T-Mobile Austria partial password issues: https://www.pcmag.com/news/360301/t-mobile-austria-admits-to-storing-passwords-partly-in-clear
    No one was championing security, because no one considered the problems with partial disclosure of the passphrase in an account.
    Marketing people on your social media accounts do NOT help allay security issues (because they didn’t have escalation procedures for vuln disclosure)
    Insider threats could take over accounts

Follow-up from last week’s show with Bea Hughes:

  I liked the interesting discussion about security and DevOps teams with Bea Hughes in your recent podcast. When you mentioned you are taking your PMP for agile I'm surprised you did not mention the term "product owner". You were asking who cares about security that you, as a security guy, can talk to. Bea mentioned that it was the "stakeholders", but in the agile process the "product owner" is the team's advocate for the "stakeholders".

  And, you also mentioned "PM", as in project manager. In an agile world, the typical PM role is minimized. Actually, the PM is removed entirely ideally in favor of empowered teams. Empowered teams understand that good products are reliable and secure. (Secure because the security CIA includes "availability" and "integrity" aka reliability.)

  As Director of DevOps for my 4,000-person-strong consulting company I'm working with our security team to push responsibility for security to our development teams. Empowering them to take the time and bear the costs of using security tools prior to release and during system operation is what we are working on now, as we roll into 2020.

**If the ‘product owner’ or ‘empowered team’ does not consider security a priority/requirement, then who champions security? It only becomes a priority when something bad happens, like a breach.**

“Empowered teams” - some people aren’t fans: https://hackernoon.com/the-surprising-misery-of-empowered-teams-35c3679cf11e
December 10, 2019
Patreon donor goodness: Scott S. and Ion S.

@_noid_ @davedittrich

Keybase's response:
  “It’s not a bug, it’s a feature”
  “Don’t write a blog post that will point out the issue”
  “You pointing out our issues makes things more difficult for us”
  “It’s a free service, why are you hurting us?”
  https://keybase.io/docs/bug_reporting

Nov 22nd: Noid (@_noid_) Keybase discussion blog post https://www.whiskey-tango.org/2019/11/keybase-weve-got-privacy-problem.html
Reddit post showing potential SE attacks occurring: https://www.reddit.com/r/Keybase/comments/e6uou3/hi_guys_i_received_a_message_today_that_is/
Keybase’s decision to fix it came out after The Register asked them about the issue…
Dec 4th: https://keybase.io/blog/dealing-with-spam
Dec 5th: https://www.theregister.co.uk/2019/12/05/keybase_struggles_with_harassment/

Problems with the implementation:
  Requiring Keybase admins to decide what’s wrong or whether accounts need to be deleted
  Additional dummy accounts being created on other sites (Keybase, Twitter, git, Reddit, etc.), generating problems for those services (as if Twitter doesn’t have enough issues with bots/shitty people)
  Cryptocurrency = trolls/phishing/SE attempts to get folks to hand over their lumens (what’s the motivation of creating the coin?)
  They’ve already opened the spam door, and they’ll not be able to shut it. Once they took the VC money and aligned themselves with Stellar, the attack surface changed: from account takeover (integrity attacks) to deception (social engineering)

What is Keybase?
  Social network?
  E2E chat? Encrypted file share/storage?
  Cryptocurrency company?
  Secure git repo protector?
  Which ones do they do well?

How could they have solved the spam issue?
  Made the cryptocoin a separate application?
    Even their /r/keybase is filling up with spammers asking about their Lumens

How could they fix it?
  You can’t contact someone unless that person allows you to.
  Allow someone to contact you, but do not allow adding to teams without permission

https://news.ycombinator.com/item?id=21719702 (ongoing HN thread)
Noid isn’t the only person with issues in Keybase: https://vicki.substack.com/p/keybase-and-the-chaos-of-crypto
https://it.slashdot.org/story/19/12/06/1610259/keybase-moves-to-stop-onslaught-of-spammers-on-encrypted-message-platform
https://keybase.io/docs-assets/blog/NCC_Group_Keybase_KB2018_Public_Report_2019-02-27_v1.3.pdf

Stephen Carter's definition of “integrity”:
  Integrity, as I will use the term, requires three steps: (1) discerning what is right and what is wrong, (2) acting on what you have discerned, even at personal cost; and (3) saying openly that you are acting on your understanding of right from wrong. — Stephen Carter, “Integrity.” Harper-Collins. https://www.harpercollins.com/9780060928070/integrity/

Can the person [who took the controversial act] explain their reasoning, based on principles they can articulate and would follow even if it meant they paid a price? Or do they selectively choose principles in arbitrary ways so as to fit the current circumstances in order to guarantee they get an outcome that benefits them?

noid’s blog post clearly documents the timeline of interactions with Keybase, including: (1) providing detailed steps to reproduce; (2) suggesting mitigations that could be implemented in the architecture; (3) providing guidance to users to protect themselves when the vulnerability disclosure was made public; and (4) justifying his decision to go public by citing and following a vulnerability disclosure policy of a major industry leader in this area, Google:
  Following Google Security’s guidelines for issues being actively exploited in the wild, I chose to release this information 7 days after I last heard from Keybase.

The ACM Code of Conduct has several sections that could apply here:
  1.1 Contribute to society and to human well-being, acknowledging that all people are stakeholders in computing.
  1.2 Avoid harm.
  1.6 Respect privacy.
  2.1 Strive to achieve high quality in both the processes and products of professional work.
  2.7 Foster public awareness and understanding of computing, related technologies, and their consequences.
  3.1 Ensure that the public good is the central concern during all professional computing work.
  3.7 Recognize and take special care of systems that become integrated into the infrastructure of society.

The right to privacy of your information, as well as the right to choose with whom you associate and communicate, are both arguably duties based on the concept of autonomy (i.e., your right to choose).

In biomedical and behavioral research, the principle involved here is known as Respect for Persons and is best recognized as the idea of informed consent. Giving users autonomy in making their data public, but not giving them autonomy in who they allow to communicate with them and add them to “teams,” could be viewed as conflicting as regards this principle.

This is in fact precisely what noid brought up in his initial communication with Keybase:
  I had a random guy I don’t follow add me to a team and start messaging me about cryptocurrency stuff. This really shouldn’t be default behavior. This can result in a spam or harassment vector (hence why I’m reluctant to post it on the open forum). Ideally the default behavior should be that no one can add you to a team without your consent. Then maybe have an option of allowing those you follow to be able to do so, and as a final option let anyone add you to a team (but make sure folks know this isn’t recommended).
December 4, 2019
Realistic Threats

Nation states aren’t after you
  https://twitter.com/beajammingh/status/1191884466752385025
  https://twitter.com/beajammingh/status/1198671660150226946
  https://twitter.com/beajammingh/status/1198671952824565762
  https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling

What are credible threats?
  Malicious insiders
  Non-malicious insiders: https://www.scmagazine.com/home/security-news/not-every-insider-threat-is-malicious-but-all-are-dangerous/
    Education issue?
    Is there such a thing as ‘non-malicious’ or is this just bunk?

Real threats
  https://resources.infosecinstitute.com/5-new-threats-every-organization-prepared-2018/
  CIO magazine threats -- buzzword threats (we should totally containerize all the things)
  Vulns that have names (blue team is stuck dealing with ‘theoretical’ issues, e.g. SPECTRE/MELTDOWN)
  Lack of well-priced training?
    Dev training?
    Security training?

Better management communication will reduce threats
  Building trust so they don’t freak out when ‘$insert_named_vuln’ shows up
  Gotta frame it to business needs
  “Everyone is vulnerable” - keep FUD to a minimum, don’t exaggerate.
  Know your industry’s threats (phishing, money transfer fraud, malware)

Patreon donor: Michael K. $10 patron!

Layer8conf - https://www.workshopcon.com/events https://layer8conference.com/
  Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of Sponsorships the conference secures. As a side note WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups.
  In terms of sponsorship information for Layer8, Patrick wants people to send an email to sponsors@layer8conference.com
  Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!
  Saturday June 6, 2020, RI Convention Center

https://www.dianainitiative.org/ https://twitter.com/DianaInitiative
  Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)
November 27, 2019
Diana Initiative: @circuitswan @dianainitiative
https://www.dianainitiative.org/ https://twitter.com/DianaInitiative
Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)
info@dianainitiative.org

Topics

Diana Initiative's past
  2015 - idea at DEF CON 23
  2016-17-18 growing but got too big!
  2019 got our own space, ~800 tickets
  2020 plans: Westin again, 2 speaking tracks and 1 workshop track, solder village, career village, CTF, lock picking
  Mentoring both CFP and presenters this year! (expansion from last year)
  Student scholarship (we want to double the amount of money, target still 10)
  Free tickets (expansion over last year)
Present
  Slogan contest 2020
  I don’t want to think about 2021 yet :)
Future
  Mentors
  Reviewers
  Volunteers
  Donations (Giving Tuesday, scholarships)
  Needs/wants

Discuss how to add more D&I into your event (conference, meetup, Slack, etc)
  Women in Technology Diana 2018
  https://business.linkedin.com/talent-solutions/blog/job-descriptions/2018/5-must-dos-for-writing-inclusive-job-descriptions
  https://www.hudsonrpo.com/rpo-intelligence/recruitment-process-outsourcing/how-to-write-an-inclusive-job-description/
  https://www.refinery29.com/en-us/2017/04/148547/how-to-get-a-raise-chatbot-cindy-gallop
  Better job descriptions

Other topics of interest
  Career village / resume clinic work in general (spoken on this twice, volunteer at resume clinic)
  CFP advice in general (https://sites.google.com/site/amazonv/conference-call-for-papers-cfp-tips)
  First-time speaker advice in general: https://sites.google.com/site/amazonv/first-time-speaker?authuser=0
  HackerSwan (http://hackerswan.com/)
  HackerFoodies (http://hackerfoodies.com/)
  http://hackersummercamp.guide/ aka the “birds of a feather” concept
  WAN party / Women’s meetup at DEF CON with @sylv3on_ @nemessisc and more
  http://hackerconticketexchange.com/
  GitLab security scans (that's me!)
    We are responsible for baking Sec into DevOps and hence write the red team software (well, integrate in most cases) for your appsec team if your devs are using GitLab. We have a security team that secures GitLab itself, but that's not us. We have SAST, DAST, Dependency, Secret Detection and License Compliance baked into our paid tier, and SAST is coming down to the free tier! I’m pitching a talk about tuning to ShmooCon because it seems like that's the most common question I got as a result of my devsecops talks at DerbyCon / ShellCon / BSidesDC.
    N.Schwartz: Are you ready to leverage DevSecOps? BSidesDC 2019
  Also could mention getting married to RenderMan and the open wedding invite we have if you are up for party shenanigans: http://circuitswanandrenderman.com/
  And I have a help guide for how to run an inclusive conference: https://docs.google.com/document/d/12OCiiWRVf6r08SuI3T4Djm98GwkfzlvhjYNpS225x3M/edit
  2019 ShellCon Tuneup: Tips for Your CV and Profile, From an Interviewer

SE Village Con - Thu, Feb 20 - Sat, Feb 22 | Hilton Orlando Buena Vista Palace

Layer8conf - https://www.workshopcon.com/events https://layer8conference.com/
  Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of Sponsorships the conference secures. As a side note WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups.
  In terms of sponsorship information for Layer8, Patrick wants people to send an email to sponsors@layer8conference.com
  Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!
  Saturday June 6, 2020, RI Convention Center
November 21, 2019
Show notes for this episode are identical to the November 27, 2019 episode above (Diana Initiative with @circuitswan).
November 12, 2019
Tagnw.org
Amazon Smile - brakesec.com/smile
News:
  https://www.androidpolice.com/2019/11/11/google-project-nightingale-health-records-collection/
  https://www.csoonline.com/article/3439400/secrets-of-latest-smominru-botnet-variant-revealed-in-new-attack.html
  https://blog.naijasecforce.com/the-jar-based-malware/ - Ms. InfoSecSherpa's mailing list "Nuzzel"
  https://www.axios.com/hospitals-cybersecurity-medical-information-hacking-076cb826-fc69-4ba6-b3fd-57ce19ab00c6.html
  https://www.axios.com/hospitals-doctors-privacy-records-hacks-data-5cb5d8c1-27de-4cc1-94d8-634015efc04a.html
  https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/
    https://en.wikipedia.org/wiki/Data_Protection_API
  https://latesthackingnews.com/2019/11/10/multiple-security-issues-detected-in-cisco-small-business-routers-update-now/
  https://www.routefifty.com/tech-data/2019/11/plan-engage-hackers-election-security/161045/
  https://www.darkreading.com/vulnerabilities---threats/microsoft-security-setting-ironically-increases-risks-for-office-for-mac-users/d/d-id/1336268
November 4, 2019
Grrcon update
2019-039 - BlueKeep weaponized... and more
BlueKeep weaponized:
  https://www.bleepingcomputer.com/news/security/bluekeep-remote-code-execution-bug-in-rdp-exploited-en-masse/
  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
  https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/
  https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining
NordVPN hacked: https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/
Null sessions and how to avoid them:
  https://www.dummies.com/programming/networking/null-session-attacks-and-how-to-avoid-them/
  https://social.technet.microsoft.com/Forums/en-US/2acdfb53-edee-444e-9ffa-25dcebcd9181/smb-null-sessions
Linux has a marketing problem: https://hackaday.com/2019/10/31/linuxs-marketing-problem/
20 accounts could pwn the majority of NPM: https://www.zdnet.com/article/hacking-20-high-profile-dev-accounts-could-compromise-half-of-the-npm-ecosystem/
Chrome 0day: https://thehackernews.com/2019/11/chrome-zero-day-update.html
Indian nuclear plant is hacked: https://arstechnica.com/information-technology/2019/10/indian-nuclear-power-company-confirms-north-korean-malware-attack/
High Tea Security Podcast: https://www.podcasts.com/high-tea-security-190182dc8
https://TAGNW.org - Bryan panel and talking about networking
Securewv.org - Training - https://www.eventbrite.com/e/security-dd-tickets-79219348203
Bsides Fredericton - https://www.eventbrite.ca/e/security-bsides-fredericton-2019-tickets-59449704667
October 30, 2019
OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE https://www.owasp.org/index.php/Women_In_AppSec
OWASP Women in AppSec Twitter: 2013_Nayak (reach out and ask to be added)
https://www.tagnw.org/events/
Risk in Infosec
  Risk - a situation which involves extreme danger and an extensive amount of unrecovered loss
    What about risks that are positive in nature? PMP calls them 'opportunities'
  Risk analysis - systematic examination of the components and characteristics of risk
  Analysis steps -
    Understanding and assessment
      Understand there is a risk
      What if a company does not have security standards?
    Identification
      Identify and categorize risk -
        Informational risk
        Network risk
        Hardware risk
        Software risk
        Environment risk?
        https://en.wikipedia.org/wiki/Routine_activity_theory
      Scope of risk analysis?
      Threat modeling to find risks?
        https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
      SWOT (strengths/weaknesses/opportunities/threats) analysis will discover risks?
      Risk analysis methodologies?
        https://www.project-risk-manager.com/blog/qualitative-risk-techniques/
        https://securityscorecard.com/blog/it-security-risk-assessment-methodology
        https://en.wikipedia.org/wiki/Probabilistic_risk_assessment
        https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration
    Estimation
      Chance that the risk will occur (once a decade, once a week)
      Design controls to remediate
    Implementation
      Risk assessment is a combined approach
      Combined approach for a risk analysis
        You mentioned a lot of people, what's the scope?
        How do you do the risk assessment? Framework?
    Evaluation
      Evaluation approach
        Like an agile approach
      Provides an informed conclusion
      Report must be clear (no jargon)
    Decision making
  Examples to reduce risk
    Training and education
      What kind of testing? Annual security training?
    Publishing policies
      Agreement with the organization
      BAA with 3rd parties
    Timely testing -
October 22, 2019
Derbycon9 talk - PowerShell Security: Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s
Encarta - https://en.wikipedia.org/wiki/Encarta
Scott Hanselman's Twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409
Congrats on the black badge :)
I like that you bring up execution policies. That it was never created to become a security control; I started alerting on it anyway, at least from non-admin devices.
  https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/
Want to learn PowerShell? UnderTheWire wargame: https://underthewire.tech/
Jeffrey Snover, "The Cultural Battle to Remove Windows from Windows Server": https://www.youtube.com/watch?v=3Uvq38XOark
You talk about "why would anyone want to remove PowerShell" as it came as a standalone download and part of the Windows SDK. - I was taught when I was just getting into tech that I should fear PowerShell, and didn't realize how powerful it could be as an admin because of it.
PowerShell slime trail
October 17, 2019
Derbycon9 talk - PowerShell Security: Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s
Encarta - https://en.wikipedia.org/wiki/Encarta
Scott Hanselman's Twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409
Congrats on the black badge :)
I like that you bring up execution policies. That it was never created to become a security control; I started alerting on it anyway, at least from non-admin devices.
  https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/
Want to learn PowerShell? UnderTheWire wargame: https://underthewire.tech/
Jeffrey Snover, "The Cultural Battle to Remove Windows from Windows Server": https://www.youtube.com/watch?v=3Uvq38XOark
You talk about "why would anyone want to remove PowerShell" as it came as a standalone download and part of the Windows SDK. - I was taught when I was just getting into tech that I should fear PowerShell, and didn't realize how powerful it could be as an admin because of it.
PowerShell slime trail
October 9, 2019
Secure Python course: https://brakesec.com/brakesecpythonclass
PDF slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing
GraphQL high level: https://graphql.org/
  Designed to replace the REST architecture
  Allows you to make a large request; uses a query language
  Released by FB in 2012
  JSON
Learn enough to be dangerous: https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2
WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315
Vulns in the wild
Abusing GraphQL
  OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
Attack techniques
  https://www.apollographql.com/docs/apollo-server/data/data/
  https://github.com/graphql/graphiql
Protecting GraphQL
  https://github.com/maticzav/graphql-shield
  Magento 2 (runs GraphQL), hard to update...
  https://github.com/szski/shapeshifter - Matt's tool, Shapeshifter
  GraphQL implementations inside (ecosystem packages?)
Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)
Patreon supporters (Josh P and David G)
Teepub: https://www.teepublic.com/user/bdspodcast
For Amanda next: https://www.cybercareersummit.com/ & keynote @grrcon Oct 24/25
October 2, 2019
Derbycon discussion (bring Matt in)
Python course: https://brakesec.com/brakesecpythonclass
PDF slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing
GraphQL high level: https://graphql.org/
  Designed to replace the REST architecture
  Allows you to make a large request; uses a query language
  Released by FB in 2012
  JSON
Learn enough to be dangerous: https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2
WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315
Vulns in the wild
Abusing GraphQL
  OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
Attack techniques
  https://www.apollographql.com/docs/apollo-server/data/data/
  https://github.com/graphql/graphiql
Protecting GraphQL
  https://github.com/maticzav/graphql-shield
  Magento 2 (runs GraphQL), hard to update...
  https://github.com/szski/shapeshifter - Matt's tool, Shapeshifter
  GraphQL implementations inside (ecosystem packages?)
Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)
Patreon supporters (Josh P and David G)
Teepub: https://www.teepublic.com/user/bdspodcast
For Amanda next: https://www.cybercareersummit.com/ & keynote @grrcon Oct 24/25
September 22, 2019
Podcast interview (YouTube): https://youtu.be/4tdJwBMh3ow
Tracy Maleeff (pronounced like "may-leaf") - https://twitter.com/InfoSecSherpa https://medium.com/@InfoSecSherpa https://nuzzel.com/InfoSecSherpa
Python secure coding class - November 2nd / 5 Saturdays, @nxvl teaching: https://www.eventbrite.com/e/secure-python-coding-with-nicolas-valcarcel-registration-72804597511
Derbycon talk: https://www.youtube.com/watch?v=KILlp4KMIPA
Plugs:
  Nuzzel newsletter: https://nuzzel.com/infosecsherpa
  OSINT-y Goodness blog: https://medium.com/@infosecsherpa
Tomato pie: https://www.eater.com/2016/8/19/12525602/tomato-pie-philadelphia-new-jersey
Infosec is a service industry job (gasp!)
Customer service is an attitude, not a department
Reference interview: https://en.wikipedia.org/wiki/Reference_interview
  Approachability
    Does your org make it easy to contact you?
    What is your tone of writing? What does your outgoing communication look like?
    Rein in your attitude, language, etc...
    "I am using an online translator" (great idea!)
    What is your department's reputation?
      Create an assessment of your department...
      "I didn't know there was humans in security?"
  Interest
    Be interested in solving the problem.
    Make the interaction a 'safe space'
      No judging, mocking
      LOL, "EE Cummings": https://poets.org/poem/amores-i
  Listening
    Pay attention to what the end user doesn't say.
    Don't interrupt the end user
  Interviewing
    Repeat back what the user said or asked
    Tone: ask clarification questions, not accusatory questions
  Searching
    Did security fail the user?
  Answering
    Teachable moments
      Building trust / relationship equity
      "While you're on the phone..."
    "Thank you for your time"
  Follow-up
    Think of ways to create a culture of security
    Create canned emails
    Random acts of kindness
      cyberCupcakes!!!! Or potentially small-value gift cards(?)
      Kindness as currency
        Christmas cookies
      Spreading goodwill
        Building relationship equity
          Reciprocity
      Lunch and learns
People can't be educated into vaccinations, but behavioral nudges help
  "Telling people facts won't change behavior"
September 16, 2019
Topics: Infosec Campout report
Jay Beale (co-lead for audit) *Bust-a-Kube*
Aaron Small (product mgr at GKE/Google)
Atredis Partners, Trail of Bits
What was the audit? How did it come about?
Who were the players?
  Kubernetes Working Group: Aaron, Craig, Jay, Joel
  Outside vendors:
    Atredis: Josh, Nathan Keltner
    Trail of Bits: Stefan Edwards, Bobby Tonic, Dominik
  Kubernetes project leads/devs
    Interviewed devs -- this was much of the info that went into the threat model
    Rapid Risk Assessments - let's put the GitHub repository in the show notes
What did it produce?
  Vuln report
  Threat model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf
  White papers
  https://github.com/kubernetes/community/tree/master/wg-security-audit/findings
Discuss the results:
  Threat model findings
    Controls silently fail, leading to a false sense of security
      Pod Security Policies, egress network rules
    Audit model isn't strong enough for non-repudiation
      By default, the API server doesn't log user movements through the system
    TLS encryption weaknesses
      Most components accept cleartext HTTP
      Bootstrapping to add kubelets is particularly weak
      Multiple components do not check certificates and/or use self-signed certs
      HTTPS isn't enforced
      Certificates are long-lived, with no revocation capability
      etcd doesn't authenticate connections by default
    Controllers all bundled together
      Confused deputy: because lower-privilege controllers are bundled in the same binary as higher-privilege ones
    Secrets not encrypted at rest by default
    etcd doesn't have signatures on its write-ahead log
    DoS attack: you can set anti-affinity on your pods to get nothing else scheduled on their nodes
    Port 10255 has an unauthenticated HTTP server for status and health checking
  Vulns / findings (not a complete list, but interesting)
    Hostpath pod security policy bypass via persistent volumes
    TOCTOU when moving PID to manager's group
    Improperly patched directory traversal in kubectl cp
    Bearer tokens revealed in logs
    Lots of MitM risk:
      SSH not checking fingerprints: InsecureIgnoreHostKey
      gRPC transport seems all set to WithInsecure()
      HTTPS connections not checking certs
      Some HTTPS connections are unauthenticated
    Output encoding on JSON construction
      This might lead to further work, as JSON can get written to logs that may be consumed elsewhere.
    Non-constant-time check on passwords
    Lack of re-use / library-ification of code
Who will use these findings and how? Devs, Google, bad guys?
Any new audit tools created from this?
Brad Geesaman, "Hacking and Hardening Kubernetes Clusters by Example [I]" (Symantec): https://www.youtube.com/watch?v=vTgQLzeBfRU
Aaron Small:
  https://cloud.google.com/blog/products/gcp/precious-cargo-securing-containers-with-kubernetes-engine-18
  https://cloud.google.com/blog/products/gcp/exploring-container-security-running-a-tight-ship-with-kubernetes-engine-1-10
  https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
CNCF: https://www.youtube.com/watch?v=90kZRyPcRZw
Findings:
  Scope for testing:
    Source code review (what languages did they have to review?)
      Golang, shell, ...
    Networking (discuss the networking: *internal* and *external*)
    Cryptography (TLS, data stores)
    AuthN/AuthZ
    RBAC (which roles were tested? Just admin/non-admin? *best practice is no admin / least priv*)
    Secrets
    Namespace traversals
    Namespace claims
  Methodology:
    Set up a bunch of environments?
      Primarily set up a single environment IIRC
    Combination of code audit and active ?fuzzing?
      What does one fuzz on a K8s environment?
    Tested with latest alpha or production versions?
      Version 1.13 or 1.14 - version locked at whatever was current - K8s releases a new version every 3 months, so this is a challenge and means we have to keep auditing.
    Tested multiple different types of k8s implementations?
      Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)
Bug bounty program: https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md
September 7, 2019
This evening, we all came together to spend a bit of time talking about the final Derbycon. We talk to Mic Douglas about his 9 Derbycon appearances, and Gary Rimar (piano player extraordinaire) talks about @litmoose's talk on how to tell C-levels that their applications aren't good.   We also got asked about how the show came about, and how we found each other.   **Apologies for the echo in some parts... I did what I could to clean it up, but we were too close and the mics got a bit overzealous...**
August 31, 2019
Topics: Infosec Campout report
Derbycon Pizza Party (with podcast show!): https://www.eventbrite.com/e/brakesec-pizza-party-at-the-derbycon-mental-health-village-tickets-69219271705
Mental health village at Derbycon
Jay Beale (co-lead for audit) *Bust-a-Kube*
Aaron Small (product mgr at GKE/Google)
Atredis Partners, Trail of Bits
What was the audit? How did it come about?
Who were the players?
  Kubernetes Working Group: Aaron, Craig, Jay, Joel
  Outside vendors:
    Atredis: Josh, Nathan Keltner
    Trail of Bits: Stefan Edwards, Bobby Tonic, Dominik
  Kubernetes project leads/devs
    Interviewed devs -- this was much of the info that went into the threat model
    Rapid Risk Assessments - let's put the GitHub repository in the show notes
What did it produce?
  Vuln report
  Threat model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf
  White papers
  https://github.com/kubernetes/community/tree/master/wg-security-audit/findings
Discuss the results:
  Threat model findings
    Controls silently fail, leading to a false sense of security
      Pod Security Policies, egress network rules
    Audit model isn't strong enough for non-repudiation
      By default, the API server doesn't log user movements through the system
    TLS encryption weaknesses
      Most components accept cleartext HTTP
      Bootstrapping to add kubelets is particularly weak
      Multiple components do not check certificates and/or use self-signed certs
      HTTPS isn't enforced
      Certificates are long-lived, with no revocation capability
      etcd doesn't authenticate connections by default
    Controllers all bundled together
      Confused deputy: because lower-privilege controllers are bundled in the same binary as higher-privilege ones
    Secrets not encrypted at rest by default
    etcd doesn't have signatures on its write-ahead log
    DoS attack: you can set anti-affinity on your pods to get nothing else scheduled on their nodes
    Port 10255 has an unauthenticated HTTP server for status and health checking
  Vulns / findings (not a complete list, but interesting)
    Hostpath pod security policy bypass via persistent volumes
    TOCTOU when moving PID to manager's group
    Improperly patched directory traversal in kubectl cp
    Bearer tokens revealed in logs
    Lots of MitM risk:
      SSH not checking fingerprints: InsecureIgnoreHostKey
      gRPC transport seems all set to WithInsecure()
      HTTPS connections not checking certs
      Some HTTPS connections are unauthenticated
    Output encoding on JSON construction
      This might lead to further work, as JSON can get written to logs that may be consumed elsewhere.
    Non-constant-time check on passwords
    Lack of re-use / library-ification of code
Who will use these findings and how? Devs, Google, bad guys?
Any new audit tools created from this?
Brad Geesaman, "Hacking and Hardening Kubernetes Clusters by Example [I]" (Symantec): https://www.youtube.com/watch?v=vTgQLzeBfRU
Aaron Small:
  https://cloud.google.com/blog/products/gcp/precious-cargo-securing-containers-with-kubernetes-engine-18
  https://cloud.google.com/blog/products/gcp/exploring-container-security-running-a-tight-ship-with-kubernetes-engine-1-10
  https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
CNCF: https://www.youtube.com/watch?v=90kZRyPcRZw
Findings:
  Scope for testing:
    Source code review (what languages did they have to review?)
      Golang, shell, ...
    Networking (discuss the networking: *internal* and *external*)
    Cryptography (TLS, data stores)
    AuthN/AuthZ
    RBAC (which roles were tested? Just admin/non-admin? *best practice is no admin / least priv*)
    Secrets
    Namespace traversals
    Namespace claims
  Methodology:
    Set up a bunch of environments?
      Primarily set up a single environment IIRC
    Combination of code audit and active ?fuzzing?
      What does one fuzz on a K8s environment?
    Tested with latest alpha or production versions?
      Version 1.13 or 1.14 - version locked at whatever was current - K8s releases a new version every 3 months, so this is a challenge and means we have to keep auditing.
    Tested multiple different types of k8s implementations?
      Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)
Bug bounty program: https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md
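Two of the audit findings listed above (the same list appears in the September 16 episode notes), "HTTPS connections not checking certs" and "non-constant-time check on passwords", illustrated as an added Go example written for these notes, not code from the audit or from Kubernetes. It stands up an in-process HTTPS server with a self-signed certificate (a constructed stand-in for a cluster component) and contacts it with three client configurations: default verification, InsecureSkipVerify, and pinning the component's own certificate; the names Compare, Verdicts and CheckPassword are this example's own.

```go
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newSelfSignedServer starts an in-process HTTPS server that presents a
// self-signed certificate. Constructed stand-in for a component that only
// has a self-signed cert; not Kubernetes code.
func newSelfSignedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
}

// fetch issues one GET with the given client-side TLS configuration and
// returns the handshake or transport error, if any.
func fetch(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// Verdicts records how three client configurations treat the same
// self-signed server.
type Verdicts struct {
	DefaultRejects  bool // system roots only: the unknown self-signed cert is refused
	InsecureAccepts bool // InsecureSkipVerify: connects, but the peer's identity is never checked
	PinnedAccepts   bool // explicit RootCAs holding the component's own cert: accepted
}

// Compare runs the three configurations against srv. The middle one is the
// "HTTPS connections not checking certs" pattern: the connection succeeds, but
// any on-path party could have presented that certificate. The third shows
// the fix that still works with self-signed certs: pin the exact certificate
// (or a private CA) instead of switching verification off.
func Compare(srv *httptest.Server) Verdicts {
	var v Verdicts
	v.DefaultRejects = fetch(srv.URL, &tls.Config{}) != nil
	v.InsecureAccepts = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true}) == nil
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust exactly this one certificate
	v.PinnedAccepts = fetch(srv.URL, &tls.Config{RootCAs: pool}) == nil
	return v
}

// CheckPassword addresses the "non-constant-time check on passwords" finding.
// A plain == on strings or bytes.Equal stops at the first differing byte, so
// response time leaks how many leading bytes were right. ConstantTimeCompare
// walks both inputs in full whenever their lengths match. In a real service
// the inputs would be password hashes, not the passwords themselves.
func CheckPassword(supplied, expected []byte) bool {
	return subtle.ConstantTimeCompare(supplied, expected) == 1
}

func main() {
	srv := newSelfSignedServer()
	defer srv.Close()
	fmt.Printf("%+v\n", Compare(srv))
	fmt.Println(CheckPassword([]byte("s3cret"), []byte("s3cret")))
}
```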
August 16, 2019
Intro - Ms. DirInfosec "Anna"
Call centers suffer from wanting to give good customer service while needing to move the call along.
  Metrics are tailored to support an environment conducive to these kinds of attacks
https://en.wikipedia.org/wiki/Social_engineering_(security)
Social engineering will prey on people's altruism
  "Pregnant woman needing help through the security door"
  "Person on crutches"
  "Delivery person with arms full"
  "Can't remember information, others filling in missing bits"
Call center reps are _paid_ to be helpful. "The customer is never wrong"
Creating a sense of urgency to spur action
Real-life scenario: "Bob calls asking about the status of an order"
Questions:
  What were you doing for training prior to these calls? (it's alright if you weren't doing anything) :)
  Pre-training audio (#1 and #2)
  What was their reaction to the calls received?
  Did the training take the first time? What difficulties did you have after the first training?
  'Getting better' audio (#3)
  Fake calls? Show examples?
  Talk about the training, what kind of training:
  Post-training audio (#4 and #5)
  How did your call center reps handle the training?
  From a business standpoint, what had to be changed to accommodate the new processes?
https://www.pindrop.com/blog/tackling-113-fraud-increase-call-centers-webinar-recap/
https://www.bai.org/banking-strategies/article-detail/beating-crooks-at-call-center-fraud
@consultingCSO on Twitter
August 9, 2019
https://www.infosecurity-magazine.com/news/95-test-problems/
https://www.databreaches.net/a-misconfigured-aws-bucket-exposed-personal-and-counseling-logs-of-almost-300000-indian-employees/
https://www.scmagazine.com/home/security-news/data-breach/sephora-reports-data-breach-but-few-details/
https://www.infosecurity-magazine.com/news/93-of-organizations-cite-phishing/
https://tresorit.com/blog/the-top-6-takeaways-from-the-2019-cost-of-a-data-breach-report/
Good links:
  https://github.com/RedTeamOperations/PivotSuite
  https://www.reddit.com/r/security/comments/cks2jd/12gb_of_powershell_malware/
August 1, 2019
Intro - Ms. DirInfosec “Anna”
Call centers suffer from wanting to give good customer service while needing to move the call along.
  Metrics are tailored to support an environment conducive to these kinds of attacks
  https://en.wikipedia.org/wiki/Social_engineering_(security)
Social engineering will prey on people’s altruism
  “Pregnant woman needing help through the security door”
  “Person on crutches”
  “Delivery person with arms full”
  “Can’t remember information, others filling in missing bits”
Call center reps are _paid_ to be helpful. “Customer is never wrong”
Creating a sense of urgency to spur action
Real-life scenario: "Bob calls asking about the status of an order"
Questions:
  What were you doing for training prior to these calls? (it’s alright if you weren’t doing anything) :)
  Pre-training audio (#1 and #2)
  What was their reaction to the calls received?
  Did the training take the first time? What difficulties did you have after the first training?
  ‘Getting better’ audio (#3)
  Fake calls? Show examples?
  Talk about the training, what kind of training: post-training audio (#4 and #5)
  How did your call center reps handle the training?
  From a business standpoint, what had to be changed to accommodate the new processes?
https://www.pindrop.com/blog/tackling-113-fraud-increase-call-centers-webinar-recap/
https://www.bai.org/banking-strategies/article-detail/beating-crooks-at-call-center-fraud
@consultingCSO on Twitter
July 24, 2019
Fileless malware campaign - https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/fileless-threats
https://www.andreafortuna.org/2017/12/08/what-is-reflective-dll-injection-and-how-can-be-detected/
https://www.extremetech.com/computing/294852-new-zip-bomb-stuffs-4-5pb-of-data-into-46mb-file
https://articles.forensicfocus.com/2019/07/15/finding-and-interpreting-windows-firewall-rules/
https://www.theregister.co.uk/2019/02/11/google_gmail_developer/
Privacy issues:
  Companies integrating with email systems
  Pulling all information from the inboxes
  Collecting that information
  Storing it for long periods of time (‘training the AI’)
  Check for SOC 2 and press them on their data storage and privacy policies
  Have language in your 3rd-party agreements to understand sharing and collection
Cool Tools:
  https://github.com/AxtMueller/Windows-Kernel-Explorer
  https://github.com/TheSecondSun/Revssl
July 14, 2019
MITRE PRE-ATT&CK techniques: https://attack.mitre.org/techniques/pre/
https://www.bbc.com/news/business-48905907
Zoom - https://www.wired.com/story/zoom-flaw-web-server-fix/
July 9, 2019
Starting a new business (hanging the shingle)
What’s a way to become an independent consultant? Especially if you don’t have a reputation?
Ben's reading list:
  “Mindset: The New Psychology of Success”
  “Essentialism”
  “Extreme Ownership”
  “Team of Teams”
July 2, 2019
Identity analytics
“Identity analytics is the next evolution of the IGA (Identity Governance & Administration) market. Identity professionals can use this emerging set of solutions combining big data and advanced analytics to increase identity-related risk awareness and enhance IAM processes such as access certification, access request and role management.” --Gartner
Identity-related risk awareness
  Access certification is the process of validating access rights within systems. ... With access certification, organizations and regulations aim to formally validate users within systems and ensure their access rights are appropriate.
  Access request - a system must validate that a user has need-to-know
  Role management - users must be validated in a particular role or roles (admin, superuser, backup controller, launch manager, code committer)
What kind of threats are you protecting against?
What do you solve beyond what proper administration of users can do?
How does technology like this improve IAM processes?
If it gathers heuristics, what happens when a user changes? (loses an arm or finger, sneezes during password login, or just ages?)
Where is the best fit for these kinds of systems? Where should you put these systems if you’re in a blended environment? And how does this work with systems like Active Directory?
Privacy issues… what, if any, do you have to deal with in this case? That was my next question
Entitlements? What’s the difference between AuthN?
Identity creep - Ben gave a talk on it: https://www.brighttalk.com/webcast/17685/362274
Does this monitor, or will it also prevent? If it doesn’t, can it send alerts to your IPS to isolate?
“Blast radius”
https://whatis.techtarget.com/definition/behavioral-biometrics
June 24, 2019
Tanya Janca (@shehackspurple)
DevOps tools for free/cheap
  They are all on GitHub, right, so they are all free?
  Python, Docker, k8s, Jenkins
  Licensing can be a problem
  Freemium software, or trialware: is it useful?
OWASP DevSlop
  Module
  Nicole Becker
    Pixie - insecure Instagram
  “Betty Coin”
SSL Labs - Qualys
Mentoring Monday:
  What is “Mentoring Monday”?
  What does it take to be a good mentor?
  Should a mentee have a goal in mind?
    Something other than “I want to be just like you”?
  Do you assist in creating the relationship?
    What if they don’t meld?
    Are there any restrictions?
  Any place in someone’s career?
  How do you apply?
Advocating - Leading Cyber Ladies: https://twitter.com/LadiesCyber
WoSec International - https://twitter.com/WoSECtweets
  19 chapters worldwide
    Africa, No. America, Europe
  Goal? (hacker workshops)
  Submitting talks at cons
  Outreach (how would people get involved)
  Mentorship involved in this?
Global AppSec
Videos on YouTube:
  OWASP DevSlop: https://www.youtube.com/channel/UCSmjcWvgVBqF3x_7e5rfe3A
Blog site: https://dev.to/shehackspurple
June 18, 2019
Announcements:
  InfoSec Campout Conference (Eventbrite, social contract, etc): https://www.infoseccampout.com
  All Day DevOps (https://www.alldaydevops.com) free talks online... Next conference starts 06 November 2019
------
Tanya Janca (@shehackspurple)
@wosectweets - Women of Security
DevOps tools for free/cheap
  They are all on GitHub, right, so they are all free?
  Python, Docker, k8s, Jenkins
  Licensing can be a problem
  Freemium software, or trialware: is it useful?
OWASP DevSlop
  Module
  Nicole Becker
    Pixie - insecure Instagram
  “Betty Coin”
SSL Labs - Qualys
Mentoring Monday:
  What is “Mentoring Monday”?
  What does it take to be a good mentor?
  Should a mentee have a goal in mind?
    Something other than “I want to be just like you”?
  Do you assist in creating the relationship?
    What if they don’t meld?
    Are there any restrictions?
  Any place in someone’s career?
  How do you apply?
Advocating and being a good ally
Leading Cyber Ladies: https://twitter.com/LadiesCyber
WoSec International - https://twitter.com/WoSECtweets
  19 chapters worldwide
    Africa, No. America, Europe
  Goal? (hacker workshops)
  Submitting talks at cons
  Outreach (how would people get involved)
  Mentorship involved in this?
Global AppSec
Videos on YouTube:
  OWASP DevSlop: https://www.youtube.com/channel/UCSmjcWvgVBqF3x_7e5rfe3A
Blog site: https://dev.to/shehackspurple
June 9, 2019
ANNOUNCEMENTS: INFOSEC CAMPOUT TICKETS ARE STILL ON SALE. Go to https://www.infoseccampout.com for the Eventbrite link and more information.
Part 2 of our discussion with Chris Sanders (@chrissanders88)
Topics discussed:
  Companies dropping existing frameworks for the ATT&CK Matrix, why?
  Rural Technology Fund - what it is, how does it work, who can help make it more awesome.
https://chrissanders.org/2019/05/infosec-mental-models/
  I’ve argued for some time that information security is in a growing state of cognitive crisis…
  Demand outweighs supply
    Because so many organizations need experience, they are unable to appropriately invest in entry-level jobs and devote the necessary time for internal training.
    That’s an HR and hiring manager issue, right? --brbr
    No. --bboettcher
  Information cannot be validated or trusted
    There are few authoritative sources of knowledge about critical components and procedures.
  Large systemic issues persist with no ability to tackle them in a large, mobilized, or strategic manner.
    The industry is unable to organize or widely combat the biggest issues they face.
    Groups of individuals, everyone thinking they have the ‘right answer’, just like Linux flavors --brbr
https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html
https://www.helpnetsecurity.com/2018/07/10/windows-shimcache-threat-hunting/
Dependence on tools: http://traffic.libsyn.com/brakeingsecurity/2016-006-Moxie_vs_Mechanism-dependence_on_tools.mp3
https://en.wikipedia.org/wiki/Cognitive_revolution
https://buzzmachine.com/2019/04/25/a-crisis-of-cognition/
How do we solve it?
  We must thoroughly understand the processes used to draw conclusions. S.M.A.R.T.?
  Experts must develop repeatable, teachable methods and techniques.
  Educators must build and advocate pedagogy that teaches practitioners how to think.
https://www.maximumfun.org/shows/sawbones - Sawbones podcast (Amanda mentioned)
Mental model?
  We use them all the time?
  Gotta simplify the complex...
  Distribution and the bell curve
  Operant conditioning
  https://www.latimes.com/science/la-sci-emotional-stereotypes-about-women-20190530-story.html
  The scientific method
Applied models
  13 organ systems
  4 vital signs
  10-point pain scale
  Defense in depth
  OSI model
  Investigation process
https://en.wikipedia.org/wiki/Inductive_reasoning
Model desperation
  Companies dumping existing models and embracing something else
  The problem is that we’re model hungry and we’ll rapidly use and abuse any reasonable model that presents itself. Ultimately, we want good models because we want a robust toolbox. But, not everything is a job for a hammer and we don’t need fourteen circular saws.
What makes a good model?
  Simple
  Useful
  Imperfect? (wuh?) --brbr
Creating models
  Begins by asking a question… (what is the weather going to look like tomorrow? --brbr)
    What defines the sandwich? (kind of like https://en.wikipedia.org/wiki/Theory_of_forms --brbr)
Discuss the Rural Tech Fund
  https://twitter.com/RuralTechFund
  https://ruraltechfund.org/
Practical Threat Hunting - https://twitter.com/chrissanders88/status/1133388347194454018
Practical Packet Analysis - https://nostarch.com/packetanalysis3
Suggested books:
  https://www.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555
  https://www.amazon.com/Undoing-Project-Friendship-Changed-Minds/dp/0393354776
  More references on Chris’ site: https://chrissanders.org/2019/05/infosec-mental-models/
Book Club
  Cult of the Dead Cow - June
  Tribe of Hackers - July
  The Mastermind - August
  The Cuckoo’s Egg - September
June 4, 2019
https://chrissanders.org/2019/05/infosec-mental-models/
  I’ve argued for some time that information security is in a growing state of cognitive crisis…
  Demand outweighs supply
    Because so many organizations need experience, they are unable to appropriately invest in entry-level jobs and devote the necessary time for internal training.
    That’s an HR and hiring manager issue, right? --brbr
    No. --bboettcher
  Information cannot be validated or trusted
    There are few authoritative sources of knowledge about critical components and procedures.
  Large systemic issues persist with no ability to tackle them in a large, mobilized, or strategic manner.
    The industry is unable to organize or widely combat the biggest issues they face.
    Groups of individuals, everyone thinking they have the ‘right answer’, just like Linux flavors --brbr
https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html
https://www.helpnetsecurity.com/2018/07/10/windows-shimcache-threat-hunting/
Dependence on tools: http://traffic.libsyn.com/brakeingsecurity/2016-006-Moxie_vs_Mechanism-dependence_on_tools.mp3
https://en.wikipedia.org/wiki/Cognitive_revolution
https://buzzmachine.com/2019/04/25/a-crisis-of-cognition/
How do we solve it?
  We must thoroughly understand the processes used to draw conclusions. S.M.A.R.T.?
  Experts must develop repeatable, teachable methods and techniques.
  Educators must build and advocate pedagogy that teaches practitioners how to think.
https://www.maximumfun.org/shows/sawbones - Sawbones podcast (Amanda mentioned)
Mental model?
  We use them all the time?
  Gotta simplify the complex...
  Distribution and the bell curve
  Operant conditioning
  https://www.latimes.com/science/la-sci-emotional-stereotypes-about-women-20190530-story.html
  The scientific method
Applied models
  13 organ systems
  4 vital signs
  10-point pain scale
  Defense in depth
  OSI model
  Investigation process
https://en.wikipedia.org/wiki/Inductive_reasoning
Model desperation
  Companies dumping existing models and embracing something else
  The problem is that we’re model hungry and we’ll rapidly use and abuse any reasonable model that presents itself. Ultimately, we want good models because we want a robust toolbox. But, not everything is a job for a hammer and we don’t need fourteen circular saws.
What makes a good model?
  Simple
  Useful
  Imperfect? (wuh?) --brbr
Creating models
  Begins by asking a question… (what is the weather going to look like tomorrow? --brbr)
    What defines the sandwich? (kind of like https://en.wikipedia.org/wiki/Theory_of_forms --brbr)
Discuss the Rural Tech Fund
  https://twitter.com/RuralTechFund
  https://ruraltechfund.org/
Practical Threat Hunting - https://twitter.com/chrissanders88/status/1133388347194454018
Practical Packet Analysis - https://nostarch.com/packetanalysis3
Suggested books:
  https://www.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555
  https://www.amazon.com/Undoing-Project-Friendship-Changed-Minds/dp/0393354776
  More references on Chris’ site: https://chrissanders.org/2019/05/infosec-mental-models/
Book Club
  Cult of the Dead Cow - June
  Tribe of Hackers - July
  The Mastermind - August
  The Cuckoo’s Egg - September
May 29, 2019
Bryan got phished (almost) - story time!
https://isc.sans.edu/forums/diary/Do+you+block+new+domain+names/17564/
Through OpenDNS: https://learn-umbrella.cisco.com/product-videos/newly-seen-domains-in-cisco-umbrella
  Available January 2017, Umbrella filters newly seen or created domains. By using new domains to host malware and other threats, attackers can outsmart security systems that rely on reputation scores or possibly outdated block lists. Umbrella now stops these domains before they even load.
  Also the “unknown” category? pros/cons
  Good filter time for domains?
Amanda: Windows logging issues, well…. FUCKING EVERYTHING CREATES TASKS IN SCHEDULER
https://www.microsoft.com/en-us/windowsforbusiness/windows-atp
Breach news:
  https://www.dutchnews.nl/news/2019/05/hackers-steal-key-info-about-home-hunters-from-housing-agency/
    FTA: The hackers now have their name, address, contact information and copies of their passport or ID card, which includes their personal identification number, or BSN. This is sufficient to allow the hackers to open bank accounts or take out loans by using other people’s identity.
  https://www.bleepingcomputer.com/news/security/over-757k-fraudulently-obtained-ipv4-addresses-revoked-by-arin/
    Mostly colos, data centers, ‘aaS’ providers
    Many in the Midwest
Book Club
  Cult of the Dead Cow - June
  Tribe of Hackers - July
  The Mastermind - August
  The Cuckoo’s Egg - September
https://www.infoseccampout.com
Eventbrite link: https://www.eventbrite.com/e/infosec-campout-tickets-61915087694
May 20, 2019
https://static1.squarespace.com/static/556340ece4b0869396f21099/t/5cc9ff79c830253749527277/1556742010186/Red+Team+Practice+Lead.pdf
https://www.reddit.com/r/netsec/comments/bonwil/prevent_a_worm_by_updating_remote_desktop/
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
https://security.berkeley.edu/resources/best-practices-how-articles/system-application-security/securing-remote-desktop-rdp-system
https://www.bleepingcomputer.com/news/security/unsecured-survey-database-exposes-info-of-8-million-people/
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html
https://www.elastic.co/blog/found-elasticsearch-security
https://dzone.com/articles/securing-your-elasticsearch-cluster-properly
Auth is possible, using a reverse proxy… this is basic auth :( https://github.com/Asquera/elasticsearch-http-basic
Here’s one that uses basic auth and LDAP: https://mapr.com/blog/how-secure-elasticsearch-and-kibana/
2FA setup: https://www.elastic.co/guide/en/cloud/current/ec-account-security.html
May 14, 2019
Things I learned this week:
https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.helpnetsecurity.com/2019/04/29/docker-hub-breach/
https://www.zdnet.com/article/a-hacker-is-wiping-git-repositories-and-asking-for-a-ransom/
https://attack.mitre.org/techniques/T1003/
https://github.com/giMini/PowerMemory
https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service
https://attack.mitre.org/techniques/T1208/
May 5, 2019
K8s security with Omer Levi Hevroni (@omerlh)
Service tickets - Super-Dev
Omer’s requirements for storing secrets:
  GitOps enabled
  Kubernetes native
  Secure
    “One-way encryption”
Omer’s slides and YouTube video:
  https://www.slideshare.net/SolutoTLV/can-kubernetes-keep-a-secret
  https://www.youtube.com/watch?v=FoM3u8G99pc&&index=14&t=0s
  We’ve all experienced it: you’re working on a task, adding some code, and then you need to store some sensitive configuration value. It could be an API key, client secret or an encryption key ― something that’s highly sensitive and must be kept secret. And this is where things get messy. Usually, secret storage is highly coupled with how the code is deployed, and different platforms have different solutions. Kubernetes has a promise to simplify this process by using the native secret object, which, as the name implies, can be used to store secrets or sensitive configurations. Unfortunately, Kubernetes secrets are fundamentally broken, and a developer who tries to use them will definitely have some issues. But no need to worry ― there are solid alternatives for storing secrets securely on the Kubernetes platform. One solution is to use Kamus, an open-source, git-ops solution, created by Soluto, for managing secrets on Kubernetes. Kamus can encrypt a secret so it can be decrypted only by your app at runtime - and not by anyone else. The first part of this session will cover the challenges faced when using Kubernetes secrets (from a usability and security point of view). The second part will discuss some of the existing solutions (Sealed Secrets, Helm Secrets and others), their pros and cons, and then feature Kamus: how it works, what problems it solves, how it differs from other solutions, and what threats it can help mitigate (and what threats it can’t). The talk will cover all that is required to know so you can run Kamus on your own cluster and use it for secret management.
  Join me for this session to learn how you can build a Kubernetes cluster that can keep a secret ― for real.
  Speakers: Omer Levi Hevroni
Kubernetes Secrets
  Bad, because manifest files hold the user/password, and are only encoded in Base64
    Could be uploaded to git = super bad
  https://kubernetes.io/docs/concepts/configuration/secret/
  https://docs.travis-ci.com/user/encryption-keys/
Kamus threat model on GitHub: https://kamus.soluto.io/docs/threatmodeling/threats_controls/
https://medium.com/@BoweiHan/an-introduction-to-serverless-and-faas-functions-as-a-service-fb5cec0417b2
  “FaaS is a relatively new concept that was first made available in 2014 by hook.io and is now implemented in services such as AWS Lambda, Google Cloud Functions, IBM OpenWhisk and Microsoft Azure Functions.”
Best practices:
  https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
  https://github.com/owasp-cloud-security/owasp-cloud-security
  https://www.omerlh.info/2019/01/19/threat-modeling-as-code/
https://telaviv.appsecglobal.org/
https://github.com/Soluto/kamus
https://kamus.soluto.io
Infosec Campout = www.infoseccampout.com
April 29, 2019
Agenda:

Announce the conference
  CFP: up soon
  CFW: up soon
  Campers: Friday night/Saturday night
    Like "toorcamp", but if it sucks, you can drive home... :D
  Limiting tickets, looking for sponsors
  To support the conference and future initiatives: "Infosec Education Foundation"
    501(c)(3) non-profit (we are working on the charity part)
  www.infoseccampout.com

Password spraying
  https://github.com/dafthack/DomainPasswordSpray
  Stories:
    https://blog.stealthbits.com/using-stealthdefend-to-defend-against-password-spraying/
    http://blog.quadrasystems.net/post/password-spray-attacks-and-four-sure-steps-to-disrupt-them
    https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing
    https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/simplifying-password-spraying/
  Detecting one-to-many... and at what point/threshold during an attack would it be a PITA for the red team to slow down to?
  Annoying NXLog CE limitation
  Log-MD can help detect? Yep

CTF Club is happening again
  Pinkie Pie is running it.
  Saturdays at 2-3 pm
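The "one to many" detection question in the agenda above, as an added Python example (not from the show and not DomainPasswordSpray code): it flags a source that fails logons against many distinct accounts with only one or two tries each, the pattern a per-account lockout never catches. The log lines, event format and thresholds are constructed.

```python
"""Password-spray ("one to many") detection over failed-logon log lines.

Added example, not from the show or from DomainPasswordSpray. A spray hits
many accounts with one or two guesses each, so a per-account lockout never
trips; this detection counts distinct accounts per source inside a time
window instead. Log lines and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines loosely modelled on Windows logon events (4625 = failed,
# 4624 = success); not real logs. 10.1.2.3 sprays twelve accounts once each,
# 10.9.9.9 is one user mistyping their own password five times.
SAMPLE_LOG = """\
2019-04-29T09:00:01 4625 src=10.1.2.3 user=alice
2019-04-29T09:00:05 4625 src=10.1.2.3 user=bob
2019-04-29T09:00:09 4625 src=10.1.2.3 user=carol
2019-04-29T09:00:14 4625 src=10.1.2.3 user=dave
2019-04-29T09:00:20 4625 src=10.1.2.3 user=erin
2019-04-29T09:00:25 4625 src=10.1.2.3 user=frank
2019-04-29T09:00:31 4625 src=10.1.2.3 user=grace
2019-04-29T09:00:36 4625 src=10.1.2.3 user=heidi
2019-04-29T09:00:42 4625 src=10.1.2.3 user=ivan
2019-04-29T09:00:47 4625 src=10.1.2.3 user=judy
2019-04-29T09:00:53 4625 src=10.1.2.3 user=mallory
2019-04-29T09:00:58 4625 src=10.1.2.3 user=oscar
2019-04-29T09:01:03 4624 src=10.1.2.3 user=oscar
2019-04-29T09:02:00 4625 src=10.9.9.9 user=carol
2019-04-29T09:02:10 4625 src=10.9.9.9 user=carol
2019-04-29T09:02:20 4625 src=10.9.9.9 user=carol
2019-04-29T09:02:30 4625 src=10.9.9.9 user=carol
2019-04-29T09:03:00 4625 src=10.9.9.9 user=Carol
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\d+) src=(?P<src>\S+) user=(?P<user>\S+)$")


def parse_failure(line):
    """Return (timestamp, source, account) for a failed logon, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("event") != "4625":
        return None
    # Account names are case-insensitive, so normalise before counting.
    return datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("user").lower()


def detect_spray(lines, window=timedelta(minutes=30), min_accounts=10, max_per_account=2):
    """Flag sources whose failures within any ``window`` span at least
    ``min_accounts`` distinct accounts with at most ``max_per_account``
    attempts each. Returns one alert dict per flagged source."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_failure(line)
        if ev:
            ts, src, user = ev
            by_src[src].append((ts, user))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        # Slide a window starting at each failure and count accounts inside it.
        for i, (start, _) in enumerate(events):
            attempts = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                attempts[user] += 1
            if len(attempts) >= min_accounts and max(attempts.values()) <= max_per_account:
                alerts.append({"src": src, "first_seen": start.isoformat(),
                               "accounts": sorted(attempts)})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG.splitlines()):
        print(f"spray from {alert['src']} starting {alert['first_seen']}: "
              f"{len(alert['accounts'])} accounts")
```

The threshold trade-off raised in the agenda lives in the parameters: a spray throttled to fewer accounts than `min_accounts` per `window` slides under this rule, so widening the window is what forces the attacker to slow down.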
April 22, 2019
Announcements:
  https://www.workshopcon.com/
    SpecterOps (red team operations) and Tim Tomes (PWAPT)
  BSides Nashville

https://blog.secureideas.com/2019/04/we-take-security-seriously-and-other-trite-statements.html
  "We take security seriously and other trite statements"

WordPress infrastructure (supply chain failure)
  WordPress plugin called WooCommerce was at fault.
  Vuln late last year: https://www.bleepingcomputer.com/news/security/wordpress-design-flaw-woocommerce-vulnerability-leads-to-site-takeover/
  "According to new research by Simon Scannell, a researcher for PHP Security firm RIPS Tech, when WooCommerce is installed it will create a Shop Manager role that has the "edit_users" WordPress capability/permission. This capability allows users to edit ANY WordPress user, including the Administrator account."
  https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/

You (Kevin) discovered the admin accounts, but could not remove them. Was that when you considered this an "incident"?

Timeline:
  "[2019-03-22 09:03 EST] Kevin assigns members of the Secure Ideas team with reconnaissance and mapping of the AoM system. Kevin reminds these members that Secure Ideas doesn't have permission to test AoM. They are advised not to do anything that could harm the AoM's production environment."
    What is the line they should not cross in this case?
  You did not have access to logs; you asked that an audit plugin be installed to be able to view logs. Is that permanent, and why did they not allow access to logs prior to this?
  [2019-03-22 13:11 EST] AoM Support fixes the audit log plugin access. AoM Support has found that a purchase of a course through a WooCommerce plugin resulted in users being granted admin access. AoM Support provides specific order numbers. They have also done an analysis of the database backups from the last 60 days and believe that the attackers did not do anything after they got access. AoM Support announces that the Secure Ideas training site will be set up on a separate server and Secure Ideas will be granted a new level of access.

Seems like working with AoM wasn't difficult. Was giving you access to your own instance, and allowing you to administer it, a big deal for them?

Lessons learned? Anything you'd do differently next time?
  Update IR plan?
  Did they reach out for additional testing?
  Did the people who got admin get removed?
  Consult with AoM on better security implementation?
  Your env wasn't damaged, but did they suffer issues with other customers? *answered*

https://www.wordfence.com/
https://en.wikipedia.org/wiki/Gremlins
Gas station skimmer video - https://www.facebook.com/michellepedraza.journalist/videos/2135141863465247/
https://www.helpnetsecurity.com/2019/04/12/cybersecurity-incident-response-plan/
https://www.guardicore.com/2018/11/security-incident-response-plan/
https://www.zdnet.com/article/security-risks-of-multi-tenancy/

Upcoming SI events
  IANS forum (Wash DC)
  ShowMeCon
  Webcasts
  ISC2 Security Congress (Wash DC)

Patreon, Slack, Twitter handles, iTunes, Google

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel!
Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
April 15, 2019
Announcements:
  WorkshopCon Training with SpecterOps and Tim Tomes: www.workshopcon.com
    Red team operations with SpecterOps
    PWAPT with Tim Tomes
  Source Boston: Boston, MA 2019 (April 29 - May 3, 2019) (https://sourceconference.com/events/boston19/)
    Trainings: April 29 - April 30, 2019 | Conference: May 1 - 3, 2019
  Cybernauts CTF meetup in Austin, Texas at the Indeed offices, 23 April at 5pm Central time.

https://nakedsecurity.sophos.com/2019/04/02/wrecked-teslas-hang-onto-your-unencrypted-data/
  My last car synced the contact list. Video is a different story, but for the safety of the vehicle and owner, they'll probably continue to store it.
  Telemetry data is for changing road conditions, navigation, etc.
  Enable encryption at rest... or pop a fuse to scram the data when/if an accident is detected
    Level of difficulty: no fuse, requires hardware upgrade
    Encryption at rest, ensuring HTTPS on all incoming/outgoing.

https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/
  Annoying "do you want notifications from this site?"
  Like an annoying RSS feed... "Hey, we added a new banner ad!"

https://www.phoronix.com/scan.php?page=news_item&px=Linux-Improve-CPU-Spec-Switches
  Why add the switches to allow vulnerabilities?
  Slippery slope: --disable-dirtycow?

https://www.bleepingcomputer.com/ransomware/decryptor/planetary-ransomware-decryptor-gets-your-files-back-for-free/

https://www.wamc.org/post/details-still-few-city-albany-s-ransomware-attack

Threat intelligence and software detections... Got an email... *Story time from Mr. Boettcher*

Twitter: why do companies not allow copy/paste in password fields?

Tesla
April 7, 2019
Announcements:
  SpecterOps and Tim Tomes are giving training at WorkshopCon: https://www.workshopcon.com
  Rob Cheyne, Source Boston - https://sourceconference.com/events/boston19/
  Austin Cybernauts meetup - https://www.eventbrite.com/e/cybernauts-ctf-meetup-indeed-tickets-58816141663

SHOW NOTES:

Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.

https://github.com/OWASP/ASVS
  "is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard."

#ASVS team: Daniel Cuthbert @dcuthbert, Andrew van der Stock, Jim Manico @manicode, Mark Burnett, Josh C Grossman

https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf
https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx
https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing
https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf - old version
http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3 - older BrakeSec episode

ASVS page 14 - "If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture."

What are the biggest differences between V3 and V4? Why was a change needed?

https://xkcd.com/936/ - famous XKCD password comic

David Cybuck: Appendix C: IoT
  Why was this added?
  These controls are in addition to all the other ASVS controls?
  How do they see section 1 (architecture) and section 14 (configuration) in the context of rapid deployment, infrastructure as code, containerization?
  You added IoT, but not ICS or SCADA?
    https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project
  BrakeSec IoT Top 10 discussion:
    http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3
    http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3

Seems incomplete... (Section 1.13 "API")
  Will this be added later?
  What is needed to fill that in? (manpower, SMEs, etc.?)

3 levels of protection... why have levels at all?
  Why shouldn't everyone be at Level 3?
  I just don't like the term "bare minimum" (Level 1) --brbr

Threat modeling blog (Leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
Adam Shostack threat modeling book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf
https://www.youtube.com/watch?v=2C7mNr5WMjA

Cost to get to L2? L3?

https://manicode.com/ - secure coding education

https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf
April 1, 2019
Show Notes

SpecterOps and Tim Tomes are giving training at WorkshopCon: https://www.workshopcon.com
Rob Cheyne, Source Boston - https://sourceconference.com/events/boston19/

Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.

https://github.com/OWASP/ASVS
  "is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard."

ASVS team: Daniel Cuthbert @dcuthbert, Andrew van der Stock, Jim Manico @manicode, Mark Burnett, Josh C Grossman

https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf
https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx

Don't post these links in show notes:
  ASVS list (Google sheet): https://drive.google.com/open?id=1xFLmvNoR2tohk08cQDLU46FWNgpx28wd
  ASVS PDF: https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing

https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf - old version
http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3 - older BrakeSec episode

ASVS page 14 - "If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture."

What are the biggest differences between V3 and V4? Why was a change needed?

https://xkcd.com/936/ - famous XKCD password comic

David Cybuck: Appendix C: IoT
  Why was this added?
  These controls are in addition to all the other ASVS controls?
  How do they see section 1 (architecture) and section 14 (configuration) in the context of rapid deployment, infrastructure as code, containerization?
  You added IoT, but not ICS or SCADA?
    https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project
  BrakeSec IoT Top 10 discussion:
    http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3
    http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3

Seems incomplete... (Section 1.13 "API")
  Will this be added later?
  What is needed to fill that in? (manpower, SMEs, etc.?)

3 levels of protection... why have levels at all?
  Why shouldn't everyone be at Level 3?
  I just don't like the term "bare minimum" (Level 1) --brbr

Threat modeling blog (Leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
Adam Shostack threat modeling book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf
https://www.youtube.com/watch?v=2C7mNr5WMjA

Cost to get to L2? L3?

https://manicode.com/ - secure coding education

https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf
March 24, 2019
Log-MD story

SeaSec East meetup

Gabe (county infosec guy): https://www.sammamish.us/government/departments/information-technology/ransomware-attack-information-hub/

New Slack moderator (@cherokeeJB)

Shoutout to "Jerry G"

Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407
  www.Workshopcon.com/events, and that we're looking for BlueTeam trainers please
  Any chance you can tag @workshopcon, SpecterOps and lanmaster53 when you post on Twitter and we'll retweet

Noid - @_noid_ noid23@gmail.com
  BSides talk (MP3) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Noid_Seattle_Bsides.mp3
  Slides (PDF) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Its%20Not%20a%20Bug%20Its%20a%20Feature%20-%20Seattle%20BSides%202019.pdf

Security view was a bit myopic? "What do we win by playing?"
Cultivating relationships (buy lunch, donuts, etc.)
Writing reports
Communicating findings that resonate with developers and management
  Often pentest reports are seen by various facets of folks
  Many levels of competency (incompetent -> super dev/sec)
Communicating risk? Making bugs make sense to everyone...
The three types of power: https://www.manager-tools.com/2018/03/three-types-power-and-one-rule-them-part-1 (yas!)

Transcription (courtesy of otter.ai, and modified for readability by Bryan Brake)

Bryan Brake 0:13
Hello everybody, this is Bryan from Brakeing Down Security. This week you're gonna hear part two of our interview with Noid. We did a lot of interesting discussions with him and it went so well that we needed the second week, so for those of you here just catching this now, Part One was last week, so you can just go back and download that one.
We're going to start leading in with the "one of us" story, because one of the slides he talked about was how, you know, he learned how to be one with his dev team, and one of the last topics we had was kind of personal to me. I do a lot of pentest writing for reports and stuff at my organization, Leviathan, and, you know, we talked about what makes a good report, how to write reports for all kinds of people, whether it be a manager that you're giving it to from an engagement for a customer, or, you know, the technical people who might be fixing the bugs that an engagement person might find, or a pentester might find in this case. So, yeah, we're going to go ahead and lead in with that.

Before we go though, SpecterOps is looking for people to go to their classes. It's the Adversary Tactics and Red Team Operations training course in Tysons Corner, Virginia. It's currently $4,000 to us and it's from April 23 to April 26 of this year, 2019. That doesn't include airfare and hotel, so you're gonna have to find your way to Tysons Corner, the Hyatt Regency. There's a link in the show notes of course to the class if you'd like to go. You'll learn things like designing and deploying sophisticated resilient covert attack infrastructure, gaining initial access footholds on systems using client side attacks and real world scenarios, cutting edge lateral movement methods to move through the enterprise, and a bunch of other cool things... so yeah, if you're interested in hooking that up, you still got more than a month to sign up for it. It looks like there might still be tickets, so knock yourselves out. They're also looking for blue team people. "Mike P" on our Slack channel, which we'll tell you about at the end of the show here on how to join if you'd like, he said http://www.workshopcon.com/events, they're looking for blue team trainers... You can hang out with folks like, you know, SpecterOps and Tim Tomes (LanMaster53) as well there when you sign up for the blue team stuff, and yeah, http://www.workshopcon.com/events, and then you can, you know, learn to be a blue team trainer or actually give blue team training if you so choose. So that said, it's pretty awesome. Alright, so without further ado, we're going to get started with part two of our interview with Noid here. Hope you have a great week. And here we go.

Okay. So I think we've gotten down to like the "one of us" story. So we're in... our hero finally starts to get it and begins to bridge the gap. Some of the points are the lessons learned in this story, and you can tell us about the story. One was that language makes all the difference in the world. This is what got me on to the part about the reporting, which we'll talk about in a little while, but maybe you could fill us in on this discovery, the story that got you to these points.

Brian "Noid" Harden 3:37
Okay, so the team I'm working on, I get asked... the thing in question is, it was a pretty massive product and it had never had any threat modeling done.

Bryan Brake 3:50
Okay.

Brian "Noid" Harden 3:51
So it had never had any threat modeling done, and this particular product was made up of tons of little sub-products. So what I did is I sat there first in kind of a complete panic going, this is overwhelming. I don't have nearly enough time or resources to be able to do this. But you know how to eat the elephant, right? In small pieces, and get at it. So I had one dev lead who I know had worked previously on a security product. And he was a nice guy. So I sat down with him and basically said, "Hey, could you walk me through visually diagramming how your service works, building that data flow diagram, and then we're going to talk about it from a security perspective." And he was sort of like, oh, that'd be fun. Yeah, let's do that.
And so we sat there and he diagrammed, and the whole time he's diagramming, he'd stop and erase things and go, "Wait, no, no, we were going to do it that way. But we didn't. And then, oh, and we stopped doing it this way, because we added this other thing and we had to be able to break communication out into a number of channels." And then he stopped at one point and was like, "Get a picture of this. I think this is probably the most accurate diagram of our service we've ever had." And then when we started doing the threat modeling side of it, like, you know, talking about trust boundaries, and, you know, it's like, all right, so what makes sure that, you know, data from point A to point B is not filled with that kind of thing? And I'm saying, okay, well, could you, you know, do this over HTTPS rather than just regular HTTP?

Bryan Brake 5:29
Right.

Brian "Noid" Harden 5:31
You know, you get non-repudiation, you know, and it's like, not talking about even the security value of it, but talking more about, you know, the integrity being there. And then at one point, he stops and he looks at me and he says, "Man, I never had a threat modeling would generate so much feature work." And in my mind, I was like, talking about feature work? Like, these are bugs you need to fix. Now, all of a sudden, it was like, oh, crap, I've been approaching this entirely the wrong way my entire career. Devs look at things from bug fixing and feature development. And as a security person, every time I'd been bringing up stuff they needed to do, in my mind it was implied it was feature development. But they saw this as bug fixing, because in the "dev world" security fixes are bug fixes. He saw the value here and went, "Oh, this is going to generate a ton of feature work." And it's like, oh, so I gotta stop calling this security work. I've got to start calling this feature work. And sure enough, not only... if you start calling it feature work.

And of course now once you're talking about feature work, you can start talking about the drivers. Why are we building a feature? Because, you know, you don't build features nobody wants. Unless you're certain software companies. But yeah, you build features that come out of customer requests, you know. I look at things like, say, Microsoft Office, how that's evolved over the years. And that's because people who use Office come back and say, "You know, this is really cool. But I'd really like it if when I'm giving my PowerPoint presentation, I had a timer on the screen, so I know I'm on mark." You know, and okay, that's a feature request. And so that's how these things evolve. And so once I started talking about security work from the perspective of feature development, you know, we have existing features that need to be worked on to give them new functionality in order to be able to pick up new customers, and we have new features that we need to build that will also help. Because the other thing too I also noticed is that, well... I care about things like confidentiality and integrity. Devs care about things like availability and performance, right? These two things can kind of be almost used interchangeably, depending on the circumstance. So when devs are talking about stability, I'm thinking about integrity. When I'm talking about availability, they're thinking about performance. And so all of a sudden, I'm now giving them ideas for, like, new perf counters, basically, like new metrics to check the health of the thing that we're building. And the way I looked at it was almost... yeah, this is the business driver for the, you know, customer X wants it, customer Y needs it, you know, and here's the benefit, you know, the product gets out of it. Here's the benefit that developers get out of it. And what does security get out of it? Hey, don't worry about it. Purely, any value I derived from this work is purely coincidental.

Brian Boettcher 8:57
*Chuckles*

Brian "Noid" Harden 9:00
And that, in turn, helps start driving the conversation a lot better. Because the other value I got out of it, too, is by having somebody on the development side of the house who had a name and had some, you know, reputation behind him, he was able to go to his respective peers and say, "Man, I did this thing with Noid and it was really valuable. And we got a lot of cool stuff out of it. So he's gonna hit you up about it. And I totally recommend doing it."

Bryan Brake 9:27
Right.

Brian "Noid" Harden 9:28
At which point, because some of the folks I worked with were either indifferent towards me, they were just busy. I did have some folks that I worked with, though, that were just flat out adversarial towards me. Frankly, they didn't want me doing what I was doing. They didn't really want me poking around, like, the dark corners of the product, you know, because it was going to make work. But having somebody on their side say, "No, I actually got value out of this." Okay, well, I'll give it a try. Holy crap, I got value out of this, too. So that was where I suddenly realized that my language... in my mind, I'm not saying anything differently. But yet, it turns out that when it comes to the words coming out of my mouth and how they were being received, it radically changed how I was expressing myself to people. And it totally changed the response I got.

Brian Boettcher 10:26
So maybe we need a new "CIA" triad that has the other words on it, you know, the translated words for development and product teams.

Brian "Noid" Harden 10:35
Possibly!

Bryan Brake 10:36
Performance... integrity is stability.

Brian "Noid" Harden 10:43
Yeah, stability. Availability...

Bryan Brake 10:48
What's confidentiality then? What's the other bit that they talk about or worry about?
Brian "Noid" Harden 10:52
I don't know, if only we had a dev lead on this call.

Brian Boettcher 10:55
*chuckles*

Bryan Brake 10:56
Yeah. Do you know one? *laughs* So, the lessons learned, you said, language makes all the difference. You know, the way you speak is like, you know, if you only know English, like most Americans, and go over to France, speaking louder in English to somebody who only speaks French is not going to help you. So "look for the helpers." So let's say we're not lucky enough to have somebody like the person you found in your organization. Is it going to take a little bit longer maybe to get them onto your side, to, you know, poke at him like that, or, you know, maybe grease the wheels with some donuts or, you know, maybe take them to lunch or something? Would that be helpful at all?

Brian "Noid" Harden 11:35
Well, first off, yes. You'd be amazed at how much showing up with donuts...

Bryan Brake 11:48
Oh, I know.

Brian "Noid" Harden 11:49
Oh yeah. No, actually, it's funny too, because just a couple of weeks ago another team at my company came over and gave my team donuts. They gave my team, the IT team and the tech team, donuts because of all the work we've been putting in for them... as far as I'm concerned, yeah, I'll march directly into hell for those people right now, because they gave me donuts...

Bryan Brake 11:56
Niiiice. They better be Top Pot donuts or something legit, not like...

Brian "Noid" Harden 12:13
Oh, yeah, they were. They were Top Pot donuts. But yeah, so part of it's that. Something else, too, is doing some of the work yourself. So, in addition to all this work I'm doing, I'm also managing the development of security features. And I had gone over the product spec for one of these security features. And I built a data flow diagram. And then during one of my little weekly Scrum meetings where I sit down with my devs, I showed it to them. And I remember one of them, too, he immediately stopped and was like, "What is this?" He's like, "What is this? This doesn't make sense."

Bryan Brake 12:53
This is forbidden knowledge. This is your thing.

Brian "Noid" Harden 12:56
Yeah, you wrote this. Okay, you wrote this. This is just a visual representation of the thing that you wrote. And once I explained it to him, sort of the steps one through eleventy, you know, and showed him what had happened, he was sort of like, "Oh, that's interesting." Still somewhat dismissive of it, but it was still kind of a file. So in addition to, you know, buttering people up with donuts and lunch and things like that, also sometimes you gotta just buckle down and do it yourself, and then show the value. And I mean, I'll be blunt. That's how I've gone through most of my career: when I can't get traction, I'll go do it. And then pop up and go, "Hey, guys, check this thing out." "Oh, wow. That's really neat. How do you do that? Where did you do that?" It's like, oh, you can do it too. Right now I can show you how, I can work with you on it. I'm certainly not going to tell you to RTFM and walk out of the room. So part of it is it also shows a little bit of commitment on your part. Sort of one of the things I've picked up, that's security not even in the equation here, but just having worked in a lot of software development organizations with the devs and the PMs, is the devs frequently see the PM as not doing anything of value, except for when you are. So when you are willing to put that kind of effort in to deliver something like that, like, "Hey, I threat modeled our service," it sort of shows this, "Oh, I take it back. All those things I said about you, you know, you're not worthless after all." So there's definitely some value there too, because a lot of times people are willing to say... because it's easy to stand back and issue edicts, it's easy to stand back and just, you know, get up on your soapbox and tell everybody else what to do.
But when you show you're willing to eat your own dog food, that really gets people's attention, because it's like, "Okay, this dude clearly cares about this a lot. And now that he's done it, I see what he's talking about. Yeah, we should do that. There's value here."

Bryan Brake 15:11
So very cool. Yeah. So on the last slide here, when you wrapped it all up, you said engage early and often. Does it have to be... so when we're talking about communication, open communication, trying to... some of it's cultivating relationships. So you kind of need to, if you're introverted, you kind of need to step out of your shell a little bit and go and talk to people, get out of your cubes once in a while. Turn on the lights, that kind of thing. How often did you talk with these teams to help build this relationship after a while? Because obviously there had to be some team building there.

Brian "Noid" Harden 15:48
Yeah, so in my case, since I was in the team, we talked weekly, okay, weekly, and sometimes daily, because they were literally down the hall from me, right. But in terms of where I've had to work in other organizations, where I've been back in a centralized organization and having to work with remote teams, or work with teams that I'm telling them to do things but I'm not in their org, like a weekly basis. Okay, like, we're going to meet up this week. Because, for example, back when I was at Microsoft, I worked in the MSRC before I left, and I was handling, me and another guy, we were handling all the Internet Explorer (IE) cases. Okay. That was a lot of cases, because there's a lot of versions, right. So we would go meet with those cats once a week. And we would sit down with them and say, "Okay, here's the queue. Here's what's new from last time.
Here's sort of what we think is the priority for fixing things. What do you think about it?" But it's that you always want them to know who you are, and you want them to know that you're just as busy as they are, and that you're also respectful of their time, right? So we'd make the meeting short. A personal pet peeve of mine is people that set meetings deliberately long with the expectation of, "Oh, I'll just go ahead and give everybody 30 minutes back," right? Like, well, thanks, jerk. How about you could have just made a 30 minute meeting in the first place? That doesn't tell me you're a magnanimous person; that tells me you can't manage your time. So I try to be really concise. Like, I'm going to set up a meeting with these devs. I'm going to include the agenda in the meeting invite. I'm going to set it for exactly how long I think it's going to take: a 30 minute meeting to go over the bugs that are in the queue. There's four new ones from last week, one of them's really nasty, that one's probably going to be non-negotiable, but the other three are up for negotiation. And you show up, you sit down with them, some pleasantries, and then you just get to work, and then you get them back out doing their thing and you get back to your thing. And that really flows well. It really flows well because none of us like meetings. And the closer you are to touching computers, the more meetings disrupt your flow, the more they just disrupt your life and the thing that you're effectively getting paid, usually a lot of money, for. And so by kind of doing it that way, you keep that cadence up, you keep that sort of friendship and that rapport up. But the other thing too is... another point I wanted to make, but I'm getting tired...
But yeah, along those lines, you get that rapport there, you're respectful of their time, and then you... I can't remember what I was going to say next.

Bryan Brake 19:20
So the last bit was, let's see, don't talk about security, talk about feature development. We talked about that. Threat modeling your developers... you and Dr. Cowan, my carpool buddy, you and Crispin need to get together and talk about the threat modeling he's doing. He doesn't do trust boundaries so much. One of the talks he gave at SeaSec East was about how we do threat modeling in our organization, but a lot of companies are starting to see value in that before we do engagements, because we can prioritize what's the more important thing to test versus just testing all the things in the environment.

Brian "Noid" Harden 19:42
Threat modeling in software development is huge too. Like, that was one of the things I think a lot of my developers I've done this with over the years have taken away from it. One, you have to make it fun. You can't make it a complete slog. But one of the nice things about threat modeling is, when you're visually looking at the thing you're going to build, that's when you make the realization that, like, "Oh, hey, my post office has no door." And it's the best time to figure that out. I always tell people that. Yeah, the best time to fix a bug is in alpha, before you write anything. And the next best time to fix it is before it goes into production. And the worst possible time to fix a bug is after it's been in prod for 10 years, and it's a load bearing bug at this point. It has dependencies on it.

Bryan Brake 20:30
You know what, it's funny you mention that. I've been seeing some Linux kernel bugs; they said there was one in there that was like 15 years old that affected all of 2.6.x up to the latest version.
It was a use-after-free bug. I don't know if they found the bug 15 years ago and just never fixed it, but yeah, bugs like that sit in there because people don't check for that kind of stuff.

Brian "Noid" Harden 20:51
That happens sometimes. Well, I mean, God, remember the whole SYN flood thing in the 90s? Yeah, I mean, it was in the RFC. One of those, like, "Oh, we found the bug." It's like, what? You read the RFC and just finally understood it. So it's that stuff. And there was an SSH bug that popped up recently. Yep. It was the same thing. It wasn't a terribly nasty critical bug, but it was in a piece of code that had been in SSH forever.

Bryan Brake 21:26
Yeah. I seem to remember that one, too. I'll have to find a link to that one. So I know you're getting tired. I have one other topic I'd like to discuss, because I do a lot of report writing. Well, I probably should do a lot of report writing, but at Leviathan we, you know, we're the PM, we grease the wheels, we work the relationship, the status meetings, we do the executive summary and such, and I could be better at writing reports. Some of our testers are way better at it than I am. Taking the whole idea of the language and where things go with this: when we put findings out, we don't call them bugs, we call them findings, not necessarily bugs.
But what I'm trying to figure out is how we can better communicate our reporting, when we're doing things like readouts, to kind of resonate with both developers and management. Because the idea is the executive summary is supposed to be for the "managers" or senior folks, and then we have components that drill down and talk about specifics and are more technical. But often we find ourselves, and I find myself, because I come from a more technical background, writing more technical to the executives. And my question was: are there ways of communicating risk to both the developers and the managers using somewhat the same language? Or should we call the bugs not bugs, or not findings? We call them, "Hey, here's a feature you guys should implement," which would be, you know, HTTP or... You must have seen a few pentest reports in your time. What is your opinion of pentest reports?

Brian "Noid" Harden 23:13
So, my opinion of most pentest reports is that they're garbage. Well, they're usually written to one extreme or the other. So unfortunately, I have yet to find any really good language that appeases everybody.

Brian Boettcher 23:30
So what's the one extreme or the other?

Brian "Noid" Harden 23:32
What are the two extremes? They're either hyper technical, the sort of stuff that any of the three of us would probably look at and go, "Okay, I get it, right. I understand the value here," or they're so high level that if I'm a business person, I might be sitting there going, "Hey, okay, you've reached out, you've touched my heart. I understand that this is a critical, like, this is a big issue we need to get fixed." But there's not enough meat there that if I took that report and handed it off to my dev lead and said, "Go fix this," the dev lead is going to sit there and go...

Brian Boettcher 24:09
Are you kidding me?
Brian "Noid" Harden 24:10
Yeah. Like, "I don't know what to fix. According to this report, bad things can happen on the network. Are you telling me to go prevent bad things from happening on the network?" So that's the thing. I find that, yeah, they either overwhelm you with details or there's not enough substance to them. Okay, so every once in a while you get a really good one, though. If I could, just a shout out to Coalfire, actually. I like their reports.

Unknown 24:39
I mean, okay. So, what is a happy medium type report for you? One that would satisfy the manager folks but also be technical enough. What kind of things would you like to see in reports that you get from them? And feel free to talk about the Coalfire thing, I guess.

Brian "Noid" Harden 25:02
*Chuckles*

Bryan Brake 25:06
*Chuckles* We're always trying to improve our reports at Leviathan. We've gone through and done things like test evaluations and things like that. And no, it's fine, they're cool with me doing my podcast on the side. So, when you get reports, the good ones, what do they look like? What kind of things are you looking for in a proper pentest report?

Brian "Noid" Harden 25:30
Well, for me, being a technical person, the biggest thing I'm looking for in a report is repro steps, right? If you haven't given me clear repro steps, then you have given me a useless report. And that's the thing. I've seen reports where basically it's, "Hey, man, we popped your domain controller, we did this, we did that. Look at how freaking awesome we are." And you're like, "Okay, I didn't hire you guys to be a circus sideshow. I hired you guys to show me where my risk is, so I know where to focus my efforts."
And so those types of "look at how badass I am" reports don't do anything for me. What I do like are reports that say, "Hey, we found a cross site scripting vulnerability on this particular product in this particular area. And here are not only screenshots of the cross site scripting vulnerability happening, but here are the repro steps." Because what's going to happen is, for example, I see something like that and I go, "Well, we've got to fix that." I'm going to go to my developers. And the first thing my developers are going to ask me is, "Can you repro it? Can I read through it?" Because one of the things they're going to do is, after they fix it, they're going to validate the fix. If they don't know how it was exploited in the first place, they're not going to know how to validate the fix. So being able to provide that information is huge for me. But then again, I'm also not the business guy, I'm not the big money guy. I want my report to be technical, right? So would the executives of my company get the same value out of the report? Probably not. When you're talking to the much higher level, non-technical people, what you need to be doing is making sure you're talking in terms of risk. Sure, you're talking in terms of risk, and you're talking in terms of a non-technical risk. At the end of the day, the CEO of the company doesn't give a damn that SMBv1 is still on the network, right? They might not even know what that is. Odds are, I'm going to go out and say they probably don't know what that is. And even then, that doesn't mean explain to them what it is, because they're not going to care. So first, we're going to go from not knowing what it is to not caring what it is.
But if you express things in terms of risk, that the current network architecture, as it stands, is very fragile and could be easily brought down through potentially accidental behavior, let alone malicious behavior, resulting in outages and SLA violations, right now you've got their attention, because what they hear there is, "If I don't fix this, it might cost me money."

Brian Boettcher 28:36
Profit loss.

Brian "Noid" Harden 28:37
Yeah, and that's the thing. Depending on where they're at in the org structure... I've been in plenty of organizations before where downtime... downtime is bad. Downtime is never good. But I've been in organizations where it's like, okay, so I just got promoted to super uber director guy. 48 hours into the gig, we had a two hour outage. I'm done.

Bryan Brake 29:08
Busted that SLA, big money.

Brian "Noid" Harden 29:10
Even though I had nothing to do with it, I'm the accountable one. So, yeah, you need to be able to express things in terms that translate to them. Like, one of the things, back when I used to be a consultant, one of the things I'd always ask the executive types I'd meet on jobs is, "What keeps you up at night?" Don't worry about what I'm concerned about; what are you concerned about? Because they might be the same thing. I'm just going to talk to you about it using, again, the words that you care for and understand. Because I see a lot of technical people try to describe risk to non-technical people, and they do it by being highly technical, and when it's not being understood, they fall back to being even more... they take the approach of being in France, not speaking French, "so I'm going to speak slower and louder," right?
And at the end of the day, they're just going to keep shaking their heads going, "Man, this guy really wants to express something to me."

Bryan Brake 30:18
Yeah, something must be really important.

Brian "Noid" Harden 30:20
...too agitated by it. I don't know what it is.

Bryan Brake 30:23
Great, now it's blue monkey poo. I don't know what's going on.

Brian "Noid" Harden 30:26
Yeah, so that's it. When you're talking to leadership, express things in terms of contract violations, SLA violations, financial impact, right? Like, one of the things I liked when PCI came out and they had these ridiculous up to $10,000 per bit of PII that gets disclosed, and then you explain to a room full of high level people that if blank were to happen, 40,000 bits of PII would be exposed, and, you know, I'm not so good at math but my calculator here tells me at $10,000 a pop... and you watch people in the room get real quiet.

Bryan Brake 31:10
Oh yeah. No, the thing is you just haven't seen a Leviathan one yet. So if you want to reach out to us, we'll do a pentest for you. We don't mind coming out and hanging out, doing pentests for you.

Brian "Noid" Harden 31:24
Frank's a good friend, solid, solid human being.

Bryan Brake 31:26
No, I mean, we'll take your money and we'll give you a good drubbing. You will not get up and down, left and right. We'll make it hurt. So anyway, actually, yeah, we might need to talk about that a little bit later. I would not hate on that. I get money when people come in; it's new business. So yeah, I wouldn't hate on that at all.

Brian Boettcher 31:47
I like, in your last phrase, or last sentence, in your presentation: if you can, avoid even using the word security. I think that's a good summary of what we talked about.

Bryan Brake 32:00
Yeah, that got me too. I was like, wow. Okay.
So it's like the buzzword you're not supposed to say, or, you know, like you get a shock.

Brian "Noid" Harden 32:08
Treat it like a game. Yeah, treat it like a game. But you'd be amazed, it works.

Bryan Brake 32:16
Hundred percent of the time, it works every time?

Brian "Noid" Harden 32:18
Yeah, hundred percent of the time, it works every time. But, you know, it definitely works, because there are people... because there's conditioning, right. The history between security people and software developers is deep and it goes back.

Bryan Brake 32:33
It's contentious.

Brian "Noid" Harden 32:34
It's contentious at times. And, you know, obviously you try to be a good human being, trying to better the world around you. Whenever you go somewhere, try to leave it in a better condition than you found it. But also understand that the person who may have been there before you may have just straight up f'd the place up.

Brian Boettcher 32:58
Scorched earth.

Brian "Noid" Harden 32:59
Yep, yeah. And sometimes, I mean, I've rolled into organizations before where it's like, "Why are these people so mad at me? I just got here." And it's like, oh, because the guy you replaced was just... got off. And it sucks, because it's not fair that you have to rebuild those damaged relationships, because you didn't damage them. But life ain't fair.

Bryan Brake 33:22
Yep. Well, you know what, the whole DevOps thing and those things, that was the Elysian Fields for developers. Like, "Oh, I can go do anything and enjoy everything," and then it's like, we're the "no" department, we're the ones who are going to put manacles on them.
So security folks have got to learn to be flexible. Compliance folks can't wield their hammer anymore like they should, if they want to play with the developers and the DevOps and the management folks. We talked about this with Liz Rice a couple weeks ago, about getting security into the DevOps area, and it's like, one, we've got to learn to be flexible, we've got to help them understand that. Now, yeah, the bug/feature stuff, if I'd heard this when we were talking to her, I'm almost certain she would agree with us on the fact that we can't treat security like security; we have to treat it as a feature enhancement in this case.

Brian "Noid" Harden 34:16
It is a feature. It is a feature, and it increases the stability of the product, it can increase the customer base of the product. It has all the same things to it that any other feature would. But as far as the security being the "no" department thing, something else is, I still run into security people that look at themselves as the "no" department and kind of pride themselves on it. And when you find those people, just call them out. Just tell them, like, "Look, man, that doesn't work. It's never worked. Stop it now." Because when you're viewed as the "no" department, no one will ever want to work with you. Why would you want to?

Bryan Brake 34:57
Yep, you're a non-starter.

Brian "Noid" Harden 34:59
Yeah. Because that was a bit of career advice I got at one point, which was basically, be solutions focused. You're not going to go anywhere if you're the person who's calling out the problem, and you might be calling out the problem more articulately than anybody else in the room, you might have a better understanding of the scope of the problem, the depth of the problem, but there is a whole class of manager out there that will just be like, "Man, that Noid guy, nothing but problems."
Whereas if you instead, you kind of focus on, not really the problem, but rather you focus on the solution... "be solutions oriented," to sound like a business guy for a second. And it's like, yeah, be that solutions oriented person, and especially if you can do it with a sort of positive spin. Like, I had a boss at one point; I would stop in his office pissed off every once in a while, and I'd just be like, "This is screwed up and that's screwed up and blah, blah, blah." And he'd stop and go, "Leave my office now, and come back in and restate everything you just said, but in a positive way." I'd go sit in the hallway for a few minutes, then I would come back and I'd be like, "Okay, we have an opportunity here for us." And I tell you, I hated him for it. But damn if it didn't work.

Bryan Brake 36:32
Oh god. Yeah, that would make complete sense. Coming in with a positive instead of a negative.

Brian "Noid" Harden 36:40
So that's the thing. Even when your negativity is spot on and accurate, there's a lot of people that are like, "Ugh, that person is always negative." And then sure enough, you start focusing on, like, "Oh, you're the positive, solutions oriented guy," even while you're telling them that basically we're all going to hell, but I'm doing it in a positive, solutions oriented manner, and you'd be amazed how much traction it gets you.

Bryan Brake 37:06
Mr. Boettcher, do you have any other thoughts or questions? I want to let Mr. Noid go, because he's getting a little ty-ty, he's a bit sleepy and he needs to go to bed.

Brian Boettcher 37:15
There's a lot of great tidbits in here. I'm going to have to listen to it again and get all of them. And again, there's a lot of Manager Tools references here, and Manager Tools, if you're not a manager, that's okay. It's not for managers; all that stuff they talk about is really valuable to all employees.
Brian "Noid" Harden 37:39
What's it called, the Manager Tools podcast?

Bryan Brake 37:42
Yep. It's been going on for 12 years.

Brian Boettcher 37:45
Since 2006.

Bryan Brake 37:46
Yeah, something like that. It's very big. We put a link to the "Three Types of Power and One to Rule Them All" in the show notes as well. So yeah, go listen to that. It's one of my regular non-infosec podcasts that I listen to, every Monday morning and when I'm on the treadmill at the gym. So yeah, really, really excellent stuff. If you're out there and you're not a manager yet, it might help you understand where your manager's coming from, too. All right. Mr. Noid, how would people get a hold of you if they wanted to maybe have you for more podcast appearances or speaking engagements or whatever? Are you going to be speaking anywhere soon?

Brian "Noid" Harden 38:39
Am I? I don't know. No, I don't think I am, right? Sorry. Are you going anywhere? So, question? I am, there you go. I am speaking soon. Yeah, I'm speaking at the NCC Group Open Forum. Oh, that's right, that's next weekend. I don't think it's actually been announced yet. Okay. I mean, it's cool for me to talk about it. But yes, it's...

Bryan Brake 39:02
The 12th (of March). Yeah, it is the 12th, in Fremont. So if you're outside of the Seattle area, you're going to be SOL. Yeah, they don't record that.

Brian "Noid" Harden 39:15
But I'm going to be giving basically the abbreviated version of my BSides talk. They had an empty slot they needed to fill up, and they basically said, "Could you do it?" I said, "Sure," and then they said, "It's 30 minutes long," and I'm like, "Well, my talk's an hour, but we'll make it work." I think they're at Tableau, up in Fremont.
Bryan Brake 39:37
Yeah, I'm on that list, and I know Ms. Crowell over there, who's one of the senior managers at NCC. She's a great lady. She's actually not running it; she used to run it and gave it to somebody else, but she still helps out when she can. But yeah, really, really great quarterly open forum that NCC Group puts on. Plus they put out a nice spread for dinner, certainly good.

Brian "Noid" Harden 40:00
I haven't been to one in a while, but they're usually a lot of fun. The last one of those I went to was on TLS 1.3.

Bryan Brake 40:09
I was at that one too.

Brian "Noid" Harden 40:10
That worked out great, because literally the following weekend I spoke at DC206 about TLS 1.2, right, and ended up getting Joe to come along and speak about TLS 1.3 in a much more authoritative manner than I could have. It's badass.

Bryan Brake 40:24
Yeah, Joe. Joe was on the steering committee for that.

Brian "Noid" Harden 40:28
Yep. Yeah, I think. But yeah, that was also nice. He kept me honest while I was giving my talk. I'd periodically just look at him and he'd kind of nod: I'm not going into the weeds yet. But yeah, as far as getting a hold of me goes, the best way to do it is, I'm on Twitter @_noid_ or you can email me at noid23@gmail.com.

Bryan Brake 40:52
Yeah, so if you're in the Seattle area, the downtown Seattle area or Fremont area, that's a really nice place. I think parking was at a premium the last time we were there.

Brian "Noid" Harden 40:52
It's Fremont, parking is always at a premium.

Bryan Brake 40:52
They're dodging bikes or whatever, like motorized bicycles or whatever, so you know.

Brian Boettcher 40:52
Scooters now.

Bryan Brake 40:52
Yeah, I mean, Fremont area, they're really weird about their bicycle laws and stuff up there, so...

Brian "Noid" Harden 41:07
...and zoned parking, so watch where you park too.

Bryan Brake 41:32
I'm going to get Ms. Berlin, because you know she's got a lot going on. She's heading up the mental health hackers group...
You can find her... was it hacker... god, I hate this, um... she's @infosystir on Twitter. Hackers Mental Health is her nonprofit. She's running that, and you can find that @hackershealth on Twitter. She will come to your convention or conference and do a village. And it's a nice chill area you can go to, if you're interested in doing that.

Brian "Noid" Harden 42:12
She is truly doing the Lord's work too.

Bryan Brake 42:14
Yes, she is. And we're very proud of her for all that she's doing. So yeah, her and Megan Roddy, who's also one of our Slack moderators... So speaking of our Slack, we have a very active Slack community. Like I said, we have "JB" who was promoted to moderator, because it's been far too long and he's been doing the European and Asia book club, and he should have been a moderator for a while, so did that today, gave him access to our secret moderator channel and such. But yeah, we have a social contract. You can join us by emailing bds.podcast@gmail.com or hitting our Twitter, which is the podcast Twitter @brakesec, and you can follow me on Twitter @bryanbrake. Mr. Boettcher, you've got a lot going on too, sir. How would people find you if we wanted to talk about the Log-MD stuff?

Brian Boettcher 43:10
Yeah, you just go to log-MD.com. Don't forget the dash, right, otherwise you'll get some... well, never mind.

Bryan Brake 43:20
Is it like WhiteHouse.com? *laughs* That's an old joke, kids!

Brian Boettcher 43:26
I'd like to say, though, if you do go buy your developers donuts, or whoever, don't eat any between the pickup and drop off, right, because then you'll show up with four donuts and they'll be like, "Oh, thanks, great, there's 10 of us and you bring us four donuts."

Bryan Brake 43:41
[imitating Forrest Gump] "I had some, sorry." Don't do that. Yeah, buy 13 donuts and then eat one for yourself, and then say you got a dozen. So, you're making an appearance, you're going to be at BSides Austin at the end of the month, along with Ms.
Berlin's going to be at that one as well, I think?

Brian Boettcher 44:00
I am. Megan's going to be there, I'm not sure. Very cool, it's her home base, so we'll see. Nice. Yeah, and the classes are cheap. I don't know if they're sold out yet, but it's like $100 bucks.

Bryan Brake 44:13
Okay, awesome. Cool. Before we go, we have a store. If you want to go buy a T-shirt with the Brakeing Down Security logo, you can definitely go do that, or get one with Ms. Berlin's face on it, which is very weird but it's still very cool. I'm probably going to buy a pink one here in the next few weeks. And thank you to our patrons, people who help support the podcast. Donating some money helps pay for hosting, pays for the time that we're doing this. Also, we're looking into adding some possible transcription services. We've gotten a couple of emails from people who are saying they want to get transcriptions of us saying "uh, um, ah" a lot. So actually, it was a gentleman by the name of Willie, I think, who said he had hearing difficulties, so he wanted to know if we had a transcription of the podcast. And I feel really bad, because I'm like, I don't know how to reply to him and say, you know, we're just a little mom and pop shop here. So we're looking at transcription services, maybe something like Mechanical Turk, or there was one called otter.ai that we're looking at, to maybe kind of make it better for people to hear these things.

Brian "Noid" Harden 45:26
I actually suffer from degenerative hearing loss. I'm slowly going deaf myself.

Bryan Brake 45:31
I've got tinnitus from the Navy.

Brian "Noid" Harden 45:32
Same here. It's permanent and ongoing. And, yeah, I feel for him. Yep. And hopefully transcriptions will be a thing at some point. Yeah, gods, I hope so. Yeah, I mean, other than the "uhs" and "ums," about 800 times during the podcast. I apologize for that.
But yeah, so we're trying to look into that. If we can make it work, we will do our utmost to make the podcast as available as possible to everybody. So in the end, it may be we have to hire somebody who'll do it for us. So that may be another thing, which means we'll need more Patreon money, that kind of thing. So if you're interested in getting full transcripts, we may make that possible if we can get another maybe 20 to 30 people at 20-30 bucks a month. But we do appreciate the tips. We call them tips because you're helping to support the podcast and helping us get this out. And yeah, so for Ms. Berlin, who's not here, sadly, and she's going to be kicking herself because this was a really awesome podcast, and Mr. Boettcher, this is Brakeing Down Security from our world headquarters here in Seattle. Have a great week. Be nice to one another. Please take care of yourselves, because you're the only you you have, and we'll talk again soon.

Brian Boettcher 46:45
Bye bye.

Brian "Noid" Harden 46:46
Bye, Internet people.

Transcribed by https://otter.ai
March 18, 2019
Shout-out to Thomas… Tried to meet up while at SEA Comic-Con
Patreon
Log-MD
Hacker's Health - Ms. Roddie is at TROOPERS (Ms. Berlin?)
4 podcasts?
SpecterOps Training / WorkshopCon - https://www.workshopcon.com/events

Zach Ruble - @sendrublez
C2 infra using public web apps
TARCE - Teaching Assistant RCE(?) - they run your code every week, don't check for backdoors before running it...

C2 Basics
    Local HTTPd server (bashfile)
    Python scrapes web server
3 components
    - Servers
    - Communication channels
    - Malware and client
3 requirements of a C2
    - victim receives commands
    - victim executes
    - sends results back
Web server serving a static file. Malware on machine scraping the site with python requests and executing it as commands. Crontab @reboot
State change = change the text field
https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-britney-spears-instagram-posts-to-control-malware/
https://uwbacm.com/

Long haul/short haul server
    Long haul - regain persistence
    Short haul - sends commands to victims

Slack as C2 - blends in to the env
    Send and receive messages
    Using Real Time Messaging API
    https://3xpl01tc0d3r.blogspot.com/2018/06/how-to-use-slack-as-c2-sever.html
    https://link.springer.com/chapter/10.1007/978-3-319-27137-8_24
    https://glitch.com/
    https://github.com/bkup/SlackShell

Reddit as a C2
    "Reddit Rising"
Glitch.com
    Serverless platform
Using Google search results as
    Would Google algos see odd behavior of hundreds of hosts searching for the same thing? Log file analysis?
    How can we protect against this?

C2 News (if we go short): https://www.zdnet.com/article/outlaws-shellbot-infects-servers-for-monero-mining
Automating OSINT https://twitter.com/jms_dot_py http://www.automatingosint.com/blog/

Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel!
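The C2 basics from the notes above (a static file served by a web server, a client that polls it and acts on a state change of the text field, results sent back) together with the question the notes raise about log file analysis, as an added example in Python. This is not the episode's, Zach Ruble's or any linked project's code. The served file is a dict standing in for the real fetch, the command handlers are a simulated allowlist rather than a shell, and the access log lines, IP addresses, paths and host names are constructed for the example.

```python
"""Offline model of a static-file polling C2 and the log-side check for it.
Added example, not code from the episode or any linked project: the "server"
is a dict (a real client would use requests.get(url).text), execution is
simulated, and the access log below is constructed."""
import hashlib
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed stand-in for "a web server serving a static file": the operator
# changes the text field, the client polls it and reacts to the state change.
STATIC_FILE = {"body": "noop"}

# Simulated execution. An allowlist keeps the example harmless while keeping
# the three requirements from the notes: receive, execute, send results back.
SIMULATED_HANDLERS = {
    "noop": lambda: "idle",
    "whoami": lambda: "svc-account",
    "hostname": lambda: "lab-host-01",
}


def poll(server, last_digest):
    """Fetch the file; return (digest, command), command=None if unchanged.
    Comparing a digest is how "state change = change the text field" is
    detected without keeping the previous body around."""
    body = server["body"]
    digest = hashlib.sha256(body.encode()).hexdigest()
    if digest == last_digest:
        return digest, None
    return digest, body.strip()


def run_cycle(server, state):
    """One polling cycle (what a loop started from crontab @reboot would call).
    Returns None when nothing changed, else the command and the result that
    would be posted back to the operator."""
    digest, command = poll(server, state.get("digest"))
    state["digest"] = digest
    if command is None:
        return None
    handler = SIMULATED_HANDLERS.get(command)
    result = handler() if handler else f"unknown command: {command}"
    return {"command": command, "result": result}


# --- defender side: log file analysis ---------------------------------------
# The tell is the cadence, not the content: clients fetching the same path on
# a near-constant period, whatever the text in the file says.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) ')


def seconds_of_day(stamp):
    """Seconds since midnight from a CLF stamp like 18/Mar/2019:10:00:00 +0000."""
    hh, mm, ss = stamp.split(":")[1:4]
    return int(hh) * 3600 + int(mm) * 60 + int(ss.split()[0])


def find_beacons(log_lines, min_hits=4, max_jitter=0.1):
    """Return {(ip, path): period_seconds} for clients whose fetch gaps have a
    coefficient of variation <= max_jitter (regular polling)."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ip, stamp, path = m.groups()
            hits[(ip, path)].append(seconds_of_day(stamp))
    flagged = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = round(avg)
    return flagged


def paths_polled_by_many(flagged, min_hosts=2):
    """Group beacons by path: the "many hosts asking for the same thing" view."""
    by_path = defaultdict(set)
    for ip, path in flagged:
        by_path[path].add(ip)
    return {p: sorted(ips) for p, ips in by_path.items() if len(ips) >= min_hosts}


# Constructed access log: two clients polling /status.txt every ~60 s, one human.
SAMPLE_LOG = [
    '10.0.0.7 - - [18/Mar/2019:10:00:00 +0000] "GET /status.txt HTTP/1.1" 200 4',
    '10.0.0.9 - - [18/Mar/2019:10:00:03 +0000] "GET /status.txt HTTP/1.1" 200 4',
    '10.0.0.23 - - [18/Mar/2019:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [18/Mar/2019:10:01:00 +0000] "GET /status.txt HTTP/1.1" 200 4',
    '10.0.0.9 - - [18/Mar/2019:10:01:03 +0000] "GET /status.txt HTTP/1.1" 200 4',
    '10.0.0.7 - - [18/Mar/2019:10:02:00 +0000] "GET /status.txt HTTP/1.1" 200 4',
    '10.0.0.9 - - [18/Mar/2019:10:02:03 +0000] "GET /status.txt HTTP/1.1" 200 4',
    '10.0.0.9 - - [18/Mar/2019:10:03:02 +0000] "GET /status.txt HTTP/1.1" 200 6',
    '10.0.0.7 - - [18/Mar/2019:10:03:01 +0000] "GET /status.txt HTTP/1.1" 200 6',
    '10.0.0.23 - - [18/Mar/2019:10:07:45 +0000] "GET /about.html HTTP/1.1" 200 300',
    '10.0.0.23 - - [18/Mar/2019:10:41:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.23 - - [18/Mar/2019:11:30:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    state, server = {}, dict(STATIC_FILE)
    print(run_cycle(server, state))   # first sight of the file counts as a change
    print(run_cycle(server, state))   # unchanged: None
    server["body"] = "whoami"         # operator edits the text field
    print(run_cycle(server, state))
    beacons = find_beacons(SAMPLE_LOG)
    print(beacons, paths_polled_by_many(beacons))
```

The client side shows why the channel is cheap to build: any host that can publish a text field works, and the client only needs a hash to know something changed. The defender side shows what the notes hint at: a static page fetched on a fixed period by several hosts stands out in an ordinary access log even when the page content looks innocent, which is also why the Slack and Reddit variants in the notes try to blend into traffic that already has that shape.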
Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
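The defensive question in the notes above (would log analysis catch a fleet of hosts polling the same static resource?) can be answered with a simple beaconing check over proxy logs. The following is an added example, not code from the episode or its guest: it groups a constructed set of proxy log lines by (client, URL), scores each pair by how regular its request timing is, counts how many distinct hosts fetch each URL, and flags pairs that look like the static-file C2 client described above. The log format, the sample lines, the hosts and the thresholds are all assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (assumption: "timestamp client method url status bytes" per line).
# 10.1.1.5 and 10.1.1.7 poll one static file every five minutes; 10.1.1.9 is ordinary browsing.
# The response size changes once, standing in for the operator editing the text field.
SAMPLE_LOG = """\
2019-03-18T10:00:00 10.1.1.5 GET http://static.example.net/status.txt 200 37
2019-03-18T10:00:00 10.1.1.9 GET http://news.example.com/index.html 200 48211
2019-03-18T10:02:00 10.1.1.7 GET http://static.example.net/status.txt 200 37
2019-03-18T10:05:00 10.1.1.5 GET http://static.example.net/status.txt 200 37
2019-03-18T10:07:00 10.1.1.7 GET http://static.example.net/status.txt 200 37
2019-03-18T10:07:13 10.1.1.9 GET http://news.example.com/sports 200 39117
2019-03-18T10:10:00 10.1.1.5 GET http://static.example.net/status.txt 200 37
2019-03-18T10:12:00 10.1.1.7 GET http://static.example.net/status.txt 200 37
2019-03-18T10:15:00 10.1.1.5 GET http://static.example.net/status.txt 200 37
2019-03-18T10:17:01 10.1.1.7 GET http://static.example.net/status.txt 200 37
2019-03-18T10:20:01 10.1.1.5 GET http://static.example.net/status.txt 200 37
2019-03-18T10:22:00 10.1.1.7 GET http://static.example.net/status.txt 200 52
2019-03-18T10:25:00 10.1.1.5 GET http://static.example.net/status.txt 200 52
2019-03-18T10:31:44 10.1.1.9 GET http://news.example.com/index.html 200 48390
2019-03-18T10:30:00 10.1.1.5 GET http://static.example.net/status.txt 200 37
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse(log_text):
    """Return (timestamp, client, url, bytes) tuples; lines that do not match are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, _method, url, _status, size = m.groups()
            rows.append((datetime.fromisoformat(ts), client, url, int(size)))
    return rows


def beacon_candidates(rows, min_hits=5, max_jitter=0.1):
    """Flag (client, url) pairs whose inter-request intervals are nearly constant.

    jitter is the coefficient of variation of the gaps: 0 means a perfect metronome.
    """
    by_pair = defaultdict(list)
    for ts, client, url, size in rows:
        by_pair[(client, url)].append((ts, size))
    flagged = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()  # log order is not guaranteed to be chronological
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            flagged[pair] = {
                "hits": len(hits),
                "period_s": round(mean),
                "jitter": round(jitter, 3),
                # a command channel changes rarely; distinct response sizes is a cheap proxy
                "distinct_sizes": len({size for _, size in hits}),
            }
    return flagged


def clients_per_url(rows):
    """How many distinct hosts fetch each URL: the fleet-wide view of one static resource."""
    seen = defaultdict(set)
    for _ts, client, url, _size in rows:
        seen[url].add(client)
    return {url: len(clients) for url, clients in seen.items()}


def run(log_text=SAMPLE_LOG):
    rows = parse(log_text)
    return beacon_candidates(rows), clients_per_url(rows)


if __name__ == "__main__":
    beacons, fanout = run()
    for (client, url), info in beacons.items():
        print(f"{client} -> {url} ({fanout[url]} clients): {info}")
```

A real implant usually randomises its sleep, so in practice the jitter threshold is loosened and the fan-out count (many hosts, one rarely-visited URL) carries more weight; a channel such as Slack or Reddit defeats both heuristics because the destination is popular and the traffic looks like everyone else's, which is exactly why the episode discusses them.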
March 12, 2019
Log-MD story (quick one) (you’ll like this one, Mr. Boettcher)
    SeaSec East meetup
    "Gabe"
https://www.sammamish.us/government/departments/information-technology/ransomware-attack-information-hub/
New Slack moderator (@cherokeeJB)
Shoutout to “Jerry G”
Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407
    www.Workshopcon.com/events and that we're looking for BlueTeam trainers please
    Any chance you can tag @workshopcon, SpecterOps and lanmaster53 when you post on Twitter and we'll retweet
Noid - @_noid_ noid23@gmail.com
    Bsides Talk (MP3) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Noid_Seattle_Bsides.mp3
    Slides (PDF) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Its%20Not%20a%20Bug%20Its%20a%20Feature%20-%20Seattle%20BSides%202019.pdf
Security view was a bit myopic? “What do we win by playing?”
Cultivating relationships (buy lunch, donuts, etc)
Writing reports
Communicating findings that resonate with developers and management
    Often pentest reports are seen by various facets of folks
    Many levels of competency (incompetent -> super dev/sec)
Communicating risk? Making bugs make sense to everyone…
The three types of power: https://www.manager-tools.com/2018/03/three-types-power-and-one-rule-them-part-1
March 4, 2019
BrakeingDownIR show #10
GrumpySec appearance?
https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887
https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Mitigating-Spectre-variant-2-with-Retpoline-on-Windows/ba-p/295618
https://blogs.technet.microsoft.com/srd/2018/03/15/mitigating-speculative-execution-side-channel-hardware-vulnerabilities/
    “Microsoft has added support for the /Qspectre flag to Visual C++ which currently enables some narrow compile-time static analysis to identify at-risk code sequences related to CVE-2017-5753 and insert speculation barrier instructions. This flag has been used to rebuild at-risk code in Windows and was released with our January 2018 security updates. It is important to note, however, that the Visual C++ compiler cannot guarantee complete coverage for CVE-2017-5753 which means instances of this vulnerability may still exist.”
Retpoline = “Return Trampoline”
    “That’s because when using return operations, any associated speculative execution will 'bounce' endlessly.”
    https://www.tomshardware.com/news/retpoline-patch-spectre-windows-10,37958.html
Cool site (Andrei) *long time podcast supporter*: UndertheWire.tech - PowerShell wargame
PSRemoting
    https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-6
    https://www.howtogeek.com/117192/how-to-run-powershell-commands-on-remote-computers/
    https://blogs.technet.microsoft.com/askperf/2012/02/17/useful-wmic-queries/
    Caveats: Network connection you’re on must be set to “private”, not public
    WinRM service has to be enabled on both the local and remote hosts (at least, I think so --brbr)
https://www.engadget.com/2019/02/27/dow-jones-watchlist-leaked/
http://time.com/5349896/23andme-glaxo-smith-kline/
http://thunderclap.io/
https://int3.cc/products/facedancer21 - USB
February 25, 2019
Bsides Seattle recap (Bryan)
New phishing technique to bypass email filters: https://www.helpnetsecurity.com/2019/02/20/phishers-new-trick-for-bypassing-email-url-filters/
    https://en.wikipedia.org/wiki/Office_Open_XML_file_formats#Relationships
Use after free in Linux kernel: https://securityboulevard.com/2019/02/linux-use-after-free-vulnerability-found-in-linux-2-6-through-4-20-11/
    https://www.webopedia.com/TERM/U/use-after-free.html
    https://cwe.mitre.org/data/definitions/416.html
    https://www.acodersjourney.com/top-20-c-pointer-mistakes/
    https://www.kernel.org/doc/html/v4.14/dev-tools/kasan.html
    https://nvd.nist.gov/vuln/detail/CVE-2019-8912
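The OOXML relationships link above is the piece that makes the phishing trick work: a .docx is a zip archive, and a hyperlink's target is not stored in the document body (word/document.xml only carries an r:id) but in the part's companion relationships file (word/_rels/document.xml.rels) with TargetMode="External". A filter that only inspects the body text never sees the URL. The following is an added example, not code from the episode or the linked article: it builds a minimal .docx in memory (a constructed sample, with a hypothetical URL) and then lists every external relationship target anywhere in the archive, which is where a mail filter has to look.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Constructed sample: the smallest .docx-shaped archive that carries one hyperlink.
# The layout (zip parts plus *.rels files) is the real OOXML package structure;
# the URL is hypothetical.
_ROOT_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/>'
    '</Relationships>'
)
_DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    f'xmlns:r="{OFFICE_REL}">'
    '<w:body><w:p><w:hyperlink r:id="rId2"><w:r><w:t>View invoice</w:t></w:r></w:hyperlink></w:p></w:body>'
    '</w:document>'
)
_DOCUMENT_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{OFFICE_REL}/hyperlink" '
    'Target="http://invoice-portal.example/login" TargetMode="External"/>'
    '</Relationships>'
)


def build_sample_docx() -> bytes:
    """Assemble the constructed sample as a zip archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("_rels/.rels", _ROOT_RELS)
        z.writestr("word/document.xml", _DOCUMENT_XML)
        z.writestr("word/_rels/document.xml.rels", _DOCUMENT_RELS)
    return buf.getvalue()


def external_targets(docx_bytes: bytes):
    """List (owning part, relationship type, target) for every relationship that leaves the package.

    Every *.rels part is scanned, not only word/_rels/document.xml.rels: headers, footers,
    footnotes and comments have their own relationship parts and can carry links too.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            # word/_rels/document.xml.rels describes word/document.xml
            owner = posixpath.join(posixpath.dirname(posixpath.dirname(name)),
                                   posixpath.basename(name)[:-len(".rels")])
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((owner, rel_type, rel.get("Target", "")))
    return found


def body_mentions_url(docx_bytes: bytes, url: str) -> bool:
    """What a body-only filter sees: does the URL string occur in word/document.xml at all?"""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return url in z.read("word/document.xml").decode("utf-8")


if __name__ == "__main__":
    sample = build_sample_docx()
    for owner, rel_type, target in external_targets(sample):
        print(f"{owner}: {rel_type} -> {target}")
```

Running it on the sample prints one hyperlink relationship owned by word/document.xml, while body_mentions_url() returns False for the same URL; the same scan applies unchanged to .xlsx and .pptx, which use the same package format.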
February 18, 2019
https://www.zdnet.com/article/google-working-on-new-chrome-security-feature-to-obliterate-dom-xss/
    https://www.owasp.org/index.php/DOM_Based_XSS
CSRF - confused deputy
    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Google Cloud Platform - tips, tricks, stuff Ms. Berlin learned
Layer 8 conference - Rhode Island
“I was wrong… cycles don’t sync” --Ms. Berlin
    https://health.clevelandclinic.org/myth-truth-period-really-sync-close-friends/
February 11, 2019
SpecterOps Class: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-boston-june-2019-tickets-54970050902
https://www.secjuice.com/security-researcher-assaulted-ice-atrient/
https://www.csoonline.com/article/3338112/security/vendor-allegedly-assaults-security-researcher-who-disclosed-massive-vulnerability.html
Tweet of application teardown: https://twitter.com/duniel_pls/status/1093565709630824448
https://www.zdnet.com/article/linux-kernel-gets-another-option-to-disable-spectre-mitigations/
https://liliputing.com/2019/02/mozillas-project-fission-brings-site-isolation-to-firefox-spectre-and-meltdown-protection.html
https://capsule8.com/blog/exploiting-systemd-journald-part-1/
Segue from systemd/journald into:
“Super daemon for all daemons”
    Replaced things like sysvinit, rc.d, and even inetd
    Lennart Poettering and Kay Sievers
Systemd (PID 1)
    Configured using only text files
        .service
        .device
        .swap
        .timer (a .service file of the same name must exist)
            ‘Transient timers can be created’
            https://wiki.archlinux.org/index.php/Systemd/Timers
            /etc/systemd/system/foo.timer

                [Unit]
                Description=Run foo weekly and on boot

                [Timer]
                OnBootSec=15min
                OnUnitActiveSec=1w

                [Install]
                WantedBy=timers.target

    Logs are in binary format
Cgroups - control groups
    Isolates resource usage (CPU, memory, disk I/O, network, etc) of processes
    Bound by the same criteria
    Used in a lot of places (hadoop, k8s, docker, LXC)
http://without-systemd.org/wiki/index.php/Arguments_against_systemd
https://www.freedesktop.org/wiki/Software/systemd/TipsAndTricks/
https://lwn.net/SubscriberLink/777595/a71362cc65b1c271/
http://0pointer.de/blog/projects/systemd.html
https://en.wikipedia.org/wiki/Systemd
February 4, 2019
Facetime bug update: https://www.cnbc.com/2019/02/01/apple-facetime-bug-fix-and-apology.html
ShmooCon discussion
Bsides Leeds discussion
    @largeCardinal @bsidesLeeds
https://www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-47028244
https://www.theverge.com/2019/1/27/18195630/gdpr-right-of-access-data-download-facebook-google-amazon-apple
https://www.theverge.com/2019/1/25/18198006/uber-jump-electric-scooter-austin-teen-arrested-bank-robbery-police
https://www.cnbc.com/2019/01/28/apple-facetime-bug-lets-you-listen-even-if-someone-doesnt-answer.html
https://www.news5cleveland.com/news/local-news/oh-cuyahoga/trio-of-current-and-former-officials-indicted-in-cuyahoga-county-corruption-probe
https://www.theverge.com/2018/12/28/18159110/centurylink-internet-911-outage-fcc-investigating
January 28, 2019
BIO: Liz Rice is the Technology Evangelist with container security specialists Aqua Security, where she also works on container-related open source projects including kube-hunter and kube-bench. She was Co-Chair of the CNCF’s KubeCon + CloudNativeCon 2018 events in Copenhagen, Shanghai and Seattle, and co-author of the O’Reilly Kubernetes Security book. She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not building startups and writing code, Liz loves riding bikes in places with better weather than her native London.

Liz Rice (@lizrice on Twitter)
https://www.lizrice.com/
https://medium.com/@lizrice/non-privileged-containers-based-on-the-scratch-image-a80105d6d341
https://www.forbes.com/sites/adrianbridgwater/2018/07/23/shift-happens-why-your-software-needs-to-shift-left/#41aac6047f8c
https://www.cloudops.com/2018/10/takeaways-from-liz-rice-pop-up-meetup-on-container-security/
https://thenewstack.io/cloud-native-security-patching-with-devops-best-practices/
https://changelog.com/gotime/56 - podcast with Liz
https://kubernetes-security.info - co-author of O’Reilly Kubernetes security book
https://www.slideshare.net/Docker/dont-have-a-meltdown - Liz Rice/Justin Cormack slides
https://www.bbc.com/news/technology-41753022 - NHS ransomware issue in 2017
https://docs.docker.com/config/containers/container-networking/ - docker port mapping
https://techbeacon.com/9-practical-steps-secure-your-container-deployment

If security needs to “Shift Left”, what can devs do to accommodate the change?
    Everyone will have to make adjustments, not just security… right?
Reverse uptime… Forgotten data?
Test Driven Development
Why do we need security as far left?
    “We don’t patch, we just push a fix”
    “We’ll fix it in production…”
    Or we pump more resources to overcome perf issues
    Is there time for code reviews?
    “We don’t need change management…”
https://testssl.sh - @drwetter
Automation: how does that solve security issues?
    Do microservices solve everything?
    What don’t they solve?
        What does security need to embrace to make the shift less painful?
        What does development need to embrace to make the shift less painful?
            Cause security wants to get in there…
There are already DevSecOps processes a-plenty. Why aren’t companies adopting them?
    Maturity?
    Lack of resources?
    Negligent devs - how can you ignore the news of breaches?
Setting Goals
    “Start Small” - what’s an example of a small goal?
January 22, 2019
Intro: CFP for Bsides Barcelona is open! https://bsides.barcelona
Aaron Guzman: @scriptingxss
https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive
https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html
OWASP Slack: https://owasp.slack.com/
https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg
Team of 10 or so… list of “do’s and don’ts”
Sub-projects? Embedded systems, car hacking
Embedded applications best practices? *potential show*
Standards: https://xkcd.com/927/
CCPA: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327
How did you decide on the initial criteria?
2018 list:
    I1 Weak, Guessable, or Hardcoded Passwords
    I2 Insecure Network Services
    I3 Insecure Ecosystem Interfaces
    I4 Lack of Secure Update Mechanism
    I5 Use of Insecure or Outdated Components
    I6 Insufficient Privacy Protection
    I7 Insecure Data Transfer and Storage
    I8 Lack of Device Management
    I9 Insecure Default Settings
    I10 Lack of Physical Hardening
2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)
    I1 Insecure Web Interface
    I2 Insufficient Authentication/Authorization
    I3 Insecure Network Services
    I4 Lack of Transport Encryption
    I5 Privacy Concerns
    I6 Insecure Cloud Interface
    I7 Insecure Mobile Interface
    I8 Insufficient Security Configurability
    I9 Insecure Software/Firmware
    I10 Poor Physical Security
BrakeSec episode on ASVS: http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3
What didn’t make the list?
How do we get devs onboard with these?
How does someone interested get involved with the OWASP IoT working group?
https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf
https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf
https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf
https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices
https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf
January 14, 2019
Aaron Guzman: @scriptingxss
Show notes for this episode are identical to those of the January 22, 2019 episode above.
December 27, 2018
Join the combined forces of: Jerry Bell (@maliciousLink) from Defensive Security Podcast! (https://defensivesecurity.org/) Bill Gardner from the "RebootIt! podcast" https://itunes.apple.com/us/podcast/reboot-it/id1256466198?mt=2   Ms. Berlin and Bryan Brake for the end of the year podcast! BrakeSec Podcast = www.brakeingsecurity.com RSS: https://www.brakeingsecurity.com/rss
December 18, 2018
Mike Samuels
    https://twitter.com/mvsamuel
    https://github.com/mikesamuel/attack-review-testbed
    https://nodejs-security-wg.slack.com/
Hardening NodeJS
Speaking engagement talks:
    A Node.js Security Roadmap at JSConf.eu - https://www.youtube.com/watch?v=1Gun2lRb5Gw
    Improving Security by Improving the Framework @ Node Summit - https://vimeo.com/287516009
    Achieving Secure Software through Redesign at Nordic.js - https://www.facebook.com/nordicjs/videos/232944327398936/?t=1781
What is a package: (holy hell, why is this so complicated?)
    A package is any of:
    a) a folder containing a program described by a package.json file
    b) a gzipped tarball containing (a)
    c) a url that resolves to (b)
    d) a @ that is published on the registry with (c)
    e) a @ that points to (d)
    f) a that has a latest tag satisfying (e)
    g) a git url that, when cloned, results in (a).
https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4
https://blog.risingstack.com/node-js-security-checklist/
https://www.npmjs.com/package/trusted-types
https://github.com/WICG/trusted-types/issues/31
December 11, 2018
Adam Baldwin (@adam_baldwin) Director of Security, npm
https://foundation.nodejs.org/
https://spring.io/understanding/javascript-package-managers
Role in the NodeJS project
    Advisory? Active role? Maintain security modules?
    Are there any requirements to being a dev?
    Are there different roles in the NodeJS environment?
    Is there any review of system sensitive packages? (or has that ship sailed…)
Discussion of timeline from NodeJS security team
    When were you notified? (or were you notified at all?)
    What steps were taken to fix the issue?
    Lessons learned?
Official npm security policy: https://www.npmjs.com/policies/security (good stuff!)
Event-stream (initial bug report): https://github.com/dominictarr/event-stream/issues/116
    Only affected bitcoin wallets from ‘Copay’
    https://nakedsecurity.sophos.com/2018/11/28/javascript-library-used-for-sneak-attack-on-copay-bitcoin-wallet/
    “Cue relief, mixed with frustration, for anyone not targeted. Developer Chris Northwood wrote: We’ve wiped our brows as we’ve got away with it, we didn’t have malicious code running on our dev machines, our CI servers, or in prod. This time.”
    https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4
    “The damage this could have caused is incredible to think about. The projects that depend on this aren’t trivial either, Microsoft’s original Azure CLI depends on event-stream! Think of the systems that either develop that tool or run that tool. Each one of those potentially had this malicious code installed.”
    https://thehackernews.com/2018/11/nodejs-event-stream-module.html
    “The malicious code detected earlier this week was added to Event-Stream version 3.3.6, published on September 9 via NPM repository, and had since been downloaded by nearly 8 million application programmers.”
https://www.analyticsvidhya.com/blog/2018/07/using-power-deep-learning-cyber-security/
Hacker News (with comments): https://news.ycombinator.com/item?id=18534392
Official npm blog posts:
    https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
    https://blog.npmjs.org/post/175824896885/incident-report-npm-inc-operations-incident-of
https://resources.whitesourcesoftware.com/blog-whitesource/top-5-open-source-security-vulnerabilities-november-2018
2017 package/user stats: https://www.linux.com/news/event/Nodejs/2016/state-union-npm
According to npmjs.org: over 800,000 packages (854,000 packages, 7 million+ individual versions)
Dependency hell in NodeJS: https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/
    “Roughly 76% of Node shops use vulnerable packages, some of which are extremely severe; and open source projects regularly grow stale, neglecting to fix security flaws.”
History of NodeJS security issues:
    ESLint: https://nodesource.com/blog/a-high-level-post-mortem-of-the-eslint-scope-security-incident/
    Left-pad: https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
How to ensure this type of issue doesn’t happen again? (or is that possible, considering the ecosystem?)
What can devs, blueteams, or companies that live and die by NodeJS do to increase security, or assist in making the npm security team’s job easier?
What is the responsibility of consumers of open source?
What can be done to ensure vetting for ‘important’ packages? Can someone manage turnover? (or has that ship sailed?)
Security scanners:
    https://geekflare.com/nodejs-security-scanner/
    https://techbeacon.com/13-tools-checking-security-risk-open-source-dependencies-0
Threat assessment or ‘what could go wrong in the future’?
    Bad code
    “Trust issues”
    Repo corruption
    Hijacking packages
Keep up to date on NodeJS security issues:
    https://nodejs.org/en/security/
    https://groups.google.com/forum/#!forum/nodejs-sec
    ^ this is great for node, but if you want to stay up to date with security advisories in the ecosystem? npmjs.com/advisories or @npmjs on twitter
    https://rubysec.com/ - Ruby security group
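One concrete answer to "what can devs and blue teams do" above is to treat the lockfile as the thing that gets reviewed: a package-lock.json pins every transitive package to an exact version, a resolved URL and an integrity hash, so a package that changes underneath a semver range (the event-stream pattern, where a minor release of an already-installed package pulled in new code) shows up as a diff instead of silently arriving on the next install. The following is an added example, not code from the episode or from npm: it compares two constructed package-lock.json documents and reports packages that were added, removed, changed version, or kept the same version with a different tarball hash, plus any package resolved from somewhere other than the expected registry. The lockfile contents, the hash strings, the package "example-stream" and the allowed registry host are all assumptions.

```python
import json
from urllib.parse import urlparse

# Assumption: everything should come from the public registry; add a private mirror here if used.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed lockfileVersion 1 documents (the shape npm 5 and 6 write). OLD is the committed
# lockfile; NEW is what a fresh install produced from the same package.json ranges.
# Hash values are placeholders, not real integrity strings.
OLD_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 1, "requires": true,
  "dependencies": {
    "event-stream": {
      "version": "3.3.4",
      "resolved": "https://registry.npmjs.org/event-stream/-/event-stream-3.3.4.tgz",
      "integrity": "sha512-OLD-EVENT-STREAM",
      "dependencies": {
        "through": {"version": "2.3.8",
                    "resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
                    "integrity": "sha512-THROUGH"}
      }
    },
    "ms": {"version": "2.1.1",
           "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.1.tgz",
           "integrity": "sha512-MS"}
  }
}""")

NEW_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 1, "requires": true,
  "dependencies": {
    "event-stream": {
      "version": "3.3.6",
      "resolved": "https://registry.npmjs.org/event-stream/-/event-stream-3.3.6.tgz",
      "integrity": "sha512-NEW-EVENT-STREAM",
      "dependencies": {
        "through": {"version": "2.3.8",
                    "resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
                    "integrity": "sha512-THROUGH"},
        "example-stream": {"version": "0.1.1",
                           "resolved": "https://registry.npmjs.org/example-stream/-/example-stream-0.1.1.tgz",
                           "integrity": "sha512-EXAMPLE-STREAM"}
      }
    },
    "ms": {"version": "2.1.1",
           "resolved": "https://mirror.example.internal/ms/-/ms-2.1.1.tgz",
           "integrity": "sha512-MS-BUT-DIFFERENT"}
  }
}""")


def _pick(meta):
    return {"version": meta.get("version"), "resolved": meta.get("resolved"),
            "integrity": meta.get("integrity")}


def flatten_lock(lock):
    """Map 'event-stream/through'-style paths to pinned metadata for lockfile v1, v2 and v3."""
    out = {}
    if "packages" in lock:                                   # lockfileVersion 2 or 3
        for path, meta in lock["packages"].items():
            if path:                                         # "" is the root project itself
                out[path.replace("node_modules/", "")] = _pick(meta)
        return out

    def walk(deps, prefix):                                  # lockfileVersion 1: nested tree
        for name, meta in deps.items():
            out[prefix + name] = _pick(meta)
            walk(meta.get("dependencies", {}), prefix + name + "/")

    walk(lock.get("dependencies", {}), "")
    return out


def review_lock_change(old_lock, new_lock):
    """Return (kind, path, before, after) findings a reviewer should look at before merging."""
    old, new = flatten_lock(old_lock), flatten_lock(new_lock)
    findings = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            findings.append(("added", path, None, new[path]["version"]))
        elif path not in new:
            findings.append(("removed", path, old[path]["version"], None))
        elif old[path]["version"] != new[path]["version"]:
            findings.append(("version", path, old[path]["version"], new[path]["version"]))
        elif old[path]["integrity"] != new[path]["integrity"]:
            # same version string, different tarball hash: republished or swapped artifact
            findings.append(("integrity", path, old[path]["integrity"], new[path]["integrity"]))
    for path, meta in new.items():
        if urlparse(meta["resolved"] or "").hostname not in ALLOWED_REGISTRY_HOSTS:
            findings.append(("registry", path, None, meta["resolved"]))
        if not meta["integrity"]:
            findings.append(("no-integrity", path, None, meta["version"]))
    return findings


def run():
    return review_lock_change(OLD_LOCK, NEW_LOCK)


if __name__ == "__main__":
    for kind, path, before, after in run():
        print(f"{kind:12} {path}: {before} -> {after}")
```

On the sample this reports the event-stream bump, the new transitive package underneath it, and ms keeping its version while changing both hash and origin. The check only has teeth if installs are done from the lockfile (npm ci rather than npm install) and the lockfile itself is committed and reviewed; a lockfile nobody reads is just a bigger diff.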
December 3, 2018
Where in the world is Ms. Amanda Berlin?
    Keynoting hackerconWV
Election Security
Cuyahoga County:
Intro: Jeremy Mio (@cyborg00101) - Name? Why are you here?
Discussing how Ohio does election operations.
    Walk through the process
    Pre-Elections
    Election Night
    Post Elections
All about the C.I.A.
    Votes must be confidential
    Votes must not be compromised (integrity)
    Voting should be available and without outage
Did a tabletop exercise with all counties in Ohio (impressive!)
    Gamified, using role-reversal
    Points based system
    Different technology has different point values
Physical security/chain of custody
Retention
EI-ISAC - election infra ISAC
    https://www.cisecurity.org/services/albert/ - Albert system
    https://www.cisecurity.org/best-practices-part-1/ - election security best practices
How does the Ohio election process stack up against other states?
Media perception in elections
    Hacking and threats
    11 year olds ‘hacking election’
        Yes, good for a news article title
        Goes to show how easy it is to actually hack systems
            Train someone on SQLi, pwn the things
Elections Security Operations and Preparation
    Technology types
        Ballot
        Booths
        Mail-in ballots
Securing election infra
    What can be done to make it more secure?
November 26, 2018
Ian Coldwater - @IanColdwater
https://www.redteamsecure.com/ *new gig*

So many different moving parts: plugins, code, hardware
She’s working on her speaking schedule for 2019

How would I use these at home?
    https://kubernetes.io/docs/setup/minikube/
Kubernetes: Up and Running
    https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677
General Wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes
https://twitter.com/alicegoldfuss - Alice Goldfuss
Derbycon Talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater

Tesla mis-configured Kubernetes environment (from the talk):
    https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/
    RedLock report mentioned in the Ars article: https://redlock.io/blog/cryptojacking-tesla

Set up your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)
Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
https://github.com/aquasecurity/kube-hunter

Threat Model
    What are you protecting?
    Who are you protecting it from?
    What are your adversary’s capabilities?
    What are your capabilities?
    Defenders think in lists; attackers think in graphs

What are some of the visible ports used in K8s?
    44134/tcp - Helm Tiller, Weave, Calico
    10250/tcp - kubelet (kubelet exploit)
        No authN, completely open
    10255/tcp - kubelet port (read-only)
    4194/tcp - cAdvisor
    2379/tcp - etcd
        etcd holds all the configs (config storage)

Engineering workflow:
    Ephemeral -
    CVE for K8s subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/

Final points:
    Advice for securing K8s is standard security advice
    Use defense in depth and least privilege
    Be aware of your attack surface
    Keep your threat model in mind

David Cybuck (questions from Slack channel)
My questions are:
1. Talk telemetry? What is the best first step for having my containers or Kubernetes report information? (My overlords want metrics dashboards which lead to useful metrics.)
2. How do you threat model your containers? Has she ever run, or how would she begin to run, a table-top exercise, a cross between a threat model and a disaster recovery walk-through, for the container infrastructure?
3. MITRE ATT&CK framework: there is a spin-off for mobile. Do we need one for Kube, Swarm, or DC/OS?
November 19, 2018
Jarrod Frates, InGuardians, @jarrodfrates - “Skittering Through Networks”
Ms. Berlin in Germany - how’d it go?

TinkerSec’s story: https://threadreaderapp.com/thread/1063423110513418240.html

Takeaways
Blue Team:
- Least Privilege Model
- Least Access Model
    “limited remote access to only a small number of IT personnel”
    “This user didn't need Citrix, so her Citrix linked to NOTHING”
    “They limited access EVEN TO LOCAL ADMINS!”
- Multi-Factor Authentication
- Simple Anomaly Rule Fires
    “Finance doesn’t use Powershell”
- Defense in Depth
    “moving from passwords to pass phrases…”
    “Improper disposal of information assets”

Red Team:
- Keep Trying
- Never Assume
- Bring In Help
- Luck Favors the Prepared
- Adapt and Overcome

Before the Test
Talk it over with stakeholders: reasons, goals, schedules
Report is the product: get samples (who, what, when, where, why, how)
Talk to testers (and clients, if you can find them):
    Ask questions
    Look for past defensive experience and understanding of your needs
    Bonus points if they interview you as a client
    Red flags: pwning is all they talk about, they set no-crash guarantees, they send info in the clear
Define the scope: test type(s), inclusions, exclusions, permissions, accounts
Test in ‘test/dev’, NOT PROD
Social Engineering: DO THIS. Yes, you’re vulnerable. DO IT ANYWAY.

During the Test
Comms: keep in contact with the testers
    Status reports (if the engagement is long enough)
    Have an established method for escalation
    Have an open communication style --brbr (WeBrBrs)
    Ask questions, but let the testers do their jobs
    Be available and ready to address critical events
    Keep critical stakeholders informed
Watch your network: things break, someone else may be getting in, capture packets(?)

After the Test
Getting results:
    Report delivered securely
    Initial summary: how far did they get?
    Actual report: written for multiple levels, no obvious copy/paste
    Read, understand, provide feedback, and get a revised version
Next steps:
    Don’t blame anyone unnecessarily
    Start planning with stakeholders on fixes
    Contact vendors, educate staff
Reacting to the report
Sabotaging your test
Future testing

Ms. Berlin’s legit business - Mental Health Hackers
CFP for BSides Seattle (deadline: 26 November 2018): http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019
CFP for BSidesNash: https://twitter.com/bsidesnash/status/1063084215749787649 - closes Dec 31
Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March.
November 12, 2018
Ian Coldwater - @IanColdwater
https://www.redteamsecure.com/ *new gig*

So many different moving parts: plugins, code, hardware
She’s working on her speaking schedule for 2019

How would I use these at home?
    https://kubernetes.io/docs/setup/minikube/
Kubernetes: Up and Running
    https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677
General Wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes
https://twitter.com/alicegoldfuss - Alice Goldfuss
Derbycon Talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater

Tesla mis-configured Kubernetes environment (from the talk):
    https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/
    RedLock report mentioned in the Ars article: https://redlock.io/blog/cryptojacking-tesla

Set up your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)
Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
https://github.com/aquasecurity/kube-hunter

Threat Model
    What are you protecting?
    Who are you protecting it from?
    What are your adversary’s capabilities?
    What are your capabilities?
    Defenders think in lists; attackers think in graphs

What are some of the visible ports used in K8s?
    44134/tcp - Helm Tiller, Weave, Calico
    10250/tcp - kubelet (kubelet exploit)
        No authN, completely open
    10255/tcp - kubelet port (read-only)
    4194/tcp - cAdvisor
    2379/tcp - etcd
        etcd holds all the configs (config storage)

Engineering workflow:
    Ephemeral -
    CVE for K8s subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/

Final points:
    Advice for securing K8s is standard security advice
    Use defense in depth and least privilege
    Be aware of your attack surface
    Keep your threat model in mind

David Cybuck (questions from Slack channel)
My questions are:
1. Talk telemetry? What is the best first step for having my containers or Kubernetes report information? (My overlords want metrics dashboards which lead to useful metrics.)
2. How do you threat model your containers? Has she ever run, or how would she begin to run, a table-top exercise, a cross between a threat model and a disaster recovery walk-through, for the container infrastructure?
3. MITRE ATT&CK framework: there is a spin-off for mobile. Do we need one for Kube, Swarm, or DC/OS?
November 5, 2018
@InfoSecSherpa

I have two talks coming up:
    Empathy as a Service to Create a Culture of Security at the Cofense Submerge conference
    Deep Dive into Social Media as an OSINT Tool at the H-ISAC Fall Summit (Health Information Sharing and Analysis Center)

*Shameless Plug* My Nuzzel newsletters:
    https://nuzzel.com/InfoSecSherpa
    https://nuzzel.com/InfoSecSherpa/cybersecurity-africa

News stories
- Biglaw Firm Hit With Cybersecurity Incident Earlier This Month (Published: 29 October 2018 | Source: Above the Law)
    https://www.cio.com/article/3212829/cyber-attacks-espionage/hackers-are-aggressively-targeting-law-firms-data.html
- Porn-Watching Employee Infected Government Networks With Russian Malware, IG Says (Published: 25 October 2018 | Source: Next Gov)
October 22, 2018
Health & Tech?
https://arstechnica.com/gadgets/2018/10/amazon-patents-alexa-tech-to-tell-if-youre-sick-depressed-and-sell-you-meds/
https://hackaday.io/project/151388-minder (774 results for “health” on hackaday)
(def don’t need to talk about, but still funny AF) https://hackaday.io/project/11407-myflow
https://9to5mac.com/2017/12/15/apple-watch-saves-life-managing-heart-attack/
https://www.adheretech.com/
Privacy implications?
Microsoft healthcare initiative - https://enterprise.microsoft.com/en-us/industries/health/
Apple Health - https://www.apple.com/ios/health/ - https://www.apple.com/researchkit/
https://www.papercall.io/dachfest18
Make plans for next year! Follow @derbycon on Twitter!
October 15, 2018
Derbycon is probably one of the best infosec conferences of the calendar year. The podcast always has so much fun meeting listeners, meeting new people, and getting some audio to share with folks who can't be there. This year we still got some audio, and it's great.

We talked with Cheryl Biswas (@3ncr1pt3d) about her talks at #Derbycon and her work with the #dianaInitiative. Check out her talks at the links on @irongeek's website:
Cheryl's Track talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-1-05-draw-a-bigger-circle-infosec-evolves-cheryl-biswas
Cheryl's Stable talk: http://www.irongeek.com/i.php?page=videos/derbycon8/stable-29-patching-show-me-where-it-hurts-cheryl-biswas

I saw Tomasz near the @log-md booth. It was his first Derbycon, and I was interested in hearing what he had to say about hypervisor introspection.
Tomasz Tuzel: http://www.irongeek.com/i.php?page=videos/derbycon8/track-4-18-who-watches-the-watcher-detecting-hypervisor-introspection-from-unprivileged-guests-tomasz-tuzel

Make plans for next year! Follow @derbycon on Twitter!
October 1, 2018
Pizza Party Link - https://www.eventbrite.com/e/brakesec-derbycon-pizza-meetup-tickets-50719385046

News stories
Software/library bloat
    http://tonsky.me/blog/disenchantment/
    https://hackernoon.com/how-it-feels-to-learn-javascript-in-2016-d3a717dd577f
https://gbhackers.com/hackers-abusing-windows-management-interface-command-tool-to-deliver-malware-that-steal-email-account-passwords/
https://hackerhurricane.blogspot.com/2016/09/avoiding-ransomware-with-built-in-basic.html
https://www.zdnet.com/article/windows-utility-used-by-malware-in-new-information-theft-campaigns/
https://attack.mitre.org/wiki/Technique/T1170 - HTA file malware examples
https://nakedsecurity.sophos.com/2018/09/26/finally-a-fix-for-the-encrypted-webs-achilles-heel/
https://www.bbc.com/news/technology-45686890 - (Facebook account hack)
https://github.com/eset/malware-ioc/blob/master/sednit/lojax.adoc - IOCs from various malware
UEFI rootkit - https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/

Block These Extensions:
File Extension    File Type
.adp        Access Project (Microsoft)
.app        Executable Application
.asp        Active Server Page
.bas        BASIC Source Code
.bat        Batch Processing
.cer        Internet Security Certificate File
.chm        Compiled HTML Help
.cmd        DOS CP/M Command File, Command File for Windows NT
.cnt        Help file index
.com        Command
.cpl        Windows Control Panel Extension (Microsoft)
.crt        Certificate File
.csh        csh Script
.der        DER Encoded X509 Certificate File
.exe        Executable File
.fxp        FoxPro Compiled Source (Microsoft)
.gadget     Windows Vista gadget
.hlp        Windows Help File
.hpj        Project file used to create Windows Help File
.hta        Hypertext Application
.inf        Information or Setup File
.ins        IIS Internet Communications Settings (Microsoft)
.isp        IIS Internet Service Provider Settings (Microsoft)
.its        Internet Document Set, Internet Translation
.js         JavaScript Source Code
.jse        JScript Encoded Script File
.ksh        UNIX Shell Script
.lnk        Windows Shortcut File
.mad        Access Module Shortcut (Microsoft)
.maf        Access (Microsoft)
.mag        Access Diagram Shortcut (Microsoft)
.mam        Access Macro Shortcut (Microsoft)
.maq        Access Query Shortcut (Microsoft)
.mar        Access Report Shortcut (Microsoft)
.mas        Access Stored Procedures (Microsoft)
.mat        Access Table Shortcut (Microsoft)
.mau        Media Attachment Unit
.mav        Access View Shortcut (Microsoft)
.maw        Access Data Access Page (Microsoft)
.mda        Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)
.mdb        Access Application (Microsoft), MDB Access Database (Microsoft)
.mde        Access MDE Database File (Microsoft)
.mdt        Access Add-in Data (Microsoft)
.mdw        Access Workgroup Information (Microsoft)
.mdz        Access Wizard Template (Microsoft)
.msc        Microsoft Management Console Snap-in Control File (Microsoft)
.msh        Microsoft Shell
.msh1       Microsoft Shell
.msh2       Microsoft Shell
.mshxml     Microsoft Shell
.msh1xml    Microsoft Shell
.msh2xml    Microsoft Shell
.msi        Windows Installer File (Microsoft)
.msp        Windows Installer Update
.mst        Windows SDK Setup Transform Script
.ops        Office Profile Settings File
.osd        Application virtualized with Microsoft SoftGrid Sequencer
.pcd        Visual Test (Microsoft)
.pif        Windows Program Information File (Microsoft)
.plg        Developer Studio Build Log
.prf        Windows System File
.prg        Program File
.pst        MS Exchange Address Book File, Outlook Personal Folder File (Microsoft)
.reg        Registration Information/Key for W95/98, Registry Data File
.scf        Windows Explorer Command
.scr        Windows Screen Saver
.sct        Windows Script Component, Foxpro Screen (Microsoft)
.shb        Windows Shortcut into a Document
.shs        Shell Scrap Object File
.ps1        Windows PowerShell
.ps1xml     Windows PowerShell
.ps2        Windows PowerShell
.ps2xml     Windows PowerShell
.psc1       Windows PowerShell
.psc2       Windows PowerShell
.tmp        Temporary File/Folder
.url        Internet Location
.vb         VBScript File or Any VisualBasic Source
.vbe        VBScript Encoded Script File
.vbp        Visual Basic project file
.vbs        VBScript Script File, Visual Basic for Applications Script
.vsmacros   Visual Studio .NET Binary-based Macro Project (Microsoft)
.vsw        Visio Workspace File (Microsoft)
.ws         Windows Script File
.wsc        Windows Script Component
.wsf        Windows Script File
.wsh        Windows Script Host Settings File
.xnk        Exchange Public Folder Shortcut
.ade        ADC Audio File
.cla        Java class File
.class      Java class File
.grp        Microsoft Windows Program Group
.jar        Compressed archive file package for Java classes and data
.mcf        MMS Composer File
.ocx        ActiveX Control file
.pl         Perl script language source code
.xbap       Silverlight Application Package
September 25, 2018
Interesting email from one of our listeners detailing an issue that came up on a client engagement. We walk through the best ways to store information post-engagement, and what you need to do to document test procedures so you don't get bitten by a potential issue months down the line.
September 15, 2018
Part 2 of our interview with Chris Hadnagy. We discuss more about his book, the best ways to set up your pretext in an engagement, how you might read someone at a poker table, a great story about Chris's favorite person, “Neil Fallon” from the rock band “Clutch”, and we talk about the “Innocent Lives Foundation”, something near and dear to Chris' heart. We start the second part of our interview with Chris with the question “are the majority of your SE engagements phishing and calls, or is it physical engagements?”

Sponsored Link (paperback on Amazon): https://amzn.to/2NKxLD9
SEORG book list: https://www.social-engineer.org/resources/seorg-book-list/
Chris’ Podcast: https://www.social-engineer.org/podcast/

SECTF at Derby (contestants are chosen)
    Remembering - attention to detail
    Remembering details can be the difference between success and failure

Social Engineering - the different aspects:
    Info Gathering
    Time constraints
    Accommodating non-verbals
    Body language must match mood
    Using a slower rate of speech
    Suspending ego
    RSVP
    Rapport
    Psychology
    “Getting information without asking for it”
    Elicitation
    ‘The Dark Art’ - negative outcome for the target
    Manipulation
    “Getting someone to do what you want them to do”
    Understanding the science of compliance
    Influence
    Profiling
    Communications Modeling
    Facial Expressions
    Body Language
    Don’t overextend your reach
    Knowledge that comes from a point of truth, or is easily faked
    Pretexting
    Emotional Hijacking
    Misdirection
    Art
    Science

Questions:
    What precipitated the need to write another book?
    You bring up several successful operations, and several failures…
        How do you regroup from a failure, especially if the point of entry is someone that ‘got you’...
    “The level of the assistance you request must be equal to the level of rapport you have built”
        Seems like understanding this is an acquired skill, not set in stone…
    Many of us in the infosec world are introverts… how do you suggest we hone our skills in building rapport without coming off as creepy? Workplace? On the commute?
        Does being an introvert mean that it might take longer to get to the goal?
        Can we use our introverted natures to our advantage?
    Get Ryan on the show…
    Lots of items (8 principles of influence)
        Typical daily SE activities
        Holding a door open, then the person reciprocates
    Framing
        We don’t ‘kill our dogs’, we ‘put them to sleep’.

Questions from our Slack:
    Ben: Do you feel there's an importance for non-InfoSec adjacent folks to learn about Social Engineering, and maybe go through some sort of training in order to navigate day-to-day life in the modern world?
    What does an interview at Chris’ company look like?

https://www.innocentlivesfoundation.org/
September 8, 2018
Christopher Hadnagy Interview:
    Origin story
    Connoisseur of moonshine
Social Engineering: The Science of Human Hacking, 2nd Edition
Sponsored Link (paperback on Amazon): https://amzn.to/2NKxLD9
SEORG book list: https://www.social-engineer.org/resources/seorg-book-list/
Chris’ Podcast: https://www.social-engineer.org/podcast/

SECTF at Derby (contestants are chosen)
    Remembering - attention to detail
    Remembering details can be the difference between success and failure

Social Engineering - the different aspects:
    Info Gathering
    Time constraints
    Accommodating non-verbals
    Body language must match mood
    Using a slower rate of speech
    Suspending ego
    RSVP
    Rapport
    Psychology
    “Getting information without asking for it”
    Elicitation
    ‘The Dark Art’ - negative outcome for the target
    Manipulation
    “Getting someone to do what you want them to do”
    Understanding the science of compliance
    Influence
    Profiling
    Communications Modeling
    Facial Expressions
    Body Language
    Don’t overextend your reach
    Knowledge that comes from a point of truth, or is easily faked
    Pretexting
    Emotional Hijacking
    Misdirection
    Art
    Science

Questions:
    What precipitated the need to write another book?
    You bring up several successful operations, and several failures…
        How do you regroup from a failure, especially if the point of entry is someone that ‘got you’...
    “The level of the assistance you request must be equal to the level of rapport you have built”
        Seems like understanding this is an acquired skill, not set in stone…
    Many of us in the infosec world are introverts… how do you suggest we hone our skills in building rapport without coming off as creepy? Workplace? On the commute?
        Does being an introvert mean that it might take longer to get to the goal?
        Can we use our introverted natures to our advantage?
    Get Ryan on the show…
    Lots of items (8 principles of influence)
        Typical daily SE activities
        Holding a door open, then the person reciprocates
    Framing
        We don’t ‘kill our dogs’, we ‘put them to sleep’.

Questions from our Slack:
    Ben: Do you feel there's an importance for non-InfoSec adjacent folks to learn about Social Engineering, and maybe go through some sort of training in order to navigate day-to-day life in the modern world?
    What does an interview at Chris’ company look like?

https://www.innocentlivesfoundation.org/
September 1, 2018
We are back with a new episode this week! We go over our solutions for some of the #derbyCon ticket #CTF challenges and include links to some of the challenges. We talk about Windows Event Forwarding, and all log forwarders seem to be losing events!

Thanks to our Patrons! Gonna be at Derbycon, come see us!

Congrats to our Derbycon Ticket CTF winners!
    Winner: @gigstaggart
    2nd Place: @ohai_ninja
    3rd Place: @SoDakHib

Mr. Boettcher’s Challenge (SuperCrypto): https://drive.google.com/open?id=1657hBxRbacJRw0svG1nwzZImON3QFn1t
Ms. Berlin’s Challenge:
    potato.file: https://drive.google.com/open?id=1Mit7060ipK_JgDDF7sYG3XbMpZ9wyaFN
    Taters.zip: https://drive.google.com/open?id=1TnA16EiwLw2BberHXct8JpEsntT-GWq7
    Potatoes.pcapng: https://drive.google.com/open?id=1_IATBw4OGAc7lUc7NXTcucfwU9NAROYN
Mr. Brake’s Challenge: https://drive.google.com/open?id=1gwGkLjWEZ42NlWiw2Eg8IQnnQAxua7B8

Update on Mental Health GoFundMe: http://www.derbycon.com/wellness
Thanks to the #Derbycon organizers for their time and patience in answering the questions posed.

Missing event issues:
    https://social.technet.microsoft.com/Forums/en-US/eddf3f41-db8d-4729-a838-646cbbb45295/missing-events-on-event-subscription?forum=winservergen
    https://social.technet.microsoft.com/Forums/en-US/cb34f0d3-22df-498c-a782-d1957f6852ac/forwarded-events-subscriptions-missing-information-in-eventdata-section?forum=winserverManagement
    https://github.com/palantir/windows-event-forwarding
    https://answers.splunk.com/answers/337939/how-to-troubleshoot-why-im-missing-events-in-my-se.html
    https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
    https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows
    https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/
    https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4
    https://4sysops.com/archives/windows-event-forwarding-to-a-sql-database/
    https://blogs.technet.microsoft.com/jepayne/2017/12/08/weffles/
    http://bpatty.rocks/blue_team/weffles.html
    https://blogs.technet.microsoft.com/nathangau/2017/05/05/event-forwarding-and-how-to-configure-it-for-the-security-monitoring-management-pack/

Some issues with missing events… Everyone is affected by this!
WEF & PowerBI is good for small installations.

Questions:
    Any GPOs involved? Can it be done on a server-by-server basis?
    Can an attacker simply disable the service once initial access is achieved?
    Pros and cons of feeding the WEF output to a MapReduce system?
    Not sure if they've used it, but WEF vs. winlogbeat vs. NxLog?

Need a config? Get some examples here for nxlog, winlogbeat, filebeat, Windows Logging Service and other stuff: https://www.malwarearchaeology.com/logging/
August 26, 2018
CTF information:
Official site: https://scoreboard.totallylegitsite.com (thanks Matt Domko (@hashtagcyber) for hosting and allowing us to use his employee discount!)
Please do not pentest the environment, do not DDoS it, and do not cause anything undesirable to happen to the site. View the page, submit the flags, leave everything else alone...

Derbycon Auction - starts September 8th at 9am Pacific Time
Slack only
Opening bid is $175
Increments of $25 only
100% goes to Chris Sanders’ “Rural Technology Fund”: https://ruraltechfund.org/donate/

Amanda’s mental health workshop - AWESOME! http://www.derbycon.com/wellness/ https://www.gofundme.com/derbycon-mental-health-amp-wellbeing

Mandy Logan - hacking her way out of a coma! https://www.gofundme.com/hacking-recovery-brainstem-stroke

https://www.theverge.com/2018/8/24/17776836/tmobile-hack-data-breach-personal-information-two-million-customers
https://www.tomsguide.com/us/tmobile-breach-2018,news-27876.html

https://art-of-lockpicking.com/single-pin-picking-skills/
Lockpicking - Mr. Boettcher discusses (I have thoughts too --brbr)
Tools: tension wrench, picks
Parts of a lock: cylinder, driver pins, key pins, springs
Sites: https://toool.us/ https://art-of-lockpicking.com/how-to-pick-a-lock-guide/ - This is a good guide if you can get past the ads

Mr. Boettcher introducing JGOR audio (@indiecom) totally not @jwgoerlich

Btw: https://www.flickr.com/photos/36152409@N00/sets/72157700237001915/
https://www.trustedsec.com/2018/08/tech-support-scams-are-a-concern-for-all/
https://twitter.com/InfoSystir/status/1032343381328973827
August 17, 2018
Post-Hacker Summercamp

IppSec Walkthroughs
Brakesec Derbycon ticket CTF

Drama - (hotel room search gate)
AirconditionerGate
Personal privacy:
Ask for ID
Call the front desk
Use the deadbolt - can be bypassed
Plug the peephole with TP
Hotel rooms aren’t secure (neither are the safes)
Probably the most hostile environment infosec people go into to try and be secure/private

https://247wallst.com/technology-3/2018/08/13/25-of-known-computer-security-vulnerabilities-have-no-fix/
This is the company behind a sort-of threat intel site (vulnDB). The original marketing site... I figured it was marketing; it smacked of a ‘buy our product’ site, but we don’t have to mention vulnDB.

https://www.informationsecuritybuzz.com/expert-comments/over-146-billion-records/
Based on a study by Juniper Research
August 9, 2018
HTTPS on www.brakeingsecurity.com; Libsyn RSS syncing of iTunes/Google Play is over TLS

Amanda giving a talk at Diana Initiative
Derbycon Talk - mental health
Volunteer/Topic request form - https://goo.gl/forms/wAiLW5Dh5h0MR5bO2

http://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/
https://blogs.technet.microsoft.com/teamdhcp/2015/11/23/network-forensics-with-windows-dns-analytical-logging/
https://blogs.technet.microsoft.com/secadv/2018/01/22/parsing-dns-server-log-to-track-active-clients/
https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/tracelo
August 1, 2018
Godfrey Daniels - author of "Adventures with the Mojave Phone Booth", on sale at mojavephoneboothbook.com

https://en.wikipedia.org/wiki/Mojave_phone_booth
https://www.tripsavvy.com/the-mojave-phone-booth-1474047
https://www.dailydot.com/debug/mojave-phone-booth-back-number/
https://www.npr.org/2014/08/22/342430204/the-mojave-phone-booth
https://www.reddit.com/r/UnresolvedMysteries/comments/7wjq4a/cipher_broadcast_the_mojave_phone_booth_is_back/
https://twitter.com/mojavefonebooth
https://www.google.com/maps/place/Mojave+Phone+Booth/@35.2873088,-115.6911087,3155m/data=!3m1!1e3!4m5!3m4!1s0x80c587e7172e7259:0xbc30709b3558dd90!8m2!3d35.2856782!4d-115.6844312
https://www.theatlantic.com/technology/archive/2017/02/object-lesson-phone-booth/515385/
http://deathvalleyjim.com/cima-cinder-mine-mojave-national-preserve/
https://twitter.com/_noid_?lang=en
https://www.monoprice.com/product?p_id=8136&gclid=CjwKCAjwy_XaBRAWEiwApfjKHuwvafwlgj6K3bNw6Qoy06i0KlXrTcPu8RLUSnhdEur5Y8PlVNaB1hoClJoQAvD_BwE
http://www.mojavephonebooth.com/ - movie based on the phone booth itself, not the book
July 27, 2018
Stories and topics we covered:
https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
https://osquery.io/
https://www.propublica.org/article/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates
https://medium.com/netflix-techblog/netflix-sirt-releases-diffy-a-differencing-engine-for-digital-forensics-in-the-cloud-37b71abd2698

Join our #Slack Channel! Email us at bds.podcast@gmail.com or DM us on Twitter @brakesec
July 19, 2018
Sorry, this week's show took an odd turn, and we don't have much in the way of show notes... Ms. Berlin is recovering from knee surgery, and we wish her a speedy recovery. Bryan B. got back from BsidesSPFD, MO this week, after what was a well-received talk on building community. Lots of other excellent talks from speakers like Ms. Sunny Wear, and an impromptu panel with Ben Miller and a whole host of others, including: @icssec @bethayoung @bryanbrake @ViciousData @killianditch @fang0654 @SunnyWear @awsmhacks @sysopfb @killamjr

We started talking about malware, and we ended up discussing a new channel in the BrakeSec Slack on #threatHunting. It appears there's a lot of information out there on the topic, so much so that SANS is having a whole conference around it. https://www.sans.org/event/threat-hunting-and-incident-response-summit-2018
July 11, 2018
Ben Caudill @rhinosecurity
Spencer Gietzen @spengietz
Rhino Security - https://rhinosecuritylabs.com/blog/
AWS escalation and mitigation blog - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

What is the difference between this and something like Scout or Lynis?
Is it a forensic or IR tool?
How might offensive people use this tool? What is possible when you’re using this as a ‘red team’ or ‘pentesting’ tool?
S3 bucket perms?
Security Group policy fails
Some of the hardening policies for Security Groups? RDS?
Where are you speaking… BSLV? DefCon?

https://aws.amazon.com/whitepapers/aws-security-best-practices/
https://d1.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf
https://aws.amazon.com/whitepapers/
https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/
https://aws.amazon.com/blogs/security/how-to-enable-mfa-protection-on-your-aws-api-calls/

Slack, Patreon, Bsides Springfield
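The two misconfigurations the questions above keep coming back to, S3 bucket permissions and security group rules, are easy to check mechanically once you have the API output in hand. This is an added example for these show notes, not Rhino Security Labs' tooling or an AWS-supplied script. It uses the JSON shapes returned by `aws ec2 describe-security-groups` and `aws s3api get-bucket-acl`, with constructed records (group IDs, bucket names and grantee IDs are made up) so it runs offline; a weak group sits beside a hardened one.

```python
"""Flag internet-open security group rules and public S3 ACL grants.

Added example for these show notes; not Rhino Security Labs' code or an
AWS-supplied script. The records mirror the shapes returned by
`aws ec2 describe-security-groups` and `aws s3api get-bucket-acl`, but
the values are constructed so the check runs offline. Feeding it a live
account means passing in the output of those two calls (or boto3's
describe_security_groups and get_bucket_acl) instead of the samples.
"""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# TCP ports where world-open ingress is usually intentional (public web tier).
EXPECTED_PUBLIC_TCP_PORTS = {80, 443}

SAMPLE_SECURITY_GROUPS = [
    {   # weak: SSH and MySQL reachable from anywhere
        "GroupId": "sg-0a1b2c3d", "GroupName": "app-weak",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            # "-1" means all protocols and ports; such rules carry no port keys.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {   # hardened: only HTTPS from the world, SSH only from a bastion group
        "GroupId": "sg-0e5f6a7b", "GroupName": "app-hardened",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0bastion0"}]},
        ],
    },
]

SAMPLE_BUCKET_ACLS = {
    "logs-bucket": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    "private-bucket": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    ]},
}


def open_ingress(group):
    """Return (group_id, protocol, from_port, to_port) for every rule that
    admits the whole internet on something other than the web ports."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not WORLD_CIDRS.intersection(cidrs):
            continue
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "-1" or lo == -1:  # every port, or every ICMP type
            lo, hi = 0, 65535
        if proto == "tcp" and set(range(lo, hi + 1)) <= EXPECTED_PUBLIC_TCP_PORTS:
            continue
        findings.append((group["GroupId"], proto, lo, hi))
    return findings


def public_acl_grants(bucket, acl):
    """Return (bucket, group, permission) for each grant to AllUsers or
    AuthenticatedUsers. AuthenticatedUsers means any AWS account, not yours."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEES:
            out.append((bucket, PUBLIC_GRANTEES[uri], grant["Permission"]))
    return out


def audit(groups, acls):
    """Run both checks; returns (security_group_findings, s3_findings)."""
    sg = [f for g in groups for f in open_ingress(g)]
    s3 = [f for name, acl in acls.items() for f in public_acl_grants(name, acl)]
    return sg, s3


if __name__ == "__main__":
    sg_findings, s3_findings = audit(SAMPLE_SECURITY_GROUPS, SAMPLE_BUCKET_ACLS)
    for gid, proto, lo, hi in sg_findings:
        print(f"{gid}: {proto} {lo}-{hi} open to the internet")
    for bucket, group, perm in s3_findings:
        print(f"{bucket}: {perm} granted to {group}")
```

The ACL is only one of the controls on a bucket: a bucket with a clean ACL can still be public through its bucket policy, and the account-level Block Public Access settings can override both, so treat a clean result here as "ACL is fine", not "bucket is private". Likewise a security group finding is a reachable port only if the instance also has a public address and a route; the group rule is still the thing to fix.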
July 2, 2018
Raymond Evans - CTF organizer for nolacon and Founder of CyDefe Labs @cydefe
CTF setup / challenges of setting up a CTF
Beginners & CTFs
Types
Tips/tricks
Biggest downfalls of CTF development
https://www.heroku.com/
www.exploit-db.com

BrakeSec DerbyCon

@dragosinc dragos.com

DNS Enumeration: https://github.com/nixawk/pentest-wiki/blob/master/1.Information-Gathering/How-to-gather-dns-information.md
DNS Tools: https://dnsdumpster.com/ https://tools.kali.org/information-gathering/theharvester
DNS Tutorial: https://www.youtube.com/watch?v=4ZtFk2dtqv0 (A cat explains DNS)
https://pentestlab.blog/tag/dns-enumeration/

DNS Logging
Logging detailed DNS queries and responses is beneficial for many reasons. The first and most obvious is to aid in incident response. DNS logs are a great help for tracking down malicious behavior, especially on endpoints in a DHCP pool. If an alert is received with a specific IP address, that IP address may no longer be on the same endpoint by the time someone investigates. That wastes time, and it also gives the malicious program or attacker more time to hide or to spread to other machines.

DNS logs are also useful for tracking down other compromised hosts, downloads from malicious websites, and malware that uses Domain Generation Algorithms (DGAs) to mask malicious behavior and evade detection.

NOTE: On a Microsoft DNS server prior to Windows Server 2012 R2 the only option is debug logging, and according to Microsoft, “Debug logging can be resource intensive, affecting overall server performance and consuming disk space. Therefore, it should only be used temporarily when more detailed information about server performance is needed.” From Server 2012 R2 forward, DNS analytic logging is available and is much less resource intensive. If the organization is using BIND or a DNS appliance, it should be able to log queries and, depending on the product and version, responses as well.
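The DHCP problem described above (the alert names an IP, but the IP has moved to another endpoint by the time anyone looks) is solved by joining the DNS log to the lease log at the time of the query, not at the time of the investigation. The script below is an added example for these show notes, not code from the podcast, CyDefe or any DNS server vendor. Both logs are constructed in a simplified CSV layout (DHCP: time,ip,mac,hostname,lease_seconds; DNS: time,client_ip,qname); real Windows DNS analytic logs, BIND query logs and DHCP server logs need their own parsers, but the correlation is the same. The DGA check is a crude entropy/digit filter, shown to illustrate the pivot, not a detector.

```python
"""Pivot from an alert (IP address, time) to the endpoint and its DNS activity.

Added example for these show notes; not code from the podcast, CyDefe or
any DNS server vendor. Both logs are constructed for this example in a
simplified CSV layout: DHCP leases as time,ip,mac,hostname,lease_seconds
and DNS queries as time,client_ip,qname.
"""
import math
from collections import Counter
from datetime import datetime, timedelta

# Constructed: 10.1.1.50 belongs to LAPTOP-ALICE at 08:00 and to LAPTOP-BOB from 09:05.
DHCP_LEASES = """\
2018-07-01T08:00:00,10.1.1.50,aa:bb:cc:00:00:01,LAPTOP-ALICE,3600
2018-07-01T09:05:00,10.1.1.50,aa:bb:cc:00:00:02,LAPTOP-BOB,3600
2018-07-01T08:30:00,10.1.1.51,aa:bb:cc:00:00:03,DESK-CAROL,3600
"""

# Constructed: two made-up DGA-looking names plus normal traffic.
DNS_QUERIES = """\
2018-07-01T08:10:00,10.1.1.50,update.microsoft.com
2018-07-01T08:12:30,10.1.1.50,xk3j9qz7vb2w.net
2018-07-01T08:12:31,10.1.1.50,p0q9w8e7r6t5y4u3.com
2018-07-01T09:10:00,10.1.1.50,github.com
2018-07-01T08:40:00,10.1.1.51,xk3j9qz7vb2w.net
"""


def parse_leases(text):
    leases = []
    for line in text.splitlines():
        start, ip, mac, host, secs = line.split(",")
        leases.append({"start": datetime.fromisoformat(start), "ip": ip, "mac": mac,
                       "host": host, "duration": timedelta(seconds=int(secs))})
    return leases


def parse_queries(text):
    out = []
    for line in text.splitlines():
        when, client, qname = line.split(",")
        out.append({"time": datetime.fromisoformat(when), "client": client, "qname": qname})
    return out


def host_for(ip, when, leases):
    """Hostname that held `ip` at `when`: the most recent lease for that IP
    that started at or before `when` and had not yet expired."""
    best = None
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= when < lease["start"] + lease["duration"]:
            if best is None or lease["start"] > best["start"]:
                best = lease
    return best["host"] if best else None


def looks_generated(qname):
    """Crude DGA filter on the registrable label: long, high-entropy or
    digit-heavy names. Expect false positives from CDN and tracking hosts."""
    labels = qname.rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    n = len(label)
    if n < 8:
        return False
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    return entropy >= 3.5 or digit_ratio >= 0.3


def investigate(alert_ip, alert_time_iso, leases_text=DHCP_LEASES,
                queries_text=DNS_QUERIES, window=timedelta(minutes=30)):
    """Return (hostname, queries, suspicious): which endpoint held the IP at
    the alert time, what it looked up within the window, and which of those
    names look generated. Queries made while a different host held the same
    IP (an earlier or later lease) are excluded."""
    when = datetime.fromisoformat(alert_time_iso)
    leases = parse_leases(leases_text)
    host = host_for(alert_ip, when, leases)
    queries = [q["qname"] for q in parse_queries(queries_text)
               if q["client"] == alert_ip
               and abs(q["time"] - when) <= window
               and host_for(alert_ip, q["time"], leases) == host]
    return host, queries, [q for q in queries if looks_generated(q)]


def who_else_queried(qname, leases_text=DHCP_LEASES, queries_text=DNS_QUERIES):
    """Every (hostname, ip) that resolved `qname`, each client mapped to the
    host that held its IP at query time: the pivot for finding other
    compromised machines once one bad domain is known."""
    leases = parse_leases(leases_text)
    hits = {(host_for(q["client"], q["time"], leases), q["client"])
            for q in parse_queries(queries_text) if q["qname"] == qname}
    return sorted(hits)


if __name__ == "__main__":
    host, queries, bad = investigate("10.1.1.50", "2018-07-01T08:15:00")
    print(f"10.1.1.50 at 08:15 was {host}; queried {queries}; suspicious: {bad}")
    for domain in bad:
        print(f"{domain} also resolved by: {who_else_queried(domain)}")
```

Two things to notice when running it: the same IP resolves to LAPTOP-BOB if the alert time is moved to 09:10, which is exactly the mistake the paragraph warns about, and the second lookup of the generated name comes from a different host entirely. Log retention is what makes the second pivot possible; a few hours of DNS and DHCP history is rarely enough.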
How difficult has that become with the advent of GDPR and whois record anonymization?