Info

Brakeing Down Security Podcast

A podcast all about the world of Security, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.
RSS Feed Subscribe in Apple Podcasts
Brakeing Down Security Podcast
2017
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
July
June
May
April
March
February
January


2015
December
November
October
September
August
July
June
May
April
March
February
January


2014
December
November
October
September
August
July
June
May
April
March
February
January


All Episodes
Archives
Now displaying: Page 1
Nov 15, 2017

Direct Link: https://brakesec.com/2017-038

 

Michael De Libero spends his work hours running an application security team at a gaming development company. I (Bryan) was really impressed at the last NCC Group Quarterly meetup when he gave a talk (not recorded) about how to properly build out your Application Security Team.

So I asked him on, and we went over the highlights of his talk. Some of the topics included:

Discussing with management your manpower issues

Who to include in your team

Communication between teams

 

RSS: https://brakesec.com/BrakesecRSS

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

 

Join our #Slack Channel! Sign up at 

http://brakesec.com/brakesec

or DM us on Twitter, or email us.

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

 

 

 

----SHOW NOTES:

 

Amanda’s appearance on PSW

 

Building an AppSec Team - Michael de Libero (@noskillz)

 

https://techbeacon.com/owasp-top-ten-update-what-your-security-team-needs-know\

 

https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

 

https://www.veracode.com/blog/2012/02/how-to-build-an-appsec-training-program-for-development-teams-a-conversation-with-fred-pinkett

 

Need link to Michael’s slides -- https://docs.google.com/presentation/d/1Bvl2rybuWMdOu3cs03U85zwAvrM1RNxv99Dt-YiGiys/edit?usp=sharing

 

Random Notes from Mike:

  • Hiring
  • WebApps vs More traditional apps
    • Release cycles differ
    • Tech stacks can often differ
    • Orgs are different
    • Etc…
  • Testing-focus vs. “security health”
  • Role of management
    • Managing a “remote” team
  • Handling incoming requests from other teams

 

How do you sell a company on having an appsec team if they don’t have one?

 

If you have an existing ‘security team’, how easily is it to augment that into an appsec team?

Can you do job rotation with some devs?

Do devs care enough to want to do code audits

“That’s not in my job description”

 

Skills needed in an appsec team

Does it depend on the tech used, or the tech you might use?

 

Internal security vs. consultants

 

Intro to RE course with Tyler Hudak

 

Bsides Wellington speaker Amanda Berlin

Nov 8, 2017

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-037-asset_management.mp3

We started off the show talking to Mr. Boettcher about what DDE is and how malware is using this super legacy Windows component (found in Windows 2) to propogate malware in MS Office docs and spreadsheets. We also talk about how to protect your Windows users from this.

We then get into discussing why it's so important to have proper asset management in place. Without knowing what is in your environment, you could suffer gaps in coverage of your anti-virus/EDR software, unable to patch systems properly and even make it easier for lateral movement.

Finally, we discuss our recent "Introduction to Reverse Engineering" course with Tyler Hudak (@secshoggoth), and Ms. Berlin's upcoming trip to New Zealand.

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.slack.com/join/shared_invite/enQtMjY2NDAyMzgxNjAwLWFjZTc1YzVlYWExM2U5ZjhiNDYwZTIzN2UxNjM1OWIwYzBkMjgzYmY4ZjA2MzViNzQ2ZTUzMGQ2YWYwYWY3NTM or DM us on Twitter, or email us.

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

SHOW NOTES:

 

Oreilly con report

Malware report from Mr. Boettcher

DDE (Dynamic Data Exchange), all the rage

https://en.wikipedia.org/wiki/Windows_2.0

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27325/en_US/McAfee_Labs_Threat_Advisory-W97MMacroLess.pdf

http://home.bt.com/tech-gadgets/computing/10-facts-about-windows-2-11364027546216

https://www.ghacks.net/2017/10/23/disable-office-ddeauto-to-mitigate-attacks/

 

Why asset management?

Know what’s in your environment

CIS Top 20...no wait, it’s the TOP THREE of the 20.

It all builds on this…

Know what’s in your environment

http://www.open-audit.org/

https://metacpan.org/pod/App::Netdisco <- NetDisco (great for network equipment)

 

Where do you store that data? Or is it just enough to know where to get it?

Systems you can pull asset data from:

Patching systems

Chef

WSUS

FIM systems

Tripwire

DLP systems

Vuln Scanners

AV/EDR management

router/switch tables

DNS

Asset management systems are a gold mine for an attacker

Names

IPs

email addresses

 

Coverage gaps in these systems will cause you to lose asset visibility

 

http://www.businessinsider.com/programmer-automates-his-job-2015-11

Oct 29, 2017

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3

Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly.

We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using.

Mr. Boettcher asks how to handle when people believe an OS is better than another, how to do threat modeling to decide which OS should be the one to use.

 

Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto).

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

SHOW NOTES:

 

Ideas and suggestions here:

 

Start with “What is threat modeling?”   What is it, why do people do it, why do organizations do it?

What happens when it’s not done effectively, or at all?

 

At what point in the SDLC should threat modeling be employed?

Planning?

Development?

Can threat models be modified when new features/functionality gets added?

Otherwise, are these just to ‘check a compliance box’?

Data flow diagram (example) -

 

process flow

External entities

Process

Multiple Processes

Data Store

Data Flow

Privilege Boundary

 

Classification of threats-

STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security)

DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)

PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf

Trike -  http://octotrike.org/

 

https://en.wikipedia.org/wiki/Johari_window

 

Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf

 

Escalation Of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303

 

NIST CyberSecurity Framework: https://www.nist.gov/cyberframework

 

Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx

Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx

Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx

OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling

OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon

Emergent Design:  https://adam.shostack.org/blog/2017/10/emergent-design-issues/

 

https://www.researchgate.net/profile/William_Yurcik/publication/228634178_Threat_Modeling_as_a_Basis_for_Security_Requirements/links/02bfe50d2367e32088000000.pdf

 

Robert Hurlbut (workshop presenter at SourceCon Seattle) https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source)

 

Adam’s Threat modeling book

http://amzn.to/2z2cNI1 -- sponsored link

https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/ref=mt_paperback?_encoding=UTF8&me=

 

Is the book still applicable?

New book

 

What traps do people fall into?  Attacker-centered, asset-centered approaches


Close with “how do I get started on threat modeling?”

SecShoggoth’s Class “intro to Re”

Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model

Oct 22, 2017

After last year's SOURCE Conference, I knew I needed to go again, not just because it was a local (Seattle) infosec conference, but because of the caliber of speakers and the range of topics that were going to be covered.

I got audio from two of the speakers at the SOURCE conference (@sourceconf) on Twitter

Lee Fisher and Paul English from PreOS Security about UEFI security and methods to secure your devices  https://preossec.com/

 

Joe Basirico discusses the proper environment to get the best out of your bug bounty program. 

points from his abstract:

Bug Bounty Programs - Why you want to invite security researchers to hack your products

Marketing your Security Program - How and why to market your security program. What to say, how to say it, and where to say it for maximum effectiveness.

How to Communicate with Security Researchers - What are security researchers expecting in communication, responsiveness, transparency, and time to fix.

 

Source conference YouTube Channel:  https://www.youtube.com/channel/UCAPQk1fH2A4pzYjwTCt5-dw/videos (2017 is not available yet, but all talk from 2008-2015 is available)

agenda of the talks that occurred at Source Seattle 2017 

https://www.sourceconference.com/seattle-2017-agenda

https://www.sourceconference.com/copy-of-seattle-2016-agenda-details

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Oct 16, 2017

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-035-business_continuity-After_the_disaster.mp3

 

We are back this week after a bit of time off, and we getting right back into it...

What happens after you enact your business continuity plan? Many times, it can cause you to have to change processes, procedures... you may not even be doing business in the same country or datacenter, and you may be needing to change the way business is done.

We also talk a bit about 3rd party vendor reviews, and what would happen if your 3rd party doesn't have a proper plan in place.

Finally, we discuss the upcoming #reverseEngineering course starting on 30 October 2017 with Tyler Hudak, as well some upcoming appearances for Ms. Berlin at SecureWV, GrrCon, and Bsides Wellington, #newZealand

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---SHOW NOTES---

You have enacted your BC/DR plan

Step 1. Panic

Step 2. Panic more, or let your management panic

Step 3. Follow the plan… you do have a plan, right?

 

Enacting a BC/DR plan

RPO/RTO - https://www.druva.com/blog/understanding-rpo-and-rto/

 

Recovery Point Objective (RPO) describes the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan’s maximum allowable threshold or “tolerance.”

 

https://en.wikipedia.org/wiki/Recovery_point_objective

 

Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.

 

https://en.wikipedia.org/wiki/Recovery_time_objective

 

https://uptime.is/99.99

 

Excerpt from "Defensive Security Handbook" -

Buy from Amazon (sponsored link):  http://amzn.to/2zcmWBY

Recovery Point Objective

 

The recovery point objective (RPO) is the point in time that you wish to recover to. That is, determining if you need to be able to recover data right up until seconds before the disaster strikes, or whether the night before is acceptable, or the week before, for example. This does not take into account of how long it takes to make this recovery, only the point in time from which you will be resuming once recovery has been made. There is a tendency to jump straight to seconds before the incident; however, the shorter the RPO, the more the costs and complexity will invariably move upwards.

Recovery Time Objective

 

The recovery time objective (RTO) is how long it takes to recover, taken irrespective of the RPO. That is, after the disaster, how long until you have recovered to the point determined by the RPO.

 

To illustrate with an example, if you operate a server that hosts your brochureware website, the primary goal is probably going to be rapidly returning the server to operational use. If the content is a day old it is probably not as much of a problem as if the system held financial transactions whereby the availability of recent transactions is important. In this case an outage of an hour may be tolerable, with data no older than one day once recovered.

 

In this case the RPO would be one day, and the RTO would be one hour.

 

There is often a temptation for someone from a technology department to set these times; however, it should be driven by the business owners of systems. This is for multiple reasons:

 

  • It is often hard to justify the cost of DR solutions. Allowing the business to set requirements, and potentially reset requirements if costs are too high, not only enables informed decisions regarding targets, but also reduces the chances of unrealistic expectations on recovery times.

 

  • IT people may understand the technologies involved, but do not always have the correct perspective to make a determination as to what the business’ priorities are in such a situation.

 

  • The involvement of the business in the DR and BCP plans eases the process of discussing budget and expectations for these solutions.

 

RPO should be determined when working through a Business impact analysis (BIA)

https://www.ready.gov/business-impact-analysis

 

https://www.fema.gov/media-library/assets/documents/89526

 

There is always a gap between the actuals (RTA/RPA) and objectives

After an incident or disaster, a ‘Lessons Learned’ should identify shortcomings and adjust accordingly.

This may also affect contracts, or customers may require re-negotiation of their RTO/RPO requirements

 

If something happens 4 hours after a backup, and you have an hour until the next backup, you have to reconcile the lost information, or take it as a loss

Loss = profits lost, fines for SLAs

 

You may not be doing the same after the disaster. New processes, procedures

 

https://www.bleepingcomputer.com/news/security/fedex-says-some-damage-from-notpetya-ransomware-may-be-permanent/

Ms. Berlin’s appearances

Grrcon - http://grrcon.com/

 

Hack3rcon/SecureWV -  http://securewv.com/

 

Oreilly Conference - https://conferences.oreilly.com/security/sec-ny/public/schedule/detail/61290

Experts Table?

 

Bsides Wellington (sold-out)

----

CLASS INFORMATION

Introduction to Reverse Engineering with Tyler Hudak

Starts on 30 October - 20 November

4 Mondays

Sign up on our Patreon (charged twice, half when you sign up, half again when 1 November happens

Oct 7, 2017

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-SPECIAL003-Derbycon_audio.mp3

Mr. Boettcher, Ms. Berlin, and I went to Derbycon. In addition to the podcast with podcasters we did during the 3 days, I managed to grab another whole hour of audio from various people at the conference, just to give you an idea of the vibe of the conference, in case you were unable to attend.

 

We talked to the FOOOLs (http://www.bloomingtonfools.org/), and how they have done the lockpick village for the last 7 years.

We talk to Ms. Wynter (@sec_she_lady) about her experiences at her first Derbycon.

Mr. Matt Miller (@milhous30) talked about some of his #reverse #engineering challenges that were in the #Derbycon #CTF

Lots of great talks happened there this year, check them all out over on @irongeek's site (http://www.irongeek.com/i.php?page=videos/derbycon7/mainlist)

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Oct 2, 2017

*Apologies for the continuity this was recorded before we went to Derbycon 2017.*

 

Preston Pierce is a recruiter. We wanted to have him on to discuss some issues with our industry. So we had him on to discuss hiring practices, how a recruiter can help a company recruiter better talent, and how to stop companies looking for the 'unicorn' candidate.

Preston is a great guy and we learned a lot about how the recruiting process works, and how Preston's company work differently from other, less reputable companies.

We also discuss job descriptions, getting management buy in for a good candidate, and more. 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-034-Preston_Pierce_recruiting_job_descriptions.mp3

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 Show Notes:

 

https://news.slashdot.org/story/17/09/01/1729237/us-employers-struggle-to-match-workers-with-open-jobs

 

Blueteamers

 

Looking at job descriptions,

Fix if outdated or unnecessary

 

Managers

 

Be realistic about expectations

 

Recruiters

 

Better research of people

Discuss realistic demands from customers

 

You

Update your LinkedIn removing overly generalized terms (healthcare, for example)

When should you reach out to a recruiter? Right away? After you’ve already completed some leg work?

Companies do a poor job of marketing for their current openings.

Sep 27, 2017

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-SPECIAL002-Derbycon-Podcast_with_podcasters.mp3

 

SUPER NOT SAFE for kids (and probably adults, come to think of it). Really this is just us riffing about derbycon (and I really love @oncee, and wished I'd gone to his stable talk (which you can listen/watch here: http://www.irongeek.com/i.php?page=videos/derbycon7/s07-the-skills-gap-how-can-we-fix-it-bill-gardner)

We actually did talk about the skills gap, resume workshop held at Derbycon, and so much else. 

 

If you haven't been to Derbycon, you should definitely make plans now to attend...

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Sep 17, 2017

Zane Lackey (@zanelackey on Twitter) loves discussing how to make the DevOps, and the DevSecOps (or is it 'SecDevOps'... 'DevOpsSec'?)

So we talk to him about the best places to get the most bang for your buck getting security into your new DevOps environment. What is the best way to do that? Have a listen...

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-033-Zane_Lackey_inserting_security_into_your_DevOps.mp3

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

--SHOW NOTES--

 

Security shifts from being a gatekeeper to enabling teams to be secure by default

Require a culture shift

Should that be implemented before the shift to CI/CD, or are we talking ‘indiana jones and the rock in the temple’?


How?

Secure coding?

Hardening boxes/Systems?

 

If it’s just dev -> prod, where does security have the chance to find issues (i.e. test and QA belong there)?

 

We used to have the ability for a lot of security injection points, but no longer

 

Lowers the number of people we have to harangue to be secure…?

 

Security success = baked in to DevOps

 

Shift from a ‘top down’ to ‘bottom up’

Eliminate FPs, and forward on real issues to devs

Concentrate on one or two types of vulnerabilities

Triage vulns from most important to least important

 

Go for ‘quick wins’, or things that don’t take a lot of time for devs to fix.

Grepping for ‘system(), or execve()’

Primitives (hashing, encryption, file system operations)

How do you stop a build going to production if it’s going out like that?

Do we allow insecurity to go to Production?

Or would it be too late to ‘stop the presses’?

“We’ll fix it in post…”


Instead of the ‘guardrail not speedbump’ you are the driving instructor...

 

But where does security get in to be able to talk to devs about data flow, documentation of processes?

5 Y’s - Why are you doing that?

 

Setup things like alerting on git repos, especially for sensitive code

Changing a sensitive bit of code or file may notify people

Will make people think before making changes

Put controls in terms of how they enable velocity

 

You like you some bug bounties, why?

 

Continuous feedback

 

Learn to find/detect attackers as early in the attack chain

 

Refine your vuln triage/response

 

Use bug reports as IR/DFIR...

 

https://www.youtube.com/watch?v=ORtYTDSmi4U

 

https://www.slideshare.net/zanelackey/how-to-adapt-the-sdlc-to-the-era-of-devsecops

 

http://www.slideshare.net/zanelackey/building-a-modern-security-engineering-organization

 

 

 

In SAST, a modern way to decide what to test is start with a small critical vuln, like OS command injection.  Find those and get people to fix it.  BUT don’t developers or project teams get unhappy [sic] if you keep "moving the goal post" as you add in the next SAST test and the next SAST test.  How do you do that and not piss people off?

 

[15:16]

How do you make development teams self sufficient when it comes to writing a secure application?  Security is a road block during a 3 month release schedule….getting "security approval" in a 3 day release cycle is impossible.

 

[15:17]

But then…what is the job for the security team?  If DevOps with security is done right, do you still need a security team, if so what do they do????  Do they write more code???

I don't think your Dev'ops'ing security out of a job...but where does security see itself in 5 years?

Last one if there is time and interest.  If Zane Lackey was a _maintainer_ of an open source project, what dev ops sec lessons would he apply to that dev model…to the OpenSource model?

(We've got internal projects managed with the open source model...so im interested in this one)

Even with out any of those questions the topics he covered in his black hat talk are FULL of content to talk about.  Heck, even bug bounties are a topic of conversation.

The idea of a feedback loop to dev...where an application under attack in a pen test can do fixes live....how that is possible is loads of content.

 

Sep 12, 2017

Everyone should be doing incident response tabletops, even if it's not a dedicated task in your organization. It allows you to find out what you might be lacking in terms of processes, manpower, requirements, etc.

This week, we discuss what you need to do to get ready for one, and how those should go in terms of helping your organization understand how to handle the aftermath.

And in case you've been under a rock, #equifax was breached.  143 million credit records are in the ether. We discuss the facts as of 9 September 2017, and what this means to the average user.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-032-incident_response-equifax-done2.mp3

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

 

---SHOW NOTES---

Incident response

 

Must go beyond ‘threats’.

What is in your environment

Struts aren’t a threat, or are they?

Equifax didn’t think so at the time…

Insider threat

External entities

Libraries

plugins/themes used (Wordpress)

 

Risk analysis

Qualitative

Quantitative

 

What makes a good incident response exercise (

 

 

 

Following the creation and implementation of security controls around use cases, can be the testing of tabletop exercises and drills as a proof of concept. A tabletop exercise is a meeting of key stakeholders and staff that walk step by step through the mitigation of some type of disaster, malfunction, attack, or other emergency in a low stress situation. A drill is when staff carries out as many of the processes, procedures, and mitigations that would be performed during one of the emergencies as possible.
While drills are limited in scope, they can be very useful to test specific controls for gaps and possible improvements. A disaster recovery plan can be carried out to some length, backups can be tested with the restoration of files, and services can be failed over to secondary cluster members.
Tabletop exercises are composed of several key groups or members.


  • During a tabletop exercise there should be a moderator or facilitator that will deliver the scenario to be played out. This moderator can answer “what if ” questions about the imaginary emergency as well as lead discussion, pull in additional resources, and control the pace of the exercise. Inform the participants that it is perfectly acceptable to not have answers to questions during this exercise. The entire purpose of tabletops is to find the weaknesses in current processes to mitigate them prior to an actual incident.
    • A member of the exercise should also evaluate the overall performance of the exercise as well as create an after-action report. This evaluator should take meticulous notes as well as follow along any runbook to ensure accuracy. While the evaluator will be the main notetaker, other groups and individuals may have specific knowledge and understanding of situations. In this case having each member provide the evaluator with their own notes at the conclusion of the tabletop is a good step.
    • Participants make up the majority of this exercise. Included should be groups such as Finance, HR, Legal, Security (both physical and information), Management, Marketing, and any other key group that may be required. Participants should be willing to engage in the conversation, challenge themselves and others politely, and work within the parameters of the exercise.


What to include in the tabletop:
• A handout to participants with the scenario and room for notes.
• Current runbook of how security situations are handled.
• Any policy and procedure manuals.
• List of tools and external services.


Post-exercise actions and questions:
• What went well?
• What could have gone better?
• Are any services or processes missing that would have improved resolution time or accuracy?
• Are any steps unneeded or irrelevant?
• Identify and document issues for corrective action.
• Change the plan appropriately for next time.


Tabletop Template
The Federal Emergency Management Agency (FEMA) has a collection of different scenarios, presentations, and tabletops that can be used as templates.

 

Derbycon channel on Slack

Intro to RE class

 

https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

 

https://hackernoon.com/a-series-of-unfortunate-events-or-how-equifax-fire-eye-threw-oil-on-the-fire-c19285f866ed

Sep 4, 2017

This week, we met up with Robert Sell to discuss competing in the DefCon Social Engineering CTF. You're gonna learn how he prepared for the competition, and learn about some of the tactics you could use to compete in future SE CTF events.

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-031-Robert_Sell-Defcon-SE-CTF.mp3

 

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Aug 29, 2017

This week, we discuss the lack of information and where you might find more information about certain vulnerabilities. Seems like many companies fail to give out necessary and actionable information without paying an arm and a leg.

We also go over our DerbyCon CTF walkthrough, and discuss the steps to solve it.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-030-vulnerability_OSINT-derbycon_CTF_walkthrough.mp3 

 

Ms. Berlin is going to be at Bsides Wellington!  Get your Tickets NOW!

https://twitter.com/bsideswlg

https://www.bsides.nz/

 

 

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

--show notes--

 

NCC group talks in Seattle

NIST guidelines - no security questions, no SMS based 2fa

 

Vuln OSINT

 

Sites have information like Spokeo…

Breadcrumbs

 

Take Java for example (CVE-2017-10102): info is sparse

Other sites have more

https://tools.cisco.com/security/center/viewAlert.x?alertId=54521 - worse than Oracle’s site (impressive crappery)

Some are better: RHEL is fairly decent

https://access.redhat.com/errata/RHSA-2017:2424

Ubuntu has some different tidbits

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10102.html

Arch has info

https://security.archlinux.org/CVE-2017-10102

Point is, just because you use a specific OS, don’t limit yourself… other OSes may contain more technical info. Some maintainers like to dig, like you.

 

https://vuldb.com/ - gives value of finding such a PoC for a vuln (5-25K USD for 2017-10102)

 

Derbycon CTF walkthrough

 

Looking for an instructor for an ‘intro to RE’ course.

Dr. Pulaski = Diana Maldaur

Dr. Crusher = Gates McFadden

 

Aug 20, 2017

This week was one heck of a show. If you are a blueteamer and make use of the "Windows Logging Cheat Sheet", you are no doubt aware of how important it is to log certain events, and to set hostile conditions to make malware/Trojans/virus have a harder time avoiding detection.

What if I told you the same updates we suggested last week to NEVER delay actually undoes all your hardening on your system and leaves your logfiles set to defaults, all file associations for suspect files like pif, bat, scr, bin, are set back to defaults, allow your users to be victims again, even after you've assured them they are safe to update?

After a sequence of tweets from Michael Gough about just this exact thing, we laid out all the information, how and what get reverted that will open you back up to possible infections, as well as how some hardening standards actually make it harder to be secure.

Finally, we discuss the CIS benchmarks, and how many of the settings in them are largely outdated and why they need to be updated.

 

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-029-windows_updates_clobbers_security__settings_CIS_hardening_needs_an_update.mp3

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

--SHOW NOTES--

 

Gough says ‘something is bad about CIS’

 

CIS benchmarks need revamping -- BrBr

/var, /var/log in separate partitions?

Password to access grub?

Disable root login to serial pty?

Many cloud instances and VMs don’t have serial ports (not in a traditional sense)

 

What’s the use case for using them? What problem will they solve?

Misconfiguration?

Proper logging?

NTP sources?

 

So many, dilution possible

SCAP

OVAL

STIG (complex as well)

CIS

 

Infosec: how do we get IT past the “that’s good enough”, as many customers and compliance frameworks want to see ‘hardening’ done.

What is a good baseline?

Write your own?

 

How do we tell them that it’s not going to stop ‘bad guys’ ( or anyone really)? It’s not ‘security’, and it’s technically not even ‘best practices’ anymore (not all of it, anyway)

On windows, they are needlessly complicated and cause more problems

Roles have to be created “backup admin”

Can cause unintended issues

 

https://twitter.com/HackerHurricane/status/898629567056797696

 

https://twitter.com/HackerHurricane/status/892838553528479745

 

Category            Sub Category                                      7/2008  8.1     2012    Win-7   Win-8.1 WLCS    ThisPC  Notes

 

Detailed Tracking   Process Termination                       NA      NA      NA      NA      NA      S/F     S

Object Access       File Share                                           NA      NA      NA      NA      NA      S/F     S/F    

Object Access       File System                                         NA      NA      NA      F       NA         S       S/F    

Object Access       Filtering Platform Connection           NA      NA      NA      NA      NA      S       S      

Object Access       Filtering Platform Packet Drop          NA      NA      NA      NA      NA      NA      NA

 

Log Sizes:

-------------

Security - 1 GB

Application – 256MB

System – 256MB

PowerShell/Operational – 512MB – 1 GB v5

Windows PowerShell – 256MB

TaskScheduler – 256MB

 

Log Process Command Line                                             (5)     (5)     (5)     (5)     (5)     Yes     Yes

-------------------------------------------------------------------------------------------------------------------------

PowerShell Logging v5                                                    (5)     (5)     (5)     (5)     (5)     Yes     Yes

-------------------------------------------------------------------------------------------------------------------------

TaskScheduler Log                                                          (5)     (5)     (5)     (5)     (5)     (1)     Yes

-----------------------------------------------------------------------------------------------------------------

 

(5) - CIS Benchmarks, USGCB, and AU ACSC do not cover this critical auditing item

Aug 12, 2017

 This week went in a different direction from what we normally do. We discussed some news, a twitter conversation about someone from the 'ahem' "media" that suggests that you disable Windows Update on your home devices. We discuss the pros and mostly cons of doing that, and alternatives to protect your home and work devices from that.

We talked about the Comcast Xfinity applicances and how they have a vulnerability that could make it appear that traffic created by people outside of your house could look like it was coming from your home network.

We discuss the public disclosure of Carbon Black's architecture and seeming sharing of customer events to 3rd parties... it's not all black and white, and we discuss those here.

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

---SHOW NOTES---

Twitter discussion -

https://twitter.com/Computerworld/status/894611609355603968

 

http://www.computerworld.com/article/3214146/microsoft-windows/it-s-time-to-check-your-windows-machines-and-temporarily-turn-off-automatic-update.html

 

[sic] “tons of problems with Automatic Update patches so far this year”

[sic] “if you’re savvy enough to be reading this, you should consider turning Auto Update off, too”

 

Advocating disabling auto-updates in an OS is reckless.

Home networks for majority of users is completely flat

One Vlan (e.g. 192.168.1.0/24)

‘Savvy’ = technical

Which many of our users are not

 

Probable scenario: Bad guy targets you or family through a phish. They gain access to family computers, and pivot through those to your office computer

 

Blue teamers: suggest backups and backup options to keep their data safe and allow them to feel safer with automatic updates enabled, and VLANs if possible

 

Typically enterprises will hold off a few days or a week to push out Windows patches; Auto-updates are controlled.

The twitter guy said that in more recent Windows versions, WU take precedence over WSUS… need to confirm that… -- brbr

Confirmed… you can override WU… https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/

 

http://www.computerworld.com/article/3213929/microsoft-windows/the-case-against-windows-automatic-update.html

http://www.csoonline.com/article/3214487/security/pentest-firm-calls-carbon-black-worlds-largest-pay-for-play-data-exfiltration-botnet.html#tk.twt_cso

--this-- not because of title, but because of people jumping to conclusions (example of irresponsible disclosure)

Agreed… that shiz is damaging -- brbr

 

 

 

NoStarch TCP guide - https://www.nostarch.com/tcpip.htm

IPV4 -https://en.wikipedia.org/wiki/IPv4

 

[graphic of IPv4 header from wikipedia article]

 

IHL - size of the header (minimum of 5)

DSCP - has to do with traffic shaping and QoS

ECN - notifies the network of congestion and allows infrastructure to implement congestion controls to compensate

Must be supported by both ends, and completely optional to enforce

Total Length - total size of the packet

Identification - interesting field, you can use it to hide data (Covert_TCP), otherwise, it’s used for ‘used for uniquely identifying the group of fragments of a single IP datagram”

 

https://github.com/tcstool/Fireaway

 

http://www.securityweek.com/coolest-talk-defcon-25-no-one-writing-about

 

Aug 3, 2017

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-026-Ally_miller_machine-learning-AI.mp3

Ally Miller (@selenakyle) joined us this week to discuss Machine Learning and #Artificial #Intelligence. It seems like every new security product employs one or both of these terms. She did the keynote at Bsides Las Vegas on topics of #Machine #Learning and #Behavioral #Economics.

We asked Ms. Miller to join us here to discuss what ML and AI are, how algorithms work to analyze the data to come to the right conclusion. What is required to get a useful algorithm, and how much or little human interaction is required?

We also discuss a bit of history with her, how IDS/IPS were just dumber versions of machine learning, with 'tweaks' being new Yara or snort rules to tell the machine what to allow/disallow. 

Finally, we discussed how people who are doing our 2017 DerbyCon CTF, instructions on how to win are in the show, so please take a listen.

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

 

 

show notes

 

what is the required amount of data required to properly train the algorithms

 

how do you ensure that the training data is clean (or perhaps how do you determine what causes a false positive or negative)

 

Xoke Soru: "why are you trying to make skynet and kill us all?  Do you hate humanity?"

 

Who will ML replace? Who in security?

 

Ask why people get confused between AI and Machine learning, and where the fine line is between the two or is one actually a subset of the other.

 

Basically.. "in what way/how do you see ML being used in an offensive capacity in the future (or now)"

 

https://en.wikipedia.org/wiki/Artificial_neural_network

 

https://en.wikipedia.org/wiki/Machine_learning

 

https://en.wikipedia.org/wiki/Portal:Machine_learning

 

https://www.slideshare.net/allyslideshare/something-wicked-78511887

 

https://www.slideshare.net/allyslideshare/201209-a-million-mousetraps-using-big-data-and-little-loops-to-build-better-defenses

 

https://conferences.oreilly.com/velocity/vl-ca/public/schedule/detail/61751

 

O’Reilly Conference 31 October

 

Mick douglas class

Derbycon CTF

Book club

 

Patreon

slack

Jul 22, 2017

Direct Link:http://traffic.libsyn.com/brakeingsecurity/2017-025-How-GDPR-affects-US-Biz-with-Wendyck-Derbycon2017-CTF-info.mp3

 

GDPR (General Data Protection Regulation) is weighing on the minds and pocketbooks of a lot of European companies, but is the US as worried? If you read many of the news articles out there, it ranges from 'meh' to 'OMG, the sky, it is falling". GDPR will cause a lot of new issues in the way business is being done, not just in the realm of security, but in the way data is managed, maintained, catalogued, and shared.

This week we invited Ms. Wendy Everette Knox (@wendyck) to come in and discuss some of the issues that might hit companies. We also discuss how GDPR and the exit (or not) of the UK from the #European #Union will affect data holders and citizens of the UK.

If your company is preparing for the #GDPR mandate, check out the show notes for a lot of good info.

ALSO, If you are looking for a ticket to #derbycon 2017, you need to listen to this show, because it has all the info you need to get started.  The info is also in the show notes, including the form you need to post your flag information.

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---Show Notes:----

 

 

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1]

 

 

Would it be better if companies stored less data, or de-anon it to the point where a breach

 

Massive fines for breaches. Usually some percentage of profits…

 

(up to 4% of annual global turnover or €20 Million (whichever is greater))

 

Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours of the data breach (Article 33).”

 

Is 72 hours for notification realistic? For massive breaches, 72 hours is just enough time to contain

 

Right to be forgotten (not realistic):

“A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014.[19][20] Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case (f) where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data “

 

GDPR full text:

http://ec.europa.eu/newsroom/document.cfm?doc_id=45631

 

Good intro:

https://www.taylorwessing.com/globaldatahub/article-the-data-protection-principles-under-the-gdpr.html

 

Controversial topics:

http://www.eugdpr.org/controversial-topics.html

 

Key Changes:

http://www.eugdpr.org/key-changes.html

 

Difficulty of doing GDPR in the cloud

https://hackernoon.com/why-gdpr-compliance-is-difficult-in-the-cloud-9755867a3662

US businesses largely ignoring GDPR

http://www.informationsecuritybuzz.com/expert-comments/us-businesses-ignoring-gdpr/#infosec

 

Fears of breach cover-up (due to massive fines ‘up to 4% of profits’)

http://tech.newstatesman.com/news/gdpr-cover-ups-security

 

From the UK ICO, 12 steps to take now to prepare for GDPR https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf (has a nice infographic on p. 2)

 

https://www.auditscripts.com/

 

CTF for derby ticket

Level 1-

The internet is a big place :) I’ve hidden 3 flags out on it and it’s your job to see how many you can find. I’ll give you a few hints to start.

 

  1. Company Name = Big Bob’s Chemistry Lab
  2. There’s something illegal going on, find out what!!
  3. Submit flags here https://goo.gl/forms/iUEVHNuSYr34OZA22  
Jul 16, 2017

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-024-mental_health_podcast-with-Rand0h-and-tottenkoph.mp3

The infosec industry and the infosec culture is so diverse, with many different points of view, many different thoughts and opinions, and many of us deal with our own internal demons, like addictions, mental afflictions like depression or bipolar disorders. And 'imposter syndrome' is another thing that seems to add to the mix, making some believe they have to be constantly innovating or people think negatively of them.

So this week, we invited Ms. Magen Wu (@tottenkoph), and Danny (@dakacki) and we discuss some coping mechanisms at things like conferences, and if you work at home, like a lot of consultants and researchers do...

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat and Defcon

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

 

-------

Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel.

To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August.

 

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

--Show Notes--

Chris Sanders: Cult of Passion

http://chrissanders.org/2017/06/the-cult-of-passion/

 

Exercise

Start playing ingress or Pokemon Go, just to get out and gamify activity

 

Reduce alcohol consumption

Defcon : Friends of Bill W.

Agent X : 3/5K events at Defcon

 

Critics comments

You won’t please everyone, so don’t try

 

Spend time away from infosec

Family, friends

Hobbies

 

If you are in a job with ‘secrets’, find someone to talk to

Another person with the same ‘secrets’ or similar job

 

https://www.scientificamerican.com/article/gut-second-brain/

 

@DAkacki (what is your podcast @rallysec)

Da667’s book

[I love murder]@tottenkoph

@jimmyvo

@andMYhacks (works with Jimmy)

@infosecmentors

 

Jul 10, 2017

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-023-Jay_Beale-selinux-apparmor-securing_lxc.mp3

 

Jay Beale works for a pentest firm called "Inguardians", and has always been a fierce friend of the show. He's running a class at both BlackHat and Defcon all about hardening various parts of the Linux OS. This week, we discuss some of the concepts he teaches in the class. 

Why do we disable Selinux? Is it as difficult to enable as everyone believes? What benefit do we get from using it? 

We also discuss other hardening applications, like ModSecurity for Apache, Suhosin for PHP, and Linux Containers (LXC). What is gained by using these, and how can we use these to our advantage?

Really great discussion with Jay, and please sign up for his class for a two day in-depth discussion of all the technologies discussed on the show.

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat and Defcon

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

 

-------

Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel.

To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August.

 

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

---

Show Notes:

 

AppArmor

 

SELinux

 

Privilege Escalation - InGuardians Murderboard

 

Port Knocking (Single Pack Authorization)

 

OSSEC

 

ModSecurity

 

Linux Containers

 

Jess frizelle -bane

 

Dan walsh - selinux

 

Selinux troubleshoot daemon

 

https://en.wikipedia.org/wiki/System_call

 

In computing, a system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system.”

 

OpenBSD pledge(2): https://man.openbsd.org/pledge.2

 

https://www.raspberrypi.org/products/raspberry-pi-2-model-b/

 

Suhosin

 

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

@inguardians

@jaybeale

www.inguardians.com


----

 

What are you doing at Black Hat and Def Con?

 

  • Training class at Black Hat - 2 days
  • Def Con Workshop - ModSecurity and AppArmor - 4 hours
  • Packet Hacking Village Workshop - Container security
  • Vapor Trail at Def Con Labs (Larry and Galen)
  • Dancing my butt off?
Jul 3, 2017

Direct Link to Download: http://traffic.libsyn.com/brakeingsecurity/2017-022-windows_and_AD_Hardening.mp3

This week, we discuss hardening of windows hosts, utilizing CIS benchmarks. We talk about the 'auditpol' command. And we dredge up from the ancient times (2000) the Microsoft article from Scott Culp "The 10 Immutable Laws of Security Administration". Are they still applicable to today's environment, 17 years later?

 

 

Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel.

To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August.

 

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

--SHOW NOTES--

10 immutable laws of Security administration: https://technet.microsoft.com/library/cc722488.aspx

Really great stuff

On This Page

Law #1: Nobody believes anything bad can happen to them, until it does

Law #2: Security only works if the secure way also happens to be the easy way

Law #3: If you don't keep up with security fixes, your network won't be yours for long

Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with

Law #5: Eternal vigilance is the price of security

Law #6: There really is someone out there trying to guess your passwords

Law #7: The most secure network is a well-administered one

Law #8: The difficulty of defending a network is directly proportional to its complexity

Law #9: Security isn't about risk avoidance; it's about risk management

Law #10: Technology is not a panacea

https://www.linkedin.com/in/scott-culp-cissp-8b69572a/

 

 

http://thehackernews.com/2017/06/hacker-arrested-for-hacking-microsoft.html

 

 

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

 

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

 

auditpol - https://technet.microsoft.com/en-us/library/cc731451(v=ws.11).aspx

 

https://docs.microsoft.com/en-us/windows/device-security/auditing/advanced-security-audit-policy-settings

 

 

https://technet.microsoft.com/en-us/library/cc677002.aspx - Microsoft Security compliance Manager

 

 

https://www.databreaches.net/irony-when-blackhats-are-our-only-source-of-disclosure-for-some-healthcare-hacks/

 

https://www.databreaches.net/leak-of-windows-10-source-code-raises-security-concerns/

 

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

 

 

Jun 30, 2017

Due to popular demand, we are adding the extra content from last week's show as a standalone podcast.

 

Michael Gough (@hackerHurricane) and Mr. Boettcher (BrakeSec Co-Host, and @boettcherpwned) sit down and discuss the popularity of ransomware as a topic

They discuss what email attachments to block, how to test your own email gateway, and what controls you should implement to help defend against the #petya #notpetya ransomware.

Jun 22, 2017

This week, we discussed Ms. Berlin's recent foray to CircleCityCon, 614con (@614con), and her recent webinars with O'Reilly.

One topic we discussed this week was how to reach out to small businesses about information security. Mr. Boettcher (@boettcherpwned) had just came from a panel discussion about an initiative in Austin, Texas called "MANIFEST", which sought to engage small business owners with #information #security professionals to help them secure their environments.

So we got to discussing how you might go about it in your local hometowns. Many of us live in smaller towns, with numerous small businesses that either don't know to secure their #POS #terminals (for example), or office information not in a file cabinet. They may also just assume their outsourced IT company is doing that job, which could open them up to liability if something occurred. So we discuss ways to reach out, or get involved with your local community.

Secondly, we talk about software vulnerabilities found in the #CWE and the '7 Pernicious Kingdoms' which are the way some people have classified vulnerabilities. We one of the kingdoms, and how it is useful if you want to classify vulns to developers.

Finally, after the show, Mr. Boettcher and Mr. Michael Gough, who has been on the show previously discusses some #ransomware and why it's such a popular topic of discussion. (stay after the end music)

 

Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 5 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 1 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel.

To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-021-small_biz_outreach-614con-prenicious_kingdoms-ransomware-bonus.mp3

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Jun 14, 2017

Hector Monsegur (@hxmonsegur on Twitter) is a good friend of the show, and we invited him to come on and discuss some of the #OSINT research he's doing to identify servers without using noisy techniques like DNS brute forcing.

 

We also discuss EclinicalWorks and their massive fine for falsifying testing of their EHR system, and implications for that. What happens to customers confidence in the product, and what happens if you're already a customer and realize you were duped by them?

 

We also discuss Hector's involvement with the TV show "Outlaw Tech". Who approached him, why he did it, why it's not CSI:Cyber or "Scorpion" and how it discusses the techniques used by bad guys.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-020-Hector_monsegur_DNS_research_OSINT.mp3

 

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---------- 

Show notes:

 

going beyond DNS bruteforcing and passively discovering assets from public datasets???

Very interested in hearing about this

Straight OSINT, or what?

Hxm: Over at RSL (Rhino Sec Labs), one of the research projects I’m working on is discovery of assets (subdomains) while minimizing footprint (dns bruteforcing). Datasets include things like:

 

Training gained from internal phishing campaigns

Does it breed internal mis-trust?

Recent campaign findings

Why do it if we know one account is all it takes? Because we know it’s a ‘win’ for security?

 

Outlaw Tech on Science Channel

What’s it about? (let’s talk about the show)

 

http://www.dw.com/en/estonia-buoys-cyber-security-with-worlds-first-data-embassy/a-39168011 - ”Estonia buoys cyber security with world's first data embassy” - interesting

 

https://www.digitalcommerce360.com/2017/05/31/eclinicalworks-will-pay-feds-155-million-settle-false-claims-charges/ -- holy shit

-- Reminds me of the whole emissions scandal from a couple of years back. http://www.roadandtrack.com/new-cars/car-technology/a29293/vehicle-emissions-testing-scandal-cheating/

 

http://securewv.com/cfp.html

 

 

 

OneLogin/Docusign breaches

OneLogin: https://arstechnica.com/security/2017/06/onelogin-data-breach-compromised-decrypted/

Docusign:  https://www.inc.com/sonya-mann/docusign-hacked-emails.html

http://www.spamfighter.com/News-20916-DocuSign-Data-Hack-Resulted-in-Malware-Ridden-Spam.htm

Crowdfunding to buy shadowbroker exploits ended: https://threatpost.com/crowdfunding-effort-to-buy-shadowbrokers-exploits-shuts-down/126010/

 

China's Cybersecurity Law: https://lawfareblog.com/chinas-cybersecurity-law-takes-effect-what-expect

 

Facial recognition for plane boarding:  http://money.cnn.com/2017/05/31/technology/jetblue-facial-recognition/index.html

 

 

Keybase.io’s Chrome plugin  -- Game changer? https://chrome.google.com/webstore/detail/easy-keybaseio-encryption/bhoocemedffiopognacolpjbnpncdegk/related?hl=en

Jun 6, 2017

 

This week, we invited Ms. Jessy Irwin (@jessysaurusrex) on to discuss the issues Small and medium businesses and startups have with getting good training, training that is effective and what can be done to address these issues.

We also go through several ideas for training subjects that should be addressed by training, and what maybe would be addressed by policy.

 

-------

Upcoming BrakeSec Podcast training:

Ms. Sunny Wear - Web App Security/OWASP

14 June - 21 June - 28 June at 1900 Eastern (1600 Pacific, 2300 UTC)

$20 USD on Patreon to attend the class

$9 USD for just the videos to follow along in class

Patreon: https://www.patreon.com/bds_podcast

 

If you want the videos and don’t care about the class, they will be released a week after class is over for free.

 

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Show Notes:

 

http://www.darkreading.com/endpoint/cybersecurity-training-nonexistent-at-one-third-of-smbs-/d/d-id/1328766

I don’t trust articles written with a survey created by a company that is touting their new education track at the bottom of the article. -- brbr

 

https://twitter.com/jessysaurusrex/status/859123589123121152

“So sick of the tired narrative that sec awareness is just about phishing when there are ~10 basic skills we need to be educating people on”

What are the ~10 things?

First off, most corporate security training misses the incentive mark by a mile. If training were refocused in a way that showed the incentives to improving personal safety, we might get somewhere. Teaching people how to take care of themselves first works-- those habits carry over into their work life, not usually the other way around.

 

  1. Passwords
  2. Multifactor authentication
  3. Device encryption
    1. Ad blocking
    2. Browser hardening via extension/plugin
  4. Safe browsing (this breaks into a few different topics)
    1. Phishing doesn't just happen via email anymore: social media inboxes, text message inboxes, messaging apps, etc.
    2. Most users won't come to social engineering defenses on their own-- important to educate and give alternatives that encourage them to confirm information out of band or navigate to a site in their browser
  5. Social engineering (this breaks into a few different topics)
  6. Segmentation/compartmentalizing data + communications
  7. Secure storage(local vs cloud data)
  8. Media storage safety (thumbdrives! Charge-only cables for mobile devices!)
    1. Google Apps + Slack allow for OAuth; most people set it and forget it, don't review what apps can act on their behalf until it's too late
  9. Regularly reviewing permissions granted to apps through oAuth
  10. Backups

 

http://www.zdnet.com/article/sans-security-awareness-study-reveals-technical-communication-skills-and-proper-resourcing-critical/

The report goes onto say that security awareness professionals with more technical backgrounds are more keen to recognizing behaviors that might bring risk, however, at times communications training is critical given that human interaction soft skills make changing risky employee behavior. They know what behaviors are the most effective in managing those risks. Often however, the challenge is that these same individuals often lack the skills or training to effectively communicate those risks and engage employees in a manner that effectively changes behavior.”  summed up our entire industry in this paragraph --brbr

  

https://securingthehuman.sans.org/resources/security-awareness-report-2017

^^^^ saw this on Twitter yesterday -brbr

 

Key takeaways:

 

The study recommends the following for addressing communications:

 

  • Communicate to leadership monthly about your security awareness program -- in a way that business leaders will value.
  • Find a strong champion within leadership, and ask them to help relay the program value to other leaders, or assist with message crafting.
  • Partner with those in the org that you've found to appreciate and adhere to security awareness inputs, especially those who can help partner on better communications.
  • Take communications training; they can be easily developed with the right focus.
  • Align with human resources to ensure an awareness program is tied into company culture.
  • Keep an eye on your audience, as it grows and shift, and recognize that the same message that works for developers may not be effective for marketing, and vice versa. A one-size-fits-all communications approach can be limiting. 

 

You writing a book?

 

I've been working on a book about security that's focused on education and communication. We do such a horrible job at this-- we don't do very much that helps the average person or our non-technical, non-expert colleagues have a chance at being successful online. Our terms are too technical, our framing is unbelievably negative and toxic, and the lack of empathy for the people at the other end of the computer is absolutely astounding. It is entirely fixable, but we all have to stop contradicting one another and really start working together. :)

 

You make it sound so bleak and self-destructive :|

I would like to hope that we can get better.

 

Oh yea, the echo chamber, “who has the right answer?” no one, we all just have pieces...

Yes! And sometimes the right answer changes very, very quickly! It's less about the silver bullet answer and more about what we’re defending from and hoping to accomplish.

 

Are SMBs the issue?

Are they more insecure than bigger companies?

Or do bigger companies get more media coverage?

 

Are bigger companies any better at training employees?

Or are they better at ‘checking’ the box?

 

If we take the statement ‘paid for security training sucks’ as a given, what do we do about it?

What trainings should we be giving?

  

And what training should actually be policy driven? (make it a requirement to follow)

Clean desk

Password manager

Coding practices

Acceptable use

Device encyption

2FA/MFA

 

What training do infosec people need? How important are the soft skills to help with communicating?

May 30, 2017

We discuss SANS courses, including the one I just took (SEC504). How did I do in class? You can listen to the show and find out.

Since it's been a few weeks, we also discuss all the interesting WannaCry reports, the ease at which this vulnerability was exploited, and why would a company allow access to SMB (tcp port 445) from the Internet?

We discuss some upcoming training that we are holding starting 14 June. Ms. Sunny Wear will be doing 3 sessions discussing the use of Burp, and showing how to exploit various web application vulnerabilities.  Details are in the show notes and in our Slack Channel.

 

Ms. Sunny Wear is doing a web app security class

Starts June 14th at 1900 Eastern (1600 Pacific, 2300 UTC) 

Sign up for the class at the $20 dollar Patreon level (if you plan on attending)

Sign up for immediate video access at the $10 Patreon level (cannot attend class, but want to follow along)

Everyone will have access to the Slack Channel to follow along with the class, ask questions, etc (join our #slack channel for more information)

https://www.patreon.com/bds_podcast

 

Direct Link:   http://traffic.libsyn.com/brakeingsecurity/2017-018-SANS_course-EternalBlue-Samba-DerbyCon.mp3

RSS: www.brakeingsecurity.com/rss

 

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 SHOW NOTES:

 

SANS experience

Pity Quincenera - I (bryan) sucked

Need more experience

Speed kills (I (bryan) got flustered and I shutdown) you took speed?

No Kali - was surprised, until I thought of why :D

Was not helpful to my team (jacek, ryan, Michael C., David)

John Strand was phenomenal

Frank Kim was great

The audio was not, unfortunately :(

 

 

Samba/SMB (port 445) vulns

Use case for having it exposed?

**** OPEN TO SUGGESTIONS *****

What does that say about the company?

No security team, or the security team is ineffectual about telling people about the risks?

What

MS17-010 is the new MS08-067

http://thehackernews.com/2017/05/samba-rce-exploit.html

Over 400,000 open to the web

https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

 

Training announcement:

 

Ms. Sunny Wear doing a web app security class

Starts June 14th

Sign up for the class at the $20 dollar Patreon level

Sign up for immediate video access at the $10 Patreon level 

https://www.patreon.com/bds_podcast

 

 

Who’s Slide is it Anyways? @ImprovHacker

https://docs.google.com/forms/d/e/1FAIpQLSeLS0barWRdKVjPPyZ82lvC0UQMaDTJXRwF11qItlbZOrrf6A/viewform?c=0&w=1

 

#infosec #podcast #webAppSec #application #security

May 9, 2017

 Zero trust networking may be a foreign concept to you, but Google and others have been utilizing this method of infrastructure and networking for quite a while now. It stands more traditional networking on it's head by not having a boundry in the traditional sense. There's no VPN, no ACLs to audit, no firewall to maintain... Sounds crazy right?

Well, it's all about trust, or the lack of it. No one trusts anyone without a proper chain of permission. Utilizing 2FA, concepts of port knocking, and CA certificates are used to properly vet both the host and the server and are used to keep the whole system safe and as secure as possible.

Sounds great right? Well, and you can imagine, with our interview this week, we find out that it's not prefect, people have to implement their own Zero Trust Networking solution, and unless you are a mature organization, with things like complete asset management, data flow, and configuration management, you aren't ready to implement it.

Join us as we discuss Zero Trust Networking with Doug Barth (@dougbarth), and Evan Gilman (@evan2645)

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-017-Zero_Trust_Networks.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

show notes:

 

The lines are blurring:

 

DevOps

NetOps

SDN

SDP

docker/containerization

2FA authentication

 

https://devcentral.f5.com/articles/load-balancing-versus-application-routing-26129

http://www.darkreading.com/attacks-breaches/zero-trust-the-way-forward-in-cybersecurity/a/d-id/1327827

All good points, except no one wants to do the needful bits (ID’ing information, data flow, proper network design)

https://www.beyondcorp.com/

 

https://en.wikipedia.org/wiki/Software_Defined_Perimeter

 

Where is this Google article???

http://www.tomsitpro.com/articles/google-zerotrust-network-own-cloud,1-2608.html

https://cloud.google.com/beyondcorp/

https://www.theregister.co.uk/2016/04/06/googles_beyondcorp_security_policy/

 

Who benefits from this? Network engineers, apparently… :)

Devs?

IT?

Sounds like a security nightmare… who would get the blame for it failing

 

How do we keep users from screwing up the security model? Putting certs on their personal boxes?

 

Prior BrakeSec shows:  Software Defined Perimeter with Jason Garbis

http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3

 

http://shop.oreilly.com/product/0636920052265.do

 

Doug Barth Twitter: @dougbarth

 

Evan Gilman Twitter:  @evan2645

 

Runs counter, right? We are used to not trusting the client…

 

A Mature company can only implement

Device inventory

Config management

Data flow

Asset management

 

Micro-services?  

Brownfield networks

Sidecar model -

Certain OSes not possible

1 2 3 4 5 6 7 Next » 9