Brakeing Down Security podcast


Mr. Boettcher and I discussed SQLMAP, a tool that can automate the process of pentesting databases and even registries on Windows.  We discuss some functions of the program and why developers should get training on these.

Mr. Boettcher and I talk about how infosec professionals should help educate QA and developers to look at their own processes and incorporate security testing, using tools like sqlmap, into the software lifecycle.

SQLMAP links

SQLMAP Wiki and more detailed documentation - https://github.com/sqlmapproject/sqlmap/wiki

http://sqlmap.org/

https://github.com/sqlmapproject/sqlmap

http://hackertarget.com/sqlmap-tutorial/

https://www.owasp.org/index.php/Automated_Audit_using_SQLMap

http://www.binarytides.com/sqlmap-hacking-tutorial/

http://blog.spiderlabs.com/2013/12/sqlmap-tricks-for-advanced-sql-injection.html

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Direct download: sqlmap_final.mp3
Category:general -- posted at: 4:42 AM

It only gets better in Part 2 of our Interview with Georgia Weidman, Author, Security Researcher and Creator of the Smartphone Pentesting Framework.

She talks about how people underestimate the mobile platform for pentesting purposes, and we even find out that, in addition to teaching a class on exploit development at Black Hat this year, she's going to be helping a great organization overseas.

We also got her talking about some do's and don'ts of pentesting! ;)

Please enjoy!

Georgia's book on No Starch: http://www.nostarch.com/pentesting

on Amazon.com: http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641 (non-sponsored link)

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Direct download: Georgia_audio_p2.mp3
Category:general -- posted at: 4:02 AM

So, I uploaded this little tutorial of nmap, a very nice tool I use on a regular basis, both at home and at work.

I did some basic scans, showed off the command line and the Windows 'Zenmap' version, as well as discussed some regularly used switches.

The next video I do about nmap will discuss more switches, the Nmap Scripting Engine (NSE), and how to format reports and the output nmap provides.

Nmap icon courtesy of livehacking.com

Direct download: Nmap-p1.mp4
Category:general -- posted at: 5:01 AM

We have a real treat for the next two weeks: author and mobile security researcher Georgia Weidman, who we also found out will be providing exploit development training at Black Hat this year.

She is the author of an awesome book "Penetration Testing: A Hands-On Introduction to Hacking" (http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641/ref=sr_1_1?ie=UTF8&qid=1405304124&sr=8-1&keywords=georgia+weidman)

She sat down with us over Skype and gave a nice talk about where she came from, why she wrote the book, and even what she's about to do in the future (that's next week) ;) You'll have to listen next week to find out about the awesome trip she's about to take.

http://www.bulbsecurity.com/

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Direct download: Georgia_audio_p1.mp3
Category:general -- posted at: 2:35 AM

This is the continuation of our podcast from last week with Phil Beyer.

We started out talking about risk registers, and we end the podcast with a little Q&A about positions in companies (Chief Risk Officer, Chief Data Protection Officer), and whether these positions are useful.

Risk registers - http://en.wikipedia.org/wiki/Risk_register

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Direct download: Phil_infosec_essentials_p2.mp3
Category:general -- posted at: 4:41 AM

Hello valued Listener! I want to do another video, and I thought that you might want to decide which one piece of software I highlight. So here are three options:

1. Nikto
2. Nmap
3. OpenVAS

You can send me your choice to my twitter (@bryanbrake) or to my gmail account (bds.podcast@gmail.com).

I will be taking input until 0000 UTC on Sunday July 6th (1800 Saturday 5 July US/Eastern). You can only vote once.

Category:general -- posted at: 5:42 PM

Establishing an Information Security program can make or break an organization. So what do you need to get that started? 

We have friend of the show Phil Beyer come in and discuss with us the five steps of the creation of an Information Security Program.  Join us for Part 1, and next week, we'll finish up with a little Q&A, as well as what a 'risk register' is.

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Direct download: infosec_program_essentials_p1.mp3
Category:general -- posted at: 2:29 AM

We finished up the OWASP Top Ten List. We discussed Injection, XSS, and other goodness.  Find out what makes the Top 5 so special.

http://risky.biz/fss_idiots - Risky Business interview concerning Direct Object Reference and First State Superannuation

http://oauth.net/2/ - Great information on OAUTH 2.0.

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Direct download: OWASP_5-1_final.mp3
Category:general -- posted at: 4:10 AM

As we wade through the morass of the Infosec swamp, we come across the OWASP 2013 report of web app vulnerabilities. Since Mr. Boettcher and I find ourselves often attempting to explain these kinds of issues to people on the Internet and in our daily lives, we thought it would be prudent to help shed some light on these.

So this week, we discuss the lower of the top 10, the ones that aren't as glamorous or as earth shaking as XSS or SQLI, but are gotchas that will bite thine ass just as hard.

Next week is the big ones, the Top 5... all your favorites, in one place!

OWASP Top 10 (2013) PDF:  http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

Costs of finding web defects early (2008): http://www.informit.com/articles/article.aspx?p=1193473&seqNum=6

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Direct download: owasp_6-10.mp3
Category:general -- posted at: 5:21 PM

This is part 2 of our podcast interview with Guillaume Ross, Infosec professional who is well versed with the intricacies of various cloud architectures, whether they are IaaS, PaaS, or SaaS.  This part of the podcast discussed how contracts are established, and we ask if smaller cloud providers have a chance against behemoths like Google, Amazon, and Microsoft.

Links brought up during the interview:

Rich Mogull's $500 Epic fail - https://securosis.com/blog/my-500-cloud-security-screwup

Rich Mogull's write-up on the aftermath and investigation - https://securosis.com/tag/cloud+security

Amazon VPC: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html

Azure Endpoints (how-to): http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/?rnd=1

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/
Direct download: cloud2-final.mp3
Category:general -- posted at: 4:29 AM