Info

Brakeing Down Security Podcast

A podcast all about the world of Security, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.
RSS Feed Subscribe in iTunes
Brakeing Down Security Podcast
2017
March
February
January


2016
December
November
October
September
August
July
June
May
April
March
February
January


2015
December
November
October
September
August
July
June
May
April
March
February
January


2014
December
November
October
September
August
July
June
May
April
March
February
January


All Episodes
Archives
Now displaying: Page 3
Mar 14, 2016

Download Here: http://traffic.libsyn.com/brakeingsecurity/2016-011-Hector_Monsegur-bug_bounties-serialization.mp3

iTunes Direct Link: https://itunes.apple.com/us/podcast/2016-011-hector-monsegur-serialization/id799131292?i=364768504&mt=2

Hector Monsegur has had a colorful history. A reformed black hat who went by the name 'Sabu' when he was involved in the hacker collectives "Lulzsec" and "Anonymous", he turned state's evidence for the FBI, working to stop further hacking attempts by the same people he was working with.

https://en.wikipedia.org/wiki/Hector_Monsegur

This week, we got to sit down with Hector, to find out what he's been doing in the last few years. Obviously, a regular job in the security realm for a large company is not possible for someone with a colorful past that Mr. Monsegur has. So we discuss some of the methods that he's used to make ends meet.

Which brings us to the topic of bug bounties. Do they accomplish what they set out to do? Are they worth the effort companies put into them? And how do you keep bounty hunters from going rogue and using vulnerabilities found against a company on the side?

In an effort to satisfy my own curiosity, I asked Hector if he could explain what a 'deserialization' vulnerability is, and how it can be used in applications. They are different than your run of the mills, every day variety OWASP error, but this vulnerability can totally ruin your day...

https://www.contrastsecurity.com/security-influencers/java-serialization-vulnerability-threatens-millions-of-applications

https://securityintelligence.com/one-class-to-rule-them-all-new-android-serialization-vulnerability-gives-underprivileged-apps-super-status/

Finally, we ask Hector some advice for that 'proto black hat' who is wanting to head down the road that Hector went. The answer will surprise you...

We hope you enjoy this most interesting interview with a enigmatic and controversial person, and hope that the information we provide gives another point of view into the mind of a reformed "black hat" hacker...

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

#infosec, #blackhat, hector #monsegur, #hacker, #anonymous, #lulzsec, #FBI, #Sabu, #deserialization, #bug #bounties, #hackerone, #bugcrowd, #podcast, #de-serialization, #penetration tests, #social #engineering, #CISSP

Mar 7, 2016

DNS... we take it for granted... it's just there. And we only know it's broken when your boss can't get to Facebook. 

This week, we discuss the Domain Naming System (DNS). We start with a bit of history, talking about the origins of DNS, some of the RFCs involved in it's creation, how it's hierarchical structure functions to allow resolution to occur, and even why your /etc/hosts is important. 

We discuss some of the necessary fields in your DNS records. MX, ALIAS, CNAME, SOA, TXT, and how DNS is used for non-repudiation in email.

We also touch on how you can use DNS to enumerate an external network presence when you are the red team, and what you should know about to make it harder for bad actors to not use your external DNS in amplification attacks.

Finally, you can't have a discussion about DNS without talking about how to secure your DNS implementation. So we supply you with a few tips and best practices. 

Plenty of informational links down below, including links to the actual RFCs (Request for Comment) which detail how DNS is supposed to function. Think of them as the owner's manual for your car.

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-010-DNS_Reconnaissance.mp3

#iTunes: https://itunes.apple.com/us/podcast/2016-010-dns-reconnaissance/id799131292?i=364331694&mt=2

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

 

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

Podcast Links we used for information:

http://www.slideshare.net/BizuworkkJemaneh/dns-42357401

300+ million domains registered: https://www.verisign.com/en_US/internet-technology-news/verisign-press-releases/articles/index.xhtml?artLink=aHR0cDovL3ZlcmlzaWduLm13bmV3c3Jvb20uY29tL2FydGljbGUvcnNzP2lkPTIwMTIwNTI%3D

https://technet.microsoft.com/en-us/library/cc770432.aspx

http://security-musings.blogspot.com/2013/03/building-secure-dns-infrastructure.html

http://tldp.org/HOWTO/DNS-HOWTO-6.html

https://en.wikipedia.org/wiki/Domain_Name_System

https://en.wikipedia.org/wiki/DNS_spoofing

http://www.esecurityplanet.com/network-security/how-to-prevent-dns-attacks.html

http://www.firewall.cx/networking-topics/protocols/domain-name-system-dns/161-protocols-dns-response.html

http://www.thegeekstuff.com/2012/05/ettercap-tutorial/

https://isc.sans.edu/forums/diary/New+tricks+that+may+bring+DNS+spoofing+back+or+Why+you+should+enable+DNSSEC+even+if+it+is+a+pain+to+do/16859/

https://support.google.com/a/answer/48090?hl=en

http://www.ecsl.cs.sunysb.edu/tr/TR187.pdf

https://tools.ietf.org/html/rfc882

https://tools.ietf.org/html/rfc883

https://tools.ietf.org/html/rfc1034

https://tools.ietf.org/html/rfc1035

 

Feb 29, 2016

We've reached peak "Br[i|y]an" this week when we invited our friend Brian Engle on to discuss what his organization does. Brian is the Executive Director of the Retail Cyber Intelligence Sharing Center. 

"Created by retailers in response to the increased number and sophistication of attacks against the industry, the R-CISC provides another tool in retailers’ arsenal against cyber criminals by sharing leading practices and threat intelligence in a safe and secure way." -- R-CISC website

To learn more, visit https://r-cisc.org/  

We discussed with Brian a bit of the history of the #R-CISC, and why his organization was brought into being. We ask Brian "How do you get companies who make billions of dollars a year to trust another competitor enough to share that they might have been compromised?" "And how do you keep the information sharing generic enough to not out a competitor by name, but still be actionable enough to spur members to do something to protect themselves?"

Other links:

Veris framework Mr. Boettcher mentions: http://veriscommunity.net/

TAXII protocol: https://taxiiproject.github.io/

STIX https://stixproject.github.io/

https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari

https://www.paloaltonetworks.com/company/press/2015/palo-alto-networks-joins-the-retail-cyber-intelligence-sharing-center-in-newly-launched-associate-member-program.html

http://www.darkreading.com/cloud/r-cisc-the-retail-cyber-intelligence-sharing-center-signs-strategic-agreement-with-fs-isac-to-leverage-services-and-technologies-for-growth/d/d-id/1320363

 

 

Comments, Questions, Feedback: bds.podcast@gmail.com

 

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-009-brian_engle_rcisc_information_sharing.mp3

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

iTunes: https://itunes.apple.com/us/podcast/2016-009-brian-engle-information/id799131292?i=364002695&mt=2

#actionable, #brian, #engle, #cissp, #cpes, #data, #financial, #infections, #isac, #malware, #podcast, #rcisc, #retail, #security, #infosec, #threat #intelligence

 

Photo of Brian Engle courtesy of https://r-cisc.org

 

**I (Bryan) apologize for the audio. I did what I could to clean it up. Seriously don't know what happened to screw it up that badly. I can only imagine it was bandwidth issues on my Skype connection**

Feb 22, 2016

This week's super-sized episode is brought to us thanks to previous guest Cheryl Biswas. You might remember her from our "Shadow IT" (http:/brakeingsecurity.com/2015-048-the-rise-of-the-shadow-it) podcast a few months ago. She reached out to us to see if we were interested in doing a podcast on mainframe security with her and a couple of gentlemen that were not unknown to us.

Of course we jumped at the chance! You might know them as @mainframed767 and @bigendiansmalls (Chad) on Twitter. They've been trying to get people to be looking into mainframes and mainframe security for years. Mainframes are usually used by financial organizations, or older organizations. In many cases, these systems are managed by a handful of people, and you will have little or no help if you are a red teamer or pentester to make sure these systems are as secured as they possibly can.

So, Cheryl (@3ncr1pt3d), @bigendiansmalls, and @mainframed767 (Philip) walk us through how a mainframe functions. We discuss what you might see when a scan occurs, that if runs a mainframe OS, and a Linux 'interface' OS.

We also discuss methods you can use to protect your organization, and methods you can use as a redteamer to learn more about mainframes.

Chad's talk at DerbyCon 2015: https://www.youtube.com/watch?v=b5AG59Y1_EY

Chad discussing mainframe Security on Hak5: https://www.youtube.com/watch?v=YBhsWvlqLPo

Linux for mainframes: http://www-03.ibm.com/systems/linuxone/

Philip's talks on Youtube: https://www.youtube.com/playlist?list=PLBVy6TfEpKmEL56fb5AnZCM8pXXFfJS0n

 

Brian and I wish to thank Cheryl for all her help in making this happen. You can find her blog over at Alienvault's site... https://www.alienvault.com/blogs/author/cheryl-biswas

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Tumblr: http://brakeingdownsecurity.tumblr.com/

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast

 

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-008-mainframe_secruity.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-008-mainframe-security/id799131292?i=363392103&mt=2

 

Feb 14, 2016

We first heard about FingerprinTLS from our friend Lee Brotherston at DerbyCon last September. Very intrigued by how he was able to fingerprint client applications being used, we finally were able to get him on to discuss this. 

We do a bit of history about #TLS, and the versions from 1.0 to 1.2

Lee gives us some examples on how FingerprintTLS might be used by red teamers or pentest agents to see what applications a client has on their system, or if you're a blue team that has specific application limitations, you can find out if someone has installed an unauthorized product, or you could even block unknown applications using this method by sensing the application and then creating an IPS rule from the fingerprint.

Finally, something a bit special... we have a demo on our Youtube site that you can view his application in action! 

Video demo: https://youtu.be/im6un0cB3Ns

 

 

https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie-Hellman_Key_Exchange.svg/2000px-Diffie-Hellman_Key_Exchange.svg.png

http://blog.squarelemon.com/tls-fingerprinting/

https://github.com/LeeBrotherston/tls-fingerprinting

http://www.slideshare.net/LeeBrotherston/tls-fingerprinting-sectorca-edition

https://www.youtube.com/watch?v=XX0FRAy2Mec

http://2015.video.sector.ca/video/144175700

Cisco blog on malware using TLS... http://blogs.cisco.com/security/malwares-use-of-tls-and-encryption

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Tumblr: http://brakeingdownsecurity.tumblr.com/

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast

iTunes: https://itunes.apple.com/us/podcast/2016-007-fingerprintls-profiling/id799131292?i=362885277&mt=2

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-007-FingerprinTLS_with_Lee_Brotherston.mp3

Feb 8, 2016

This week starts with an apology to Michael Gough about comments I (Bryan) mangled on the "Anti-Virus... What is it good for?" podcast. Then we get into the meat of our topic... a person's "Moxie" vs. a mechanism

Moxie: noun 

 "force of character, determination, or nerve."

 

Automation is a great thing. It allows us to do a lot more work with less personnel, run mundane tasks without having to think about them, and even allow us to do security scans on web applications and assets in your enterprise.

But is our dependence on these tools making us lazy, or giving us a false sense of security? What is the 'happy medium' that we should find when deciding to spend the GDP of a small country for the latest compliance busting tool, or spend the necessary Operational Expenditure (OpEx) for a couple of junior personnel or a seasoned professional.

Mr. Boettcher and I discuss over-reliance, blindly trusting results, and what can happen when you have too much automation, and not enough people around to manage those tools.

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Tumblr: http://brakeingdownsecurity.tumblr.com/

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-006-Moxie_vs_Mechanism-dependence_on_tools.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-006-moxie-vs-mechanism/id799131292?i=362373544&mt=2

Feb 3, 2016

After we interviewed Jay Schulman on our podcast, Mr. Boettcher and I did his podcast!  Listen to both of us share our bios and learn how Mr. Boettcher and I met, and how our unorthodox ways of getting into information security can show that anyone can move into that space...

https://www.jayschulman.com/episode15/

 

Jay has conducted other interviews with some great people, and he creates some great blog posts. Please check out his site at https://www.jayschulman.com

You can also hear our discuss BSIMM and learn a bit more about Jay from our podcast as well...

http://brakeingsecurity.com/2016-001-jay-schulmann-explains-bsimm-usage-in-the-sdlc

Jan 30, 2016

Brakeing Down Security had the pleasure of having Patrick Heim join us to discuss a number of topics.

We discussed a number of topics:

Cloud migrations

What stops many traditional #companies from moving into #cloud based operations? What hurdles do they face, and what are some pitfalls that can hamper a successful #migration?

We touched briefly on #BYOD and the use of personal devices in a business environment, as well as #Dropbox's deployment of optional #2FA and using #U2F keys for additional #authentication measures.

Finally, as an established leader in several major #companies, we pick Mr. #Heim's brain about qualities of a leader. Can you self-diagnose if you'll be a good manager? And what does Mr. Heim look for when hiring qualified candidates.

It was a pleasure having Mr. Patrick Heim on and Brakeing Down #Security thanks him for his valuable time.

Some #articles we drew upon for questions to ask Mr. Heim:

http://blogs.wsj.com/cio/2015/05/01/dropbox-is-not-part-of-security-problem-says-new-security-chief/

http://www.itpro.co.uk/cloud-storage/24894/dropbox-users-may-get-free-storage-if-they-adopt-stronger-security

http://www.computerworld.com/article/2489977/security0/boost-your-security-training-with-gamification-really.html

http://www.computerworlduk.com/news/cloud-computing/dropbox-working-on-fido-keys-ensure-top-notch-security-3618267/

http://www.darkreading.com/operations/building-a-winning-security-team-from-the-top-down/a/d-id/1322734

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Tumblr: http://brakeingdownsecurity.tumblr.com/

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast

#iTunes: https://itunes.apple.com/us/podcast/2016-005-dropbox-chief-trust/id799131292?i=361604379&mt=2

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-005-Dropbox_Chief_of_Security_and_Trust_Patrick_Heim.mp3

Partick Heim image courtesy of darkreading.com

Jan 24, 2016

BrakeSec Podcast welcomes Bill Gardner this week! Author, InfoSec Convention Speaker, and fellow podcaster...

We break a bit from our usual rigid methods, and have a good ol' jam session with Bill this week. We talk about vulnerability management, career management, the troubles of putting together a podcast and more!

 

Bill's Twitter: https://www.twitter.com/oncee

Bill's books he's authored or co-authored: http://www.amazon.com/Bill-Gardner/e/B00MZ9P0IG/ref=sr_ntt_srch_lnk_2?qid=1453607145&sr=1-2

(non-sponsored link)

Bill's "Reboot It" Podcast: http://www.rebootitpodcast.com/

 

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

 

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-004-Bill_Gardner.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-004-bill-gardner/id799131292?i=361222239&mt=2

Jan 18, 2016

#Anti-virus products... they have been around for as long as many of us have been alive. The first anti-virus program, "The Reaper" was designed to get rid of the first virus 'The Creeper' by Ray Tomlinson in 1971.

This week, we discuss the efficacy of anti-virus. Is it still needed? What should blue teamers be looking for to make their anti-virus work for them.  And what options do you have if you don't want to use anti-virus?

We also argue about whether it's just a huge industry selling snake oil that is bolstered by #compliance #frameworks, like #PCI?

#mcafee,#symantec,#panda,#avg,#kaspersky,#logging,#siem 

*NEW* we are on Stitcher!: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/

BrakeSec #Podcast #Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-003-AntiVirus_what_is_it_good_for.mp3

Itunes:https://goo.gl/Jk3CxU

 

Jan 11, 2016

This week, we find ourselves understanding the #Cryptonite that can weaken devs and software creators when dealing with #cryptographic #algorithms and #passwords. Lack of proper crypto controls and hardcoded passwords can quickly turn your app into crap.

Remember the last time you heard about a hardcoded #SSH private key, or have you been at work when a developer left the #API keys in his #github #repo?

We go through some gotchas from the excellent book "24 Deadly Sins of Software Security". Anyone doing a threat analysis, or code audit needs to check for these things to ensure you don't end up in the news with a hardcoded password in your home router firmware, like these guys: https://securityledger.com/2015/08/hardcoded-firmware-password-sinks-home-routers/

 

Book:

http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751

Show Notes:

https://docs.google.com/document/d/1MUPj8CCzDodik61_1K8lCKywkv0JbfBkve20rxwbmzE/edit?usp=sharing

*NEW* we are on Stitcher!: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

Comments, Questions, Feedback: bds.podcast@gmail.com

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-002-Cryptonite.mp3

iTunes: https://itunes.apple.com/us/podcast/2016-002-cryptonite-or-how/id799131292?i=360440391&mt=2

 

Jan 3, 2016

#Jay #Schulman is a consultant with 15+ years of experience in helping organizations implementing #BSIMM and other compliance frameworks.  For our first #podcast of 2016, we invited him on to further discuss and how he has found is the best way to implement it into a company's #security #program.

 

Jay Schulman's #website: https://www.jayschulman.com/

Jay's Podcast "Building a Life and Career in Security" (iTunes): https://itunes.apple.com/us/podcast/building-life-career-in-security/id994550360?mt=2&ls=1

Jay's Twitter: https://twitter.com/jschulman

 

 

TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Bryan's Twitter: http://www.twitter.com/bryanbrake

Brian's Twitter: http://www.twitter.com/boettcherpwned

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

iTunes Link: https://itunes.apple.com/us/podcast/2016-001-jay-schulmann-explains/id799131292?i=360028388&mt=2

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-001-JaySchulman-BSIMM.mp3

Dec 27, 2015

Dave Kennedy does a lot for the infosec community. As owner/operator of 2 companies (Binary Defense Systems and Trusted Security), he also is an organizer of #DerbyCon and active contributor to the Social Engineering ToolKit (#SET).  You can also find him discussing the latest hacking attempts and breaches on Fox News and other mainstream media outlets.

But this time, we interview Dave Kennedy because he has been elected to the ISC2 board. He will be serving a 3 year term with Wim Remes (who we interviewed a couple of weeks ago) and others to improve #ISC2 processes, and to make #CISSP and other certs more competitive in the #infosec/IT community.

And yes... we find out about what is going on with DerbyCon and get some updates with what will happen in the next DerbyCon.

 

iTunes Link: https://itunes.apple.com/us/podcast/2015-054-dave-kennedy/id799131292?i=359677576&mt=2

TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

Dec 22, 2015

This week, we went off the tracks a bit with our friends at Defensive Security Podcast, and PVC Security Podcast. We discussed a bit of news, talked about how our podcasts differ from one another, the 'lack of infosec talent', and sat around talking about anything we wanted to.

Sit back with some eggnog, and let your ears savor the sounds of the season.  Many thanks to Andrew Kalat, Jerry Bell, Edgar Rojas, Paul Jorgensen, and co-host Brian Boettcher for getting together for some good natured fun.

WARNING: There is adult language, and themes, so if you have little ones around, you might want to skip this one until after bedtime.

Happy Holidays from Brakeing Down Security Podcast.

Dec 17, 2015

I got a hold of Mr. Wim Remes, because he was elected to the ISC board in November 2015.  Recent changes to the CISSP included changing the long-standing 10 domains down to 8 domains, plus a major revamp to all of them.

I wanted to know what Mr. Remes' plans were for the coming term, how the board works, and how organizations like ISC2 drive change in the industry. I also asked Wim how he is trying to ensure that CISSP and the other certs are going to remain current and competitive.

This is a great interview if you're looking to get your #CISSP or any other ISC2 cert, or you currently have an #ISC2 #certification and want to get knowledge of the workings of ISC2 and the board.

 

Mr. #Remes' Twitter: @wimremes

ISC2 official site: http://www.isc2.org

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-052-wim_remes-isc2.mp3

iTunes: https://itunes.apple.com/us/podcast/2015-052-wim-remes-isc2-board/id799131292?i=359103338&mt=2

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

Dec 10, 2015

#MITRE has a Matrix that classifies the various ways that your network can be compromised. It shows all the post-exploitation categories from 'Persistence' to 'Privilege Escalation'. It's a nice way to organize all the information.

This week, Mr. Boettcher and I go over "#Persistence" and "#Command and #Control" sections of the Matrix. 

Every person who attacks you has a specific method that they use to get and keep access to your systems, it's as unique as a fingerprint. Threat intelligence companies call it TTP (#Tactics, #Techniques, and #Procedures), we also discuss the Cyber #KillChain, and where it came from.

#ATT&CK Matrix: https://attack.mitre.org/wiki/Main_Page

Tactics, Techniques, and Procedures (shows patterns of behavior) https://en.wikipedia.org/wiki/Terrorist_Tactics,_Techniques,_and_Procedures

http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf -- Cyber Kill Chain paper that inspired the ATT&CK Matrix

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-051-ATTACK_Matrix.mp3

iTunes: https://itunes.apple.com/us/podcast/2015-051-mitres-att-ck-matrix/id799131292?i=358670845&mt=2

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

Dec 4, 2015

That's the question many think is an automatic 'yes'.  Whether your Httpd is running on port 82, or maybe your fancy #wordpress #module needs some cover because the code quality is just a little lower than where it should be, and you need to cover up some cruft

This week, Mr. Boettcher and I discuss reasons for obscuring for the sake of #security, when it's a good idea, and when you shouldn't #obscure anything (hint: using #ROT-14, for example)

#encryption #infosec

Show Notes:  https://docs.google.com/document/d/1PioC2hnQHhm5Xd1SCT4ewvZmZiLcE5pGQuif4Tuk_zE/edit?usp=sharing

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-049-Security_by_Obscurity.mp3

Mr. Boettcher's Twitter: http://www.twitter.com/boettcherpwned

Bryan's Twitter: http://www.twitter.com/bryanbrake

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

Nov 27, 2015

Cheryl Biswas gave a great talk last month at Bsides Toronto.  I was intrigued by what "Shadow IT" and "Shadow Data" means, as there appears to be some disparity. Why can't you write policy to enforce standards? As easy as it sounds, it's quickly becoming a reason young talented people might skip your company. Who wants to use Blackberries and Gateway laptops, when sexy new MacBook Airs and iPhone 6S exist?

This also leads to the issue of business data being put on personal devices, which as anyone knows can cause a whole host of additional issues. Malware installed on personal devices can make for sharing business secrets a cinch.

So, while Mr. Boettcher was working, I managed to wrangle a quick interview with Cheryl out of her offices in Toronto, Ontario.

Cheryl gave us some great audio, and when you're done, you can watch her Bsides Toronto talk.  

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-048-Cheryl_Biswas_Shadow_IT.mp3

iTunes Link: https://itunes.apple.com/us/podcast/2015-048-rise-shadow...-it!/id799131292?i=357889684&mt=2

Cheryl's Twitter: https://www.twitter.com/3ncr1pt3d

Cheryl's BsidesTO talk: https://www.youtube.com/watch?v=q0pNWpWFKBc

 

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

Nov 21, 2015

Business Security in Maturity Model (#BSIMM) is a #framework that is unique in that it gives your company a measuring stick to know how certain industry verticals stack to yours...

We didn't want to run through all 4 sections of the BSIMM, so this time, we concentrated on the #software #security standards, the "Deployment" section specifically...

BSIMMV6 download (just put junk in the fields, and download ;) ): https://www.bsimm.com/download/

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-047_BSIMM.mp3

iTunes: https://itunes.apple.com/us/podcast/2015-047-using-bsimm-framework/id799131292?i=357545342&mt=2

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Join our Patreon!: https://www.patreon.com/bds_podcast

Comments, Questions, Feedback: bds.podcast@gmail.com

 

 

 

Nov 10, 2015

During our last podcast with Bill Sempf (@sempf), we were talking about how to get developers to understand how to turn a vuln into a defect and how to get a dev to understand how vulns affect the overall quality of the product.

 

During our conversation, a term "ASVS" came up. So we did a quick and dirty session with Bill about this.  It's a security #requirements #document that ensures that projects that are being scoped out are meeting specific security requirements. This can be a valuable ally when your company is creating products or software applications. Bill explains with us this week exactly how you incorporate this into your Secure #SDLC #lifecycle

 

#project #management #security #architect

Direct Link: http://traffic.libsyn.com/brakeingsecurity/sempf2.mp3

iTunes Link: https://itunes.apple.com/us/podcast/2015-046-getting-security/id799131292?i=356958476&mt=2

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Bill's Bside Columbus talk on ASVS: http://www.irongeek.com/i.php?page=videos/bsidescolumbus2015/defense00-got-software-need-a-security-test-plan-got-you-covered-bill-sempf

Bill's Blog: http://www.sempf.net

Bill's Twitter: http://www.twitter.com/sempf

BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Nov 4, 2015

When you receive a #pentest or vuln scan report, we think in terms of #SQLi or #XSS. Take that report to your dev, and she/he sees Egyptian hieroglyphics and we wonder why it's so difficult to get devs to understand.

It's a language barrier folks. They think terms of defects or how something will affect the customer experience. We think in terms of #vulnerabilities, and what caused the issue. We need to find that common ground, and often, that will mean us heading into unfamiliar territory. It doesn't have to be 'us vs. them'. We are supposed to be a team. 

Join us this week as we discuss that very topic with Bill #Sempf. Bill has spent nearly 25 years doing software development and security, working as an independent contractor for dozens of companies on hundreds of #software #projects. He helps us figure out how to speak 'dev', and to develop a mindset that will ensure you can get the most out of interactions with developers and coders.

Show notes: http://brakeingsecurity.com/2015-045-care-and-feeding-of-devs-podcast-edition-with-bill-sempf

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-045_Bill_Sempf-care_and_feeding_of_devs.mp3

Itunes: https://itunes.apple.com/us/podcast/2015-045-care-feeding-devs/id799131292?i=356366452&mt=2

Bill's #DerbyCon Talk "#Developers: Care and Feeding":

http://www.irongeek.com/i.php?page=videos/derbycon5/teach-me11-developers-care-and-feeding-bill-sempf

Bill's Blog: https://sempf.net/

Bill's Twitter: http://www.twitter.com/sempf

Check us out using the #TuneIn App!: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

#RSS: http://www.brakeingsecurity.com/rss

 

Oct 30, 2015

It's a madhouse this week! We invited Ben Donnelly (@zaeyx) back to discuss a new software framework he's crafted, called #MAD Active Defense. Ben wants to make Active Defense simple enough for even the busiest blue teamer.

The interface takes it design from other well known #software frameworks, namely #Metasploit, #REcon-ng, and even a bit of #SET, he said.

We even did a quick demo of MAD, discussed the tenets of #Active #Defense, and talked about a little skunkworks project of Ben's that you will find enjoyable.

Direct Link: http://brakeingsecurity.com/2015-044-a-mad-mad-mad-mad-world-with-ben-donnelly

Promethean Security MAD GitHub: https://github.com/PrometheanInfoSec/MAD

Demo Video (~110MB): http://traffic.libsyn.com/brakeingsecurity/MAD_Ben_edited.mkv

Backup Demo Download (gDrive) site (~110MB): https://goo.gl/FtWlCM

Check us out using the TuneIn App!: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

RSS: http://www.brakeingsecurity.com/rss

#activeDefense #blueTeam #intrusionDefense #benDonnelly

 

Oct 22, 2015

WMI (Windows Management Instrumentation) has been a part of the Windows Operating system since Windows 95. With it, you can make queries about information on hosts, locally and even remotely.

Why are we talking about it? It's use in the enterprise and by admins is rarely used, but it's use in moving laterally by bad actors is growing in it's use.  It's highly versatile, able to be scripted, and can even be used to cause triggers for when other programs run on a system. 

Mr. Boettcher and I sit down and discuss the functions of #WMI, it's history, what classes and objects are, and ways you can leverage WMI to make your admins job much easier.

#assetmanagement #remotemanagement #wbem #wmi #windows

DerbyCon WMI talk: http://www.irongeek.com/i.php?page=videos/derbycon5/break-me12-whymi-so-sexy-wmi-attacks-real-time-defense-and-advanced-forensic-analysis-matt-graeber-willi-ballenthin-claudiu-teodorescu

Wbemtest: http://blogs.technet.com/b/chad/archive/2012/03/08/tip-45-wbemtest-the-underappreciated-tool.aspx

WMI documentation: https://msdn.microsoft.com/en-us/library/aa384642(v=vs.85).aspx

TuneIn podcast Link: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

RSS: http://www.brakeingsecurity.com/rss

 

Show notes

Oct 14, 2015

Just before #Derbycon, we invited Michael Gough (@hackerhurricane) to join us on the #podcast. 

For the last 3-4 months, my co-host Brian and he were engaged in the creation of a software tool that would make #log #analysis of #windows systems quicker, and together they have achieved that with "Log-MD", short for Log Malicious Discovery.

For hosts infected with #Malware and #bots, they always leave a fingerprint of what they are doing behind. This software takes your system, configures it to get the maximum #logging output possible, then puts everything in a nice readable format, enabling you to filter out known good items, leaving you with bad items, or suspicious activity.  This allows you to analyze #logfiles and find malware in less time than before. This will make #forensics of infected systems faster and more economical.

We do some discussion of #Log-MD, and then we have MIchael demo LOG-MD for us.

Video demo: https://youtu.be/0_J90sOVY8c

log-MD site: http://log-md.com/

RSS: http://www.brakeingsecurity.com/rss

iTunes: https://itunes.apple.com/us/podcast/2015-042-log-md-more-malware/id799131292?i=354715938&mt=2

 

Oct 10, 2015

In our last bit of Derbycon audio, I discussed DerbyCon experiences with Mr. Boettcher, Magen Wu (@tottenkoph), Haydn Johnson (@haydnjohnson), and Ganesh Ramakrishnan (@hyperrphysics).  We find out what they liked, what they didn't like, and you get a lot of great information about packing for a con, things you can do to improve your convention going experience.

Hopefully, you'll hear the amount of fun we had, and find the time to go to a convention. There are literally hundreds, many only few hours by plane away. Some can be found in your own town or within driving distance.

1 « Previous 1 2 3 4 5 6 7 Next » 8