Jun 14, 2017
Hector Monsegur (@hxmonsegur on Twitter) is a good friend of the show, and we invited him to come on and discuss some of the #OSINT research he's doing to identify servers without using noisy techniques like DNS brute forcing.
We also discuss EclinicalWorks and their massive fine for falsifying testing of their EHR system, and implications for that. What happens to customers confidence in the product, and what happens if you're already a customer and realize you were duped by them?
We also discuss Hector's involvement with the TV show "Outlaw Tech". Who approached him, why he did it, why it's not CSI:Cyber or "Scorpion" and how it discusses the techniques used by bad guys.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-020-Hector_monsegur_DNS_research_OSINT.mp3
#RSS: www.brakeingsecurity.com/rss
Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw
iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast
Join our #Slack Channel! Sign up at https://brakesec.signup.team
#iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
----------
Show notes:
going beyond DNS bruteforcing and passively discovering assets from public datasets???
Very interested in hearing about this
Straight OSINT, or what?
Hxm: Over at RSL (Rhino Sec Labs), one of the research projects I’m working on is discovery of assets (subdomains) while minimizing footprint (dns bruteforcing). Datasets include things like:
Training gained from internal phishing campaigns
Does it breed internal mis-trust?
Recent campaign findings
Why do it if we know one account is all it takes? Because we know it’s a ‘win’ for security?
Outlaw Tech on Science Channel
What’s it about? (let’s talk about the show)
http://www.dw.com/en/estonia-buoys-cyber-security-with-worlds-first-data-embassy/a-39168011 - ”Estonia buoys cyber security with world's first data embassy” - interesting
https://www.digitalcommerce360.com/2017/05/31/eclinicalworks-will-pay-feds-155-million-settle-false-claims-charges/ -- holy shit
-- Reminds me of the whole emissions scandal from a couple of years back. http://www.roadandtrack.com/new-cars/car-technology/a29293/vehicle-emissions-testing-scandal-cheating/
http://securewv.com/cfp.html
OneLogin/Docusign breaches
OneLogin: https://arstechnica.com/security/2017/06/onelogin-data-breach-compromised-decrypted/
Docusign: https://www.inc.com/sonya-mann/docusign-hacked-emails.html
http://www.spamfighter.com/News-20916-DocuSign-Data-Hack-Resulted-in-Malware-Ridden-Spam.htm
Crowdfunding to buy shadowbroker exploits ended: https://threatpost.com/crowdfunding-effort-to-buy-shadowbrokers-exploits-shuts-down/126010/
China's Cybersecurity Law: https://lawfareblog.com/chinas-cybersecurity-law-takes-effect-what-expect
Facial recognition for plane boarding: http://money.cnn.com/2017/05/31/technology/jetblue-facial-recognition/index.html
Keybase.io’s Chrome plugin -- Game changer? https://chrome.google.com/webstore/detail/easy-keybaseio-encryption/bhoocemedffiopognacolpjbnpncdegk/related?hl=en