7 Minute Security

722 episodes — Page 13 of 15

7MS #121: Migrating from Tumblr to Ghost-Part 2

Part 2 concludes my journey in moving 7ms.us from Tumblr to a Digital Ocean droplet running Ghost. Here are the key resources mentioned during the podcast: How to run multiple Ghost blogs on one DI VPS. The key takeaway here was that I had to upgrade to the $10 droplet (I did a "flexible" resize to add more proc/memory) and then the second instance of Ghost installed fine. Turning on CloudFlare SSL was easy. I chose flexible SSL since I wasn't using a "real" cert. I also wrote a rule to force HTTPS for all connections. And, just for grins, I turned on DNSSEC. Because...why not? :-) I picked a strong root password for my DI droplet, but I still don't like the idea of IPs banging on that connection all day and night. I followed this article on installing Fail2Ban to prevent my SSH login from being abused. There are a few IPs that I want to perma-ban, so I'm going to look through this article and this one which looks a tad easier. You can subscribe to the 7 Minute Security podcast here.

Dec 19, 2015 · 8 min

7MS #120: THE PURGE!

Announcing the 7MS PURGE! I've got a backlog of episodes banked and I want to get caught up for the new year. So I'm going to release one (or maybe more) episodes per day between now and 2016. Plus (spoiler alerts!) in 2016 we're moving to a Monday/Wednesday/Friday release schedule. Yep, 7MS three times a week - thanks for the idea, mom! Subscribe to 7MS on iTunes here.

Dec 18, 2015 · 2 min

7MS #119: Migrating from Tumblr to Ghost-Part 1

In this episode I talk about my adventures in moving my brianjohnson.tv Tumblr content over to a Digital Ocean hosted droplet running Ghost. I think you'll want to check this episode out, because in part 2 I talk about the challenges I faced in hosting multiple Ghost instances on one DI droplet. I will also be talking about how to enable CloudFlare SSL (for free!) as well as enabling Fail2Ban to keep annoying people/IPs from brute forcing your SSH root account!

Dec 17, 2015 · 8 min

7MS #118: Should Phishing be Fair?

This episode discusses an important and rhetorical (to me) infosec question: Should phishing campaigns be "fair?"

Dec 15, 2015 · 7 min

7MS #117: OFFTOPIC-Alive Inside

Today I talk about one of the most moving films I've ever seen - a documentary called Alive Inside.

Dec 10, 2015 · 7 min

7MS #116: Tips for a Successful Vulnerability Scan

In this episode I complain about getting stuck in NY for two days, and also how to efficiently scan for vulnerabilities when your time is crunched.

Dec 8, 2015 · 14 min

7MS #115: OFFTOPIC-Love and Mercy

We're going off-topic today and talking about the new(ish) movie about Brian Wilson's life called Love and Mercy.

Dec 4, 2015 · 7 min

7MS #114: PCI Pentesting 101-Part 3

Part 3 on my series about PCI pentesting. Yeah. That.

Dec 2, 2015 · 7 min

7MS #113: Big Bag of Random Security Stuff

Yep, this episode is EXACTLY what the title implies.

Nov 27, 2015 · 10 min

7MS #112: This is Sparta!

This episode is about one of my favorite enumeration tools called Sparta - it's built right into Kali 2. And maybe it was in Kali 1 and I totally missed it. But whatevs. I'm happy to have found it now!

Nov 25, 2015 · 8 min

7MS #111: Hacking WPA Enterprise-Part 2

The thrilling (?) conclusion of my experience hacking WPA Enterprise.

Nov 20, 2015 · 6 min

7MS #110: Hacking WPA Enterprise-Part 1

This episode is about my experience hacking WPA enterprise. Huge mega tiger uppercut thanks to this site for giving me the fixes I needed to get this working on Kali2! https://warroom.securestate.com/index.php/evil-twin-attack-using-hostapd-wpe/

Nov 17, 2015 · 8 min

7MS #109: OFFTOPIC-It Follows and Backcountry

Movie reviews of It Follows and Backcountry.

Nov 13, 2015 · 7 min

7MS #108: I'm Going to PWAPT!-Part 2

Here's part 2 (of probably several to come) about my experience with PWAPT (Practical Webapp Pentesting) training last week!

Nov 11, 2015 · 10 min

7MS #107: I'm Going to PWAPT!

Hey I'm going to PWAPT this week (http://www.eventbrite.com/e/practical-web-application-penetration-testing-with-tim-tomes-lanmaster53-tickets-16718889649), so in this episode I talk about that...and how I'll probably be too info-overloaded to record anything on Thursday :-). Oh, and I had a fun Web app pentest this week that I wanted to share some fun bits on.

Nov 3, 2015 · 7 min

7MS #106: A Day in the Life of an Information Security Analyst

A listener wrote in asking some questions about "a day in the life of" a security analyst, so here's my best stab at it!

Oct 30, 2015 · 10 min

7MS #105: OFFTOPIC-Big Bag of Random Sauce

Today's totally random episode covers: 1. How bad does this podcast's logo suck? 2. Does this podcast need a theme song? 3. Some interesting training I'm taking next week. 4. The Walking Dead - who should die? 5. Metal Gear Solid and my personal godmode strategy.

Oct 28, 2015 · 9 min

7MS #104: LANTurtle First Impressions

Hey I just got a LANTurtle and....these are my first impressions!

Oct 22, 2015 · 7 min

7MS #103: OFFTOPIC-I Was in a Movie Once

This is an off-topic episode about the time I was in the holiday comedy super-smash laugh-fest, Jingle All the Way.

Oct 20, 2015 · 7 min

7MS #102: Recon-ng!

I'm a big fan of Recon-ng and you should be too! Check it out - and learn more about Tim Tomes, its creator - at www.lanmaster53.com. And here's the video I mentioned in the podcast - my first look at Recon-ng in action: https://www.youtube.com/watch?v=vkmNTNl6urw

Oct 15, 2015 · 8 min

7MS #101: OFFTOPIC-I Am Chris Farley

The new(ish) Chris Farley documentary is fantastic - see it!

Oct 14, 2015 · 7 min

7MS #100: Assessment Curses Can Be Blessings

Ever had an assessment that you thought would be the death of you? I had one recently, but after sticking it out, it turned out to be a blessing in disguise.

Oct 9, 2015 · 7 min

7MS #99: How to Deliver Bad News in a Good Way

Today's episode gives you some tips on how to deliver bad news in an assessment in a positive way. I think that last sentence was a grammatical nightmare.

Oct 2, 2015 · 8 min

7MS #98: Intro to PCI Scoping

So far I've focused on the technical aspects of PCI, but I'm trying to get familiar with the overall scoping questions that my tenacious QSA friends ask when they start a gap analysis. This episode shares some interesting tidbits I learned while doing some QSA "shadowing" on an assessment of a restaurant.

Sep 30, 2015 · 8 min

7MS #97: OFFTOPIC-Limbo

We're going off topic today and talking about video games! LIMBO for the Xbox!

Sep 25, 2015 · 7 min

7MS #96: How to Make Enemies During a Security Assessment

Yep, we're talking about how to make ENEMIES during a security assessment today (and maybe turn them into friends).

Sep 23, 2015 · 9 min

7MS #95: How to Make Friends During a Security Assessment

When you start a security assessment with a company, not everybody's gonna be glad to see you. The IT dept and other employees may have tense shoulders, thinking that this is an Office Space situation where they're interviewing for their jobs. This episode talks about some ways you might be able to get your assessment off to a right start.

Sep 17, 2015 · 7 min

7MS #94: Learn How to Burp - Part 1

I've been looking for better ways to learn Burp Suite and I struck gold! Check out my recommendations in today's episode!

Sep 15, 2015 · 8 min

7MS #93: Securing Your Life

So yeah, this is kind of off-topic, but have you thought about security in the sense of "What kinds of security things should I be doing before I'm dead?" Today's episode explores that.

Sep 11, 2015 · 8 min

7MS #92: You're Not Ready for Big Boy Security Pants

Sometimes I get in situations where clients want their WHOLE security program reviewed, but in reality, they are still in the baby steps phase. What's the right thing to do when, for lack of a better term, the client isn't ready to put on their security big boy pants?

Sep 9, 2015 · 7 min

7MS #91: Umbrella

Today's episode is about Umbrella, a product from OpenDNS that provides a layer of protection against malware, wifi-jacking and other threats.

Sep 3, 2015 · 7 min

7MS #90: OFFTOPIC-Citizenfour

We're going offtopic today and talking about the Citizen Four documentary, which centers around the Edward Snowden story.

Sep 1, 2015 · 8 min

7MS #89: AppSpider

Today we're talking about a new (to me) Web site/app scanning tool called AppSpider by Rapid7. Again, this isn't a commercial or paid advertisement. I just like sharing things that I like and use.

Aug 27, 2015 · 8 min

7MS #88: Glasswire

This episode's about a cool security app called GlassWire, which is (kind of) a firewall on steroids. I love it! Oh, and this is not an endorsement or a commercial :-)

Aug 25, 2015 · 6 min

7MS #87: Presenting the Right Findings to the Right Audience

Today I talk about a challenge I run into when I'm delivering to a mixed audience of C-level folks and IT people. How do you keep things high level enough so everybody "gets it" but also go low level enough that the recommendations have some teeth?

Aug 20, 2015 · 7 min

7MS #86: OSWP-The Final Chapter!

This episode concludes the gripping, thrilling, exciting, awesome-ing, death-defying, unsettling, rattling series on OSWP (Offensive Security Wireless Professional). Specifically, I talk (as much as I can without getting into trouble) about the exam and give you some pointers to pass it!

Aug 18, 2015 · 7 min

7MS #85: What is The Penetration Testers Framework (PTF)?

Need an easy way to create a modular/mobile kit of pentest tools to take with you from machine to machine? And ALSO be able to update all those modules in one command? Then check out the PTF! That's what we're talkin' about on today's podcast.

Aug 14, 2015 · 7 min

7MS #84: DIY Pwn Pad

Hey have you heard of Pwn Pads? They're an awesome network pentesting tool that leverages a Nexus tablet - which you can either buy right from Pwnie Express, or create your own if you have a certain model of Nexus lying around. I just happened to have the right Nexus model around, so this podcast episode chronicles my trial and error (mostly error) in making a DIY Pwn Pad! P.S. To get the Android tools installed on Ubuntu 14.04, run these commands:

    sudo add-apt-repository ppa:nilarimogard/webupd8
    sudo apt-get update
    sudo apt-get install android-tools-adb android-tools-fastboot

Aug 12, 2015 · 7 min

7MS #83: Wifi Pineapple First Impressions

In this episode I talk about my first hands-on experience with a Wifi Pineapple, and why you'll probably want one too.

Aug 6, 2015 · 8 min

7MS #82: OSWP-Part 3

The OSWP series is coming to a close. One final episode today and then the four-quel episode will be all about the test!

Aug 4, 2015 · 7 min

7MS #81: OSWP-Part 2

A continuation of our thrilling, exciting, mind-blowing series on OSWP (Offensive Security Wireless Professional)!

Jul 30, 2015 · 8 min

7MS #80: OSWP-Part 1

This episode kicks off a multi-part series all about the OSWP (Offensive Security Wireless Professional) certification.

Jul 28, 2015 · 7 min

7MS #79.5: UPDATE(!) on My Love-Hate Relationship with Nessus

In episode #79 I shared some gripes about Nessus. Those gripes were quickly answered by Tenable staff/support so I wanted to pass relevant updates on to you!

Jul 27, 2015 · 6 min

7MS #79: My Love-Hate Relationship with Nessus

In this episode I talk about one of my favorite vulnerability scanners, Nessus, and why I want to simultaneously hug it and punch it in the neck.

Jul 23, 2015 · 7 min

7MS #78: It's All About Segmentation

In this episode I advocate for proper network segmentation, as doing it (well and right!) can seriously reduce your risks!

Jul 21, 2015 · 7 min

7MS #77: OFFTOPIC-Rickrolling Your Coworkers for Fun and Profit

This week I used my Wifi Pineapple to scare and amuse my coworkers and lure them into a Rickroll trap. All the gory details in today's episode!

Jul 16, 2015 · 7 min

7MS #76: Lessons Learned from LastPass

I know this is a bit late, but I wanted to talk a little about the LastPass breach and why I'll still remain a customer.

Jul 14, 2015 · 7 min

7MS #75: OFFTOPIC-My Son's Piano Recital

I wanted to share (what I think is) an amusing anecdote about my son's first piano recital, which was topped off by a kid playing the song "Lucky." Many LOLs commenced for me.

Jul 9, 2015 · 9 min

7MS #74: How to Become a More Organized Information Security Professional

In this episode I share some strategies and apps that may help you stay more organized as you go about your infosec work!

Jul 8, 2015 · 8 min

7MS #73: PCI Pentesting 101 – Part 2 (audio)

This episode is the exciting continuation of a recent pentest I did, in which I got some serious pwnage, including cracking the domain admin password!

Jun 30, 2015 · 7 min