BrakeSec Education Podcast

463 episodes — Page 4 of 10

2020-010-Dave Kennedy, offensive security tool release, Derbycom, and Esports

Dave Kennedy (@hackingDave), TrustedSec
Released SEToolkit, Pentester Framework (PTF)
PoC release for "Shitrix" bug (was disclosed after Google zero initiative India group)
Jeff Snover, Lee Holmes - PowerShell gods

Arguments against release:
Tools that are released are utilized by the 'bad guys'
Tooling makes it more difficult to fingerprint whether actors are who they say they are ("Fuzzy Weasel vs. Psycho Toads")
Makes the bad guys' job harder by making them have to create the PoC themselves (presumably most bad actors are skids)

Arguments for release:
Tools allow for teaching the Blue team, and SIEM/logging systems, to understand the technique
Learning how something was created, being able to break down the vulnerability
https://www.bleepingcomputer.com/news/security/new-evasion-encyclopedia-shows-how-malware-detects-virtual-machines/

Show #2: DerbyCom - Tell us about it
Dave Kennedy Center for Gaming and Leadership: https://twitter.com/hackingdave/status/1220150360779710464?lang=en

Offensive Security Tool release (PowerShell Empire 3.0)
PowerShell Empire is re-released, using Python: https://twitter.com/BCSecurity1/status/1209126652300709888

Initial tweet: https://twitter.com/taosecurity/status/1209132572128747520
"We believe that Powershell and Empire framework will remain a major threat vector employed by APTs, malware authors, and Red Teams." SO WHY ARE YOU UPDATING IT? You are improving capabilities you explicitly say are *used by bad guys.* Scottie, beam me up from this bizarro world.

Affirmations and evidence:
https://twitter.com/taosecurity/status/1209287582439395330
Nope. One example: Iranian APT "CopyKittens" uses Powershell Empire. Incidentally, I found this example via @MITREattack. https://clearskysec.com/tulip/
https://twitter.com/michael_yip/status/1209151868036886528
One can innovate without sharing with the adversary, no? It's literally how the defense industry works, or am I missing something?
https://twitter.com/michael_yip/status/1209247219796398083
"Are we really justifying lowering the R&D cost of the adversary is the only way to attract talent to the defensive side. Not to mention - no one is saying developing OST is wrong. It's the way they're being shared that's problematic"
https://twitter.com/2sec4u/status/1209169724799623169?s=20
The whole idea is that actors can't just git clone an advanced post exploitation framework which bypasses 95% of organisations' defences. It should cost actors time & money to bypass these defences but because red teams keep releasing new stuff with bypasses... the cycle continues.

Comments in support of initial argument:
https://twitter.com/IISResetMe/status/1209180945011621889?s=20
I really _want_ to agree. ... but I also work in an org with million dollar budgets, a dozen full-time detection engineers and analysts and an army of devs and sysadmins, and even we are having a hard time keeping up - how does this arms race "help" non-F500 orgs?
(later discussion does mention that he has a hard time seeing it as net negative) https://twitter.com/IISResetMe/status/1209183774182907904?s=20
https://twitter.com/cnoanalysis/status/1209169633460150272?s=20
"If we don't create the offensive tools then the bad guys will!" That is a terrible argument for OST release. "We might as well do something that harms because someone else will do that eventually anyway..." there are so many logical fallacies I don't have enough space

Rebuttals:
https://twitter.com/r3dQu1nn/status/1209207550731677697
Limiting yourself by not exposing more tooling to defenders is NOT how to improve security. Yikes. The more exposure you provide defenders gives you more detections/IOCs you can build to help defend against APTs. That's the whole point of Proactive security.
https://twitter.com/bettersafetynet/status/1209138002473160707
It's vital that we continue to sharpen our swords. The commoditization of attacker techniques allows better defense against what adversaries are doing.
https://twitter.com/dragosr/status/1209213064446279680
And this whole discussion ignores a simple fact that released information is way better than exploits passed around quietly or kept in stockpile caches regardless of anyone's metric of responsibility (which is a debatable, very hypothetical line of what's acceptable or not).
https://twitter.com/bettersafetynet/status/1209139099979923457
The very fact that you and others who are taking this side are trying to cajole and browbeat to this position shows how weak your argument is. MITRE ATT&CK took off like gang-busters not because they had a better trolling game, but because it was a great idea implemented well.
https://twitter.com/bettersafetynet/status/1209139578579275776
It's odd that those who advocate this position point out these reports while ignoring all the vendor patches, all the hardening guidelines, basically all the technical defensive work that ops teams do. Nobody's doubting attackers use these techniques, we doubt your conclusions.
https://twitter.com/bettersafetynet/status/1209154592560353280
My stance is l

Mar 19, 2020 - 46 min

2020-009-Dave Kennedy, Offensive Tool release (Part 1)

Show notes identical to those listed under episode 2020-010 above.

Mar 12, 2020 - 34 min

2020-008-Nemesis_Taylor Mutch

Nemesis: https://github.com/UnityTech/nemesis
https://www.techrepublic.com/article/security-concerns-hampering-adoption-of-containers-and-kubernetes/
Nemesis - an auditing tool to check against a set of benchmarks (CIS GCP only)
https://en.wikipedia.org/wiki/Center_for_Internet_Security
What does CIS do well? What do the CIS benchmarks do poorly?
K8s workload identity - GKE specific
github.com/TaylorMutch @mutchsecure
Amazon STS tokens
https://www.eventbrite.com/e/bsides-seattle-2020-tickets-86351434465
https://www.zdnet.com/article/texas-school-district-falls-for-scam-email-hands-over-2-3-million/

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://pandora.app.link/p9AvwdTpT3
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Mar 4, 2020 - 53 min

2020-007-Roberto_Rodriguez-threat_hunting-jupyter_notebooks_data-science

Brakesec Podcast is now on Pandora! Find us here: https://pandora.app.link/p9AvwdTpT3

Book club
Book club is starting up again with Hands-On AWS Penetration Testing with Kali Linux from Gilbert and Caudill. You read and get together to discuss or demo every Monday. Get the book, start reading and meet us for the kick-off Monday the 24th at 10pm Eastern. The book club meets virtually on Zoom and organizes on Slack; get invited like this.
Book: https://smile.amazon.com/Hands-Penetration-Testing-Kali-Linux/dp/1789136725
NolaCon Training: https://nolacon.com/training/2020/security-detect-and-defense-ttx

Roberto Rodriguez Bio: @Cyb3rWard0g on Twitter
Threat Intel vs. Threat Hunting - what's the difference?
What datasets are you using? Did you start with any particular dataset, or create your own?
Technique development - what skills are needed?
C2 setup
Detection mechanisms
Honeypots
How can people get involved?
Blacksmith - create 'mordor' environment to push scripts to set up honeypots/nets
https://Threathunterplaybook.com
https://github.com/hunters-forge/ThreatHunter-Playbook
https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/lateral_movement/WIN-190815181010.html
https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4
https://medium.com/threat-hunters-forge/writing-an-interactive-book-over-the-threat-hunter-playbook-with-the-help-of-the-jupyter-book-3ff37a3123c7
https://www.exploit-db.com/exploits/47995 - Sudo buffer overflow
Mordor: The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption.
YAML Example: https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/WIN-190810201010.yaml
Notebook Example: https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/lateral_movement/WIN-190810201010.html
Jupyter notebook - Definition: https://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/what_is_jupyter.html
Lateral Movement - WMI - (image below)
SIGMA?
What is a Notebook? Think of a notebook as a document that you can access via a web interface that allows you to save input (i.e. live code) and output (i.e. code execution results / evaluated code output) of interactive sessions as well as important notes needed to explain the methodology and steps taken to perform specific tasks (i.e. data analysis). https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4
Have a goal for expanding to other parts of ATT&CK?

Threat Hunter Playbook - Goals:
Expedite the development of techniques and hypotheses for hunting campaigns.
Help Threat Hunters understand patterns of behavior observed during post-exploitation.
Reduce the number of false positives while hunting by providing more context around suspicious events.
Share real-time analytics validation examples through cloud computing environments for free.
Distribute Threat Hunting concepts and processes around the world for free.
Map pre-recorded datasets to adversarial techniques.
Accelerate infosec learning through open source resources.

Sub-techniques: https://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a
Slack Channel: https://launchpass.com/threathunting
Twitter: https://twitter.com/mattifestation https://twitter.com/tifkin_ https://twitter.com/choldgraf https://twitter.com/Cyb3rPandaH

Feb 26, 2020 - 1h 3m

2020-006-Roberto Rodriguez, threat intel, threat hunting, hunter's forge, mordor setup


Full notes and graphics are on www.brakeingsecurity.com, Episode 2020-006.
Book club blurb: "And maybe blurb for the cast could go something like this. Book club is starting up again with Hands-On AWS Penetration Testing with Kali Linux from Gilbert and Caudill. You read and get together to discuss or demo every Monday. Get the book, start reading and meet us for the kick-off Monday the 24th at 10pm Eastern. The book club meets virtually on Zoom, and organizes on Slack... get invited like this."
The remaining show notes (Roberto Rodriguez bio and questions, Threat Hunter Playbook, Mordor, Jupyter notebook definition, playbook goals and links) are identical to those listed under episode 2020-007 above.

Feb 19, 2020 - 32 min

2020-005-Marcus J Carey, red team automation, and Tribe of Hackers book series


Brakeing Down Security Podcast on #Pandora: https://www.pandora.com/podcast/brakeing-down-security-podcast/PC:27866

Marcus Carey https://twitter.com/marcusjcarey - Prolific Author, Defender, Enterprise Architect at ReliaQuest
https://twitter.com/egyp7
https://www.darkreading.com/vulnerabilities---threats/reliaquest-acquires-threatcare/d/d-id/1335950
"GreyMatter integrates security data from security incident and event manager (SIEM), endpoint detection and response (EDR), firewalls, threat intelligence feeds, and other security tools, and includes analysis functions and automation. Threatcare's technology — which will become a new feature on the platform — simulates how a specific threat or attack could target an organization's network in order to determine whether its security tools and settings are or are not actually working to thwart the threats."
Security model - everyone's is different
How do you work with your threat model? A proper threat model
Attack Simulation - How is this different from doing a typical Incident Response tabletop?
Threat modeling systems?
How is this different than a pentest? Is this automated red teaming?
How effective can automated testing be? Is this like some kind of constant scanning system?
How does this work with threat intel feeds?
Can it simulate ransomware, or any attacks?
Hedgehog principles - a lot of things crappily, and nothing good. Mr. Boettcher: "Why suck at everything…"
Atomic Red Team - https://github.com/redcanaryco/atomic-red-team
ATT&CK Matrix - https://attack.mitre.org/matrices/enterprise/

Tribe of Hackers
Red Book: https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1793464189
The Tribe of Hackers team is back with a new guide packed with insights from dozens of the world's leading Red Team security specialists. With their deep knowledge of system vulnerabilities and innovative solutions for correcting security flaws, Red Team hackers are in high demand. Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity takes the valuable lessons and popular interview format from the original Tribe of Hackers and dives deeper into the world of Red Team security with expert perspectives on issues like penetration testing and ethical hacking. This unique guide includes inspiring interviews from influential security specialists, including David Kennedy, Rob Fuller, Jayson E. Street, and Georgia Weidman, who share their real-world learnings on everything from Red Team tools and tactics to careers and communication, presentation strategies, legal concerns, and more.
Learn what it takes to secure a Red Team job and to stand out from other candidates
Discover how to hone your hacking skills while staying on the right side of the law
Get tips for collaborating on documentation and reporting
Explore ways to garner support from leadership on your security proposals
Identify the most important control to prevent compromising your network
Uncover the latest tools for Red Team offensive security

Yellow Book: https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1119643376
Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World is your guide to joining the ranks of hundreds of thousands of cybersecurity professionals around the world. Whether you're just joining the industry, climbing the corporate ladder, or considering consulting, Tribe of Hackers offers the practical know-how, industry perspectives, and technical insight you need to succeed in the rapidly growing information security market. This unique guide includes inspiring interviews from 70 security experts, including Lesley Carhart, Ming Chow, Bruce Potter, Robert M. Lee, and Jayson E. Street.
Get the scoop on the biggest cybersecurity myths and misconceptions about security
Learn what qualities and credentials you need to advance in the cybersecurity field
Uncover which life hacks are worth your while
Understand how social media and the Internet of Things has changed cybersecurity
Discover what it takes to make the move from the corporate world to your own cybersecurity venture
Find your favorite hackers online and continue the conversation

Green Book (next out!): https://smile.amazon.com/Tribe-Hackers-Security-Leaders-Cybersecurity/dp/1119643775
Information security is becoming more important and more valuable all the time. Security breaches can be costly, even shutting businesses and governments down, so security leadership is a high-stakes game. Leading teams of hackers is not always easy, but the future of your organization may depend on it. In this book, the world's top security experts answer the questions that Chief Information Security Officers and other security leaders are asking, including:
What's the most important decision you've made or action you've taken to enable a business risk?
How do you lead your team to execute and get results?
Do you have a workforce philosophy or unique approach to talent acquisition?
Have you created a cohesive strategy for your information security program or business unit?

https://smile.amazon.com/Tribe-Hackers-Blue-Team

Feb 10, 2020 - 43 min

2020-004-Marcus Carey, ShmooCon Report, threat simulation

Show notes identical to those listed under episode 2020-005 above (Marcus Carey bio, GreyMatter/Threatcare, attack simulation questions, Atomic Red Team, ATT&CK Matrix, Tribe of Hackers books).

Feb 5, 2020 - 31 min

2020-003-Liz Fong-Jones, tracking Pentesters, setting up MFA for SSH, and Developer Advocates


What is Honeycomb.io? From the site: "Honeycomb is a tool for introspecting and interrogating your production systems. We can gather data from any source—from your clients (mobile, IoT, browsers), vendored software, or your own code. Single-node debugging tools miss crucial details in a world where infrastructure is dynamic and ephemeral. Honeycomb is a new type of tool, designed and evolved to meet the real needs of platforms, microservices, serverless apps, and complex systems."
SSH 2FA gist: https://gist.github.com/lizthegrey/9c21673f33186a9cc775464afbdce820
Honeycomb.io for digging into access logs and retracing what pentesters do.

Jan 30, 2020 (34 min)

2020-002-Liz Fong-Jones discusses blog post about Honeycomb.io Incident Response


Ms. Berlin's appearance on #misec podcast - https://www.youtube.com/watch?v=Cj2IF0zn_BE with @kentgruber and @quantissIA
Blog post: https://www.honeycomb.io/blog/incident-report-running-dry-on-memory-without-noticing/
What is Honeycomb.io? From the site: "Honeycomb is a tool for introspecting and interrogating your production systems. We can gather data from any source—from your clients (mobile, IoT, browsers), vendored software, or your own code. Single-node debugging tools miss crucial details in a world where infrastructure is dynamic and ephemeral. Honeycomb is a new type of tool, designed and evolved to meet the real needs of platforms, microservices, serverless apps, and complex systems."
What are SLOs and how do you establish them? Are they anything like SLAs (Service Level Agreements)?
Can you give us an idea of the timeline? Length of time from issue to IR to resolution?
Are the dashboards mentioned in the blog post your operations dashboard? [nope! hashtag no-dashboards]
Leading and lagging indicators (IT and infosec call them detection and mitigation indicators) https://kpilibrary.com/topics/lagging-and-leading-indicators
How important is telemetry (or meta-telemetry, since it's telemetry on telemetry, if I'm reading it right --brbr) in making sure you can understand issues?
Do you have levels of escalation? How do you define those?
When you declared an emergency, how did brainstorming help with addressing the issues? Did that help your org see the way to a proper fix? Did you follow any specific methodology? Did you have a war room or web conference?
Communications: https://twitter.com/lizthegrey/status/1192036833812717568
Can being overly transparent be detrimental?
Communication methods in an IR: Slack, phone tree, ticket system, emails
What does escalation look like for Ms. Berlin? Mr. Boettcher? (stories or examples?)
Confirmation bias (or the "it's never in our house" fallacy). "I've seen and been a part of that, very prevalent in IT" --brbr. Especially when the bias is based on previous outages/issues. From the blog: "We quickly found ourselves locked in a state of confirmation bias…"
Root Cause Analysis: Once you diagnosed the issue, how quickly was a fix pushed out? What kind of documentation or monitoring was generated/added to ensure this won't happen again?

Jan 23, 2020 (36 min)

2020-001- Android malware, ugly citrix bugs, and Snake ransomware


Educause conference: https://events.educause.edu/security-professionals-conference/2020/hotel-and-travel
Amanda's training that everyone should come to!!! https://nolacon.com/training/2020/security-detect-and-defense-ttx
Follow twitter.com/infosecroleplay
Part 1: New year, new things
Discussion: What happened over the holidays? What did you get for Christmas? PMP test is scheduled for 10 March
Proposal: Anonymous Hacker segment. Similar to "The Stig" on Top Gear. If you would like to come on and discuss any topic you would like, you'll have anonymity; we won't share your contact info. Will allow people worried that they'll be ridiculed to share their knowledge. We can record your 20-30 segment whenever (will need audio/video for it). You can take a tutorial from another site (or your own) and review it for us. 1-2 segments per month. We can discuss content prior to (we won't put you on the spot). We do have a preliminary
News:
Google removed 1.7K+ Joker Malware infected apps from its Play Store
Full article: https://securityaffairs.co/wordpress/96295/malware/joker-malware-actiity.html
Excerpt: Google revealed it successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware. Google provided technical details of its activity against the Joker malware (aka Bread) operation during the last few years. The Joker malware is malicious code camouflaged as a system app that allows attackers to perform a broad range of malicious operations, including disabling the Google Play Protect service, installing malicious apps, generating fake reviews, and showing ads. The spyware is able to steal SMS messages, contact lists and device information, and to sign victims up for premium service subscriptions. In October, Google removed 24 apps from Google Play because they were infected with Joker malware; the 24 malicious apps had a total of 472,000 installs.
"Over the past couple of weeks, we have been observing a new Trojan on GooglePlay. So far, we have detected it in 24 apps with over 472,000+ installs in total." "Apps typically fall into two categories: SMS fraud (older versions) and toll fraud (newer versions). Both of these types of fraud take advantage of mobile billing techniques involving the user's carrier," reads the post published by Google. The newer versions of the Joker malware were involved in toll fraud, which consists of tricking victims into subscribing to or purchasing various types of content via their mobile phone bill.
WAP billing: https://en.wikipedia.org/wiki/WAP_billing Example: "pokemon go allows in-app purchases"
Over 25,000 Citrix (NetScaler) endpoints vulnerable to CVE-2019-19781
Full Article: https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/
Excerpt: On Friday, January 10, 2020, our honeypots detected opportunistic mass scanning activity originating from a host in Germany targeting Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers vulnerable to CVE-2019-19781. This critical vulnerability allows unauthenticated remote attackers to execute commands on the targeted server after chaining an arbitrary file read/write (directory traversal) flaw.
What type of organizations are affected by CVE-2019-19781? (industries with typically poor or outdated security practices… --brbr)
4,576 unique autonomous systems (network providers) were found to have vulnerable Citrix endpoints on their network. We've discovered this vulnerability currently affects: military, federal, state, and city government agencies; public universities and schools; hospitals and healthcare providers; electric utilities and cooperatives; major financial and banking institutions; numerous Fortune 500 companies.
How is CVE-2019-19781 exploited and what is the risk?
This critical vulnerability is easy for attackers to exploit using publicly available proof-of-concept code. Various methods demonstrating how to exploit CVE-2019-19781 have been posted on GitHub by Project Zero India and TrustedSec. A forensic guide is available detailing how to check Citrix servers for evidence of a compromise. Further exploitation of this vulnerability could be used to spread ransomware (similar to CVE-2019-11510) and cryptocurrency mining malware on sensitive networks. If multiple servers are compromised by the same threat actor, they could be weaponized for coordinated malicious activity such as DDoS attacks.
SNAKE #Ransomware Targets Entire Corporate Systems?
Full Article: https://www.ehackingnews.com/2020/01/snake-ransomware-targets-entire.html
Excerpt: The new Snake Ransomware family sets out to target organizations' corporate networks in their entirety. Written in Golang and containing a significant level of obfuscation, the observations and disclosure for the attacks were made by a group of security specialists from the MalwareHunterTeam. The Ransomware upon successful infection subsequently erase
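The Citrix item above describes a directory traversal chained into command execution and points at a forensic guide for checking servers; the thing a defender wants next is something to run over the web access logs. The following is an added example, not code from the episode, Bad Packets or Citrix. It flags requests whose percent-decoded URL reaches `/vpns/` through a `/../` segment, the same `/vpns/` plus `/../` condition that Citrix's published responder-policy mitigation blocks, and groups them by client address. The log lines are constructed for the example (combined log format, documentation address ranges); a 200 on such a request is treated as the strong signal because the mitigation answers 403.

```python
"""Added example (not from the episode, Bad Packets or Citrix): scan web access
logs for CVE-2019-19781 traversal attempts. Sample log lines are constructed."""

import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed combined-format access log. Documentation addresses only.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2020:13:41:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2020:13:42:17 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "python-requests/2.22.0"
198.51.100.23 - - [10/Jan/2020:13:42:19 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
198.51.100.23 - - [10/Jan/2020:13:42:21 +0000] "GET /vpn/../vpns/portal/a1b2c3.xml HTTP/1.1" 200 418 "-" "python-requests/2.22.0"
192.0.2.55 - - [10/Jan/2020:13:45:00 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "curl/7.64.1"
203.0.113.7 - - [10/Jan/2020:13:46:10 +0000] "GET /vpn/images/logo.png HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)


def decode_fully(uri: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so both
    %2e%2e and double-encoded %252e%252e end up as '..'."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_vpns_traversal(uri: str) -> bool:
    """True when the decoded path reaches /vpns/ by way of a /../ segment.
    A direct /vpns/ request from an authenticated VPN session is legitimate
    and the log alone cannot tell session state, so it is not flagged."""
    path = decode_fully(uri).split("?", 1)[0].lower()
    return "/vpns/" in path and "/../" in path


def scan(log_text: str) -> dict[str, list[dict]]:
    """Suspicious requests grouped by client IP. 'served' is True for a 200,
    the strongest signal: the responder-policy mitigation answers 403."""
    hits: dict[str, list[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_vpns_traversal(m["uri"]):
            continue
        hits[m["ip"]].append({
            "ts": m["ts"],
            "method": m["method"],
            "uri": m["uri"],
            "status": int(m["status"]),
            "served": m["status"] == "200",
        })
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in scan(SAMPLE_LOG).items():
        served = sum(r["served"] for r in reqs)
        print(f"{ip}: {len(reqs)} traversal request(s), {served} served with 200")
        for r in reqs:
            print(f"  {r['ts']} {r['method']} {r['uri']} -> {r['status']}")
```

A POST that was served, followed by a GET for a fresh .xml under the portal directory from the same address, is the read-write-execute sequence the excerpt describes; treat that host as compromised and move to the forensic guide rather than just patching.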

Jan 13, 2020 (38 min)

2019-046-end of the year, end of the decade, predictions, and how we've all changed


End of year, end of decade
Are things better than 10 years ago? 5 years ago? If there was one thing to change things for the better, what would that be?
Good, Bad, Ugly
Did naming vulns make things better?
Which industries are doing a good job of securing themselves? Finance?
What do you wish had never happened (security/compliance wise)? Ransomware infections with no bounties. Still have people believing "Nessus" is a pentest
https://nrf.com/ https://www.retailitinsights.com/eventscalendar/eventdetail/1c77d5c6-8625-4f2b-bb98-89cca6590c49 https://monitorama.com/ https://www.apics.org/credentials-education/events
The Future: PREDICTIONS!!!
Bryan: The rise of the vetting programs (companies will want to vet content creators in their ecosystems)
Cybuck: An uptick in surveillance tech, both disguised as cool home smart gadgets and straight up public safety, triggering a US GDPR type response. Injection remains the undisputed heavyweight champion of appsec vulnerability (OWASP Top 10). And wishful thinking... broken authentication moves lower, denial of service goes down. https://twitter.com/WeldPond/status/1207383327491137536/photo/1
JB: a major change in social media/generational shift in how we use it, legal or focus on new types of mobile tech for example… Human networking in real life in the age of 'social' …. "When you hire someone… you also hire their rolodex" --- what do you think about this statement? ..its role in InfoSec? Talent?
JB shouted out https://github.com/redcanaryco/atomic-red-team (Invoke-Atomic framework with PowerShell now on Linux, OSX, and Windows)
JB - Link to the hunting/stopping-human-trafficking org I mentioned: Shoutout Sherrie Caltagirone, Executive Director, Global Emancipation Network @GblEmancipation https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1569941622.pdf
Mentioned https://monitorama.com/ https://github.com/viq/air-monitoring-scripts (viq from BrakeSec)
Other topics: Talk about where you were 10 years ago, and what you did to get where you are. Best hacking tool? Best enterprise tool?
Recent news: https://www.zdnet.com/article/more-than-38000-people-will-stand-in-line-this-week-to-get-a-new-password/ https://www.phoronix.com/scan.php?page=news_item&px=CERN-MALT-Microsoft-Alternative https://www.iotworldtoday.com/2019/12/21/2020-predictions-apis-become-a-focus-of-iot-security/ https://www.jonesday.com/en/insights/2018/10/california-to-regulate-security-of-iot-devices
News stories from 2010 (see if they still make sense, or are outdated): https://www.infosecurity-magazine.com/magazine-features/what-makes-a-ciso-employable/ https://www.csoonline.com/article/2231454/verizon-s-2010-dbir--rise-in-misuse--malware-and-social-engineering.html https://www.owasp.org/index.php/OWASPTop10-2010-PressRelease

Dec 23, 2019 (1h 18m)

2019-045-Part 2-Noid, Dave Dittrich, empowered teams, features vs. security


The day after part 1: Keybase halted the spacedrop the day after the first podcast was complete...
Security failures in implementation: "We need to push this to market, we'll patch it later!"
Risk management discussion for project managers (PMP)
CIA Triad… where do 'business goals' fit? Security is at odds with the bottom line
**Reference Noid's BSides Seattle talk and podcast earlier this year.**
Other companies that have made security mistakes in the name of business:
Practical Pentest Labs storing passwords in the clear https://twitter.com/mortalhys/status/1202867037120475136 https://web.archive.org/web/20191207132548/https://twitter.com/mortalhys/status/1202867037120475136 https://twitter.com/piaviation/status/1202994484172218368
T-Mobile Austria partial password issues: https://www.pcmag.com/news/360301/t-mobile-austria-admits-to-storing-passwords-partly-in-clear No one was championing security, because no one considered the problems with partial disclosure of the passphrase in an account. Marketing people on your social media accounts do NOT help allay security issues (because they didn't have escalation procedures for vuln disclosure). Insider threats could take over accounts.
Follow-up from last week's show with Bea Hughes:
I liked the interesting discussion about security and DevOps teams with Bea Hughes in your recent podcast. When you mentioned you are taking your PMP for agile I'm surprised you did not mention the term "product owner". You were asking who cares about security that you, as a security guy, can talk to. Bea mentioned that it was the "stakeholders", but in the agile process the "product owner" is the team's advocate for the "stakeholders". And, you also mentioned "PM", as in project manager. In an agile world, the typical PM role is minimized. Actually, the PM is removed entirely ideally in favor of empowered teams. Empowered teams understand that good products are reliable and secure. (Secure because the security CIA includes "availability" and "integrity" aka reliability.) As Director of DevOps for my 4,000-person-strong consulting company I'm working with our security team to push responsibility for security to our development teams. Empowering them to take the time and bear the costs of using security tools prior to release and during system operation is what we are working on now, as we roll into 2020.
**If the 'product owner' or 'empowered team' does not consider security a priority/requirement, then who champions security? It only becomes a priority when something bad happens, like a breach.**
"Empowered teams": some people aren't fans: https://hackernoon.com/the-surprising-misery-of-empowered-teams-35c3679cf11e

Dec 18, 2019 (1h 2m)

2019-044-Noid and Dave Dittrich discusses recent keybase woes - Part 1

Patreon donor goodness: Scott S. and Ion S.
@_noid_ @davedittrich
Their response: "it's not a bug, it's a feature" "Don't write a blog post that will point out the issue" "You pointing out our issues makes things more difficult for us" "It's a free service, why are you hurting us?"
https://keybase.io/docs/bug_reporting
Nov 22nd: Noid (@_noid_) Keybase discussion blog post https://www.whiskey-tango.org/2019/11/keybase-weve-got-privacy-problem.html
Reddit post showing potential SE attacks occurring: https://www.reddit.com/r/Keybase/comments/e6uou3/hi_guys_i_received_a_message_today_that_is/
Keybase's decision to fix it came out after The Register asked them about the issue… Dec 4th https://keybase.io/blog/dealing-with-spam Dec 5th https://www.theregister.co.uk/2019/12/05/keybase_struggles_with_harassment/
Problems with the implementation: Requiring admins for Keybase to decide what's wrong or if they need to be deleted. Additional dummy accounts being created on other sites (keybase, twitter, git, reddit, etc), generating problems for those services (as if Twitter doesn't have enough issues with bots/shitty people). Cryptocurrency = trolls/phishing/SE attempts to get folks to hand over their lumens (what's the motivation of creating the coin?). They've already opened the spam door, and they'll not be able to shut it.
Once they took the VC and aligned themselves with Stellar, the attack surface changes: from account takeover (integrity attacks) to deception (social engineering)
What is keybase? Social network? E2E chat? Encrypted file share/storage? Cryptocurrency company? Secure git repo protector? Which ones do they do well?
How could they have solved the spam issue? Made the cryptocoin a separate application? Even their /r/keybase is filling up with spammers asking about their Lumens
How could they fix it? You can't contact someone unless that person allows you to. Allow someone to contact you, but do not allow adding to teams without permission
https://news.ycombinator.com/item?id=21719702 (ongoing HN thread)
Noid isn't the only person with issues in Keybase: https://vicki.substack.com/p/keybase-and-the-chaos-of-crypto https://it.slashdot.org/story/19/12/06/1610259/keybase-moves-to-stop-onslaught-of-spammers-on-encrypted-message-platform https://keybase.io/docs-assets/blog/NCC_Group_Keybase_KB2018_Public_Report_2019-02-27_v1.3.pdf
Stephen Carter's definition of "integrity": Integrity, as I will use the term, requires three steps: (1) discerning what is right and what is wrong, (2) acting on what you have discerned, even at personal cost; and (3) saying openly that you are acting on your understanding of right from wrong. — Stephen Carter, "Integrity." Harper-Collins. https://www.harpercollins.com/9780060928070/integrity/
Can the person [who took the controversial act] explain their reasoning, based on principles they can articulate and would follow even if it meant they paid a price? Or do they selectively choose principles in arbitrary ways so as to fit the current circumstances in order to guarantee they get an outcome that benefits them?
noid's blog post clearly documents the timeline of interactions with Keybase, including: (1) providing detailed steps to reproduce; (2) suggesting mitigations that could be implemented in the architecture; (3) providing guidance to users to protect themselves when the vulnerability disclosure was made public; and (4) justifying his decision to go public by citing and following a vulnerability disclosure policy of a major industry leader in this area, Google: "Following Google Security's guidelines for issues being actively exploited in the wild, I chose to release this information 7 days after I last heard from Keybase."
The ACM Code of Conduct has several sections that could apply here: 1.1 Contribute to society and to human well-being, acknowledging that all people are stakeholders in computing. 1.2 Avoid harm. 1.6 Respect privacy. 2.1 Strive to achieve high quality in both the processes and products of professional work. 2.7 Foster public awareness and understanding of computing, related technologies, and their consequences. 3.1 Ensure that the public good is the central concern during all professional computing work. 3.7 Recognize and take special care of systems that become integrated into the infrastructure of society.
The right to privacy of your information, as well as the right to choose with whom you associate and communicate, are both arguably duties based on the concept of autonomy (i.e., your right to choose). In biomedical and behavioral research, the principle involved here is known as Respect for Persons and is best recognized as the idea of informed consent. Giving users autonomy in making their data public, but not giving them autonomy in who they allow to communicate with them and add them to "teams," could be viewed as conflicting as regards this principle. This is in fact precisely what noid brought up in his initial communication with Keybase: I had a ran

Dec 10, 2019 (1h 1m)

2019-043-Bea Hughes, dealing with realistic threats in your org


Realistic Threats
Nation states aren't after you https://twitter.com/beajammingh/status/1191884466752385025 https://twitter.com/beajammingh/status/1198671660150226946 https://twitter.com/beajammingh/status/1198671952824565762 https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
What are credible threats? Malicious insiders - Non-malicious insiders - https://www.scmagazine.com/home/security-news/not-every-insider-threat-is-malicious-but-all-are-dangerous/ Education issue? Is there such a thing as 'non-malicious' or is this just bunk?
Real threats https://resources.infosecinstitute.com/5-new-threats-every-organization-prepared-2018/
CIO magazine threats -- buzzword threats (we should totally containerize all the things)
Vulns that have names (blue team is stuck dealing with 'theoretical' issues e.g. SPECTRE/MELTDOWN)
Lack of well-priced training? Dev training? Security training?
Better management communication will reduce threats. Building trust so they don't freak when '$insert_named_vuln' shows up. Gotta frame it to business needs. "Everyone is vulnerable" - keep FUD to a minimum, don't exaggerate. Know your industry's threats (phishing, money transfer fraud, malware).
Patreon donor: Michael K. $10 patron!
Layer8conf - https://www.workshopcon.com/events https://layer8conference.com/
Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of sponsorships the conference secures. As a side note WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups. In terms of sponsorship information for Layer8, Patrick wants people to send an email to [email protected] Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!
Saturday June 6, 2020, RI Convention Center
https://www.dianainitiative.org/ https://twitter.com/DianaInitiative Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)

Dec 4, 2019 (1h 10m)

2019-042-CircuitSwan, Gitlabs, Job descriptions that don't suck, layer8con


Diana Initiative @circuitswan @dianainitiative https://www.dianainitiative.org/ https://twitter.com/DianaInitiative Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri) [email protected]
Topics
Diana Initiative's past: 2015 - idea at DEF CON 23. 2016-17-18 growing but got too big! 2019 got our own space, ~800 tickets
2020 plans: Westin again, 2 speaking tracks and 1 workshop track, solder village, career village, CTF, lock picking. Mentoring both CFP and presenters this year! (expansion from last year). Student scholarship (we want to double the amount of money, target still 10). Free tickets (expansion over last year)
Present: Slogan contest 2020. I don't want to think about 2021 yet :)
Future: Mentors, Reviewers, Volunteers, Donations (Giving Tuesday, scholarships)
Needs/wants: Discuss how to add more D&I (diversity and inclusion) into your event (conference, meetup, slack, etc)
Women in Technology Diana 2018 https://business.linkedin.com/talent-solutions/blog/job-descriptions/2018/5-must-dos-for-writing-inclusive-job-descriptions https://www.hudsonrpo.com/rpo-intelligence/recruitment-process-outsourcing/how-to-write-an-inclusive-job-description/ https://www.refinery29.com/en-us/2017/04/148547/how-to-get-a-raise-chatbot-cindy-gallop
Better job descriptions
Other topics of interest: Career village / resume clinic work in general (spoken on this twice, volunteer at resume clinic). CFP advice in general (https://sites.google.com/site/amazonv/conference-call-for-papers-cfp-tips). First time speaker advice in general https://sites.google.com/site/amazonv/first-time-speaker?authuser=0
HackerSwan (http://hackerswan.com/) HackerFoodies (http://hackerfoodies.com/) http://hackersummercamp.guide/ aka "birds of a feather concept" WAN party / Women's meetup at Defcon with @sylv3on_ @nemessisc and more http://hackerconticketexchange.com/
GitLab security scans (that's me!) We are responsible for baking Sec into DevOps and hence write the red team software (well, integrate in most cases) for your appsec team if your devs are using GitLab. We have a security team that secures GitLab itself but that's not us. We have SAST, DAST, Dependency, Secret Detection and License Compliance baked into our paid tier, and SAST is coming down to the free tier! I'm pitching a talk about tuning to ShmooCon because it seems like that's the most common question I got as a result of my DevSecOps talks at DerbyCon / ShellCon / BSidesDC.
N.Schwartz: Are you ready to leverage DevSecOps? BSidesDC 2019
Also could mention getting married to RenderMan and the open wedding invite we have if you are up for party shenanigans http://circuitswanandrenderman.com/
And I have a help guide for how to run an inclusive conference - https://docs.google.com/document/d/12OCiiWRVf6r08SuI3T4Djm98GwkfzlvhjYNpS225x3M/edit
2019 ShellCon Tuneup: Tips for Your CV and Profile, From an Interviewer
SE Village Con - Thu, Feb 20 - Sat, Feb 22 | Hilton Orlando Buena Vista Palace
Layer8conf - https://www.workshopcon.com/events https://layer8conference.com/
Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of sponsorships the conference secures. As a side note WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups. In terms of sponsorship information for Layer8, Patrick wants people to send an email to [email protected] Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!
Saturday June 6, 2020, RI Convention Center

Nov 27, 2019 (1h 0m)

2019-041-circuitswan, diana initiative, diversity initiatives at conferences

Diana Initiative @circuitswan https://www.dianainitiative.org/ https://twitter.com/DianaInitiative Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri) [email protected]
Topics
Diana Initiative's past: 2015 - idea at DEF CON 23. 2016-17-18 growing but got too big! 2019 got our own space, ~800 tickets
2020 plans: Westin again, 2 speaking tracks and 1 workshop track, solder village, career village, CTF, lock picking. Mentoring both CFP and presenters this year! (expansion from last year). Student scholarship (we want to double the amount of money, target still 10). Free tickets (expansion over last year)
Present: Slogan contest 2020. I don't want to think about 2021 yet :)
Future: Mentors, Reviewers, Volunteers, Donations (Giving Tuesday, scholarships)
Needs/wants: Discuss how to add more D&I (diversity and inclusion) into your event (conference, meetup, slack, etc)
Women in Technology Diana 2018 https://business.linkedin.com/talent-solutions/blog/job-descriptions/2018/5-must-dos-for-writing-inclusive-job-descriptions https://www.hudsonrpo.com/rpo-intelligence/recruitment-process-outsourcing/how-to-write-an-inclusive-job-description/ https://www.refinery29.com/en-us/2017/04/148547/how-to-get-a-raise-chatbot-cindy-gallop
Better job descriptions
Other topics of interest: Career village / resume clinic work in general (spoken on this twice, volunteer at resume clinic). CFP advice in general (https://sites.google.com/site/amazonv/conference-call-for-papers-cfp-tips). First time speaker advice in general https://sites.google.com/site/amazonv/first-time-speaker?authuser=0
HackerSwan (http://hackerswan.com/) HackerFoodies (http://hackerfoodies.com/) http://hackersummercamp.guide/ aka "birds of a feather concept" WAN party / Women's meetup at Defcon with @sylv3on_ @nemessisc and more http://hackerconticketexchange.com/
GitLab security scans (that's me!) We are responsible for baking Sec into DevOps and hence write the red team software (well, integrate in most cases) for your appsec team if your devs are using GitLab. We have a security team that secures GitLab itself but that's not us. We have SAST, DAST, Dependency, Secret Detection and License Compliance baked into our paid tier, and SAST is coming down to the free tier! I'm pitching a talk about tuning to ShmooCon because it seems like that's the most common question I got as a result of my DevSecOps talks at DerbyCon / ShellCon / BSidesDC.
N.Schwartz: Are you ready to leverage DevSecOps? BSidesDC 2019
Also could mention getting married to RenderMan and the open wedding invite we have if you are up for party shenanigans http://circuitswanandrenderman.com/
And I have a help guide for how to run an inclusive conference - https://docs.google.com/document/d/12OCiiWRVf6r08SuI3T4Djm98GwkfzlvhjYNpS225x3M/edit
2019 ShellCon Tuneup: Tips for Your CV and Profile, From an Interviewer
SE Village Con - Thu, Feb 20 - Sat, Feb 22 | Hilton Orlando Buena Vista Palace
Layer8conf - https://www.workshopcon.com/events https://layer8conference.com/
Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of sponsorships the conference secures. As a side note WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups. In terms of sponsorship information for Layer8, Patrick wants people to send an email to [email protected] Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!
Saturday June 6, 2020, RI Convention Center

Nov 21, 2019 · 38 min

2019-040-vulns in cisco kit, google's project 'nightmare', healthcare data issues, TAGNW conference update


Tagnw.org
Amazon Smile - brakesec.com/smile
News:
https://www.androidpolice.com/2019/11/11/google-project-nightingale-health-records-collection/
https://www.csoonline.com/article/3439400/secrets-of-latest-smominru-botnet-variant-revealed-in-new-attack.html
https://blog.naijasecforce.com/the-jar-based-malware/ - Ms. InfoSecSherpa mailing list "Nuzzel"
https://www.axios.com/hospitals-cybersecurity-medical-information-hacking-076cb826-fc69-4ba6-b3fd-57ce19ab00c6.html
https://www.axios.com/hospitals-doctors-privacy-records-hacks-data-5cb5d8c1-27de-4cc1-94d8-634015efc04a.html
https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/
https://en.wikipedia.org/wiki/Data_Protection_API
https://latesthackingnews.com/2019/11/10/multiple-security-issues-detected-in-cisco-small-business-routers-update-now/
https://www.routefifty.com/tech-data/2019/11/plan-engage-hackers-election-security/161045/
https://www.darkreading.com/vulnerabilities---threats/microsoft-security-setting-ironically-increases-risks-for-office-for-mac-users/d/d-id/1336268

Nov 12, 2019 · 1h 6m

2019-039-bluekeep_weaponized-npm_security_cracks-grrcon_report


Grrcon update
2019-039 - BlueKeep weaponized… and more
BlueKeep weaponized
https://www.bleepingcomputer.com/news/security/bluekeep-remote-code-execution-bug-in-rdp-exploited-en-masse/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/
https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining
NordVPN hacked: https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/
Null sessions and how to avoid them: https://www.dummies.com/programming/networking/null-session-attacks-and-how-to-avoid-them/ https://social.technet.microsoft.com/Forums/en-US/2acdfb53-edee-444e-9ffa-25dcebcd9181/smb-null-sessions
Linux has a marketing problem: https://hackaday.com/2019/10/31/linuxs-marketing-problem/
20 accounts could pwn the majority of NPM: https://www.zdnet.com/article/hacking-20-high-profile-dev-accounts-could-compromise-half-of-the-npm-ecosystem/
Chrome 0day: https://thehackernews.com/2019/11/chrome-zero-day-update.html
India nuclear plant is hacked: https://arstechnica.com/information-technology/2019/10/indian-nuclear-power-company-confirms-north-korean-malware-attack/
High Tea Security Podcast: https://www.podcasts.com/high-tea-security-190182dc8
https://TAGNW.org - Bryan panel and talking about networking
Securewv.org - Training - https://www.eventbrite.com/e/security-dd-tickets-79219348203
BSides Fredericton - https://www.eventbrite.ca/e/security-bsides-fredericton-2019-tickets-59449704667

Nov 4, 2019 · 53 min

2019-038-Deveeshree_Nayak-risk_analysis, and OWASP WIA


OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE
https://www.owasp.org/index.php/Women_In_AppSec
OWASP Women in AppSec Twitter: 2013_Nayak (reach out and ask to be added)
https://www.tagnw.org/events/
Risk in Infosec
Risk - a situation which involves extreme danger and an extensive amount of unrecovered loss
What about risks that are positive in nature? PMP calls them 'opportunities'
Risk Analysis - systemic examination of the components and characteristics of risk
Analysis Steps - Understanding and Assessment
Understand there is a risk
What if a company does not have security standards?
Identification
Identify and categorize risk - Informational risk, Network risk, Hardware risk, Software risk, Environment risk?
https://en.wikipedia.org/wiki/Routine_activity_theory
Scope of risk analysis?
Threat modeling to find risks? https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
SWOT (strength/weakness/opportunities/threats) analysis will discover risks?
Risk analysis methodologies?
https://www.project-risk-manager.com/blog/qualitative-risk-techniques/
https://securityscorecard.com/blog/it-security-risk-assessment-methodology
https://en.wikipedia.org/wiki/Probabilistic_risk_assessment
https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration
Estimation
Chance that risk will occur (once a decade, once a week)
Design controls to remediate
Implementation
Risk assessment is a combined approach
Combined approach for a risk analysis
You mentioned a lot of people, what's the scope?
How do you do the risk assessment? Framework?
Evaluation
Evaluation approach
Like an agile approach
Provides an informed conclusion
Report must be clear (no jargon)
Decision Making
Examples to Reduce Risk
Training and education
What kind of testing? Annual security training?
Publishing policies
Agreement with organization
BAA with 3rd parties
Timely testing -

Oct 30, 2019 · 1h 16m

2019-038- Ethical dilemmas with offensive tools, powershell discussion with Lee Holmes - Part2


Derbycon9 talk - PowerShell Security Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s
Encarta - https://en.wikipedia.org/wiki/Encarta
Scott Hanselman's Twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409
Congrats on the black badge :)
I like that you bring up execution policies. That it was never created to become a security control. I started alerting on it anyway, at least from non-admin devices. https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/
Want to learn PowerShell? UnderTheWire wargame: https://underthewire.tech/
Jeffrey Snover "The Cultural battle to remove Windows from Windows Server": https://www.youtube.com/watch?v=3Uvq38XOark
You talk about "why would anyone want to remove PowerShell" as it came as a standalone download and part of the Windows SDK.
- I was taught when I was just getting into tech that I should fear PowerShell, and didn't realize how powerful it could be as an admin because of it.
PowerShell slime trail
"You can't force a powerful tool only to be used how you want it to be used, you can tilt the playing field on behalf of defenders"
If an attacker is going to use PowerShell, let's make them regret it
PowerShell has had quite an impact and history.
My own sorry logging/alerting attempts
You mentioned the amount of attacks listed in MITRE that use PowerShell; is that *the* recommended resource for blue teamers, are there any others?
Revoke-Obfuscation white paper (Black Hat 2017): https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf
https://github.com/danielbohannon/Invoke-Obfuscation
https://github.com/danielbohannon/Revoke-Obfuscation
https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-now-uses-windows-powershell/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POSHCODER.A
Ever thought of writing a PowerShell security-centric book? Bill Pollock was looking for someone to write a book for No Starch…
Derbycon keynote with Lee Holmes and Jeffrey Snover - http://www.irongeek.com/i.php?page=videos/derbycon6/101-key-note-jeffrey-snover-lee-holmes
AMSI - Antimalware Scan Interface: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
https://www.amazon.com/dp/B00ARN9MEK/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1 - Windows PowerShell Cookbook
Eric Conrad: https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html https://github.com/sans-blue-team/DeepBlueCLI
Daniel Bohannon - DevSec Defense - https://www.youtube.com/watch?v=QJe8xikf-iE https://github.com/psconfeu/2018/tree/master/Daniel%20Bohannon/DevSec%20Defense
Constrained language mode: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
Maslow's security hierarchy: https://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/
Just Enough Administration: https://docs.microsoft.com/en-us/previous-versions//dn896648(v=technet.10)?redirectedfrom=MSDN
https://github.com/infosecn1nja/AD-Attack-Defense
Also - DrawOnMyBadge.com - Super cool idea, loved the Mona Lisa
@Lee_Holmes @hackershealth @log-md @infosecCampout @seasecEast @brakesec @bryanbrake @boettcherpwned @Infosystir @packscott @dpcybuck @megan_roddie @consultingCSO

Oct 22, 2019 · 52 min

2019-037-Lee Holmes, Powershell logging, and why there's an 'execution bypass'


Oct 17, 2019 · 50 min

2019-036-RvrShell-graphql_defense-Part2

Secure Python course: https://brakesec.com/brakesecpythonclass
PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing
GraphQL High Level
https://graphql.org/
Designed to replace REST arch
Allows you to make a large request, uses a query language
Released by FB in 2012
JSON
Learn Enough to be Dangerous
https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2
WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315
Vulns in the Wild
Abusing GraphQL
OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
Attack Techniques
https://www.apollographql.com/docs/apollo-server/data/data/
https://github.com/graphql/graphiql
Protecting GraphQL
https://github.com/maticzav/graphql-shield
Magento 2 (runs GraphQL), hard to update…
https://github.com/szski/shapeshifter - Matt's tool on Shapeshifter
GraphQL implementations inside (ecosystem packages?)
Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)
Patreon supporters (Josh P and David G)
Teepub: https://www.teepublic.com/user/bdspodcast
For Amanda next: https://www.cybercareersummit.com/ & keynote @grrcon Oct 24/25

Oct 9, 2019 · 57 min

2019-035-Matt_szymanski-attack and defense of GraphQL-Part1


Derbycon Discussion (bring Matt in)
Python course: https://brakesec.com/brakesecpythonclass
PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing
GraphQL High Level
https://graphql.org/
Designed to replace REST arch
Allows you to make a large request, uses a query language
Released by FB in 2012
JSON
Learn Enough to be Dangerous
https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2
WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315
Vulns in the Wild
Abusing GraphQL
OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
Attack Techniques
https://www.apollographql.com/docs/apollo-server/data/data/
https://github.com/graphql/graphiql
Protecting GraphQL
https://github.com/maticzav/graphql-shield
Magento 2 (runs GraphQL), hard to update…
https://github.com/szski/shapeshifter - Matt's tool on Shapeshifter
GraphQL implementations inside (ecosystem packages?)
Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)
Patreon supporters (Josh P and David G)
Teepub: https://www.teepublic.com/user/bdspodcast
For Amanda next: https://www.cybercareersummit.com/ & keynote @grrcon Oct 24/25

Oct 2, 2019 · 42 min

2019-034- Tracy Maleeff, empathy as a service, derbycon discussion

Podcast Interview (YouTube): https://youtu.be/4tdJwBMh3ow
Tracy Maleeff (pronounced like may-leaf) - https://twitter.com/InfoSecSherpa https://medium.com/@InfoSecSherpa https://nuzzel.com/InfoSecSherpa
Python secure coding class - November 2nd / 5 Saturdays, @nxvl teaching: https://www.eventbrite.com/e/secure-python-coding-with-nicolas-valcarcel-registration-72804597511
Derbycon Talk: https://www.youtube.com/watch?v=KILlp4KMIPA
Plugs:
Nuzzel newsletter: https://nuzzel.com/infosecsherpa
OSINT-y Goodness blog: https://medium.com/@infosecsherpa
Tomato pie: https://www.eater.com/2016/8/19/12525602/tomato-pie-philadelphia-new-jersey
Infosec is a service industry job (gasp!)
Customer service is an attitude, not a department
Reference Interview: https://en.wikipedia.org/wiki/Reference_interview
Approachability
Does your org make it easy to contact you?
What is your tone of writing? What does your outgoing communication look like?
Rein in your attitude, language, etc…
"I am using an online translator" (great idea!)
What is your department's reputation? Create an assessment of your department…
"I didn't know there was humans in security?"
Interest
Be interested in solving the problem.
Make interaction a 'safe space'. No judging, mocking
LOL, "EE Cummings" https://poets.org/poem/amores-i
Listening
Pay attention to what the end user doesn't say.
Don't interrupt the end user
Interviewing
Repeat back what the user said or asked
Tone: Ask clarification questions, not accusatory questions
Searching
Did security fail the user?
Answering
Teachable moments
Building trust/relationship equity
"While you're on the phone…"
"Thank you for your time"
Follow-Up
Think of ways to create a culture of security
Create canned emails
Random acts of kindness
cyberCupcakes!!!! Or potentially small-value gift cards(?)
Kindness as currency
Christmas cookies
Spreading goodwill, building relationship equity
Reciprocity
Lunch and learns
People can't be educated into vaccinations, but behavioral nudges help
"Telling people facts won't change behavior"

Sep 22, 2019 · 1h 23m

2019-033-Part 2 of the Kubernetes security audit discussion (Jay Beale & Aaron Small)

Topics: Infosec Campout report
Jay Beale (co-lead for audit) *Bust-a-Kube*
Aaron Small (product mgr at GKE/Google)
Atredis Partners
Trail of Bits
What was the Audit? How did it come about? Who were the players?
Kubernetes Working Group: Aaron, Craig, Jay, Joel
Outside vendors:
Atredis: Josh, Nathan Keltner
Trail of Bits: Stefan Edwards, Bobby Tonic, Dominik
Kubernetes Project Leads/Devs
Interviewed devs -- this was much of the info that went into the threat model
Rapid Risk Assessments - let's put the GitHub repository in the show notes
What did it produce?
Vuln Report
Threat Model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf
White Papers https://github.com/kubernetes/community/tree/master/wg-security-audit/findings
Discuss the results:
Threat model findings
Controls silently fail, leading to a false sense of security: Pod Security Policies, Egress Network Rules
Audit model isn't strong enough for non-repudiation: by default, API server doesn't log user movements through system
TLS Encryption weaknesses
Most components accept cleartext HTTP
Bootstrapping to add Kubelets is particularly weak
Multiple components do not check certificates and/or use self-signed certs
HTTPS isn't enforced
Certificates are long-lived, with no revocation capability
Etcd doesn't authenticate connections by default
Controllers all bundled together
Confused Deputy: b/c lower-priv controllers are bundled in the same binary as higher
Secrets not encrypted at rest by default
Etcd doesn't have signatures on its write-ahead log
DoS attack: you can set anti-affinity on your pods to get nothing else scheduled on their nodes
Port 10255 has an unauthenticated HTTP server for status and health checking
Vulns / Findings (not complete list, but interesting)
Hostpath pod security policy bypass via persistent volumes
TOCTOU when moving PID to manager's group
Improperly patched directory traversal in kubectl cp
Bearer tokens revealed in logs
Lots of MitM risk:
SSH not checking fingerprints: InsecureIgnoreHostKey
gRPC transport seems all set to WithInsecure()
HTTPS connections not checking certs
Some HTTPS connections are unauthenticated
Output encoding on JSON construction - this might lead to further work, as JSON can get written to logs that may be consumed elsewhere.
Non-constant-time check on passwords
Lack of re-use / library-ification of code
Who will use these findings and how? Devs, Google, bad guys?
Any new audit tools created from this?
Brad Geesaman "Hacking and Hardening Kubernetes Clusters by Example [I]" - Brad Geesaman, Symantec https://www.youtube.com/watch?v=vTgQLzeBfRU
Aaron Small:
https://cloud.google.com/blog/products/gcp/precious-cargo-securing-containers-with-kubernetes-engine-18
https://cloud.google.com/blog/products/gcp/exploring-container-security-running-a-tight-ship-with-kubernetes-engine-1-10
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
CNCF: https://www.youtube.com/watch?v=90kZRyPcRZw
Findings:
Scope for testing:
Source code review (what languages did they have to review?) Golang, shell, ...
Networking (discuss the networking *internal* *external*)
Cryptography (TLS, data stores)
AuthN/AuthZ
RBAC (which roles were tested? Just admin/non-admin? *best practice is no admin/least priv*)
Secrets
Namespace traversals
Namespace claims
Methodology:
Set up a bunch of environments? Primarily set up a single environment IIRC
Combination of code audit and active ?fuzzing? What does one fuzz on a K8s environment?
Tested with latest alpha or production versions? Version 1.13 or 1.14 - version locked at whatever was current - K8S releases a new version every 3 months, so this is a challenge and means we have to keep auditing.
Tested multiple different types of k8s implementations? Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)
Bug Bounty program: https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md

Sep 16, 2019 · 44 min

the last Derbycon Brakesec podcast


This evening, we all came together to spend a bit of time talking about the final Derbycon. We talk to Mic Douglas about his 9 Derbycon appearances, and Gary Rimar (piano player extraordinaire) talks about @litmoose's talk on how to tell C-levels that their applications aren't good. We also got asked about how the show came about, and how we found each other. **Apologies for the echo in some parts... I did what I could to clean it up, but we were too close and the mics got a bit overzealous...**

Sep 7, 2019 · 50 min

2019-032-kubernetes security audit discussion with Jay Beale and Aaron Small

Topics: Infosec Campout report
Derbycon Pizza Party (with podcast show!) https://www.eventbrite.com/e/brakesec-pizza-party-at-the-derbycon-mental-health-village-tickets-69219271705
Mental health village at Derbycon
Jay Beale (co-lead for audit) *Bust-a-Kube*
Aaron Small (product mgr at GKE/Google)
Atredis Partners
Trail of Bits
What was the Audit? How did it come about? Who were the players?
Kubernetes Working Group: Aaron, Craig, Jay, Joel
Outside vendors:
Atredis: Josh, Nathan Keltner
Trail of Bits: Stefan Edwards, Bobby Tonic, Dominik
Kubernetes Project Leads/Devs
Interviewed devs -- this was much of the info that went into the threat model
Rapid Risk Assessments - let's put the GitHub repository in the show notes
What did it produce?
Vuln Report
Threat Model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf
White Papers https://github.com/kubernetes/community/tree/master/wg-security-audit/findings
Discuss the results:
Threat model findings
Controls silently fail, leading to a false sense of security: Pod Security Policies, Egress Network Rules
Audit model isn't strong enough for non-repudiation: by default, API server doesn't log user movements through system
TLS Encryption weaknesses
Most components accept cleartext HTTP
Bootstrapping to add Kubelets is particularly weak
Multiple components do not check certificates and/or use self-signed certs
HTTPS isn't enforced
Certificates are long-lived, with no revocation capability
Etcd doesn't authenticate connections by default
Controllers all bundled together
Confused Deputy: b/c lower-priv controllers are bundled in the same binary as higher
Secrets not encrypted at rest by default
Etcd doesn't have signatures on its write-ahead log
DoS attack: you can set anti-affinity on your pods to get nothing else scheduled on their nodes
Port 10255 has an unauthenticated HTTP server for status and health checking
Vulns / Findings (not complete list, but interesting)
Hostpath pod security policy bypass via persistent volumes
TOCTOU when moving PID to manager's group
Improperly patched directory traversal in kubectl cp
Bearer tokens revealed in logs
Lots of MitM risk:
SSH not checking fingerprints: InsecureIgnoreHostKey
gRPC transport seems all set to WithInsecure()
HTTPS connections not checking certs
Some HTTPS connections are unauthenticated
Output encoding on JSON construction - this might lead to further work, as JSON can get written to logs that may be consumed elsewhere.
Non-constant-time check on passwords
Lack of re-use / library-ification of code
Who will use these findings and how? Devs, Google, bad guys?
Any new audit tools created from this?
Brad Geesaman "Hacking and Hardening Kubernetes Clusters by Example [I]" - Brad Geesaman, Symantec https://www.youtube.com/watch?v=vTgQLzeBfRU
Aaron Small:
https://cloud.google.com/blog/products/gcp/precious-cargo-securing-containers-with-kubernetes-engine-18
https://cloud.google.com/blog/products/gcp/exploring-container-security-running-a-tight-ship-with-kubernetes-engine-1-10
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
CNCF: https://www.youtube.com/watch?v=90kZRyPcRZw
Findings:
Scope for testing:
Source code review (what languages did they have to review?) Golang, shell, ...
Networking (discuss the networking *internal* *external*)
Cryptography (TLS, data stores)
AuthN/AuthZ
RBAC (which roles were tested? Just admin/non-admin? *best practice is no admin/least priv*)
Secrets
Namespace traversals
Namespace claims
Methodology:
Set up a bunch of environments? Primarily set up a single environment IIRC
Combination of code audit and active ?fuzzing? What does one fuzz on a K8s environment?
Tested with latest alpha or production versions? Version 1.13 or 1.14 - version locked at whatever was current - K8S releases a new version every 3 months, so this is a challenge and means we have to keep auditing.
Tested multiple different types of k8s implementations? Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)
Bug Bounty program: https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md

Aug 31, 2019, 47 min

2019-031- Dissecting a Social engineering attack (Part 2)

Intro - Ms. DirInfosec "Anna"
Call centers suffer from wanting to give good customer service and needing to move the call along. Metrics are tailored to support an environment conducive to these kinds of attacks.
https://en.wikipedia.org/wiki/Social_engineering_(security)
Social engineering will prey on people's altruism:
  "Pregnant woman needing help through the security door"
  "Person on crutches"
  "Delivery person with arms full"
  "Can't remember information, others filling in missing bits"
Call center reps are _paid_ to be helpful. "Customer is never wrong"
Creating a sense of urgency to spur action
Real-life scenario: "Bob calls asking about status of an order"

Questions:
  What were you doing for training prior to these calls? (it's alright if you weren't doing anything) :)
  Pre-training audio (#1 and #2)
  What was their reaction about the calls received?
  Did the training take the first time?
  What difficulties did you have after the first training?
  'Getting better' audio (#3)
  Fake calls? Show examples?
  Talk about the training, what kind of training:
  Post audio (#4 and #5)
  How did your call center reps handle the training?
  From a business standpoint, what had to be changed to accommodate the new processes?

https://www.pindrop.com/blog/tackling-113-fraud-increase-call-centers-webinar-recap/
https://www.bai.org/banking-strategies/article-detail/beating-crooks-at-call-center-fraud
@consultingCSO on Twitter

Aug 16, 2019, 50 min

2019-030-news, breach of PHI, sephora data breach

https://www.infosecurity-magazine.com/news/95-test-problems/
https://www.databreaches.net/a-misconfigured-aws-bucket-exposed-personal-and-counseling-logs-of-almost-300000-indian-employees/
https://www.scmagazine.com/home/security-news/data-breach/sephora-reports-data-breach-but-few-details/
https://www.infosecurity-magazine.com/news/93-of-organizations-cite-phishing/
https://tresorit.com/blog/the-top-6-takeaways-from-the-2019-cost-of-a-data-breach-report/
Good links:
  https://github.com/RedTeamOperations/PivotSuite
  https://www.reddit.com/r/security/comments/cks2jd/12gb_of_powershell_malware/

Aug 9, 2019, 53 min

2019-029-dissecting a real Social engineering attack (part 1)

Intro - Ms. DirInfosec "Anna"
Call centers suffer from wanting to give good customer service and needing to move the call along. Metrics are tailored to support an environment conducive to these kinds of attacks.
https://en.wikipedia.org/wiki/Social_engineering_(security)
Social engineering will prey on people's altruism:
  "Pregnant woman needing help through the security door"
  "Person on crutches"
  "Delivery person with arms full"
  "Can't remember information, others filling in missing bits"
Call center reps are _paid_ to be helpful. "Customer is never wrong"
Creating a sense of urgency to spur action
Real-life scenario: "Bob calls asking about status of an order"

Questions:
  What were you doing for training prior to these calls? (it's alright if you weren't doing anything) :)
  Pre-training audio (#1 and #2)
  What was their reaction about the calls received?
  Did the training take the first time?
  What difficulties did you have after the first training?
  'Getting better' audio (#3)
  Fake calls? Show examples?
  Talk about the training, what kind of training:
  Post audio (#4 and #5)
  How did your call center reps handle the training?
  From a business standpoint, what had to be changed to accommodate the new processes?

https://www.pindrop.com/blog/tackling-113-fraud-increase-call-centers-webinar-recap/
https://www.bai.org/banking-strategies/article-detail/beating-crooks-at-call-center-fraud
@consultingCSO on Twitter

Aug 1, 2019, 47 min

2019-028-fileless_malware_campaign,privacy issues with email integration-new_zip_bomb_record

Fileless malware campaign:
  https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/
  https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/fileless-threats
  https://www.andreafortuna.org/2017/12/08/what-is-reflective-dll-injection-and-how-can-be-detected/
  https://www.extremetech.com/computing/294852-new-zip-bomb-stuffs-4-5pb-of-data-into-46mb-file
  https://articles.forensicfocus.com/2019/07/15/finding-and-interpreting-windows-firewall-rules/
  https://www.theregister.co.uk/2019/02/11/google_gmail_developer/
Privacy issues: companies integrating with email systems
  Pulling all information from the inboxes
  Collecting that information
  Storing it for long periods of time ('training the AI')
  Check for SOC2 and press them on their data storage and privacy policies
  Have language in your 3rd-party agreements to understand sharing and collection
Cool Tools:
  https://github.com/AxtMueller/Windows-Kernel-Explorer
  https://github.com/TheSecondSun/Revssl

Jul 24, 2019, 59 min

2019-027-GDPR fines for British Airways, FTC fines Facebook, Zooma-palooza

MITRE Pre-ATT&CK techniques: https://attack.mitre.org/techniques/pre/
https://www.bbc.com/news/business-48905907
Zoom - https://www.wired.com/story/zoom-flaw-web-server-fix/

Jul 14, 2019, 43 min

2019-026-Ben Johnson discusses hanging your shingle, going independent

Starting a new business (hanging the shingle)
What's a way to become an independent consultant? Especially if you don't have a reputation?
Ben's reading list:
  "Mindset: The New Psychology of Success"
  "Essentialism"
  "Extreme Ownership"
  "Team of Teams"

Jul 9, 2019, 38 min

2019-025-Ben Johnson discusses identity rights management, and controlling your AuthN/AuthZ issues

Identity analytics
"Identity analytics is the next evolution of the IGA (Identity Governance & Administration) market. Identity professionals can use this emerging set of solutions combining big data and advanced analytics to increase identity-related risk awareness and enhance IAM processes such as access certification, access request and role management." -- Gartner
Identity-related risk awareness
Access certification is the process of validating access rights within systems. ... With access certification, organizations and regulations aim to formally validate users within systems and ensure their access rights are appropriate.
Access request - a system must validate that a user has need-to-know
Role management - users must be validated in a particular role or roles (admin, superuser, backup controller, launch manager, code committer)

What kind of threats are you protecting against?
What do you solve that proper administration of users doesn't already?
How does technology like this improve IAM processes?
If it gathers heuristics, what happens when a user changes? (loses an arm, finger, or sneezes during password login, or just ages?)
Where is the best fit for these kinds of systems? Where should you put these systems if you're in a blended environment? And how does this work with systems like Active Directory?
Privacy issues… what, if any, do you have to deal with in this case? That was my next question
Entitlements? What's the difference between AuthN?
Identity creep - Ben gave a talk on it: https://www.brighttalk.com/webcast/17685/362274
Does this monitor, or will it also prevent? If it doesn't, can it send alerts to your IPS to isolate?
"Blast radius"
https://whatis.techtarget.com/definition/behavioral-biometrics

Jul 2, 2019, 41 min

2019-024-Tanya_Janca-mentorship-WoSec_organizations_what-makes-a-good-mentor

Tanya Janca (@shehackspurple)
DevOps tools for free/cheap. They are all on GitHub, right, so they are all free? Python, Docker, k8s, Jenkins
  Licensing can be a problem
  Free-mium software, or trialware, is useful?
OWASP DevSlop Module
  Nicole Becker
  Pixie - insecure Instagram
  "Betty Coin"
  SSLlabs - Qualys
Mentoring Monday:
  What is "Mentoring Monday"?
  What does it take to be a good mentor?
  Should a mentee have a goal in mind? Something other than "I want to be just like you"?
  Do you assist in creating the relationship? What if they don't meld?
  Are there any restrictions? Any place in someone's career?
  How do you apply?
Advocating - Leading Cyber Ladies: https://twitter.com/LadiesCyber
WoSec International - https://twitter.com/WoSECtweets
  19 chapters worldwide: Africa, No. America, Europe
  Goal? (hacker workshops)
  Submitting talks at cons
  Outreach (how would people get involved)
  Mentorship involved in this?
Global AppSec
Videos on YouTube: OWASP DevSlop: https://www.youtube.com/channel/UCSmjcWvgVBqF3x_7e5rfe3A
Blog site: https://dev.to/shehackspurple

Jun 24, 2019, 53 min

2019-023-Tanya Janca, Dev Slop, DevOps tools for free or cheap

Announcements:
  InfoSec Campout Conference (Eventbrite, social contract, etc): https://www.infoseccampout.com
  All Day DevOps (https://www.alldaydevops.com) free talks online... Next conference starts 06 November 2019
------
Tanya Janca (@shehackspurple)
@wosectweets - Women of Security
DevOps tools for free/cheap. They are all on GitHub, right, so they are all free? Python, Docker, k8s, Jenkins
  Licensing can be a problem
  Free-mium software, or trialware, is useful?
OWASP DevSlop Module
  Nicole Becker
  Pixie - insecure Instagram
  "Betty Coin"
  SSLlabs - Qualys
Mentoring Monday:
  What is "Mentoring Monday"?
  What does it take to be a good mentor?
  Should a mentee have a goal in mind? Something other than "I want to be just like you"?
  Do you assist in creating the relationship? What if they don't meld?
  Are there any restrictions? Any place in someone's career?
  How do you apply?
Advocating and being a good ally
Leading Cyber Ladies: https://twitter.com/LadiesCyber
WoSec International - https://twitter.com/WoSECtweets
  19 chapters worldwide: Africa, No. America, Europe
  Goal? (hacker workshops)
  Submitting talks at cons
  Outreach (how would people get involved)
  Mentorship involved in this?
Global AppSec
Videos on YouTube: OWASP DevSlop: https://www.youtube.com/channel/UCSmjcWvgVBqF3x_7e5rfe3A
Blog site: https://dev.to/shehackspurple

Jun 18, 2019, 40 min

2019-022-Chris Sanders-Rural_Tech_Fund-embracing_the_ATT&CK_Matrix

ANNOUNCEMENTS: INFOSEC CAMPOUT TICKETS ARE STILL ON SALE. Go to https://www.infoseccampout.com for the Eventbrite link and more information.

Part 2 of our discussion with Chris Sanders (@chrissanders88)
Topics discussed:
  Companies dropping existing frameworks for the ATT&CK Matrix, why?
  Rural Technology Fund - what it is, how it works, who can help make it more awesome.

https://chrissanders.org/2019/05/infosec-mental-models/
"I've argued for some time that information security is in a growing state of cognitive crisis…"
  Demand outweighs supply: because so many organizations need experience, they are unable to appropriately invest in entry-level jobs and devote the necessary time for internal training.
    That's an HR and hiring manager issue, right? --brbr
    No. --bboettcher
  Information cannot be validated or trusted: there are few authoritative sources of knowledge about critical components and procedures.
  Large systemic issues persist with no ability to tackle them in a large, mobilized, or strategic manner. The industry is unable to organize or widely combat the biggest issues they face.
    Groups of individuals, everyone thinking they have the 'right answer', just like linux flavors --brbr
https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html
https://www.helpnetsecurity.com/2018/07/10/windows-shimcache-threat-hunting/
Dependence on tools: http://traffic.libsyn.com/brakeingsecurity/2016-006-Moxie_vs_Mechanism-dependence_on_tools.mp3
https://en.wikipedia.org/wiki/Cognitive_revolution
https://buzzmachine.com/2019/04/25/a-crisis-of-cognition/
How do we solve it?
  We must thoroughly understand the processes used to draw conclusions. S.M.A.R.T.?
  Experts must develop repeatable, teachable methods and techniques.
  Educators must build and advocate pedagogy that teaches practitioners how to think.
https://www.maximumfun.org/shows/sawbones - Sawbones podcast (Amanda mentioned)
Mental model? We use them all the time? Gotta simplify the complex...
  Distribution and the Bell Curve
  Operant Conditioning
  https://www.latimes.com/science/la-sci-emotional-stereotypes-about-women-20190530-story.html
  The Scientific Method
Applied Models
  13 Organ Systems
  4 Vital Signs
  10 Point Pain Scale
  Defense in Depth
  OSI model
  Investigation Process
  https://en.wikipedia.org/wiki/Inductive_reasoning
Model Desperation
  Companies dumping existing models and embracing something else
  The problem is that we're model hungry and we'll rapidly use and abuse any reasonable model that presents itself. Ultimately, we want good models because we want a robust toolbox. But, not everything is a job for a hammer and we don't need fourteen circular saws.
What makes a good model?
  Simple
  Useful
  Imperfect? (wuh?) --brbr
Creating models
  Begins by asking a question… (what is the weather going to look like tomorrow? --brbr)
  What defines the sandwich? (kind of like https://en.wikipedia.org/wiki/Theory_of_forms --brbr)
Discuss the Rural Tech Fund: https://twitter.com/RuralTechFund https://ruraltechfund.org/
Practical Threat Hunting - https://twitter.com/chrissanders88/status/1133388347194454018
Practical Packet Analysis - https://nostarch.com/packetanalysis3
Suggested books:
  https://www.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555
  https://www.amazon.com/Undoing-Project-Friendship-Changed-Minds/dp/0393354776
More references on Chris' site: https://chrissanders.org/2019/05/infosec-mental-models/
Book Club:
  Cult of the Dead Cow - June
  Tribe of Hackers - July
  The Mastermind - August
  The Cuckoo's Egg - September

Jun 9, 2019, 1h 1m

2019-021-Chris Sanders discusses a cognitive crisis, mental models, and dependence on tools

https://chrissanders.org/2019/05/infosec-mental-models/
"I've argued for some time that information security is in a growing state of cognitive crisis…"
  Demand outweighs supply: because so many organizations need experience, they are unable to appropriately invest in entry-level jobs and devote the necessary time for internal training.
    That's an HR and hiring manager issue, right? --brbr
    No. --bboettcher
  Information cannot be validated or trusted: there are few authoritative sources of knowledge about critical components and procedures.
  Large systemic issues persist with no ability to tackle them in a large, mobilized, or strategic manner. The industry is unable to organize or widely combat the biggest issues they face.
    Groups of individuals, everyone thinking they have the 'right answer', just like linux flavors --brbr
https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html
https://www.helpnetsecurity.com/2018/07/10/windows-shimcache-threat-hunting/
Dependence on tools: http://traffic.libsyn.com/brakeingsecurity/2016-006-Moxie_vs_Mechanism-dependence_on_tools.mp3
https://en.wikipedia.org/wiki/Cognitive_revolution
https://buzzmachine.com/2019/04/25/a-crisis-of-cognition/
How do we solve it?
  We must thoroughly understand the processes used to draw conclusions. S.M.A.R.T.?
  Experts must develop repeatable, teachable methods and techniques.
  Educators must build and advocate pedagogy that teaches practitioners how to think.
https://www.maximumfun.org/shows/sawbones - Sawbones podcast (Amanda mentioned)
Mental model? We use them all the time? Gotta simplify the complex...
  Distribution and the Bell Curve
  Operant Conditioning
  https://www.latimes.com/science/la-sci-emotional-stereotypes-about-women-20190530-story.html
  The Scientific Method
Applied Models
  13 Organ Systems
  4 Vital Signs
  10 Point Pain Scale
  Defense in Depth
  OSI model
  Investigation Process
  https://en.wikipedia.org/wiki/Inductive_reasoning
Model Desperation
  Companies dumping existing models and embracing something else
  The problem is that we're model hungry and we'll rapidly use and abuse any reasonable model that presents itself. Ultimately, we want good models because we want a robust toolbox. But, not everything is a job for a hammer and we don't need fourteen circular saws.
What makes a good model?
  Simple
  Useful
  Imperfect? (wuh?) --brbr
Creating models
  Begins by asking a question… (what is the weather going to look like tomorrow? --brbr)
  What defines the sandwich? (kind of like https://en.wikipedia.org/wiki/Theory_of_forms --brbr)
Discuss the Rural Tech Fund: https://twitter.com/RuralTechFund https://ruraltechfund.org/
Practical Threat Hunting - https://twitter.com/chrissanders88/status/1133388347194454018
Practical Packet Analysis - https://nostarch.com/packetanalysis3
Suggested books:
  https://www.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555
  https://www.amazon.com/Undoing-Project-Friendship-Changed-Minds/dp/0393354776
More references on Chris' site: https://chrissanders.org/2019/05/infosec-mental-models/
Book Club:
  Cult of the Dead Cow - June
  Tribe of Hackers - July
  The Mastermind - August
  The Cuckoo's Egg - September

Jun 4, 2019, 47 min

2019-020-email_security_controls-windows_scheduler

Bryan got phished (almost) - story time!
https://isc.sans.edu/forums/diary/Do+you+block+new+domain+names/17564/
Through OpenDNS: https://learn-umbrella.cisco.com/product-videos/newly-seen-domains-in-cisco-umbrella
  "Available January 2017, Umbrella filters newly seen or created domains. By using new domains to host malware and other threats, attackers can outsmart security systems that rely on reputation scores or possibly outdated block lists. Umbrella now stops these domains before they even load."
  Also "unknown" category? Pros/cons
  Good filter time for domains?
Amanda: Windows logging issues, well…. FUCKING EVERYTHING CREATES TASKS IN SCHEDULER
https://www.microsoft.com/en-us/windowsforbusiness/windows-atp
Breach news:
  https://www.dutchnews.nl/news/2019/05/hackers-steal-key-info-about-home-hunters-from-housing-agency/
  FTA: "The hackers now have their name, address, contact information and copies of their passport or ID card, which includes their personal identification number, or BSN. This is sufficient to allow the hackers to open bank accounts or take out loans by using other people's identity."
  https://www.bleepingcomputer.com/news/security/over-757k-fraudulently-obtained-ipv4-addresses-revoked-by-arin/
    Mostly colos, data centers, 'aaS' providers; many in the Mid-West
Book Club:
  Cult of the Dead Cow - June
  Tribe of Hackers - July
  The Mastermind - August
  The Cuckoo's Egg - September
https://www.infoseccampout.com
EventBrite link: https://www.eventbrite.com/e/infosec-campout-tickets-61915087694

May 29, 2019, 1h 3m

2019-019-Securing your RDP and ElasticSearch, InfoSec Campout news

https://static1.squarespace.com/static/556340ece4b0869396f21099/t/5cc9ff79c830253749527277/1556742010186/Red+Team+Practice+Lead.pdf https://www.reddit.com/r/netsec/comments/bonwil/prevent_a_worm_by_updating_remote_desktop/ https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/ https://security.berkeley.edu/resources/best-practices-how-articles/system-application-security/securing-remote-desktop-rdp-system https://www.bleepingcomputer.com/news/security/unsecured-survey-database-exposes-info-of-8-million-people/ https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html https://www.elastic.co/blog/found-elasticsearch-security https://dzone.com/articles/securing-your-elasticsearch-cluster-properly Auth is possible, using reverse proxy… this is basic auth :( https://github.com/Asquera/elasticsearch-http-basic Here's one that uses basic auth and LDAP: https://mapr.com/blog/how-secure-elasticsearch-and-kibana/ 2fa setup: https://www.elastic.co/guide/en/cloud/current/ec-account-security.html Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! 

May 20, 2019 (53 min)

2019-018-Lessons I learned, github breach, ransoming github repos

Things I learned this week:
Dumping Windows credentials: https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
Docker Hub breach: https://www.helpnetsecurity.com/2019/04/29/docker-hub-breach/
Git repositories wiped and held for ransom: https://www.zdnet.com/article/a-hacker-is-wiping-git-repositories-and-asking-for-a-ransom/
MITRE ATT&CK T1003 (Credential Dumping): https://attack.mitre.org/techniques/T1003/
https://github.com/giMini/PowerMemory
LSASS: https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service
MITRE ATT&CK T1208 (Kerberoasting): https://attack.mitre.org/techniques/T1208/

May 14, 2019 (39 min)

2019-017-K8s Security, Kamus, interview with Omer Levi Hevroni

K8s security with Omer Levi Hevroni (@omerlh)
service tickets - Super-Dev
Omer's requirements for storing secrets: GitOps enabled, Kubernetes native, secure, "one-way encryption"
Omer's slides and YouTube video:
https://www.slideshare.net/SolutoTLV/can-kubernetes-keep-a-secret
https://www.youtube.com/watch?v=FoM3u8G99pc&&index=14&t=0s

Talk abstract: We've all experienced it: you're working on a task, adding some code, and then you need to store some sensitive configuration value. It could be an API key, client secret or an encryption key ― something that's highly sensitive and must be kept secret. And this is where things get messy. Usually, secret storage is highly coupled with how the code is deployed, and different platforms have different solutions. Kubernetes has a promise to simplify this process by using the native secret object, which, as the name implies, can be used to store secrets or sensitive configurations. Unfortunately, Kubernetes secrets are fundamentally broken, and a developer who tries to use them will definitely have some issues. But no need to worry ― there are solid alternatives for storing secrets securely on the Kubernetes platform. One solution is to use Kamus, an open-source, git-ops solution created by Soluto for managing secrets on Kubernetes. Kamus can encrypt a secret so it can be decrypted only by your app at runtime - and not by anyone else. The first part of this session will cover the challenges faced when using Kubernetes secrets (from a usability and security point of view). The second part will discuss some of the existing solutions (Sealed Secrets, Helm Secrets and others), their pros and cons, and then feature Kamus: how it works, what problems it solves, how it differs from other solutions, and what threats it can help mitigate (and what threats it can't). The talk will cover all that is required to know so you can run Kamus on your own cluster and use it for secret management. Join me for this session to learn how you can build a Kubernetes cluster that can keep a secret ― for real.
Speaker: Omer Levi Hevroni

Kubernetes Secrets: bad, because manifest files hold the user/password and they are only Base64-encoded (encoding, not encryption). Could be uploaded to git = super bad.
https://kubernetes.io/docs/concepts/configuration/secret/
https://docs.travis-ci.com/user/encryption-keys/
Kamus threat model on GitHub: https://kamus.soluto.io/docs/threatmodeling/threats_controls/
https://medium.com/@BoweiHan/an-introduction-to-serverless-and-faas-functions-as-a-service-fb5cec0417b2 - "FaaS is a relatively new concept that was first made available in 2014 by hook.io and is now implemented in services such as AWS Lambda, Google Cloud Functions, IBM OpenWhisk and Microsoft Azure Functions."
Best practices: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
https://github.com/owasp-cloud-security/owasp-cloud-security
Threat modeling as code: https://www.omerlh.info/2019/01/19/threat-modeling-as-code/
https://telaviv.appsecglobal.org/
Kamus: https://github.com/Soluto/kamus https://kamus.soluto.io
Infosec Campout = www.infoseccampout.com
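The "Base64 in a manifest" point above, as an added example (not Kamus code, and the manifests are constructed): the first function recovers the plaintext from a committed Secret the same way anyone with read access to the repo can, and the second is the check a pre-commit hook would run to reject manifests that carry Secret material inline. The manifests are in JSON form, which kubectl accepts and `kubectl get secret -o json` emits, so the example runs on the standard library alone.

```python
"""Show why a committed Kubernetes Secret manifest is a plaintext leak:
'data' values are base64 (a reversible encoding), not encryption.  Added
example; the manifests below are constructed, not taken from Kamus."""
import base64
import json

# Constructed: the kind of file a developer drops into a git repo.
LEAKY_MANIFEST = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "shop"},
    "type": "Opaque",
    "data": {
        "username": base64.b64encode(b"app_user").decode(),
        "password": base64.b64encode(b"Tr0ub4dor&3").decode(),
    },
})

# Constructed: a Deployment that references the Secret by name but contains none of it.
CLEAN_MANIFEST = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "shop-api", "namespace": "shop"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "env": [{"name": "DB_PASSWORD", "valueFrom": {
            "secretKeyRef": {"name": "db-creds", "key": "password"}}}],
    }]}}},
})


def decode_secret(manifest_json):
    """Return the Secret's values as plaintext: exactly what anyone with read
    access to the repo (or to the cluster's Secret objects) obtains."""
    obj = json.loads(manifest_json)
    if obj.get("kind") != "Secret":
        raise ValueError("not a Secret object")
    plain = {k: base64.b64decode(v).decode() for k, v in obj.get("data", {}).items()}
    plain.update(obj.get("stringData", {}))  # stringData is not even encoded
    return plain


def find_inline_secrets(files):
    """files: {path: manifest_json}.  Return the paths that carry Secret
    material inline, i.e. what a pre-commit hook should reject before the
    values reach git history."""
    flagged = []
    for path, text in files.items():
        try:
            obj = json.loads(text)
        except json.JSONDecodeError:
            continue  # not a manifest we can read; a real hook would also parse YAML
        if obj.get("kind") == "Secret" and (obj.get("data") or obj.get("stringData")):
            flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    print(decode_secret(LEAKY_MANIFEST))
    print(find_inline_secrets({"k8s/secret.json": LEAKY_MANIFEST,
                               "k8s/deploy.json": CLEAN_MANIFEST}))
```

Once a value like this has been pushed, removing the file does not help; it stays in history, which is why the talk's GitOps requirement is that what lands in the repo must be something only the application at runtime can decrypt.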

May 5, 2019 (49 min)

2019-016-Conference announcement, and password spray defense

Agenda:
Announce the conference: CFP up soon, CFW up soon
Campers: Friday night/Saturday night. Like "toorcamp", but if it sucks, you can drive home… :D
Limiting tickets, looking for sponsors
To support the conference and future initiatives: "Infosec Education Foundation", a 501(c)(3) non-profit (we are working on the charity part)
www.infoseccampout.com
Password spraying: https://github.com/dafthack/DomainPasswordSpray
Stories:
https://blog.stealthbits.com/using-stealthdefend-to-defend-against-password-spraying/
http://blog.quadrasystems.net/post/password-spray-attacks-and-four-sure-steps-to-disrupt-them
https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/simplifying-password-spraying/
Detecting one-to-many… and at what point/threshold during an attack would it be a PITA for the red team to slow down to?
Annoying NXLog CE limitation
Log-MD can help detect? Yep
CTF Club is happening again. Pinkie Pie is running it. Saturdays at 2-3 pm
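The "detecting one-to-many" question above, as an added example (not from the episode or from any of the linked posts): a spray shows up as one source failing against many distinct accounts with only one or two attempts each, which is the opposite shape from a brute force on a single account. The events are constructed in a simplified tab-separated export (event ID, time, target user, source address), not real Security.evtx records, and the window and thresholds are assumptions to tune.

```python
"""Detect one-to-many password spraying in Windows logon-failure events:
many distinct accounts, each tried once or twice, from one source inside a
short window.  Added example; the events are constructed in a simplified
tab-separated export, not real Security.evtx records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: 10.9.8.7 sprays eight accounts in two minutes; 10.1.1.50 hammers
# one account (brute force, not a spray); 10.1.1.51 is a single typo.
SAMPLE_EVENTS = """\
4625\t2019-04-27T02:00:01\talice\t10.9.8.7
4625\t2019-04-27T02:00:04\tbob\t10.9.8.7
4625\t2019-04-27T02:00:09\tcarol\t10.9.8.7
4771\t2019-04-27T02:00:15\tdave\t10.9.8.7
4625\t2019-04-27T02:00:22\terin\t10.9.8.7
4625\t2019-04-27T02:00:30\tfrank\t10.9.8.7
4625\t2019-04-27T02:01:02\tgrace\t10.9.8.7
4625\t2019-04-27T02:01:10\theidi\t10.9.8.7
4625\t2019-04-27T08:15:00\talice\t10.1.1.50
4625\t2019-04-27T08:15:20\talice\t10.1.1.50
4625\t2019-04-27T08:15:40\talice\t10.1.1.50
4625\t2019-04-27T08:16:00\talice\t10.1.1.50
4625\t2019-04-27T09:00:00\tbob\t10.1.1.51
"""

# 4625: an account failed to log on; 4771: Kerberos pre-authentication failed (DC side)
FAILURE_IDS = {"4625", "4771"}


def parse_events(text):
    """Return sorted (timestamp, user, source_ip) tuples for failure events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, ts, user, ip = line.split("\t")
        if event_id in FAILURE_IDS:
            events.append((datetime.fromisoformat(ts), user.lower(), ip))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source_ip: sorted targeted users} for every source that, within
    some 'window', failed against >= min_users distinct accounts with no single
    account tried more than max_per_user times."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, seq in by_ip.items():
        targeted = set()
        start = 0
        for end in range(len(seq)):
            # slide the window start forward until seq[start..end] fits in 'window'
            while seq[end][0] - seq[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in seq[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                targeted.update(per_user)
        if targeted:
            hits[ip] = sorted(targeted)
    return hits


if __name__ == "__main__":
    print(detect_spray(parse_events(SAMPLE_EVENTS)))
```

The window is the knob the show's question is really about: an attacker who spaces attempts wider than it never trips the rule, while widening it far enough to catch a slow spray starts flagging NAT gateways and VPN concentrators, where many real users legitimately mistype from one address.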

Apr 29, 2019 (46 min)

2019-015-Kevin_johnson-incident_response_aftermath

Announcements: https://www.workshopcon.com/ - SpecterOps (Red Team Operations) and Tim Tomes (PWAPT)
BSides Nashville
https://blog.secureideas.com/2019/04/we-take-security-seriously-and-other-trite-statements.html - "We take security seriously and other trite statements"
WordPress infrastructure (supply chain failure): a WordPress plugin, WooCommerce, was at fault.
Vuln from late last year: https://www.bleepingcomputer.com/news/security/wordpress-design-flaw-woocommerce-vulnerability-leads-to-site-takeover/
"According to new research by Simon Scannell, a researcher for PHP Security firm RIPS Tech, when WooCommerce is installed it will create a Shop Manager role that has the "edit_users" WordPress capability/permission. This capability allows users to edit ANY WordPress user, including the Administrator account."
https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/
You (Kevin) discovered the admin accounts, but could not remove them. Was that when you considered this an 'incident'?
Timeline: "[2019-03-22 09:03 EST] Kevin assigns members of the Secure Ideas team with reconnaissance and mapping of the AoM system. Kevin reminds these members that Secure Ideas doesn't have permission to test AoM. They are advised not to do anything that could harm the AoM's production environment."
What is the line they should not cross in this case?
You did not have access to logs; you asked that an audit plugin be installed to be able to view logs. Is that permanent, and why did they not allow access to logs prior to this?
"[2019-03-22 13:11 EST] AoM Support fixes the audit log plugin access. AoM Support has found that a purchase of a course through a Woocommerce plugin resulted in users being granted admin access. AoM Support provides specific order numbers. They have also done an analysis of the database backups from the last 60 days and believe that the attackers did not do anything after they got access."
AoM Support announces that the Secure Ideas training site will be set up on a separate server and Secure Ideas will be granted a new level of access.
Seems like working with AoM wasn't difficult. Was giving you access to your own instance, and allowing you to administer it, a big deal for them?
Lessons learned? Anything you'd do differently next time? Update the IR plan? Did they reach out for additional testing? Did the people who got admin get removed? Consult with AoM on better security implementation? Your env wasn't damaged, but did they suffer issues with other customers? *answered*
https://www.wordfence.com/
https://en.wikipedia.org/wiki/Gremlins
Gas station skimmer video - https://www.facebook.com/michellepedraza.journalist/videos/2135141863465247/
https://www.helpnetsecurity.com/2019/04/12/cybersecurity-incident-response-plan/
https://www.guardicore.com/2018/11/security-incident-response-plan/
https://www.zdnet.com/article/security-risks-of-multi-tenancy/
Upcoming SI events: IANS forum (Wash DC), ShowMeCon, webcasts, ISC2 Security Congress (Wash DC)
Outro: Patreon, Slack, Twitter handles, iTunes, Google

Apr 22, 2019 (1h 24m)

2019-014-Tesla fails encryption, Albany and Sammamish ransomware attacks.

Announcements: WorkshopCon training with SpecterOps and Tim Tomes - www.workshopcon.com (Red Team Operations with SpecterOps; PWAPT with Tim Tomes)
Source Boston: Boston, MA 2019 (April 29 - May 3, 2019) https://sourceconference.com/events/boston19/ - Trainings: April 29-30, 2019 | Conference: May 1-3, 2019
Cybernauts CTF meetup in Austin, Texas at the Indeed offices, 23 April at 5pm Central time.
Tesla: https://nakedsecurity.sophos.com/2019/04/02/wrecked-teslas-hang-onto-your-unencrypted-data/
My last car synced the contact list. Video is a different story, but for the safety of the vehicle and owner they'll probably continue to store it. Telemetry data is for changing road conditions, navigation, etc.
Enable encryption at rest… or pop a fuse to scram the data when/if an accident is detected. Level of difficulty: no fuse, requires a hardware upgrade. Encryption at rest, ensuring HTTPS on all incoming/outgoing.
https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/
Annoying "do you want notifications from this site?" Like an annoying RSS feed… 'Hey, we added a new banner ad!'
https://www.phoronix.com/scan.php?page=news_item&px=Linux-Improve-CPU-Spec-Switches
Why add the switches to allow vulnerabilities? Slippery slope: --disable-dirtycow?
https://www.bleepingcomputer.com/ransomware/decryptor/planetary-ransomware-decryptor-gets-your-files-back-for-free/
https://www.wamc.org/post/details-still-few-city-albany-s-ransomware-attack
Threat intelligence and software detections… Got an email… *Story Time from Mr. Boettcher*
Twitter: why do companies not allow copy/paste in password fields?

Apr 15, 2019 (50 min)

2019-013-ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 2

Announcements: SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com
Rob Cheyne, Source Boston - https://sourceconference.com/events/boston19/
Austin Cybernauts meetup - https://www.eventbrite.com/e/cybernauts-ctf-meetup-indeed-tickets-58816141663

SHOW NOTES:
Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.
https://github.com/OWASP/ASVS - the goal "is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard."
#ASVS team: Daniel Cuthbert @dcuthbert, Andrew van der Stock, Jim Manico @manicode, Mark Burnett, Josh C Grossman
ASVS 4.0 (PDF): https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf
ASVS 4.0 (DOCX): https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx
https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing
Old version (3.0.1): https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf
Older BrakeSec episode on ASVS with Bill Sempf: http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3
ASVS page 14: "If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture."
What are the biggest differences between V3 and V4? Why was a change needed?
https://xkcd.com/936/ - famous XKCD password comic
David Cybuck: Appendix C: IoT. Why was this added? Are these controls in addition to all the other ASVS controls?
How do they see section 1 (architecture) and section 14 (configuration) in the context of rapid deployment, infrastructure as code, containerization?
You added IoT, but not ICS or SCADA? https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project
BrakeSec IoT Top 10 discussion: http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3 http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3
Seems incomplete… (Section 1.13 "API") Will this be added later? What is needed to fill that in? (manpower, SMEs, etc.)
3 levels of protection… why have levels at all? Why shouldn't everyone be at Level 3? I just don't like the term 'bare minimum' (level 1) --brbr
Threat modeling blog (Leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
Adam Shostack, Threat Modeling book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf
https://www.youtube.com/watch?v=2C7mNr5WMjA
Cost to get to L2? L3?
https://manicode.com/ - secure coding education
Enterprise Java Rootkits (BH USA 2009 paper): https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf

Apr 7, 2019 (56 min)

2019-012: OWASP ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 1

Show Notes:
SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com
Rob Cheyne, Source Boston - https://sourceconference.com/events/boston19/
Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.
https://github.com/OWASP/ASVS - the goal "is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard."
ASVS team: Daniel Cuthbert @dcuthbert, Andrew van der Stock, Jim Manico @manicode, Mark Burnett, Josh C Grossman
ASVS 4.0 (PDF): https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf
ASVS 4.0 (DOCX): https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx
(Don't post these links in show notes) ASVS list (Google Sheet): https://drive.google.com/open?id=1xFLmvNoR2tohk08cQDLU46FWNgpx28wd ASVS PDF: https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing
Old version (3.0.1): https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf
Older BrakeSec episode on ASVS with Bill Sempf: http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3
ASVS page 14: "If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture."
What are the biggest differences between V3 and V4? Why was a change needed?
https://xkcd.com/936/ - famous XKCD password comic
David Cybuck: Appendix C: IoT. Why was this added? Are these controls in addition to all the other ASVS controls?
How do they see section 1 (architecture) and section 14 (configuration) in the context of rapid deployment, infrastructure as code, containerization?
You added IoT, but not ICS or SCADA? https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project
BrakeSec IoT Top 10 discussion: http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3 http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3
Seems incomplete… (Section 1.13 "API") Will this be added later? What is needed to fill that in? (manpower, SMEs, etc.)
3 levels of protection… why have levels at all? Why shouldn't everyone be at Level 3? I just don't like the term 'bare minimum' (level 1) --brbr
Threat modeling blog (Leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
Adam Shostack, Threat Modeling book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf
https://www.youtube.com/watch?v=2C7mNr5WMjA
Cost to get to L2? L3?
https://manicode.com/ - secure coding education
Enterprise Java Rootkits (BH USA 2009 paper): https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf

Apr 1, 2019 (51 min)

2019-011-part 2 of our interview with Brian "Noid" Harden

Log-MD story
SeaSec East meetup
Gabe (county infosec guy): https://www.sammamish.us/government/departments/information-technology/ransomware-attack-information-hub/
New Slack moderator (@cherokeeJB)
Shoutout to "Jerry G"
Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407 www.Workshopcon.com/events - and we're looking for BlueTeam trainers, please. Any chance you can tag @workshopcon, SpecterOps and lanmaster53 when you post on Twitter and we'll retweet.
Noid - @_noid_ [email protected]
BSides talk (MP3) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Noid_Seattle_Bsides.mp3
Slides (PDF) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Its%20Not%20a%20Bug%20Its%20a%20Feature%20-%20Seattle%20BSides%202019.pdf
Security view was a bit myopic? "What do we win by playing?"
Cultivating relationships (buy lunch, donuts, etc.)
Writing reports: communicating findings that resonate with developers and management. Often pentest reports are seen by various facets of folks, at many levels of competency (incompetent -> super dev/sec).
Communicating risk? Making bugs make sense to everyone…
The three types of power: https://www.manager-tools.com/2018/03/three-types-power-and-one-rule-them-part-1 (yas!)
Transcription (courtesy of otter.ai, and modified for readability by Bryan Brake)

Bryan Brake 0:13
Hello everybody, this is Bryan from Brakeing Down Security. This week you're gonna hear part two of our interview with Noid. We did a lot of interesting discussions with him and it went so well that we needed the second week, so for those of you here just catching this now, Part One was last week, so you can just go back and download that one.
We're going to start leading in with the "one of us" story because one of the one of the slides he talked about was how you know he you know learned how to be one with his dev team and one of the last topics we had was kind of personal to me I do a lot of pentest writing for reports and stuff at my organization "Leviathan" and and you know, we talked about you know What makes a good report how to write reports for all kinds of people, whether it be a manager that you're giving it to, from an engagement for a customer, or, you know, the technical people who might be fixing the bugs that an engagement person might find, or a pen tester might find in this case. So, yeah, we're we're going to go ahead and lead in with that. Before we go though, SpecterOps is looking for people to go to their classes. They're learning adversary tactics and red team Operations Training course in Tysons Corner, Virginia. It's currently $4,000 to us and it's from April 23, April 26 of this year 2019. That doesn't include also airfare and hotel, so you're gonna have to find your way to Tysons Corner the Hyatt Regency there's a link in the show notes of course to the to the class if you'd like to go You'll learn things like designing and deploying sophisticated resilient covert attack infrastructure, gaining initial access footholds on systems using client side attacks, and real world scenarios cutting edge lateral movement methods to move through the enterprise and a bunch of other cool things... so yeah if you're interested in and hooking that up you can you there's still you still got more than a month to sign up for it it looks like there might still be tickets so knock yourselves out they're also looking for blue team people. "Mike P" on our Slack channel, which will tell you about the end of the show here on how to join if you'd like, he said http://www.workshopcon.com/events they're looking for blue team trainers... 
you can hang out with folks like you know, SpecterOps and Tim Tomes (LanMaster53) as well there when you you know we can you sign up for the blue team stuff and yeah http://www.workshopcon.com/events and then you can you know learn to be a blue team trainer or actually give blue team trainin

Mar 24, 2019 (47 min)

2019-010-Zach_Ruble-building_a_better_cheaper_C2_infra

Shout-out to Thomas… tried to meet up while at SEA Comic-Con
Patreon
Log-MD
Hacker's Health - Ms. Roddie is at TROOPERS (Ms. Berlin?)
4 podcasts?
SpecterOps Training / WorkshopCon - https://www.workshopcon.com/events
Zach Ruble - @sendrublez
C2 infra using public web apps
TARCE - Teaching Assistant RCE(?) - they run your code every week, and don't check for backdoors before running it...
C2 basics: local HTTPd server (bash file); Python scrapes the web server
3 components: servers, communication channels, malware and client
3 requirements of a C2: the victim receives commands; the victim executes them; results are sent back
Web server serving a static file. Malware on the machine scrapes the site with python requests and executes the content as commands. Crontab @reboot. State change = change the text field.
https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-britney-spears-instagram-posts-to-control-malware/
https://uwbacm.com/
Long haul/short haul server: long haul - regain persistence; short haul - sends commands to victims
Slack as C2 - blends into the env; send and receive messages using the Real Time Messaging API
https://3xpl01tc0d3r.blogspot.com/2018/06/how-to-use-slack-as-c2-sever.html
https://link.springer.com/chapter/10.1007/978-3-319-27137-8_24
https://glitch.com/
Https://github.com/bkup/SlackShell
Reddit as a C2: "Reddit Rising"
Glitch.com serverless platform
Using Google search results as … Would Google's algorithms see the odd behavior of hundreds of hosts searching for the same thing?
Log file analysis? How can we protect against this?
C2 news (if we go short): https://www.zdnet.com/article/outlaws-shellbot-infects-servers-for-monero-mining
Automating OSINT: https://twitter.com/jms_dot_py http://www.automatingosint.com/blog/
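The "log file analysis?" question above, as an added example (not from the episode or from Zach's tooling): a cron-driven scraper of a static page looks, from the proxy, like one client fetching the same site on a fixed timer, so the coefficient of variation of its request gaps sits near zero, while a human reading the news produces gaps all over the place. The log lines are constructed in a simplified "timestamp client method url status" layout, not real proxy output, and the thresholds are assumptions.

```python
"""Spot beacon-like polling in a web proxy log: one client fetching the same
site at near-constant intervals, which is what a cron-driven scraper of a
static C2 page looks like from the network.  Added example; the log lines
are constructed in a simplified layout, not real proxy output."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed: 10.0.0.23 polls a text file about once a minute; 10.0.0.41 is a
# person browsing a news site with irregular gaps.
SAMPLE_PROXY_LOG = """\
2019-03-18T10:00:00 10.0.0.23 GET https://notes.example.net/status.txt 200
2019-03-18T10:01:00 10.0.0.23 GET https://notes.example.net/status.txt 200
2019-03-18T10:02:01 10.0.0.23 GET https://notes.example.net/status.txt 200
2019-03-18T10:02:59 10.0.0.23 GET https://notes.example.net/status.txt 200
2019-03-18T10:04:00 10.0.0.23 GET https://notes.example.net/status.txt 200
2019-03-18T10:05:00 10.0.0.23 GET https://notes.example.net/status.txt 200
2019-03-18T10:00:07 10.0.0.41 GET https://news.example.org/ 200
2019-03-18T10:00:09 10.0.0.41 GET https://news.example.org/story/1 200
2019-03-18T10:03:40 10.0.0.41 GET https://news.example.org/story/7 200
2019-03-18T10:17:12 10.0.0.41 GET https://news.example.org/ 200
2019-03-18T10:18:02 10.0.0.41 GET https://news.example.org/story/9 200
2019-03-18T10:41:50 10.0.0.41 GET https://news.example.org/ 200
"""


def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        by_pair[(client, urlsplit(url).netloc)].append(datetime.fromisoformat(ts))
    return by_pair


def beacon_score(times):
    """Return (mean gap in seconds, coefficient of variation of the gaps).
    A fixed timer gives a CV near 0; human browsing gives a CV near or above 1."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0, float("inf")  # one request: no interval to judge
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m > 0 else float("inf"))


def find_beacons(by_pair, min_requests=5, max_cv=0.1):
    """List (client, host, mean_gap_seconds, cv) for client/host pairs with at
    least min_requests requests whose gap CV is at most max_cv."""
    hits = []
    for (client, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        m, cv = beacon_score(times)
        if cv <= max_cv:
            hits.append((client, host, round(m), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_PROXY_LOG)):
        print(hit)
```

Two limits worth knowing before wiring this into a SIEM: adding random jitter to the sleep pushes the CV above any sane threshold, and a long-haul server that checks in hours apart needs days of log to accumulate min_requests. For the Slack/Reddit/Glitch variants in the notes, where the destination is a site hundreds of legitimate hosts also use, the timing signal is weaker and the better question is which clients talk to that host at all outside working hours.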

Mar 18, 2019 (1h 12m)

2019-009-Log-MD story, Noid, communicating with Devs and security people-part1

Log-MD story (quick one) (you'll like this one, Mr. Boettcher)
SeaSec East meetup
"Gabe": https://www.sammamish.us/government/departments/information-technology/ransomware-attack-information-hub/
New Slack moderator (@cherokeeJB)
Shoutout to "Jerry G"
Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407 www.Workshopcon.com/events - and we're looking for BlueTeam trainers, please. Any chance you can tag @workshopcon, SpecterOps and lanmaster53 when you post on Twitter and we'll retweet.
Noid - @_noid_ [email protected]
BSides talk (MP3) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Noid_Seattle_Bsides.mp3
Slides (PDF) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Its%20Not%20a%20Bug%20Its%20a%20Feature%20-%20Seattle%20BSides%202019.pdf
Security view was a bit myopic? "What do we win by playing?"
Cultivating relationships (buy lunch, donuts, etc.)
Writing reports: communicating findings that resonate with developers and management. Often pentest reports are seen by various facets of folks, at many levels of competency (incompetent -> super dev/sec).
Communicating risk? Making bugs make sense to everyone…
The three types of power: https://www.manager-tools.com/2018/03/three-types-power-and-one-rule-them-part-1

Mar 12, 2019 (51 min)