
BrakeSec Education Podcast
463 episodes — Page 5 of 10
2019-008: Windows retpoline patches, PSRemoting, UnderTheWire, Thunderclap vuln
BrakeingDownIR show #10 - GrumpySec appearance?

Windows retpoline patches:
https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887
https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Mitigating-Spectre-variant-2-with-Retpoline-on-Windows/ba-p/295618
https://blogs.technet.microsoft.com/srd/2018/03/15/mitigating-speculative-execution-side-channel-hardware-vulnerabilities/
"Microsoft has added support for the /Qspectre flag to Visual C++ which currently enables some narrow compile-time static analysis to identify at-risk code sequences related to CVE-2017-5753 and insert speculation barrier instructions. This flag has been used to rebuild at-risk code in Windows and was released with our January 2018 security updates. It is important to note, however, that the Visual C++ compiler cannot guarantee complete coverage for CVE-2017-5753 which means instances of this vulnerability may still exist."
Retpoline = "Return Trampoline": "That's because when using return operations, any associated speculative execution will 'bounce' endlessly."
https://www.tomshardware.com/news/retpoline-patch-spectre-windows-10,37958.html

Cool site (from Andrei, long-time podcast supporter): UndertheWire.tech - PowerShell wargame

PSRemoting:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-6
https://www.howtogeek.com/117192/how-to-run-powershell-commands-on-remote-computers/
https://blogs.technet.microsoft.com/askperf/2012/02/17/useful-wmic-queries/
Caveats:
- The network connection you're on must be set to "private", not "public"
- The WinRM service has to be enabled on both the local and remote hosts (at least, I think so --brbr)

https://www.engadget.com/2019/02/27/dow-jones-watchlist-leaked/
http://time.com/5349896/23andme-glaxo-smith-kline/
Thunderclap: http://thunderclap.io/
https://int3.cc/products/facedancer21 - Facedancer21 (USB)

Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel!
Send a request to @brakesec on Twitter or email [email protected] #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
2019-007: BSides Seattle recap, new phishing vector, kernel use-after-free vuln
BSides Seattle recap (Bryan)

New phishing technique to bypass email URL filters:
https://www.helpnetsecurity.com/2019/02/20/phishers-new-trick-for-bypassing-email-url-filters/
https://en.wikipedia.org/wiki/Office_Open_XML_file_formats#Relationships

Use-after-free in the Linux kernel (CVE-2019-8912):
https://securityboulevard.com/2019/02/linux-use-after-free-vulnerability-found-in-linux-2-6-through-4-20-11/
https://www.webopedia.com/TERM/U/use-after-free.html
https://cwe.mitre.org/data/definitions/416.html
https://www.acodersjourney.com/top-20-c-pointer-mistakes/
https://www.kernel.org/doc/html/v4.14/dev-tools/kasan.html
https://nvd.nist.gov/vuln/detail/CVE-2019-8912
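The phishing trick linked above turns on how Office Open XML stores hyperlinks: the document body (word/document.xml) references a relationship id, and the separate rels part (word/_rels/document.xml.rels) maps that id to the actual URL. A filter that extracts URLs only from the rels part never sees a link the body carries some other way. The following is an added example, not code from the episode or from the linked article: it cross-checks the two parts and reports relationship ids the body uses but the rels part does not declare, plus URLs embedded directly in HYPERLINK field codes. The .docx it builds in memory is constructed for the demo, and the URLs in it are placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces for WordprocessingML bodies and package relationships.
NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# Field-code hyperlinks: Word also stores  HYPERLINK "http://..."  inside w:instrText.
FIELD_RE = re.compile(r'HYPERLINK\s+"([^"]+)"', re.IGNORECASE)


def rels_hyperlinks(zf: zipfile.ZipFile) -> dict:
    """Map relationship Id -> Target for external hyperlink relationships in
    word/_rels/document.xml.rels (the part a rels-only URL filter reads)."""
    try:
        root = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
    except KeyError:
        return {}                      # no rels part at all
    return {
        rel.get("Id"): rel.get("Target")
        for rel in root.findall("rel:Relationship", NS)
        if rel.get("Type") == HYPERLINK_TYPE
    }


def body_links(zf: zipfile.ZipFile):
    """Return (relationship ids referenced by w:hyperlink elements,
    URLs embedded in HYPERLINK field codes) from word/document.xml."""
    root = ET.fromstring(zf.read("word/document.xml"))
    ids = [h.get(f"{{{NS['r']}}}id") for h in root.iter(f"{{{NS['w']}}}hyperlink")]
    field_text = " ".join(t.text or "" for t in root.iter(f"{{{NS['w']}}}instrText"))
    return [i for i in ids if i], FIELD_RE.findall(field_text)


def audit_docx(data: bytes) -> dict:
    """Compare what the body references with what the rels part declares.
    'dangling_ids' and 'field_urls' are links a rels-only parser never sees."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        rels = rels_hyperlinks(zf)
        ids, field_urls = body_links(zf)
    return {
        "rels_urls": sorted(set(rels.values())),
        "dangling_ids": sorted(i for i in ids if i not in rels),
        "field_urls": sorted(set(field_urls)),
    }


def build_sample(with_rels_entry: bool) -> bytes:
    """Constructed minimal .docx (sample data, not a real phishing document):
    one w:hyperlink using rId1 and one HYPERLINK field code. With
    with_rels_entry=False the rels part omits rId1, so a filter that only
    reads the rels part sees no URL at all."""
    rel = (f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" '
           f'Target="https://example.com/ok" TargetMode="External"/>') if with_rels_entry else ""
    rels_xml = f'<Relationships xmlns="{NS["rel"]}">{rel}</Relationships>'
    doc_xml = (
        f'<w:document xmlns:w="{NS["w"]}" xmlns:r="{NS["r"]}"><w:body>'
        '<w:p><w:hyperlink r:id="rId1"><w:r><w:t>click here</w:t></w:r></w:hyperlink></w:p>'
        '<w:p><w:r><w:instrText> HYPERLINK "http://phish.example/login" </w:instrText></w:r></w:p>'
        '</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("rels entry present" if flag else "rels entry missing ", audit_docx(build_sample(flag)))
```

The practical lesson for anyone writing or buying a mail filter: extract URLs from every place the renderer will look (body hyperlinks, field codes, the rels parts of every story part, not just the main document), and treat a body reference with no matching relationship as suspicious rather than as "no link".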
2019-006: CSRF, XSS, infosec hypocrites, and the endless cycle
https://www.zdnet.com/article/google-working-on-new-chrome-security-feature-to-obliterate-dom-xss/
https://www.owasp.org/index.php/DOM_Based_XSS
CSRF - the confused deputy problem: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Google Cloud Platform - tips, tricks, and stuff Ms. Berlin learned
Layer 8 conference - Rhode Island
"I was wrong... cycles don't sync" --Ms. Berlin https://health.clevelandclinic.org/myth-truth-period-really-sync-close-friends/
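CSRF is the confused-deputy problem with the browser as the deputy: it attaches the victim's session cookie to whatever request a page asks it to send, so a handler that authenticates on the cookie alone cannot tell the victim's click from a form auto-submitted by attacker.example. The following is an added example, not code from the episode or from OWASP: the vulnerable handler beside a hardened one that requires a session-bound synchronizer token and a same-site Origin. SITE_ORIGIN, SERVER_KEY, the Request class and the two sample requests are assumptions constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SITE_ORIGIN = "https://app.example"     # assumed origin of the protected app
SERVER_KEY = b"constructed-demo-key"    # assumption: a random per-deployment secret in practice
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Just the parts of an HTTP request the CSRF decision needs."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_token(session_id: str) -> str:
    """Synchronizer token bound to the session: an attacker's page cannot read
    it (same-origin policy) and cannot mint it without SERVER_KEY."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_transfer(req: Request) -> str:
    """Before: the deputy (the browser) attached the victim's cookie, and that
    is all this handler checks."""
    if "session" not in req.cookies:
        return "denied: no session"
    return "transferred"


def hardened_transfer(req: Request) -> str:
    """After: no state change over safe methods, same-site Origin (falling
    back to Referer), and a token that matches this session."""
    sid = req.cookies.get("session")
    if sid is None:
        return "denied: no session"
    if req.method in SAFE_METHODS:
        return "denied: state change over safe method"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return "denied: cross-site origin"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_token(sid)):
        return "denied: bad token"
    return "transferred"


def forged_request() -> Request:
    """Constructed: what arrives when a logged-in victim visits attacker.example.
    The browser adds the cookie; the attacker controls method, form and URL,
    but not the Origin header and not the token."""
    return Request("POST", {"Origin": "https://attacker.example"},
                   {"session": "sess-victim"}, {"to": "attacker", "amount": "100"})


def legit_request() -> Request:
    """Constructed: the victim's own form submission, token included."""
    return Request("POST", {"Origin": SITE_ORIGIN}, {"session": "sess-victim"},
                   {"to": "alice", "amount": "5", "csrf_token": issue_token("sess-victim")})


if __name__ == "__main__":
    print("vulnerable, forged :", vulnerable_transfer(forged_request()))
    print("hardened,   forged :", hardened_transfer(forged_request()))
    print("hardened,   legit  :", hardened_transfer(legit_request()))
```

Setting the session cookie with SameSite=Lax or Strict is a complementary browser-side defense, since the deputy then stops attaching the cookie to cross-site POSTs in the first place; the token check still matters for older clients and for any path where the cookie attribute is not honored.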
2019-005: Security Researcher attack, disabling SPECTER, and Systemd discussion
SpecterOps class: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-boston-june-2019-tickets-54970050902

Security researcher assaulted by a vendor after disclosure:
https://www.secjuice.com/security-researcher-assaulted-ice-atrient/
https://www.csoonline.com/article/3338112/security/vendor-allegedly-assaults-security-researcher-who-disclosed-massive-vulnerability.html
Tweet of the application teardown: https://twitter.com/duniel_pls/status/1093565709630824448

Disabling Spectre mitigations:
https://www.zdnet.com/article/linux-kernel-gets-another-option-to-disable-spectre-mitigations/
https://liliputing.com/2019/02/mozillas-project-fission-brings-site-isolation-to-firefox-spectre-and-meltdown-protection.html

Exploiting systemd/journald: https://capsule8.com/blog/exploiting-systemd-journald-part-1/
Segue from systemd/journald into systemd itself:
- "Super daemon for all daemons"; replaced things like sysvinit, rc.d, and even inetd
- Written by Lennart Poettering and Kay Sievers
- systemd runs as PID 1
- Configured using only text files: .service, .device, .swap, .timer (for a timer, a .service file of the same name must exist)
- "Transient timers can be created" - https://wiki.archlinux.org/index.php/Systemd/Timers
- Example timer unit:

    /etc/systemd/system/foo.timer
    [Unit]
    Description=Run foo weekly and on boot

    [Timer]
    OnBootSec=15min
    OnUnitActiveSec=1w

    [Install]
    WantedBy=timers.target

- Logs (journald) are in a binary format
- Cgroups (control groups): isolate resource usage (CPU, memory, disk I/O, network, etc.) of processes bound by the same criteria; used in a lot of places (Hadoop, k8s, Docker, LXC)

http://without-systemd.org/wiki/index.php/Arguments_against_systemd
https://www.freedesktop.org/wiki/Software/systemd/TipsAndTricks/
https://lwn.net/SubscriberLink/777595/a71362cc65b1c271/
http://0pointer.de/blog/projects/systemd.html
https://en.wikipedia.org/wiki/Systemd
2019-004: ShmooCon and BSides Leeds discussion, FaceTime bug (with update), a town for ransom
FaceTime bug update: https://www.cnbc.com/2019/02/01/apple-facetime-bug-fix-and-apology.html
ShmooCon discussion
BSides Leeds discussion - @largeCardinal @bsidesLeeds
https://www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-47028244
https://www.theverge.com/2019/1/27/18195630/gdpr-right-of-access-data-download-facebook-google-amazon-apple
https://www.theverge.com/2019/1/25/18198006/uber-jump-electric-scooter-austin-teen-arrested-bank-robbery-police
https://www.cnbc.com/2019/01/28/apple-facetime-bug-lets-you-listen-even-if-someone-doesnt-answer.html
https://www.news5cleveland.com/news/local-news/oh-cuyahoga/trio-of-current-and-former-officials-indicted-in-cuyahoga-county-corruption-probe
https://www.theverge.com/2018/12/28/18159110/centurylink-internet-911-outage-fcc-investigating
2019-003-Liz Rice, creating processes to shift security farther left in DevOps
BIO: Liz Rice is the Technology Evangelist with container security specialists Aqua Security, where she also works on container-related open source projects including kube-hunter and kube-bench. She was Co-Chair of the CNCF's KubeCon + CloudNativeCon 2018 events in Copenhagen, Shanghai and Seattle, and co-author of the O'Reilly Kubernetes Security book. She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not building startups and writing code, Liz loves riding bikes in places with better weather than her native London.

Liz Rice (@lizrice on Twitter) - https://www.lizrice.com/
https://medium.com/@lizrice/non-privileged-containers-based-on-the-scratch-image-a80105d6d341
https://www.forbes.com/sites/adrianbridgwater/2018/07/23/shift-happens-why-your-software-needs-to-shift-left/#41aac6047f8c
https://www.cloudops.com/2018/10/takeaways-from-liz-rice-pop-up-meetup-on-container-security/
https://thenewstack.io/cloud-native-security-patching-with-devops-best-practices/
https://changelog.com/gotime/56 - podcast with Liz
https://kubernetes-security.info - co-author of the O'Reilly Kubernetes Security book
https://www.slideshare.net/Docker/dont-have-a-meltdown - Liz Rice/Justin Cormack slides
https://www.bbc.com/news/technology-41753022 - NHS ransomware issue in 2017
https://docs.docker.com/config/containers/container-networking/ - Docker port mapping
https://techbeacon.com/9-practical-steps-secure-your-container-deployment

Discussion questions:
- If security needs to "shift left", what can devs do to accommodate the change? Everyone will have to make adjustments, not just security... right?
- Reverse uptime... forgotten data?
- Test-driven development
- Why do we need security as far left? "We don't patch, we just push a fix." "We'll fix it in production..." Or we pump more resources in to overcome perf issues.
- Is there time for code reviews? "We don't need change management..."
- https://testssl.sh - @drwetter
- Automation: how does that solve security issues?
- Do microservices solve everything? What don't they solve?
- What does security need to embrace to make the shift less painful? What does development need to embrace to make the shift less painful? Cause security wants to get in there...
- There are already DevSecOps processes a-plenty, and many ... Why aren't companies adopting them? Maturity? Lack of resources?
- Negligent devs - how can you ignore the news of breaches?
- Setting goals: "Start small" - what's an example of a small goal?
2019-002-part 2 of the OWASP IoT Top 10 with Aaron Guzman
Intro: CFP for BSides Barcelona is open! https://bsides.barcelona

Aaron Guzman: @scriptingxss
https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive
https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html
OWASP Slack: https://owasp.slack.com/
https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg

Team of 10 or so... list of "do's and don'ts"
Sub-projects? Embedded systems, car hacking. Embedded applications best practices? *potential show*
Standards: https://xkcd.com/927/
CCPA: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327

How did you decide on the initial criteria? The 2018 list:
I1 Weak, Guessable, or Hardcoded Passwords
I2 Insecure Network Services
I3 Insecure Ecosystem Interfaces
I4 Lack of Secure Update Mechanism
I5 Use of Insecure or Outdated Components
I6 Insufficient Privacy Mechanisms
I7 Insecure Data Transfer and Storage
I8 Lack of Device Management
I9 Insecure Default Settings
I10 Lack of Physical Hardening

2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)
I1 Insecure Web Interface
I2 Insufficient Authentication/Authorization
I3 Insecure Network Services
I4 Lack of Transport Encryption
I5 Privacy Concerns
I6 Insecure Cloud Interface
I7 Insecure Mobile Interface
I8 Insufficient Security Configurability
I9 Insecure Software/Firmware
I10 Poor Physical Security

BrakeSec episode on ASVS: http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3
What didn't make the list?
How do we get devs on board with these?
How does someone interested get involved with the OWASP IoT working group?

Further reading:
https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf
https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf
https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf
https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices
https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf
2019-001: OWASP IoT Top 10 discussion with Aaron Guzman
(Show notes for part 1 are identical to those listed under 2019-002, part 2, above.)
2018-045: end of the year podcast!
Join the combined forces of Jerry Bell (@maliciousLink) from the Defensive Security Podcast (https://defensivesecurity.org/), Bill Gardner from the "RebootIt!" podcast (https://itunes.apple.com/us/podcast/reboot-it/id1256466198?mt=2), Ms. Berlin, and Bryan Brake for the end-of-the-year podcast!
BrakeSec Podcast = www.brakeingsecurity.com
RSS: https://www.brakeingsecurity.com/rss
2018-044: Mike Samuels discusses NodeJS hardening initiatives
Mike Samuels: https://twitter.com/mvsamuel
https://github.com/mikesamuel/attack-review-testbed
https://nodejs-security-wg.slack.com/

Hardening NodeJS - speaking engagement talks:
- A Node.js Security Roadmap at JSConf.eu - https://www.youtube.com/watch?v=1Gun2lRb5Gw
- Improving Security by Improving the Framework @ Node Summit - https://vimeo.com/287516009
- Achieving Secure Software through Redesign at Nordic.js - https://www.facebook.com/nordicjs/videos/232944327398936/?t=1781

What is a package? (holy hell, why is this so complicated?) Per the npm docs, a package is any of:
a) a folder containing a program described by a package.json file
b) a gzipped tarball containing (a)
c) a url that resolves to (b)
d) a <name>@<version> that is published on the registry with (c)
e) a <name>@<tag> that points to (d)
f) a <name> that has a "latest" tag satisfying (e)
g) a git url that, when cloned, results in (a)

https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4
https://blog.risingstack.com/node-js-security-checklist/
https://www.npmjs.com/package/trusted-types
https://github.com/WICG/trusted-types/issues/31
2018-043: Adam Baldwin, npm Director of Security, event-stream post-mortem, and making your package system more secure
Adam Baldwin (@adam_baldwin), Director of Security, npm
https://foundation.nodejs.org/
https://spring.io/understanding/javascript-package-managers

Role in the NodeJS project:
- Advisory? Active role? Maintain security modules?
- Are there any requirements to being a dev? Are there different roles in the NodeJS environment?
- Is there any review of system-sensitive packages? (or has that ship sailed...)

Discussion of the timeline from the NodeJS security team:
- When were you notified? (or were you notified at all?)
- What steps were taken to fix the issue?
- Lessons learned?

Official npm security policy: https://www.npmjs.com/policies/security (good stuff!)
Event-stream (initial bug report): https://github.com/dominictarr/event-stream/issues/116
Only affected bitcoin wallets from 'Copay': https://nakedsecurity.sophos.com/2018/11/28/javascript-library-used-for-sneak-attack-on-copay-bitcoin-wallet/
"Cue relief, mixed with frustration, for anyone not targeted. Developer Chris Northwood wrote: We've wiped our brows as we've got away with it, we didn't have malicious code running on our dev machines, our CI servers, or in prod. This time."
https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4
"The damage this could have caused is incredible to think about. The projects that depend on this aren't trivial either, Microsoft's original Azure CLI depends on event-stream! Think of the systems that either develop that tool or run that tool. Each one of those potentially had this malicious code installed."
https://thehackernews.com/2018/11/nodejs-event-stream-module.html
"The malicious code detected earlier this week was added to Event-Stream version 3.3.6, published on September 9 via NPM repository, and had since been downloaded by nearly 8 million application programmers."
https://www.analyticsvidhya.com/blog/2018/07/using-power-deep-learning-cyber-security/
Hacker News (with comments): https://news.ycombinator.com/item?id=18534392
Official npm blog post: https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
https://blog.npmjs.org/post/175824896885/incident-report-npm-inc-operations-incident-of
https://resources.whitesourcesoftware.com/blog-whitesource/top-5-open-source-security-vulnerabilities-november-2018
2017 package/user stats: https://www.linux.com/news/event/Nodejs/2016/state-union-npm
According to npmjs.org: over 800,000 packages (854,000 packages, 7 million+ individual versions)
Dependency hell in NodeJS: https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/
"Roughly 76% of Node shops use vulnerable packages, some of which are extremely severe; and open source projects regularly grow stale, neglecting to fix security flaws."

History of NodeJS security issues:
- ESLint: https://nodesource.com/blog/a-high-level-post-mortem-of-the-eslint-scope-security-incident/
- Left-pad: https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

Questions:
- How to ensure this type of issue doesn't happen again? (or is that possible, considering the ecosystem?)
- What can devs, blue teams, or companies that live and die by NodeJS do to increase security, or assist in making the npm security team's job easier?
- What is the responsibility of consumers of open source?
- What can be done to ensure vetting for 'important' packages?
- Can someone manage maintainer turnover? (or has that ship sailed?)
- Threat assessment, or 'what could go wrong in the future'? Bad code, "trust issues", repo corruption, hijacked packages

Security scanners:
https://geekflare.com/nodejs-security-scanner/
https://techbeacon.com/13-tools-checking-security-risk-open-source-dependencies-0

Keep up to date on NodeJS security issues: https://nodejs.org/en/security/ and https://groups.google.com/forum/#!forum/nodejs-sec
^ this is great for Node itself, but if you want to stay up to date with security advisories in the ecosystem: npmjs.com/advisories or @npmjs on Twitter
https://rubysec.com/ - Ruby security group
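The questions above ask what consumers of the ecosystem can do. One concrete answer is to check the lockfile you actually install from, not just package.json, because a bad release usually arrives as a transitive dependency. The following is an added example, not code from the episode, from npm, or from any of the scanners linked above: it walks a package-lock.json (both the nested lockfileVersion 1 layout and the flat "packages" layout of v2/v3) and reports every resolved version on a block list, with the dependency path that dragged it in. The advisory list is constructed for the demo from the event-stream 3.3.6 version quoted above plus flatmap-stream 0.1.1, the dependency that the npm incident post linked above identifies as carrying the payload; the two lockfiles are constructed and do not describe real projects.

```python
import json

# Constructed advisory list: exact versions to refuse. event-stream 3.3.6 is the
# version quoted above; flatmap-stream 0.1.1 is the dependency that carried the
# payload (per the npm incident post linked above).
BAD_VERSIONS = {"event-stream": {"3.3.6"}, "flatmap-stream": {"0.1.1"}}


def walk_lockfile(lock: dict):
    """Yield (path, name, version) for every installed package, including
    transitive ones. lockfileVersion 1 nests 'dependencies'; v2/v3 keep a flat
    'packages' map keyed by the node_modules path."""
    if "packages" in lock:
        for key, meta in lock["packages"].items():
            if not key:
                continue                          # "" is the root project itself
            parts = tuple(p.strip("/") for p in key.split("node_modules/") if p.strip("/"))
            yield parts, parts[-1], meta.get("version", "")
    else:
        def rec(deps, path):
            for name, meta in deps.items():
                here = path + (name,)
                yield here, name, meta.get("version", "")
                yield from rec(meta.get("dependencies", {}), here)
        yield from rec(lock.get("dependencies", {}), ())


def find_bad(lock: dict) -> list:
    """Every package whose exact resolved version is on the list, with the
    dependency path so you know which top-level dependency pulled it in."""
    return [
        {"name": name, "version": version, "path": " > ".join(path)}
        for path, name, version in walk_lockfile(lock)
        if version in BAD_VERSIONS.get(name, ())
    ]


# Constructed lockfiles (not real projects). v1: the pinned event-stream 3.3.6
# pulls in flatmap-stream 0.1.1. v2: a nested copy pinned at the bad version.
SAMPLE_LOCK_V1 = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 1,
  "dependencies": {
    "event-stream": {"version": "3.3.6",
                     "dependencies": {"flatmap-stream": {"version": "0.1.1"}}},
    "left-pad": {"version": "1.3.0"}
  }
}
""")

SAMPLE_LOCK_V2 = {
    "name": "demo-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/event-stream": {"version": "3.3.5"},
        "node_modules/event-stream/node_modules/flatmap-stream": {"version": "0.1.1"},
        "node_modules/@scope/pkg": {"version": "2.0.0"},
    },
}

if __name__ == "__main__":
    for label, lock in (("v1", SAMPLE_LOCK_V1), ("v2", SAMPLE_LOCK_V2)):
        print(label, find_bad(lock))
```

To run it against a real project, load package-lock.json with json.load and pass the dict to find_bad. npm's own `npm audit` does the same comparison against the registry's advisory database, and `npm ci` installs exactly what the lockfile says, which is what makes the lockfile the right artifact to check and to review in pull requests.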
2018-042: Election security processes in the state of Ohio
Where in the world is Ms. Amanda Berlin? Keynoting HackerConWV.

Election security, Cuyahoga County
Intro: Jeremy Mio (@cyborg00101) - Name? Why are you here?
Discussing how Ohio does election operations. Walk through the process: pre-election, election night, post-election.
All about the C.I.A. triad:
- Votes must be confidential
- Votes must not be compromised (integrity)
- Voting should be available and without outage
Did a tabletop exercise with all counties in Ohio (impressive!): gamified, using role reversal; points-based system; different technology has different point values.
Physical security / chain of custody; retention
EI-ISAC - Elections Infrastructure ISAC
https://www.cisecurity.org/services/albert/ - Albert system
https://www.cisecurity.org/best-practices-part-1/ - election security best practices
How does the Ohio election process stack up against other states?
Media perception in elections - hacking and threats. 11-year-olds 'hacking election': yes, good for a news article title; goes to show how easy it is to actually hack systems. Train someone on SQLi, pwn the things.
Election security operations and preparation: technology types, ballot booths, mail-in ballots
Securing election infra: what can be done to make it more secure?
2018-041: part 2 of Kubernetes security insights w/ Ian Coldwater
@IanColdwater - https://www.redteamsecure.com/ *new gig*
So many different moving parts: plugins, code, hardware
She's working on her speaking schedule for 2019
How would I use these at home? https://kubernetes.io/docs/setup/minikube/
Kubernetes: Up and Running - https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677
General Wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes
https://twitter.com/alicegoldfuss - Alice Goldfuss
DerbyCon talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater
Tesla mis-configured Kubernetes env (from the talk): https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/
RedLock report mentioned in the Ars article: https://redlock.io/blog/cryptojacking-tesla
Set up your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)
Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
https://github.com/aquasecurity/kube-hunter

Threat model:
- What are you protecting?
- Who are you protecting it from?
- What are your adversary's capabilities?
- What are your capabilities?
- Defenders think in lists; attackers think in graphs

What are some of the visible ports used in K8s?
- 44134/tcp - Helm Tiller, Weave, Calico
- 10250/tcp - kubelet API (the kubelet exploit: no authN, completely open)
- 10255/tcp - kubelet read-only port
- 4194/tcp - cAdvisor
- 2379/tcp - etcd (etcd holds all the configs - config storage)

Engineering workflow: ephemeral
CVE for the K8s subpath volume bug: https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/

Final points:
- Advice for securing K8s is standard security advice
- Use defense in depth and least privilege
- Be aware of your attack surface
- Keep your threat model in mind

David Cybuck (questions from the Slack channel):
1. Talk telemetry? What is the best first step for having my containers or Kubernetes report information? (my overlords want metrics dashboards which lead to useful metrics)
2. How do you threat model your containers?
3. Has she ever run, or how would she begin to run, a tabletop exercise (a cross between a threat model and a disaster recovery walkthrough) for the container infrastructure?
4. MITRE ATT&CK framework: there is a spin-off for mobile. Do we need one for Kube, Swarm, or DC/OS?
2018-040- Jarrod Frates discusses pentest processes
Jarrod Frates, InGuardians, @jarrodfrates
"Skittering Through Networks"
Ms. Berlin in Germany - how'd it go?
TinkerSec's story: https://threadreaderapp.com/thread/1063423110513418240.html
Takeaways
Blue Team:
- Least Privilege Model
- Least Access Model: "limited remote access to only a small number of IT personnel"; "This user didn't need Citrix, so her Citrix linked to NOTHING"; "They limited access EVEN TO LOCAL ADMINS!"
- Multi-Factor Authentication
- Simple Anomaly Rule Fires: "Finance doesn't use Powershell"
- Defense in Depth: "moving from passwords to pass phrases…"
- "Improper disposal of information assets"
Red Team:
- Keep Trying
- Never Assume
- Bring In Help
- Luck Favors the Prepared
- Adapt and Overcome
Before the Test
Talk it over with stakeholders: reasons, goals, schedules
The report is the product: get samples (who, what, when, where, why, how)
Talk to testers (and clients, if you can find them): ask questions; look for past defensive experience and understanding of your needs; bonus points if they interview you as a client
Red flags: pwning is all they talk about, they set no-crash guarantees, they send info in the clear
Define the scope: test type(s), inclusions, exclusions, permissions, accounts
Test in test/dev, NOT PROD
Social Engineering: DO THIS. Yes, you're vulnerable. DO IT ANYWAY.
During the Test
Comms: keep in contact with the testers; status reports (if the engagement is long enough); have an established method for escalation; have an open communication style --brbr (WeBrBrs)
Ask questions, but let the testers do their jobs
Be available and ready to address critical events
Keep critical stakeholders informed
Watch your network: things break, someone else may be getting in, capture packets(?)
After the Test
Getting results: report delivered securely; initial summary: how far did they get?
Actual report: written for multiple levels, no obvious copy/paste; read it, understand it, provide feedback, and get a revised version
Next steps: don't blame anyone unnecessarily; start planning fixes with stakeholders; contact vendors, educate staff
Reacting to the report
Sabotaging your test
Future testing
Ms. Berlin's legit business - Mental Health Hackers
CFP for BSides Seattle (deadline: 26 November 2018): http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019
CFP for BSidesNash (closes Dec 31): https://twitter.com/bsidesnash/status/1063084215749787649
Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March.
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
2018-039-Ian Coldwater, kubernetes, container security
Ian Coldwater - @IanColdwater
https://www.redteamsecure.com/ *new gig*
So many different moving parts: plugins, code, hardware
She's working on her speaking schedule for 2019
How would I use these at home?
https://kubernetes.io/docs/setup/minikube/
Kubernetes: Up and Running - https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677
General Wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes
https://twitter.com/alicegoldfuss - Alice Goldfuss
Derbycon talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater
Tesla mis-configured Kubes env (from the talk): https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/
Redlock report mentioned in the Ars article: https://redlock.io/blog/cryptojacking-tesla
Set up your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)
Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
https://github.com/aquasecurity/kube-hunter
Threat model:
- What are you protecting?
- Who are you protecting it from?
- What are your adversary's capabilities?
- What are your capabilities?
- Defenders think in lists; attackers think in graphs
What are some of the visible ports used in K8s?
- 44134/tcp - Helm Tiller, Weave, Calico
- 10250/tcp - kubelet (kubelet exploit); no authN, completely open
- 10255/tcp - kubelet port (read-only)
- 4194/tcp - cAdvisor
- 2379/tcp - etcd (etcd holds all the configs; config storage)
Engineering workflow: ephemeral
CVE for K8s subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/
Final points:
- Advice for securing K8s is standard security advice
- Use defense in depth and least privilege
- Be aware of your attack surface
- Keep your threat model in mind
David Cybuck (questions from the Slack channel). My questions are:
1. Talk telemetry? What is the best first step for having my containers or Kubernetes report information? (My overlords want metrics dashboards which lead to useful metrics.)
2. How do you threat model your containers?
3. Has she ever run, or how would she begin to run, a table-top exercise (a cross between a threat model and a disaster recovery walk-through) for the container infrastructure?
4. Mitre ATT&CK framework: there is a spin-off for mobile. Do we need one for Kube, Swarm, or DC/OS?
2018-038-InfosecSherpa, security culture
@InfoSecSherpa
I have two talks coming up:
- Empathy as a Service to Create a Culture of Security, at the Cofense Submerge conference
- Deep Dive into Social Media as an OSINT Tool, at the H-ISAC Fall Summit (Health Information Sharing and Analysis Center)
*Shameless Plug* My Nuzzel newsletters: https://nuzzel.com/InfoSecSherpa and https://nuzzel.com/InfoSecSherpa/cybersecurity-africa
News stories:
- Biglaw Firm Hit With Cybersecurity Incident Earlier This Month (Published: 29 October 2018 | Source: Above the Law)
- https://www.cio.com/article/3212829/cyber-attacks-espionage/hackers-are-aggressively-targeting-law-firms-data.html
- Porn-Watching Employee Infected Government Networks With Russian Malware, IG Says (Published: 25 October 2018 | Source: Next Gov)
2018-037-iWatch saves man's life, Alexa detects your mood, and post-derby discussion
Health & Tech?
https://arstechnica.com/gadgets/2018/10/amazon-patents-alexa-tech-to-tell-if-youre-sick-depressed-and-sell-you-meds/
https://hackaday.io/project/151388-minder (774 results for "health" on hackaday)
(def don't need to talk about, but still funny AF) https://hackaday.io/project/11407-myflow
https://9to5mac.com/2017/12/15/apple-watch-saves-life-managing-heart-attack/
https://www.adheretech.com/
Privacy implications?
Microsoft healthcare initiative - https://enterprise.microsoft.com/en-us/industries/health/
Apple Health - https://www.apple.com/ios/health/ - https://www.apple.com/researchkit/
https://www.papercall.io/dachfest18
Make plans for next year! Follow @derbycon on Twitter!
2018-036-Derbycon 2018 Audio with Cheryl Biswas and Tomasz Tuzel
Derbycon is probably one of the best infosec conferences of the calendar year. The podcast always has so much fun meeting listeners, meeting new people, and getting some audio to share with folks who can't be there. This year, we still got some audio, and it's great.
We talked with Cheryl Biswas (@3ncr1pt3d) about her talks at #Derbycon and her work with the #dianaInitiative. Check out her talks at the links on @irongeek's website...
Cheryl's Track talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-1-05-draw-a-bigger-circle-infosec-evolves-cheryl-biswas
Cheryl's Stable talk: http://www.irongeek.com/i.php?page=videos/derbycon8/stable-29-patching-show-me-where-it-hurts-cheryl-biswas
I saw Tomasz near the @log-md booth; it was his first Derbycon, and I was interested in hearing what he had to say about hypervisor introspection...
Tomasz Tuzel: http://www.irongeek.com/i.php?page=videos/derbycon8/track-4-18-who-watches-the-watcher-detecting-hypervisor-introspection-from-unprivileged-guests-tomasz-tuzel
Make plans for next year! Follow @derbycon on Twitter!
2018-035-software bloat is forever; malicious file extensions; WMIC abuses
Pizza Party Link - https://www.eventbrite.com/e/brakesec-derbycon-pizza-meetup-tickets-50719385046
News stories:
Software/library bloat:
http://tonsky.me/blog/disenchantment/
https://hackernoon.com/how-it-feels-to-learn-javascript-in-2016-d3a717dd577f
https://gbhackers.com/hackers-abusing-windows-management-interface-command-tool-to-deliver-malware-that-steal-email-account-passwords/
https://hackerhurricane.blogspot.com/2016/09/avoiding-ransomware-with-built-in-basic.html
https://www.zdnet.com/article/windows-utility-used-by-malware-in-new-information-theft-campaigns/
https://attack.mitre.org/wiki/Technique/T1170 - HTA file malware examples
https://nakedsecurity.sophos.com/2018/09/26/finally-a-fix-for-the-encrypted-webs-achilles-heel/
https://www.bbc.com/news/technology-45686890 - (Facebook account hack)
https://github.com/eset/malware-ioc/blob/master/sednit/lojax.adoc - IOCs from various malware
UEFI rootkit - https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/
Block These Extensions:
File Extension - File Type
.adp - Access Project (Microsoft)
.app - Executable Application
.asp - Active Server Page
.bas - BASIC Source Code
.bat - Batch Processing
.cer - Internet Security Certificate File
.chm - Compiled HTML Help
.cmd - DOS CP/M Command File, Command File for Windows NT
.cnt - Help file index
.com - Command
.cpl - Windows Control Panel Extension (Microsoft)
.crt - Certificate File
.csh - csh Script
.der - DER Encoded X509 Certificate File
.exe - Executable File
.fxp - FoxPro Compiled Source (Microsoft)
.gadget - Windows Vista gadget
.hlp - Windows Help File
.hpj - Project file used to create Windows Help File
.hta - Hypertext Application
.inf - Information or Setup File
.ins - IIS Internet Communications Settings (Microsoft)
.isp - IIS Internet Service Provider Settings (Microsoft)
.its - Internet Document Set, Internet Translation
.js - JavaScript Source Code
.jse - JScript Encoded Script File
.ksh - UNIX Shell Script
.lnk - Windows Shortcut File
.mad - Access Module Shortcut (Microsoft)
.maf - Access (Microsoft)
.mag - Access Diagram Shortcut (Microsoft)
.mam - Access Macro Shortcut (Microsoft)
.maq - Access Query Shortcut (Microsoft)
.mar - Access Report Shortcut (Microsoft)
.mas - Access Stored Procedures (Microsoft)
.mat - Access Table Shortcut (Microsoft)
.mau - Media Attachment Unit
.mav - Access View Shortcut (Microsoft)
.maw - Access Data Access Page (Microsoft)
.mda - Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)
.mdb - Access Application (Microsoft), MDB Access Database (Microsoft)
.mde - Access MDE Database File (Microsoft)
.mdt - Access Add-in Data (Microsoft)
.mdw - Access Workgroup Information (Microsoft)
.mdz - Access Wizard Template (Microsoft)
.msc - Microsoft Management Console Snap-in Control File (Microsoft)
.msh - Microsoft Shell
.msh1 - Microsoft Shell
.msh2 - Microsoft Shell
.mshxml - Microsoft Shell
.msh1xml - Microsoft Shell
.msh2xml - Microsoft Shell
.msi - Windows Installer File (Microsoft)
.msp - Windows Installer Update
.mst - Windows SDK Setup Transform Script
.ops - Office Profile Settings File
.osd - Application virtualized with Microsoft SoftGrid Sequencer
.pcd - Visual Test (Microsoft)
.pif - Windows Program Information File (Microsoft)
.plg - Developer Studio Build Log
.prf - Windows System File
.prg - Program File
.pst - MS Exchange Address Book File, Outlook Personal Folder File (Microsoft)
.reg - Registration Information/Key for W95/98, Registry Data File
.scf - Windows Explorer Command
.scr - Windows Screen Saver
.sct - Windows Script Component, Foxpro Screen (Microsoft)
.shb - Windows Shortcut into a Document
.shs - Shell Scrap Object File
.ps1 - Windows PowerShell
.ps1xml - Windows PowerShell
.ps2 - Windows PowerShell
.ps2xml - Windows PowerShell
.psc1 - Windows PowerShell
.psc2 - Windows PowerShell
.tmp - Temporary File/Folder
.url - Internet Location
.vb - VBScript File or Any VisualBasic Source
.vbe - VBScript Encoded Script File
.vbp - Visual Basic project file
.vbs - VBScript Script File, Visual Basic for Applications Script
.vsmacros - Visual Studio .NET Binary-based Macro Project (Microsoft)
.vsw - Visio Workspace File (Microsoft)
.ws - Windows Script File
.wsc - Windows Script Component
.wsf - Windows Script File
.wsh - Windows Script Host Settings File
.xnk - Exchange Public Folder Shortcut
.ade - ADC Audio File
.cla - Java class File
.class - Java class File
.grp - Microsoft Windows Program Group
.jar - Compressed archive file package for Java classes and data
.mcf - MMS Composer File
.ocx - ActiveX Control file
.pl - Perl script language source code
.xbap - Silverlight Application Package

2018-034-Pentester_Scenario
Interesting email from one of our listeners, detailing an issue that came up on a client engagement. We walk through the best ways to store information post-engagement, and what you need to do to document test procedures so you don't get bitten by a potential issue perhaps months down the line.
2018-031-Derbycon ticket CTF, Windows Event forwarding, SIEM collection, and missing events... oh my!
We are back with a new episode this week! We go over our solutions for some of the #derbyCon ticket #CTF challenges and include links to some of the challenges. We talk about Windows Event Forwarding, and all log forwarders seem to be losing events!
Thanks to our Patrons!
Gonna be at Derbycon, come see us!
Congrats to our Derbycon Ticket CTF winners!
Winner: @gigstaggart
2nd Place: @ohai_ninja
3rd Place: @SoDakHib
Mr. Boettcher's Challenge (SuperCrypto): https://drive.google.com/open?id=1657hBxRbacJRw0svG1nwzZImON3QFn1t
Ms. Berlin's Challenge:
potato.file: https://drive.google.com/open?id=1Mit7060ipK_JgDDF7sYG3XbMpZ9wyaFN
Taters.zip: https://drive.google.com/open?id=1TnA16EiwLw2BberHXct8JpEsntT-GWq7
Potatoes.pcapng: https://drive.google.com/open?id=1_IATBw4OGAc7lUc7NXTcucfwU9NAROYN
Mr. Brake's Challenge: https://drive.google.com/open?id=1gwGkLjWEZ42NlWiw2Eg8IQnnQAxua7B8
Update on Mental Health GoFundMe: http://www.derbycon.com/wellness
Thanks to the #Derbycon organizers for their time and patience in answering the questions posed.
Missing event issues:
https://social.technet.microsoft.com/Forums/en-US/eddf3f41-db8d-4729-a838-646cbbb45295/missing-events-on-event-subscription?forum=winservergen
https://social.technet.microsoft.com/Forums/en-US/cb34f0d3-22df-498c-a782-d1957f6852ac/forwarded-events-subscriptions-missing-information-in-eventdata-section?forum=winserverManagement
https://github.com/palantir/windows-event-forwarding
https://answers.splunk.com/answers/337939/how-to-troubleshoot-why-im-missing-events-in-my-se.html
https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows
https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/
https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4
https://4sysops.com/archives/windows-event-forwarding-to-a-sql-database/
https://blogs.technet.microsoft.com/jepayne/2017/12/08/weffles/
http://bpatty.rocks/blue_team/weffles.html
https://blogs.technet.microsoft.com/nathangau/2017/05/05/event-forwarding-and-how-to-configure-it-for-the-security-monitoring-management-pack/
Some issues with missing events… Everyone is affected by this!
WEF & PowerBI is good for small installations.
Any GPOs involved? Can it be done on a server-by-server basis?
Can an attacker simply disable the service once initial access is achieved?
Pros and cons of feeding the WEF output to a MapReduce system?
Not sure if they've used it, but WEF vs. winlogbeat vs. NxLog?
Need a config? Get some examples here for nxlog, winlogbeat, filebeat, Windows Logging Service and other stuff... https://www.malwarearchaeology.com/logging/
2018-030: Derbycon CTF and Auction info, T-mobile breach suckage, and lockpicking
CTF information:
Official site: https://scoreboard.totallylegitsite.com (thanks Matt Domko (@hashtagcyber) for hosting and allowing us to use his employee discount!)
Please do not pentest the environment, DDoS it, or cause anything undesirable to happen to the site. View the page, submit the flags, leave everything else alone...
Derbycon Auction - starts September 8th at 9am Pacific Time
Slack only - opening bid is $175, increments of $25 only
100% goes to Chris Sanders' "Rural Technology Fund": https://ruraltechfund.org/donate/
Amanda's mental health workshop - AWESOME! http://www.derbycon.com/wellness/ https://www.gofundme.com/derbycon-mental-health-amp-wellbeing
Mandy Logan - hacking her way out of a coma! https://www.gofundme.com/hacking-recovery-brainstem-stroke
https://www.theverge.com/2018/8/24/17776836/tmobile-hack-data-breach-personal-information-two-million-customers
https://www.tomsguide.com/us/tmobile-breach-2018,news-27876.html
https://art-of-lockpicking.com/single-pin-picking-skills/
Lockpicking - Mr. Boettcher discusses (I have thoughts too --brbr)
Tools: tension wrench, picks
Parts of a lock: cylinder, driver pins, key pins, springs
Sites: https://toool.us/
https://art-of-lockpicking.com/how-to-pick-a-lock-guide/ - This is a good guide if you can get past the ads
Mr. Boettcher introducing JGOR audio (@indiecom) totally not @jwgoerlich
Btw: https://www.flickr.com/photos/36152409@N00/sets/72157700237001915/
https://www.trustedsec.com/2018/08/tech-support-scams-are-a-concern-for-all/
https://twitter.com/InfoSystir/status/1032343381328973827
2018-029-postsummercamp-future_record_breached-vulns_nofix
Post-Hacker Summercamp
IppSec walkthroughs
Brakesec Derbycon ticket CTF
Drama - (hotel room search gate) AirConditionerGate
Personal privacy: ask for ID; call the front desk; use the deadbolt - can be bypassed; plug the peephole with TP
Hotel rooms aren't secure (neither are the safes). Probably the most hostile environment infosec people go into to try and be secure/private.
https://247wallst.com/technology-3/2018/08/13/25-of-known-computer-security-vulnerabilities-have-no-fix/
This is the company behind a sort-of threat intel site (vulnDB). The original marketing site: I figured it was marketing… it smacked of a 'buy our product' site, but we don't have to mention vulnDB.
https://www.informationsecuritybuzz.com/expert-comments/over-146-billion-records/ - based on a study by Juniper Research
2018-028-runkeys, DNS Logging, derbycon Talks
HTTPS on www.brakeingsecurity.com; Libsyn RSS syncing of iTunes/Google Play is over TLS
Amanda giving a talk at Diana Initiative
Derbycon talk - mental health
Volunteer/Topic request form - https://goo.gl/forms/wAiLW5Dh5h0MR5bO2
http://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/
https://blogs.technet.microsoft.com/teamdhcp/2015/11/23/network-forensics-with-windows-dns-analytical-logging/
https://blogs.technet.microsoft.com/secadv/2018/01/22/parsing-dns-server-log-to-track-active-clients/
https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/tracelo
2018-027-Godfrey Daniels talks about his book about the Mojave Phonebooth
Godfrey Daniels - author of "Adventures with the Mojave Phone Booth", on sale at mojavephoneboothbook.com
https://en.wikipedia.org/wiki/Mojave_phone_booth
https://www.tripsavvy.com/the-mojave-phone-booth-1474047
https://www.dailydot.com/debug/mojave-phone-booth-back-number/
https://www.npr.org/2014/08/22/342430204/the-mojave-phone-booth
https://www.reddit.com/r/UnresolvedMysteries/comments/7wjq4a/cipher_broadcast_the_mojave_phone_booth_is_back/
https://twitter.com/mojavefonebooth
https://www.google.com/maps/place/Mojave+Phone+Booth/@35.2873088,-115.6911087,3155m/data=!3m1!1e3!4m5!3m4!1s0x80c587e7172e7259:0xbc30709b3558dd90!8m2!3d35.2856782!4d-115.6844312
https://www.theatlantic.com/technology/archive/2017/02/object-lesson-phone-booth/515385/
http://deathvalleyjim.com/cima-cinder-mine-mojave-national-preserve/
https://twitter.com/_noid_?lang=en
https://www.monoprice.com/product?p_id=8136&gclid=CjwKCAjwy_XaBRAWEiwApfjKHuwvafwlgj6K3bNw6Qoy06i0KlXrTcPu8RLUSnhdEur5Y8PlVNaB1hoClJoQAvD_BwE
http://www.mojavephonebooth.com/ - movie based on the phone booth itself, not the book
2018-026-insurers gathering data, netflix released a new DFIR tool, and google no longer gets phished?
Stories and topics we covered:
https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
https://osquery.io/
https://www.propublica.org/article/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates
https://medium.com/netflix-techblog/netflix-sirt-releases-diffy-a-differencing-engine-for-digital-forensics-in-the-cloud-37b71abd2698
2018-025-BsidesSPFD, threathunting, assessing risk
Sorry, this week's show took an odd turn, and we don't have much in the way of show notes... Ms. Berlin is recovering from knee surgery, and we wish her a speedy recovery.
Bryan B. got back from BsidesSPFD, MO this week, after what was a well-received talk on building community. Lots of other excellent talks from speakers like Ms. Sunny Wear, and an impromptu panel with Ben Miller and a whole host of others, including: @icssec @bethayoung @ViciousData @killianditch @fang0654 @SunnyWear @awsmhacks @sysopfb @killamjr
We started talking about malware, and we ended up discussing a new channel in the BrakeSec Slack on #threatHunting. It appears there's a lot of information out there on the topic, so much so that SANS is holding a whole conference around it. https://www.sans.org/event/threat-hunting-and-incident-response-summit-2018
@icssec @bethayoung @bryanbrake @ViciousData @killianditch @fang0654 @SunnyWear @awsmhacks @sysopfb @killamjr
2018-024- Pacu, a tool for pentesting AWS environments
Ben Caudill @rhinosecurity
Spencer Gietzen @spengietz
Rhino Security - https://rhinosecuritylabs.com/blog/
AWS escalation and mitigation blog - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- What is the difference between this and something like Scout or Lynis?
- Is it a forensic or IR tool?
- How might offensive people use this tool? What is possible when you're using this as a 'redteam' or 'pentesting' tool?
- S3 bucket perms?
- Security Group policy fails. Some of the hardening policies for Security groups?
- RDS?
- Where are you speaking… BSLV? DefCon?
https://aws.amazon.com/whitepapers/aws-security-best-practices/
https://d1.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf
https://aws.amazon.com/whitepapers/
https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/
https://aws.amazon.com/blogs/security/how-to-enable-mfa-protection-on-your-aws-api-calls/
Slack
Patreon
Bsides Springfield
2018-023: Cydefe interview-DNS enumeration-CTF setup & prep
Raymond Evans - CTF organizer for nolacon and Founder of CyDefe Labs @cydefe
CTF setup / challenges of setting up a CTF
Beginners & CTFs
Types
Tips/tricks
Biggest downfalls of CTF development
https://www.heroku.com/
www.exploit-db.com
BrakeSec DerbyCon
@dragosinc dragos.com
DNS Enumeration: https://github.com/nixawk/pentest-wiki/blob/master/1.Information-Gathering/How-to-gather-dns-information.md
DNS Tools:
https://dnsdumpster.com/
https://tools.kali.org/information-gathering/theharvester
DNS Tutorial: https://www.youtube.com/watch?v=4ZtFk2dtqv0 (A cat explains DNS)
https://pentestlab.blog/tag/dns-enumeration/
DNS Logging: Logging detailed DNS queries and responses can be beneficial for many reasons. The first and most obvious reason is to aid in incident response. DNS logs can be very helpful for tracking down malicious behavior, especially on endpoints in a DHCP pool. If an alert is received with a specific IP address, that IP address may not be on the same endpoint by the time someone ends up investigating. Not only does that waste time, it also gives the malicious program or attacker more time to hide or spread to other machines. DNS logs are also useful for tracking down other compromised hosts, downloads from malicious websites, and cases where malware is using Domain Generating Algorithms (DGAs) to mask malicious behavior and evade detection.
NOTE: However, if a Microsoft DNS solution (prior to Server 2012) is in use, according to Microsoft, "Debug logging can be resource intensive, affecting overall server performance and consuming disk space. Therefore, it should only be used temporarily when more detailed information about server performance is needed." From Server 2012 forward, DNS analytic logging is much less resource intensive. If the organization is using BIND or some DNS appliance, it should have the capability to log all information about DNS requests and replies.
How difficult has that become with the advent of GDPR and whois record anonymization?
2018-022-preventing_insider_threat
After the recent Tesla insider threat event, BrakeSec decided to discuss some of the indicators of insider threat, what can be done to mitigate it, and why it happens.
News stories referenced:
https://www.infosecurity-magazine.com/news/teslas-tough-lesson-on-malicious/
https://www.scmagazine.com/tesla-hit-by-insider-saboteur-who-changed-code-exfiltrated-data/article/774472/
https://en.wikipedia.org/wiki/Insider_threat
https://en.wikipedia.org/wiki/Insider_threat_management
2018-021-TLS 1.3 discussion, Area41 report, wireshark goodness
Area41 Zurich report
Book Club - 4th Tuesday of the month
https://www.owasp.org/images/d/d3/TLS_v1.3_Overview_OWASP_Final.pdf
https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
TLS_DHE_RSA_AES_256_GCM_SHA256
- TLS = Protocol
- DHE = Diffie-Hellman ephemeral (provides Perfect Forward Secrecy). Perfect Forward Secrecy = session keys won't be compromised, even if server private keys are; past messages and data cannot be retrieved or decrypted (https://en.wikipedia.org/wiki/Forward_secrecy)
- RSA = Digital Signature (authentication). There are only 2 (RSA, or ECDSA)
- AES_256_GCM - HMAC (hashed message authentication code)
https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
https://en.wikipedia.org/wiki/HMAC#Definition_.28from_RFC_2104.29
https://en.wikipedia.org/wiki/Funicular
https://mozilla.github.io/server-side-tls/ssl-config-generator/?hsts=no
2018-020: NIST's new password reqs, Ms. Berlin talks about ShowMeCon, Pwned Passwords
https://nostarch.com/packetanalysis3 -- Excellent Book! You must buy it.
DetSEC mention
ShowMe Con panel and keynote
SeaSec East standing room only. Crispin gave a great talk about running as Standard user
Bsides Cleveland
https://www.passwordping.com/surprising-new-password-guidelines-nist/
1Password version 7.1 integrates with Troy Hunt's "Pwned Passwords" service to check for passwords that suck
https://twitter.com/troyhunt/status/1006266985808875521
https://1password.com/sign-up/
https://www.troyhunt.com/have-i-been-pwned-is-now-partnering-with-1password/
1,300 complaints of GDPR breaches in the first 6 days of enablement: https://iapp.org/news/a/irish-dpc-received-1300-complaints-since-gdpr-implementation-date/
https://www.pcisecuritystandards.org/about_us/leadership

2018-019-50 good ways to protect your network, brakesec summer reading program
Ms. Berlin's mega tweet on protecting your network https://twitter.com/InfoSystir/status/1000109571598364672
Utica College CYB617 (I tweeted "utica university", many pardons)
Mr. Childress' high school class, Laurens, South Carolina
Probably spent as much as a daily coffee at Starbucks… makes all the difference.
CTF Club, and book club (summer reading series)
Patreon
SeaSec East
Showmecon
Area41con
bsidescleveland
Here are 50 FREE things you can do to improve the security of most environments:
Segmentation/Networking:
- Access control lists are your friend (deny all first)
- Disable ports that are unused, & setup port security
- DMZ behind separate firewall
- Egress Filtering (should be just as strict as Ingress)
- Geoblocking
- Segment with Vlans
- Restrict access to backups
- Role based servers only! DNS servers/DCs are just that
- Network device backups
Windows:
- AD delegation of rights
- Best practice GPO (NIST GPO templates)
- Disable LLMNR/NetBios
- EMET (when OSes prior to 10 are present)
- Get rid of open shares
- MBSA
- WSUS
- ** run as a standard user ** no 'localadmin'
Endpoints:
- App Whitelisting
- Block browsing from servers. Not all machines need internet access
- Change ilo settings/passwords
- Use Bitlocker/encryption
- Patch *nix boxes
- Remove unneeded software
- Upgrade firmware
MFA/Auth:
- Diff. local admin passwords (LAPS) https://www.microsoft.com/en-us/download/details.aspx?id=46899
- Setup centralized logins for network devices. Use TACACS+ or radius
- Least privileges EVERYWHERE
- Separation of rights - Domain Admin use should be sparse & audited
Logging/Monitoring:
- Force advanced file auditing (ransomware detection)
- Log successful and unsuccessful logins - Windows/Linux logging cheatsheets
Web:
- Fail2ban
- For the love of god implement TLS 1.2/3
- URLscan
- Ensure web logins use HTTPS
- Mod security
Other:
- Block Dns zone transfers
- Close open mail relays
- Disable telnet & other insecure protocols or alert on use
- DNS servers should not be openly recursive
- Don't forget your printers (saved creds aren't good)
- Locate and destroy plain text passwords
- No open wi-fi, use WPA2 + AES
- Password safes
IR:
- Incident Response drills
- Incident Response Runbook & Bugout bag
- Incident Response tabletops
Purple Team:
- Internal & OSINT honeypots
- User Education exercises
- MITRE ATT&CK Matrix is your friend
- Vulnerability Scanner
2018-018-Jack Rhysider, Cryptowars of the 90s, OSINT techniques, and hacking MMOs
https://darknetdiaries.com/ Jack Rhysider
OK, I think these topics should keep us busy for a while. Topics for discussion:
- Do hospitals have a free pass when being attacked? #OPJUSTINA https://nakedsecurity.sophos.com/2014/04/28/anonymous-takes-on-boston-childrens-hospital-in-opjustina/ https://www.youtube.com/watch?v=eFVBz_ATAlU - when anonymous attacks your hospital
- The oldest known vulnerability is still a big problem. Default passwords. Why haven't we fixed this yet? https://www.rapid7.com/db/vulnerabilities/telnet-default-account-admin-password-password http://census2012.sourceforge.net/paper.html
- In the '90s strong crypto was illegal online. https://en.wikipedia.org/wiki/Data_Encryption_Standard https://en.wikipedia.org/wiki/EFF_DES_cracker
- The NSA scrapes social media and uses regular OSINT techniques to figure out how to best attack a network.
- Manfred made a living hacking MMORPGs for the last 20 years. And he tried to do it as ethically as possible.
- When a single CA is breached, it breaks the security for the whole internet.
- Toy companies aren't securing children's data
- What are the options when you find a major security flaw in a home router but the vendor refuses to acknowledge it, much less fix it? And there's no bug bounty.
2018-017- threat models, vuln triage, useless scores, and analysis tools
Vuln mgmt tools
CVE scores suck.
Threat modeling is good. Forces you to know your environment
https://en.wikipedia.org/wiki/Kanban
https://blog.jeremiahgrossman.com/2018/05/all-these-vulnerabilities-rarely-matter.html
https://twitter.com/lnxdork/status/998559649271025664
https://www.google.com/search?q=house+centipede&rlz=1C5CHFA_enUS759US759&source=lnms&tbm=isch&sa=X&ved=0ahUKEwiypKyfpZjbAhWJjlkKHd0lASYQ_AUICigB&biw=1920&bih=983
https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
https://www.theregister.co.uk/2018/05/17/nethammer_second_remote_rowhammer_exploit/
2018-016- Jack Rhysider, DarkNet Diaries, and a bit of infosec history (Part 1)
Converge Detroit
Jack Rhysider - Podcaster, DarkNet Diaries https://darknetdiaries.com/
- Do hospitals have a free pass when being attacked? #OPJUSTINA https://nakedsecurity.sophos.com/2014/04/28/anonymous-takes-on-boston-childrens-hospital-in-opjustina/ https://www.youtube.com/watch?v=eFVBz_ATAlU - when anonymous attacks your hospital
- The oldest known vulnerability is still a big problem. Default passwords. Why haven't we fixed this yet? https://www.rapid7.com/db/vulnerabilities/telnet-default-account-admin-password-password http://census2012.sourceforge.net/paper.html
2018-015-Data labeling, data classification, and GDPR issues
GDPR will affect any information system that processes or will process data about people… like it or not.
Derby Tickets
CTF and auction
Keynote Converge Detroit
I'll be at nolacon too
Boettcher Recap BDIR #3
https://blog.netwrix.com/2018/05/01/five-reasons-to-ditch-manual-data-classification-methods/
https://blog.networksgroup.com/data-loss-prevention-fundamentals
2018-014- Container Security with Jay Beale
Container security
Jay Beale @inguardians, @jaybeale
Containers
- What the heck is a container? Linux distribution with a kernel; containers run on top of that, sharing the kernel, but not the filesystem
- Namespaces: Mount, Network, Hostname, PID, IPC, Users
- Somebody said we've had containers since before Docker: containers started in 2005, with OpenVZ. Docker was 2013, Kubernetes 2014
Image Security
- CoreOS Clair for vuln scanning images
- Public repos vs private
- Don't keep the image running for so long?
- Don't run as root
More Containment stuff
- Non-privileged containers
- Remap the users, so root in container isn't root outside
- Drop root capabilities
- Seccomp for kernel syscalls
- AppArmor or SELinux
All of above is about Docker, what about Kubernetes
- Get onto most recent version of K8S - 1.7 and 1.8 brought big security improvements
- Network policy (egress firewalls)
- RBAC (define what users and service accounts can do what)
- Use namespaces per tenant and think hard about multi-tenancy
- Use the CIS guides for lockdown of K8S and the host
- Kube-bench
Difference between containers and sandboxing
Roll your own - Containers
- Using public registries - leave you vulnerable
- Use your own private repos for deploying containers
- Reduce attack surface
- Reduce user access
- Automation will allow more security to get baked in.
https://www.infoworld.com/article/3104030/security/5-keys-to-docker-container-security.html
https://blog.blackducksoftware.com/8-takeaways-nist-application-container-security-guide
https://www.vagrantup.com/downloads.html
https://www.vmware.com/products/thinapp.html
https://www.meetup.com/SEASec-East/events/249983387/
S3 buckets / Azure Blobs
https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services
https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
2018-013-Sigma_malware_report, Verizon_DBIR discussion, proper off-boarding of employees
Report from Bsides Nash - Ms. Berlin
New Job
Keynote at Bsides Springfield, MO
Mr. Boettcher talks about Sigma Malware infection.
http://www.securitybsides.com/w/page/116970567/BSidesSpfd **new website upcoming** Registration is coming and will be updated on next show (hopefully)
DBIR - https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf
VERIS framework http://veriscommunity.net/
53,000 incidents, 2,216 breaches?!
73% of breaches were by outsiders
28% involved internal actors (but needs outside help?)
Not teaching "don't click the link", but instead teach "I have no curiosity"
Discuss "Dir. Infosec" Slack story as method to halt infection
https://www.tripwire.com/state-of-security/security-awareness/women-information-security-amanda-berlin/
The "Living off the Land" trend continues with attack groups opting for tried-and-trusted means to infiltrate target organizations. Spear phishing is the number one infection vector, employed by 71 percent of organized groups in 2017. The use of zero days continues to fall out of favor.
Off-boarding people… so much process to get people on, but it's just not mature getting people out...
2018-012: SIEM tuning, collection, types of SIEM, and do you even need one?
Bryan plays 'stump the experts' with Ms. Berlin and Mr. Boettcher this week... We discuss SIEM logging and tuning...
- How do SIEMs deal with disparate log file types?
- What logs should be the first to be gathered?
- Is a SIEM even required, or is just a central log repo enough?
- Which departments benefit the most from logging? (IT, IR, Compliance?)
2018-011: Creating a Culture of Neurodiversity
Megan Roddie discusses being a high-functioning autistic, and we discuss how companies and management can take advantage of the unique abilities of those with high-functioning autism.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-011.mp3
Matt Miller's Assembly and Reverse Engineering Class: Still can sign up! The syllabus is here: https://drive.google.com/open?id=1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0
SHOW NOTES:
Link to Megan's slides
Megan Roddie (@megan_roddie)
Diversity - Why managers should strive for diverse teams - First, Break All the Rules: What the World's Greatest Managers Do Differently
Strengths - hire people based on their strengths, not their weaknesses (see StrengthsFinder 2.0) regarding Grant and Lee
- Megan: 1. Achiever, 2. Learner, 3. Intellection, 4. Focus, 5. Harmony
- Bryan: Learner, Ideation, Futuristic, Significance, Focus
- Amanda: Restorative, Learner, Input, Ideation, Focus
- Brian: Maximizer, Learner, Responsibility, Individualization, Belief
Scores
Weaknesses - weaknesses are made irrelevant by the strengths of others. If one employee has a weakness, you can hire someone who has great strength in that area.
Sports teams quote (Slide 6)
What is it? (vs. neurotypical)
What are weaknesses of HFAs?
What are strengths of HFAs? (Slides 17 - 22)
HFA
One-on-one time is the SINGLE most effective management tool, works with HFAs and neurotypicals alike → guide
Examples (Slide 28)
Pants
Introductions (vendor meet at BSides example)
Some (most?) neurotypicals get offended
How to manage or work with HFAs
Tips (slides 32-34)
Structure and Routine → Productivity
Clarity → Thorough Work
Patience and Understanding → Dedicated & Passionate Employee
Needs
2018-010 - The ransoming of Atlanta, Facebook slurping PII, Dridex variants
Matt Miller's #Assembly and #Reverse #Engineering class: $150USD for each class, 250USD for both classes
Syllabus: https://docs.google.com/document/d/1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0/edit?usp=sharing
Please state which class you'd like to take when ordering in the "Notes" field in Paypal https://paypal.me/BDSPodcast/150usd
To sign up for both classes: https://paypal.me/BDSPodcast/250usd
Stories:
https://threatpost.com/orbitz-warns-880000-payment-cards-suspected-stolen/130601/
TLS1.3 - https://www.theregister.co.uk/2018/03/27/with_tls_13_signed_off_its_implementation_time/
https://slate.com/technology/2018/03/facebook-acknowledges-it-kept-records-of-calls-and-texts-from-android-users.html
https://www.csoonline.com/article/3264654/security/atlanta-officials-still-working-around-the-clock-to-resolve-ransomware-attack.html
https://timtaubert.de/blog/2015/11/more-privacy-less-latency-improved-handshakes-in-tls-13
Sign up for Jay Beale's class at Black Hat 2018: https://www.blackhat.com/us-18/training/aikido-on-the-command-line-linux-lockdown-and-proactive-security.html
2018-009- Retooling for new infosec jobs, sno0ose, Jay Beale, and mentorship
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-009-internships-mentorships-retooling-finding-that-unicorn-pentester.mp3
Topics discussed:
- How Jay Beale (@jaybeale @inguardians) and Brad A. (@sno0ose) do mentorship and apprenticeship in their respective orgs.
- Best methods to retool yourself if you are trying to move to a new industry
- Why 'hitting the ground running' isn't the sign of an immature organization...
Matt Miller's #Assembly and #Reverse #Engineering class: $150USD for each class, 250USD for both classes
Syllabus: https://docs.google.com/document/d/1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0/edit?usp=sharing
Please state which class you'd like to take when ordering in the "Notes" field in Paypal https://paypal.me/BDSPodcast/150usd
To sign up for both classes: https://paypal.me/BDSPodcast/250usd
Tickets are already on sale for "Hack in the Box" in Amsterdam from 9-13 April 2018, and using the checkout code 'brakeingsecurity' gets you a 10% discount. Register at https://conference.hitb.org/hitbsecconf2018ams/register/
Sign up for Jay Beale's class at Black Hat 2018: https://www.blackhat.com/us-18/training/aikido-on-the-command-line-linux-lockdown-and-proactive-security.html
SHOW NOTES:
Guest: Mr. Jay Beale
Guest: Mr. Brad Ammerman @?????????
Announcements:
- RE/ASM class (Matt Miller)
- SeaSec East Meetup at Black Lodge
- Jay's class at Black Hat https://www.blackhat.com/us-18/training/aikido-on-the-command-line-linux-lockdown-and-proactive-security.html
- Slack channel "M3atshield"
What jobs are good segues into either blue or red teams/pentesting?
- SOC Analyst (network security, pcap, IR)
- SysAdmin (obviously)
- Code devs (audits, binary analysis, they know the code internals)
- System architects (they know the nuts and bolts)
- Security architects (segue to red team, they know how to defend, threat analysis)
- Project management / management (client/customer facing, can understand the business side)
Journeyman pipelines vs. intern pipelines
Different than interns = already highly skilled in 'something':
- Code devs
- Physical security audit/compliance
- Project/program management
- System admin
- Management "generalist"
Retooling can be difficult
- May be a paycut
- Fear of failure
- How do we alleviate that? (mentorship model?)
Companies looking for skilled people can't look for what they want
Think in the bigger picture
Is not being able to see the value in a non-infosec person coming to the team a sign of immaturity in a company?
The phrase "must be able to hit the ground running"
- Turn off for those wanting to make that change
- Feel they must already know the job
People should be thought of as a block of clay, not an immutable stone. People can change if they want to…
2 party comfort zone. Both the person changing role/title, and the company understanding where the person sits in the position.
Mentorship/menteeship in an org
BDIR-001: Credential stealing emails, How do you protect against it?
BDIR Episode - 001
Our guest will be: Martin Brough - Manager of the Security Solutions Engineering team in the #email #phishing industry
Topic of the Day: "CREDENTIAL STEALING EMAILS: WHAT CAN YOU DO"

Show Notes:
Introductions
Introduce our Guest Martin Brough
  Twitter - @HackerNinja
  Blog - InfoSec512.com
More show notes at https://www.imfsecurity.com/podcasts/2018/2/28/bdir-podcast-episode-001
2018-008- ransomware rubes, Defender does not like Kali, proper backups
https://www.auditscripts.com/free-resources/critical-security-controls/
Thanks to Slacker Ben Chung, who heard about this from John Strand...

BsidesIndy report - Amanda
Bsides Austin - Brian

Log_MD 2.0 - www.log-md.com

https://www.bleepingcomputer.com/news/security/only-half-of-those-who-paid-a-ransomware-ransom-could-recover-their-data/
https://itsfoss.com/kali-linux-debian-wsl/
https://www.bleepingcomputer.com/news/security/kali-linux-now-in-windows-store-but-defender-flags-its-packages-as-threats/
2018-007- Memcached DDoS, Secure Framework Documentation, and chromebook hacking
Topics:
Secure Framework documents
Modifying chromebooks so you can use Debian/Ubuntu
Memcached is the new DDoS hotness
Announcement of the next BrakeSec Training Class (see Show Notes below for more info)

Link to secure framework document: https://drive.google.com/open?id=1xLfY4uI88K2AiA1mosWJ7jFyP100Jv5d

--Show Notes--
Announcements:
Matt Miller's class on Assembly and Reverse engineering
  Starts 2 April - 6 sessions
  2nd Class - 6 sessions, beginning 21 May
  Beginner course on Assembly
  Advanced course, dealing with more advanced topics
  $150 for each class, or a $250 deal if you sign up for both classes
  paypal.me/BDSPodcast/150USD - Specify in the NOTES if you want the "Beginner" or "Advanced" course
  paypal.me/BDSPodcast/250USD - If you want both courses
  We need a minimum of 10 students per class

Projects:
Chromebook with Debian
  Bit of a pain, if I could be honest. Needed a USB hub with eth0, and a USB soundcard.
  USB3 low-profile thumbdrives would be better: https://www.amazon.com/gp/product/B01K5EBCES/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1

https://www.securecontrolsframework.com/ ← well worth the signup
https://drive.google.com/open?id=1xLfY4uI88K2AiA1mosWJ7jFyP100Jv5d - 'secure.xlsx'
http://www.dummies.com/programming/certification/security-control-frameworks/
Numerous security frameworks already exist:
  Cisco
  NIST
  COBIT
  ITIL (can be utilized)
  SWIFT - https://www.accesspay.com/wp-content/uploads/2017/09/SWIFT_Customer_Security_Controls_Framework.pdf

"My weird path to #infosec" on Twitter
https://en.wikipedia.org/wiki/Hydrocolloid_dressing
2018-006- NPM is whacking boxes, code signing, and stability of code
Topics on today's show:
NPM (Node Package Manager) - a bug was introduced changing permissions on /etc, /boot, and /usr, breaking many systems and requiring full re-installs. Why was it allowed to pass, and worse, why did so many run that version on production systems?
Code signing - a well-known content management system does not sign its code. What are the risks involved in not signing the code? And we talk about why you should verify the code before you use it.
Using code without testing - NPM released a 'not ready for primetime' version of its package manager. We discuss the issues in running 'alpha' and 'beta'.

SHOW NOTES:
Previous podcast referenced: http://traffic.libsyn.com/brakeingsecurity/2018-005-Securing_CMS_and_mobile_devices-phishing_story.mp3

NPM
  https://www.techrepublic.com/article/series-of-critical-bugs-in-npm-are-destroying-server-configurations/
  https://www.bleepingcomputer.com/news/linux/botched-npm-update-crashes-linux-systems-forces-users-to-reinstall/
  Using 'pre-production' software without testing is not advisable
  Unfortunately, many assume all software is stable
  A product of 'devops' - failing forward, "we'll just fix it in post"
  Talked last podcast about 'supply chain security'
  https://givan.se/do-not-sudo-npm/
  https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/
  Developers can leave a project, leaving code (or dependencies) unmaintained…

Also, a modicum of trust is required… verifying the code before you use it.
  Verification that the code came from where it was supposed to
  Many important code bases aren't signed or don't have verification
  Wordpress does not appear to publish file hashes
  Can you always trust the download? Sure, they do TLS… but no integrity, or non-repudiation
  https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate
  https://www.thawte.com/code-signing/whitepaper/best-practices-for-code-signing-certificates.pdf

Bsides NASH - https://bsidesnash.org/2018/02/20/interview-and-resume-workshop/
2018-005-Securing_your_mobile_devices_and_CMS_against_plugin_attacks
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-005-Securing_CMS_and_mobile_devices-phishing_story.mp3

Topics:
Discussion of Ms. Berlin's course
CAPEC discussion
RTF malware
MS Office
A Phishing story...
Mobile Supply Chain Security
CMS Supply Chain Security

Ms. Berlin's course - recap of 2nd session
Brakeing Down IR - date?

Any malware of note?
  Upgrade your Office! Just double-clicked, used RTF and the document never opened, just the script ran.

Supply chain isn't just hardware… software stacks abound and are not followed
  Wordpress plugins, CMS plugins/themes… not monitored, weakly secured
  Keeping track is as important as asset management
  Do you know what your CMS is running, plugin-wise?
  And if plugins aren't bad enough, you have PHP to deal with
Suggestions:
  Buy plugins - you get what you pay for
  Check what support you get (always a good idea)
  Require reviews for new plugins, and old ones, esp. if they haven't updated in a while
  Are they still maintained? (abandonware bad)
  New owners? (many plugins and apps get bought and then start changing permissions, or worse, serving malware)
  Joomla - Vulnerable Extensions list - https://vel.joomla.org/live-vel
  Wordpress - WPScan https://wpvulndb.com/plugins

https://capec.mitre.org/
https://theconversation.com/explainer-how-malware-gets-inside-your-apps-79485
PYPI - https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
CCleaner - https://www.theverge.com/2017/9/18/16325202/ccleaner-hack-malware-security

News:
https://hotforsecurity.bitdefender.com/blog/uh-oh-how-just-inserting-a-usb-drive-can-pwn-a-linux-box-19586.html

Adversary generation systems
  Red Baron - https://www.coalfire.com/Solutions/Coalfire-Labs/The-Coalfire-LABS-Blog/february-2018/introducing-red-baron
  https://github.com/uber-common/metta
  https://github.com/NextronSystems/
  https://www.kitploit.com/2018/02/venom-1015-metasploit-shellcode.html
  Quickly building Redteam Infrastructure: https://rastamouse.me/2017/08/automated-red-team-infrastructure-deployment-with-terraform---part-1/

If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box #HITB Amsterdam conference, which will take place between 9 and 13 April 2018. Tickets are already on sale, and using the checkout code 'brakeingsecurity' gets you a 10% discount. Register at https://conference.hitb.org/hitbsecconf2018ams/register/
2018-004 - Discussing Bsides Seattle, and Does Autosploit matter?
Show Notes: https://docs.google.com/document/d/1CSjskf-3vrguoyIyg8yOK2KLqg7srxYlee4RD6jzgNc/edit?usp=sharing

Topics Discussed:
New tool: AutoSploit - Does it lower the bar?
How should Blue teamers be using Shodan?
Discuss WPAD attacks, what WPAD is, and why it's a thing blue teams should worry about.

ANNOUNCEMENTS:
Ms. Amanda Berlin is running 4 sessions of her workshop "Disrupting the Killchain" starting on the 5th of February at 6:30pm Pacific Time (9:30 Eastern Time). If you would like to sign up, the fee is $100 and you can send that to our paypal account at https://paypal.me/BDSPodcast, sent as a 'gift'.
Course Syllabus: https://docs.google.com/document/d/12glnkY0nxKU9nAvekypL4N910nd-Nd6PPvGdYYJOyR4/edit
BDIR-000 ; The Beginning
Here is the inaugural episode of "Brakeing Down Incident Response". Please check it out!

BDIR Episode - 000
Our guests will be:
Dave Cowen - Forensic Lunch Podcast and G-C Partners
Tyler Hudak - Trainer in Malware Analysis and Reverse Engineering
Topic of the Day: WHAT IS THIS NEW PODCAST ALL ABOUT, WHAT WILL IT COVER?
"Incident Response, Malware Discovery, and Basic Malware Analysis, Detection and Response, Active Defense, Threat Hunting, and where does it fit within DFIR"
SHOW NOTES: https://www.imfsecurity.com/podcast/2018/1/18/bdir-podcast-episode-000