BrakeSec Education Podcast

463 episodes — Page 6 of 10

2018-003-Privacy Issues using Crowdsourced services

Back in late 2017, we did a show about Expensify and how the organization was using a service called 'Amazon Mechanical Turk' (MTurk) to process receipts and to help train their machine learning algorithms. You can download that show and listen to it here: 2017-040

#infosec people on Twitter and elsewhere were worried about #privacy issues, as examples of receipts on MTurk included things like business receipts, medical invoices, travel receipts and the like. One of our Slack members (@nxvl) came on our #Slack channel after the show, reached out and said that his company uses services like these. They use these services to test applications, for unit testing, and for the creation of test cases for training and refinement of their own applications and algorithms.

We discuss the privacy implications of employing these services, how to reduce the chances of data loss, the technology behind how they make the testing work, and what other companies should do if they want to employ MTurk or other 3rd parties.

Direct Show Download: http://traffic.libsyn.com/brakeingsecurity/2018-003-MTurk-NXVL-privacy_issues_using_crowdsourced_applications.mp3

ANNOUNCEMENTS:
Ms. Amanda Berlin is running 4 sessions of her workshop "Disrupting the Killchain" starting on the 4th of February at 6:30pm Pacific Time (9:30 Eastern Time). If you would like to sign up, the fee is $100 and you can send that to our PayPal account at https://paypal.me/BDSPodcast
Course Syllabus: https://docs.google.com/document/d/12glnkY0nxKU9nAvekypL4N910nd-Nd6PPvGdYYJOyR4/edit

If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box #HITB Amsterdam conference, which will take place between 9 and 13 April 2018. Tickets are already on sale, and using the checkout code 'brakeingsecurity' gets you a 10% discount. Register at https://conference.hitb.org/hitbsecconf2018ams/register/

#Spotify: https://brakesec.com/spotifyBDS
RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
Join our #Slack Channel! Email us at [email protected] or DM us on Twitter @brakesec
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Show Notes:
- Mr. Boettcher gave a talk (discuss) http://DETSec.org
- Brakeing Down Incident Response Podcast
- Amanda's class (starts 4 February, $100 for 4 sessions, $50 for early video access)
- I need to mention HITB Amsterdam
- David's Resume Review -- Bsides Nash Resume Review
- SANS SEC504 Mentor course
- Guest: Nicolas Valcarcel, Twitter: @nxvl
- Possible news to discuss: https://www.reddit.com/r/sysadmin/comments/7sn23c/oh_security_team_how_i_loathe_you_meltdown/
- Mechanical Turk: https://www.mturk.com/
- CircleCI 2.0: https://circleci.com/docs/2.0/
- TaskRabbit: https://www.taskrabbit.com/
- Historically: https://en.wikipedia.org/wiki/The_Turk
- Expensify using Amazon Mechanical Turk: https://www.theverge.com/2017/11/28/16703962/expensify-receipts-amazon-turk-privacy-controversy and https://www.wired.com/story/not-always-ai-that-sifts-through-sensitive-info-crowdsourced-labor/
- FTA: "I wonder if Expensify SmartScan users know MTurk workers enter their receipts. I'm looking at someone's Uber receipt with their full name, pick up, and drop off addresses," Rochelle LaPlante, a Mechanical Turk worker who is also a co-administrator of the MTurk Crowd forum, wrote on Twitter.
- https://www.dailydot.com/debug/what-is-amazon-mechanical-turk-tips/ "About those tasks, they're called HITs, which is short for Human Intelligence Tasks. A single HIT can be paid as low as a penny but may take only a couple seconds to complete. Requesters often list how long a task is supposed to take, along with the nature of the work and the requirements for completing the work." "Since mTurk has been around for over a decade, Amazon has created a special class of workers called Masters Qualification. Turkers with masters have usually completed over 1,000 HITs and have high approval ratings."
- Kind of like a Yelp for HIT reviewers?
- Are companies like Expensify aware of the data that could be collected and analyzed by 3rd parties? Is it an acceptable risk?
- Privacy questions to ask companies that employ ML/AI tech: Are they using MTurk or the like for training their algorithms? Are they using Master level workers for processing?
- Nxvl links: Securely Relying on the Crowd (pap

Jan 27, 2018 (1h 6m)

2018-002-John_Nye-Healthcare's_biggest_issues-ransomware


John Nye (@EndisNye_com) is the VP of Cybersecurity Strategy at healthcare consultancy #CynergisTek. He's in the process of writing a whitepaper about the issues that are still plaguing healthcare. While every industry in the world has to deal with #security issues, the stakes are highest, and most personal, in healthcare. Because healthcare data is highly sensitive, a breach can cause major problems for the individual and the #healthcare organization — in addition to embarrassment and sometimes extortion or blackmail. We go over some of the things he's found, and discuss how we could address these issues.

Ms. Berlin's course "Disrupting the Kill Chain" is planned to start on the 5th of February, and will be 4 sessions, with new material if you've seen her workshop at previous conferences. The cost of the class will be $100 USD for access to our Zoom webex. If you'd like to gain access to the videos we'll have for the class, you can buy access to them for $50 USD. Sign up with our Paypal link: Paypal -- When paying, if you want us to send you a different email from your Paypal email, please add it to the 'NOTE' section during your payment.

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2018-002-John_Nye-Healthcares-biggest_issues-ransomware.mp3

From our friends at Hack In the Box Amsterdam: "We are gearing up for the Hack In The Box Amsterdam 2018, which is now on its 9th edition, and will take place between the 9th and 13th April at the same venue as last year, the Grand Krasnapolsky hotel in the center of Amsterdam: https://conference.hitb.org/hitbsecconf2018ams/ The list of trainings is already published and looking as awesome as ever: https://conference.hitb.org/hitbsecconf2018ams/training The CFP is open and the review board is already hard at work with the first submissions." "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 9 and 13 April 2018. The Call For Papers is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount."

Jan 20, 2018 (1h 3m)

2018-001- A new year, new changes, same old trojan malware


Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-001-A_new_year-new_changes-same_old_malware.mp3

The first show of our 2018 season brings us something new (some awesome new additions to our repertoire), and something old (ransomware). Michael Gough is joining us to discuss a new partnership with BrakeSec Podcast (you'll have to listen to find out, or wait a few weeks :D )

We discuss the #Spectre and #meltdown vulnerabilities, wonder about the criticality of the vulnerabilities and their mitigation, and debate why the patching was handled in such a poor manner. We also discuss a news story about a school that spent an exorbitant amount of money to remove a trojan that Mr. Boettcher (@boettcherpwned) and Mr. Gough (@hackerhurricane) believe could have been very simply handled. We talk about the need for state and local governments and institutions to have some way to call for help with breaches or 'cyber' crises, a no-blame assistance helpline.

I did a quick video, which has a demonstration of Dave Kennedy's security tool "Pentester Framework" (PTF). There's even a video of the demo on our Youtube Channel (https://youtu.be/sIc1ljkwE5Q)

Finally, we discuss our upcoming training with Ms. Berlin (@infosystir) "Disrupting the Cyber Kill Chain", which will start the first week of February and go for 4 weeks. More details next week!

---Show Notes---
- Music change: couldn't remember where I got the other music
- Little more news than we used to; try to shy away from news everyone will talk about
- Brakeing Down Incident Response (BD-IR) podcast, hosted by Mr. Boettcher and Michael Gough
- Vendor talks
- Sponsors (provisionally)
- News:
  - http://www.zdnet.com/article/wpa3-wireless-standard-tougher-wifi-security-revealed/
  - https://threatpost.com/new-rules-announced-for-border-inspection-of-electronic-devices/129361/
  - https://www.tripwire.com/state-of-security/latest-security-news/school-district-spend-314k-rebuilding-servers-malware-attack/
- Upcoming Training:
  - Amanda? - Cyber KillChain training. Dates: Feb 5-26, Mondays at 9:30pm (4 x 1 hour)
  - Matt Miller - Reverse Engineering course. More advanced, still working on details with him (no promises yet)
  - Michael Gough - Malware Archaeology:
    - Austin - Feb or March - 1 Day Logging training - see AustinISSA.Org
    - Houston - April 3rd - 1 Day - HouSecCon: Preparing and Responding to an endpoint incident, what to configure, and look for
    - Tulsa - April 11-12th - 2 Days - BSides Oklahoma: Introduction to responding to an endpoint incident, Malware Discovery, what to configure, and look for
- Job postings on our Slack:
  - Sr. Manager, Vuln Mgmt, Amazon (Herndon, VA)
  - Michael Fourdraine (@mfourdraine) has several positions on his team in Bellevue, WA. He's on Twitter (https://twitter.com/mfourdraine) or join us in our Slack. Many positions he has will relocate you to lovely Bellevue, WA
  - MG just posted "James Avery Information Security Manager"
- Teaching a mentor course in Seattle (SEC504) starting March 1st. Sign up: https://www.sans.org/mentor/class/sec504-seattle-01mar2018-bryan-brake Great if you work a job where you get called a lot

Jan 12, 2018 (1h 5m)

2017-SPECIAL005-End of year Podcast with podcasters


As is tradition (or becoming one around here) we like to get a bunch of podcasters together and just talk about our year. No prognostications, a bit of silliness, and we still manage to get in some great infosec content. Please enjoy! And please seek out these podcasts and have a listen!

Slight warning: some rough language.

People and podcasts in attendance:
- Tracy Maleef (@infosecSherpa)
- Purple Squad Security Podcast (@purpleSquadSec) - John Svazic (@JohnsNotHere)
- Advanced Persistent Security (@advpersistsec) - Joe Gray (@C_3PJoe)
- Danny Akacki (@dakacki) - RallySec Podcast (@rallysec)
- Nate L (@gangrif) - Iron Sysadmin Podcast (@ironsysadmin)

*NEW* we are now on Spotify!: https://brakesec.com/spotifyBDS
Join our #Slack Channel! Sign up at https://brakesec.com/Dec2017BrakeSlack or DM us on Twitter, or email us.

Dec 23, 2017 (1h 25m)

2017-042-Jay Beale, Hushcon, Apple 0Day, and BsidesWLG audio (S2017 Ep 42)


Ms. Berlin and Mr. Boettcher are on holiday this week, and I (Bryan) went to Hushcon (www.hushcon.com) last week (8-9 Dec 2017). Lots of excellent discussion and talks. While there, our friend Jay Beale (@jaybeale) came on to discuss Hushcon, as well as some recent news. Google released an 0day for Apple iOS, and we talk about how jailbreaking repos seem to be shuttering, because there have not been as many vulns found to allow for jailbreaking iDevices.

We also went back and discussed some highlights of the DFIR hierarchy show last week (https://brakesec.com/2017-041) and some of the real world examples from someone who has seen it on a regular basis. Jay's insights are something you shouldn't miss.

Finally, Ms. Berlin went to New Zealand and gave a couple of talks at Bsides Wellington (@bsideswlg). She interviewed Chris Blunt (https://twitter.com/chrisblunt) and "Olly the Ninja" (https://twitter.com/Ollytheninja) about what makes a good con.

Direct Link: https://brakesec.com/2017-042

--Show Notes--
- https://github.com/int0x80/githump
- http://ptrarchive.com/
- https://hunter.io/
- https://www.data.com/
- https://techcrunch.com/2017/11/27/ios-jailbreak-repositories-close-as-user-interest-wanes/
- https://securelist.com/unraveling-the-lamberts-toolkit/77990/

Dec 16, 2017 (1h 6m)

2017-041- DFIR Hierarchy of Needs, and new malware attacks (S2017 Ep 41)

Maslow's Hierarchy of Needs was developed with the idea that the most basic needs should be satisfied to allow for continued successful development of the person and the community inevitably created by people seeking the same goals. DFIR is much the same way, in that there are certain necessary basics needed to ensure that you can detect, respond, and reduce possible damage inflicted by an attack. In my searching, we saw a tweet about a #github from Matt Swann (@MSwannMSFT) with just such a '#DFIR hierarchy of needs'. We discuss everything that is needed to build out a proper DFIR program.

Mr. Boettcher discusses with us the latest #malware trends: using existing compromised email accounts to spread by replying to existing email threads.

Direct Download Link: https://brakesec.com/2017-041

--Show Notes--
- Malware report:
  - https://www.lastline.com/labsblog/when-scriptlets-attack-excels-alternative-to-dde-code-execution/
  - https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html
- https://github.com/swannman/ircapabilities - DFIR Hierarchy
- Based on Maslow's Hierarchy of Needs: https://en.wikipedia.org/wiki/Maslow's_hierarchy_of_needs
- Requirements must be met before you can move on. It's not perfect, but gives a general idea of how needs should be met.

Dec 8, 2017 (1h 2m)

2017-040-Expensify_privacy_issues-Something_is_rotten_at_Apple (S2017 Ep 40)


With Mr. Boettcher out this week due to family illness, Ms. Berlin and I discussed a little bit of what is going on in the world. Expensify unveiled a new 'feature' where random people would help train their AI to better analyze receipts. The problem is that the random people could see medical receipts, hotel bills, and other PII. We discuss how they allowed this and the press surrounding it. We also discuss why these kinds of issues are prime reasons to do periodic vendor reviews.

Our second story was on Apple's "passwordless root" account. We talk about the steps to mitigate it, why it was allowed to happen, and why the most straightforward methods of dealing with something like this may not always be the best way.

Direct Link: https://brakesec.com/2017-040

---Show Notes---
Agenda:
- Trip report from Amanda to New Zealand
- Did we talk about Amanda's appearance on PSW?
- Discuss last week's show about custom training. Comments? Suggestions for custom training solutions?
- https://www.sans.org/mentor/class/sec504-seattle-01mar2018-bryan-brake

Expensify:
- https://www.wired.com/story/not-always-ai-that-sifts-through-sensitive-info-crowdsourced-labor/
- https://www.theverge.com/2017/11/28/16703962/expensify-receipts-amazon-turk-privacy-controversy
- How is this different than, say, a medical transcriptionist?
- Don't you go in and modify the receipts yourself? Or is that a feature you can force?
- It's a privacy issue. Hotel receipts, boarding passes, even medical receipts
- Turn off 'smart scan'? Many companies like using it, and some will only accept smart scanned receipts
- Fat fingering receipts isn't 'cool'. Snap a photo, move along
- Expensify is global, and could have wide reaching effects for this new 'feature'...
- Expensify used Mechanical Turk, a 'human intelligence tasks' service: micropayments to do menial tasks
- Example of why periodic review of your 3rd parties is necessary. New 'features' = new nightmares. Privacy requirements change. Functionality not in alignment with your business goals

Apple 'passwordless root':
- http://appleinsider.com/articles/17/11/29/apple-issues-macos-high-sierra-update-to-fix-password-less-root-vulnerability
- High Sierra before today (29 November 2017) had the ability to login as root with no password… That is a problem…
- Original Tweet: https://twitter.com/lemiorhan/status/935578694541770752
- It also works on remote services, like ARD (Apple Remote Desktop), and file shares…
- Rolling IR. Was it necessary? Serious, yes
- Was discovered two weeks prior: https://forums.developer.apple.com/thread/79235 Dev (chethan177) on the forum "didn't realize it was a security issue"
- Easy enough fix (Bryan IR story): open Terminal, sudo passwd root, change password
- Do you trust users to do that? Not across a large enterprise

Nov 30, 2017 (47 min)

2017-039-creating custom training for your org, and audio from SANS Berlin!

This week is a bit of a short show, as Ms. Berlin and Mr. Boettcher are out this week for the holiday. I wanted to talk about something that I've started doing at work... creating training... custom training that can help your org get around the old style training.

Also, we got some community audio from one of our listeners! "JB" went to a SANS event in Berlin, Germany a few weeks ago, and talked to some attendees, as well as Heather Mahalik (@HeatherMahalik), instructor of FOR585: Advanced Smartphone Forensics. Take a listen and we hope you enjoy it!

Direct Link: https://brakesec.com/2017-039
Join our #Slack Channel! Sign up at http://brakesec.com/brakesec or DM us on Twitter, or email us.

---Show notes (from Bryan and JB)---
- Ms. Berlin in New Zealand
- Mr. Boettcher with the family
- Training: what makes us despise training so much?
  - Cookie cutter
  - Scenarios do not match environments
  - Speaking is a little too perfect
  - Flash based UI is horrible
  - Outdated
  - Easy questions
  - Infosec training is worse: 2 hours of training each year, not effective
- Why not make your own? Been doing it at work
  - No more than 7 minutes
  - Custom made, tailored for your own company
  - Do your training like a talk at a con
  - Time limit: 7 minutes (no more than 10 minutes)
  - Create some slides (5-7 slides)
  - Do it on a timely topic: recent tabletop exercise results, recent incident response, phishing campaign
  - Script or no script required; sometimes talking plainly can be enough
  - https://screencast-o-matic.com/ - Windows (free version is 7 minutes long)
  - Quicktime - OSX (free) (Screenflow)
  - Handbrake (convert to MKV or MP4)
  - Microphone (can use internal microphones if you have a quiet place)

[begin notes: SANS Berlin REMOTE segment]
Correspondent: JB. Reach JB at @cherokeejb_ on brakesec slack, twitter, & infosec.exchange
- Link to all trainers and info from the archive, SANS Berlin 2017: https://www.sans.org/event/berlin-2017/
- Pre-NetWars chat with the SEC 503 class:
  - what do you like about SANS conferences
  - European privacy laws, even country to country!
  - biggest priority for next year: building a SOC, working together with sales, asset management, constant improvement, password reuse
- Special BrakeSec members only cameo
- "Bring your own device" interview with an Information Security/forensics professional: password elimination or no reuse
- Interview with Heather Mahalik (@HeatherMahalik). Bio: https://www.sans.org/instructors/heather-mahalik
  - "game over": WhatsApp, unpatched Android, other known-historically weak tools as "assume breach of mobile"
  - intersection of network forensics and mobile
  - open source tools and the lack of them, how to judge your tools
  - Heather's recent blog
  - getting into mobile, decompiling, etc.
  - number one topic for next year: encryption for Android 8 Oreo, iOS 12
  - "most popular Android is still v4.4"
- Heather's blog we mentioned: http://smarterforensics.com
- Link to the book Heather mentioned: https://www.amazon.com/Practical-Mobile-Forensics-Heather-Mahalik/dp/1786464209/
- Link to the blog mentioned, JB's initial reflections on SEC 503: https://www.linkedin.com/pulse/whaaaa0101-0000-0011t-aka-extracting-files-out-pcaps-foremost
- JB's blog main link, or if you're not a fan of LinkedIn: https://cherokeejb.blogspot.de/
Small featured music clips used with permission from YGAM Records, Berlin: "Ж" by the artist Ōtone (Pablo Discerens), (c)(p)2016. Get it for free or donate at http://ygam.bandcamp.com
Book club EMEA! Message JB or David (@dpcybuck) or any of us on brakesec slack if you want to take part in the book club conversations live, but can't make the main call!
---[end segment]

Nov 23, 2017 (43 min)

2017-038- Michael De Libero discusses building out your AppSec Team

Direct Link: https://brakesec.com/2017-038

Michael De Libero spends his work hours running an application security team at a gaming development company. I (Bryan) was really impressed at the last NCC Group Quarterly meetup when he gave a talk (not recorded) about how to properly build out your Application Security Team. So I asked him on, and we went over the highlights of his talk. Some of the topics included:
- Discussing with management your manpower issues
- Who to include in your team
- Communication between teams

Join our #Slack Channel! Sign up at http://brakesec.com/brakesec or DM us on Twitter, or email us.

----SHOW NOTES:
- Amanda's appearance on PSW
- Building an AppSec Team - Michael de Libero (@noskillz)
  - https://techbeacon.com/owasp-top-ten-update-what-your-security-team-needs-know
  - https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
  - https://www.veracode.com/blog/2012/02/how-to-build-an-appsec-training-program-for-development-teams-a-conversation-with-fred-pinkett
  - Michael's slides: https://docs.google.com/presentation/d/1Bvl2rybuWMdOu3cs03U85zwAvrM1RNxv99Dt-YiGiys/edit?usp=sharing
- Random notes from Mike:
  - Hiring
  - WebApps vs. more traditional apps: release cycles differ, tech stacks can often differ, orgs are different, etc…
  - Testing-focus vs. "security health"
  - Role of management
  - Managing a "remote" team
  - Handling incoming requests from other teams
  - How do you sell a company on having an appsec team if they don't have one?
  - If you have an existing 'security team', how easy is it to augment that into an appsec team?
  - Can you do job rotation with some devs? Do devs care enough to want to do code audits? "That's not in my job description"
  - Skills needed in an appsec team: does it depend on the tech used, or the tech you might use?
  - Internal security vs. consultants
- Intro to RE course with Tyler Hudak
- Bsides Wellington speaker Amanda Berlin

Nov 15, 2017 - 56 min

S2017 Ep 37 | 2017-037 - Asset management techniques, and its importance, DDE malware


Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-037-asset_management.mp3 We started off the show talking to Mr. Boettcher about what DDE is and how malware is using this super legacy Windows component (found in Windows 2) to propagate malware in MS Office docs and spreadsheets. We also talk about how to protect your Windows users from this. We then get into discussing why it's so important to have proper asset management in place. Without knowing what is in your environment, you could suffer gaps in coverage of your anti-virus/EDR software, be unable to patch systems properly, and even make lateral movement easier. Finally, we discuss our recent "Introduction to Reverse Engineering" course with Tyler Hudak (@secshoggoth), and Ms. Berlin's upcoming trip to New Zealand.

RSS: http://www.brakeingsecurity.com/rss Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.slack.com/join/shared_invite/enQtMjY2NDAyMzgxNjAwLWFjZTc1YzVlYWExM2U5ZjhiNDYwZTIzN2UxNjM1OWIwYzBkMjgzYmY4ZjA2MzViNzQ2ZTUzMGQ2YWYwYWY3NTM or DM us on Twitter, or email us. #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

SHOW NOTES: Oreilly con report. Malware report from Mr. Boettcher. DDE (Dynamic Data Exchange), all the rage: https://en.wikipedia.org/wiki/Windows_2.0 https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27325/en_US/McAfee_Labs_Threat_Advisory-W97MMacroLess.pdf http://home.bt.com/tech-gadgets/computing/10-facts-about-windows-2-11364027546216 https://www.ghacks.net/2017/10/23/disable-office-ddeauto-to-mitigate-attacks/ Why asset management? Know what's in your environment. CIS Top 20... no wait, it's the TOP THREE of the 20. It all builds on this: know what's in your environment. http://www.open-audit.org/ https://metacpan.org/pod/App::Netdisco Where do you store that data? Or is it enough just to know where to get it? Systems you can pull asset data from: patching systems (Chef, WSUS), FIM systems (Tripwire), DLP systems, vuln scanners, AV/EDR management, router/switch tables, DNS. Asset management systems are a gold mine for an attacker: names, IPs, email addresses. Coverage gaps in these systems will cause you to lose asset visibility. http://www.businessinsider.com/programmer-automates-his-job-2015-11

Nov 8, 2017 - 52 min

S2017 Ep 36 | 2017-036-Adam Shostack talks about threat modeling, and how to do it properly


Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3 Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly. We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using. Mr. Boettcher asks how to handle people who believe one OS is better than another, and how to use threat modeling to decide which OS should be the one to use. Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto).

RSS: http://www.brakeingsecurity.com/rss Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

SHOW NOTES: Ideas and suggestions here: Start with "What is threat modeling?" What is it, why do people do it, why do organizations do it? What happens when it's not done effectively, or at all? At what point in the SDLC should threat modeling be employed? Planning? Development? Can threat models be modified when new features/functionality get added? Otherwise, are these just to 'check a compliance box'? Data flow diagram (example) - process flow: external entities, process, multiple processes, data store, data flow, privilege boundary. Classification of threats: STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security) DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model) PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf Trike - http://octotrike.org/ https://en.wikipedia.org/wiki/Johari_window Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf Elevation of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303 NIST CyberSecurity Framework: https://www.nist.gov/cyberframework Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon Emergent Design: https://adam.shostack.org/blog/2017/10/emergent-design-issues/ https://www.researchgate.net/profile/William_Yurcik/publication/228634178_Threat_Modeling_as_a_Basis_for_Security_Requirements/links/02bfe50d2367e32088000000.pdf Robert Hurlbut (workshop presenter at SourceCon Seattle) https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source) Adam's Threat modeling book http://amzn.to/2z2cNI1 -- sponsored link https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/ref=mt_paperback?_encoding=UTF8&me= Is the book still applicable? New book? What traps do people fall into? Attacker-centered, asset-centered approaches. Close with "how do I get started on threat modeling?" SecShoggoth's class "Intro to RE". Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model

Oct 29, 2017 - 1h 34m

2017-SPECIAL004- SOURCE Conference Seattle 2017

After last year's SOURCE Conference, I knew I needed to go again, not just because it was a local (Seattle) infosec conference, but because of the caliber of speakers and the range of topics that were going to be covered. I got audio from two of the speakers at the SOURCE conference (@sourceconf on Twitter): Lee Fisher and Paul English from PreOS Security about UEFI security and methods to secure your devices https://preossec.com/ Joe Basirico discusses the proper environment to get the best out of your bug bounty program. Points from his abstract: Bug Bounty Programs - Why you want to invite security researchers to hack your products. Marketing your Security Program - How and why to market your security program. What to say, how to say it, and where to say it for maximum effectiveness. How to Communicate with Security Researchers - What are security researchers expecting in communication, responsiveness, transparency, and time to fix. Source conference YouTube Channel: https://www.youtube.com/channel/UCAPQk1fH2A4pzYjwTCt5-dw/videos (2017 is not available yet, but all talks from 2008-2015 are available) Agenda of the talks that occurred at Source Seattle 2017: https://www.sourceconference.com/seattle-2017-agenda https://www.sourceconference.com/copy-of-seattle-2016-agenda-details

RSS: http://www.brakeingsecurity.com/rss Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Oct 22, 2017 - 48 min

2017-035-Business_Continuity-After_the_disaster

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-035-business_continuity-After_the_disaster.mp3 We are back this week after a bit of time off, and we're getting right back into it... What happens after you enact your business continuity plan? Many times, it can cause you to have to change processes and procedures... you may not even be doing business in the same country or datacenter, and you may need to change the way business is done. We also talk a bit about 3rd party vendor reviews, and what would happen if your 3rd party doesn't have a proper plan in place. Finally, we discuss the upcoming #reverseEngineering course starting on 30 October 2017 with Tyler Hudak, as well as some upcoming appearances for Ms. Berlin at SecureWV, GrrCon, and Bsides Wellington, #newZealand

RSS: http://www.brakeingsecurity.com/rss Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

---SHOW NOTES--- You have enacted your BC/DR plan. Step 1. Panic. Step 2. Panic more, or let your management panic. Step 3. Follow the plan… you do have a plan, right? Enacting a BC/DR plan. RPO/RTO - https://www.druva.com/blog/understanding-rpo-and-rto/ Recovery Point Objective (RPO) describes the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan's maximum allowable threshold or "tolerance." https://en.wikipedia.org/wiki/Recovery_point_objective Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity. https://en.wikipedia.org/wiki/Recovery_time_objective https://uptime.is/99.99

Excerpt from "Defensive Security Handbook" - Buy from Amazon (sponsored link): http://amzn.to/2zcmWBY

Recovery Point Objective: The recovery point objective (RPO) is the point in time that you wish to recover to. That is, determining if you need to be able to recover data right up until seconds before the disaster strikes, or whether the night before is acceptable, or the week before, for example. This does not take into account how long it takes to make this recovery, only the point in time from which you will be resuming once recovery has been made. There is a tendency to jump straight to seconds before the incident; however, the shorter the RPO, the more the costs and complexity will invariably move upwards.

Recovery Time Objective: The recovery time objective (RTO) is how long it takes to recover, taken irrespective of the RPO. That is, after the disaster, how long until you have recovered to the point determined by the RPO. To illustrate with an example, if you operate a server that hosts your brochureware website, the primary goal is probably going to be rapidly returning the server to operational use. If the content is a day old it is probably not as much of a problem as if the system held financial transactions whereby the availability of recent transactions is important. In this case an outage of an hour may be tolerable, with data no older than one day once recovered. In this case the RPO would be one day, and the RTO would be one hour. There is often a temptation for someone from a technology department to set these times; however, it should be driven by the business owners of systems. This is for multiple reasons: It is often hard to justify the cost of DR solutions. Allowing the business to set requirements, and potentially reset requirements if costs are too high, not only enables informed decisions regarding targets, but also reduces the chances of unrealistic expectations on recovery times. IT people may understand the technologies involved, but do not always have the correct perspective to make a determination as to what the business' priorities are in such a situation. The involvement of the business in the DR and BCP plans eases the process of discussing budget and expectations for these solutions.

RPO should be determined when working through a Business impact analysis (BIA) https://www.ready.gov/business-impact-analysis https://www.fema.gov/media-library/assets/documents/89526 There i

Oct 16, 2017 - 59 min

2017-SPECIAL003-Audio from Derbycon 2017!

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-SPECIAL003-Derbycon_audio.mp3 Mr. Boettcher, Ms. Berlin, and I went to Derbycon. In addition to the podcast with podcasters we did during the 3 days, I managed to grab another whole hour of audio from various people at the conference, just to give you an idea of the vibe of the conference, in case you were unable to attend. We talked to the FOOOLs (http://www.bloomingtonfools.org/), and how they have done the lockpick village for the last 7 years. We talk to Ms. Wynter (@sec_she_lady) about her experiences at her first Derbycon. Mr. Matt Miller (@milhous30) talked about some of his #reverse #engineering challenges that were in the #Derbycon #CTF. Lots of great talks happened there this year; check them all out over on @irongeek's site (http://www.irongeek.com/i.php?page=videos/derbycon7/mainlist)

RSS: http://www.brakeingsecurity.com/rss Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Oct 7, 2017 - 1h 15m

S2017 Ep 34 | 2017-034-Preston_Pierce, recruiting, job_descriptions


*Apologies for the continuity: this was recorded before we went to Derbycon 2017.* Preston Pierce is a recruiter. We wanted to have him on to discuss some issues with our industry. So we had him on to discuss hiring practices, how a recruiter can help a company recruit better talent, and how to stop companies looking for the 'unicorn' candidate. Preston is a great guy and we learned a lot about how the recruiting process works, and how Preston's company works differently from other, less reputable companies. We also discuss job descriptions, getting management buy-in for a good candidate, and more. Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-034-Preston_Pierce_recruiting_job_descriptions.mp3

RSS: http://www.brakeingsecurity.com/rss Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Show Notes: https://news.slashdot.org/story/17/09/01/1729237/us-employers-struggle-to-match-workers-with-open-jobs Blueteamers: looking at job descriptions, fix if outdated or unnecessary. Managers: be realistic about expectations. Recruiters: better research of people, discuss realistic demands from customers. You: update your LinkedIn, removing overly generalized terms (healthcare, for example). When should you reach out to a recruiter? Right away? After you've already completed some leg work? Companies do a poor job of marketing for their current openings.

Oct 2, 2017 - 1h 2m

2017-SPECIAL002-Derbycon-podcast with podcasters (NSF Kids/Work)


Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-SPECIAL002-Derbycon-Podcast_with_podcasters.mp3 SUPER NOT SAFE for kids (and probably adults, come to think of it). Really this is just us riffing about derbycon (and I really love @oncee, and wished I'd gone to his stable talk, which you can listen to/watch here: http://www.irongeek.com/i.php?page=videos/derbycon7/s07-the-skills-gap-how-can-we-fix-it-bill-gardner). We actually did talk about the skills gap, the resume workshop held at Derbycon, and so much else. If you haven't been to Derbycon, you should definitely make plans now to attend...

RSS: http://www.brakeingsecurity.com/rss Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Sep 27, 2017 - 1h 18m

S2017 Ep 33 | 2017-033- Zane Lackey, Inserting security into your DevOps environment


Zane Lackey (@zanelackey on Twitter) loves discussing DevOps, and DevSecOps (or is it 'SecDevOps'... 'DevOpsSec'?). So we talk to him about the best places to get the most bang for your buck getting security into your new DevOps environment. What is the best way to do that? Have a listen... Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-033-Zane_Lackey_inserting_security_into_your_DevOps.mp3

RSS: http://www.brakeingsecurity.com/rss Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

--SHOW NOTES-- Security shifts from being a gatekeeper to enabling teams to be secure by default. Requires a culture shift. Should that be implemented before the shift to CI/CD, or are we talking 'Indiana Jones and the rock in the temple'? How? Secure coding? Hardening boxes/systems? If it's just dev -> prod, where does security have the chance to find issues (i.e. test and QA belong there)? We used to have a lot of security injection points, but no longer. Lowers the number of people we have to harangue to be secure…? Security success = baked in to DevOps. Shift from 'top down' to 'bottom up'. Eliminate FPs, and forward real issues on to devs. Concentrate on one or two types of vulnerabilities. Triage vulns from most important to least important. Go for 'quick wins', or things that don't take a lot of time for devs to fix. Grepping for 'system(), or execve()'. Primitives (hashing, encryption, file system operations). How do you stop a build going to production if it's going out like that? Do we allow insecurity to go to Production? Or would it be too late to 'stop the presses'? "We'll fix it in post…" Instead of the 'guardrail not speedbump' you are the driving instructor... But where does security get in to be able to talk to devs about data flow, documentation of processes? 5 Whys - Why are you doing that? Set up things like alerting on git repos, especially for sensitive code: changing a sensitive bit of code or file may notify people, and will make people think before making changes. Put controls in terms of how they enable velocity. You like you some bug bounties, why? Continuous feedback. Learn to find/detect attackers as early in the attack chain as possible. Refine your vuln triage/response. Use bug reports as IR/DFIR... https://www.youtube.com/watch?v=ORtYTDSmi4U https://www.slideshare.net/zanelackey/how-to-adapt-the-sdlc-to-the-era-of-devsecops http://www.slideshare.net/zanelackey/building-a-modern-security-engineering-organization In SAST, a modern way to decide what to test is to start with a small critical vuln, like OS command injection. Find those and get people to fix it. BUT don't developers or project teams get unhappy [sic] if you keep "moving the goal post" as you add in the next SAST test and the next SAST test? How do you do that and not piss people off? [15:16] How do you make development teams self sufficient when it comes to writing a secure application? Security is a road block during a 3 month release schedule… getting "security approval" in a 3 day release cycle is impossible. [15:17] But then… what is the job for the security team? If DevOps with security is done right, do you still need a security team, and if so what do they do???? Do they write more code??? I don't think you're Dev'ops'ing security out of a job... but where does security see itself in 5 years? Last one if there is time and interest. If Zane Lackey was a _maintainer_ of an open source project, what dev ops sec lessons would he apply to that dev model… to the OpenSource model? (We've got internal projects managed with the open source model... so I'm interested in this one.) Even without any of those questions the topics he covered in his Black Hat talk are FULL of content to talk about. Heck, even bug bounties are a topic of conversation. The idea of a feedback loop to dev... where an application under attack in a pen test can do fixes live... how that is possible is loads of content.

Sep 17, 2017 - 1h 0m

S2017 Ep 23 | 2017-032-incident response tabletops, equifax breach


Everyone should be doing incident response tabletops, even if it's not a dedicated task in your organization. It allows you to find out what you might be lacking in terms of processes, manpower, requirements, etc. This week, we discuss what you need to do to get ready for one, and how those should go in terms of helping your organization understand how to handle the aftermath. And in case you've been under a rock, #equifax was breached. 143 million credit records are in the ether. We discuss the facts as of 9 September 2017, and what this means to the average user. Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-032-incident_response-equifax-done2.mp3

RSS: http://www.brakeingsecurity.com/rss Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

---SHOW NOTES--- Incident response must go beyond 'threats'. What is in your environment? Struts aren't a threat, or are they? Equifax didn't think so at the time… Insider threat. External entities. Libraries, plugins/themes used (Wordpress). Risk analysis: qualitative, quantitative. What makes a good incident response exercise?

Following the creation and implementation of security controls around use cases, the testing of tabletop exercises and drills can serve as a proof of concept. A tabletop exercise is a meeting of key stakeholders and staff that walk step by step through the mitigation of some type of disaster, malfunction, attack, or other emergency in a low stress situation. A drill is when staff carries out as many of the processes, procedures, and mitigations that would be performed during one of the emergencies as possible. While drills are limited in scope, they can be very useful to test specific controls for gaps and possible improvements. A disaster recovery plan can be carried out to some length, backups can be tested with the restoration of files, and services can be failed over to secondary cluster members.

Tabletop exercises are composed of several key groups or members.
• During a tabletop exercise there should be a moderator or facilitator that will deliver the scenario to be played out. This moderator can answer "what if" questions about the imaginary emergency as well as lead discussion, pull in additional resources, and control the pace of the exercise. Inform the participants that it is perfectly acceptable to not have answers to questions during this exercise. The entire purpose of tabletops is to find the weaknesses in current processes to mitigate them prior to an actual incident.
• A member of the exercise should also evaluate the overall performance of the exercise as well as create an after-action report. This evaluator should take meticulous notes as well as follow along any runbook to ensure accuracy. While the evaluator will be the main notetaker, other groups and individuals may have specific knowledge and understanding of situations. In this case having each member provide the evaluator with their own notes at the conclusion of the tabletop is a good step.
• Participants make up the majority of this exercise. Included should be groups such as Finance, HR, Legal, Security (both physical and information), Management, Marketing, and any other key group that may be required. Participants should be willing to engage in the conversation, challenge themselves and others politely, and work within the parameters of the exercise.

What to include in the tabletop:
• A handout to participants with the scenario and room for notes.
• Current runbook of how security situations are handled.
• Any policy and procedure manuals.
• List of tools and external services.

Post-exercise actions and questions:
• What went well?
• What could have gone better?
• Are any services or processes missing that would have improved resolution time or accuracy?
• Are any steps unneeded or irrelevant?
• Identify and document issues for corrective action.
• Change the plan appropriately for next time.

Tabletop Template: The Federal Emergency Management Agency (FEMA) has a collection of different scenarios, presentations, and tabletops that can be used as templates.

Derbycon channel on Slack. Intro to RE class. https://blogs.apache.org/foundation/entry/apache

Sep 12, 2017 - 47 min

S2017 Ep 31 | 2017-031-Robert_Sell-Defcon_SE_CTF-OSINT_source


This week, we met up with Robert Sell to discuss competing in the DefCon Social Engineering CTF. You're gonna learn how he prepared for the competition, and learn about some of the tactics you could use to compete in future SE CTF events. Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-031-Robert_Sell-Defcon-SE-CTF.mp3 RSS: http://www.brakeingsecurity.com/rss Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Sep 4, 2017 - 1h 3m

S2017 Ep 30 | 2017-030-Vulnerability OSINT, derbycon CTF walkthrough, and bsides Wellington!


This week, we discuss the lack of information and where you might find more information about certain vulnerabilities. Seems like many companies fail to give out necessary and actionable information unless you pay an arm and a leg. We also go over our DerbyCon CTF walkthrough, and discuss the steps to solve it. Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-030-vulnerability_OSINT-derbycon_CTF_walkthrough.mp3 Ms. Berlin is going to be at Bsides Wellington! Get your Tickets NOW! https://twitter.com/bsideswlg https://www.bsides.nz/

RSS: http://www.brakeingsecurity.com/rss Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

--show notes-- NCC group talks in Seattle. NIST guidelines - no security questions, no SMS based 2fa. Vuln OSINT: sites have information like Spokeo… Breadcrumbs. Take Java for example (CVE-2017-10102): info is sparse. Other sites have more: https://tools.cisco.com/security/center/viewAlert.x?alertId=54521 - worse than Oracle's site (impressive crappery). Some are better: RHEL is fairly decent https://access.redhat.com/errata/RHSA-2017:2424 Ubuntu has some different tidbits https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10102.html Arch has info https://security.archlinux.org/CVE-2017-10102 Point is, just because you use a specific OS, don't limit yourself… other OSes may contain more technical info. Some maintainers like to dig, like you. https://vuldb.com/ - gives the value of finding a PoC for a vuln (5-25K USD for 2017-10102). Derbycon CTF walkthrough. Looking for an instructor for an 'intro to RE' course. Dr. Pulaski = Diana Muldaur. Dr. Crusher = Gates McFadden.

Aug 29, 2017 | 52 min

S2017 Ep 29: 2017-029-CIS benchmarks, Windows Update reverts changes used to detect malware


This week was one heck of a show. If you are a blue teamer and make use of the "Windows Logging Cheat Sheet", you are no doubt aware of how important it is to log certain events and to set hostile conditions that make malware/Trojans/viruses work harder to avoid detection. What if I told you that the same updates we suggested last week to NEVER delay actually undo all of your hardening: they leave your log sizes set to defaults and set the file associations for suspect file types like .pif, .bat, .scr and .bin back to defaults, leaving your users open to being victims again, even after you've assured them they are safe to update? After a sequence of tweets from Michael Gough about exactly this, we laid out what gets reverted and how, which opens you back up to possible infections, as well as how some hardening standards actually make it harder to be secure. Finally, we discuss the CIS benchmarks, how many of the settings in them are largely outdated, and why they need to be updated.
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-029-windows_updates_clobbers_security__settings_CIS_hardening_needs_an_update.mp3
--SHOW NOTES--
- Gough says 'something is bad about CIS'
- CIS benchmarks need revamping -- BrBr
  - /var and /var/log in separate partitions?
  - Password to access GRUB?
  - Disable root login on serial ptys? Many cloud instances and VMs don't have serial ports (not in the traditional sense)
  - What's the use case for these? What problem will they solve? Misconfiguration? Proper logging? NTP sources?
  - So many standards, dilution possible: SCAP, OVAL, STIG (complex as well), CIS
- Infosec: how do we get IT past "that's good enough", as many customers and compliance frameworks want to see 'hardening' done. What is a good baseline? Write your own?
- How do we tell them that it's not going to stop 'bad guys' (or anyone, really)? It's not 'security', and it's technically not even 'best practices' anymore (not all of it, anyway)
- On Windows, they are needlessly complicated and cause more problems: roles have to be created ("backup admin"), which can cause unintended issues
- https://twitter.com/HackerHurricane/status/898629567056797696
- https://twitter.com/HackerHurricane/status/892838553528479745

Audit settings: benchmark coverage vs. the Windows Logging Cheat Sheet (WLCS) vs. this PC (S = Success, F = Failure)

Category          | Sub Category                   | 7/2008 | 8.1 | 2012 | Win-7 | Win-8.1 | WLCS | ThisPC | Notes
Detailed Tracking | Process Termination            | NA     | NA  | NA   | NA    | NA      | S/F  | S      |
Object Access     | File Share                     | NA     | NA  | NA   | NA    | NA      | S/F  | S/F    |
Object Access     | File System                    | NA     | NA  | NA   | F     | NA      | S    | S/F    |
Object Access     | Filtering Platform Connection  | NA     | NA  | NA   | NA    | NA      | S    | S      |
Object Access     | Filtering Platform Packet Drop | NA     | NA  | NA   | NA    | NA      | NA   | NA     |

Log sizes:
- Security: 1 GB
- Application: 256 MB
- System: 256 MB
- PowerShell/Operational: 512 MB to 1 GB
- v5 Windows PowerShell: 256 MB
- TaskScheduler: 256 MB

Other critical logging items:

Item                     | 7/2008 | 8.1 | 2012 | Win-7 | Win-8.1 | WLCS | ThisPC
Log Process Command Line | (5)    | (5) | (5)  | (5)   | (5)     | Yes  | Yes
PowerShell Logging v5    | (5)    | (5) | (5)  | (5)   | (5)     | Yes  | Yes
TaskScheduler Log        | (5)    | (5) | (5)  | (5)   | (5)     | (1)  | Yes

(5) - CIS Benchmarks, USGCB, and AU ACSC do not cover this critical auditing item

Aug 20, 2017 | 1h 17m

S2017 Ep 28: 2017-028-Disabling WU?, Comcast wireless hack, and was it irresponsible disclosure?


This week went in a different direction from what we normally do. We discussed some news, including a Twitter conversation about someone from the 'ahem' "media" who suggests that you disable Windows Update on your home devices. We discuss the pros and mostly cons of doing that, and alternatives for protecting your home and work devices. We talked about the Comcast Xfinity appliances and how they have a vulnerability that could make traffic created by people outside your house look like it was coming from your home network. We discuss the public disclosure of Carbon Black's architecture and its seeming sharing of customer events with third parties... it's not all black and white, and we discuss that here.
---SHOW NOTES---
- Twitter discussion: https://twitter.com/Computerworld/status/894611609355603968
- http://www.computerworld.com/article/3214146/microsoft-windows/it-s-time-to-check-your-windows-machines-and-temporarily-turn-off-automatic-update.html
  [sic] "tons of problems with Automatic Update patches so far this year"
  [sic] "if you're savvy enough to be reading this, you should consider turning Auto Update off, too"
- Advocating disabling auto-updates in an OS is reckless.
  - Home networks for the majority of users are completely flat: one VLAN (e.g. 192.168.1.0/24)
  - 'Savvy' = technical, which many of our users are not
  - Probable scenario: bad guy targets you or your family through a phish. They gain access to family computers, and pivot through those to your office computer.
  - Blue teamers: suggest backups and backup options to keep their data safe and let them feel safer with automatic updates enabled, and VLANs if possible
  - Typically enterprises will hold off a few days or a week to push out Windows patches; auto-updates are controlled.
  - The Twitter guy said that in more recent Windows versions, WU takes precedence over WSUS… need to confirm that… -- brbr
  - Confirmed… you can override WU… https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/
- http://www.computerworld.com/article/3213929/microsoft-windows/the-case-against-windows-automatic-update.html
- http://www.csoonline.com/article/3214487/security/pentest-firm-calls-carbon-black-worlds-largest-pay-for-play-data-exfiltration-botnet.html#tk.twt_cso --this-- not because of the title, but because of people jumping to conclusions (example of irresponsible disclosure)
  - Agreed… that shiz is damaging -- brbr
- NoStarch TCP guide: https://www.nostarch.com/tcpip.htm
- IPv4: https://en.wikipedia.org/wiki/IPv4 [graphic of the IPv4 header from the Wikipedia article]
  - IHL: size of the header in 32-bit words (minimum of 5, i.e. 20 bytes)
  - DSCP: has to do with traffic shaping and QoS
  - ECN: notifies the network of congestion and allows infrastructure to implement congestion controls to compensate. Must be supported by both ends, and completely optional to enforce.
  - Total Length: total size of the packet (header plus data)
  - Identification: interesting field, you can use it to hide data (Covert_TCP); otherwise it's "used for uniquely identifying the group of fragments of a single IP datagram"
- https://github.com/tcstool/Fireaway
- http://www.securityweek.com/coolest-talk-defcon-25-no-one-writing-about
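A worked example for the IPv4 header notes above (added here, not code from the show or from Covert_TCP): it builds and parses a 20-byte header with a valid checksum, validates IHL and version the way a parser should, and shows the Identification-field covert channel the notes mention. The covert encoding (one message byte per packet in the high byte of the 16-bit ID, with a counter in the low byte) is this example's own choice, in the spirit of Covert_TCP but not a claim about that tool's exact scheme.

```python
"""IPv4 header parsing, building and the Identification-field covert channel.

Added example for the IPv4 notes above; not code from the show. The covert
encoding (one message byte per packet, carried in the high byte of the 16-bit
Identification field) is this example's own choice, in the spirit of
Covert_TCP but not a claim about that tool's exact scheme.
"""
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # the fixed 20-byte header, network byte order


def inet_aton(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def inet_ntoa(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791: one's complement of the one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ident, payload_len, proto=6, ttl=64,
                      dscp=0, ecn=0, flags=0b010, frag_offset=0) -> bytes:
    """20-byte header (IHL=5, no options) with a valid checksum; flags=0b010 is DF."""
    ver_ihl = (4 << 4) | 5
    tos = (dscp << 2) | ecn            # DSCP is the high 6 bits, ECN the low 2
    flags_frag = (flags << 13) | frag_offset
    hdr = struct.pack(IPV4_FMT, ver_ihl, tos, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields discussed in the notes; reject malformed headers."""
    if len(pkt) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("version %d is not IPv4" % version)
    if ihl < 5:
        raise ValueError("IHL %d is below the minimum of 5 words" % ihl)
    hdr_len = ihl * 4
    if len(pkt) < hdr_len:
        raise ValueError("truncated: IHL claims %d header bytes" % hdr_len)
    return {
        "ihl": ihl, "header_len": hdr_len,
        "dscp": tos >> 2, "ecn": tos & 0x3,
        "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "src": inet_ntoa(src), "dst": inet_ntoa(dst),
        # summing the header with its checksum field included must give zero
        "checksum_ok": ipv4_checksum(pkt[:hdr_len]) == 0,
        "options": pkt[20:hdr_len],
    }


def covert_send(message: bytes, src: str, dst: str) -> list:
    """One header per message byte; the byte rides in the high half of the ID field."""
    return [build_ipv4_header(src, dst, ident=(b << 8) | (i & 0xFF), payload_len=0)
            for i, b in enumerate(message)]


def covert_receive(headers) -> bytes:
    """The receiver only needs the ID field of each packet, in arrival order."""
    return bytes(parse_ipv4_header(h)["identification"] >> 8 for h in headers)


if __name__ == "__main__":
    hdr = build_ipv4_header("192.168.1.10", "192.168.1.1", ident=0x1234, payload_len=20)
    print(parse_ipv4_header(hdr))
    print(covert_receive(covert_send(b"flag", "192.168.1.10", "192.168.1.1")))
```

For the blue team, the same parser is the detection: a stream of packets whose ID high bytes decode to printable ASCII while the low byte counts up is not what any sane IP stack produces, and that is the kind of oddity worth alerting on.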

Aug 12, 2017 | 54 min

S2017 Ep 26: 2017-026-Machine Learning: Market hype, or infosec's blue team's newest weapon?


Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-026-Ally_miller_machine-learning-AI.mp3
Ally Miller (@selenakyle) joined us this week to discuss Machine Learning and #Artificial #Intelligence. It seems like every new security product employs one or both of these terms. She did the keynote at BSides Las Vegas on #Machine #Learning and #Behavioral #Economics. We asked Ms. Miller to join us to discuss what ML and AI are, how algorithms analyze data to come to the right conclusion, what is required to get a useful algorithm, and how much or how little human interaction is required. We also discuss a bit of history with her: how IDS/IPS were just dumber versions of machine learning, with 'tweaks' being new Yara or Snort rules to tell the machine what to allow or disallow. Finally, for people doing our 2017 DerbyCon CTF, the instructions on how to win are in the show, so please take a listen.
show notes
- What amount of data is required to properly train the algorithms?
- How do you ensure that the training data is clean (or perhaps, how do you determine what causes a false positive or negative)?
- Xoke Soru: "why are you trying to make skynet and kill us all? Do you hate humanity?"
- Who will ML replace? Who in security?
- Why do people get confused between AI and machine learning, and where is the fine line between the two? Or is one actually a subset of the other?
- Basically: in what way/how do you see ML being used in an offensive capacity in the future (or now)?
- https://en.wikipedia.org/wiki/Artificial_neural_network
- https://en.wikipedia.org/wiki/Machine_learning
- https://en.wikipedia.org/wiki/Portal:Machine_learning
- https://www.slideshare.net/allyslideshare/something-wicked-78511887
- https://www.slideshare.net/allyslideshare/201209-a-million-mousetraps-using-big-data-and-little-loops-to-build-better-defenses
- https://conferences.oreilly.com/velocity/vl-ca/public/schedule/detail/61751
- O'Reilly Conference, 31 October
- Mick Douglas class
- DerbyCon CTF
- Book club
- Patreon
- Slack

Aug 3, 2017 | 1h 9m

2017-025-How will GDPR affect your Biz with Wendyck, and DerbyCon CTF info

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-025-How-GDPR-affects-US-Biz-with-Wendyck-Derbycon2017-CTF-info.mp3
GDPR (General Data Protection Regulation) is weighing on the minds and pocketbooks of a lot of European companies, but is the US as worried? If you read the news articles out there, the reaction ranges from 'meh' to 'OMG, the sky, it is falling'. GDPR will cause a lot of new issues in the way business is done, not just in the realm of security, but in the way data is managed, maintained, catalogued, and shared. This week we invited Ms. Wendy Everette Knox (@wendyck) to discuss some of the issues that might hit companies. We also discuss how GDPR and the exit (or not) of the UK from the #European #Union will affect data holders and citizens of the UK. If your company is preparing for the #GDPR mandate, check out the show notes for a lot of good info. ALSO, if you are looking for a ticket to #derbycon 2017, you need to listen to this show, because it has all the info you need to get started. The info is also in the show notes, including the form you need to post your flag information.
---Show Notes:----
- The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1]
- Would it be better if companies stored less data, or de-anon it to the point where a breach
- Massive fines for breaches. Usually some percentage of profits… (up to 4% of annual global turnover or €20 Million, whichever is greater)
- "Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours of the data breach (Article 33)."
- Is 72 hours for notification realistic? For massive breaches, 72 hours is just enough time to contain
- Right to be forgotten (not realistic): "A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014.[19][20] Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case (f) where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data"
- GDPR full text: http://ec.europa.eu/newsroom/document.cfm?doc_id=45631
- Good intro: https://www.taylorwessing.com/globaldatahub/article-the-data-protection-principles-under-the-gdpr.html
- Controversial topics: http://www.eugdpr.org/controversial-topics.html
- Key Changes: http://www.eugdpr.org/key-changes.html
- Difficulty of doing GDPR in the cloud: https://hackernoon.com/why-gdpr-compliance-is-difficult-in-the-cloud-9755867a3662
- US businesses largely ignoring GDPR: http://www.informationsecuritybuzz.com/expert-comments/us-businesses-ignoring-gdpr/#infosec
- Fears of breach cover-ups (due to massive fines 'up to 4% of profits'): http://tech.newstatesman.com/news/gdpr-cover-ups-security
- From the UK ICO, 12 steps to take now to prepare for GDPR: https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf (has a nice infographic on p. 2)
- https://www.auditscripts.com/
CTF for a DerbyCon ticket
Level 1 - The internet is a big place :) I've hidden 3 flags out on it and it's your job to see how many you can find. I'll give you a few hints to start. Company Name = Big Bob's C

Jul 22, 2017 | 1h 10m

2017-024-infosec_mental_health_defcon_contest-with-rand0h-and-tottenkoph


Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-024-mental_health_podcast-with-Rand0h-and-tottenkoph.mp3
The infosec industry and infosec culture are diverse, with many different points of view, thoughts and opinions, and many of us deal with our own internal demons, like addictions or mental afflictions such as depression or bipolar disorder. 'Imposter syndrome' is another thing that adds to the mix, making some believe they have to be constantly innovating or people will think negatively of them. So this week we invited Ms. Magen Wu (@tottenkoph) and Danny (@dakacki), and we discuss some coping mechanisms for things like conferences, and for working from home, as a lot of consultants and researchers do...
--------
Jay Beale's Class "Aikido on the Command Line: Hardening and Containment" JULY 22-23 & JULY 24-25 AT BlackHat and Defcon https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html
-------
Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6 week course starting with the basics of PowerShell, going on to discuss frameworks that use PowerShell to assist in assessing your network. It starts on 10 July and runs each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class, available to you on our YouTube channel. To sign up, go to our Patreon page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only". Classes will be held on Monday evenings only for 5 weeks, ending on 1 August.
--Show Notes--
- Chris Sanders: Cult of Passion http://chrissanders.org/2017/06/the-cult-of-passion/
- Exercise: start playing Ingress or Pokemon Go, just to get out and gamify activity
- Reduce alcohol consumption
- Defcon: Friends of Bill W.
- Agent X: 3/5K events at Defcon
- Critics' comments: you won't please everyone, so don't try
- Spend time away from infosec: family, friends, hobbies
- If you are in a job with 'secrets', find someone to talk to: another person with the same 'secrets' or a similar job
- https://www.scientificamerican.com/article/gut-second-brain/
- @DAkacki (what is your podcast? @rallysec)
- Da667's book [I love murder]
- @tottenkoph @jimmyvo @andMYhacks (works with Jimmy) @infosecmentors

Jul 16, 2017 | 1h 30m

2017-023-Jay_Beale_Securing Linux-LXC-Selinux-Apparmor-Jails_and_more

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-023-Jay_Beale-selinux-apparmor-securing_lxc.mp3
Jay Beale works for a pentest firm called InGuardians and has always been a fierce friend of the show. He's running a class at both BlackHat and Defcon all about hardening various parts of the Linux OS. This week, we discuss some of the concepts he teaches in the class. Why do we disable SELinux? Is it as difficult to enable as everyone believes? What benefit do we get from using it? We also discuss other hardening applications, like ModSecurity for Apache, Suhosin for PHP, and Linux Containers (LXC). What is gained by using these, and how can we use them to our advantage? Really great discussion with Jay, and please sign up for his class for a two-day in-depth discussion of all the technologies discussed on the show.
--- Show Notes:
- AppArmor
- SELinux
- Privilege Escalation - InGuardians Murderboard
- Port Knocking / Single Packet Authorization
- OSSEC
- ModSecurity
- Linux Containers
- Jessie Frazelle - bane
- Dan Walsh - SELinux
- SELinux troubleshoot daemon
- https://en.wikipedia.org/wiki/System_call "In computing, a system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system."
- OpenBSD pledge(2): https://man.openbsd.org/pledge.2
- https://www.raspberrypi.org/products/raspberry-pi-2-model-b/
- Suhosin
- https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html
- @inguardians @jaybeale www.inguardians.com
----
What are you doing at Black Hat and Def Con?
- Training class at Black Hat - 2 days
- Def Con Workshop - ModSecurity and AppArmor - 4 hours
- Packet Hacking Village Workshop - Container security
- Vapor Trail at Def Con Labs (Larry and Galen)
- Dancing my butt off?
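A worked example for the "why do we disable SELinux?" discussion above (added here; not code from Jay's class or from the SELinux troubleshoot daemon): the usual reason people reach for setenforce 0 is an AVC denial they have not read. This parses the AVC records in audit.log, groups the denials by source domain, target type, object class and permission, and renders each group in the shape of the allow rule audit2allow would print, so you can decide between a boolean, a relabel and a local policy module. The log lines are constructed for the example.

```python
"""Summarize SELinux AVC denials from /var/log/audit/audit.log.

Added example for the SELinux discussion above; it is not code from Jay's
class. It groups "avc: denied" records by source domain, target type, object
class and permission so you can see what a boolean or a small local policy
module would have to allow instead of reaching for setenforce 0. The log
lines below are constructed for the example.
"""
import re
from collections import Counter, defaultdict

AVC = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, values may be quoted

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1500000000.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="sda1" ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.102:202): avc:  denied  { read open } for  pid=2101 comm="httpd" path="/home/web/index.html" dev="sda1" ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.103:203): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1500000000.103:203): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1500000000.104:204): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""


def parse_avc(line: str):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in KV.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # policy rules key on the type field (user:role:type:level) of each context
    rec["sdomain"] = rec.get("scontext", "?:?:?").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "?:?:?").split(":")[2]
    return rec


def summarize(log_text: str) -> dict:
    """(source domain, target type, class) -> Counter of denied permissions."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            for perm in rec["perms"]:
                summary[(rec["sdomain"], rec["ttype"], rec.get("tclass", "?"))][perm] += 1
    return dict(summary)


def as_allow_rules(summary: dict) -> list:
    """Render each group in the shape of the allow rule audit2allow would print."""
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
            for (src, tgt, cls), perms in sorted(summary.items())]


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT_LOG)
    for key, perms in sorted(groups.items()):
        print(key, dict(perms))
    print("\n".join(as_allow_rules(groups)))
```

Read the output before you paste it into a policy module: httpd_t reading user_home_t is what the httpd_enable_homedirs boolean (or relabeling the content to httpd_sys_content_t) is for, and httpd_t connecting to postgresql_port_t is covered by httpd_can_network_connect_db. A hand-written allow rule is the last resort, not the first.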

Jul 10, 2017 | 1h 9m

2017-022-Windows Hardening, immutable laws of security admins, and auditpol

Direct Link to Download: http://traffic.libsyn.com/brakeingsecurity/2017-022-windows_and_AD_Hardening.mp3
This week, we discuss hardening of Windows hosts utilizing the CIS benchmarks. We talk about the 'auditpol' command. And we dredge up from ancient times (2000) the Microsoft article from Scott Culp, "The 10 Immutable Laws of Security Administration". Are they still applicable to today's environment, 17 years later?
--SHOW NOTES--
- 10 immutable laws of Security Administration: https://technet.microsoft.com/library/cc722488.aspx Really great stuff
  Law #1: Nobody believes anything bad can happen to them, until it does
  Law #2: Security only works if the secure way also happens to be the easy way
  Law #3: If you don't keep up with security fixes, your network won't be yours for long
  Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with
  Law #5: Eternal vigilance is the price of security
  Law #6: There really is someone out there trying to guess your passwords
  Law #7: The most secure network is a well-administered one
  Law #8: The difficulty of defending a network is directly proportional to its complexity
  Law #9: Security isn't about risk avoidance; it's about risk management
  Law #10: Technology is not a panacea
- https://www.linkedin.com/in/scott-culp-cissp-8b69572a/
- http://thehackernews.com/2017/06/hacker-arrested-for-hacking-microsoft.html
- https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection
- https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
- auditpol - https://technet.microsoft.com/en-us/library/cc731451(v=ws.11).aspx
- https://docs.microsoft.com/en-us/windows/device-security/auditing/advanced-security-audit-policy-settings
- https://technet.microsoft.com/en-us/library/cc677002.aspx - Microsoft Security Compliance Manager
- https://www.databreaches.net/irony-when-blackhats-are-our-only-source-of-disclosure-for-some-healthcare-hacks/
- https://www.databreaches.net/leak-of-windows-10-source-code-raises-security-concerns/
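A worked example that serves both the auditpol discussion in this episode and the Windows Update drift problem from the 2017-029 show notes above (added here; it is not the podcast's code and not Michael Gough's cheat sheet tooling). It parses the CSV that `auditpol /get /category:* /r` prints and reports every subcategory that audits less than a baseline. The baseline values are the WLCS column of the comparison chart in the 2017-029 notes; the auditpol output below is constructed to look like a host after an update put settings back to defaults, and its GUIDs are placeholders. Run it on a schedule (or right after Patch Tuesday) and a reverted audit policy shows up before the gap in your logs does.

```python
"""Check a host's audit policy against a logging baseline.

Added example, not from the podcast. It parses the CSV that
``auditpol /get /category:* /r`` prints on Windows and reports subcategories
that audit less than the baseline. The baseline is the WLCS column of the
comparison chart in the 2017-029 show notes; the sample auditpol output below
is constructed for the example and its GUIDs are placeholders.
"""
import csv
import subprocess

# Baseline: subcategory -> set of outcomes ("Success"/"Failure") that must be on.
WLCS_BASELINE = {
    "Process Termination": {"Success", "Failure"},
    "File Share": {"Success", "Failure"},
    "File System": {"Success"},
    "Filtering Platform Connection": {"Success"},
}

# How auditpol /r spells the "Inclusion Setting" column.
SETTING_TO_OUTCOMES = {
    "No Auditing": set(),
    "Success": {"Success"},
    "Failure": {"Failure"},
    "Success and Failure": {"Success", "Failure"},
}


def parse_auditpol_csv(text: str) -> dict:
    """Map subcategory name -> enabled outcomes from auditpol's /r (CSV) output."""
    text = text.lstrip("\ufeff")  # tolerate a BOM if the output was saved to a file
    lines = [ln for ln in text.splitlines() if ln.strip()]
    policy = {}
    for row in csv.DictReader(lines):
        name = row["Subcategory"].strip()
        setting = row["Inclusion Setting"].strip()
        if setting not in SETTING_TO_OUTCOMES:
            raise ValueError("unexpected inclusion setting %r for %s" % (setting, name))
        policy[name] = SETTING_TO_OUTCOMES[setting]
    return policy


def find_drift(policy: dict, baseline: dict = WLCS_BASELINE) -> list:
    """One record per subcategory auditing less than the baseline requires.

    Auditing more than the baseline is not drift; only missing outcomes are.
    """
    drift = []
    for name, required in baseline.items():
        actual = policy.get(name)
        if actual is None:
            drift.append({"subcategory": name, "missing": sorted(required), "reason": "not reported"})
            continue
        missing = required - actual
        if missing:
            drift.append({"subcategory": name, "missing": sorted(missing), "reason": "disabled"})
    return drift


def current_policy() -> dict:
    """Windows only: read the live policy (needs an elevated shell)."""
    out = subprocess.run(["auditpol", "/get", "/category:*", "/r"],
                         capture_output=True, text=True, check=True)
    return parse_auditpol_csv(out.stdout)


# Constructed sample: what a box can look like after an update reset its policy.
SAMPLE_AFTER_UPDATE = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Process Creation,{00000000-0000-0000-0000-000000000001},Success,
WS01,System,Process Termination,{00000000-0000-0000-0000-000000000002},No Auditing,
WS01,System,File Share,{00000000-0000-0000-0000-000000000003},No Auditing,
WS01,System,File System,{00000000-0000-0000-0000-000000000004},Failure,
WS01,System,Filtering Platform Connection,{00000000-0000-0000-0000-000000000005},Success,
"""


def report(text: str = SAMPLE_AFTER_UPDATE) -> list:
    """Print and return the drift for one auditpol dump."""
    drift = find_drift(parse_auditpol_csv(text))
    for d in drift:
        print("%-32s missing %-16s (%s)" % (d["subcategory"], "/".join(d["missing"]), d["reason"]))
    return drift


if __name__ == "__main__":
    report()
```

Extending the baseline is just more entries in WLCS_BASELINE, and the same shape of check works for the log sizes in the chart (`wevtutil gl Security` reports maxSize) and the command-line and PowerShell logging registry values, which are the other things the episode says an update can quietly put back.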

Jul 3, 2017 | 53 min

2017-SPECIAL- Michael Gough and Brian Boettcher discuss specific ransomware

Due to popular demand, we are adding the extra content from last week's show as a standalone podcast. Michael Gough (@hackerHurricane) and Mr. Boettcher (BrakeSec co-host, @boettcherpwned) sit down and discuss why ransomware is such a popular topic, what email attachments to block, how to test your own email gateway, and what controls you should implement to help defend against the #petya #notpetya ransomware.

Jun 30, 2017 | 19 min

2017-021-small_biz_outreach-614con-prenicious_kingdoms-ransomware-bonus

This week, we discussed Ms. Berlin's recent foray to CircleCityCon and 614con (@614con), and her recent webinars with O'Reilly. One topic we discussed this week was how to reach out to small businesses about information security. Mr. Boettcher (@boettcherpwned) had just come from a panel discussion about an initiative in Austin, Texas called "MANIFEST", which sought to engage small business owners with #information #security professionals to help them secure their environments. So we got to discussing how you might go about it in your local hometowns. Many of us live in smaller towns, with numerous small businesses that either don't know to secure their #POS #terminals (for example), or how to protect office information that isn't in a file cabinet. They may also just assume their outsourced IT company is doing that job, which could open them up to liability if something occurred. So we discuss ways to reach out, or get involved with your local community. Secondly, we talk about software vulnerabilities found in the #CWE and the '7 Pernicious Kingdoms', which is one way people have classified vulnerabilities. We discuss one of the kingdoms, and how the classification is useful if you want to explain vulns to developers. Finally, after the show, Mr. Boettcher and Mr. Michael Gough, who has been on the show previously, discuss some #ransomware and why it's such a popular topic of discussion. (Stay after the end music.)
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-021-small_biz_outreach-614con-prenicious_kingdoms-ransomware-bonus.mp3

Jun 22, 2017 (1h 18m)

2017-020-Hector_Monsegur_DNS_OSINT_Outlaw_Tech_eClinicalWorks_fine

Hector Monsegur (@hxmonsegur on Twitter) is a good friend of the show, and we invited him to come on and discuss some of the #OSINT research he's doing to identify servers without using noisy techniques like DNS brute forcing. We also discuss eClinicalWorks and their massive fine for falsifying testing of their EHR system, and the implications of that. What happens to customers' confidence in the product, and what happens if you're already a customer and realize you were duped by them?

We also discuss Hector's involvement with the TV show "Outlaw Tech": who approached him, why he did it, why it's not CSI:Cyber or "Scorpion", and how it discusses the techniques used by bad guys.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-020-Hector_monsegur_DNS_research_OSINT.mp3

----------
Show notes:
Going beyond DNS bruteforcing and passively discovering assets from public datasets??? Very interested in hearing about this. Straight OSINT, or what?
Hxm: Over at RSL (Rhino Sec Labs), one of the research projects I'm working on is discovery of assets (subdomains) while minimizing footprint (DNS bruteforcing). Datasets include things like:
Data from the certificate transparency project (https://www.certificate-transparency.org/)
rDNS and forward DNS dataset from https://scans.io/
Sonar Scans - Rapid7
Sublist3r: https://github.com/aboul3la/Sublist3r
And other datasets that are out there
Crime Flare https://krebsonsecurity.com/tag/crimeflare-com/ -> crimeflare.com
Discuss why brute forcing DNS leaves such a heavy footprint for blue team forensics
How cloud providers like CloudFlare, and others, do not take advantage of DNS bruteforcing error messages
Special shout out to Ryan Sears @ CaliDog Security for his research into this field
https://en.wikipedia.org/wiki/Markov_chain
Smart DNS Bruteforcing - https://github.com/jfrancois/SDBF
Training gained from internal phishing campaigns
Does it breed internal mis-trust?
Recent campaign findings
Why do it if we know one account is all it takes? Because we know it's a 'win' for security?
Outlaw Tech on Science Channel
What's it about? (let's talk about the show)
The show itself is on the Science channel (Discovery)
The aim of the program is to discuss the technology behind many of the biggest crimes (heists, El Chapo's communication network, etc) and how I play a part in it
https://www.spoofcard.com/
https://www.sciencechannel.com/tv-shows/outlaw-tech/
Rhinosecuritylabs.com
http://www.dw.com/en/estonia-buoys-cyber-security-with-worlds-first-data-embassy/a-39168011 - "Estonia buoys cyber security with world's first data embassy" - interesting
https://www.digitalcommerce360.com/2017/05/31/eclinicalworks-will-pay-feds-155-million-settle-false-claims-charges/ -- holy shit -- Reminds me of the whole emissions scandal from a couple of years back.
http://www.roadandtrack.com/new-cars/car-technology/a29293/vehicle-emissions-testing-scandal-cheating/
http://securewv.com/cfp.html
OneLogin/Docusign breaches
OneLogin: https://arstechnica.com/security/2017/06/onelogin-data-breach-compromised-decrypted/
Docusign: https://www.inc.com/sonya-mann/docusign-hacked-emails.html
http://www.spamfighter.com/News-20916-DocuSign-Data-Hack-Resulted-in-Malware-Ridden-Spam.htm
Crowdfunding to buy shadowbroker exploits ended: https://threatpost.com/crowdfunding-effort-to-buy-shadowbrokers-exploits-shuts-down/126010/
China's Cybersecurity Law: https://lawfareblog.com/chinas-cybersecurity-law-takes-effect-what-expect
Facial recognition for plane boarding: http://money.cnn.com/2017/05/31/technology/jetblue-facial-recognition/index.html
Keybase.io's Chrome plugin -- Game changer? https://chrome.google.com/webstore/detail/easy-keybaseio-encryption/bhoocemedffiopognacolpjbnpncdegk/related?hl=en

Jun 14, 2017 (1h 16m)

2017-019-Ms. Jessy Irwin, Effective Training in Small/Medium Businesses


This week, we invited Ms. Jessy Irwin (@jessysaurusrex) on to discuss the issues small and medium businesses and startups have with getting good training, training that is effective, and what can be done to address these issues. We also go through several ideas for training subjects that should be addressed by training, and what might be better addressed by policy.

-------
Upcoming BrakeSec Podcast training: Ms. Sunny Wear - Web App Security/OWASP
14 June - 21 June - 28 June at 1900 Eastern (1600 Pacific, 2300 UTC)
$20 USD on Patreon to attend the class
$9 USD for just the videos to follow along in class
Patreon: https://www.patreon.com/bds_podcast
If you want the videos and don't care about the class, they will be released a week after class is over for free.
--------
Jay Beale's Class "aikido on the command line: hardening and containment" JULY 22-23 & JULY 24-25 AT BlackHat 2017
https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html
---------

Show Notes:
http://www.darkreading.com/endpoint/cybersecurity-training-nonexistent-at-one-third-of-smbs-/d/d-id/1328766
I don't trust articles written with a survey created by a company that is touting their new education track at the bottom of the article. -- brbr
https://twitter.com/jessysaurusrex/status/859123589123121152 "So sick of the tired narrative that sec awareness is just about phishing when there are ~10 basic skills we need to be educating people on"
What are the ~10 things?
First off, most corporate security training misses the incentive mark by a mile. If training were refocused in a way that showed the incentives to improving personal safety, we might get somewhere. Teaching people how to take care of themselves first works -- those habits carry over into their work life, not usually the other way around.
Passwords
Multifactor authentication
Device encryption
Ad blocking
Browser hardening via extension/plugin
Safe browsing (this breaks into a few different topics)
Phishing doesn't just happen via email anymore: social media inboxes, text message inboxes, messaging apps, etc. Most users won't come to social engineering defenses on their own -- important to educate and give alternatives that encourage them to confirm information out of band or navigate to a site in their browser
Social engineering (this breaks into a few different topics)
Segmentation/compartmentalizing data + communications
Secure storage (local vs cloud data)
Media storage safety (thumbdrives! Charge-only cables for mobile devices!)
Google Apps + Slack allow for OAuth; most people set it and forget it, and don't review what apps can act on their behalf until it's too late
Regularly reviewing permissions granted to apps through OAuth
Backups
http://www.zdnet.com/article/sans-security-awareness-study-reveals-technical-communication-skills-and-proper-resourcing-critical/
"The report goes on to say that security awareness professionals with more technical backgrounds are more keen to recognizing behaviors that might bring risk, however, at times communications training is critical given that human interaction soft skills make changing risky employee behavior. They know what behaviors are the most effective in managing those risks. Often however, the challenge is that these same individuals often lack the skills or training to effectively communicate those risks and engage employees in a manner that effectively changes behavior."
summed up our entire industry in this paragraph --brbr
https://securingthehuman.sans.org/resources/security-awareness-report-2017
^^^^ saw this on Twitter yesterday -brbr
Key takeaways: The study recommends the following for addressing communications:
Communicate to leadership monthly about your security awareness program -- in a way that business leaders will value.
Find a strong champion within leadership, and ask them to help relay the program value to other leaders, or assist with message crafting.
Partner with those in the org that you've found to appreciate and adhere to security awareness inputs, especially those who can help partner on better communications.
Take communications training; they can be easily developed with the right focus.
Align with human resources to ensure an awareness program is tied into company culture.
Keep an eye on your audience, as it grows and shifts, and recognize that the same message that work

Jun 6, 2017 (1h 11m)

2017-018-SANS_course-EternalBlue_and_Samba_vulnerabilities-DerbyCon contest details

We discuss SANS courses, including the one I just took (SEC504). How did I do in class? You can listen to the show and find out.

Since it's been a few weeks, we also discuss all the interesting WannaCry reports, the ease with which this vulnerability was exploited, and why a company would allow access to SMB (tcp port 445) from the Internet.

We discuss some upcoming training that we are holding starting 14 June. Ms. Sunny Wear will be doing 3 sessions discussing the use of Burp, and showing how to exploit various web application vulnerabilities. Details are in the show notes and in our Slack Channel.

Ms. Sunny Wear is doing a web app security class
Starts June 14th at 1900 Eastern (1600 Pacific, 2300 UTC)
Sign up for the class at the $20 Patreon level (if you plan on attending)
Sign up for immediate video access at the $10 Patreon level (cannot attend class, but want to follow along)
Everyone will have access to the Slack Channel to follow along with the class, ask questions, etc (join our #slack channel for more information)
https://www.patreon.com/bds_podcast

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-018-SANS_course-EternalBlue-Samba-DerbyCon.mp3

SHOW NOTES:
SANS experience
Pity Quincenera - I (bryan) sucked
Need more experience
Speed kills (I (bryan) got flustered and I shut down)
you took speed? No
Kali - was surprised, until I thought of why :D
Was not helpful to my team (jacek, ryan, Michael C., David)
John Strand was phenomenal
Frank Kim was great
The audio was not, unfortunately :(
Samba/SMB (port 445) vulns
Use case for having it exposed? **** OPEN TO SUGGESTIONS *****
What does that say about the company? No security team, or the security team is ineffectual about telling people about the risks?
What MS17-010 is the new MS08-067
http://thehackernews.com/2017/05/samba-rce-exploit.html
Over 400,000 open to the web
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Training announcement: Ms. Sunny Wear doing a web app security class
Starts June 14th
Sign up for the class at the $20 Patreon level
Sign up for immediate video access at the $10 Patreon level
https://www.patreon.com/bds_podcast
Who's Slide is it Anyways? @ImprovHacker https://docs.google.com/forms/d/e/1FAIpQLSeLS0barWRdKVjPPyZ82lvC0UQMaDTJXRwF11qItlbZOrrf6A/viewform?c=0&w=1
#infosec #podcast #webAppSec #application #security

May 30, 2017 (50 min)

2017-017-Zero_Trust_Networking_With_Doug_Barth,_and_Evan_Gilman

Zero trust networking may be a foreign concept to you, but Google and others have been utilizing this method of infrastructure and networking for quite a while now. It stands more traditional networking on its head by not having a boundary in the traditional sense. There's no VPN, no ACLs to audit, no firewall to maintain... Sounds crazy, right? Well, it's all about trust, or the lack of it. No one trusts anyone without a proper chain of permission. 2FA, concepts like port knocking, and CA certificates are used to properly vet both the host and the server, and to keep the whole system as safe and secure as possible. Sounds great, right? Well, as you can imagine, in our interview this week we find out that it's not perfect: people have to implement their own Zero Trust Networking solution, and unless you are a mature organization, with things like complete asset management, data flow, and configuration management, you aren't ready to implement it.

Join us as we discuss Zero Trust Networking with Doug Barth (@dougbarth) and Evan Gilman (@evan2645).

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-017-Zero_Trust_Networks.mp3

show notes:
The lines are blurring: DevOps, NetOps, SDN, SDP, docker/containerization, 2FA authentication
https://devcentral.f5.com/articles/load-balancing-versus-application-routing-26129
http://www.darkreading.com/attacks-breaches/zero-trust-the-way-forward-in-cybersecurity/a/d-id/1327827
All good points, except no one wants to do the needful bits (ID'ing information, data flow, proper network design)
https://www.beyondcorp.com/
https://en.wikipedia.org/wiki/Software_Defined_Perimeter
Where is this Google article???
http://www.tomsitpro.com/articles/google-zerotrust-network-own-cloud,1-2608.html
https://cloud.google.com/beyondcorp/
https://www.theregister.co.uk/2016/04/06/googles_beyondcorp_security_policy/
Who benefits from this? Network engineers, apparently… :) Devs? IT?
Sounds like a security nightmare… who would get the blame for it failing?
How do we keep users from screwing up the security model? Putting certs on their personal boxes?
Prior BrakeSec shows: Software Defined Perimeter with Jason Garbis http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3
http://shop.oreilly.com/product/0636920052265.do
Doug Barth Twitter: @dougbarth
Evan Gilman Twitter: @evan2645
Runs counter, right? We are used to not trusting the client…
Only a mature company can implement this:
Device inventory
Config management
Data flow
Asset management
Micro-services?
Brownfield networks
Sidecar model - Certain OSes not possible

May 9, 2017 (1h 25m)

2017-016-Fileless_Malware, and reclassifying malware to suit your needs


Malware is big business, both for the people using it and for the people who sell companies blinky boxes, saying that they scare off bad guys. The latest marketdroid speak appears to be the term 'fileless malware', which by definition... FTA: "Malware from a "fileless" attack is so-called because it resides solely in memory, with commands delivered directly from the internet. The approach means that there's no executable on disk and no artefacts ("files") for conventional computer forensic analysis to pick up, rendering the attacks stealthy, if not invisible. Malware infections will still generate potential suspicious network traffic." https://www.theregister.co.uk/2017/04/28/fileless_malware_menace/ -- by definition, not 'fileless'. But many of the 'fileless' attacks require a 'file' to be opened to enable the initial infection.

This week, Michael Gough (@hackerhurricane) comes on to discuss his latest blog post (http://hackerhurricane.blogspot.com/2017/05/fileless-malware-not-so-fast-lets.html), and we discuss how a lot of malware classification and categorization fails to actually convey to leaders what it affects.
https://business.kaspersky.com/targeted-attacks-trends/6776/
http://www.binarydefense.com/powershell-injection-diskless-persistence-bypass-techniques/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-016-fileless_malware_reclassifying_malware_types.mp3

Bsides Springfield, MO
Eventbrite for Tickets: https://www.eventbrite.com/e/bsides-springfield-tickets-33495265240 (only 27 tickets left as of 28 Apr)

May 2, 2017 (1h 5m)

2017-015-Being a 'security expert' vs. 'security aware'

This week, we have a little story time. Developers should be aware of the kinds of vulnerabilities their code can be attacked with. XSS, buffer overflows, heap overflows, etc. should be terms that they understand. But is it enough that they are 'aware' of them, and yet seem to do nothing? Or should they be experts in their own particular area of development, and leave infosec people to deal with more generic issues? We discuss the pros and cons of this argument this week, as well as how the idea of training people is flawed because of who holds the purse strings.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-015-security_expert-vs-Security_aware_devs.mp3

Apr 27, 2017 (44 min)

2017-014-Policy_writing_for_the_masses-master_fingerprints_and_shadowbrokers

So, I (Bryan) had a bit of a work issue to discuss. It has become one of my myriad jobs at work to write up some policies. In and of itself, it's not particularly fun work, and for whatever reason, this is causing me all kinds of issues. So this week we take a quick look at why I'm having these issues, and whether they are because I don't get it, or because the method I must follow is flawed.

After that, we add on to last week's show on #2FA and #MFA (http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3) by discussing why scientists are trying to create a 'master fingerprint' capable of opening mobile devices. We talk about FAR and FRR (false acceptance/rejection rates), and why the scientists may actually be able to pull it off.

We discussed Ms. Berlin's trip to the AIDE conference (https://appyide.org/), a two day #DFIR conference held at Marshall University by our good friend Bill Gardner (@oncee on Twitter). She gave a great interactive talk on working through online wargames and CTFs, and we get her update on the conference.

Finally, we did discuss a bit about the #ShadowBroker dump of #NSA tools. We discussed how differently people are taking this dump compared to the #Wikileaks #CIA dump.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-014-Policy_writing_for_the_masses-master_fingerprints_disneyland.mp3

--- show notes----
Discuss AIDE with Ms. Berlin
Log-MD.com posted their first video.
Fingerprint Masters (a case against biometrics):
http://www.popsci.com/computer-scientists-are-developing-master-fingerprint-that-could-unlock-your-phone
http://www.digitaltrends.com/cool-tech/master-prints-unlock-phones/
Encrypted comms causing issues for employers: https://iapp.org/news/a/employers-facing-privacy-issues-with-encrypted-messaging-apps/
ShadowBrokers dump "Worst since Snowden"
https://motherboard.vice.com/en_us/article/the-latest-shadow-brokers-dump-of-alleged-nsa-tools-is-awful-news-for-the-internet
https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/
Making policies, easier said than done
Discuss DefSec chapter on Policies
Difficulty: aligning policies with compliance standards (FedRamp, PCI, etc)
Writing a good policy so that it follows the guidelines
http://shop.oreilly.com/product/0636920051671.do -- Defensive Security Handbook

Apr 20, 2017 (1h 0m)

2017-013-Multi-factor Auth implementations, gotchas, and solutions with Matt

Most everyone uses some kind of Multi-factor or '2 Factor Authentication'. But our guest this week (who is going by "Matt", @infosec_meme) wanted to discuss some gotchas with regard to 2FA or MFA, the issues that come from over-reliance on 2FA, including some who believe it's the best thing ever, and finally we discuss other methods of 2FA that don't just require a PIN from a mobile device or token. We also discuss its use with concepts like "BeyondCorp", which is Google's take on the "Software Defined Perimeter" that we talked about a few weeks ago with @jasonGarbis (http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3).

This is a great discussion for people looking to implement 2FA at their organization, or who need ammunition if your boss thinks that all security is solved by using Google Auth.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3

Show Notes:
What does MFA try to solve:
Mitigate password reuse
Cred theft - Someone stealing credentials from embarassingadultsite.com, and it turns out they work on a totallyserious.gov RDP server
Phishing bad - same as above, except now you convince someone totallyseriousgov.com is legit and they give you credentials
Cred theft: Getting to the point where old mate literally has more password dumps than time
https://www.troyhunt.com/i-just-added-another-140-data-breaches-to-have-i-been-pwned/
Honestly not going away, and combined with password reuse makes things pretty bad
Phishing: Happens. META: do we need to back this up with some stats? https://blog.barkly.com/phishing-statistics-2016
MFA / Bad things happening with that:
AU Telecommunications provider sent multifactor SMS to wrong people https://www.itnews.com.au/news/telstra-sending-sms-to-wrong-numbers-after-exchange-fire-449690
RSA was owned years ago - and had to reissue a bunch of tokens
http://money.cnn.com/2011/06/08/technology/securid_hack/
https://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/?_r=0
On the plus side, obviously increased cost to attacker significantly to do that
Phishing frameworks are everywhere
Misc / Turns out U2F makes phishing kind of dead? (Read first amendment) https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/
Appears backed up by the spec ('Origin' / https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-overview-v1.1-id-20160915.pdf)
Phishing/2FA/Solutions?
a) What does multifactor actually solve?
b) Are we (infosec industry) issuing multifactor solutions to people just so people make money?
c) Do these things give a *false* sense of security?
d) What do you think about storing the token on the same box? Especially given an actor on the box is just going to steal creds as they're entered.
Internal training / is this actually working? Australia Post didn't think so https://www.itnews.com.au/news/why-australia-post-ransomwared-its-own-staff-454987
Counterpoints: It's irritating and does break at times ( https://twitter.com/dguido/status/842448889697447938 )
C: I don't like running some silly app on my phone
C: I also don't like running around with a physical token
C: Embedding a Yubico nano in my usb slot leaves me with one usb port left
Also doesn't solve when someone just steals that token
Does any of it matter: Beyondcorp / "Let's make the machine's state be part of the credential" https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf
Tl;dr of paper: TPMs, certificates and a lot of health checks - think of NAC on steroids
Is there some way we (not google) can make it so a credential is worthless?
Solutions: Duo / "There's an app on my phone and it has context about what wants to do something right now"
Probably a step in the right direction
Kind of like so

Apr 13, 2017 (48 min)

2017-012-UK Gov Apprenticeship infosec programs with Liam Graves

One of our Slackers (people who hang with us on our Slack Channel) mentioned that he was writing exam materials for one of the programs created by the UK Government to train high school students and/or people headed to university in skills without the traditional 4-year education track. I was very intrigued by this, since we don't appear to have anything like this, outside of interning at a company, which means you're not considered a full-time employee, have no benefits, and there's no oversight of what you are learning. (Your mileage may vary.) So we asked Liam Graves (@tunnytraffic) to come on and discuss his experience, and how he was enjoying it. We discuss various methods of alternative education here and in the UK, as well as why someone should possibly consider an apprenticeship. We also discuss how that would work in the US (or could it?). Also, I'm very sorry, Ireland ... :) I did not mean to lump you in with the rest of the Commonwealth...

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-012-UK_Gov_apprenticeships_with_Liam_Graves.mp3
Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw
iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

-----
HITB announcement: "Tickets are on sale, and entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/
---------
Join our #Slack Channel! Sign up at https://brakesec.signup.team
#RSS: http://www.brakeingsecurity.com/rss
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast
#iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback: [email protected]
Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake
#Player.FM: https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

-- Show Notes:
UK apprenticeship schemes: long established, though a recent focus shift back from academic achievement to hands-on skills and understanding/applying more than just remembering.
End Point Assessment - project-based final assessment. A mix of targeted learning and on-the-job experience working towards a brief: https://www.thetechpartnership.com/globalassets/pdfs/apprenticeship-standards/cyber-intrusion-analysis/occupational-brief-cyber-intrusion-analyst.pdf (Boring - but some background reading.)
Apprentices at this level will use levels 1-3 of Bloom's taxonomy (https://en.wikipedia.org/wiki/Bloom's_taxonomy):
1) Remembering ("What" type questions)
2) Understanding ("Which of these" / "Why" type questions)
3) Applying ("If this, then what" scenarios and questions)
Other schemes include (new and existing): Cyber Intrusion Analysts; Cyber Security Technologists; Data Analysts; Digital Marketers; Infrastructure Technicians; IT Technical Salesperson; Network Engineers; Software Developers; Software Development Technicians; Software Testers; Unified Communications Trouble-shooters (no idea what these ones are); Unified Communications Technicians.
https://www.gov.uk/apply-apprenticeship (links for Scotland & Wales on the same page).
https://www.thetechpartnership.com/about/ - employers drive the training for the type of employees they need.
Routes to employment - fast-paced industry, so 1) older pathways may not be relevant; 2) there are so many ways into the industry, pick the right one for you - there's a difference between people who appreciate structured learning, are autodidactic, learn extra and over what's expected, dev, risk, red/blue team, academic, hands-on, etc.
Internships (rarer, though some degrees offer a year in industry and will assist in making positions available)
Graduate schemes - very common, will give a grad opportunities to move around the business.
Direct hires from uni.
IBM has a trade school - hiring 2,000 US Veterans in the next 5 years: https://www.axios.com/ibm-2000-jobs-exclusive-2317626492.html
Technical schools: http://www.browardtechnicalcolleges.com/ http://www.bates.ctc.edu/ITSpecialist
DoL apprenticeship programs: https://oa.doleta.gov/bat.cfm
Difference between 'for-profit' and 'trade schools'
Internships = some companies are paying fat bank: http://www.vanityfair.com/news/2016/04/summer-interns-at-tech-start-ups-are-making-six-figure-salaries
Washington State trades/apprenticeships - mostly 'blue' collar positions: http://www.lni.wa.gov/TradesLicensing/Apprenticeship/Programs/TradeDescrip/
Few 'technical pos

Apr 5, 2017 (54 min)

2017-011-Software Defined Perimeter with Jason Garbis

We talked with Jason Garbis this week about Software Defined Perimeter (SDP). Ever thought about going completely without a VPN? Do you think I just made a crazy suggestion and am off my medications? Google has been doing it for years, and organizations like the Cloud Security Alliance are expecting this to be the next big tech innovation. So much so that they are already drafting version 2 of the SDP guidelines. After talking with a friend of mine about how they were trying to implement it, he suggested talking to Jason, since he was on the steering committee for it. While Jason does work for a company that sells this solution, our discussion with him is very vendor agnostic, and he even discusses an open source version of SDP that you could implement or test out as a PoC (details in show notes below). This is a great topic to stay on top of, as one day your CTO/CIO or manager will come by and ask about the feasibility of implementing this, especially if your company assets are cloud based... So have a listen!

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3
Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw
Itunes (look for '2017-011'): https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

--- Show Notes:
https://en.wikipedia.org/wiki/Software_Defined_Perimeter
https://cloudsecurityalliance.org/group/software-defined-perimeter/
Hmmm… seems like a standard created by companies selling their products for it. Have a product, create a problem, fix the problem...
How much alike is this to things like 'Beyondcorp'? https://www.beyondcorp.com/ http://www.networkworld.com/article/3053561/security/learning-about-sdp-via-google-beyondcorp.html
De-perimeterization - removing all the bits 'protecting' your computer. Treat your computers as 'on the Internet'. https://en.wikipedia.org/wiki/De-perimeterisation https://collaboration.opengroup.org/jericho/SPC_swhitlock.pdf
https://github.com/WaverleyLabs/SDPcontroller
2FA becomes much more important, or just plain needed, IMO --brbr

Questions:
How will development of applications change when attempting to implement these technologies?
If we allow deperimeterization of legacy apps (like Oracle products), with a complicated security model, how do you keep these older apps under control?
Can this cut down on the "Shadow IT" issue?
Does the user control the certs?
How does this work with devices with no fully realized operating systems? Phones, HVAC, IoT, legacy SCADA or mainframes?
What is the maturity level a company needs to implement this? What minimum requirements are needed? Asset management? Policies?
Who/how do you monitor this? More blinky boxes?
Will WAFs and Web proxies still function as expected?
Are there any companies where this is not a good fit?
What's the typical timeline for moving to this network model?
What's the best way to deploy this? Blow up the old network, insert the new network? Phase it in with new kit, replacing old kit?
Compliance: how do you explain this to auditors? "We don't have firewalls, that's for companies that suck, we are 1337"
Other than "scalability" (which seems like regular solutions would have as well), I'd like to know what real value they provide.

Mar 29, 2017 (52 min)

2017-010-Authors Amanda Berlin and Lee Brotherston of the "Defensive Security Handbook"

Our very own Ms. Berlin and Mr. Lee Brotherston (@synackpse), veteran of the show, co-authored an #O'Reilly book called the "Defensive Security Handbook". We talk with Amanda and Lee (or Lee and Amanda :D ) about why they wrote the book, how people should use the book, and how you can maximize your company's resources to protect you. The best thing is that you can pick up the ebook right now! It's available for pre-order on Safari Books (Link), or pre-order on Amazon.com (Link). Hope you enjoy!

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-010-Defensive_Security_handbook.mp3
Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw
Itunes (look for '2017-010'): https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

Previous Lee Brotherston episodes:
Threat Modeling w/ Lee Brotherston
Is your ISP MiTM-ing you
Lee fills in for Mr. Boettcher, along with Jarrod Frates
TLS fingerprinting application

#Bsides #London is accepting Call for Papers (#CFP) starting 14 February 2017, as well as a Call for Workshops. Tickets are sold out currently, but there will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/ CFP closes 27 March 2017.

Mar 22, 2017 (1h 13m)

2017-009-Dave Kennedy talks about CIAs 'Vault7', ISC2, and Derbycon updates!

Wikileaks published a cache of documents and information from what appears to be a wiki from the Central Intelligence Agency (CIA). This week, we discuss the details of the leak (as of 11 Mar 2017), and how damaging it is to blue teamers. To help us, we asked Mr. Dave Kennedy (@hackingDave) to sit down with us and discuss what he found, and his opinions of the data that was leaked. Mr. Kennedy is always a great interview, and his insights are now regularly seen on Fox Business News, CNN, and MSNBC. Dave isn't one to rest on his laurels. Many of you know him as the co-organizer of #derbycon, as well as a board member of #ISC2. We ask him about initiatives going on with ISC2, and how you (whether or not you're an ISC2 cert holder) can help with various committees and help improve the certification landscape. We talk about how to get involved. We finish up asking about the latest updates to DerbyCon, as well as the ticket dates, and we talk about our CTF for a free ticket to DerbyCon.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-009-dave_kennedy_vault7_isc2_derbycon_update.mp3
Youtube: https://www.youtube.com/watch?v=lqXGGg7-BlM
iTunes: https://itunes.apple.com/us/podcast/2017-009-dave-kennedy-talks-abotu-cias-vault7-isc2/id799131292?i=1000382638971&mt=2

--show notes--
http://www.bbc.com/news/world-us-canada-10758578
WL: "CIA 'hoarded' vulnerabilities or 'cyber-weapons'"
Should they not have tools that allow them to infiltrate systems of 'bad' people?
Promises to share information with manufacturers
BrBr - Manufacturers and devs are the reason the CIA has 'cyber-weapons': shit code, poor software design/architecture. Security wonks aren't without blame here either.
http://www.bbc.com/news/technology-39218393 - RAND report. Report suggested stockpiling is 'good': "On the other hand, publicly disclosing a vulnerability that isn't known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve."
Encryption does still work, in many cases… as it appears they are having to intercept the data before it makes it into secure messaging systems… http://abcnews.go.com/Technology/wireStory/cia-wikileaks-dump-tells-us-encryption-works-46045668 (somewhat relevant? Not sure if you want to touch on https://twitter.com/bradheath/status/837846963471122432/photo/1)
Wikileaks - more harm than good? Guess that depends on what side you're on. What side is Assange on? (his own side?)
Media creates FUD because they don't understand: secure messaging apps "busted" (FUD inferred by WL). In fact, data is captured before encryption is applied.
Some of the docs make you wonder about the need for 'over-classification'
Vulnerabilities uncovered:
Samsung Smart TVs "Fake-Off"
Tools to exfil data off of iDevices. BrBr - Cellebrite has sold that for years to the FBI. CIA appears to only have up to iOS 9 (according to docs released)
Car hacking tech
Sandbox detection (notices mouse clicks or the lack of them). Reported by eEye: https://wikileaks.org/ciav7p1/cms/page_2621847.html
Technique: Process Hollowing: https://wikileaks.org/ciav7p1/cms/page_3375167.html Not new: https://attack.mitre.org/wiki/Technique/T1093
**anything Mr. Kennedy feels is important to mention**
What can blue teamers do to protect themselves? Take an accounting of 'smart devices' in your workplace
E

Mar 14, 2017 (1h 15m)

2017-008-AWS S3 outage, how it should color your IR scenarios, and killing the 'whiteboard' interview


If you were under a rock, you didn't hear about the outage that #Amazon #Web Services (#AWS) suffered at the hands of sophisticated, nation-state... wah? "an authorized #S3 team #member using an established #playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended." Well... okay, so for companies that do regular IR response tests and have a good majority of their assets and production in cloud-based services, is it time to discuss having the 'extreme' scenario of 'What do we do when [AWS|Azure|Google Compute] goes down?' We also discuss an article about #developers who want to get rid of the #whiteboard #interview... is it as #discriminatory as they suggest, or is it just devs who aren't confident or are lacking #skills trying to get hired? (see show notes below for links) Finally, we talk about Ms. #Berlin's talk she will be giving at #AIDE on 6-7 April. It's gonna be a "hands-on" talk. What do we mean? Listen to our show and find out.

#AIDE - https://appyide.org/events/ $60, more info: https://appyide.org/1313-2/
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-008-AWS_S3_outage-IR_scenarios_white-board-interviews.mp3

---show notes---
AWS S3 outage (hopefully more information by the end of the week)
Massive outages - many sites down, IoT devices borked
https://techcrunch.com/2017/02/28/amazon-aws-s3-outage-is-breaking-things-for-a-lot-of-websites-and-apps/
https://www.wired.com/2017/02/happens-one-site-hosts-entire-internet/
TL;DR of the S3 outage - "an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended."
Brian: Water sprinkler story…
Do we put too much stock in Amazon?
Email Story time: Recent IR exercise. Mostly AWS shop. "If we suspend reality" drinking game. World War Z "the 10th man"
Not the 1st time AWS was involved in an outage: http://www.datacenterdynamics.com/content-tracks/security-risk/major-ddos-attack-on-dyn-disrupts-aws-twitter-spotify-and-more/97176.fullarticle
Realistic IR exercises need to examine the 'ultimate' bad… even if you're in 'suspend reality' mode
https://theoutline.com/post/1166/programmers-are-confessing-their-coding-sins-to-protest-a-broken-job-interview-process
http://blog.interviewing.io/you-cant-fix-diversity-in-tech-without-fixing-the-technical-interview/
No problem with copy/paste, hunting up functions, etc. The problem comes with a failure to understand the code you're using, and the integration of that code therein.
Programming Interviews Exposed
LOVED this idea…. https://letsjusthackshit.org/platypuscon2016.html "In the spirit of what brought this community together, we're aiming to build a super hands-on event: that is, instead of a series of talks while you plan on missing to catch up with your friends at the cafe down the road, we're putting together a full day of hands-on workshops where you can get your hands dirty and we can all help each other learn something new."
Patreon - just pop a dollar
CTF Club - Tuesdays 9am Pacific / 6pm Pacific
Book club - Defensive Security Handbook - Starting 15

Mar 6, 2017 (1h 14m)

2017-007- Audio from Bsides Seattle 2017

Bryan had the pleasure of attending his 3rd Bsides Seattle a few weeks ago. Lots of great speakers, great discussion. We have 3 interviews here this week: Justin Case (@jcase) discusses some of his talk about hacking the Google Pixel, an HTC-produced phone. We discuss why Android gets the 'insecure' moniker from the media, and whether it's warranted or not. Next, Sam Vaughn (@sidechannel_org) talks about setting up the Crypto Village, why he does it, and what you can learn by solving these puzzles. Finally, Matt Domko discusses his experiences with Bro, as well as using Bro for packet analysis and what is needed when analyzing packets... If you are looking for some great content, a Bsides is nearby, just look around... Other Twitter handles mentioned on the show: @ben_ra @firewater_devs (both phone hackers)

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-007-bsides_seattle_Feb2017.mp3
YouTube:
iTunes:

Mar 1, 2017 (35 min)

2017-006- Joel Scambray, infosec advice, staying out from in front of the train, and hacking exposed

Joel Scambray joined us this week to discuss good app design, why it's so difficult, and what can be done to fix it when possible. Joel also co-authored many of the "Hacking Exposed" series of books. We ask him about other books that could come from the well-known series. We also ask why the #infosec person often feels like they need to protect their organization at the expense of their own position (or sanity), and how we as an industry should not be 'in front of the train', but guiding the train to its destination, one of prosperity and security. Conversely, we also discuss why some positions in security are so short-lived, such as the role of CISO. From SC Magazine (https://www.scmagazineuk.com/joel-scambray-joins-ncc-group-as-technical-director/article/634098/): "Security expert and author, Joel Scambray, has joined NCC Group as technical director. He will be based at the Austin, US office. Scambray has more than 20 years of experience in information security. In his new role, he will work with some of the company's biggest clients using his experience in business development, security evangelism and strategic consultancy."

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-006-Joel_scambray-infosec_advice-hacking_exposed.mp3
iTunes (generic link, subscribe for podcast): https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
Brakesec Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

------- Show Notes:
Joel Scambray, in a bio: "Joel's words of security wisdom: Security is a type of risk management, which is about informing a decision. The security professional's challenge is to bring the most evidence possible to support those decisions, both technical and non."
Building and maintaining a security program - which is better? Starting with a few quick wins, or having an overarching project to head where you want to go?
Starting companies (buyouts / stock options / lessons learned)
Hacking Exposed - Will you stop at '7'? Will there be a "Hacking Exposed: IoT"? Medical devices
What leadership style works best for you?
Things we couldn't cover due to time:
Security shift from network layer to app layer
Software defined networking, for example
How to set policies to keep your devs from running amok
-------

Feb 19, 2017 (1h 5m)

2017-005-mick douglas, avoid bad sales people, blue team defense tools

Mick Douglas is always great to have on. A consummate professional, and blue team advocate for years now, he teaches SANS courses designed to help defenders against the forces of the red team, pentesters, and even bad actors. But this week, we have a different Mr. Douglas. This week, he's here to talk about sales tactics, #neuro #linguistic #programming, leading the question, and other social engineering techniques that salespeople will use to get you to buy what your company maybe doesn't need, but thinks it does. We have some good times discussing ways to ensure the buying of your new shiny box at work goes more smoothly, what you should look out for, and ways to tell if they are over-selling and under-delivering. Also, Mick has been working on a project near and dear to his heart. After discussing with @carnal0wnage a year or so back, he's fleshed out a spreadsheet that tracks attack vectors and, depending on what controls are in your environment, can show you how effective a particular attack would be against your environment. This would be a great asset to blue teams who might want to shore up defenses, especially if they are vulnerable in a particular area. Mr. Douglas is looking for comments, suggestions, and additions to his spreadsheet, and you can even download a copy of the Google Doc to try in your own environment, free of charge.

Book mentioned in the show (non-sponsored link): https://www.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X
Mick's document: https://docs.google.com/spreadsheets/d/1pI-FI1QITaIjuBsN30au1ssbJAZawPA0BYy8lp6_jV8/edit#gid=0
Mick refers to the MITRE ATT&CK matrix in the show; here's our show discussing it: http://traffic.libsyn.com/brakeingsecurity/2015-051-ATTACK_Matrix.mp3 https://attack.mitre.org/wiki/ATT%26CK_Matrix
Mick's last appearances on BrakeSec:
http://traffic.libsyn.com/brakeingsecurity/2015-024-Mick_Douglas.mp3
http://traffic.libsyn.com/brakeingsecurity/2015-025-Mick_douglas_part2.mp3
http://traffic.libsyn.com/brakeingsecurity/2015-032-Jarrod_and_Mick_DFIR.mp3
http://traffic.libsyn.com/brakeingsecurity/2016-026-exfiltration_techniques-redteaming_vs_pentesting-and-gaining_persistence.mp3
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-005-mick_douglas-attack_defense_worksheet.mp3
iTunes: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
YouTube: https://www.youtube.com/watch?v=A3K-2yneKU4

Feb 14, 2017 (1h 3m)

2017-004-sandboxes, jails, chrooting, protecting applications, and analyzing malware

This week, we discuss sandboxing technologies. Most of the time, infosec people use sandboxes and similar technology to analyze malware and other malicious software. Developers use them to add protections to their applications, or even to build defenses that ward off potential attack vectors. We discuss sandboxes and sandboxing technology, jails, chrooting of applications, and even tools that keep applications honest, in particular the pledge(2) system call in OpenBSD.

----------

HITB announcement: "Tickets for attendance and training are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-004-Sandboxing_technology.mp3
iTunes: https://itunes.apple.com/us/podcast/2017-004-sandboxes-jails-chrooting/id799131292?i=1000380833781&mt=2
YouTube: https://www.youtube.com/watch?v=LqMZ9aGzYXA

-----------

Show notes: Sandboxing tech - https://hangouts.google.com/call/yrpzdahvjjdbfhesvjltk4ahgmf

A sandbox is implemented by executing the software in a restricted operating system environment, thus controlling the resources (for example, file descriptors, memory, file system space, etc.) that a process may use.

Various types of sandbox tech:

- Jails - FreeBSD. Much like Solaris 10's zones: a restricted operating system, also able to install OSes inside, like Debian. http://devil-detail.blogspot.com/2013/08/debian-linux-freebsd-jail-zfs.html
- pledge(2) - new to OpenBSD. The program says what it should use; if it steps outside those lines, it's killed. http://www.tedunangst.com/flak/post/going-full-pledge http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/pledge.2?query=pledge http://www.openbsd.org/papers/hackfest2015-pledge/mgp00008.html
- chroot - OpenBSD, Linux (chroot jails). "A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children." Example: "www" runs in /var/www. A chrooted www website must contain all the necessary files and libraries inside /var/www, because to the application /var/www is '/'.
- Rules-based execution - AppArmor, PolicyKit, SELinux. Allows users to set what will be run, and which apps can inject DLLs or objects. "It also can control file/registry security (what programs can read and write to the file system/registry). In such an environment, viruses and trojans have fewer opportunities of infecting a computer." https://en.wikipedia.org/wiki/Seccomp https://en.wikipedia.org/wiki/Linux_Security_Modules
- Android VMs
- Virtual machines - sandboxes in their own right. Snapshot capability: revert once changes have occurred. CON: some malware will detect VM environments and change the way it works.
- Containers (Docker, Kubernetes, Vagrant, etc.) - quick standup of images; blow away without loss of host functionality. Helpful to run containers as an unprivileged user. https://blog.jessfraz.com/post/getting-towards-real-sandbox-containers/
- Chrome sandbox: https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md
- Emulation vs. virtualization: http://labs.lastline.com/different-sandboxing-techniques-to-detect-advanced-malware -- seems like a good link
- VMware ThinApp (emulator): https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1030224
- Malware lab creation (AlienVault blog): https://www.alienvault.com/blogs/security-essentials/building-a-home-lab-to-become-a-malware-hunter-a-beginners-guide
- https://www.reverse.it/

News (assuming it goes short):

- SHA-1 generated certs will be deprecated soon - https://threatpost.com/sha-1-end-times-have-arrived/123061/
- Whitelisting file extensions in Apache: https://isc.sans.edu/diary/Whitelisting+File+Extensions+in+Apache/21937
- http://blog.erratasec.com/2017/01/the-command-line-for-cybersec.html
- https://github.com/robertkuhar/java_coding_guidelines
- https://www.us-cert.gov/sites/default/files/publications/South%20Korean

Feb 6, 2017, 52 min

2017-003-Amanda Berlin at ShmooCon

Amanda Berlin attended ShmooCon this year, and sat down with a few people. She discussed a bit with John about what HackEd is about (http://hackeducate.com/).

Amanda writes: "I had an amazing time at my 3rd #Shmoocon. I was able to interview a handful of really cool people working on several different types of infosec education. I was able to watch a few talks, spend some time in the lockpick village, as well as go to Shmoocon Epilogue. It's always amazing to watch people talk about what they are passionate about, and Shmoocon is a great relaxed environment where that happens frequently."

Guests:

- James Green @greenjam94
- Aaron Lint @lintile
- Jon? @hackeducate
- Melanie Rich-Wittrig @securitycandy

Melanie Rich-Wittrig (@securitycandy) discusses how she's empowering kids to get into information security, even as early as age 10 or 11. She discusses how she motivates them by teaching CTF and hacking concepts, and gamifies learning with point systems. www.securitycandy.com

RSS: http://www.brakeingsecurity.com/rss
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-003-ShmooCon_Audio.mp3
YouTube:

Jan 29, 2017, 30 min

2017-002: Threat Lists, IDS/IPS rules, and mentoring

In your environment, you deal with threats from all over the world. Many groups out there pool resources to help everyone deal with those #threats. Some come in the form of threat #intelligence from various intelligence companies, like #Carbon #Black, #FireEye, and #Crowdstrike. But what if your company cannot afford such products, or is not ready to engage those types of companies, and still needs protection? Never fear, there are open source options available (see show notes below). These products aren't perfect, but they will provide a modicum of protection from 'known' bad actors, SSH trolls, etc. We discuss some of the issues with using them, and how to use them in your #environment. Lastly, we discuss #mentorship. A good mentor/mentee relationship can be mutually beneficial to both parties. We discuss what it takes to be a good mentee, as well as a good mentor...

RSS: www.brakeingsecurity.com/rss
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-002-mentoring_threat_lists.mp3
iTunes: https://itunes.apple.com/us/podcast/2017-002-threat-lists-ids/id799131292?i=1000380246554&mt=2
YouTube: https://www.youtube.com/watch?v=oHNrINl1oZE

----------

Show Notes: HANGOUTS: https://hangouts.google.com/call/w7rkkde5yrew5nm4n7bfw4wfjme

2017-002-Threat Lists, IDS/IPS rulesets, and infosec mentoring

Threat Lists (didn't have much time to research :/)

- THIS EXACTLY - http://blogs.gartner.com/anton-chuvakin/2014/01/28/threat-intelligence-is-not-signatures/
- Don't use threat list feeds (by IP/domain) as threat intelligence
- Can use them for aggressive blocking; don't use them for alerting
- https://isc.sans.edu/suspicious_domains.html
- https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
- http://iplists.firehol.org/
- https://zeltser.com/malicious-ip-blocklists/
- https://medium.com/@markarenaau/actionable-intelligence-is-it-a-capability-problem-or-does-your-intelligence-provider-suck-d8d38b1cbd25#.ncpmqp9cx
- Spamhaus: https://www.spamhaus.org/
- leechers

Open rulesets - You can always depend on the kindness of strangers

- Advantage is that these are created by companies that have worldwide reach
- Updated daily
- Good accompanying documentation
- You can buy large rulesets to use in your own IDS implementation
- Depends on your situation whether you want to go managed or do it yourself
- Regardless, you need to test them
- Managed security services will do this for you
- I don't recommend doing it yourself unless you have a team of dedicated people or you don't care about getting hacked - signatures are way too dynamic, like trying to do AV sigs all by yourself
- Only a good idea for one-off, targeted attacks

DIY IDS/IPS rulesets

- Yara rules: https://securityintelligence.com/signature-based-detection-with-yara/ http://yararules.com/ http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/

For Mentors

- Set expectations & boundaries
- Find a good fit
- Be an active listener
- Keep open communication
- Schedule time
- Create homework
- Don't assume technical level
- Ask questions

For Mentees

- Do your own research
- Find a good fit
- Put forth effort
- It's not the mentor's job to handhold; take responsibility for your own learning
- Value their time
- Come to each meeting with an agenda

Mentoring frameworks?

- InfoSec Mentoring: https://t.co/mLXjfF1HEr https://gist.github.com/AFineDayFor/5cdd0341a2b384c20e615dcedeef0741
- Podcasts (Courtesy of Ms. Hannelore): https://t.co/mLXjfF1HEr https://gist.github.com/AFineDayFor/5cdd0341a2b384c20e615dcedeef074

Jan 21, 2017, 1h 5m

2017-001: A New Year, malware legislation, and a new cast member!


We start Brakeing Down Security with a huge surprise! A 3rd member of the podcast! Amanda #Berlin (@infosystir) joins us this year to help us educate people on #security topics. During the year, she'll be getting us some audio from various conventions and giving us her perspective working at an #MSSP, as well as on a blue team (defender). We start out talking about new #California #legislation about making #malware illegal. What are politicians in California thinking? We work through that and try to find some understanding. With all the various secure messaging systems out there, we discuss why secure messaging systems fail so badly with regards to #interoperability and the difficulties in getting average non-infosec people to adopt one. We also discuss #Perfect #Forward #Secrecy and how it prevents people from decrypting old messages, even if the key is compromised.

---Show Notes---

News story: http://www.latimes.com/politics/la-pol-sac-crime-ransomware-bill-20160712-snap-story.html

"If this legislation gives prosecutors the tools that they didn't have before, where are the cases that they have lost because they didn't have these tools?" said Brandon Perry, a senior consultant for NTT Com Security. "Authorities are focused on prosecuting criminals that they can't even find, as opposed to educating the victims to prevent this from happening again and again."

Ransomware won't infect you if you watch training videos: http://thehackernews.com/2017/01/decrypt-ransomware-files.html

Secure messaging - stuck in an Apple ecosystem

- Too many, no interoperability
- Signal, Whisper, Wickr, Wire, WhatsApp, FB Messenger
- I uninstalled Signal… can't convince people to adopt something if everyone cannot message one another --BrBr
- OpenPGP is 'dangerous': http://arstechnica.com/information-technology/2016/12/signal-does-not-replace-pgp/

Forward Secrecy - https://en.wikipedia.org/wiki/Forward_secrecy

"A public-key system has the property of forward secrecy if it generates one random secret key per session to complete a key agreement, without using a deterministic algorithm." (deterministic: a given input gives the same output every time)

Perfect Forward Secrecy - "In cryptography, forward secrecy (FS; also known as perfect forward secrecy[1]) is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys."

Ms. Amanda's pentest homework: "https://docs.google.com/document/d/17NJPXpqB5Upma2-6Hu5svBxd8PH0Ex7VgCvRUhiUNk8/edit"

Jan 12, 2017, 43 min

2016-051: Steps to fixing risks you found, and the State of the Podcast

It's the final episode of the year, and we didn't slouch on the #infosec. Mr. Boettcher discussed what should happen when we find risk and how we handle it in a responsible manner. I also issue an 'open letter' to the C-Level. We need C-Levels to listen to and accept the knowledge and experience of their people. Infosec people are often the only thing keeping a company from making the front page, and yet are still seen as speed bumps. We also discuss some of the previous episodes of the year, and some recent developments to build our #community, like our book club and upcoming #CTF club. Plus, there is one other surprise, but you'll have to wait until our next episode to find out! Enjoy our final episode of 2016. Our regular show will return the week of 9 January 2017!

https://en.wikipedia.org/wiki/Yahoo!_data_breaches#Legal_and_commercial_responses

iTunes:
YouTube: https://www.youtube.com/watch?v=w56W5gMMg0E
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-051-State_of_the_podcast_Finding_and_managing_risk.mp3

Special deal for our #BrakeSec Listeners: "If you have an interesting security talk and fancy visiting #Amsterdam in the spring, then submit your talk to the Hack In The Box (#HITB) Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until 31 December 2016. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity!

Dec 25, 2016, 41 min