BrakeSec Education Podcast

463 episodes — Page 7 of 10

2016-050: Holiday Spectacular with a little help from our friends!


Brakesec Podcast was joined by Edgar #Rojas (@silverFox) and Tracy #Maleef (@infosecSherpa) from the #PVC #Security #podcast (@pvcsec), Joe Gray (@C_3PJoe) from the Advanced Persistent Security Podcast, Jerry #Bell (@maliciousLink) and Andrew #Kalat (@lerg) from the #Defensive Security podcast (@defensiveSec), and Amanda #Berlin (@infosystir) for a light-hearted holiday party. We discuss things we learned this year, and most of us refrained from making the famous "#prediction" lists. You also get to hear my lovely wife come in and bring me #holiday #sweeties and even dinner, as she had no idea we were recording at the time (she later told me "You sounded like you were having too much fun, so I assumed you weren't recording").

**There might be some explicit language.**

Join us, won't you, and listen to 3 fantastic podcasts mix it up for the holidays.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-050-holiday_spectacular-defsec-advpersistsec-brakesec-infosystir.mp3
#YouTube: https://www.youtube.com/watch?v=sJaAG0KRpDY
#iTunes: https://itunes.apple.com/us/podcast/2016-050-holiday-spectacular/id799131292?i=1000379206297&mt=2

Special deal for our #BrakeSec Listeners: "If you have an interesting security talk and fancy visiting #Amsterdam in the spring, then submit your talk to the Hack In The Box (#HITB) Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity!

Join our #Slack Channel! Sign up at https://brakesec.signup.team
#RSS: http://www.brakeingsecurity.com/rss
#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback, or Suggestions? Contact us via Email: [email protected]
#Twitter: @brakesec @boettcherpwned @bryanbrake
#Facebook: https://www.facebook.com/BrakeingDownSec/
#Tumblr: http://brakeingdownsecurity.tumblr.com/
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

Dec 21, 2016, 1h 14m

2016-049-Amanda Berlin, the art of the sale, and Decision making trees

"Always Be Closing" is the mantra that Alec Baldwin's character "Blake" intones in the movie "#GlenGarry #Glen #Ross". Ironically, the film about 4 men selling was a failure in the theaters. A lot of times as #blue #teamers, we find ourselves in the sights of a #sales person, or often enough, we are inviting them into our conference rooms to find out how their widget will help save the day. There's an art to the concept of selling, honed over the past 500,000 years, since Ugg tried to convince Oog that his wheel would revolutionize work...

We asked Ms. Amanda Berlin (@infosystir) to join us this week, for her expertise working at a security company, as well as being someone who sells products, to discuss how and why sales and sales engineers do what they do. I posit that there must be a 'decision tree' or script that most follow in an effort to make a sale, and we discuss how to confront the pushy sales pitch head on, or, in Amanda's way, to avoid it altogether.

We discuss the book Amanda co-wrote with Lee Brotherston, whom we've had on our show before. Their #O'Reilly #book is on pre-sale right now, so you can order "The #Defensive #Security #Handbook" here: http://shop.oreilly.com/product/0636920051671.do

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-049-amanda_berlin_the_art_of_the_sale_decision_making_trees.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-049-amanda-berlin-art/id799131292?i=1000378988303&mt=2
Youtube: https://www.youtube.com/watch?v=v0llOSXfzBg

Dec 15, 2016, 56 min

2016-048: Dr. Gary McGraw, Building Security into your SDLC, w/ Special guest host Joe Gray!


As part of our ongoing discussion about the #SDLC and getting security baked in as far left as possible, Joe Gray, host of the Advanced Persistent Security #Podcast (find it at https://advancedpersistentsecurity.net/), Mr. Boettcher, and I sat down with Dr. Gary McGraw, author of "Software Security: Building Security In", to discuss his book. We are also doing this book as part of the Brakeing Security Book Club (check out our #Slack channel for more information).

Gary walks us through the 7 Kingdoms of getting more security in, including doing automated and manual code audits, proper penetration testing of the application at various stages (testing), documentation (if you don't know how it works, how can you test it?), and your Security Operations people monitoring for things once it goes into production. Also, find out which chapter he thinks you should skip altogether... the answer may surprise you... :)

Join Mr. Gray, Mr. Boettcher, and me for a discussion with a true leader in the software and application security industry.

Buy the book on Amazon: https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705
Check out Gary's website at https://www.garymcgraw.com/, and check out Gary's own podcast, the Silver Bullet Security Podcast, at https://www.garymcgraw.com/technology/silver-bullet-podcast/
Gary's twitter is @cigitalgem
Joe Gray's twitter is @C_3PJoe

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-048-Gary_McGraw_Securing_Your_SDLC_and_guest_host_Joe_Gray.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-048-dr.-gary-mcgraw-building/id799131292?i=1000378548363&mt=2
YouTube: https://www.youtube.com/watch?v=x65yL5_Hpi4

Dec 3, 2016, 1h 11m

2016-047: Inserting Security into the SDLC, finding Privilege Escalation in poorly configured Linux systems

Just a quick episode this week... As part of the Brakesec Book Club (join us on our #Slack Channel for more information!) we are discussing Dr. Gary McGraw's book "Software Security: Building Security In" (Amazon Link: https://is.gd/QtHQcM). We talk about the need to insert security into your company's #SDLC... but what exactly can be done to enable that? I talk about how abuse cases, #risk #analysis, creating test cases, pentesting, and #security #operations are all methods to do so.

Finally, I discovered a blog talking about ways to discover configuration errors on Linux systems that might allow #privilege #escalation to occur. Using these tools as part of your hardening processes could lower the risk of a bad actor gaining elevated privileges on your *unix hosts: http://rajhackingarticles.blogspot.com/2016/11/4-ways-to-get-linux-privilege-escalation.html

You can find the github of this script and the audit software that I mentioned below:
https://github.com/rebootuser/LinEnum.git
#Lynis (from CISOfy): https://cisofy.com/lynis/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-047-inserting_security_into_the_SDLC_finding_Linux_priv_esc.mp3
#iTunes: https://itunes.apple.com/us/podcast/2016-047-inserting-security/id799131292?i=1000378329598&mt=2
#YouTube: https://www.youtube.com/watch?v=Kd_ZzvVNqoA

Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

Nov 28, 2016, 19 min
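The episode above points at LinEnum and Lynis for finding the configuration errors that hand out Linux privilege escalation. The following is an added example written for this page (it is not LinEnum or Lynis code), scripting the handful of checks a hardening pass wants first: setuid/setgid executables, world-writable files, world-writable directories that lack the sticky bit (a 01777 /tmp is expected and is not reported), world-writable PATH entries, and NOPASSWD sudoers rules. The demo tree, the PATH list and the sudoers text are constructed inputs, not taken from any real host.

```python
"""Local audit for configuration errors that commonly enable Linux privilege escalation.

Added example for this page; not LinEnum or Lynis. Run audit_tree("/") on a host, or
demo() for a constructed tree with one of each problem planted in it.
"""
import os
import stat
import tempfile
from typing import Dict, List


def audit_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` and collect the permission problems an attacker looks for first."""
    findings: Dict[str, List[str]] = {
        "suid_sgid": [],
        "world_writable_files": [],
        "world_writable_dirs": [],
    }
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks into other trees
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue
            # Executable with setuid/setgid: runs as owner/group, so any bug in it
            # (or a writable config it reads) crosses a privilege boundary.
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID) and mode & 0o111:
                findings["suid_sgid"].append(path)
            if mode & stat.S_IWOTH:
                if stat.S_ISDIR(mode) and not mode & stat.S_ISVTX:
                    findings["world_writable_dirs"].append(path)
                elif stat.S_ISREG(mode):
                    findings["world_writable_files"].append(path)
    for key in findings:
        findings[key].sort()
    return findings


def writable_path_dirs(path_dirs: List[str]) -> List[str]:
    """PATH entries anyone can write to: a planted binary there runs as whoever calls it next,
    including root via cron or a sudo rule with a permissive secure_path."""
    bad = []
    for d in path_dirs:
        try:
            st = os.stat(d)
        except OSError:
            continue                         # a missing PATH entry is a separate (hijack) issue
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            bad.append(d)
    return bad


def sudoers_nopasswd(sudoers_text: str) -> List[str]:
    """Rules granting NOPASSWD. Whether a rule is exploitable depends on the command
    (an editor, pager or interpreter is a shell in disguise); this only surfaces the rules."""
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        if "NOPASSWD" in line:
            rules.append(line)
    return rules


# Constructed sudoers content for the demo; not from any real host.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: /usr/bin/vim   # "just for editing configs"
backup ALL=(root) /usr/bin/rsync
"""


def demo() -> dict:
    """Build a throwaway tree with one of each problem and run the checks against it."""
    with tempfile.TemporaryDirectory() as base:
        bin_dir = os.path.join(base, "opt", "tool", "bin")
        os.makedirs(bin_dir)
        helper = os.path.join(bin_dir, "helper")
        with open(helper, "wb") as f:
            f.write(b"#!/bin/sh\necho hi\n")
        os.chmod(helper, 0o6755)             # setuid+setgid bits on an executable
        os.chmod(bin_dir, 0o777)             # world-writable directory, and it is on PATH below
        conf = os.path.join(base, "etc", "app.conf")
        os.makedirs(os.path.dirname(conf))
        open(conf, "wb").close()
        os.chmod(conf, 0o666)                # world-writable config file
        tmp = os.path.join(base, "tmp")
        os.makedirs(tmp)
        os.chmod(tmp, 0o1777)                # sticky world-writable dir: expected, not reported
        for sub in ("opt", os.path.join("opt", "tool"), "etc"):
            os.chmod(os.path.join(base, sub), 0o755)   # pin modes so umask cannot skew the demo

        found = audit_tree(base)
        rel = lambda paths: [os.path.relpath(p, base) for p in paths]
        return {
            "suid_sgid": rel(found["suid_sgid"]),
            "world_writable_files": rel(found["world_writable_files"]),
            "world_writable_dirs": rel(found["world_writable_dirs"]),
            "writable_path_dirs": rel(writable_path_dirs([bin_dir, "/nonexistent/bin"])),
        }


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

On a live host, compare the `suid_sgid` list against a baseline taken at build time rather than eyeballing it; a new setuid binary appearing after deployment is the finding, not the presence of `passwd` or `sudo`. The sudoers check reads text you pass in (`sudo -l` output or `/etc/sudoers` plus `/etc/sudoers.d/*`), so it needs no privileges of its own.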

2016-046: BlackNurse, Buenoware, ICMP, Atombombing, and PDF converter fails

This week, Mr. Boettcher found himself with an interesting conundrum concerning what happened when he converted a Windows DOCX file to a PDF using a popular #PDF converter software. We discuss what happened, how Software Restriction Policy in Windows kept him safe from a potential malware infection, and the logging that occurred.

After that, we discuss some recent vulnerabilities, like the BlackNurse Resource Exhaustion vulnerability and how you can protect your infrastructure from a DDoS that can occur from someone sending your firewall 300 packets a second... which anyone can do. We discuss Robert Graham's recent run-in with a new surveillance camera and how it was pwned in less time than you think. And learn about the 'buenoware' that has been released that 'patches' IoT and embedded devices... But does it do more harm than good, and is it legal? All that and more this week on Brakeing Down Security Podcast!

Check out our official #Slack Channel! Sign up at https://brakesec.signup.team

Next Book Club session is 29 November 2016. Our current book for study is 'Software Security: Building Security In' by Dr. Gary McGraw: https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705 (ebook is available on Safari Books Online)

Recent tweet from @boettcherpwned about an infected docx with macros, and we discuss why Foxit PDF runs the macros and open_document: https://twitter.com/boettcherpwned/status/799726266693713920
Brakesec Podcast about Software Restriction Policy and Application Whitelisting on Windows: http://traffic.libsyn.com/brakeingsecurity/2016-018-software_restriction_policy-applocker.mp3
Rob Graham (@ErrataRob): new camera pwned by #Mirai botnet and others within 5 minutes: https://twitter.com/newsyc200/status/799761390915424261

#BlackNurse
https://nakedsecurity.sophos.com/2016/11/17/blacknurse-revisited-what-you-need-to-know/
http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/
http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack
ICMP Type 3, Code 3 (Destination Port Unreachable): http://www.faqs.org/rfcs/rfc792.html

#SHA1 deprecated on website certs by Chrome on 1 January 2017: http://www.darkreading.com/operations/as-deadline-looms-35-percent-of-web-sites-still-rely-on-sha-1/d/d-id/1327522

#Benevolent #malware (buenoware): https://isc.sans.edu/diary/Benevolent+malware%3F+reincarnaLinux.Wifatch/21703

#Atombombing
http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions
https://breakingmalware.com/injection-techniques/atombombing-cfg-protected-processes/
http://www.pandasecurity.com/mediacenter/malware/atombombing-windows-cybersecurity/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-046-Black_Nurse_buenoware_IoT_pwnage.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-046-blacknurse-buenoware/id799131292?i=1000378076060&mt=2
Youtube: https://www.youtube.com/watch?v=w-FEJuWGXaQ

Nov 21, 2016, 44 min
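BlackNurse, as discussed in the episode above, is a flood of ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) messages that exhausts CPU on some firewalls, so the signal to watch is the per-source rate of exactly that type/code rather than total ICMP volume: a handful of port-unreachables per second from a real host is ordinary UDP traffic. The following is an added example written for this page (not code from the episode or the linked write-ups): an ICMP header parser with the RFC 1071 checksum, and a sliding-window detector that alerts when one source crosses a rate threshold. The "300 packets a second" figure from the show note is used only as the default threshold; the packets and source addresses are constructed.

```python
"""ICMP parser plus a per-source rate detector for the BlackNurse traffic pattern.

Added example; the threshold, the sample packets and the addresses are constructed.
"""
import struct
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit ones'-complement sum, complemented.
    Computed over a valid packet (checksum field included) the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed ICMP message: 8-byte header (type, code, checksum, 4 'rest' bytes) + payload."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload


def parse_icmp(packet: bytes) -> Optional[Tuple[int, int]]:
    """Return (type, code) for a well-formed ICMP message; None if truncated or checksum fails."""
    if len(packet) < 8:
        return None
    icmp_type, code, _csum, _rest = struct.unpack("!BBHI", packet[:8])
    if icmp_checksum(packet) != 0:
        return None
    return icmp_type, code


class BlackNurseDetector:
    """Sliding-window count of Type 3 / Code 3 messages per source address."""

    def __init__(self, pps_threshold: int = 300, window_s: float = 1.0) -> None:
        self.pps_threshold = pps_threshold
        self.window_s = window_s
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, src: str, ts: float, packet: bytes) -> bool:
        """Feed one packet; True when `src` reaches the threshold inside the window."""
        if parse_icmp(packet) != (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
            return False                      # other ICMP, or malformed: not this attack
        window = self._seen[src]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()                  # expire timestamps older than the window
        return len(window) >= self.pps_threshold


def demo() -> dict:
    """Constructed traffic: a normal host, a flood source, and an echo flood that must not match."""
    det = BlackNurseDetector(pps_threshold=300, window_s=1.0)
    # A real unreachable quotes the offending IP header + 8 bytes; 28 bytes stand in for that here.
    unreachable = build_icmp(ICMP_DEST_UNREACH, CODE_PORT_UNREACH, b"\x45" + b"\x00" * 27)
    echo = build_icmp(ICMP_ECHO_REQUEST, 0, b"ping")

    # Five port-unreachables in half a second: what a host answering stray UDP looks like.
    benign_flagged = any(det.observe("192.0.2.10", 0.1 * i, unreachable) for i in range(5))

    # 400 of them in 0.4 s from one source: the alert fires on the 300th.
    first_alert_packet = None
    for i in range(400):
        if det.observe("198.51.100.7", 10.0 + i / 1000.0, unreachable) and first_alert_packet is None:
            first_alert_packet = i + 1

    # Same rate of echo requests is a different problem and must not trip this detector.
    echo_flagged = any(det.observe("203.0.113.5", 20.0 + i / 1000.0, echo) for i in range(400))

    return {
        "benign_flagged": benign_flagged,
        "first_alert_packet": first_alert_packet,
        "echo_flood_flagged": echo_flagged,
    }


if __name__ == "__main__":
    print(demo())
```

In production the `observe()` call would be fed from a capture (the IP header's source address and the ICMP payload after the IP header) and the threshold tuned from a baseline of the edge device's normal unreachable rate; the mitigation the linked vendor notes describe is rate-limiting or dropping Type 3/Code 3 at the edge, which this detector only tells you when to do.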

2016-044: Chain of Custody, data and evidence integrity

During a Security Incident, or in the course of an investigation, it may become necessary to gather evidence for further use in a possible court case in the future. But if you don't have $4,000 to $10,000 USD for fancy forensic software, you'll need to find methods to preserve data, establish proper integrity, and have a proper custody list to show who handled the data, how it was collected, etc. This podcast was not meant to turn you into an expert, but instead to go over the finer points of the process, and even where you should turn if you need help.

Certified Ethical Hacker book I was referencing in the show: http://www.wiley.com/WileyCDA/WileyTitle/productCd-1119252245,miniSiteCd-SYBEX.html

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-044-Evidence_chain_of_custody_data_integrity.mp3
#YouTube: https://www.youtube.com/watch?v=aJA2ry6npKI
#iTunes: https://itunes.apple.com/us/podcast/2016-044-chain-custody-data/id799131292?i=1000377566298&mt=2

Nov 7, 2016, 47 min
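The episode above argues you can preserve evidence integrity and a custody trail without commercial forensic tooling. The following is an added example for this page (not a tool the episode mentions) of what that looks like with nothing but the standard library: each evidence item is identified by its SHA-256 taken at collection, and every custody event is appended to a log in which each entry carries the hash of the previous entry, so editing, deleting or reordering an entry breaks every link after it. The record layout, field names, handlers and timestamps are this example's own constructed choices.

```python
"""Evidence integrity and a tamper-evident chain-of-custody log, using only hashlib.

Added example for this page; the evidence file and custody events are constructed.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS = "0" * 64          # prev_hash of the first event


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so disk images larger than RAM hash fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


@dataclass
class CustodyEvent:
    seq: int
    timestamp: str          # ISO 8601 UTC, supplied by the caller (keeps the demo deterministic)
    action: str             # collected | transferred | examined | returned
    handler: str            # person who had physical control
    evidence_sha256: str    # hash of the item as verified at this hand-off
    note: str
    prev_hash: str          # entry_hash of the previous event, GENESIS for the first
    entry_hash: str = ""

    def compute_hash(self) -> str:
        """Hash of every field except entry_hash, over a canonical JSON encoding."""
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canon).hexdigest()


class CustodyLog:
    def __init__(self) -> None:
        self.events: List[CustodyEvent] = []

    def record(self, timestamp: str, action: str, handler: str,
               evidence_sha256: str, note: str = "") -> CustodyEvent:
        prev = self.events[-1].entry_hash if self.events else GENESIS
        ev = CustodyEvent(len(self.events), timestamp, action, handler,
                          evidence_sha256, note, prev)
        ev.entry_hash = ev.compute_hash()
        self.events.append(ev)
        return ev

    def verify(self, current_evidence_sha256: Optional[str] = None) -> List[str]:
        """List of problems; empty means the chain is intact and the evidence is unchanged."""
        problems: List[str] = []
        prev = GENESIS
        for i, ev in enumerate(self.events):
            if ev.seq != i:
                problems.append(f"event {i}: sequence gap (seq={ev.seq})")
            if ev.prev_hash != prev:
                problems.append(f"event {i}: prev_hash does not match event {i - 1}")
            if ev.compute_hash() != ev.entry_hash:
                problems.append(f"event {i}: entry_hash mismatch (entry altered)")
            prev = ev.entry_hash
        if current_evidence_sha256 is not None and self.events:
            if current_evidence_sha256 != self.events[0].evidence_sha256:
                problems.append("evidence hash differs from hash taken at collection")
        return problems


def demo() -> dict:
    """Collect a constructed image, hand it off twice, then tamper with the log and the image."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "laptop-disk.img")
        with open(img, "wb") as f:
            f.write(b"constructed sample evidence bytes\n" * 1000)
        digest = sha256_file(img)

        log = CustodyLog()
        log.record("2016-11-07T09:00:00Z", "collected", "B. Brake", digest, "imaged, write blocker on")
        log.record("2016-11-07T09:30:00Z", "transferred", "B. Boettcher", digest, "sealed bag 1")
        log.record("2016-11-08T14:00:00Z", "examined", "B. Boettcher", digest, "read-only mount")
        clean = log.verify(sha256_file(img))

        # Someone rewrites the hand-off and even recomputes that entry's own hash:
        # the next entry's prev_hash still points at the original value.
        log.events[1].handler = "unknown"
        log.events[1].entry_hash = log.events[1].compute_hash()
        tampered_log = log.verify(sha256_file(img))
        log.events[1].handler = "B. Boettcher"
        log.events[1].entry_hash = log.events[1].compute_hash()   # back to the original chain

        with open(img, "ab") as f:                                # one byte appended to the image
            f.write(b"\x00")
        tampered_evidence = log.verify(sha256_file(img))

    return {"clean": clean, "tampered_log": tampered_log, "tampered_evidence": tampered_evidence}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v or "ok")
```

Two caveats a practitioner would add. The chain only detects tampering if its final `entry_hash` is recorded somewhere the log's custodian cannot quietly change (printed and initialed on the paper form, sent to a second person, or signed), because whoever can rewrite the whole file can simply rebuild the chain. And the collection hash should also be reproduced with an independent tool (`sha256sum` on the image) so the number on the form does not depend on this script being trusted.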

2016-043: BSIMMv7, a teachable moment, and our new Slack Channel!

**Brakeing Down Security has a Slack channel now... just go to https://brakesec.signup.team and follow the instructions to have the bot add you to our show's official channel.**

Every year, organizations come out with industry reports that show how well or, more often than not, how poorly we are doing. We always enjoy reviewing the BSIMM report, because it's unvarnished, and a good measure of a good number of industry verticals, like finance, manufacturing, cloud, and even companies that make IoT devices. Join Mr. Boettcher and me this week as we go over the findings of the report, discuss what got better, what still sucks, and what we shouldn't fault companies for not having.

We also have a teachable moment when I discuss a security faux pas that happened to me (Bryan) recently regarding an email account and my Skype. 2 factor authentication is your friend, and if it's available, use it. Mr. Boettcher discusses some recent malware that has reared its ugly head, and how to detect it.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-043-BSIMMv7.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-043-bsimmv7-teachable/id799131292?i=1000377394890&mt=2
YouTube: https://www.youtube.com/watch?v=I3FLSLSSb_Y

Nov 1, 2016, 1h 14m

2016-042-Audio from Source Seattle 2016 Conference

Join us for a special episode this week! I (Bryan) was able to attend my first Source Seattle convention. Two days of talks, technical and non-technical, combining red/blue team concepts, as well as professional development, to help you navigate the corporate waters easier. I was able to interview a number of people from the conference. You can see a partial list of them here: http://www.sourceconference.com/single-post/2016/09/30/SOURCE-Seattle-Highlights

Interviewed Chip McSweeney from OpenDNS (@chipmcmalware) and Rob Cheyne about the conference, and got a bit of information about Chip's talk on "Domain Generating Algorithms" (DGA) that #malware use for domain C&C, and how to detect and reverse certain algos. Rob Cheyne is the organizer of Source, so we talked a bit about the history and difficulties of putting on 3 of these a year, and what makes the "Source" conference format so different.

Masha Sedova was one of the keynote speakers, discussing how she gamified her information security program and got everyone involved. Really excellent talk about changing organizational behavior.

Rob Fuller gave two days of Metasploit training, to show the versatility and to teach about the effectiveness of this tool. I also ask if Metasploit has reached its end, since it's easily detected in many environments. Rob is a great interview and gives me his unvarnished opinion.

Mike Shema from https://cobalt.io/ discussed expanding and tailoring your bug bounty program to suit your organization and to ensure that your bug bounty program is mature. Using private bug bounties, and ensuring proper follow-through in a timely manner, can ensure maximum bang for the buck.

Last but not least, Deidre Diamond, who did a keynote about 'Words to Stop Using Now'. Deidre is the CEO of a national cyber security staffing company (Cyber Security Network) and Founder of a not-for-profit that empowers women in the infosec industry. Hear her thoughts on how leadership training is needed in the corporate environment; I ask her why we still need recruiters with hiring sites, and why job descriptions are still a thorn in everyone's sides.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-042-Source_Seattle_2016_audio.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-042-audio-from-source/id799131292?i=1000377063127&mt=2
YouTube: https://www.youtube.com/watch?v=sj_SD2k7zXw

Oct 24, 2016, 1h 32m

2016-041- Ben Johnson, company culture shifts, job descriptions, cyber self-esteem

Ben Johnson has been around the industry for a good while, and has seen a lot of ugly things in it. Ben wrote a recent blog post (https://www.carbonblack.com/2016/08/12/benvlog-3-negative-forces-driving-security/) detailing the issues that seem to plague many companies and many people in the infosec community. We talked about these issues in depth, how companies and even the employees in a company can ease some of their burdens, and how they can make some changes to make their company culture better.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-041-Ben_johnson.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-041-ben-johnson-company/id799131292?i=1000376744922&mt=2
YouTube: https://www.youtube.com/watch?v=HrTPH97-YIY

Oct 17, 2016, 1h 11m

2016-040: Gene_Kim, Josh_Corman, helping DevOps and Infosec to play nice

If you work in a #DevOps environment, you're on one side of the fence... you're either with the devs, you have freedom to make changes, and everything is great. If you're on the Security and/or Compliance side, it's a desolate wasteland of watching people play fast and loose with policies, no one documenting anything, and you're seen as a 'barrier' to getting the new hotness out. But does it have to be that way? This week, we sat down with DevOps veterans Gene Kim and Josh Corman to discuss how we can get security, compliance, and DevOps to play nice with one another.

Gene Kim's new book (excerpt): http://itrevolution.com/handbook-excerpt

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-040-Gene_Kim-Josh_Corman-Getting_Security-and_DevOps_playing_nice.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-040-gene-kim-josh-corman/id799131292?i=1000376417012&mt=2
YouTube: https://www.youtube.com/watch?v=fOuSRYJtiKo

Oct 10, 2016, 1h 1m

2016-039-Robert Hurlbut, Threat Modeling and Helping Devs Understand Vulnerabilities

Join us this week as Robert Hurlbut (@roberthurlbut on Twitter), an independent consultant with over 25 years of application experience, helps us understand the best methods for getting developers on the same level as security professionals with application security flaws. We also discuss some of the soft skills involved in bringing new concepts to organizations, like teaching proper coding conventions, changing up the development lifecycle, and helping to improve the skills of developers and managers.

Robert's website is chock full of good information about threat modeling and secure coding practices: http://www.roberthurlbut.com

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-039-Robert_Hurlbut-threat_modeling_and_analysis.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-039-robert-hurlbut-threat/id799131292?i=1000376171899&mt=2
YouTube: https://www.youtube.com/watch?v=P5jEVJTymOg

Oct 4, 2016, 1h 15m

2016-038-Derbycon Audio and 2nd Annual Podcast with Podcasters!


Mr. Brian Boettcher and I had a great time at DerbyCon. We met so many people and it really was excellent meeting all the fans who came up and said "Hello" or that they really enjoyed the #podcast. It is truly a labor of love and something that we hope everyone can learn something from.

We got some audio while at lunch at #Gordon #Biersch, talking about log monitoring, inspired by @dualcore's #Anti-Forensics talk (http://www.irongeek.com/i.php?page=videos/derbycon6/310-anti-forensics-af-int0x80-of-dual-core), and how to evade log monitoring, with Mr. Brian Boettcher and Michael Gough. (shout-out to @mattifestation, @dualcore, @baywolf88, @carlos_perez)

We sat down with Mr. Osman (@surkatty) from the Sound Security Podcast (@SoundSec), who was a first time attendee at #DerbyCon. We get his thoughts about DerbyCon and what talks he enjoyed.

Finally, our 2nd Annual podcast with our fellow podcasters was on. We had it in Bill Gardner's room, with Bill (ReBoot-It podcast, @oncee), Amanda Berlin (@infosystir) from the #Hurricane #Labs Podcast, Jerry Bell (@MaliciousLink) from the #Defensive #Security Podcast, Ben Heise (@benheise) from the Rally #Security Podcast, Tim DeBlock (@TimothyDeBlock) from the Exploring Information Security Podcast, and SciaticNerd (@sciaticnerd) from the Security Endeavors podcast.

IronGeek's website has all the videos available here: http://www.irongeek.com/i.php?page=videos/derbycon6/mainlist
Whiskey Bent Valley Boys: http://whiskeybentvalley.tumblr.com/ or iTunes: https://itunes.apple.com/us/artist/whiskey-bent-valley-boys/id318874442

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-038-Derbycon_podcast.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-038-derbycon-audio-2nd/id799131292?i=1000375934157&mt=2
YouTube: https://www.youtube.com/watch?v=W7ylsfwGyhc

Sep 28, 2016, 1h 24m

2016-037: B1ack0wl, Responsible Disclosure, and embedded device security

Have you ever found a #vulnerability and wondered if it was worth the time and effort to reach back to the company in question to get the fix in? This week, we have a story with Mr. "B1ack0wl", who found a vulnerability in certain #Belkin #embedded network devices for end users... We also find out how B1ack0wl learned his stock-in-trade. Find out how he discovered it, what steps he took to disclose it, and what ended up happening to the finding.

Exploit-DB entry: https://www.exploit-db.com/exploits/40332/
http://www.devttys0.com/ -- #embedded device hacking blog
http://io.netgarage.org/ -- #wargame site #B1ack0wl mentioned

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-037-b1ack0wl_responsible_disclosure-belkin_routers.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-037-b1ack0wl-responsible/id799131292?i=1000375462991&mt=2
YouTube: https://www.youtube.com/attribution_link?a=kChiecG0Sv4&u=/watch%3Fv%3D9_qS2s3GrT4%26feature%3Dem-upload_owner

Sep 14, 2016, 1h 6m

2016-036: MSSP pitfalls, with Nick Selby and Kevin Johnson

Nick Selby (@nselby on Twitter) is an independent consultant who works a wide variety of jobs. During a recent engagement, he ran into an interesting issue after a company called him in to handle an incident response. It wasn't with the client, it was with the Managed Security Service Provider (#MSSP). His blog post about the incident made big news on Twitter and elsewhere.

Nick's Blog Post: https://nselby.github.io/When-Security-Monitoring-Provides-Neither-Security-Nor-Monitoring/

So, we wanted to have Nick on to discuss any updates that occurred, and also asked an MSSP owner, Kevin Johnson from SecureIdeas (@secureideas on Twitter), as Kevin is well versed with both sides, being a customer and running an MSSP with his product, Scout (https://secureideas.com/scout/index.php).

We go over what an MSSP is (or what each person believes an MSSP is), we discuss the facts from Nick and his client's side, we try and put ourselves in the shoes of the MSSP, and ask if they handled the issue properly. We also find out how Nick managed to save the day, and the tools they used to solve the problem. We did a whole podcast on it, and maybe it's time to re-visit that...

Finally, we discuss the relationship between an MSSP and the customer, what expectations each party should have of the other, and what the real questions are that each should ask one another when you're searching out an MSSP.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-036-mssp-nick_selby-kevin_johnson.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-036-mssp-pitfalls-nick/id799131292?i=1000375157370&mt=2
YouTube: https://www.youtube.com/watch?v=b1rEpaBAKpQ

Sep 11, 2016 (1h 8m)

2016-035-Paul Coggin discusses the future with Software Defined Networking

Paul Coggin is my SME when I need to know about anything network #security related. This time, we wanted to have him on our show to discuss Software Defined Networking (#SDN). Software defined networking allows applications to make connections, manage devices and even control the network using #APIs. In effect, it allows any developer to become a network engineer. Obviously this could be a recipe for disaster if the developer doesn't fully understand the ramifications. And there's more good news (if you're a black hat): there's no role-based security, parts of the #specification aren't fully fleshed out yet, and vendors have frameworks of their own that may not be fully interoperable with each other... Paul talks to us about some background on #SDN, some of the pitfalls, and what you need to think about when implementing Software Defined Networking.
Links referred to in the show:
https://www.rsaconference.com/writable/presentations/file_upload/tech-r03-sdn-security-v3.pdf
https://www.blackhat.com/docs/eu-14/materials/eu-14-Pickett-Abusing-Software-Defined-Networks-wp.pdf
http://onosproject.org/2015/04/03/sdn-and-security-david-jorm/
https://people.eecs.berkeley.edu/~rishabhp/publications/Sphinx.pdf
https://www.opendaylight.org/
https://www.opennetworking.org/certification
Raspberry Pi as an OpenFlow controller: https://faucet-sdn.blogspot.com/2016/06/raucet-raspberry-pi-faucet-controlling.html
Zodiac FX SDN boards (Excellent customer service!): http://northboundnetworks.com/
Excellent site discussing SDN: http://www.ipspace.net/Main_Page
Coursera SDN course: https://www.coursera.org/learn/sdn
Brakeing Down Security RSS: http://www.brakeingsecurity.com/rss
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-035-Paul_Coggin_SDN.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-035-paul-coggin-discusses/id799131292?i=1000374972931&mt=2 YouTube: https://www.youtube.com/watch?v=YuuNzeiexUY

Sep 6, 2016 (1h 13m)

2016-034: Sean Malone from FusionX explains the Expanded Cyber Kill Chain

Another great #rejectedTalk we found was from Sean Malone (@seantmalone on Twitter). The Cyber Kill Chain is a model we use to explain the methodology of hackers and the process of hacking. In this discussion, we find Sean has expanded the #killchain to be more selective, and to show the decision tree once an attacker has gained access to hosts. This expanded #killChain is also effective for understanding when #hackers are attacking specific systems, like #SCADA, or other specialized systems or networks, like the #SWIFT banking transfer network. This discussion is also great for showing management the time and effort required to gain access to systems. We also talk about the #OODA loop (https://en.wikipedia.org/wiki/OODA_loop) and how disrupting it will often cause attacks to go awry or be stunted, reducing their effectiveness. Sean T. Malone's website: http://www.seantmalone.com/ Slides and presentation referred to in the podcast: http://www.seantmalone.com/docs/us-16-Malone-Using-an-Expanded-Cyber-Kill-Chain-Model-to-Increase-Attack-Resiliency.pdf
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-034-CyberKillChain.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-034-sean-malone-from/id799131292?i=1000374642630&mt=2 YouTube: https://www.youtube.com/watch?v=eBOCjaGmbMg

Aug 28, 2016 (1h 40m)

2016-033: Privileged Access Workstations (PAWs) and how to implement them

Bill V. (@blueteamer on Twitter) was the first in a series we like to call "2nd Chances: Rejected Talks". Bill had a talk that was initially rejected at DerbyCon (later accepted after someone else cancelled). Here is the synopsis of his talk, which you can now see at DerbyCon: Privileged Access Workstations (PAWs) are hardened admin workstations implemented to protect privileged accounts. In this talk I will discuss my lessons learned while deploying PAWs in the real world as well as other techniques I've used to limit exposure to credential theft and lateral movement. I hope to show fellow blue teamers these types of controls are feasible to implement, even in small environments. TechNet article referenced on the show: https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-033-PAWs-Bill_Voecks-Rejected_Talks.mp3 RSS: http://www.brakeingsecurity.com/rss iTunes: https://itunes.apple.com/us/podcast/2016-033-privileged-access/id799131292?i=1000374432509&mt=2 YouTube: https://www.youtube.com/watch?v=0DwR9RcEBo0

Aug 22, 2016 (57 min)

2016-032-BlackHat-Defcon-Debrief, Brakesec_CTF_writeup, and blending in while traveling

Co-host Brian Boettcher went to BlackHat and Defcon this year, as an attendee of the respective cons, but also as a presenter at "Arsenal", which is a venue designed to showcase up-and-coming software and hardware tools. We started off by asking him about his experiences at Arsenal, and how he felt about "Hacker Summer Camp". Our second item was to discuss the recent Brakesec Podcast CTF we held to give away a free ticket to DerbyCon. We discussed some pitfalls we had, how we'll prepare for the contest next year, and the steps it took to solve the challenges. The final item of the night was travel security, since the Olympics are on and there was a report about Olympic athletes who were robbed at gunpoint. We discuss safety while traveling, keeping a low profile, reducing risk, and remind you to leave the overly patriotic shirts and apparel at home.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-032-Defcon-blackHat_debrief-travel-security_CTF-writeup-final.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-032-blackhat-defcon-debrief/id799131292?i=1000374155086&mt=2 YouTube: https://www.youtube.com/watch?v=Df-JL-PiGus

Aug 15, 2016 (59 min)

2016-031:DFIR rebuttal and handling incident response

A couple of weeks ago, we discussed on our show that not all incident response events require digital forensics. We got quite a bit of feedback about that episode, so in an effort to address it, we brought Brian Ventura on. Brian has 20+ years in Information Technology, ranging from systems administration to project management and information security. He is an Information Security Architect in Portland, Oregon and volunteers as the Director of Education for the Portland ISSA Chapter. Brian holds his CISSP and GCCC, as well as other industry certifications. As the Director of Education, Brian coordinates relevant local and online training opportunities. We discuss definitions of digital forensics, and how broad a range of activities that term really covers. Brian will be teaching SEC566 in Long Beach in September. Here is the link for more information and to sign up for this course: https://www.sans.org/community/event/sec566-long-beach-26sep2016-brian-ventura
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-031-DFIR_discussion_and_rebuttal.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-031-dfir-rebuttal-handling/id799131292?i=1000373849931&mt=2 YouTube: https://www.youtube.com/watch?v=e3Dy001GdWM

Aug 8, 2016 (59 min)

2016-030: Defending Against Mimikatz and Other Memory based Password Attacks

In the last few years, security researchers and hackers have found an easy way of gaining access to passwords without having to dump the Windows password hashes. On an improperly configured system, the passwords are stored in memory, often in plain text. This week, we discuss Mimikatz, and methods by which you can protect your environment by hardening Windows against such attacks.
Links to blogs:
https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft
http://blog.gojhonny.com/2015/08/preventing-credcrack-mimikatz-pass-hash.html
https://jimshaver.net/2016/02/14/defending-against-mimikatz/
Praetorian Report on pentests: http://www3.praetorian.com/how-to-dramatically-improve-corporate-IT-security-without-spending-millions-report.html
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-030-Defense_against_Mimikatz.mp3 YouTube: https://www.youtube.com/watch?v=QueSEroKR00 iTunes: https://itunes.apple.com/us/podcast/2016-030-defending-against/id799131292?i=1000373511591&mt=2

Jul 31, 2016 (35 min)

2016-029: Jarrod Frates, steps when scheduling a pentest, and the questions you forgot to ask...

Jarrod Frates (@jarrodfrates on Twitter) has been doing pentests as a red-team member for a long time. His recent position at #InGuardians sees him engaging many companies who have realized that a typical 'pentest #puppymill' or a pentest from certain companies just isn't good enough. Jarrod has also gone on more than a few engagements where he has found that the client in question has no idea what a 'real' pentest is, and worse, they often have the wrong idea of how it should go. This week, I sat down with Jarrod and we talked about what needs to occur before the pentest, even before you contact the pentesting firm... even, in fact, before you should consider a pentest at all. We discuss what a pentest is, and how it's different from a 'vulnerability assessment' or a code audit. Jarrod and I discuss the overarching requirements of the pentest (are you doing it 'just because', or do you need to check a box for compliance?). We ask questions like: Who should be involved in setting scope? Should #Social #Engineering always be a part of a pentest? Who should be notified if/when a #pentest is to occur? Should your SOC be told when one occurs? What happens if the pentest causes incident response to be called (for example, if someone finds a malware/botnet infection)? And how long do you want the engagement to be? Depending on the politics involved, these things can affect the quality of the pentest, and the cost as well... It was a great discussion with Jarrod, a seasoned professional and veteran of many engagements. If your organization is about to engage a company for a pentest, you'd be wise to take a moment and listen to this.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-029-Jarrod_Frates-What_to_do_before_a_pentest_starts.mp3 #iTunes: https://itunes.apple.com/us/podcast/2016-029-jarrod-frates-steps/id799131292?i=1000373091447&mt=2 #YouTube: http://www.youtube.com/attribution_link?a=p2oq6jT3Iy0&u=/watch%3Fv%3DsTc_seN-hbs%26feature%3Dem-upload_owner

Jul 25, 2016 (1h 22m)

2016-028: Cheryl Biswas discusses TiaraCon, Women in Infosec, and SCADA headaches

Long-time listeners will remember Ms. Cheryl #Biswas as one of the triumvirate we had on to discuss #mainframes and mainframe #security (http://traffic.libsyn.com/brakeingsecurity/2016-008-mainframe_secruity.mp3). I was interested in the goings-on at BlackHat/DefCon/BsidesLV, and heard about #TiaraCon (@tiarac0n on Twitter). I went to find someone involved to understand what it was all about, and Ms. Cheryl reached out. She's an #organizer and was more than happy to sit down with me and explain why it was started. This is its inaugural year, and they already have some excellent schwag and sponsors. This is not just an event for ladies, but a way of #empowering #women, creating #mentorship opportunities, and providing assistance for people moving into the #infosec industry. Also, since Ms. Cheryl loves discussing #ICS and #SCADA problems and headaches, we got into the headaches, #challenges, and maybe some 'logical' solutions to fixing SCADA vulns... but does the logical approach work in a business sense? TiaraCon official site: http://tiaracon.org/ TiaraCon Dates: Thursday Aug 4 - Friday Aug 5
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-028-Cheryl_Biswas_Tiaracon_ICSSCADA_headaches.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-028-cheryl-biswas-discusses/id799131292?i=1000372642921&mt=2 YouTube: https://www.youtube.com/watch?v=vsolDjsz5M4

Jul 17, 2016 (1h 0m)

2016-027: DFIR conference, DFIR policy controls, and a bit of news

Mr. Boettcher is back! We talked about his experiences at the #DFIR conference, and we get into a discussion about the gap between incident response and when you're actually using #digital #forensics. Mr. Boettcher and I discuss what needs to happen before #incident #response is required. We also discuss the Eleanor malware very briefly, and I talk about finding Platypus, which is a tool for creating OSX application packages from python/perl/shell scripts. Platypus: http://sveinbjorn.org/platypus Eleanor Malware on OSX: https://www.grahamcluley.com/2016/07/mac-malware-uses-tor-obtain-access-systems/
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-027-DFIR_policy_controls.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-027-dfir-conference-dfir/id799131292?i=1000372256055&mt=2 YouTube: https://www.youtube.com/watch?v=RPN0nDGYA5c#action=share

Jul 10, 2016 (45 min)

2016-026-powershell exfiltration and hiring the right pentest firm

Adam Crompton (@3nc0d3r) and Tyler Robinson (@tyler_robinson) from InGuardians came by to fill in for my co-host this week. We talk about things a company should do to protect itself against data exfil. Adam then shows us a tool he's created to help automate data exfil out of an environment. It's called 'Naisho', and if you're taking the 'Powershell for Pentesters' class at DerbyCon, you'll be seeing this again, as Adam will be co-teaching that class with Mick Douglas (@bettersafetynet). Tyler tells us about using Cobalt Strike to create persistent connections that are more easily hidden when you are on an engagement. Adam's demo can be found on our YouTube channel: https://youtu.be/rj--BfCvacY Tyler's demo of Throwback and using Cobalt Strike can be found on our YouTube Channel:
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-026-exfiltration_techniques-redteaming_vs_pentesting-and-gaining_persistence.mp3

Jul 3, 2016 (1h 14m)

2016-025-Windows Registry, Runkeys, and where malware likes to hide

The Windows registry has come a long way from its humble beginnings in #Windows 3.11 (Windows for Workgroups). This week, we discuss the structure of the Windows registry, as well as some of the inner workings of the registry itself. We also discuss some good places in the registry to look for malware, some of the key values that you can find in the #registry, and their meanings. We also discuss what atomicity is and how the registry is a lot like a database in how it functions. And no podcast about Windows #forensics should be done without talking about a tool, and our friend David #Longenecker (@dnlongen on Twitter) created a cross-platform tool that allows you to take exports of the registry and analyze them without needing to be physically on the host. You can find RegLister here: http://www.securityforrealpeople.com/2015/08/introducing-new-forensics-tool-reglister.html We finish up discussing our #DerbyCon giveaways and a peek at what will be a very interesting podcast next week.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-025-Windows_Registry-RunKey_artifacts-finding_where_malware_hides.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-025-windows-registry/id799131292?i=1000371465676&mt=2

Jun 27, 2016 (50 min)

2016-024: Kim Green, on CISOaaS, the Redskins Laptop, and HIPAA

We are pleased to introduce Ms. Kim Green (Twitter: @kim1green). She is the CEO of KAZO Security, as well as the CISO/CPO of Zephyr Health, a #SaaS based #Healthcare data #analytics company. She brings over 20 years of experience in healthcare and leadership to help small and medium-sized businesses get help from a #CISO in an advisory role. Ms. Green also started a bug bounty program at Zephyr Health to assist them in shoring up their application, finding #vulnerabilities that their internal teams may have missed. We discuss with her why they decided to make it a private bug bounty, and what the result was. More about the bug bounty: https://www.youtube.com/watch?v=GbW777t1tTA We also discuss why #HIPAA seems to be so far behind in terms of being able to protect #PHI/#PII and what, if anything, can be done to fix it. http://www.darkreading.com/analytics/hipaa-not-helping-healthcares-software-security-lagging/d/d-id/1322715 We finish up discussing a recent news story about how the National Football League (#NFL) team the Washington Redskins had a trainer lose a laptop with the PII and health information of several thousand NFL players. We discuss why they did not violate HIPAA, and what, if anything, they did violate.
https://www.washingtonpost.com/news/dc-sports-bog/wp/2016/06/01/nfl-players-medical-records-reportedly-stolen-from-redskins-trainers-car/
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-024-Kim_Green-HIPAA-CISO_as_a_service-HIPAA_maturity_redskins-laptop.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-024-kim-green-on-cisoaas/id799131292?i=1000371021883&mt=2 YouTube: https://www.youtube.com/watch?v=F9zvkeuON4I&list=PLqJHxwXNn7guMA6hnzex-c12q0eqsIV_K&index=1

Jun 20, 2016 (1h 13m)

2016-023- DNS_Sinkholing

Picture yourself in the middle of a security incident... a malware infection, or hosts on your network that are part of a botnet. You've figured out how the malware is communicating with its command and control servers, but if you just kill the connection, the malware stops functioning. What do you do? In some cases, you might be able to employ a DNS #sinkhole to route traffic harmlessly to or through a honey network that can be used to further analyze things like #infection vectors, #protocols, commands, and #network movement. You can also use #DNS sinkholing to disable the malware if certain conditions are met. Like most tools, sinkholing can be used for good, but there are legal issues if it's used incorrectly. We discuss some of the legalities. It won't disable all malware or exploit kits, but for some infections, this is another tool in your toolbox you can employ. In a continuation from last week's show with Earl Carter about the #Angler #Exploit Kit, we discuss how Angler is able to bypass #EMET and #ASLR protections...
https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-023-DNS_Sinkholes2.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-023-dns-sinkholing/id799131292?i=1000370572088&mt=2 YouTube: https://youtu.be/67huikA2QFg
Links we used to discuss sinkholing:
Basic sinkhole app using BIND: https://isc.sans.edu/forums/diary/DNS+Sinkhole+ISO+Available+for+Download/9037/
*UPDATED literally hours after I posted this show* Version 2.0 of the DNS sinkhole ISO: https://isc.sans.edu/diary/21153
http://resources.infosecinstitute.com/dns-sinkhole
https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/content-inspection-features/dns-sinkholing
https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523
http://www.darkreading.com/partner-perspectives/general-dynamics-fidelis/principles-of-malware-sinkholing/a/d-id/1319769
Blackhole DNS servers: http://www.malware-domains.com/ or http://www.malwaredomains.com/
http://handlers.dshield.org/gbruneau/sinkhole.htm
Malware blackhole DNS campaign (2013): http://www.bleepingcomputer.com/forums/t/511780/dns-sinkhole-campaign-underway-for-cryptolocker/
http://www.darkreading.com/risk/microsoft-hands-off-nitol-botnet-sinkhole-operation-to-chinese-cert/d/d-id/1138455
http://someonewhocares.org/hosts// - massive DNS sinkholing list
Image: https://www.enisa.europa.eu/topics/national-csirt-network/glossary/files/dns_sinkhole

Jun 13, 2016 (39 min)

2016-022: Earl Carter dissects the Angler Exploit Kit

Earl Carter spends all day researching exploit kits and using that information to protect customers from the various malware payloads that spread ransomware. This week we sit down with him to understand the #Angler EK. He starts us off with a history of where it came from and how it gained so much popularity, evolving from earlier EKs like #BlackHole or WebAttacker. We even discuss how it's gone from drive-by downloads, to running only in memory, to being used in malvertising campaigns. We also get to hear about how the creators "rent" out the EK, and how they control the malvertising side as well. Great insights into how the EK ecosystem operates... We talk about some of the vulns used by exploit kits. Contrary to popular belief, the vulns used don't always have to be 0day. Blue teamers will learn valuable insights into protecting their networks from this EK.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-022-earl_carter_dissects_angler_ek.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-022-earl-carter-dissects/id799131292?i=1000370105193&mt=2
Links referenced during the show:
Earl's slides from Bsides Austin: http://www.slideshare.net/EarlCarter3/bsides-anglerevolution-talk-60408313
http://blog.0x3a.com/post/118366451134/angler-exploit-kit-using-tricks-to-avoid-referrer
http://blogs.cisco.com/security/talos/angler-flash-0-day
http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html
https://isc.sans.edu/forums/diary/Angler+exploit+kit+pushes+new+variant+of+ransomware/19681
https://hiddencodes.wordpress.com/2015/05/29/angler-exploit-kit-breaks-referer-chain-using-https-to-http-redirection/
https://heimdalsecurity.com/blog/ultimate-guide-angler-exploit-kit-non-technical-people/

Jun 6, 2016 (57 min)

2016-021: Carbon Black's CTO Ben Johnson on EDR, the layered approach, and threat intelligence

Ben Johnson (@chicagoben on Twitter) has spent a good deal of time working on protecting clients' endpoints, from his work at the NSA to co-founding Carbon Black (@carbonblack_inc). We managed to have him on to discuss EDR (#Endpoint Detection and Response), TTPs (#Tactics, Techniques, and Procedures), and the #Threat #Intelligence industry. Ben discusses with us the Layered Approach to EDR:
1. Hunting
2. Automation
3. Integration
4. Retrospection
5. Patterns of Attack/Detection
6. Indicator-based detection
7. Remediation
8. Triage
9. Visibility
We also discuss how VirusTotal's changes in policy regarding sharing of information are going to affect the threat intel industry. Ben also gives his opinion of our "Moxie vs. Mechanisms" podcast, about businesses spending too much on shiny boxes vs. people. Brakesec apologizes for the audio issues around minute 6 and minute 22. Google Hangouts was not kind to us :(
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-021-Ben_Johnson-Carbon_black-Threat_intelligence.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-021-carbon-blacks-cto/id799131292?i=1000369579669&mt=2 YouTube: https://youtu.be/I10R3BeGDs4 RSS: http://www.brakeingsecurity.com/rss
Show notes: https://docs.google.com/document/d/12Rn-p1u13YlmOORTYiM5Q2uKT5EswVRUj4BJVX7ECHA/edit?usp=sharing
(great info) https://roberthurlbut.com/blog/make-threat-modeling-work-oreilly-2016

May 29, 2016 (57 min)

2016-020-College Vs. Certifications Vs. Self-taught

Dr. Matt Miller is a professor at the University of Nebraska at Kearney. We had him on to discuss a matter that seems to weigh heavily on the infosec community: What will a CS degree get you? What are you learning these days as a future code jockey? Is skipping college altogether better? We discuss what he does to arm future developers with the tools necessary to get a job. We also hear about what they might be lacking. Dr. Miller is also spearheading a new cybersecurity degree track at his university. We discuss what it's like to head that up, and we even get into a bit of discussion on Assembly language. ASM book used in the above class: http://www.drpaulcarter.com/pcasm/ Download here: http://www.drpaulcarter.com/pcasm/pcasm-book-pdf.zip We also discuss the free alternatives for learning out there, and how effective they are. Show notes: https://docs.google.com/document/d/1Grimx_OCSURTktzM5QRKqsG9p9G5LljdleplH1DZQv4/edit?usp=sharing
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-020-College_vs_Certs_vs_self-taught.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-020-college-vs.-certifications/id799131292?i=1000369124337&mt=2 YouTube Playlist: https://www.youtube.com/playlist?list=PLqJHxwXNn7guMA6hnzex-c12q0eqsIV_K RSS FEED: http://www.brakeingsecurity.com/rss
Dr. Miller's CSIT-301 course on Assembly: https://www.youtube.com/playlist?list=PLSIXOsmf9b5WxCMrt9LuOigjR9qMCRrAC
#Twitter: @brakesec @boettcherpwned @bryanbrake @milhous30

May 21, 2016, 54 min

2016-019-Creating proper business cases and justifications

Procurement is a process. Often a long, drawn-out, tedious process, but it is necessary to ensure that the hardware and software you buy are going to work in your organization. We go over what is necessary to make sure your procurement is as smooth as possible. Some of the topics we discuss include:
1. Aligning business goals and operational goals
2. How to discuss ROI with management
3. Getting actionable information for business requirements from affected parties
4. Steering yourself away from confirmation bias or optimism bias, and ensuring you're thinking critically when comparing the current status quo vs. a new solution
5. Information you might want to gather from potential vendors to make a more informed decision as to whether their product is the one you want
And finally, we discuss how to handle the dreaded vendor demos. There may be a number of them, and they are arguably the best way of knowing whether the software or hardware is going to work for you. This is a topic that affects everyone, whether you are a manager or a user of the technology involved. We also like to remind people that our DerbyCon CTF and raffle are still going on. There is plenty of time to get involved if you want a chance to get a ticket to DerbyCon 2016!

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-019-business_cases_and_justifications-final.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-019-creating-proper-business/id799131292?i=1000368774135&mt=2
YouTube Link: https://youtu.be/8sWn1IYpgtY
Links referred to in the show:
http://www.ask.com/business-finance/business-justification-example-cdebe6f929949e8c
http://www.iso20022.org/documents/BJ/BJ044/ISO20022BJ_ATICA_v4_with_comments.pdf
http://klariti.com/business-case-2/business-case-justify-business-need/
https://en.wikipedia.org/wiki/Business_case
https://en.wikipedia.org/wiki/Optimism_bias
http://www.ehow.com/how_6672801_write-business-justification.html
http://www.acqnotes.com/acqnote/careerfields/establishing-software-requirements

May 16, 2016, 54 min

2016-018-software restriction policies and Applocker

Windows has all the tools you need to secure an OS, but we rarely use them. One example of this is 'Software Restriction Policies', a method by which you can block certain files from being saved anywhere, control what file types can be executed in a directory, and even decide whether or not software should be allowed to install. We also discuss the use of parental controls as a cheap, easy method of restricting users from accessing certain websites, installing software from the iTunes store, or using certain functions or applications. Also, the 2nd clue for our CTF can be found in this podcast... see if you can find the giant clue... :)

**NOTE: We had an issue with Mr. Boettcher's Windows 10 install. He's using Windows 10 Home, which does not appear to have AppLocker or Software Restriction Policies by default. So I cut a lot of us bickering^H^H^H^H discussing how to get it to work, so the middle, around the 25:00 mark, will feel a tad off. Apologies... I should have stopped recording.

Links referred to during the podcast:
https://technet.microsoft.com/en-us/library/hh831534.aspx
http://mechbgon.com/srp/ - LOL, mentions the use of 'parental controls' to restrict systems
http://www.instructables.com/id/Getting-past-Software-Restriction-Policies/
http://www.itingredients.com/how-to-deploy-software-restriction-policy-gpo/
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/using-software-restriction-policies-and-applocker-policies
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-018-software_restriction_policy-applocker.mp3
#iTunes Link: https://itunes.apple.com/us/podcast/2016-018-software-restriction/id799131292?i=1000368338483&mt=2

May 9, 2016, 1h 0m

2016-017-The Art of Networking, Salted Hashes, and the 1st annual Podcast CTF!

You might have heard "Network when you can, not when you have to..." The art of networking is creating connections and nurturing relationships that benefit everyone. This week we discuss building networks: creating people networks that allow for the free sharing of ideas and knowledge, whether it be a professional organization, like ISSA or ISC2 meetings, or you just get a bunch of people together to have coffee on a Saturday morning. We also brainstorm ideas on how people in our community keep their skills sharp, and why some seem to let them atrophy once they get a specific certification or degree. We cite examples of things and actions that allow you to gain more knowledge, and to ensure your company will still see you as an SME. CPEs can be gained in the simplest of ways. Just by listening to this podcast, for example, you can receive one CPE (1 hour = 1 CPE); there are many other ways of getting them, and we cite several in this podcast. We also discuss the continued use of unsalted, weakly hashed passwords in systems, and why a recent breach of a custom Minecraft implementation allowed it to occur. But I think the most exciting part of the podcast is the announcement of the 1st annual Brakeing Down Security Podcast CTF! The details can be found in the podcast.

Story: http://news.sky.com/story/1687550/minecraft-hack-exposes-seven-million-passwords
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-017-Networking-Podcast_CTF-salted_hashes.mp3
#iTunes: https://itunes.apple.com/us/podcast/2016-017-art-networking-salted/id799131292?i=367885714&mt=2

May 2, 2016, 1h 2m

2016-016-Exploit Kits, the "Talent Gap", and buffer overflows

Angler, Phoenix, Zeus... all famous exploit kits that are used to move malware into your environment. This week, Mr. Boettcher and I discuss the merits of exploit kits, how they function, and what can be done to stop them. They are only getting more numerous, and they will be serving even more malware in the future. We shift gears and discuss the 'talent gap' the media keeps bringing up, and whether it's perceived or real. We discuss the industry as a whole, what caused the gap, and whether it will get better... *BONUS*... after the audio, listen to me (Bryan) failing at understanding the buffer overflow exercises I'm doing as part of my #OSCP certification...

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-016.-Exploit_kits_Talent_Gaps_and_buffer_overflows.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-016-exploit-kits-talent/id799131292?i=367465364&mt=2

Apr 25, 2016, 1h 0m

2016-015-Dr. Hend Ezzeddine, and changing organizational security behavior

You open the flash animation, click click click, answer 10 security questions that your 5 year old could answer, get your certificate of completion... congratulations, you checked the compliance box... But what did you learn in that training? If you can't remember the next day, maybe it's because the training failed to resonate with you? Have you ever heard a red team #pentester say that the weakest link in any business is not the applications, or the hardware, but the people? If they can't find a vulnerability, the last vulnerability is the people. One email with a poisoned .docx, and you have a shell into a system... Targeted training, and the use of certain styles of #training (presentations, in-person, hand puppets, etc.), can be more effective for certain groups. Also, certain groups should have training based on the threats they might be susceptible to... Dr. Hend #Ezzeddine came by this week to discuss how she helps #organizations get people to understand security topics and concepts, to create a positive security culture. Maybe even a culture that will not click on that attachment...

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-015-Dr._Hend_Ezzeddine_and_finding_security_training_that_works.mp3
iTunes Link: https://itunes.apple.com/us/podcast/2016-015-dr.-hend-ezzeddine/id799131292?i=366936677&mt=2
Dr. Ezzeddine's slides from BSides Austin (referenced during the interview): https://drive.google.com/file/d/0B-qfQ-gWynwiQnBXMnJVeko4M25pdk1Sa0JnMGJrZmltWlRr/view?usp=sharing

**If you are planning on attending "Hack In The Box" in Amsterdam, The Netherlands on 23-27 May 2016, you can receive a 10% discount by entering 'brakesec' at checkout. Get more information at the "Hack In The Box" conference by visiting: http://conference.hitb.org/hitbsecconf2016ams/

Apr 16, 2016, 1h 10m

2016-014-User Training, Motivations, and Speaking the Language

Fresh back from my vacation, Mr. Boettcher and I got to discussing things that have weighed on our minds, and I had a story from my travels that fit in perfectly with our discussion. What does our industry (infosec practitioners) do to motivate people to be secure? Is it a language barrier? I don't mean Spanish/English, but do we do a good job at speaking "user"? How can we do a better job at that if we find ourselves failing? How can speaking 'manager' or 'VP' help us get the help that we need? For many, it's like the difference in communicating with someone who speaks Mandarin. We discussed the need to educate people against thumbdrive insertion, even in the face of a study of people inserting random thumbdrives into their computers. We discuss the motivation of users who do so, whether it's altruistic or malicious: http://www.pc-tablet.co.in/2016/04/07/25826/study-shows-users-access-random-pendrives-computers-overlooking-risk/ We discussed an app logic flaw that was found recently in the news: http://www.digitaltrends.com/mobile/free-pizza/ which is exactly what we were talking about with Ben Caudill a few weeks ago regarding app logic flaws. This flaw has been in the app for a good long time, and while the security researcher saw fit to report it, the ethical implications of keeping it secret could have cost Domino's a lot. Mr. Boettcher gives us a report on BSides Austin, and how it's grown in the past few years. We finish up discussing infosec conferences and how they appear to be thriving. Is it good marketing, or are companies finally understanding their importance?

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-014-User_Training_Motivation_and_Languages.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-014-user-training-motivations/id799131292?i=366433676&mt=2

Apr 8, 2016, 41 min

2016-013-Michael Gough, the ISSM reference model, and the 5 P's

We discuss a model that Michael Gough used while he was at HP. The Information Security and Service Management (ISSM) Reference Model can be used to help companies align their IS and IT goals with the business's goals... If you've been a listener of our podcast for a while now, you might have heard our 2-part podcast on ITIL with Tim Wood, which is a service-based approach to enable your IT and infosec initiatives to also align with your business needs. From the ISSM whitepaper: "organizations need to build and run an integrated service management system that addresses security and risk management as well as the regulatory compliance imposed on the agency while ensuring that agreed services are provided to internal and external customers and managed end-to-end. For agencies and organizations to achieve meaningful service outcomes, technology and agency decision makers need to align their goals and strategies more closely while dealing with an increasing amount of technologies, threats, and regulatory compliance requirements." We discuss the idea of the "5 P's", which are "Policy, Process, People, Products (or technology), and Proof", and how they are important to the implementation of the #ISSM reference model. Finally, we discuss a typical engagement using the ISSM model: creation of the 7 core components, and additionally using a maturity model to self-assess your company in an effort to show transparency into your internal processes.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-013-michael_gough-the_5_Ps.mp3
iTunes: https://itunes.apple.com/us/podcast/2015-013-michael-gough-issm/id799131292?i=365622423&mt=2
Important links:
http://www8.hp.com/h20195/V2/getpdf.aspx/4AA2-2350ENW.pdf?ver=1.0
http://www.digitalgovernment.com/media/Downloads/asset_upload_file772_2477.pdf
https://en.wikipedia.org/wiki/Information_security_management_system
http://www.davebolick.com/SampleNewsletterHPFinancialAdvisor.pdf
http://media.govtech.net/HP_RC_08/Security_RC/ISSM_for_SLG.pdf
Integrating ITIL into infosec:
http://traffic.libsyn.com/brakeingsecurity/2015-018-Integrating_infosec_with_ITIL.mp3
http://traffic.libsyn.com/brakeingsecurity/2015-017_ITIL_and_infosec.mp3
On #Twitter: @brakesec @boettcherpwned @bryanbrake @hackerhurricane
#cobit, #cmmi, #maturity model, #ISSM, #ITIL, #Service, #management, #reference model, #ISO, #27002, #27001, CISSP, #podcast, #infosec, #compliance

Mar 26, 2016, 58 min

2016-012-Ben Caudill on App Logic Flaws, and Responsible Disclosure

Ever bought "-1" of an item on a retail site? Or been able to skip key areas of an application, get past its authentication, or get around a paywall on a site? Application logic flaws are often insidious and not easy to find. They often require a bit of work to bypass, and are often missed by testing groups with rigid test plans, as they violate the expected flow of an application. "Why would they do that? That doesn't make any sense..." often precedes the finding of an application logic flaw. This week, we interview Ben Caudill from Rhino Security, who discussed a logic flaw that could be used to de-anonymize someone by creating fake profiles. We then discuss how Ben went through contacting the company, what happened after initial disclosure, and how it was fixed.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-012-Ben_Caudill-Application_Logic_Flaws.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-012-ben-caudill-on-app/id799131292?i=365094523&mt=2
http://www.geekwire.com/2014/hack-popular-app-secret-seattle-hackers-show-digital-security-always-beta/
http://www.theguardian.com/technology/2014/aug/26/secret-app-cyberbullying-security-hackers
#infosec, #podcast, #CISSP, #CPEs, #vulnerability #disclosure, #responsible #disclosure, #application #security, #logic #flaws, Ben #Caudill, #Rhino #Security

Mar 19, 2016, 51 min

2016-011-Hector Monsegur, deserialization, and bug bounties

Hector Monsegur has had a colorful history. A reformed black hat who went by the name 'Sabu' when he was involved in the hacker collectives "Lulzsec" and "Anonymous", he turned state's evidence for the FBI, working to stop further hacking attempts by the same people he had been working with. https://en.wikipedia.org/wiki/Hector_Monsegur This week, we got to sit down with Hector to find out what he's been doing in the last few years. Obviously, a regular job in the security realm for a large company is not possible for someone with the colorful past that Mr. Monsegur has, so we discuss some of the methods that he's used to make ends meet. Which brings us to the topic of bug bounties. Do they accomplish what they set out to do? Are they worth the effort companies put into them? And how do you keep bounty hunters from going rogue and using the vulnerabilities they find against a company on the side? In an effort to satisfy my own curiosity, I asked Hector if he could explain what a 'deserialization' vulnerability is, and how it can be used in applications. They are different from your run-of-the-mill, everyday-variety OWASP error, but this vulnerability can totally ruin your day... Finally, we ask Hector for some advice for that 'proto black hat' who is wanting to head down the road that Hector went. The answer will surprise you...

We hope you enjoy this most interesting interview with an enigmatic and controversial person, and hope that the information we provide gives another point of view into the mind of a reformed "black hat" hacker...

Download Here: http://traffic.libsyn.com/brakeingsecurity/2016-011-Hector_Monsegur-bug_bounties-serialization.mp3
iTunes Direct Link: https://itunes.apple.com/us/podcast/2016-011-hector-monsegur-serialization/id799131292?i=364768504&mt=2
https://www.contrastsecurity.com/security-influencers/java-serialization-vulnerability-threatens-millions-of-applications
https://securityintelligence.com/one-class-to-rule-them-all-new-android-serialization-vulnerability-gives-underprivileged-apps-super-status/
#infosec, #blackhat, hector #monsegur, #hacker, #anonymous, #lulzsec, #FBI, #Sabu, #deserialization, #bug #bounties, #hackerone, #bugcrowd, #podcast, #de-serialization, #penetration tests, #social #engineering, #CISSP

Mar 14, 2016, 1h 12m

2016-010-DNS Reconnaissance

DNS... we take it for granted... it's just there. And we only know it's broken when your boss can't get to Facebook. This week, we discuss the Domain Name System (DNS). We start with a bit of history, talking about the origins of DNS, some of the RFCs involved in its creation, how its hierarchical structure functions to allow resolution to occur, and even why your /etc/hosts is important. We discuss some of the necessary fields in your DNS records (MX, ALIAS, CNAME, SOA, TXT), and how DNS is used for non-repudiation in email. We also touch on how you can use DNS to enumerate an external network presence when you are the red team, and what you should know to make it harder for bad actors to use your external DNS in amplification attacks. Finally, you can't have a discussion about DNS without talking about how to secure your DNS implementation, so we supply you with a few tips and best practices. Plenty of informational links down below, including links to the actual RFCs (Request for Comments) which detail how DNS is supposed to function. Think of them as the owner's manual for your car.

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-010-DNS_Reconnaissance.mp3
#iTunes: https://itunes.apple.com/us/podcast/2016-010-dns-reconnaissance/id799131292?i=364331694&mt=2
Podcast links we used for information:
http://www.slideshare.net/BizuworkkJemaneh/dns-42357401
300+ million domains registered: https://www.verisign.com/en_US/internet-technology-news/verisign-press-releases/articles/index.xhtml?artLink=aHR0cDovL3ZlcmlzaWduLm13bmV3c3Jvb20uY29tL2FydGljbGUvcnNzP2lkPTIwMTIwNTI%3D
https://technet.microsoft.com/en-us/library/cc770432.aspx
http://security-musings.blogspot.com/2013/03/building-secure-dns-infrastructure.html
http://tldp.org/HOWTO/DNS-HOWTO-6.html
https://en.wikipedia.org/wiki/Domain_Name_System
https://en.wikipedia.org/wiki/DNS_spoofing
http://www.esecurityplanet.com/network-security/how-to-prevent-dns-attacks.html
http://www.firewall.cx/networking-topics/protocols/domain-name-system-dns/161-protocols-dns-response.html
http://www.thegeekstuff.com/2012/05/ettercap-tutorial/
https://isc.sans.edu/forums/diary/New+tricks+that+may+bring+DNS+spoofing+back+or+Why+you+should+enable+DNSSEC+even+if+it+is+a+pain+to+do/16859/
https://support.google.com/a/answer/48090?hl=en
http://www.ecsl.cs.sunysb.edu/tr/TR187.pdf
https://tools.ietf.org/html/rfc882
https://tools.ietf.org/html/rfc883
https://tools.ietf.org/html/rfc1034
https://tools.ietf.org/html/rfc1035

Mar 7, 2016, 49 min

2016-009-Brian Engle, Information Sharing, and R-CISC

We've reached peak "Br[i|y]an" this week when we invited our friend Brian Engle on to discuss what his organization does. Brian is the Executive Director of the Retail Cyber Intelligence Sharing Center. "Created by retailers in response to the increased number and sophistication of attacks against the industry, the R-CISC provides another tool in retailers' arsenal against cyber criminals by sharing leading practices and threat intelligence in a safe and secure way." -- R-CISC website. To learn more, visit https://r-cisc.org/ We discussed with Brian a bit of the history of the #R-CISC, and why his organization was brought into being. We ask Brian "How do you get companies who make billions of dollars a year to trust a competitor enough to share that they might have been compromised?" and "How do you keep the information sharing generic enough to not out a competitor by name, but still actionable enough to spur members to do something to protect themselves?"

Other links:
Veris framework Mr. Boettcher mentions: http://veriscommunity.net/
TAXII protocol: https://taxiiproject.github.io/
STIX: https://stixproject.github.io/
https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari
https://www.paloaltonetworks.com/company/press/2015/palo-alto-networks-joins-the-retail-cyber-intelligence-sharing-center-in-newly-launched-associate-member-program.html
http://www.darkreading.com/cloud/r-cisc-the-retail-cyber-intelligence-sharing-center-signs-strategic-agreement-with-fs-isac-to-leverage-services-and-technologies-for-growth/d/d-id/1320363
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-009-brian_engle_rcisc_information_sharing.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-009-brian-engle-information/id799131292?i=364002695&mt=2
#actionable, #brian, #engle, #cissp, #cpes, #data, #financial, #infections, #isac, #malware, #podcast, #rcisc, #retail, #security, #infosec, #threat #intelligence
Photo of Brian Engle courtesy of https://r-cisc.org

**I (Bryan) apologize for the audio. I did what I could to clean it up. I seriously don't know what happened to screw it up that badly. I can only imagine it was bandwidth issues on my Skype connection**

Feb 29, 2016, 1h 5m

2016-008-Mainframe Security

This week's super-sized episode is brought to us thanks to previous guest Cheryl Biswas. You might remember her from our "Shadow IT" (http://brakeingsecurity.com/2015-048-the-rise-of-the-shadow-it) podcast a few months ago. She reached out to us to see if we were interested in doing a podcast on mainframe security with her and a couple of gentlemen who were not unknown to us. Of course we jumped at the chance! You might know them as @mainframed767 and @bigendiansmalls (Chad) on Twitter. They've been trying to get people to look into mainframes and mainframe security for years. Mainframes are usually used by financial organizations, or older organizations. In many cases, these systems are managed by a handful of people, and if you are a red teamer or pentester you will have little or no help in making sure these systems are as secure as they possibly can be. So, Cheryl (@3ncr1pt3d), @bigendiansmalls, and @mainframed767 (Philip) walk us through how a mainframe functions. We discuss what you might see when a scan hits one, whether it runs a mainframe OS or a Linux 'interface' OS. We also discuss methods you can use to protect your organization, and methods you can use as a red teamer to learn more about mainframes. Brian and I wish to thank Cheryl for all her help in making this happen.

Chad's talk at DerbyCon 2015: https://www.youtube.com/watch?v=b5AG59Y1_EY
Chad discussing mainframe security on Hak5: https://www.youtube.com/watch?v=YBhsWvlqLPo
Linux for mainframes: http://www-03.ibm.com/systems/linuxone/
Philip's talks on YouTube: https://www.youtube.com/playlist?list=PLBVy6TfEpKmEL56fb5AnZCM8pXXFfJS0n
Cheryl's blog over at AlienVault's site: https://www.alienvault.com/blogs/author/cheryl-biswas
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-008-mainframe_secruity.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-008-mainframe-security/id799131292?i=363392103&mt=2

Feb 22, 2016, 1h 47m

2016-007-FingerprinTLS profiling application with Lee Brotherston

We first heard about FingerprinTLS from our friend Lee Brotherston at DerbyCon last September. Intrigued by how he was able to fingerprint the client applications behind TLS connections, we finally got him on to discuss it. We cover a bit of #TLS history, versions 1.0 through 1.2, and Lee gives examples of how FingerprinTLS might be used: red teamers or pentesters can see what applications a client has on their system; a blue team with specific application restrictions can find out whether someone has installed an unauthorized product; and you can even block unknown applications by sensing the application from its handshake and turning that fingerprint into an IPS rule. Finally, something a bit special: there is a demo on our YouTube channel where you can see his tool in action.
Video demo: https://youtu.be/im6un0cB3Ns
Diffie-Hellman key exchange diagram: https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie-Hellman_Key_Exchange.svg/2000px-Diffie-Hellman_Key_Exchange.svg.png
Lee's TLS fingerprinting blog post: http://blog.squarelemon.com/tls-fingerprinting/
FingerprinTLS on GitHub: https://github.com/LeeBrotherston/tls-fingerprinting
Slides (SecTor edition): http://www.slideshare.net/LeeBrotherston/tls-fingerprinting-sectorca-edition
https://www.youtube.com/watch?v=XX0FRAy2Mec
SecTor 2015 talk video: http://2015.video.sector.ca/video/144175700
Cisco blog on malware's use of TLS: http://blogs.cisco.com/security/malwares-use-of-tls-and-encryption
iTunes: https://itunes.apple.com/us/podcast/2016-007-fingerprintls-profiling/id799131292?i=362885277&mt=2
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-007-FingerprinTLS_with_Lee_Brotherston.mp3
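The handshake-based detection Lee describes, as an added example that is not FingerprinTLS's own code: a small Python parser pulls the client's advertised version, cipher suites, extension list, curves and point formats out of a ClientHello, hashes them into a fingerprint that deliberately ignores the SNI, and looks the result up in a table of known applications. The field set hashed is a simplification of what FingerprinTLS records, and the sample ClientHellos, hostnames and the "approved-client" label are constructed for illustration.

```python
"""Fingerprint a TLS ClientHello and match it against known applications.

Added example, not FingerprinTLS's own code. The hashed field set (version,
cipher order, extension order, curves, point formats) is a simplification of
what the tool records; the sample ClientHellos and app labels are constructed.
"""
import hashlib
import struct


def build_client_hello(version, ciphers, extensions):
    """Wrap a ClientHello in a TLS record. Used only to construct sample input.
    extensions is a list of (extension_type, extension_body) tuples."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22

def sni_ext(hostname):
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    return (0x0000, struct.pack("!H", len(entry)) + entry)

def groups_ext(groups):
    return (0x000A, struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups))

def point_formats_ext(formats):
    return (0x000B, bytes([len(formats)]) + bytes(formats))


def parse_client_hello(record):
    """Pull out the fields a fingerprint is built from; ValueError for anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    try:
        return _parse_body(hs[4:4 + int.from_bytes(hs[1:4], "big")])
    except (IndexError, struct.error):
        raise ValueError("malformed or truncated ClientHello") from None

def _parse_body(p):
    version = struct.unpack("!H", p[:2])[0]
    off = 2 + 32 + 1 + p[34]  # skip client random and session id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    ciphers = [struct.unpack("!H", p[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + p[off]  # compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "groups": [], "point_formats": [], "sni": None}
    if off + 2 <= len(p):
        end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            body = p[off + 4:off + 4 + elen]
            off += 4 + elen
            info["extensions"].append(etype)
            if etype == 0x0000 and len(body) >= 5:  # server_name: list_len(2) type(1) name_len(2) name
                nlen = struct.unpack("!H", body[3:5])[0]
                info["sni"] = body[5:5 + nlen].decode("ascii", "replace")
            elif etype == 0x000A and len(body) >= 2:  # supported_groups
                n = struct.unpack("!H", body[:2])[0]
                info["groups"] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 0x000B and body:  # ec_point_formats
                info["point_formats"] = list(body[1:1 + body[0]])
    return info


def fingerprint(info):
    """Hash the client's own choices. SNI is left out on purpose: it changes
    per destination, while the application's handshake shape does not."""
    raw = ",".join([
        f"{info['version']:04x}",
        "-".join(f"{c:04x}" for c in info["ciphers"]),
        "-".join(f"{e:04x}" for e in info["extensions"]),
        "-".join(f"{g:04x}" for g in info["groups"]),
        "-".join(f"{f:02x}" for f in info["point_formats"]),
    ])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def classify(record, known):
    """Label a captured ClientHello; 'unknown' is what you alert on or turn into an IPS rule."""
    return known.get(fingerprint(parse_client_hello(record)), "unknown")


# Constructed sample traffic: an approved client talking to two hosts, and an unlisted tool.
_EXTS = [groups_ext([0x0017, 0x0018]), point_formats_ext([0])]
APPROVED_HELLO = build_client_hello(0x0303, [0xC02B, 0xC02F, 0x009E, 0x002F], [sni_ext("example.com")] + _EXTS)
APPROVED_OTHER_HOST = build_client_hello(0x0303, [0xC02B, 0xC02F, 0x009E, 0x002F], [sni_ext("internal.example")] + _EXTS)
UNLISTED_HELLO = build_client_hello(0x0303, [0x002F, 0x0035, 0x000A], [sni_ext("example.com")])
KNOWN_APPS = {fingerprint(parse_client_hello(APPROVED_HELLO)): "approved-client"}  # illustrative label
```

Anything that comes back "unknown" is the blue-team signal the episode talks about: either an application nobody approved, or a version of an approved one whose handshake changed. The approved client talking to a different host yields the same fingerprint because the SNI is excluded, which is what lets a fingerprint become an IPS rule rather than a per-site blocklist.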

Feb 14, 2016 (1h 11m)

2016-006-Moxie_vs_Mechanism-Dependence_On_Tools

This week starts with an apology to Michael Gough about comments I (Bryan) mangled on the "Anti-Virus... What is it good for?" podcast. Then we get into the meat of our topic: a person's "moxie" vs. a mechanism. Moxie (noun): "force of character, determination, or nerve." Automation is a great thing. It lets us do a lot more work with fewer people, run mundane tasks without having to think about them, and even run security scans against the web applications and assets in your enterprise. But is our dependence on these tools making us lazy, or giving us a false sense of security? What is the happy medium when deciding whether to spend the GDP of a small country on the latest compliance-busting tool, or to spend the necessary operational expenditure (OpEx) on a couple of junior personnel or a seasoned professional? Mr. Boettcher and I discuss over-reliance, blindly trusting results, and what can happen when you have too much automation and not enough people around to manage those tools.
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-006-Moxie_vs_Mechanism-dependence_on_tools.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-006-moxie-vs-mechanism/id799131292?i=362373544&mt=2

Feb 8, 2016 (54 min)

2016-005-Dropbox Chief of Trust and Security Patrick Heim!

Brakeing Down Security had the pleasure of having Patrick Heim join us to discuss a number of topics, starting with cloud migrations: what stops many traditional #companies from moving to #cloud-based operations? What hurdles do they face, and what pitfalls can hamper a successful #migration? We touched briefly on #BYOD and the use of personal devices in a business environment, as well as #Dropbox's deployment of optional #2FA and its support for #U2F keys as an additional #authentication factor. Finally, as an established leader at several major #companies, we pick Mr. #Heim's brain about the qualities of a leader. Can you self-diagnose whether you'll be a good manager? And what does Mr. Heim look for when hiring candidates? It was a pleasure having Mr. Patrick Heim on, and Brakeing Down #Security thanks him for his valuable time.
Some #articles we drew upon for questions to ask Mr. Heim:
http://blogs.wsj.com/cio/2015/05/01/dropbox-is-not-part-of-security-problem-says-new-security-chief/
http://www.itpro.co.uk/cloud-storage/24894/dropbox-users-may-get-free-storage-if-they-adopt-stronger-security
http://www.computerworld.com/article/2489977/security0/boost-your-security-training-with-gamification-really.html
http://www.computerworlduk.com/news/cloud-computing/dropbox-working-on-fido-keys-ensure-top-notch-security-3618267/
http://www.darkreading.com/operations/building-a-winning-security-team-from-the-top-down/a/d-id/1322734
#iTunes: https://itunes.apple.com/us/podcast/2016-005-dropbox-chief-trust/id799131292?i=361604379&mt=2
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-005-Dropbox_Chief_of_Security_and_Trust_Patrick_Heim.mp3
Patrick Heim image courtesy of darkreading.com

Jan 30, 2016 (46 min)

2016-004-Bill_Gardner

BrakeSec Podcast welcomes Bill Gardner this week! Author, InfoSec convention speaker, and fellow podcaster. We break a bit from our usual rigid methods and have a good ol' jam session with Bill: we talk about vulnerability management, career management, the troubles of putting together a podcast, and more!
Bill's Twitter: https://www.twitter.com/oncee
Books Bill has authored or co-authored (non-sponsored link): http://www.amazon.com/Bill-Gardner/e/B00MZ9P0IG/ref=sr_ntt_srch_lnk_2?qid=1453607145&sr=1-2
Bill's "Reboot It" podcast: http://www.rebootitpodcast.com/
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-004-Bill_Gardner.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-004-bill-gardner/id799131292?i=361222239&mt=2

Jan 24, 2016 (1h 19m)

2016-003-Antivirus (...what is it good for... absolutely nothing?)

#Anti-virus products have been around for as long as many of us have been alive. The first anti-virus program, "Reaper", was written by Ray Tomlinson to remove the first self-replicating program, "Creeper", which Bob Thomas wrote in 1971. This week, we discuss the efficacy of anti-virus. Is it still needed? What should blue teamers be looking for to make their anti-virus work for them? And what options do you have if you don't want to use anti-virus? We also argue about whether it's just a huge industry selling snake oil, bolstered by #compliance #frameworks like #PCI.
#mcafee, #symantec, #panda, #avg, #kaspersky, #logging, #siem
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-003-AntiVirus_what_is_it_good_for.mp3
iTunes: https://goo.gl/Jk3CxU

Jan 18, 2016 (54 min)

2016-002-Cryptonite- or how to not have your apps turn to crap

This week we look at the #Cryptonite that weakens devs and software creators when they deal with #cryptographic #algorithms and #passwords. Missing crypto controls and hardcoded credentials can quickly turn your app into crap. Remember the last time you heard about a hardcoded #SSH private key, or the time a developer left the #API keys in his #github #repo? We go through some gotchas from the excellent book "24 Deadly Sins of Software Security". Anyone doing a threat analysis or a code audit needs to check for these things, so you don't end up in the news with a hardcoded password in your home router firmware, like these guys: https://securityledger.com/2015/08/hardcoded-firmware-password-sinks-home-routers/
Book: http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751
Show Notes: https://docs.google.com/document/d/1MUPj8CCzDodik61_1K8lCKywkv0JbfBkve20rxwbmzE/edit?usp=sharing
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-002-Cryptonite.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-002-cryptonite-or-how/id799131292?i=360440391&mt=2
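The hardcoded-credential check the episode says every code audit needs, as an added example that is not code from the book or the show: a scanner that walks source text line by line looking for private-key headers, AWS-style access key IDs, password or API-key literals, and long random-looking strings that a plain keyword grep would miss. The AWS key-ID shape is the documented one; the other patterns, the placeholder list, the entropy threshold and the sample input are this example's own assumptions.

```python
"""Flag hardcoded secrets in source text: private keys, cloud access keys,
credential literals and random-looking strings.

Added example, not code from the book or the show. The AWS key-ID shape
(AKIA + 16 chars) is the documented format; the other patterns and the
placeholder list are this example's heuristics, and the sample is constructed.
"""
import math
import re

PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # name = "literal" where the name smells like a credential
    "credential_assignment": re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{6,})["']"""),
    # any long quoted literal; reported only if it looks random (see scan)
    "high_entropy_literal": re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']"""),
}
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


def shannon_entropy(s):
    """Bits per character. English text sits around 3-4; keys and tokens score higher."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text, min_entropy=4.0):
    """Return (line_no, kind, evidence) per suspicious line; the first matching rule wins."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)
            if kind == "credential_assignment" and value.lower() in PLACEHOLDERS:
                continue  # obvious dummy value, not a leaked secret
            if kind == "high_entropy_literal" and shannon_entropy(value) < min_entropy:
                continue  # long but repetitive or wordy: an id or a message, not a key
            findings.append((no, kind, value))
            break
    return findings


# Constructed sample; none of these values are real credentials.
SAMPLE = """\
import os
DB_PASSWORD = "hunter2"
API_KEY = os.environ["API_KEY"]
aws_key = "AKIAIOSFODNN7EXAMPLE"
SIGNING_KEY = "q7Xp2LmZ9vRt4KwB8nYc1HsD6fGj0AeU"
CACHE_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"
password = "changeme"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for no, kind, evidence in scan(SAMPLE):
        print(f"line {no}: {kind}: {evidence}")
```

Run it over a checkout or over `git log -p` output, since a key deleted in a later commit is still in the history. The entropy threshold is what catches a token assigned to an innocuous-looking name like SIGNING_KEY, the environment-variable lookup on line 3 is correctly left alone, and the placeholder list keeps obvious dummies such as "changeme" out of the report.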

Jan 11, 2016 (1h 3m)

2016-001: Jay Schulmann explains how to use BSIMM in your environment

#Jay #Schulman is a consultant with 15+ years of experience helping organizations implement #BSIMM (the Building Security In Maturity Model) and other software security frameworks. For our first #podcast of 2016, we invited him on to discuss BSIMM further and how he has found it best to implement it in a company's #security #program.
Jay Schulman's #website: https://www.jayschulman.com/
Jay's podcast "Building a Life and Career in Security" (iTunes): https://itunes.apple.com/us/podcast/building-life-career-in-security/id994550360?mt=2&ls=1
Jay's Twitter: https://twitter.com/jschulman
iTunes Link: https://itunes.apple.com/us/podcast/2016-001-jay-schulmann-explains/id799131292?i=360028388&mt=2
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-001-JaySchulman-BSIMM.mp3

Jan 3, 2016 (1h 2m)

2015-054: Dave Kennedy

Dave Kennedy does a lot for the infosec community. As owner/operator of two companies (Binary Defense Systems and TrustedSec), he is also an organizer of #DerbyCon and an active contributor to the Social-Engineer Toolkit (#SET). You can also find him discussing the latest hacking attempts and breaches on Fox News and other mainstream media outlets. But this time we interview Dave Kennedy because he has been elected to the (ISC)² board. He will serve a three-year term alongside Wim Remes (whom we interviewed a couple of weeks ago) and others to improve #ISC2 processes and to make the #CISSP and other certs more competitive in the #infosec/IT community. And yes, we find out what is going on with DerbyCon and get some updates on what will happen at the next one.
iTunes Link: https://itunes.apple.com/us/podcast/2015-054-dave-kennedy/id799131292?i=359677576&mt=2

Dec 27, 2015 (51 min)