Browse all episodes of the BrakeSec Education Podcast
| Title | Date | Duration |
|---|---|---|
| Jay Beale discusses his K8s class at BlackHat, Kubernetes developments, and mental health | 17 Jul 2025 | 01:48:38 |
YouTube video at: https://www.youtube.com/watch?v=yHPvGVfPgjI
Questions and topics: (please feel free to update or make comments for clarifications)
| Socvel intel threat quiz, Pearson Breached, nintendo bricking stuff, and kevintel.com | 10 May 2025 | 01:24:40 |
socvel.com/quiz if you want to play along! join the Discord: https://bit.ly/brakesecDiscord
Music provided by Chillhop Music: https://chillhop.ffm.to/creatorcred "Flex" by Jeremy Blake
| AccidentalCISO on BrakeSecEd, talking Leadership, SaaS development, and Appsec | 02 Feb 2024 | 00:29:35 |
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information, and do not represent views of past, present, or future employers.
Recorded: 28 Jan 2024 Youtube VOD: https://youtube.com/live/uX7odQTBkyQ
Questions and topics:
Additional information / pertinent links (Would you like to know more?):
Show points of contact: Amanda Berlin: @infosystir @hackershealth Brian Boettcher: @boettcherpwned Bryan Brake: https://linkedin.com/in/brakeb Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@brakeseced Twitch Channel: https://twitch.tv/brakesec
| 2021-011- Dr. Catherine J Ullman, the art of communication in an Incident - Part 2 | 21 Mar 2021 | 00:45:37 |
In this episode: knowing your audience - discussing the IR impact And much more!
Dr. Catherine J. Ullman (@investigatorchi) Incident Response communications Reminders: Accepted to CircleCityCon on IR communications! Bsides Rochester Security B-Sides Rochester
Spoke at SeaSec meetups:
Qualys Update on Accellion FTA Security Incident | Qualys Security Blog Security Advisory | SolarWinds Family Educational Rights and Privacy Act (FERPA)
It's important to share necessary information with senior-level people and higher-ups, but is there such a thing as 'oversharing'? How do you toe the line between oversharing and saying nothing at all?
In higher ed, are you beholden to different disclosure requirements than businesses?
What is Server Side Request Forgery (SSRF)? | Acunetix
13 Beautiful Tools to Create Status Pages for your Business (geekflare.com)
Laying communication groundwork
Status pages (notifying users)
Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
| 2021-010- Dr. Catherine J Ullman, the art of communication in an Incident - Part 1 | 17 Mar 2021 | 00:34:07 |
Dr. Catherine J. Ullman (@investigatorchi)
Incident Response communications
Reminders: Accepted to CircleCityCon on IR communications! Bsides Rochester Security B-Sides Rochester
Spoke at SeaSec meetups:
Qualys Update on Accellion FTA Security Incident | Qualys Security Blog
Security Advisory | SolarWinds
Family Educational Rights and Privacy Act (FERPA)
It's important to share necessary information with senior-level people and higher-ups, but is there such a thing as 'oversharing'? How do you toe the line between oversharing and saying nothing at all?
In higher ed, are you beholden to different disclosure requirements than businesses?
What is Server Side Request Forgery (SSRF)? | Acunetix
13 Beautiful Tools to Create Status Pages for your Business (geekflare.com)
Laying communication groundwork
Status pages (notifying users)
| 2021-009-Jasmine_Jackson-TheFluffy007-analyzing_android_apps-FRida-Part2 | 07 Mar 2021 | 00:50:01 |
@thefluffy007 A Bay Area Native (Berkeley) I always tell people my computer journey started at 14, but it really started at 5th grade (have a good story to tell about this) Was a bad student in my ninth grade year - almost kicked out of high school due to cutting. Had a 1.7 GPA. After my summer internship turned it around to a 4.0. Once I graduated from high school, I knew I wanted to continue on the path of computers. Majored in Computer Science Graduated with Bachelors and Masters in Computer Science. Graduate Certificate in Information Security and Privacy. Minor in Math. Interested in security from a Yahoo! Group on Cryptography. Liked how you can turn text into gibberish and back again. Became interested in penetration testing after moving to Charlotte, and moonlighted as a QA while a full-stack developer. Co-workers did not want me to test their code because I would always find bugs. Moved into penetration testing space. Always had an interest in mobile, but never did mobile development and decided it wasn't for me Became interested in bug bounties and noticed that mobile payouts were higher. At this time also completed SANS 575 - Mobile Device Security and Ethical Hacking. Started to learn/expand mobile hacking on my own time The threat exposure is VERY high with mobile hacking. As you have a web app component, network component, and phone component. I always reference a slide from Secure Works. 
Link to YouTube Channel → thefluffy007 - YouTube
thefluffy007 – A security researcher's thoughts on all things security – web, mobile, and cloud
The Mobile App Security Company | NowSecure
owasp-mstg/Crackmes at master · OWASP/owasp-mstg · GitHub
Rana Android Malware (reversinglabs.com)
These 21 Android Apps Contain Malware | PCMag
Android Tamer - Android Tamer
The Diary of an (Inexperienced) Bug Hunter - Intro to Android Hacking | Bugcrowd
Android Debug Bridge (adb) | Android Developers
Goal: discussing best practices and methods to reverse engineer Android applications
Introduction to Java (w3schools.com)
JavaScript Introduction (w3schools.com)
Introduction to Python (w3schools.com)
Frida • A world-class dynamic instrumentation framework | Inject JavaScript to explore native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX (Frida can be used with JavaScript and Python, along with other languages)
GitHub - dweinstein/awesome-frida: Awesome Frida - A curated list of Frida resources http://www.frida.re/ (https://github.com/frida/frida)
Android APK crackme: owasp-mstg/0x05c-Reverse-Engineering-and-Tampering.md at master · OWASP/owasp-mstg · GitHub
Reverse-Engineering - YobiWiki
IntroAndroidSecurity download | SourceForge.net ←- link to my virtual machine and Androidx86 emulator
Background: **consider this a primer for any class you might teach, a teaser, if you will**
Why do we want to be able to reverse engineer APKs and IPKs? Android APKs (Android Packages) hold the source code to the application. If you can reverse this you will essentially have the keys to the kingdom. Developers and companies (if they're proprietary) will add obfuscation - a technique to make the code unreadable to thwart reverse engineers from finding out their code.
What are some of the structures and files contained in APKs that are useful for people analyzing binaries? Android applications have to have a MainActivity (written in Java). This activity is the entry point to the application. Android applications also have an AndroidManifest.xml file which is the skeleton of the application. This describes the main activity, intents, service providers, permissions, and which Android operating system versions can run the application.
When testing apps for security, how easy is it to emulate security and physical controls if you're not on a handset? Pretty easy. You can use an emulator. I must forewarn though - you will need A LOT of memory for it to work effectively.
Are there ever any times you HAVE to use a handset? An app that tests something like Android's SafetyNet and won't run without it? Do they ever want perf testing on their apps? Was thinking about how you check events in logs, battery drain, using apps on older Android/iOS versions?
When organizations or developers ask you to test an app, is there anything in particular in scope? Out of scope? How do progressive web apps differ from a more traditional app?
Lab setup: IntroToAndroidSecurity VM, Android Emulator
Tools to use: Why use them? (free, full-featured) Setup and installation; OS-specific tools? Tools used - Frida, Jadx-GUI (or command line), text editor. All of these items are free. No setup required if using my virtual machine :-) These apps are OS specific if you choose Linux or Windows. Callbacks
Methodology: Decompile the application - can use a tool titled Apktool (free). Look "under the hood" of the application - Jadx-GUI (Graphical User Interface) or Jadx-CLI (command line). Connect your emulator/device using Android Debug Bridge (adb). Get the version of Frida on the device; look online to find the correct version of Frida **this is important**. Start to play around with the tool and see if you receive error messages/prompts. Can then go back to the code that was reverse engineered and see where it's located.
Best practices: Leave no stones unturned! Meaning you might see something that seems too rudimentary to work - and yet it does. Cert pinning - Typical issues seen: hard-coded passwords, data that is not being encrypted at rest or in transit.
| 2021-008-Jasmine jackson - TheFluffy007, Bio and background, Android App analysis - part 1 | 02 Mar 2021 | 00:52:33 |
@thefluffy007 A Bay Area Native (Berkeley) I always tell people my computer journey started at 14, but it really started at 5th grade (have a good story to tell about this) Was a bad student in my ninth grade year - almost kicked out of high school due to cutting. Had a 1.7 GPA. After my summer internship turned it around to a 4.0. Once I graduated from high school, I knew I wanted to continue on the path of computers. Majored in Computer Science Graduated with Bachelors and Masters in Computer Science. Graduate Certificate in Information Security and Privacy. Minor in Math. Interested in security from a Yahoo! Group on Cryptography. Liked how you can turn text into gibberish and back again. Became interested in penetration testing after moving to Charlotte, and moonlighted as a QA while a full-stack developer. Co-workers did not want me to test their code because I would always find bugs. Moved into penetration testing space. Always had an interest in mobile, but never did mobile development and decided it wasn't for me Became interested in bug bounties and noticed that mobile payouts were higher. At this time also completed SANS 575 - Mobile Device Security and Ethical Hacking. Started to learn/expand mobile hacking on my own time The threat exposure is VERY high with mobile hacking. As you have a web app component, network component, and phone component. I always reference a slide from Secure Works.
Link to YouTube Channel → thefluffy007 - YouTube
thefluffy007 – A security researcher's thoughts on all things security – web, mobile, and cloud
The Mobile App Security Company | NowSecure
owasp-mstg/Crackmes at master · OWASP/owasp-mstg · GitHub
Rana Android Malware (reversinglabs.com)
These 21 Android Apps Contain Malware | PCMag
Android Tamer - Android Tamer
The Diary of an (Inexperienced) Bug Hunter - Intro to Android Hacking | Bugcrowd
Android Debug Bridge (adb) | Android Developers
Goal: discussing best practices and methods to reverse engineer Android applications
Introduction to Java (w3schools.com)
JavaScript Introduction (w3schools.com)
Introduction to Python (w3schools.com)
Frida • A world-class dynamic instrumentation framework | Inject JavaScript to explore native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX (Frida can be used with JavaScript and Python, along with other languages)
GitHub - dweinstein/awesome-frida: Awesome Frida - A curated list of Frida resources http://www.frida.re/ (https://github.com/frida/frida)
Android APK crackme: owasp-mstg/0x05c-Reverse-Engineering-and-Tampering.md at master · OWASP/owasp-mstg · GitHub
Reverse-Engineering - YobiWiki
IntroAndroidSecurity download | SourceForge.net ←- link to my virtual machine and Androidx86 emulator
Background: **consider this a primer for any class you might teach, a teaser, if you will**
Why do we want to be able to reverse engineer APKs and IPKs? Android APKs (Android Packages) hold the source code to the application. If you can reverse this you will essentially have the keys to the kingdom. Developers and companies (if they're proprietary) will add obfuscation - a technique to make the code unreadable to thwart reverse engineers from finding out their code.
What are some of the structures and files contained in APKs that are useful for people analyzing binaries? Android applications have to have a MainActivity (written in Java). This activity is the entry point to the application. Android applications also have an AndroidManifest.xml file which is the skeleton of the application. This describes the main activity, intents, service providers, permissions, and which Android operating system versions can run the application.
When testing apps for security, how easy is it to emulate security and physical controls if you're not on a handset? Pretty easy. You can use an emulator. I must forewarn though - you will need A LOT of memory for it to work effectively.
Are there ever any times you HAVE to use a handset? An app that tests something like Android's SafetyNet and won't run without it? Do they ever want perf testing on their apps? Was thinking about how you check events in logs, battery drain, using apps on older Android/iOS versions?
When organizations or developers ask you to test an app, is there anything in particular in scope? Out of scope? How do progressive web apps differ from a more traditional app?
Lab setup: IntroToAndroidSecurity VM, Android Emulator
Tools to use: Why use them? (free, full-featured) Setup and installation; OS-specific tools? Tools used - Frida, Jadx-GUI (or command line), text editor. All of these items are free. No setup required if using my virtual machine :-) These apps are OS specific if you choose Linux or Windows. Callbacks
Methodology: Decompile the application - can use a tool titled Apktool (free). Look "under the hood" of the application - Jadx-GUI (Graphical User Interface) or Jadx-CLI (command line). Connect your emulator/device using Android Debug Bridge (adb). Get the version of Frida on the device; look online to find the correct version of Frida **this is important**. Start to play around with the tool and see if you receive error messages/prompts. Can then go back to the code that was reverse engineered and see where it's located.
Best practices: Leave no stones unturned! Meaning you might see something that seems too rudimentary to work - and yet it does. Cert pinning - Typical issues seen: hard-coded passwords, data that is not being encrypted at rest or in transit.
| 2021-007-News-Google asking for OSS to embrace standards, insider threat at Yandex, Vectr Discussion | 21 Feb 2021 | 00:57:01 |
Links to discussed items:
Yandex Employee Caught Selling Access to Users' Email Inboxes (thehackernews.com)
Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple | Threatpost
Google pitches security standards for 'critical' open-source projects | SC Media (scmagazine.com)
https://www.kitploit.com/2021/02/damn-vulnerable-graphql-application.html
| 2021-006-Ronnie Watson (@secopsgeek), building a security monitoring system with ELK, and Wazuh - part2 | 14 Feb 2021 | 00:39:21 |
Ronnie Watson (@secopsgeek)
Youtube: watson infosec - YouTube
watsoninfosec (Watsoninfosec) · GitHub
Feel free to add anything you like
Wazuh - fork of OSSEC (Migrating from OSSEC · Wazuh · The Open Source Security Platform)
Implementing a Network Security Metrics Program (giac.org) What to track. Some suggested metrics to start with:
6 Essential Security Features for Network Monitoring Solutions (solutionsreview.com)
Metrics of Security (nist.gov): Security metrics are essential to comprehensive network security and CSA management. Without good metrics, analysts cannot answer many security related questions. Some examples of such questions include "Is our network more secure today than it was before?" or "Have the changes of network configurations improved our security posture?" The ultimate aim of security metrics is to ensure business continuity (or mission success) and minimize business damage by preventing or minimizing the potential impact of cyber incidents.
DNS over HTTPS: DNS over HTTPS - Wikipedia
| 2021-005-Ronnie Watson (@secopsgeek), building a security monitoring system with ELK, and Wazuh | 09 Feb 2021 | 00:35:43 |
Ronnie Watson (@secopsgeek)
Youtube: watson infosec - YouTube
watsoninfosec (Watsoninfosec) · GitHub
Wazuh - fork of OSSEC (Migrating from OSSEC · Wazuh · The Open Source Security Platform)
Implementing a Network Security Metrics Program (giac.org) What to track. Some suggested metrics to start with:
6 Essential Security Features for Network Monitoring Solutions (solutionsreview.com)
Metrics of Security (nist.gov): Security metrics are essential to comprehensive network security and CSA management. Without good metrics, analysts cannot answer many security related questions. Some examples of such questions include "Is our network more secure today than it was before?" or "Have the changes of network configurations improved our security posture?" The ultimate aim of security metrics is to ensure business continuity (or mission success) and minimize business damage by preventing or minimizing the potential impact of cyber incidents.
DNS over HTTPS: DNS over HTTPS - Wikipedia
| 2021-004-Danny Akacki talks about Mergers and Acquisitions - Part 2 | 03 Feb 2021 | 00:47:45 |
Discussion on mergers and acquisitions processes: on being acquired, but also if you're acquiring a company.
Best Practices:
Best Practices of Mergers and Acquisitions (workforce.com)
The Role of Information Security in a Merger/Acquisition (bankinfosecurity.com)
Security Considerations in the Merger/Acquisition Process (sans.org)
The 10 steps to successful M&A integration | Bain & Company
Savvy Hackers Use Spearphishing to steal Wall Street M&A info (knowbe4.com)
"We've been acquired by X!" First thing people think: "oh no, what's gonna happen to me."
| 2021-003- Danny Akacki, open communications, mergers & acquisitions | 26 Jan 2021 | 00:46:09 |
Discussion on mergers and acquisitions processes: on being acquired, but also if you're acquiring a company.
Best Practices:
Best Practices of Mergers and Acquisitions (workforce.com)
The Role of Information Security in a Merger/Acquisition (bankinfosecurity.com)
Security Considerations in the Merger/Acquisition Process (sans.org)
Women Unite Over CTF 3.0 (ittakesahuman.com)
The 10 steps to successful M&A integration | Bain & Company
Savvy Hackers Use Spearphishing to steal Wall Street M&A info (knowbe4.com)
"We've been acquired by X!" First thing people think: "what's gonna happen to me."
| 2021-002-Elastic Search license changes, Secure RPC patching for windows, ironkey traps man's $270 million in Bitcoin | 19 Jan 2021 | 00:46:50 |
Secure RPC issue
Elastic Search: https://anonymoushash.vmbrasseur.com/2021/01/14/elasticsearch-and-kibana-are-now-business-risks
"There are those who will point to the FAQ for the SSPL and claim that the license isn't interpreted in that way because the FAQ says so. Unfortunately, when you agree to a license you are agreeing to the text of that license document and not to a FAQ. If the text of that license document is ambiguous, then so are your rights and responsibilities under that license. Should your compliance to that license come before a judge, it's their interpretation of those rights and responsibilities that will hold sway. This ambiguity puts your organisation at risk."
Doubling down on open, Part II | Elastic Blog - license change affecting Elastic Search and Kibana
MongoDB did something similar in 2018: mjg59 | Initial thoughts on MongoDB's new Server Side Public License (dreamwidth.org)
Hacker News Discussion: MongoDB switches up its open source license | Hacker News (ycombinator.com)
[License-review] Approval: Server Side Public License, Version 2 (SSPL v2) (opensource.org)
"We continue to believe that the SSPL complies with the Open Source Definition and the four essential software freedoms. However, based on its reception by the members of this list and the greater open source community, the community consensus required to support OSI approval does not currently appear to exist regarding the copyleft provision of SSPL. Thus, in order to be respectful of the time and efforts of the OSI board and this list's members, we are hereby withdrawing the SSPL from OSI consideration."
(It could be 'open-source', but negative feedback on mailing lists and elsewhere made them withdraw it from OSI consideration.)
Open Source license requirements: The Open Source Definition | Open Source Initiative
What does this mean?
If you have products that utilize ElasticSearch/MongoDB/Kibana in some way, talk to your legal teams to find out if you need to divest your org from them. These are not 'open-source' licenses… they are 'source available'. It might not affect your organization, and moving to SSPL might be feasible. If your product makes any changes internally to ElasticSearch,
Notable links
JTNYDV - specifically the CIS docker hardening
Twitter: @jtnydv
https://www.coindesk.com/anchorage-becomes-first-occ-approved-national-crypto-bank
https://www.cnn.com/2021/01/15/uk/bitcoin-trash-landfill-gbr-scli-intl/index.html
| 1st show of 2024! Our 10th Anniversary... | 09 Jan 2024 | 00:59:35 |
It's our 10th anniversary and the first show of our 2024 season! Amanda was on "7 minute security" https://7minsec.com/projects/podcast
Check out the complete VOD at https://youtu.be/vbmEtkxhAMg Explicit language warning
| 2021-001-news, youtuber 'dream' doxxed, solarwind passwords bruteforced, malware attacks | 12 Jan 2021 | 00:46:57 |
Dream Doxxed: Minecraft YouTuber Dream Doxxed Following Speedrun Controversy (screenrant.com) - OSINT issues… found him by breadcrumbs and using Zillow interior pics of his house. Craziness.
How to Use APIs (explained from scratch) (secjuice.com)
Hackers target cryptocurrency users with new ElectroRAT malware | ZDNet
Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020 | ZDNet
| 2020-046-solarwinds-fireeye-breaches-GE-medical-device-issues-and-2021_predictions | 17 Dec 2020 | 00:52:02 | |
End of year podcast
Blumeria sponsorship
NEWS:
IT company SolarWinds says it may have been hit in 'highly sophisticated' hack | Reuters
FireEye hacked: US cybersecurity firm FireEye hit by 'state-sponsored' attack - BBC News
https://krypt3ia.wordpress.com/ - 16 December 2020
Microsoft flexing muscle to shutdown c2: Microsoft unleashes 'Death Star' on SolarWinds hackers in extraordinary response to breach - GeekWire
Little-known SolarWinds gets scrutiny over hack, stock sales (apnews.com)
FireEye, GoDaddy, and Microsoft create kill switch for SolarWinds backdoor | Security Affairs
US Gov hacked: US government agencies hacked; Russia a possible culprit (apnews.com)
Not mentioned during the podcast: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | FireEye Inc
Not trying to spread FUD, but would infiltration by using FOSS tools be easier than Solarwinds?
Time to remove Nano Adblocker and Defender from your browsers (except Firefox) - gHacks Tech News
System oriented programming - Cloud-Sliver (cloud-sliver.com)
G'bye Flash… Adobe releases final Flash Player update, warns of 2021 kill switch (bleepingcomputer.com)
IT workers worried about AI making them obsolete… IT Workers Fear Becoming Obsolete in Cyber Roles - Infosecurity Magazine (infosecurity-magazine.com)
Qbot malware switched to stealthy new Windows autostart method (bleepingcomputer.com)
https://www.atlasobscura.com/places/encryption-lava-lamps - "The randomness of this wall of lava lamps helps encrypt up to 10 percent of the internet. "
It's been the year of the business continuity program… and of how agile yours is. --thoughts?
Future? Bryan: Companies that are 'all in' on remote work will back track. Amanda: I think we'll see way more keep the wfh now that they realize it saves $$
| |||
| SPONSORED- Nathanael Iversen from Illumio, future of microsegmentation, | 07 Dec 2020 | 00:36:30 | |
BrakeSec Sponsored Interview with Nathanael Iversen
Questions, comments, and other content goes here:
Illumio Nathanael Iversen BDS Podcast Messaging
Topic: Overview of development and deployment of micro-segmentation
Where does segmentation fit into your security strategy?
The keys to a successful micro-segmentation deployment: As with any security control, it's important to balance the strategy of the business with the need to secure it. There are several key functions and abilities to consider to ensure your deployment goes smoothly:
There are three broad preventive security actions:
Potential questions:
| |||
| 2020-045-Marco Salvati, supporting open source devs, incentivizing leeching companies who don't give back- part2 | 07 Dec 2020 | 00:44:33 | |
https://www.hak4kidz.com/activities/cdcedu.html - Online CTF training using Cisco's Workshop platform. They did something similar in Spring of 2020. There will be an online panel where kids can ask questions about information security. Occurs on December 12th. Check out the link for more info.
Robert M. for upping his patreon to $5
Top 25 Data Security Podcasts You Must Follow in 2020 (feedspot.com)
@byt3bl33d3r (Marcello Salvati) @porchetta_ind (Porchetta Industries) info@porchetta.industries
Wanna sponsor CrackMapExec? Sponsor @byt3bl33d3r on GitHub Sponsors
GitHub Sponsors: GitHub Sponsors
How is this different than shareware?
"As a developer of one of these tools, you obviously start questioning your life decisions after a while. Especially after putting so much time into these projects."
Adblockers installed 300,000 times are malicious and should be removed now | Ars Technica (spent years supporting the app… the vitriol from 'unpaid customers' is deafening… Should be required reading for anyone wanting to open source anything.)
[Announcement] Recent and upcoming changes to the Nano projects · Issue #362 · NanoAdblocker/NanoCore (github.com)
Business model for typical open source projects. Where's the chain broken at? Devs who expect help/support for their project?
"Many eyes make for less vulns" (LOL, sounds good, not true anymore --brbr)
What is the 'status quo' of the OSS infosec/hacking tool developer community (in your opinion)?
Pull requests: what are 'meaningful' contributions? What is the definition of 'widely-used'? Why support widely-used OSS hacking tools?
And now for something completely different... (porchetta.industries)
| |||
| 2020-044-Marcello Salvati (@byt3bl33d3r), porchetta industries, supporting opensource tool creators, sponsorship model | 02 Dec 2020 | 00:29:18 | |
| |||
| 2020-043-Software_Defined_Radio-Sebastien_dudek-RF-attacks- IoT and car RF attacks | 24 Nov 2020 | 00:31:42 | |
Sébastien Dudek - @FlUxIuS @penthertz
Why we are here today? Software Defined Radio (sdr-radio.com)
What kind of hardware or software do you need?
Why would a security professional want to know how to use SDR tools and attacks?
What other kinds of attacks can be launched? (I mean, other than replay type attacks)
Door systems (badge systems), NFC? Contactless credit card attacks, Smart building/home control systems, Bluetooth attacks, Point Of Sale systems, Cellular radio 3g/4g/5g, Industrial control systems, Home appliances, Medical telemetry systems, Drones!
DASH7 - Wikipedia - custom TCP stack for LoRa
Vehicle-to-grid - Wikipedia (V2G)
Automatic Wireless Protocol Reverse Engineering | USENIX
Hunting mobile devices endpoints - the RF and the Hard way | Synacktiv - Sébastien Dudek
Carrier Aggregation explained (3gpp.org)
Mobile phone jammer - Wikipedia
World's top hackers meet at the first 5G Cyber Security Hackathon - Security Boulevard
Supply chain attacks - systems tend to use wireless chipsets or protocols
LTE-torpedo-NDSS19.pdf (uiowa.edu) - privacy attacks on 4g/5g networks using side channel information
How does someone make a Faraday cage on the cheap? (mentioned in one of your class agendas)
Lots of IoT devices use your typical home wifi connection, can't you just sniff packets to get what you need?
Replay attacks on car fobs: Jam and Replay Attacks on Vehicular Keyless Entry Systems (s34s0n.github.io)
Attacks on Tesla wireless entry: Tesla's keyless entry vulnerable to spoofing attack, researchers find - The Verge
Garage door opener attacks: How to Hack a Garage Door in Under 10 Seconds and What You Can Do About It - ITS Tactical
Kid's toy opens garage doors: This Hacked Kids' Toy Opens Garage Doors in Seconds | WIRED
What are the current limitations to testing wireless and RF related systems? What about custom wireless implementations? Cellular? Zigbee?
I'm a wireless manufacturer of some kind of device. I'm freaked now by hearing you talk about how easy it is to attack wireless systems. What are some things I could do to ensure that the types of attacks we discussed here cannot affect me? Wireless defense system? https://www.researchgate.net/publication/321491751_Security_Mechanisms_to_Defend_against_New_Attacks_on_Software-Defined_Radio
List of SDR software: The BIG List of RTL-SDR Supported Software (rtl-sdr.com) | |||
| SPONSORED Podcast: Katey Wood from Illumio on deployment and using Windows Filtering Platform | 17 Nov 2020 | 00:42:53 | |
**Apologies on the Zoom issues**
This is the 2nd of 3 sponsored podcast interviews with Illumio about their zero trust product.
Katey Wood is the Director of Product Marketing at Illumio. https://www.linkedin.com/in/kateywood/
Topic: Conversation on segmentation and ransomware
Topic Background: The attack surface and vulnerabilities are on the rise, along with cyber attacks. Why? Remote everything - cloud collaboration (including processing PII) is the new normal and that means the attack surface is heightened. This requires appropriate network, cloud, and endpoint security.
Double ransom with #data #exfiltration -- more attackers are exfiltrating customer data from businesses and (if ransom is withheld) extorting consumers directly through bitcoin - often in the headlines. Privacy is a chief security concern now more than ever before, as remote everything continues and #cyberattacks and #ransomware attacks skyrocket. For businesses, Covid and the new WFH normal means even more vulnerabilities and greater incentive to pay an even higher ransom to avoid privacy law penalties and class-action litigation.
Enter Segmentation. Perimeter security is important, but unfortunately, we all know that alone it's not enough (i.e. breach, after breach, after high-profile breach). #ZeroTrust, the assume-breach mentality, and default deny are philosophies that take security deeper to protect organizations from a threat moving laterally within their environment. This is helpful because it's often not the initial point of breach that causes so much damage – it's the breach spreading to more critical data and assets that's so destructive. #Network #segmentation is a crucial control to secure critical data and PII, by ring-fencing applications with patient or client data. Implementing Zero Trust security policies limits access to only allowed parties with a legitimate business purpose and stops the attacker from moving freely across the network to the most valuable data.
#Illumio helps #healthcare, academic, and other critical industries keep their crown jewels safe through better, more scalable micro-segmentation that decouples Zero Trust from the constraints of the network by implementing it on the workload.
Vertical 'Brakedown' - Healthcare and Education: Businesses in the healthcare and education industry often have large numbers of customers and employees, handle large volumes of PII, and are especially at risk. Both have already been under scrutiny for privacy concerns around PII for years, through regulations like #HIPAA in healthcare and #FERPA in education (and now #CCPA). Now that distance learning is the norm and medical records have gone largely electronic, it's even easier for attackers to move between systems if there are no network segmentation access policies in place to prevent it.
Potential Questions: Customer data cases:
'Dead data'
With today's workforce largely remote, tell me what that means from a security standpoint. What challenges are businesses facing to protect important data/PII?
What is that data "worth" and what are the consequences of falling victim to a ransomware attack or similar event from a bad actor?
Talk to me about the "assume breach mentality." What does that mean and how can you/why should you use this philosophy in your approach to security?
How does segmentation relate to compliance? How do the two go hand in hand?
How does segmentation protect organizations against large scale breaches?
In terms of cost, is segmentation a sizable investment for SMBs? Is it a worthwhile investment, in terms of dollars saved from ransomware attacks?
#Segmentation is often thought of as a big (perhaps cumbersome) project – how do you suggest organizations make it more scalable?
How does segmentation protect end users?
| |||
| 2020-042-Kim Crawley and Phillip Wylie discuss "Pentester Blueprint", moving into pentesting career | 15 Nov 2020 | 01:10:39 | |
Phillip Wylie @philipwylie and Kim Crawley @kim_crawley
Amazon: The Pentester BluePrint: Your Guide to Being a Pentester: 9781119684305: Computer Science Books @ AmazonSmile - November 24th for paper copy
Steven Levy: Hackers: Heroes of the Computer Revolution: Steven Levy: 9781449388393: Amazon.com: Books
Why did you write the book? What is a pentester? Skills needed. Education of hacker.
Building a lab: Kali Linux, Pentester Framework, Docker, OWASP Juice Shop, Vulnhub, Overthewire, PicoCTF
Developing a plan. Gaining experience. Gaining employment.
Hacking is not a Crime - hacktivist org? https://www.hackingisnotacrime.org/
| |||
| 2020-041- Conor Sherman, IR stories, cost of not prepping for an incident | 10 Nov 2020 | 01:17:47 | |
"Between stimulus and response there is a space. In that space is our power to choose our response. In our response lies our growth and our freedom." --Viktor Frankl https://smile.amazon.com/Mans-Search-for-Meaning-audiobook/dp/B0006IU470
https://twitter.com/conordsherman
Conor Sherman - IR stories and more Security Strategy and Incident Response, eZCater Confident Defense Podcast - https://www.confidentdefense.com/podcast https://www.linkedin.com/in/conordsherman/
Agenda: Bio (How did I get here?)
Prior preparation and planning prevents poor performance - https://military.wikia.org/wiki/7_Ps_(military_adage)
Discover Unique malware
FIN 6 - https://www.zdnet.com/article/cybercrime-group-fin6-evolves-from-pos-malware-to-ransomware/
FIN 7 - https://threatpost.com/fin7-retools/149117/
CCPA - https://oag.ca.gov/privacy/ccpa
CIS 20 is 'reasonable security program' per California AG - https://www.prnewswire.com/news-releases/california-attorney-general-concludes-that-failing-to-implement-the-center-for-internet-securitys-cis-critical-security-controls-constitutes-a-lack-of-reasonable-security-300223659.html
IBM breach cost: "Cost Of A Data Breach" (Search This)
Cloud Infra Compliance- Governance as Code - https://www.cio.com/article/3277611/governance-as-code-keeping-pace-with-the-rate-of-change-in-the-cloud.html "In the future, governance as code will be the backbone driving our IT systems and services. It will enable us to deliver consistent, efficient and highly repeating business outcomes at the lowest possible cost, with the maximum availability and security, while also allowing our people to expand into new and higher value-add roles across business."
Detection as Code "Freedom within Limits" - Security as Solutions Engineers
Sigma: https://github.com/Neo23x0/sigma "Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file."
Japan CIRT event ID whitepaper: https://www.jpcert.or.jp/english/pub/sr/DetectingLateralMovementThroughTrackingEventLogs_version2.pdf https://jpcertcc.github.io/ToolAnalysisResultSheet/
"Shield is an active defense knowledge base MITRE is developing to capture and organize what we are learning about active defense and adversary engagement. Derived from over 10 years of adversary engagement experience, it spans the range from high level, CISO ready considerations of opportunities and objectives, to practitioner friendly discussions of the TTPs available to defenders."
IR Playbooks - process of creating them (probably the hardest)
Implementation
Tabletop exercise (length, stakeholders, crafting a scenario to compare against)
What if an org has nothing? "We just blow up the environment and start over."
RTO/RPO metrics: How long can you survive as a company with an outage? How long does it take to get back online and operational? What's your appetite for the risk of that?
Lots of dependencies to creating
https://swimlane.com/blog/incident-response-playbook
Tabletop discussion -
Sponsors involved
Initiating condition
Threat modeling
Process steps
Best practices and local policies
End state - what is the goal? (eradicate infection, back to operating status)
Relation to governance/regulatory reqs. (do we have to report? What do we report? Fallout from incident, etc)
Lessons Learned
https://sbscyber.com/resources/7-steps-to-building-an-incident-response-playbook (seems like there are different methodologies)
Why are the things that will give organizations the biggest benefit over time the cause of the most consternation?
| |||
| 2020-040- Jeremy Mio, State of Ohio Election Security | 02 Nov 2020 | 01:03:35 | |
Previous Election Security podcast: https://brakeingsecurity.com/2018-042-election-security-processes-in-the-state-of-ohio
Jeremy Mio (@cyborg00101)
https://itsecurity.cuyahogacounty.us/
(added cybersecurity Directives during 2018 last podcast -jmio)
Einstein (US-CERT program) - Wikipedia Albert Program (added new cybersecurity Directives since last podcast -jmio)
LaRose issues directive to set a new standard for election security in 2020 (added -jmio)
Vuln disclosure policy: Vulnerability Disclosure Policy - Ohio Secretary of State (ohiosos.gov) Did anyone think to pentest the vuln acceptance form? (lol, layers in layers --brbr)
Ohio to ramp up election security with new federal funds | TheHill "Ohio has taken steps to combat those types of threats. In October, Ohio Gov. Mike DeWine (R) signed into law a measure that required post-election audits to ensure the accuracy of the vote count, and created a "civilian cyber security reserve" to defend against potential cyberattacks."
"His [secretary of state LaRose] first-of-its-kind Vulnerability Disclosure Policy invites Ohio's crop of "white-hat" hackers — the good guys, opposite malevolent "black-hat" hackers — to break into the state's election system, find bugs and report them so officials can ensure they're fixed by Election Day. There are some strings attached: White hats aren't allowed to phish for information or tamper with electronic county voter registration systems, and actual voting machines — legally barred from being connected to the internet — are off-limits. If they do find sensitive information, they're expected to report it."
How did the threat model shift from the last time we talked? What has changed in terms of organization and threats?
You mentioned 4-5 different voting regions last time, all with different levels of technology. Any updates on the tech?
How did covid change how voting occurred?
How have you leveraged the Elections Infrastructure ISAC (EI-ISAC) in passing along threats and sharing information?
Has insider threat been part of your threat model and what has your group done to minimize the chances? (why does it feel like the Oscars has more scrutiny in terms of voting security than the US democratic process? --brbr)
What does physical security look like in terms of people going to the polls? (wasn't sure if that was something in your purview --brbr) (this is not (Election Board and Sheriff), but can discuss high level -jmio)
Using hardware domain block services? Malicious Domain Blocking and Reporting (MDBR) Newest Service for U.S. SLTTs (cisecurity.org)
LaRose Setting New Standard For Election Security - Ohio Secretary of State (ohiosos.gov) - 88 election districts will have access to domain blocking tech (mandated to start by 28 August 2020), cybersecurity experts. Can you give us an update on any of what was mentioned in the press release?
Background checks | |||
| Brakesec Call to Action 2023 | 18 Dec 2023 | 00:02:51 | |
Youtube Video: https://youtu.be/IUDPlQaQg8M https://forms.gle/rf145MoN7cskwMjf8 Thank all of you for listening and for your input. RSS feed for the audio podcast is at https://www.brakeingsecurity.com/rss | |||
| 2020-039-Philip Beyer-leadership- making an impact | 28 Oct 2020 | 00:56:39 | |
Phil Beyer - Bio (CISO at Etsy)
Importance of books about behavioral science:
"Thinking Fast and Slow": https://smile.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0374533555
"Predictably Irrational": https://smile.amazon.com/Predictably-Irrational-Revised-Expanded-Decisions/dp/0061353248/
http://humanhow.com/list-of-cognitive-biases-with-examples/
Influence: the Psychology of Persuasion: https://smile.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X
Brain at Work: https://smile.amazon.com/Your-Brain-Work-Revised-Updated/dp/0063003155/
Atomic Habits: https://smile.amazon.com/Atomic-Habits-Proven-Build-Break/dp/0735211299/
Tiny Habits: https://smile.amazon.com/Tiny-Habits-Changes-Change-Everything/dp/0358003326/
New Leader's 100 Day Action Plan: https://smile.amazon.com/New-Leaders-100-Day-Action-Plan/dp/1119223237/
Podcasts:
Manager Tools Podcast: https://manager-tools.com
Career Tools Podcast: https://www.manager-tools.com/all-podcasts?field_content_domain_tid=5
Seth Godin Akimbo: https://www.akimbo.link/
Masters of Scale: https://mastersofscale.com/
Habit stacking - Temptation bundling - Availability Heuristic: https://en.wikipedia.org/wiki/Availability_heuristic
Brian's Recommendations: Big 9: https://www.amazon.com/Big-Nine-Thinking-Machines-Humanity/dp/154177373X
Bryan's Book Recommendations:
Malcolm Gladwell's Talking to Strangers: https://smile.amazon.com/Talking-to-Strangers-audiobook/dp/B07NJCG1XS
The Effective Manager by Mark Horstman: https://smile.amazon.com/The-Effective-Manager-audiobook/dp/B071JSWHBJ
ADKAR: A Model for Change in Business, Government and our Community: https://smile.amazon.com/ADKAR-Change-Business-Government-Community/dp/1930885504
Improved interviews online
First 90 days as CISO - First 90 day plan: https://www.manager-tools.com/2012/06/90-day-new-job-plan-overview
Capability Assessment: https://www.strategyand.pwc.com/gx/en/unique-solutions/capabilities-driven-strategy/capabilities-assessment.html
Socratic method: https://en.wikipedia.org/wiki/Socratic_method
Impacts to make: Building rapport with new directs; Creating a new relationship 'budget' with manager/board, colleagues; Planning your strategy to make meaningful change in the org as a whole | |||
| SPONSORED PODCAST: Neil Patel, Illumio on Microsegmentation, and adopting the Zero Trust philosophy | 23 Oct 2020 | 00:33:18 | |
http://brakeingsecurity.com/2020-023-jame-nelson-from-illumio-cyber-resilence-business-continuity
What is Zero Trust and why should companies adopt a Zero Trust philosophy?
Amanda: What are one of the more important steps someone should take when looking to implement zero trust?
How does segmentation fit in a Zero Trust model? What are some of the challenges and benefits that come with segmentation?
Are there real-world examples of how segmentation has stopped a breach and how that relates to the Zero Trust philosophy?
How can Zero Trust principles help prevent the spread of ransomware or another security epidemic?
Do you need 100% asset mgmt already before implementing or is that part of what you do as well?
Integrations: you mentioned auth functions, but how integrated can Illumio go with your env? EDR? NDR? (saw on your site, you're fully integrated with Crowdstrike falcon)
Tell us more about the Forrester Wave? What do the findings mean and why do they matter? https://www.illumio.com/resource-center/research-report/forrester-wave-zero-trust-2020 Twitter: https://twitter.com/illumio LinkedIn: https://www.linkedin.com/company/illumio/mycompany/ | |||
| 2020-038-Phil_Beyer-etsy-CISO-leadership-making-an-impact | 20 Oct 2020 | 00:41:45 | |
| |||
| 2020-037-Katie Moussouris, Implementing VCMM, diversity in job descriptions - Part 2 | 11 Oct 2020 | 00:39:18 | |
Introduce Katie (bio) (@k8em0) CEO and Owner, LutaSecurity
The scope of the VCMM (what is it?)
VCMM - Vulnerability Coordination Maturity Model https://www.lutasecurity.com/vcmm
Just covers the internal process? To ready an org for a bug bounty program or to accept vulns from security researchers?
You mentioned not playing whack-a-mole, when it comes to responding at the beginning of a vuln disclosure program. Is the directing of different categories of bugs one of the things that goes into not having to just wait for the bugs to roll in?
What's the timeline for this process? "We need something for a product launch next week…"
Stakeholders involved? CISO? Security team? IT? Devs?
What precipitates the need for this? Maturity? Vuln Disclosure?
Are the ISO docs required for this to work, or will they assist in an easier outcome? https://blog.rapid7.com/2017/12/19/nist-cyber-framework-revised-to-include-coordinated-vuln-disclosure-processes/
10 worst jobs (popsci article): https://web.archive.org/web/20070712070214/https://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd.html
How does an org use this to communicate vulnerabilities in their own products?
What's the bare minimum you need on this chart for a successful program? Are any facets more important than the others? Does anyone hit all 3s, or is that a pipedream?
Incentive "no legal action will be taken". People want money… not tours, not 10-point font. How do you convince 'good' bug writers to want to help you for a 'thank you'? Should incentive be a 'Level 3' or would you consider it not ready for prime-time? https://www.zdnet.com/article/yahoo-changes-bug-bounty-policy-following-t-shirt-gate/
Vuln reporting: Lots of Twitter fodder of companies that handle vuln disclosure poorly, even folks say that you shouldn't bother and deal with a 3rd party.
If a company is taking bugs and doing all the baseline items, what are some other things they could do to make security disclosure easier? Clearly stated bugs@ or security@ (and not buried in 3 point font in the privacy policy, or ToS)? SLA to reply to all bugs? Standardized disclosure form for discoveries?
Slide Presentation Overview: https://7bb97855-c50f-4dce-9a1c-325268684c64.filesusr.com/ugd/ed9b4b_f04d16446542494887906777a39204bf.pdf
ISO 29147:2018 - $150 USD https://www.iso.org/standard/72311.html
ISO 30111:2019 - $95 USD https://www.iso.org/standard/69725.html
ISO 27034-7:2018 - $150 USD https://www.iso.org/standard/66229.html
| |||
| 2020-036-Katie Moussouris, Vulnerability Coordination Maturity Model, when are you ready for a bug bounty - Part 1 | 06 Oct 2020 | 00:37:08 | |
Introduce Katie (bio) (@k8em0) CEO and Owner, LutaSecurity
The scope of the VCMM (what is it?)
VCMM - Vulnerability Coordination Maturity Model https://www.lutasecurity.com/vcmm
Just covers the internal process? To ready an org for a bug bounty program or to accept vulns from security researchers?
You mentioned not playing whack-a-mole, when it comes to responding at the beginning of a vuln disclosure program. Is the directing of different categories of bugs one of the things that goes into not having to just wait for the bugs to roll in?
What's the timeline for this process? "We need something for a product launch next week…"
Stakeholders involved? CISO? Security team? IT? Devs?
What precipitates the need for this? Maturity? Vuln Disclosure?
Are the ISO docs required for this to work, or will they assist in an easier outcome? https://blog.rapid7.com/2017/12/19/nist-cyber-framework-revised-to-include-coordinated-vuln-disclosure-processes/
10 worst jobs (popsci article): https://web.archive.org/web/20070712070214/https://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd.html
How does an org use this to communicate vulnerabilities in their own products?
What's the bare minimum you need on this chart for a successful program? Are any facets more important than the others? Does anyone hit all 3s, or is that a pipedream?
Incentive "no legal action will be taken". People want money… not tours, not 10-point font. How do you convince 'good' bug writers to want to help you for a 'thank you'? Should incentive be a 'Level 3' or would you consider it not ready for prime-time? https://www.zdnet.com/article/yahoo-changes-bug-bounty-policy-following-t-shirt-gate/
Vuln reporting: Lots of Twitter fodder of companies that handle vuln disclosure poorly, even folks say that you shouldn't bother and deal with a 3rd party.
If a company is taking bugs and doing all the baseline items, what are some other things they could do to make security disclosure easier? Clearly stated bugs@ or security@ (and not buried in 3 point font in the privacy policy, or ToS)? SLA to reply to all bugs? Standardized disclosure form for discoveries?
Slide Presentation Overview: https://7bb97855-c50f-4dce-9a1c-325268684c64.filesusr.com/ugd/ed9b4b_f04d16446542494887906777a39204bf.pdf
ISO 29147:2018 - $150 USD https://www.iso.org/standard/72311.html
ISO 30111:2019 - $95 USD https://www.iso.org/standard/69725.html
ISO 27034-7:2018 - $150 USD https://www.iso.org/standard/66229.html
| |||
| 2020-035-ransomware death in Germany, Zerologon woes, drovorub, and corp data on personal devices | 29 Sep 2020 | 01:09:09 | |
FIND US NOW ON AMAZON MUSIC! https://music.amazon.com/podcasts/51b7da82-c223-4de4-8fc1-d1c3dd61984a/Brakeing-Down-Security-Podcast
Shout out to the organizers of Bsides Edmonton, Alberta, Canada for a great conference!
Amanda's social media takeover this week
Bryan's plumbing story (A tale of 3 toilets)
https://www.infosecurity-magazine.com/news/corporate-data-on-personal-devices/
https://www.infosecurity-magazine.com/news/fatality-after-hospital-hacked/
https://fortune.com/2020/09/18/ransomware-police-investigating-hospital-cyber-attack-death/
Zerologon - https://nakedsecurity.sophos.com/2020/09/17/zerologon-hacking-windows-servers-with-a-bunch-of-zeros/
US govt orders federal agencies to patch dangerous Zerologon bug by Monday, 21 September 11:59 EDT
Tweet mentioning not needing to reset passwords for access: https://twitter.com/MsftSecIntel/status/1308941504707063808?s=20
Linux malware (drovorub) https://www.tripwire.com/state-of-security/featured/drovorub-malware/
Rampant Kitten's arsenal includes Android malware that bypasses 2FA
https://exploit.kitploit.com/2020/09/tp-link-cloud-cameras-ncxxx-bonjour.html
https://www.infosecurity-magazine.com/news/former-pm-passport-phone-hacker/
https://threatpost.com/bluetooth-spoofing-bug-iot-devices/159291/
| |||
| 2020-034-Fortnite account selling, process change agility, IRS wanting to track the 'untrackable' | 14 Sep 2020 | 00:53:32 | |
https://www.kitploit.com/2020/05/web-hackers-weapons-collection-of-cool.html
https://www.ehackingnews.com/2020/09/hackers-attack-gaming-industry-sell.html
https://www.secjuice.com/windows-10-penetration-testing-os/ Nice to see stories about using Win10 as a pentest platform. Was always a PITA to update Kali or whatever. @secjuice One reason I enjoyed Dave Kennedy's 'pentester framework' --brbr
https://www.ehackingnews.com/2020/09/a-new-security-vulnerability-discovered.html
https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support
https://kbondale.wordpress.com/2020/09/13/lets-flatten-five-agile-fallacies/ Speak more to the need for process improvement. Trying to embrace a new 'agile' methodology is bunk. Find inefficiencies, work to improve those, collect metrics to show improvements.
https://www.linkedin.com/pulse/intersection-change-management-project-paula-alsher/ Lead to an excellent segue to our book club.
By the book, https://brakesec.com/adkar - used books on Amazon going for less than $10 USD Thursday 17, 2020 - 7pm Pacific FEEDBACK: "Gotta say I'm really enjoying this book. It has my mind moving in so many directions - our team's change initiatives and desires, the agency-level initiatives, other change leaders in our org and their tools/techniques and successes/failures."
https://securityscorecard.com/blog/the-cisos-guide-to-reporting-cybersecurity-to-the-board This came up during a discussion on our Slack. | |||
| 2020-033-garmin hack, Tesla employee thwarted IP espionage, Slack RCE payout, and more! | 31 Aug 2020 | 01:13:08 | |
WWFH Class: (Ms. Berlin) "Breaching the Cloud" @dafthack
https://www.blackhillsinfosec.com/breaching-the-cloud-perimeter-w-beau-bullock/
https://wildwesthackinfest.com/wwhf-at-secure-wv/
IWCE 2020 panel: "Being a thought leader"
ADKAR class Book Club: 03 September 2020 7pm: https://smile.amazon.com/ADKAR-Change-Business-Government-Community/dp/1930885504/ref=sr_1_1?dchild=1&keywords=ADKAR&qid=1598543747&sr=8-1
TLS certificate lifetime is now 13 months (397 days):
Tesla and FBI prevented $1 million ransomware hack at Gigafactory Nevada https://electrek.co/2020/08/27/tesla-fbi-prevent-ransomware-hack-gigafactory-nevada/
https://hackerone.com/reports/783877 https://www.reddit.com/r/netsec/comments/iifh3r/remote_code_execution_in_slack_desktop_apps/
Reserved Campsites for InfosecCampout 2021
MHH Feel Good Boxes Trojan - "not my fault" Segfaults and then injects DLLs @seaseceast | |||
| 2020-032-Dr. Allan Friedman, SBOM, Software Transparency, and how the sausage is made - Part 2 | 24 Aug 2020 | 00:57:42 | |
Ms. Berlin: Tabletop D&D exercise Blumira is hiring https://www.blumira.com/career/lead-backend-engineer/
Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce
NTIA.gov - National Telecommunications and Information Administration
https://www.ntia.gov/sbom SBOM guidance
Healthcare SBOM PoC - https://www.ntia.gov/files/ntia/publications/ntia_sbom_healthcare_poc_report_2019_1001.pdf
Allan's talk at Bsides San Francisco: https://www.youtube.com/watch?v=9j1KYLfklMQ
Questions (more may be added during the show, depending on answers given) What is NTIA? What is SBOM? Why do we need one? Is it poor communications between vendors? Is there any difference between "Software transparency" and "Software bill of materials"?
How do you make an SBOM? What data formats make sharing easier? What does a company do with an SBOM?
Where in the development (hardware or software) would you be creating an SBOM?
You mention in your BSSF talk about 'how detailed it should be'. Can you give us an example of a high level SBOM, versus a more detailed one? Does it become a risk/reward effort concerning detail?
IoT device creators are working with their 3rd parties, who are working with their 3rd parties. Someone at home with a webcam cannot easily ask for an SBOM, so how do we convince device makers to want to ask for them?
How do you get your 3rd party that is a multi-national corporation to supply you with the information you need to ?
As we saw with RIPPLE20, many companies don't know what they have. How would SBOM help keep another RIPPLE20 from happening?
Rob Graham's blog post highlighted that vulns like HeartBleed would not have been stopped. How does this help us track potential vulns?
Sharing information Best way to share information about IoT components?
Could an information sharing org (ISAC) track these more readily?
vendor assessments: Vendor does not have an SBOM, any specific questions we might ask that will allow an org to get more resolution into a potential vendor?
Interesting feedback from NTIA's RFC
Other SBOM types (CycloneDX, OpenBOM, FDA's CBOM)
Companies are out there creating SBOM, other government agencies have SBOM implementations. How do we keep this from being the XKCD "927" issue? https://xkcd.com/927/
non-US implementations of SBOM?
How do we get our companies to implement these?
SBOM could easily be something that could give hackers a lot of information about your org and depending on the information contained, I could see why you might not want to get super specific… Thoughts?
What is a 'Bill of Materials'?
SBOM - Definition
As of November 2019, an estimated 126 different platforms - https://www.postscapes.com/internet-of-things-platforms/
NTIA did an RFC on "promoting the sharing of Supply Chain Security Risk Information"
Secure and Trusted Communications Network Act of 2019 (Act) - Calling it "CBOM"
Other groups working on similar: FDA https://www.fda.gov/media/119933/download
SPDX: Linux Foundation: https://spdx.org/licenses/
https://github.com/CycloneDX/specification
https://www.fda.gov/medical-devices/digital-health/cybersecurity
Medical device IR Playbook: https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf
Companies are helping to get "CBOM" for devices: "It can take anywhere from six months to a year for a new medical device to get its 510(k) clearance from the FDA," said MedCrypt CEO Mike Kijewski in a news release. https://www.medicaldesignandoutsourcing.com/medcrypt-acquires-medisao-in-medtech-cybersecurity-deal/
SBOM doesn't work in DevOps: https://cybersecurity.att.com/blogs/security-essentials/software-bill-of-materials-sbom-does-it-work-for-devsecops
Intoto software development: https://www.intotosystems.com/
| |||
| 2020-031-Allan Friedman, SBOM, software transparency, and knowing how the sausage is made | 18 Aug 2020 | 00:44:50 | |
Ms. Berlin: Tabletop D&D exercise
Blumira is hiring https://www.blumira.com/career/lead-backend-engineer/
Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce
NTIA.gov - National Telecommunications and Information Administration
https://www.ntia.gov/sbom SBOM guidance
Healthcare SBOM PoC - https://www.ntia.gov/files/ntia/publications/ntia_sbom_healthcare_poc_report_2019_1001.pdf
Allan's talk at Bsides San Francisco: https://www.youtube.com/watch?v=9j1KYLfklMQ
Questions (more may be added during the show, depending on answers given)
What is NTIA? What is SBOM? Why do we need one? Is it poor communications between vendors? Is there any difference between "Software transparency" and "Software bill of materials"?
How do you make an SBOM? What data formats make sharing easier? What does a company do with an SBOM?
Where in the development (hardware or software) would you be creating an SBOM?
You mention in your BSSF talk about 'how detailed it should be'. Can you give us an example of a high level SBOM, versus a more detailed one? Does it become a risk/reward effort concerning detail?
IoT device creators are working with their 3rd parties, who are working with their 3rd parties. Someone at home with a webcam cannot easily ask for an SBOM, so how do we convince device makers to want to ask for them?
How do you get your 3rd party that is a multi-national corporation to supply you with the information you need to ?
As we saw with RIPPLE20, many companies don't know what they have. How would SBOM help keep another RIPPLE20 from happening?
Rob Graham's blog post highlighted that vulns like HeartBleed would not have been stopped. How does this help us track potential vulns?
Sharing information Best way to share information about IoT components?
Could an information sharing org (ISAC) track these more readily?
vendor assessments: Vendor does not have an SBOM, any specific questions we might ask that will allow an org to get more resolution into a potential vendor?
Interesting feedback from NTIA's RFC
Other SBOM types (CycloneDX, OpenBOM, FDA's CBOM)
Companies are out there creating SBOM, other government agencies have SBOM implementations. How do we keep this from being the XKCD "927" issue? https://xkcd.com/927/
non-US implementations of SBOM?
How do we get our companies to implement these?
SBOM could easily be something that could give hackers a lot of information about your org and depending on the information contained, I could see why you might not want to get super specific… Thoughts?
What is a 'Bill of Materials'?
SBOM - Definition
As of November 2019, an estimated 126 different platforms - https://www.postscapes.com/internet-of-things-platforms/
NTIA did an RFC on "promoting the sharing of Supply Chain Security Risk Information"
Secure and Trusted Communications Network Act of 2019 (Act) - Calling it "CBOM"
Other groups working on similar: FDA https://www.fda.gov/media/119933/download
SPDX: Linux Foundation: https://spdx.org/licenses/
https://github.com/CycloneDX/specification
https://www.fda.gov/medical-devices/digital-health/cybersecurity
Medical device IR Playbook: https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf
Companies are helping to get "CBOM" for devices: "It can take anywhere from six months to a year for a new medical device to get its 510(k) clearance from the FDA," said MedCrypt CEO Mike Kijewski in a news release. https://www.medicaldesignandoutsourcing.com/medcrypt-acquires-medisao-in-medtech-cybersecurity-deal/
SBOM doesn't work in DevOps: https://cybersecurity.att.com/blogs/security-essentials/software-bill-of-materials-sbom-does-it-work-for-devsecops
Intoto software development: https://www.intotosystems.com/
510k process: https://www.drugwatch.com/fda/510k-clearance/ | |||
| How to get more headcount, BLUFFs Vulnerability, and Ranty Clause debuts! | 04 Dec 2023 | 01:19:11 | |
Show Topic Summary: Ms. Berlin proposes a question of how to gather more headcount with metrics, we discuss the BLUFFS Bluetooth vulnerability, and "Ranty Claus" talks about CISA's remarks on putting the onus on device product makers to remove choice for customers and implement secure defaults. #youtube VOD: https://www.youtube.com/watch?v=emcAzTx9z0c Questions and topics: Additional information / pertinent Links (Would you like to know more?):
Show points of Contact: Amanda Berlin: @infosystir @hackershealth Brian Boettcher: @boettcherpwned Bryan Brake: @bryanbrake on Mastodon.social, https://linkedin.com/in/brakeb Brakesec Website: https://www.brakeingsecurity.com Twitter: @brakesec Youtube channel: https://youtube.com/c/BDSPodcast Twitch Channel: https://twitch.tv/brakesec | |||
| 2020-030- Mick Douglas, Defenses against powercat, offsec tool release, SRUM logs, and more! | 10 Aug 2020 | 01:23:12 | |
WISP.org donation page: https://wisporg.z2systems.com/np/clients/wisporg/donation.jsp
Mick Douglas (@bettersafetynet on Twitter)
Powercat: https://github.com/besimorhino/powercat
Netcat in a PowerShell environment https://www.hackingarticles.in/powercat-a-powershell-netcat/
Defenses against powercat?
LolBins: https://www.cynet.com/blog/what-are-lolbins-and-how-do-attackers-use-them-in-fileless-attacks/
ElasticSearch bought Endgame: https://www.elastic.co/about/press/elastic-announces-intent-to-acquire-endgame
https://krebsonsecurity.com/2020/07/thinking-of-a-cybersecurity-career-read-this/
Twitter DM to @bettersafetynet: https://twitter.com/hrbrmstr/status/1287442304593276929
My thinking is if Cisco and others didn't try to intentionally downplay vulnerabilities by announcing them on a Friday, would we be more likely to patch sooner? Also, greater need for testing of patches to ensure that 80% of your workforce rely on that technology now. What's worse? Patching on a Friday evening (after several hours explaining the vuln to a manager), and then having it fuck something up so you're up at crack of dawn Monday troubleshooting something missed Friday night because testing was rushed/not conducted because the CEO can't access email? I have thoughts, I've added this to the show note google doc.
https://www.reddit.com/r/netsec/comments/hwaj6f/nmap_script_fot_cve20203452/ -- nmap PoC script?
Embargoed vulns…
Getting management buy-in to patch | |||
| 2020-029- Brad Spengler, Linux kernel security in the past 10 years, software dev practices in Linux, WISP.org PSA | 31 Jul 2020 | 01:05:34 | |
WISP.org PSA at 35m56s - 37m 19s
Agenda: Why are you here (topic discussion) What is the Linux Security Summit North America
Questions from the meeting invite:
This only affects people who want to use a custom kernel, correct? This doesn't affect you if you are running bog-standard linux (debian, gentoo, Ubuntu) right?
What options do people have in cloud environments?
Does the use of microservices make grsecurity less worthwhile?
You mentioned ARM 64 processors in your first slide as making significant security functionality strides. With Apple and Microsoft going to ARM based processors, what are some things you feel need to be added to the kernel to shore up Linux for ARM, since some purists enjoy an Apple device with Linux on it?
https://www.youtube.com/watch?v=F_Kza6fdkSU - Youtube Video
https://grsecurity.net/10_years_of_linux_security.pdf -- pdf slides
https://lwn.net/Articles/569635/ - Definition of KASLR
LTS kernels moved from 2 years to 6 years - why? 6 years is pretty much "FOREVER" in software development. Patches get harder to backport, or worse: could introduce new vulnerabilities.
Project Treble: https://www.computerworld.com/article/3306443/what-is-project-treble-android-upgrade-fix-explained.html
LTSI: https://ltsi.linuxfoundation.org/
4.4 XLTS is available until Feb 2022 - If fixes and all bugs haven't been backported (1,250 security fixes aren't in the latest stable 4.4 kernel)
What are the "safe" kernels?
Has anything changed since the presentation you gave earlier in July 2020?
Syzkaller
Let's discuss Slide 27 (what are those terms?) "Is it improving code quality, or is it making people lazier and more reliant on a tool to check code?"
Slide 29 audio, you mention that you use Syzkaller… why do you use it?
Exploitation Trends
Attackers still don't care about whether a vulnerability has a CVE assigned or not
Don't many vulnerabilities require some work to get to the kernel? And why should they work to get to the kernel?
500K IF the kernel vuln affects major distros (Centos, Ubuntu) https://resources.whitesourcesoftware.com/blog-whitesource/top-10-linux-kernel-vulnerabilities
Why does Zerodium payout for kernel vulns lower than application vulns? Would it be fair to say that getting root/persistence is all that matters and you don't need to worry about the kernel to do so?
Many of the new security features are protecting against bad programming practices? So by adding all these things, who are you securing systems against? Bad actors, or devs who employ poor coding measures? Why do you think we see lower adoption rates of security
Problem solving: Halvar Flake: http://addxorrol.blogspot.com/2020/03/before-you-ship-security-mitigation.html
If we have time…
Threat models in a kernel
Where do they go in the development lifecycle?
If kernel dev is an open environment, what precipitates the need for a kernel mitigation threat model?
Is there an example somewhere that we can see? What is the format? Methodology?
Do you think static code analysis of the kernel is worthwhile at all? Absolutely! We do a lot of it, including via the analysis resulting from compiling with LLVM, as well as via specific static analysis GCC plugins of our own.
OK, what about the large amount of false positives the analyzers generate? Do you get around with your custom plugins? Also do you use the analyzers included with Clang and GCC v.10 or 3rd products? That's usually a property of the analysis itself -- some can have large false positive issues, others not. Ideally we try to limit that for the plugins we write (we just recently added one helpful for some kind of NULL ptr dereferences this week). My understanding is the public now also has access to the Coverity reports for the kernel? As far as GCC versions, yes we test with all versions from 4.5 to 10.
What do you think of proposed XPFO patch? https://lwn.net/Articles/784839/ The performance profile is a big problem, and it doesn't address that the same attack can be performed in a different way that it wouldn't handle (that limitation is also mentioned in the original paper). So we haven't invested in it at all with our own work.
how about git sha-256 security measures ? Not my domain of expertise, but sounds like a good idea.
What is the status of KASLR on non-Intel architectures? ARMv7/v8? It exists there as well, and is shipped in Android. It's also recently been added for PowerPC.
What dynamic analysis/testing tools do you use for the kernel? We have a couple racks of hardware, including some new AMD EPYC2 systems dedicated entirely to testing and syzkaller fuzzing. We have syzkaller in place (along with backports of functionality to improve its functionality/coverage) for all kernels we support, as well as a good mix of physical/VM systems for major distros, and automated build/boot/functionality/regression testing in a number of configs across ARM/ARM64/MIPS/PowerPC/SPARC64/i386/x86_64. Thanks! Do you write your own configs/definitions for syzkaller? Yes, including some changes to the code to have it detect some of our specific kernel messages (size_overflow, refcount, RAP, etc.)
What do you think about LKRG? Also, does grsec provide any similar runtime protection/detection/security? I think it's a good alternative to some other commercial security products, but it's not what our goal is with grsecurity. I like the author of LKRG, but heuristic-based security is always problematic as you can't perform the checks everywhere they need to be performed, or as often as they need to be performed. When an attacker knows the checks performed (or has a general idea), then it's easy to devise an attack that would bypass it, knowing how computationally complex it would be to detect. So in grsecurity we focus on providing real defense vs just having a chance to detect something after the fact.
Do you plan on implementing RAP on PowerPC Architecture? We haven't seen any commercial interest in it, but RAP is technically architecture-independent. We've done some demos for non-x86 architectures, and also just recently (within the past month or so), released a version for i386.
For how long is grsecurity planning to support 5.4 LTS, and LTS kernels generally? What do you think is a good rule of thumb? We've always generally supported them for 3 years, regardless of upstream's support periods. We have an independent process for performing backports that involves looking at all the upstream commits and other sources of information, regardless of any stable/Fixes tags (basically a manual version of AUTOSEL).
What is your opinion of the recently proposed Function-Granular KASLR series? Not a fan of *KASLR in the kernel in general. It tries to deal with a problem (poorly) that there already exists a much better solution for: CFI.
Could you comment on how well (relative to your detailed x86 knowledge) ARM and PPC security fixes are backported? We have many years of reverse engineering experience (15+ on my end) across multiple architectures. We were the first to develop software-based PXN/PAN for ARM for instance. We've also developed functionality specifically for non-x86 architectures. Within the past 2 years or so, we added POWER9 support for REFCOUNT, and have the physical hardware on site (in addition to qemu-based testing) to perform the work. But yes, our backports cover all architectures we support.
What is your opinion on the use of BPF for security-purposes, i.e. security monitoring and newer approaches like KRSI? Enabling something like BPF solely for the use of security seems like it could backfire, given how invasive it is. As long as it's not controllable by an unprivileged user, I think it's fine. Anything that avoids the hassle of having to upstream something in order to implement some new kind of security check, is a good idea. They'll still be limited by the LSM interface itself, so that would be the next barrier to go. With BTF, there's a lot of possibility there.
Regarding exploiting containers: isn't the issue with containers that they have very poor defaults and that people don't use the features they could? For example: mounting sysfs or procfs into a container or not adjusting seccomp/apparmor (or better(?) selinux) policies? That's a problem, but the crucial problem is the shared kernel among all containers. If you look at past exploits, they've been in things like futex, mremap, waitid, brk, etc, all syscalls that would be allowed in nearly all of the most strict seccomp policies. The granularity of current seccomp policies is really not that great, and any sufficiently complex code will necessarily have exposure to a large part of kernel attack surface.
What do you think about the CIP Projects' focus on CVE tracking (especially for the kernel)? It's a good initiative, but the main problem with the kernel is that most vulnerabilities in the kernel don't get a CVE in the first place. I know for certain that many of the security issues we've tweeted haven't had a CVE assigned. The ones that do are when a distro with the vuln present in their kernel spots it and requests one. Most vulnerabilities in recent kernels especially don't get CVEs requested, because distros aren't shipping them.
What's your opinion on SMACK? Any other reference implementation except Tizen? Haven't used it myself, so no opinion one way or another, sorry. Doesn't seem bad at least in terms of number of security fixes backported to it compared to other access control LSMs.
If you disable as many CONFIG_* options as possible in your kernel config, have you actually reduced your attack surface, or is most of the vulnerable code not in modules? Yes, this is a good approach particularly for upstream kernels. I would definitely recommend compiling your own kernel instead of using default distro configs (from a security perspective). Under grsecurity, we have a feature that makes it actually a good idea to put as much functionality in modules as possible, as they can't be auto-loaded by unprivileged users. So the functionality is there if it's needed across a fleet of systems, without the downsides.
TARA analysis performed in Linux Kernel? I'm not familiar with this, sorry!
Is the poor state of LTS and XLTS security backports found in PPC and ARM as well as (presumably) what you report for x86? It's somewhat of an across-the-board problem.
Actually, I hoped that you would tell us about new cool features that have appeared in grsecurity. Can you share anything about your new kernel heap hardening? It's called AUTOSLAB, and it's useful both for security (particularly against AEG and UAFs), but also for debugging. Minimal performance impact: we've had one person mention their system feels faster now, and we actually had a bug in one of our routine benchmarks where the feature got enabled in the "minimal" config, yet still reported better benchmark results in all tests than an upstream kernel. So a really nice performance profile, with some additional memory wastage in the MEMCG case, but nothing terrible. Also non-invasive, as it's done through a GCC plugin.
Thanks for your talk, Brad! What would make you work for upstream? We offered that already years ago, and none of the companies involved seemed to be interested. So we're funded directly now by people that benefit from our work.
Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonSmile: https://brakesec.com/smile #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec | |||
| 2020-028-Shlomi Oberman, RIPPLE20, supply chain security discussion, software bill of materials | 24 Jul 2020 | 01:00:51 | |
Whitepaper: https://www.jsof-tech.com/ripple20/
[blog] Build your own custom TCP/IP stack: https://www.saminiir.com/lets-code-tcp-ip-stack-1-ethernet-arp/
Another custom TCP/IP stack: https://github.com/tass-belgium/picotcp
RIPPLE 20 Whitepaper: https://drive.google.com/file/d/1d3NNVCRPVFk0-V0HUO5CxWWVn9pYIvmF/view?usp=sharing
Agenda:
Part 1: Background on the report
Why is it called RIPPLE20? What's the RIPPLE about?
Communications with Treck (and its Japanese counterpart)
Were you surprised about the reaction? Positive or negative?
Types of systems affected? IoT, embedded systems, SCADA
What precipitated the research?
What difficulties did you face in finding these vulns? Deadlines?
What tools were used for analysis? (I think you mentioned Forescout --brbr)
What kind of extensibility are we talking about? TCP sizes?
What did JSOF gain by doing this?
What were the initial benefits of using the TCP/IP stack? Speed? Size?
Did Treck give you access to source? Any specific requirements set by Treck? Any items that were off-limits?
Updates since the report was released?
Are your vulns such that they can be detected online?
Part 2: Supply chain issues
What should companies do when they don't know what's in their own tech stack?
Software bill of materials: https://en.wikipedia.org/wiki/Software_bill_of_materials
PicoTCP link above does not release all code, because they use binary blobs that make proper code review next to impossible: "Unfortunately we can't release all the code, a.o. because some parts depend on code or binaries that aren't GPL compatible, some parts were developed under a commercial contract, and some consist of very rough proof-of-concept code. If you want to know more about the availability under the commercial license, or the possibility of using our expert services for porting or driver development, feel free to contact us at picotcp@altran.com."
BLoBs = https://en.wikipedia.org/wiki/Proprietary_device_driver
Vendor Contact
How many organizations are affected by these vulnerabilities?
Are some devices and systems more vulnerable than others?
How many are you still investigating to see if they are affected?
What's the initial email look like when you tell a company "you're vulnerable to X"?
Who are you dealing with initially?
What is your delivery when you're routed to non-technical people?
How did you tailor your initial response when you learned of the position of the person?
Lessons Learned: Any additional tooling that you'd have used?
BlackHat talk: 05 August
What should companies do to reduce or mitigate the chances of the types of vulnerabilities found by your org?
https://www.supplychainservices.com/blog/major-security-risks-windows-embedded-users
| |||
| 2020-027-RIPPLE20 Report, supply chain security, responsible disclosure, software development, and vendor care. | 16 Jul 2020 | 00:48:34 | |
Whitepaper: https://www.jsof-tech.com/ripple20/
[blog] Build your own custom TCP/IP stack: https://www.saminiir.com/lets-code-tcp-ip-stack-1-ethernet-arp/
Another custom TCP/IP stack: https://github.com/tass-belgium/picotcp
RIPPLE 20 Whitepaper: https://drive.google.com/file/d/1d3NNVCRPVFk0-V0HUO5CxWWVn9pYIvmF/view?usp=sharing
Agenda:
Part 1: Background on the report
Why is it called RIPPLE20? What's the RIPPLE about?
Communications with Treck (and its Japanese counterpart)
Were you surprised about the reaction? Positive or negative?
Types of systems affected? IoT, embedded systems, SCADA
What precipitated the research?
What difficulties did you face in finding these vulns? Deadlines?
What tools were used for analysis? (I think you mentioned Forescout --brbr)
What kind of extensibility are we talking about? TCP sizes?
What did JSOF gain by doing this?
What were the initial benefits of using the TCP/IP stack? Speed? Size?
Did Treck give you access to source? Any specific requirements set by Treck? Any items that were off-limits?
Updates since the report was released?
Are your vulns such that they can be detected online?
Part 2: Supply chain issues
What should companies do when they don't know what's in their own tech stack?
Software bill of materials: https://en.wikipedia.org/wiki/Software_bill_of_materials
PicoTCP link above does not release all code, because they use binary blobs that make proper code review next to impossible: "Unfortunately we can't release all the code, a.o. because some parts depend on code or binaries that aren't GPL compatible, some parts were developed under a commercial contract, and some consist of very rough proof-of-concept code. If you want to know more about the availability under the commercial license, or the possibility of using our expert services for porting or driver development, feel free to contact us at picotcp@altran.com."
BLoBs = https://en.wikipedia.org/wiki/Proprietary_device_driver
Vendor Contact
How many organizations are affected by these vulnerabilities?
Are some devices and systems more vulnerable than others?
How many are you still investigating to see if they are affected?
What's the initial email look like when you tell a company "you're vulnerable to X"?
Who are you dealing with initially?
What is your delivery when you're routed to non-technical people?
How did you tailor your initial response when you learned of the position of the person?
Lessons Learned: Any additional tooling that you'd have used?
BlackHat talk: 05 August
What should companies do to reduce or mitigate the chances of the types of vulnerabilities found by your org?
https://www.supplychainservices.com/blog/major-security-risks-windows-embedded-users
| |||
| 2020-026- WISP PSA, PAN-OS vuln redux, F5 has a bad weekend, vuln scoring, Twitter advice, and more! | 08 Jul 2020 | 00:58:22 | |
1st: WISP.org PSA from Rachel Tobac (@racheltobac) & @wisporg talking about #shareTheMicInCyber
#SAML PAN-OS: https://twitter.com/RyanLNewington/status/1278074919092289537
F5 vulnerability: https://www.wired.com/story/f5-big-ip-networking-vulnerability/
F5 Mitigation (if patching is not immediately possible): https://twitter.com/TeamAresSec/status/1280590730684256258
Redirect 404 /
https://twitter.com/wugeej/status/1280008779359125504 - Tweet with PoC for the LFI and RCE
F5 Big-IP CVE-2020-5902 LFI and RCE
LFI: https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd or /etc/hosts or /config/bigip.license
RCE: https:///tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami
How to cope in a no-win situation:
Semicolon in bash: https://docstore.mik.ua/orelly/unix3/upt/ch28_16.htm#:~:text=When%20the%20shell%20sees%20a,once%20at%20a%20single%20prompt. | |||
| 2020-025-Cognizant breach, maze ransomware, PAN-OS CVE 2020-2021, SAML authentication walkthrough | 29 Jun 2020 | 00:46:33 | |
Thank you to Marcus Carey for his excellent guidance and leadership this week.
Cognizant breach: https://www.ehackingnews.com/2020/06/cognizant-reveals-employees-data.html Maze ransomware write-up: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-types/saml
PAN-OS CVE 2020-2021 - We have been made aware of a serious issue with SAML on Palo Alto Networks PAN-OS. We strongly encourage our customers to upgrade to one of the following versions: PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3 and greater. This is a critical vulnerability with the only mitigation being to either turn OFF SAML or to upgrade the PAN-OS. A CVE will be released on Monday :: CVE-2020-2021
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language | |||
| 2020-024-Bit of news, Ripple20 vulns, IoT Security, windows error codes, captchas used for evil, Marine Momma | 24 Jun 2020 | 00:49:51 | |
https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3 https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4657 https://www.blumira.com/logmira-windows-logging-policies-for-better-threat-detection/
How would we map this against the MITRE matrix? Are there any MITRE attack types that are so similar that one attack can be two different things in the matrix?
https://www.us-cert.gov/ics/advisories/icsa-20-168-01
| |||
| 2020-023-James Nelson from Illumio, cyber resilence, business continuity | 17 Jun 2020 | 00:48:43 | |
James Nelson, VP of Infosec, Illumio
How has COVID-19 changed cybersecurity?
Why is cyber resilience especially important now?
What are the most important steps to ensure cyber-resiliency?
How do you talk to business leaders about investing in cybersecurity to boost resiliency?
The best way for organizations to keep their 'crown jewels' secure is adopting a Zero Trust mindset. Organizations need to take advantage of adaptive security infrastructure that can scale to meet current and future organizational needs, and take steps to ensure even third-party hosted data is policy compliant.
Most CISOs don't talk to the board all the time, so they don't understand that this is the conversation the board wants to have. The fix is making sure that the security team's spokesperson has an intelligent plan that shows how wrong things could go. Showing how money is directly connected to mitigating the risks is vital to getting the funding needed, as is showing why an increase in spend corresponds to a decrease in risk.
Cyber-Resilience - https://en.wikipedia.org/wiki/Cyber_resilience
https://en.wikipedia.org/wiki/Business_continuity_planning#Resilience
Doug Barth and Evan Gilman - https://brakeingsecurity.com/2017-017-zero_trust_networking_with_doug_barth
Part 1 with Masha Sedova: https://traffic.libsyn.com/secure/brakeingsecurity/Masha_sedova-elevate_security-profiled-education-phishing-part1.mp3
Part 2: https://traffic.libsyn.com/secure/brakeingsecurity/2020-019-masha_sedova-privacy-human_behavior-phishing-customized_training.mp3
https://www.helpnetsecurity.com/2017/08/24/assume-breach-world/
Key concepts:
Visibility into your environment
Controls necessary to repel attackers
Architecture of the network to create chokepoints (east/west, north/south isolation)
Threat modeling and regular threat assessment
Mechanisms to allow for rapid response
How long will current security controls hold a determined attacker at bay?
Business-wide Risk Management response can often determine resiliency in a Crisis/Breach situation.
Cyber-Resilience Framework (per NIST https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final)
What does "cyber resiliency" mean to the organization? To the department? To the individual? And what of the mission or business process the system is intended to support?
Which cyber resiliency objectives are most important to a given stakeholder?
To what degree can each cyber resiliency objective be achieved?
How quickly and cost-effectively can each cyber resiliency objective be achieved?
With what degree of confidence or trust can each cyber resiliency objective be achieved?
(What do we as security people do to ensure that all of these are properly answered? --brbr)
Architecture of systems: Depending on the age of our information systems and technology stacks, cruft builds up or one-off systems are set up and forgotten. We (the infosec industry) talk about shifting security left in a DevOps environment to ensure security gets put in, but what should we do as an organization when we think about adding systems in terms of cyber-resilience? (It would seem that resilience may also be tied to the security or functionality in a piece of hardware and software. Proper understanding of all the system's capabilities/settings/options would be essential for drafting responses --brbr)
Some related and tangential suggestions for ideas/comments/themes/topics in case you feel like any fit into the conversation:
| |||
| 2020-022-Andrew Shikiar, FIDO Alliance, removing password from IoT, and discussing FIDO implementation | 10 Jun 2020 | 00:43:12 | |
Andrew Shikiar, executive director and CMO of the (Fast IDentity Online) FIDO Alliance.
What is FIDO? "open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world's over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords."
Did any one event precipitate creation of the FIDO alliance?
UAF= https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html
U2F = https://en.wikipedia.org/wiki/Universal_2nd_Factor (yubikeys, tokens)
https://landing.google.com/advancedprotection/
FIDO supports biometrics - https://www.biometricupdate.com/202002/how-fido-based-biometric-technology-clears-up-the-iot-authentication-mess
FIDO certified software and companies: https://fidoalliance.org/fido-certified-showcase/
IBM: https://www.ibm.com/blogs/sweeden/fido2-conformance-why-its-a-big-deal/ --
Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework
NIST guidelines that FIDO meets: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
https://fidoalliance.org/certification/authenticator-certification-levels/
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/content/case-study/
https://loginwithfido.com/provider/
From a threat modeling perspective, how does '2fa' occur when the authenticating method and the browser are on the same device?
Consumer education initiative https://loginwithfido.com/
IoT Devices- https://fidoalliance.org/internet-of-things/ https://blog.techdesign.com/fido-authentication-to-secure-iot-devices/
For Developers: https://fidoalliance.org/developers/ or https://webauthn.io/ - dev information about WebAuthN https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/events/ - upcoming webinars for FIDO related topics
NTT DOCOMO introduces passwordless authentication for d ACCOUNT
https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev | |||
| 2020-021- Derek Rook, redteam tactics, blue/redteam comms, and detection of testing | 01 Jun 2020 | 01:17:03 | |
**If Derek told you about us at SANS, send a DM to @brakeSec or email bds.podcast@gmail.com for an invite to our slack** OSCP/HtB/VulnHub is a game... designed to have a tester find a specific nugget of information to pivot or gain access to greater power on the system. Far different in the 'real' world.
Privilege escalation in Windows: *as of June 2020, many of these items still work, may not work completely in the future* *even so, many of these may not work if other mitigating controls are in place*
PENTEST METHODOLOGY: PTES - http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines OSSTMM - https://www.isecom.org/OSSTMM.3.pdf
Redteam methodology: https://www.synopsys.com/glossary/what-is-red-teaming.html
https://www.fuzzysecurity.com/tutorials/16.html
https://medium.com/@Shorty420/enumerating-ad-98e0821c4c78
Enumerate the machine:
Services
Network connections
Users
Logins
Domains
Files
Software installed (putty, git, MSO, etc) *older software may install with improper permissions*
Service paths (along with users services are ran as)
Windows Features (WSL, SSH, etc)
Patch level (Build 1703, etc)
Wifi networks and passwords (netsh wlan show profile <SSID> key=clear)
Powershell history
Bash History (if WSL is used)
Incognito tokens
Stored credentials (cmdkey /list)
Powershell transcripts (search text files for "Windows PowerShell transcript start")
Context for above: Understand how the users make use of the system, and how they connect to other systems, follow those paths to find lateral movement, misconfigurations, etc. Each new system or user will provide further information to loot or avenues to explore
Linux EoP:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Enumeration: mostly the same as above
Bash history or profile files
Writable scripts (tampering with paths or environment variables)
Setuid/Setgid binaries
Sticky bit directories
Crontabs
Email spools
World writable/readable files
.ssh config files (keys, active sessions)
Tmux/screen sessions
Application secrets (database files, web files with database connectivity, hard coded creds or keys, etc)
VPN profiles
GNOME keyrings - https://askubuntu.com/questions/96798/where-does-seahorse-gnome-keyring-store-its-keyrings
Ways to defend against those kinds of EoP.
Something cool: https://www.youtube.com/playlist?playnext=1&list=PLnxNbFdr_l6sO6vR6Vx8sAJZKpgKtWaGX&feature=gws_kp_artist -- high Rollers
Derek is speaking at SANS SUMMIT happening on 04-05 June (FREE!) - https://www.sans.org/event/hackfest-ranges-summit-2020
Ms. Berlin is speaking at EDUCAUSE - VIRTUAL (04 June) https://www.educause.edu/
| |||
| 25Oct - okta breached (again), Energy company hit by supply chain attack, and you can help hire the best people | 26 Oct 2023 | 00:45:53 | |
Subscribe on Twitch using Amazon Prime and watch us live: https://twitch.tv/brakesec Check out our VODs on Youtube: https://www.youtube.com/@BrakeSecEd
News: https://www.darkreading.com/remote-workforce/1password-latest-victim-okta-customer-service-breach https://www.documentcloud.org/documents/24075435-bhi-notice https://www.shacknews.com/article/137505/ransomware-group-capcom-2020-arrested https://www.nasdaq.com/articles/three-cybersecurity-sectors-that-resist-economic-downturns
| |||
| 2020-020-Andrew Shikiar - FIDO Alliance - making Cybersecurity more secure | 27 May 2020 | 00:42:18 | |
Andrew Shikiar, executive director and CMO of the (Fast IDentity Online) FIDO Alliance.
What is FIDO? "open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world's over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords."
Did any one event precipitate creation of the FIDO alliance?
UAF= https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html
U2F = https://en.wikipedia.org/wiki/Universal_2nd_Factor (yubikeys, tokens)
https://landing.google.com/advancedprotection/
FIDO supports biometrics - https://www.biometricupdate.com/202002/how-fido-based-biometric-technology-clears-up-the-iot-authentication-mess
FIDO certified software and companies: https://fidoalliance.org/fido-certified-showcase/
IBM: https://www.ibm.com/blogs/sweeden/fido2-conformance-why-its-a-big-deal/ --
Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework
NIST guidelines that FIDO meets: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
https://fidoalliance.org/certification/authenticator-certification-levels/
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/content/case-study/
https://loginwithfido.com/provider/
From a threat modeling perspective, how does '2fa' occur when the authenticating method and the browser are on the same device?
Consumer education initiative https://loginwithfido.com/
IoT Devices- https://fidoalliance.org/internet-of-things/ https://blog.techdesign.com/fido-authentication-to-secure-iot-devices/
For Developers: https://fidoalliance.org/developers/ or https://webauthn.io/ - dev information about WebAuthN https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/events/ - upcoming webinars for FIDO related topics
NTT DOCOMO introduces passwordless authentication for d ACCOUNT
https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev
| |||
| 2020-019-Masha Sedova, customized training, phishing, ransomware, and privacy implications | 20 May 2020 | 00:39:22 | |
Masha Sedova - Founder, Elevate Security
Topic ideas from the PR company:
The secret is, security teams have installed tons of security tooling that can give insights into how our employees are behaving. But we just leave this data on the cutting room floor. Masha Sedova can talk about where to find this goldmine of data and what security teams can do to leverage this new found knowledge.
Technology like vuln scanners or something more?
Motivation Theory (Deming): https://en.wikipedia.org/wiki/W._Edwards_Deming#Key_principles
X&Y https://en.wikipedia.org/wiki/Theory_X_and_Theory_Y
Ouchi Z theory https://en.wikipedia.org/wiki/Theory_Z_of_Ouchi
Masha's suggested topics:
Why do security teams have difficulty in understanding their human risk today? What are the blockers?
What should security teams be measuring to get a holistic view of human risk?
What's the difference between security culture, security behavior change, and security awareness?
Is security culture a core capability in security defense? Why or why not?
Quantifying risk…
Is investing in human training a waste of time?
Phishing - mock phish or real phishing
Pull data to see who is clicking on links
Send an 'intervention'
Gotta move away from training
The 'security team' will save them…
https://www.ncsc.gov.uk/guidance/phishing
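The "pull data to see who is clicking, then send an intervention" step above, written out as an added example (not code from the episode, from Elevate Security, or from any phishing-simulation product). It takes constructed simulation events, aggregates them per person across campaigns so that reporting behaviour counts alongside clicking, and maps each person to an intervention tier. The event names, the sample data and the tier thresholds are assumptions made for this example.

```python
# Added example: per-person phishing-simulation metrics and an intervention queue.
# Event vocabulary, sample data and thresholds are assumptions, not a product's schema.
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events: (user, campaign_id, action). Real data would be
# exported from the simulation platform and the mail gateway's report button.
SAMPLE_EVENTS = [
    ("alice", "c1", "delivered"), ("alice", "c1", "reported"),
    ("alice", "c2", "delivered"), ("alice", "c2", "reported"),
    ("bob", "c1", "delivered"), ("bob", "c1", "clicked"),
    ("bob", "c2", "delivered"), ("bob", "c2", "clicked"),
    ("bob", "c3", "delivered"), ("bob", "c3", "clicked"), ("bob", "c3", "submitted"),
    ("carol", "c1", "delivered"), ("carol", "c1", "clicked"),
    ("carol", "c2", "delivered"),
    ("carol", "c3", "delivered"), ("carol", "c3", "reported"),
    ("dave", "c1", "delivered"),
    ("dave", "c2", "delivered"),
]


@dataclass
class UserMetrics:
    user: str
    campaigns: int   # simulations this person received
    clicked: int     # campaigns where they followed the link (or went further)
    submitted: int   # campaigns where they entered credentials on the landing page
    reported: int    # campaigns they reported to the security team

    @property
    def click_rate(self) -> float:
        return self.clicked / self.campaigns if self.campaigns else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.campaigns if self.campaigns else 0.0


def aggregate(events) -> dict:
    """Collapse raw events into one UserMetrics per person.

    Events are grouped per (user, campaign) first so that a person who
    clicked twice in the same campaign is still counted as one clicking campaign.
    """
    per_pair = defaultdict(set)
    for user, campaign, action in events:
        per_pair[(user, campaign)].add(action)

    counts = defaultdict(lambda: [0, 0, 0, 0])  # campaigns, clicked, submitted, reported
    for (user, _campaign), actions in per_pair.items():
        c = counts[user]
        c[0] += 1
        # Submitting credentials implies the link was followed.
        if "clicked" in actions or "submitted" in actions:
            c[1] += 1
        if "submitted" in actions:
            c[2] += 1
        if "reported" in actions:
            c[3] += 1
    return {user: UserMetrics(user, *vals) for user, vals in counts.items()}


def intervention(m: UserMetrics) -> str:
    """Map metrics to an intervention tier. Thresholds are assumptions for this example."""
    if m.submitted > 0 or m.clicked >= 2:
        return "coaching"     # repeat clicker or credential submission: human follow-up
    if m.clicked == 1:
        return "nudge"        # single click: lightweight just-in-time message
    if m.reported > 0:
        return "recognize"    # never clicked and reports: positive reinforcement
    return "none"


PRIORITY = {"coaching": 0, "nudge": 1, "recognize": 2, "none": 3}


def intervention_queue(events) -> list:
    """Return (tier, user) pairs ordered by urgency, then by name for stable output."""
    metrics = aggregate(events)
    return sorted(
        ((intervention(m), m.user) for m in metrics.values()),
        key=lambda pair: (PRIORITY[pair[0]], pair[1]),
    )


if __name__ == "__main__":
    for tier, user in intervention_queue(SAMPLE_EVENTS):
        m = aggregate(SAMPLE_EVENTS)[user]
        print(f"{user:6} click_rate={m.click_rate:.2f} report_rate={m.report_rate:.2f} -> {tier}")
```

The grouping per (user, campaign) is the part worth copying: counting raw click events would make one curious person who clicked a link three times look worse than someone who clicked once in every campaign, and it would leave the report-button data out entirely.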
Books:
https://www.amazon.com/Nudge-Improving-Decisions-Health-Happiness/dp/014311526X
Reality broken: https://www.amazon.com/Reality-Broken-Games-Better-Change/dp/0143120611
People centric security: https://www.amazon.com/People-Centric-Security-Transforming-Enterprise-Culture/dp/0071846778/ref=sr_1_1?dchild=1&keywords=people+centric+security&qid=1588733580&s=books&sr=1-1
Deep thought: a Cybersecurity novella: https://www.ideas42.org/blog/project/human-behavior-cybersecurity/deep-thought-a-cybersecurity-story/
@modmasha | |||
| 2020-018- Masha Sedova, bespoke security training, useful metrics to tailor training | 13 May 2020 | 00:44:31 | |
Masha Sedova - Founder, Elevate Security
Inability to measure human security behaviors leads to increased risk in our computing environments. For too long, we've accepted training completion and mock phishing data as a sufficient way to measure this risk. But where do the vulnerabilities and strengths truly lie? The secret is, security teams have installed tons of security tooling that can give insights into how our employees are behaving. But we just leave this data on the cutting room floor. Masha Sedova can talk about where to find this goldmine of data and what security teams can do to leverage this new found knowledge.
Study after study shows that the reason why people don't do things is not always because they don't understand, it's because they are not motivated. Motivating employees to change their cybersecurity behavior can seem like an overwhelming task but there are simple behavioral science techniques cybersecurity professionals can leverage to motivate employees to do the right thing. Masha Sedova will discuss the power of integrating elements of behavioral science into security in order to influence positive behavior.
Motivation Theory (deming): https://en.wikipedia.org/wiki/W._Edwards_Deming#Key_principles
X&Y: https://en.wikipedia.org/wiki/Theory_X_and_Theory_Y
Ouchi Z theory https://en.wikipedia.org/wiki/Theory_Z_of_Ouchi
Why do security teams have difficulty in understanding their human risk today? What are the blockers?
What should security teams be measuring to get a holistic view of human risk?
What's the difference between security culture, security behavior change, and security awareness?
Is security culture a core capability in security defense? Why or why not?
Quantifying risk…
Is investing in human training a waste of time?
Phishing - mock phish or real phishing
Pull data to see who is clicking on links
Send an 'intervention'
Gotta move away from training
The 'security team' will save them…
https://www.ncsc.gov.uk/guidance/phishing
Books:
https://www.amazon.com/Nudge-Improving-Decisions-Health-Happiness/dp/014311526X
Reality broken: https://www.amazon.com/Reality-Broken-Games-Better-Change/dp/0143120611
People centric security: https://www.amazon.com/People-Centric-Security-Transforming-Enterprise-Culture/dp/0071846778/ref=sr_1_1?dchild=1&keywords=people+centric+security&qid=1588733580&s=books&sr=1-1
Deep thought: a Cybersecurity novella: https://www.ideas42.org/blog/project/human-behavior-cybersecurity/deep-thought-a-cybersecurity-story/
@modmasha | |||