Brakeing Down Security Podcast

Follow Brakeing Down Security Podcast
Share on
Copy link to clipboard

A podcast all about the world of Security, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veter…

Bryan Brake - CISSP | Information Security | Vuln Management


    • Nov 21, 2021 LATEST EPISODE
    • weekly NEW EPISODES
    • 51m AVG DURATION
    • 399 EPISODES

    Listeners of Brakeing Down Security Podcast that love the show mention: infosec podcasts, bds, slack channel, brake, great security, security podcast, bryan, brian, join, tools, information, community, team, nice, keep up the good work, topics, guys, favorite, excellent, job.



    Search for episodes from Brakeing Down Security Podcast with a specific topic:

    Latest episodes from Brakeing Down Security Podcast

    2021-042- Fred Jennings, VDP, Vuln Equity, And 0day disclosure - p1

    Play Episode Listen Later Nov 21, 2021 36:03

    https://twitter.com/Esquiring - Fred Jennings Vulnerabilities Equity program (VEP), vuln disclosure program (VDP), and what is the best way for disclosure of 0day? (‘proper' is different and dependent) This show was inspired by this Tweet thread from @k8em0 and @_MG_https://twitter.com/k8em0/status/1459715464691535877 https://twitter.com/_MG_/status/1459718518346174465   Legal Safe Harbor? Copy-left for security researchers…? What is a VEP? Not a new concept (2014) https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities Context: Was written when Heartbleed came out. About transparency, but within reason From the blogpost:“We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability: How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems? Does the vulnerability, if left unpatched, impose significant risk? How much harm could an adversary nation or criminal group do with knowledge of this vulnerability? How likely is it that we would know if someone else was exploiting it? How badly do we need the intelligence we think we can get from exploiting the vulnerability? Are there other ways we can get it? Could we utilize the vulnerability for a short period of time before we disclose it? How likely is it that someone else will discover the vulnerability? Can the vulnerability be patched or otherwise mitigated?”   Gov orgs involved in VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process   Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter   Companies have VEP (every time they issue a patch), but they aren't always transparent about it. Embargoes a plenty. https://www.redhat.com/en/blog/security-embargoes-red-hat https://xenproject.org/developers/security-policy/  (creates a caste system of ‘haves and not-haves'... important vs. not important) bad guys will target people not on the inside.   0day benefit from non-transparent VEP. https://www.randori.com/blog/why-zero-days-are-essential-to-security/   Randori had 365day… https://twitter.com/_MG_/status/1459024603263557633 https://twitter.com/JimSycurity/status/1459152870490574854 Preferred patch 8.1.17, issued october 2020   VEP does not always have to be 0day… can be solutions to issues: https://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml “The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials. The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.   In a perfect world, what does disclosure look like?   Communication (easy, secure, detailed… pick 1) Separating wheat from chaff - ‘lol, i got root, pay me plz' Fear of NDAs and gag clauses Do people expect to be paid? Setup of a ‘cheap' program? What if you don't have a budget to pay out (or more accurately, mgmt won't pay out)? People won't disclose? Should you pay? Use a 3rd party?

    Blumira Sponsor #3 - Emily Eubanks, more actionable events, incident response help, and more

    Play Episode Listen Later Nov 21, 2021 53:23

    In this sponsored BDS episode, Bryan Brake and Amanda Berlin interview Emily Eubanks, a Security Operations Analyst for #Blumira. We discuss common business risks like IT staff turnover, a lack of Incident Response procedures, choosing not to follow PowerShell best practices, and MFA use for critical or sensitive applications. We also discuss ways to improve security posture to mitigate these risks as well as how Blumira can help organizations in light of these common business challenges. ADDITIONAL RESOURCES   OUR REDDIT AMA https://www.reddit.com/r/cybersecurity/comments/qao73j/we_are_a_security_team_with_20_years_of_ethical/    MFA https://attack.mitre.org/mitigations/M1032/  https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984  https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/    INCIDENT RESPONSE https://www.nist.gov/cyberframework/respond  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf    POWERSHELL BEST PRACTICES https://www.blumira.com/analysis-of-a-threat-powershell-malicious-activity/  https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/learn-script-security  https://devblogs.microsoft.com/powershell/secrets-management-module-vault-extensions/  https://www.reddit.com/r/PowerShell/comments/g3b9h5/how_are_you_managing_secrets/    RISK: A lack of MFA where available or using SMS based MFA for critical applications. Please do not use SMS based MFA for critical applications. [6] [7] This is an easy layer of defense that has historically been very effective [5] One-Time Passwords (OTP) good but [8] FIDO U2F better Consider hardware tokens (e.g. Yubico YubiKey, Google Titan Security Key). MITIGATION:  Blumira requires use of MFA MFA related detections (e.g. AWS, Duo) BLUMIRA HELPS:   Incident Response Procedures   RISK: A lack of Incident Response Procedures or the decision to postpone incident response procedures because they would result in a disruption in service typically results in unfavorable outcomes. A written plan that identifies the roles, responsibilities, and procedures that should be set in motion once an incident has been declared.  If this is overwhelming to conceptualize, know there are a good amount of free and openly available resources already in existence to help with creations of new IR plans >> I highly recommend looking at NIST documentation to get an idea of what is possible and then scale to what is appropriate for your organization [4] The plan should be reviewed at a minimum once annually with everyone who is responsible for responding to incidents present. If anybody is unclear with their role, responsibilities or procedures then the Incident Response lead should work with them to get them there.  Incident Response procedures should be like a fire drill so that when there is a real fire, the team can work together to quickly put that fire out and minimize impact to the company and their customers. (Shoutout to the BDS podcast on drawing connections from fire fighting to Incident Response procedures with Dr. Catherine J. Ullman (@investigatorchi)) MITIGATION: Workflows Blumira helps with this by providing built-in guidance with workflows. Workflows ask direct questions and provide specific options to record responses to security findings to guide practitioners towards a conclusion. provides additional details to help operators make informed decisions in response to new findings. Finding analysis  BLUMIRA HELPS:   Recent or Frequent IT Staff Turnover   RISK: impedes troubleshooting logflow and/or investigations due the a lack of familiarity with the network environment Prevention might be the best solution? Giving your workers time during the work week to improve a work related skill can help identify when a team is reaching or exceeding their resource capacity. If your team is overworked they are more likely to make mistakes, will be less prepared to go the extra mile when it is needed because they'll already be tapped out of energy, and may be more likely to consider opportunities elsewhere. You want to limit keystone employees, meaning that if an employee leaves for whatever reason you do not want that employee's absence to cause a breakdown in processes for others. Redundancy is best here in most cases IMO. MITIGATION: Blumira works hard to create fewer, more actionable findings.  We strive to keep our alerts simple to provide the information that operators need to make informed decisions. We try to focus on findings that require action and provide workflows to provide additional guidance to help share recommendations on what to investigate next to evaluate the impact of a security event BLUMIRA HELPS:    PowerShell Scripting Best Practices   RISK: Detections will be less helpful if staff are frequently dismissing events in response to approved administrative behavior like maintenance scripts. Follow the PowerShell recommendations shared by Microsoft [1] including: Sign your scripts (lol Microsoft has this bolded by the way hint hint wink wink) “another method for keeping scripts security is vetting and signing your scripts Do not store secrets in PoSH scripts; if you are doing this you're gonna want to google “secrets management” [2] and learn more about how to secure store and access secrets across an enterprise environment  Briefly, there is a powershell module for vault secret extensions [3] some vault extensions include KeePass, LastPass, Hashicorp Vault, Azure KeyVault, KeyChain, and CredMan Use a recent version of Powershell (we are on version 7, but this article recommends 5+) Enable and collect powershell logs MITIGATION: Blumira detects on malicious powershell usage. BLUMIRA HELPS:     ADDITIONAL LINKS AND SOURCES:  [1] https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/learn-script-security  [2] https://www.reddit.com/r/PowerShell/comments/g3b9h5/how_are_you_managing_secrets/  [3] https://github.com/PowerShell/SecretManagement  [3] https://devblogs.microsoft.com/powershell/secrets-management-module-vault-extensions/  [4] https://www.nist.gov/cyberframework/respond  [5] https://attack.mitre.org/mitigations/M1032/  [6] https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984  [7] https://www.zdnet.com/article/microsoft-urges-users-to-stop-using-phone-based-multi-factor-authentication/ [8] https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/  https://www.blumira.com/analysis-of-a-threat-powershell-malicious-activity/

    2021-041-0day disclosure, Randori, FBI email server pwnage

    Play Episode Listen Later Nov 16, 2021 36:55

    https://www.bleepingcomputer.com/news/security/us-education-dept-urged-to-boost-k-12-schools-ransomware-defenses/ https://securityaffairs.co/wordpress/124570/cyber-crime/fbi-hacked-email-server.html https://www.zdnet.com/article/security-company-faces-backlash-for-waiting-12-months-to-disclose-palo-alto-0-day/   https://www.randori.com/blog/why-zero-days-are-essential-to-security/ https://twitter.com/_MG_/status/1459024603263557633 “Hey... did anyone notice that PAN 0day was fixed in a version that was released over a year ago?    Guess it wasn't easy to notice under all the loud opinions about ethics.”   https://twitter.com/_MG_/status/1459038747807285253/photo/1

    2021-040-Sweden's parents rebel over poor App design, US government forcing patching of systems, and Vuln chaining

    Play Episode Listen Later Nov 8, 2021 36:55

    News stories covered this week, as well as links of note: https://www.wired.co.uk/article/sweden-stockholm-school-app-open-source https://curtbraz.medium.com/a-konami-code-for-vuln-chaining-combos-1a29d0a27c2a    https://docs.google.com/presentation/d/17gISafUZzEyjV7wkdHaTQZmtxstBqECa/edit#slide=id.p4   https://www.securityweek.com/braktooth-new-bluetooth-vulnerabilities-could-affect-millions-devices   https://offsec.almond.consulting/intro-to-file-operation-abuse-on-Windows.html   https://searchsecurity.techtarget.com/news/252509040/CISA-cracks-the-whip-on-patching-vulnerabilities https://cyber.dhs.gov/bod/22-01/   https://www.cisa.gov/known-exploited-vulnerabilities-catalog  

    2021-039-Minimum Viable vendor security sheet, Federal logging requirements, and more!

    Play Episode Listen Later Nov 2, 2021 55:01

    https://securityaffairs.co/wordpress/123948/security/2021-list-of-most-common-hardware-weaknesses.html?   https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf   https://www.darkreading.com/application-security/tech-companies-create-security-baseline-for-enterprise-software   https://security.googleblog.com/2021/10/launching-collaborative-minimum.html   https://mvsp.dev/mvsp.en/index.html https://www.standardfusion.com/blog/assessing-vendor-risk-with-questionnaires/

    SPONSOR-Blumira's Nato Riley on Log Classification, Security Maturity,

    Play Episode Listen Later Nov 1, 2021 44:09

     From Nato's email:Hi Bryan,   Discussing the challenges that come with not having good logging in place could be a great topic!  We could make it partly about how security maturity works, in the idea that security generally starts with awareness and visibility.   The topic sort of gets into the idea that knowing is half the battle, so logging can be transformative for helping a company properly secure themselves from online risks!   What do you think of this topic idea?   https://www.blumira.com/careers/ https://thenewstack.io/logging-and-monitoring-why-you-need-both/   https://prometheus.io/ https://www.sentinelone.com/blog/the-10-commandments-of-logging/   https://towardsdatascience.com/why-should-you-care-about-logging-442a195b80a1   https://www.g2.com/products/blumira-automated-detection-response/reviews#survey-response-4908309   (wouldn't you know it… a couple additional google searches, and I find this -brbr)https://www.executivegov.com/2021/08/omb-creates-maturity-framework-for-event-log-management/) https://insidecybersecurity.com/sites/insidecybersecurity.com/files/documents/2021/may/cs2021_0089c.pdf   Logging maturity in the US gov (OMB policy doc): https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf   Are there examples of devices that don't give out logs? What if your vendor does not allow you to have logs? Can you create logs based on the activity of the device? What would that look like? Types of logs: Application logs Network logs Endpoint security logs OS logs IDS/IPS logs Vuln scanner logs  

    2021-038-Liz Saling, 5 pillars of building a good team

    Play Episode Listen Later Oct 25, 2021 67:18

    Blog post that inspired this episode: https://lizsaling.com/SWE-team-five-pillars/   Liz Saling  (@lizsaling) https://www.mindtools.com/pages/article/newLDR_86.htm http://www.mspguide.org/tool/tuckman-forming-norming-storming-performing https://michaelhyatt.com/3-roadblocks-to-avoid-for-optimal-team-performance Erin meyer is the one who did the netflix study! https://bigthink.com/the-present/high-performing-teams/ https://alicedartnell.com/blog/why-smart-goals-are-stupid/   NEWS: Unlocking ‘god' mode on windows 11: https://www.bleepingcomputer.com/news/microsoft/how-to-unlock-windows-11s-god-mode-to-access-advanced-settings/ https://www.reddit.com/r/netsec/comments/q9f63y/creating_a_basic_python_reverse_shell_listener/ NFT malware (NFTs that empty wallets): https://www.theregister.com/2021/10/17/in_brief_security/

    2021-037-Tony Robinson, leveraging your home lab for job success - Part2

    Play Episode Listen Later Oct 17, 2021 57:47


    Tony Robinson (@da_667) Thought we'd put in a little news to round out the show https://www.bbc.com/news/world-us-canada-58863678 - nuclear secrets hidden in a peanut butter sandwich https://www.theregister.com/2018/04/20/rsa_security_conference_insecure_mobile_app/ https://www.vice.com/en/article/jg8w9b/the-twitch-hack-is-worse-for-streamers-than-for-twitch https://nakedsecurity.sophos.com/2021/10/08/apache-patch-proves-patchy-now-you-need-to-patch-the-patch/ https://www.securityweek.com/fontonlake-linux-malware-used-targeted-attacks https://securityaffairs.co/wordpress/123182/breaking-news/medtronic-recalled-insulin-pumps-controllers.html Similar device on ebay: https://www.ebay.com/itm/324762812721   https://www.zdnet.com/article/brewdog-exposed-data-of-200000-shareholders-for-over-a-year/   https://tpetersonkth.github.io/cve/2021/10/02/Analysis-of-CVE-2019-9053.html   https://0xdf.gitlab.io/ www.leanpub.com/avatar2  MSRP = $30 USD Book changes   What is the end goal?  Upskill? Independent consultant? Promotion? Bug bounties? Lab setup -    Lab setup types   Cloud based -  Desktop/laptop/NUC -  Server -    Good VMs to   https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ - 90 day WIndows machines   What other home lab equipment have would be helpful?Testing IoT/embedded devices? Car hacking? Malware analysis? https://bazaar.abuse.ch/ Virus Total Intelligence Honeypots @malware_traffic - https://twitter.com/malware_traffic/status/1446627364147023877 Analyzing binaries? Patch analysis (patch tuesday, print nightmare, etc)? https://wumb0.in/extracting-and-diffing-ms-patches-in-2020.html https://www.netresec.com/?page=networkminer   Soldering? Oscillators for voltage checks? Wireless? Old cellphones (mobile apps, don't need cellular) Personal assistant devices (used IoT devices?) Accessing data stored on devices   Specific software licenses?  Burp? If I'm trying to break into infosec, how do I use my lab to sell myself to an employer? Does the employer care?  How can someone show what they've learned in a way that shows the value?


    2021-036-Tony Robinson, twtich breach, @da_667 lab setup new book edition! -part1

    Play Episode Listen Later Oct 14, 2021 53:33


    Tony Robinson (@da_667) Thought we'd put in a little news to round out the show https://www.bbc.com/news/world-us-canada-58863678 - nuclear secrets hidden in a peanut butter sandwich https://www.theregister.com/2018/04/20/rsa_security_conference_insecure_mobile_app/ https://www.vice.com/en/article/jg8w9b/the-twitch-hack-is-worse-for-streamers-than-for-twitch https://nakedsecurity.sophos.com/2021/10/08/apache-patch-proves-patchy-now-you-need-to-patch-the-patch/ https://www.securityweek.com/fontonlake-linux-malware-used-targeted-attacks https://securityaffairs.co/wordpress/123182/breaking-news/medtronic-recalled-insulin-pumps-controllers.html Similar device on ebay: https://www.ebay.com/itm/324762812721 https://www.zdnet.com/article/brewdog-exposed-data-of-200000-shareholders-for-over-a-year/ https://tpetersonkth.github.io/cve/2021/10/02/Analysis-of-CVE-2019-9053.html https://0xdf.gitlab.io/   www.leanpub.com/avatar2  MSRP = $30 USD Book changes   What is the end goal?  Upskill? Independent consultant? Promotion? Bug bounties? Lab setup -  Lab setup types Cloud based -  Desktop/laptop/NUC -  Server -    Good VMs to   https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ - 90 day WIndows machines   What other home lab equipment have would be helpful?Testing IoT/embedded devices? Car hacking? Malware analysis? https://bazaar.abuse.ch/ Virus Total Intelligence Honeypots @malware_traffic - https://twitter.com/malware_traffic/status/1446627364147023877 Analyzing binaries? Patch analysis (patch tuesday, print nightmare, etc)? https://wumb0.in/extracting-and-diffing-ms-patches-in-2020.html https://www.netresec.com/?page=networkminer   Soldering? Oscillators for voltage checks? Wireless? Old cellphones (mobile apps, don't need cellular) Personal assistant devices (used IoT devices?) Accessing data stored on devices   Specific software licenses?  Burp? If I'm trying to break into infosec, how do I use my lab to sell myself to an employer? Does the employer care?  How can someone show what they've learned in a way that shows the value?


    2021-035-GRC selection discussion, TechSecChix, and the 'job description problem'

    Play Episode Listen Later Sep 29, 2021 66:57

    GRC tools  (Governance Risk and Compliance)   @ki_twyce_   @TechSecChix   INfosec unplugged   Security Happy Hour   Eric's cyberpoppa show   Cyber Insight show - cohost   Blumira is hiring https://www.blumira.com/careers/  https://www.cio.com/article/3206607/what-is-grc-and-why-do-you-need-it.html   https://www.pwc.ch/en/insights/fs/10-pitfalls-when-implementing-grc-technology-and-how-to-avoid-them.html   https://www.oxial.com/all/how-to-go-about-choosing-your-grc-solution/   Why do we need a GRC tool? https://resilience.acoss.org.au/the-six-steps/managing-your-risks/risk-register   What are our business goals? (to make money... :D ) Are we mature enough to be measuring ourselves? How can we use this to be more efficient?   https://www.standardfusion.com/blog/the-future-of-grc-7-things-to-look-out-for/   Centralized Controls. ... Support for Future Standards. ... Automation Integrations (my add… helpdesk integrations,  3rd party) Scalability. ... Customizable Reporting. ... Flexibility. ... Task Delegation   GRC tool use in other areas   IT - makes more informed budget decisions, determines directions in business goals, asset mgmt Finance - Make better financial decisions, profitability Infosec-  vuln mgmt,  Compliance HR - determine hiring requirements Legal - ensures ethical management of the organization, reduces breach,    How do you implement GRC? https://www.crowe.com/insights/6-steps-for-a-successful-grc-implementation Step 0: everyone's input and use cases  Determine the total value gained by using a centralized GRC platform Missing data  Duplicate processes Duplicate data Manual steps that can be removed or automated Workflows to assist heavily manual areas such as communications, emails, approvals, and reporting Identify operational gaps to prioritize the areas you need to improve. Get your team on board with an effectively communicated plan. Build a strong foundation to support your GRC program Deploy a standardized GRC implementation across the board. Let the GRC framework evolve and grow after it's implemented.  

    2021-034-Khalilah Scott, good GRC tool practices - part1

    Play Episode Listen Later Sep 29, 2021 43:59

    GRC tools  (Governance Risk and Compliance)   @ki_twyce_   @TechSecChix   INfosec unplugged   Security Happy Hour   Eric's cyberpoppa show   Cyber Insight show - cohost   Blumira is hiring https://www.blumira.com/careers/  https://www.cio.com/article/3206607/what-is-grc-and-why-do-you-need-it.html   https://www.pwc.ch/en/insights/fs/10-pitfalls-when-implementing-grc-technology-and-how-to-avoid-them.html   https://www.oxial.com/all/how-to-go-about-choosing-your-grc-solution/   Why do we need a GRC tool? https://resilience.acoss.org.au/the-six-steps/managing-your-risks/risk-register   What are our business goals? (to make money... :D ) Are we mature enough to be measuring ourselves? How can we use this to be more efficient?   https://www.standardfusion.com/blog/the-future-of-grc-7-things-to-look-out-for/   Centralized Controls. ... Support for Future Standards. ... Automation Integrations (my add… helpdesk integrations,  3rd party) Scalability. ... Customizable Reporting. ... Flexibility. ... Task Delegation   GRC tool use in other areas   IT - makes more informed budget decisions, determines directions in business goals, asset mgmt Finance - Make better financial decisions, profitability Infosec-  vuln mgmt,  Compliance HR - determine hiring requirements Legal - ensures ethical management of the organization, reduces breach,    How do you implement GRC? https://www.crowe.com/insights/6-steps-for-a-successful-grc-implementation Step 0: everyone's input and use cases  Determine the total value gained by using a centralized GRC platform Missing data  Duplicate processes Duplicate data Manual steps that can be removed or automated Workflows to assist heavily manual areas such as communications, emails, approvals, and reporting Identify operational gaps to prioritize the areas you need to improve. Get your team on board with an effectively communicated plan. Build a strong foundation to support your GRC program Deploy a standardized GRC implementation across the board. Let the GRC framework evolve and grow after it's implemented.      

    2021-033-Kim_Crawley, 8 steps to better security-Part2

    Play Episode Listen Later Sep 20, 2021 41:49

      8 Steps to Better Security: A Simple Cyber Resilience Guide to Business is done all final editing and will be published by @WileyTech on October 5th.    Pre-orders are available now via Amazon, Barnes & Noble, and other retailers.   Sponsored Link: https://amzn.to/3k3pDAN   Amazon teaser: “Harden your business against internal and external cybersecurity threats with a single accessible resource.  In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.   Written to be accessible to non-technical businesspeople as well as security professionals, and with insights from other security industry leaders, this important book will walk you through how to:  Foster a strong security culture that extends from the custodial team to the C-suite  Build an effective security team, regardless of the size or nature of your business  Comply with regulatory requirements, including general data privacy rules and industry-specific legislation  Test your cybersecurity, including third-party penetration testing and internal red team specialists  Perfect for CISOs, security leaders, non-technical businesspeople, and managers at any level, 8 Steps to Better Security is also a must-have resource for companies of all sizes, and in all industries.  “

    SPONSOR: Blumira's Patrick Garrity

    Play Episode Listen Later Sep 16, 2021 48:10

    Blumira-  Per crunchbase:“Blumira's end-to-end platform offers both automated threat detection and response, enabling organizations of any size to more efficiently defend against cybersecurity threats in near real-time. It eases the burden of alert fatigue, complexity of log management and lack of IT visibility. Blumira's cloud SIEM can be deployed in hours with broad integration coverage across cloud, endpoint protection, firewall and identity providers including Office 365, G Suite, Crowdstrike, Okta, Palo Alto, Cisco FTD and many others.” Contact sales@blumira.com   Patrick Garrity, VP of Operations. Patrick has years of experience in the security industry building and scaling usable security products. He currently leads Blumira's product, sales and marketing teams. Prior to joining Blumira, he led sales engineering, product marketing and international expansion for Duo Security. Twitter = @Thisisnottap   https://www.ibm.com/cloud/blog/top-5-advantages-of-software-as-a-service https://www.outsource2india.com/software/articles/software-as-a-service.asp   5 Advantages of SaaS Reduced time to benefit. Software as a service (SaaS) differs from the traditional model because the software (application) is already installed and configured. ... Lower costs. ... Scalability and integration. ... New releases (upgrades) ... Easy to use and perform proof-of-concepts. 5 Disadvantages of SaaS Insufficient Data Security. SaaS-based application model. Difficulty with Regulations Compliance.  Cumbersome Data Mobility.  Low Performance.  Troublesome Software Integration.   Limit Attack Surface https://www.wallix.com/blog/top-10-ways-to-limit-attack-surface https://www.okta.com/identity-101/what-is-an-attack-surface/ https://securityscorecard.com/blog/what-is-cyber-attack-surface-management

    2021-032--Author_Kim_crawley-8-Simple_Rules_for_Cybersecurity

    Play Episode Listen Later Sep 14, 2021 42:10

      8 Steps to Better Security: A Simple Cyber Resilience Guide to Business is done all final editing and will be published by @WileyTech on October 5th.  It is available now via Kindle.  Pre-orders are available now via Amazon, Barnes & Noble, and other retailers.   Sponsored Link: https://amzn.to/3k3pDAN   Amazon teaser: “Harden your business against internal and external cybersecurity threats with a single accessible resource.  In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.   Written to be accessible to non-technical businesspeople as well as security professionals, and with insights from other security industry leaders, this important book will walk you through how to:  Foster a strong security culture that extends from the custodial team to the C-suite  Build an effective security team, regardless of the size or nature of your business  Comply with regulatory requirements, including general data privacy rules and industry-specific legislation  Test your cybersecurity, including third-party penetration testing and internal red team specialists  Perfect for CISOs, security leaders, non-technical businesspeople, and managers at any level, 8 Steps to Better Security is also a must-have resource for companies of all sizes, and in all industries. 

    2021-031- back in the saddle, conference discussion, company privacy

    Play Episode Listen Later Sep 3, 2021 62:07

    "bel paese, ma più caldo del buco del culo di Satana" https://www.theverge.com/22648265/apple-employee-privacy-icloud-id https://mysudo.com/ https://arstechnica.com/information-technology/2021/09/npm-package-with-3-million-weekly-downloads-had-a-severe-vulnerability/ https://www.bleepingcomputer.com/news/security/bluetooth-braktooth-bugs-could-affect-billions-of-devices/ www.infoseccampout.com www.log-md.com @infosystir @bryanbrake @brakesec @hackershealth @boettcherpwned  

    2021-030-incident response, business goal alignment, showing value in IR -p2

    Play Episode Listen Later Aug 22, 2021 45:58

    https://blog.teamascend.com/6-phases-of-incident-response https://www.securitymetrics.com/blog/6-phases-incident-response-plan Recent vulnerabilities got Bryan thinking about incident response.  Are organizations speedy enough to keep up? If the spate of vulns continue, what can we do to ensure we are dealing with the most important issues? How do we communicate those issues to management? How should we handle the workload? Testing of your IR costs money, do you have budget for that? (verodin, red-team) Restoring backups, extra VPC or azure environment   Incidents occur You have to minimize issues, right? But is there a good way of doing that? Simplify your environment?  Spend time working on the CIS 20? You gotta plan for that and show value vs effort.   Incident response is an ever changing landscape.    What is the goal of IR? Minimize damage Identify affected systems Recover gracefully and quickly? Does your environment allow for quick recovery? What does ‘return to normal' look like? The goal of business Make money Incidents should just be considered part of doing business (risks) The more popular, the more likely the attack   Incident timeframe = criteria for getting back to normal.   PICERL is a cycle, and one of continual improvement. Incident response is not ‘one and done'. 

    2021-029- incident response, PICERL cycle, showing value in IR, aligning with business goals -p1

    Play Episode Listen Later Aug 15, 2021 40:08

    https://blog.teamascend.com/6-phases-of-incident-response https://www.securitymetrics.com/blog/6-phases-incident-response-plan Recent vulnerabilities got Bryan thinking about incident response.  Are organizations speedy enough to keep up? If the spate of vulns continue, what can we do to ensure we are dealing with the most important issues? How do we communicate those issues to management? How should we handle the workload? Testing of your IR costs money, do you have budget for that? (verodin, red-team) Restoring backups, extra VPC or azure environment Incidents occur You have to minimize issues, right? But is there a good way of doing that? Simplify your environment?  Spend time working on the CIS 20? You gotta plan for that and show value vs effort.   Incident response is an ever changing landscape.    What is the goal of IR? Minimize damage Identify affected systems Recover gracefully and quickly? Does your environment allow for quick recovery? What does ‘return to normal' look like? The goal of business Make money Incidents should just be considered part of doing business (risks) The more popular, the more likely the attack Incident timeframe = criteria for getting back to normal. PICERL is a cycle, and one of continual improvement. Incident response is not ‘one and done'. 

    2021-028-Rebekah Skeete - social engineering techniques and influences

    Play Episode Listen Later Aug 8, 2021 53:30

    BlackGirlsHack was created to share knowledge and resources to help black girls and women breakthrough barriers to careers in information security and cyber security. The vision for Black Girls Hack (BGH) is to provide resources, training, mentoring, and access to black girls and women and increase representation and diversity in the cyber security field and in the executive suites.  Rebekah Skeete CyberBec @rebekahskeete   Tennisha Martin ~@misstennish https://blackgirlshack.org/   https://www.twitter.com/blackgirlshack - black girls hack    https://www.twitter.com/thefluffy007 - jasmine jackson    Background   https://hitz.com.my/trending/trending-on-hitz/people-that-walk-fast-are-reported-to-be-less-happ   Vegas conference - Blacks in Cyber Village https://forum.defcon.org/node/236946 https://www.blacksincyberconf.com/bic-village https://www.youtube.com/c/BlacksInCybersecurity https://www.blacksincyberconf.com/ctf   https://www.marketwatch.com/story/retired-black-nfl-players-and-their-families-call-for-race-norming-practice-to-end-01621018741   https://en.wikipedia.org/wiki/Blind_men_and_an_elephant   https://fuzzcon.forallsecure.com/   https://www.dianainitiative.org/ Social Engineering topics   Misophonia - or phonophobic https://www.washingtonpost.com/national/health-science/misophonia-is-a-newly-identified-condition-for-people-hypersensitive-to-sound/2014/12/01/7c392782-69ba-11e4-a31c-77759fc1eacc_story.html   https://thecyberwire.com/podcasts/8th-layer-insights https://terranovasecurity.com/examples-of-social-engineering-attacks/   How all either are directly influenced by. News, and cool links to read.   https://chubk.com/youtuber-who-specializes-in-unmasking-scammers-ended-up-being-tricked-even-deleting-his-own-youtube-channel/ -LOL SE write-up of a legitimate company (archive.org)  https://web.archive.org/web/20190124114926/https://medium.com/@0xf3d/dissecting-arbitraging-co-in-depth-youve-been-scammed-again-21306de00fe5 Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-027-Black Girls Hack COO Rebekah Skeete!

    Play Episode Listen Later Aug 2, 2021 68:57

    BlackGirlsHack was created to share knowledge and resources to help black girls and women breakthrough barriers to careers in information security and cyber security. The vision for Black Girls Hack (BGH) is to provide resources, training, mentoring, and access to black girls and women and increase representation and diversity in the cyber security field and in the executive suites.  Rebekah Skeete CyberBec @rebekahskeete Tennisha Martin ~@misstennish https://blackgirlshack.org/ https://www.twitter.com/blackgirlshack - black girls hack  https://www.twitter.com/thefluffy007 - jasmine jackson  Background https://hitz.com.my/trending/trending-on-hitz/people-that-walk-fast-are-reported-to-be-less-happ Vegas conference - Blacks in Cyber Village https://forum.defcon.org/node/236946 https://www.blacksincyberconf.com/bic-village https://www.youtube.com/c/BlacksInCybersecurity https://www.blacksincyberconf.com/ctf https://www.marketwatch.com/story/retired-black-nfl-players-and-their-families-call-for-race-norming-practice-to-end-01621018741 https://en.wikipedia.org/wiki/Blind_men_and_an_elephant https://fuzzcon.forallsecure.com/ https://www.dianainitiative.org/   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec  

    2021-026-Triaging threat research, Jira vulns, Serious Sam vuln, Systemd vulns, and HiveNightmare

    Play Episode Listen Later Jul 28, 2021 56:38

    https://www.mindtools.com/pages/article/newHTE_95.htm https://www.infoq.com/news/2021/07/microsoft-linux-builder-mariner/ https://www.productplan.com/glossary/action-priority-matrix/   More PrintNightmare issues: https://www.bleepingcomputer.com/news/microsoft/windows-10-july-security-updates-break-printing-on-some-systems/ “"After installing updates released July 13, 2021 on domain controllers (DCs) in your environment, printers, scanners, and multifunction devices that are not compliant with section 3.2.1 of RFC 4556 spec might fail to print when using smart card (PIV) authentication," Microsoft explained.”   https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/  “Shlayer, discovered in 2018, is constantly maintained and also evolving. The graph below is representative of Shlayer continually being a go-to piece of malware that attackers use to compromise the victim's machine. We observed an uptick in Shlayer detections occurring before the release of CVE-2021-30657 (the Gatekeeper bypass) that was being exploited by Shlayer. This vulnerability was subsequently patched on April 26, 2021.”   https://www.zdnet.com/article/nasty-linux-systemd-security-bug-revealed/ https://access.redhat.com/security/cve/cve-2021-33910   “It works by enabling attackers to misuse the alloca() function in a way that would result in memory corruption. This, in turn, allows a hacker to crash systemd and hence the entire operating system. Practically speaking, this can be done by a local attacker mounting a filesystem on a very long path. This causes too much memory space to be used in the systemd stack, which results in a system crash.”  There's no way to remedy this problem. While it's not present in all current Linux distros, you'll find it in most distros such as the Debian 10 (Buster) and its relatives like Ubuntu and Mint. Therefore, you must, if you value keeping your computers working, patch your version of systemd as soon as possible. You'll be glad you did. https://www.bleepingcomputer.com/news/security/atlassian-asks-customers-to-patch-critical-jira-vulnerability/ https://redmondmag.com/articles/2021/07/21/serioussam-windows-flaw.aspx https://securityaffairs.co/wordpress/120576/security/apple-cve-2021-30807-zero-day.html?  https://github.com/GossiTheDog/HiveNightmare Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-025-Dan Borges, Author of Adversarial Techniques from Packt Publishing

    Play Episode Listen Later Jul 19, 2021 48:17

    Dan Borges - Author @1njection   Buy the book on Amazon: https://www.amazon.com/Adversarial-Tradecraft-Cybersecurity-real-time-computer-ebook-dp-B0957LV496/dp/B0957LV496?_encoding=UTF8&me=&qid=&linkCode=ll1&tag=bdspod-20&linkId=8f2daf0b3563cbbc2cee6a2d2138149d&language=en_US&ref_=as_li_ss_tl   https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/amp/   Cool near real time updates on the hack: https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident https://twitter.com/DAlperovitch/status/1412033278081708034 https://github.com/ahhh/Cybersecurity-Tradecraft/tree/main/   https://www.amazon.com/Network-Attacks-Exploitation-Matthew-Monte/dp/1118987128 https://en.wikipedia.org/wiki/Best_response https://labs.bishopfox.com/tech-blog/sliver https://www.amazon.com/Rootkits-Bootkits-Reversing-Malware-Generation/dp/1593277164   Www.Globalcptc.org   Virtual CCDC:  How easy was the process working with Packt?  Did they approach you or vice versa? 5 D's of Physical Security The five D's of security seek to do one or more of the following: Deter, Detect, Delay, Deny and Defend. https://www.securitymagazine.com/articles/82833-the-5-ds-of-outdoor-perimeter-security Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-024-Dan Borges, Author of Adversarial Techniques from Packt Publishing

    Play Episode Listen Later Jul 10, 2021 35:08

    Dan Borges - Author @1njection   Buy the book on Amazon: https://www.amazon.com/Adversarial-Tradecraft-Cybersecurity-real-time-computer-ebook-dp-B0957LV496/dp/B0957LV496?_encoding=UTF8&me=&qid=&linkCode=ll1&tag=bdspod-20&linkId=8f2daf0b3563cbbc2cee6a2d2138149d&language=en_US&ref_=as_li_ss_tl   https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/amp/   Cool near real time updates on the hack: https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident https://twitter.com/DAlperovitch/status/1412033278081708034 https://github.com/ahhh/Cybersecurity-Tradecraft/tree/main/   https://www.amazon.com/Network-Attacks-Exploitation-Matthew-Monte/dp/1118987128   https://en.wikipedia.org/wiki/Best_response   https://labs.bishopfox.com/tech-blog/sliver   https://www.amazon.com/Rootkits-Bootkits-Reversing-Malware-Generation/dp/1593277164   Www.Globalcptc.org   Virtual CCDC:  How easy was the process working with Packt?  Did they approach you or vice versa? 5 D's of Physical Security The five D's of security seek to do one or more of the following: Deter, Detect, Delay, Deny and Defend. https://www.securitymagazine.com/articles/82833-the-5-ds-of-outdoor-perimeter-security Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec  

    2021-023-d3fend framework, DLL injection types, more solarwinds infections

    Play Episode Listen Later Jun 30, 2021 57:39

    Pihole setup Conference talk https://www.reuters.com/technology/microsoft-says-new-breach-discovered-probe-suspected-solarwinds-hackers-2021-06-25/ https://securityaffairs.co/wordpress/119425/apt/solarwinds-nobelium-ongoing-campaign.html https://www.ehackingnews.com/2021/06/attackers-pummelled-gaming-industry.html https://www.bleepingcomputer.com/news/microsoft/windows-11-wont-work-without-a-tpm-what-you-need-to-know/ https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows https://d3fend.mitre.org/ https://www.theregister.com/2021/06/15/zoll_defibrillator_dashboard_vulnerabilities/ https://twitter.com/Hexacorn https://www.ionos.com/digitalguide/server/configuration/winsxs-cleanup/ https://www.customink.com/fundraising/mental-health-hackers-7816 Buy @infoseccampout tickets: https://www.eventbrite.com/e/infosec-campout-2021-tickets-157561790557   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-022-github policy updates targeting harmful software, Ms. Berlin discusses WWHF, CVSS discussion

    Play Episode Listen Later Jun 22, 2021 48:25

    Ms. Berlin's conference report WWFH (reno, NV) Her next appearances will be at Defcon 2021 and BlueTeam Con 2021! https://www.infosecurity-magazine.com/news/amazon-prime-day-phishing-deluge/ https://www.ehackingnews.com/2021/06/threat-actors-use-google-drives-and.html https://www.kennasecurity.com/blog/vulnerability-score-on-its-own-is-useless/ https://portswigger.net/daily-swig/nist-charts-course-towards-more-secure-supply-chains-for-government-software https://github.blog/2021-04-29-call-for-feedback-policies-exploits-malware/ https://github.com/github/site-policy/pull/397 https://twitter.com/vm_call/status/1405937492642123782?s=20  https://thenewstack.io/cvss-struggles-to-remain-viable-in-the-era-of-cloud-native-computing/ ZOMG BUY SHIRTS HERE https://www.customink.com/fundraising/mental-health-hackers-7816 Buy @infoseccampout tickets: https://www.eventbrite.com/e/infosec-campout-2021-tickets-157561790557   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-021-Security Sphynx, ZeroTrust, implementation prep- part2

    Play Episode Listen Later Jun 16, 2021 54:26

    EO from President Biden asked for a plan to create Zerotrust implementation in the next 90 days (well, 70ish days now… as of 23 May) https://twitter.com/SecuritySphynx/status/1390475868032618496 @securitySphynx “CIO: Zero Trust is the way…” What is the optimal configuration (read: easiest) zero trust config? Are there different ways to implement Zero Trust?` https://solutions.pyramidci.com/blog/posts/2021/february/the-swiss-cheese-approach/ https://tulsaworld.com/opinion/columnists/zero-trust-security-assume-that-everyone-and-everything-on-the-internet-is-out-to-get/article_f6bdbfad-1aae-5063-8ac0-6a1faf5a244c.html https://www.reddit.com/r/devops/comments/bqo6kp/open_source_or_cheap_zero_trust_beyondcorp/ https://opensource.com/article/17/6/4-easy-ways-work-toward-zero-trust-security-model https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf What is ZTA? Who are your users? What Devices in use? Device attestation/health checks Applications exist? Connections exist? Not just into/out of the traditional LAN network - do you understand dependencies of applications and databases and how the traffic flows? Where is the data/traffic? coming from? Going to? When is this activity occurring and what is expected? WHY: Need to balance the access to technical resources in a rapidly evolving and dynamic business landscape that ceases to exist within the confines of normal security perimeters. Mobile workforce - how much work can you get done without ever getting on the VPN? Blockers Technical Debt IT Hygiene Zero Trust REQUIRES the pre-work of establishing baselines. You cannot detect abnormality in the absence of normality. Policy should exist to drive what the specifications of a baseline system, server, application, etc will be. Network traffic, endpoint performance, SIEM tuning, endpoint agent/software accountability ZTA is less useful if you're not doing basic patching, application updates, and allowing local admin on the system level). Legacy Systems: Not designed with this approach in mind, and often costly to modernize. Asset Management Where are your assets and how are they used? A “rough estimate” of endpoints is never good enough. What are you logging? What AREN'T you logging? User rights auditing Stale accounts, service accounts, HR Workflows for onboarding/offboarding Limitations of admin rights Local admin/password expiration issues for sales/travelling employees Human resources/talent Politics: Getting support/$$$/Buy-in for retrofitting applications that are “working just fine” is a huge political/business hurdle. Where to go from here: SaaS/PaaS/etc offerings What can you move from traditional off-prem solutions to cloud-based services (more up to date, regularly reviewed for security vulnerabilities, offloading responsibility of maintenance, SSO capabilities) AAA requirements MFA is a MUST. No, it's not perfect, but it is one more layer in efficacy. Have discussions around REAL RBAC needs BEFORE implementing a solution. It is easier to expand permissions than it is to take them away. Resist the idea that the easy button of broad stroke permissions is always the right choice. Identify data owners, make them responsible for RBAC development with technical departments. Quantify risk associated with mishandled resources for crown jewels (see previous section on politics). Change control around permissions, access Security as an active participant in the development/acquisition of new products, software, services, or organizations Like remodeling a house, it is much easier to build security into the process than hire someone to retrofit it later.. What auditing are you doing? Have you baselined behavior? Where are your logs going, and WHO IS RESPONSIBLE FOR REVIEWING THEM. Manage the Endpoint: Stop thinking about the perimeter as your weakest point. The endpoint is critical and increasingly vulnerable, mobile, out of traditional “control”. Real time, actionable data and capabilities are critical to remediation and progress. Asset Inventory (again)... Then… HIDS/Firewall Patch Applocker/Application Controls Lather, rinse, repeat. DLP Classification It's hard, it's time-consuming, and it requires a LOT of support for business unit owners. Capture metrics, then set KPIs and regular check ins to reduce MTTP/MTTR/MTTD Would you like to know more? https://www.beyondtrust.com/blog/entry/why-zero-trust-is-an-unrealistic-security-model

    2021-020: Security Sphynx, Preparing for ZeroTrust implementation - Part1

    Play Episode Listen Later Jun 6, 2021 42:39

    Full show notes are available here: https://docs.google.com/document/d/14dCpXeQ520IcZC3m007zVPhlIPXKgfv0LkqVnbDx0fc/edit?usp=sharing   EO from President Biden asked for a plan to create Zerotrust implementation in the next 90 days (well, 70ish days now… as of 23 May)https://twitter.com/SecuritySphynx/status/1390475868032618496   @securitySphynx   “CIO: Zero Trust is the way…”   What is the optimal configuration (read: easiest) zero trust config?   Are there different ways to implement Zero Trust?`   https://solutions.pyramidci.com/blog/posts/2021/february/the-swiss-cheese-approach/   https://tulsaworld.com/opinion/columnists/zero-trust-security-assume-that-everyone-and-everything-on-the-internet-is-out-to-get/article_f6bdbfad-1aae-5063-8ac0-6a1faf5a244c.html   https://www.reddit.com/r/devops/comments/bqo6kp/open_source_or_cheap_zero_trust_beyondcorp/   https://opensource.com/article/17/6/4-easy-ways-work-toward-zero-trust-security-model   https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf   What is ZTA Who are your users? Devices in use?  Device attestation/health checks Applications exist? Not just into/out of the traditional LAN network - do you understand dependencies of applications and databases and how the traffic flows? Connections exist? What  Where is the data/traffic? coming from? Going to? When is this activity occurring and what is expected? WHY: Need to balance the access to technical resources in a rapidly evolving and dynamic business landscape that ceases to exist within the confines of normal security perimeters. Mobile workforce - how much work can you get done without ever getting on the VPN?  Blockers   Technical Debt   IT Hygiene Zero Trust REQUIRES the pre-work of establishing baselines. You cannot detect abnormality in the absence of normality. Policy should exist to drive what the specifications of a baseline system, server, application, etc will be. Network traffic, endpoint performance, SIEM tuning, endpoint agent/software accountability ZTA is less useful if you're not doing basic patching, application updates, and allowing local admin on the system level). Not designed with this approach in mind, and often costly to modernize. Legacy Systems:  Where are your assets and how are they used? A “rough estimate” of endpoints is never good enough. What are you logging? What AREN'T you logging? Asset Management Stale accounts, service accounts, HR Workflows for onboarding/offboarding Limitations of admin rights Local admin/password expiration issues for sales/travelling employees User rights auditing Human resources/talent Politics: Getting support/$$$/Buy-in for retrofitting applications that are “working just fine” is a huge political/business hurdle. SaaS/PaaS/etc offerings What can you move from traditional off-prem solutions to cloud-based services (more up to date, regularly reviewed for security vulnerabilities, offloading responsibility of maintenance, SSO capabilities) Where to go from here:   AAA requirements   MFA is a MUST. No, it's not perfect, but it is one more layer in efficacy. Identify data owners, make them responsible for RBAC development with technical departments. Quantify risk associated with mishandled resources for crown jewels (see previous section on politics). Change control around permissions, access Security as an active participant in the development/acquisition of new products, software, services, or organizations Like remodeling a house, it is much easier to build security into the process than hire someone to retrofit it later.. Have discussions around REAL RBAC needs BEFORE implementing a solution. It is easier to expand permissions than it is to take them away.  Resist the idea that the easy button of broad stroke permissions is always the right choice. What auditing are you doing? Have you baselined behavior? Where are your logs going, and WHO IS RESPONSIBLE FOR REVIEWING THEM.  Asset Inventory (again)... Then… HIDS/Firewall Patch Applocker/Application Controls Lather, rinse, repeat.  It's hard, it's time-consuming, and it requires a LOT of support for business unit owners. DLP Classification Capture metrics, then set KPIs and regular check ins to reduce MTTP/MTTR/MTTD Manage the Endpoint: Stop thinking about the perimeter as your weakest point. The endpoint is critical and increasingly vulnerable, mobile, out of traditional “control”.  Real time, actionable data and capabilities are critical to remediation and progress.   Would you like to know more? https://www.beyondtrust.com/blog/entry/why-zero-trust-is-an-unrealistic-security-model     Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-019-Joe Gray, OSINT CTFs, gamifying and motivating to do the right thing

    Play Episode Listen Later May 28, 2021 47:13

    part 2: CTF OSINT discussion How people will give additional information, even if they aren't receiving points for it. Gamifying and motivating people to 'do the right thing', like offering a chance to win a lottery for a covid vaccine, or free sports tickets to get a shot, or gift cards when reporting phishes.   Joe Gray @C_3PJoe   OSINTION https://theosintion.com  New book… ship date? How to get it? https://www.amazon.com/Practical-Social-Engineering-Joe-Gray/dp/171850098X/ https://nostarch.com/practical-social-engineering    "Gray provides a very accessible look at social engineering that should be essential reading for pentesters and ethical hackers." — Ian Barker, BetaNews   Story (Bryan: found my shipmate from the Navy)   Gathering OSINT (what is ethically too far?)   OSINT heartbeat https://matrix.berkeley.edu/research-article/berkeley-protocol-open-source-investigations/ https://hunter.io/ https://halalgoogling.com/   The OSINTion Discord: https://discord.gg/p78TTGa  stick/carrot interactions https://www.aamc.org/news-insights/dollars-doughnuts-will-incentives-motivate-covid-19-vaccination  How do we motivate or create the desire?    Ohio Covid lottery - https://www.dispatch.com/story/news/2021/05/13/ohio-covid-vaccine-lottery-heres-how-you-can-win/5071370001/ Art sessions with Ms. Berlin     Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-018-LawyerLiz, Pres. Biden's EO, and the clueless professor

    Play Episode Listen Later May 22, 2021 64:03

    Elizabeth Wharton: @lawyerliz on Twitter Executive Order: (https://www.americanbar.org/groups/public_education/publications/teaching-legal-docs/what-is-an-executive-order-/) “An executive order is a signed, written, and published directive from the President of the United States that manages operations of the federal government. They are numbered consecutively, so executive orders may be referenced by their assigned number, or their topic. Other presidential documents are sometimes similar to executive orders in their format, formality, and issue, but have different purposes. Proclamations, which are also signed and numbered consecutively, communicate information on holidays, commemorations, federal observances, and trade. Administrative orders—e.g. memos, notices, letters, messages—are not numbered, but are still signed, and are used to manage administrative matters of the federal government. All three types of presidential documents—executive orders, proclamations, and certain administrative orders—are published in the Federal Register, the daily journal of the federal government that is published to inform the public about federal regulations and actions. They are also catalogued by the National Archives as official documents produced by the federal government. Both executive orders and proclamations have the force of law, much like regulations issued by federal agencies, so they are codified under Title 3 of the Code of Federal Regulations, which is the formal collection of all of the rules and regulations issued by the executive branch and other federal agencies. Executive orders are not legislation; they require no approval from Congress, and Congress cannot simply overturn them. Congress may pass legislation that might make it difficult, or even impossible, to carry out the order, such as removing funding. Only a sitting U.S. President may overturn an existing executive order by issuing another executive order to that effect.” https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ Another Review: https://www.atlanticcouncil.org/blogs/new-atlanticist/markup-our-experts-annotate-bidens-new-executive-order-on-cybersecurity/ https://www.insurancejournal.com/news/national/2021/05/21/615373.htm     Within 60 days of the date of this order, the head of each agency shall:        (i) update existing agency plans to prioritize resources for the adoption and use of cloud technology as outlined in relevant OMB guidance;        (ii)   develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them; and Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.  Within 90 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Attorney General, the Director of the FBI, and the Administrator of General Services acting through the Director of FedRAMP, shall establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology, in order to ensure effective information sharing among agencies and between agencies and CSPs. SBOM!  Dr. Allan Friedman on BrakeSec https://brakeingsecurity.com/2020-031-allan-friedman-sbom-software-transparency-and-knowing-how-the-sausage-is-made http://brakeingsecurity.com/2020-032-dr-allan-friedman-sbom-software-transparency-and-how-the-sausage-is-made-part-2   providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;        (viii)  participating in a vulnerability disclosure program that includes a reporting and disclosure process;        (ix) attesting to conformity with secure software development practicesWithin 270 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in coordination with the Chair of the Federal Trade Commission (FTC) and representatives of other agencies as the Director of NIST deems appropriate, shall identify IoT cybersecurity criteria for a consumer labeling program, and shall consider whether such a consumer labeling program may be operated in conjunction with or modeled after any similar existing government programs consistent with applicable law.  The criteria shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone, and shall use or be compatible with existing labeling schemes that manufacturers use to inform consumers about the security of their products.  The Director of NIST shall examine all relevant information, labeling, and incentive programs and employ best practices.  This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize manufacturer participation. https://thehill.com/opinion/technology/553891-our-cybersecurity-industry-best-practices-keep-allowing-breaches?rl=1 Rebuttal to “The Hill article”: https://soatok.blog/2021/05/19/a-balanced-response-to-allen-gwinn/  thank you Brian Harden (@_noid) Author’s ‘apology’: https://twitter.com/2wiredSecurity/status/1395531110436704258     Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-017-Joe Gray on his future book, the OSINT loop, motivators, and gamification - part1

    Play Episode Listen Later May 18, 2021 46:46

    Joe Gray @C_3PJoe   OSINTION https://theosintion.com  New book… ship date? How to get it? https://www.amazon.com/Practical-Social-Engineering-Joe-Gray/dp/171850098X/ https://nostarch.com/practical-social-engineering    "Gray provides a very accessible look at social engineering that should be essential reading for pentesters and ethical hackers." — Ian Barker, BetaNews   Story (Bryan: found my shipmate from the Navy)   Gathering OSINT (what is ethically too far?)   OSINT heartbeat https://matrix.berkeley.edu/research-article/berkeley-protocol-open-source-investigations/ https://hunter.io/ https://halalgoogling.com/ The OSINTion Discord: https://discord.gg/p78TTGa   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-016-researchers knowingly add vulnerable code to linux kernel, @pageinsec joins us to discuss -part2

    Play Episode Listen Later May 5, 2021 45:19

    Updates to the Linux kernel controversy: https://lwn.net/SubscriberLink/854645/334317047842b6c3/   @pageinSec on Twitter   Dan Kaminsky obit: https://www.theregister.com/2021/04/25/dan_kaminsky_obituary/   Spencer Geitzen: http://brakeingsecurity.com/2018-024-pacu-a-tool-for-pentesting-aws-environments   https://en.wikipedia.org/wiki/Milgram_experiment   https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh@linuxfoundation.org/   https://cse.umn.edu/cs/statement-cse-linux-kernel-research-april-21-2021 https://www.labbott.name/blog/2021/04/21/breakingtrust.html Seems like a number of patches were added (~190) and each had to be reviewed to ensure badness   https://twitter.com/UMNComputerSci/status/1384948683821694976 response to researchers   Linux Kernel mailing list: https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/   https://danielmiessler.com/blog/explaining-threats-threat-actors-vulnerabilities-and-risk-using-a-real-world-scenario/ https://twitter.com/SarahJamieLewis/status/1384871385537908736 @sarahJamieLewis shows the change they submitted in their paper: https://twitter.com/SarahJamieLewis/status/1384876050207940608 https://twitter.com/SarahJamieLewis/status/1330671897822982144/photo/1 https://twitter.com/SarahJamieLewis/status/1384880034146574341/photo/1 https://web.archive.org/web/20210421145121/https://www-users.cs.umn.edu/~kjlu/papers/crix.pdf (appears the researcher deleted this paper from their site.) https://web.archive.org/web/20210422144500/https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf (researcher deleted this paper from their site.)“Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned---Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form. We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract.”   https://github.com/QiushiWu/qiushiwu.github.io NSF Grant application (thank you Page!) https://www.nsf.gov/awardsearch/showAward?AWD_ID=1931208&HistoricalAwards=false    NSF IRB requirements (from 2007): https://www.nsf.gov/pubs/2007/nsf07006/nsf07006.jsp Might be more recent - Human Subjects | NSF - National Science Foundation The researchers issued an apology today 25 April: https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/ *thanks to Zach Whittacker’s security mailing list..*   https://twitter.com/argvee Thought provoking question for your show: is it realistically possible for an organization to build and scale a culture of code review that catches malicious insertions through (1) expert analysis; (2) adversarial mindset?   Co-author of : https://www.amazon.com/Building-Secure-Reliable-Systems-Implementing/dp/1492083127 Introduction of bugs (meaningful or otherwise) caused more work for devs.   Revert: https://lkml.org/lkml/2021/4/21/454 Quick overview of using deception in research from Duke’s IRB: Using Deception in Research | Institutional Review Board (duke.edu)   Is this better? Where’s the line on this? https://www.bleepingcomputer.com/news/security/emotet-malware-nukes-itself-today-from-all-infected-computers-worldwide/

    2021-015-researchers knowingly add vulnerable code to linux kernel, @pageinsec joins us to discuss -part1

    Play Episode Listen Later Apr 27, 2021 47:26

    @pageinSec on Twitter   Dan Kaminsky obit: https://www.theregister.com/2021/04/25/dan_kaminsky_obituary/   Spencer Geitzen: http://brakeingsecurity.com/2018-024-pacu-a-tool-for-pentesting-aws-environments   https://en.wikipedia.org/wiki/Milgram_experiment   https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh@linuxfoundation.org/   https://cse.umn.edu/cs/statement-cse-linux-kernel-research-april-21-2021 https://www.labbott.name/blog/2021/04/21/breakingtrust.html Seems like a number of patches were added (~190) and each had to be reviewed https://twitter.com/UMNComputerSci/status/1384948683821694976 response to researchers Linux Kernel mailing list: https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/ https://danielmiessler.com/blog/explaining-threats-threat-actors-vulnerabilities-and-risk-using-a-real-world-scenario/ https://twitter.com/SarahJamieLewis/status/1384871385537908736 @sarahJamieLewis shows the change they submitted in their paper: https://twitter.com/SarahJamieLewis/status/1384876050207940608 https://twitter.com/SarahJamieLewis/status/1330671897822982144/photo/1 https://twitter.com/SarahJamieLewis/status/1384880034146574341/photo/1 https://web.archive.org/web/20210421145121/https://www-users.cs.umn.edu/~kjlu/papers/crix.pdf (appears the researcher deleted this paper from their site.) https://web.archive.org/web/20210422144500/https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf (researcher deleted this paper from their site.)“Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned---Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form. We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract.” https://github.com/QiushiWu/qiushiwu.github.io NSF Grant application (thank you Page!) https://www.nsf.gov/awardsearch/showAward?AWD_ID=1931208&HistoricalAwards=false  NSF IRB requirements (from 2007): https://www.nsf.gov/pubs/2007/nsf07006/nsf07006.jsp Might be more recent - Human Subjects | NSF - National Science Foundation The researchers issued an apology today 25 April: https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/ *thanks to Zach Whittacker’s security mailing list..*   https://twitter.com/argvee Thought provoking question for your show: is it realistically possible for an organization to build and scale a culture of code review that catches malicious insertions through (1) expert analysis; (2) adversarial mindset? Co-author of : https://www.amazon.com/Building-Secure-Reliable-Systems-Implementing/dp/1492083127   Introduction of bugs (meaningful or otherwise) caused more work for devs. Revert list of 190 patches (threaded): https://lkml.org/lkml/2021/4/21/454  Quick overview of using deception in research from Duke’s IRB: Using Deception in Research | Institutional Review Board (duke.edu) Is this better? Where’s the line on this? https://www.bleepingcomputer.com/news/security/emotet-malware-nukes-itself-today-from-all-infected-computers-worldwide/

    2021-014-Slipstreaming blocked by Chrome, Slack being used for malware, plus dork and deskjockeys!

    Play Episode Listen Later Apr 13, 2021 51:59

    Chrome Blocks Port 10080 to Prevent Slipstreaming Hacks - E Hacking News - Latest Hacker News and IT Security News https://www.reddit.com/r/netsec/comments/jlu3cf/nat_slipstreaming/   Samy Kamkar - NAT Slipstreaming v2.0 Slack and Discord are Being Hijacked by Hackers to Distribute Malware - E Hacking News - Latest Hacker News and IT Security News   Texan's alleged Amazon bombing effort fizzles: Militia man wanted to take out 'about 70 per cent of the internet' • The Register   Pwn2Own 2021: Hackers Offered $200,000 for Zoom, Microsoft Teams Exploits | SecurityWeek.Com   https://twitter.com/k8em0/status/1381258155485585409 https://twitter.com/alisaesage/status/1380797761801445376?s=20 infosecCampout 2021   Hackers Who Paint WWHF  Way west https://pastebin.com/2eYY6trD (for training students) @lintile @infosecroleplay

    2021-013-Liana_McCrea-Garrison_Yap-cecil_hotel, Elisa_Lam-physical_security-part2

    Play Episode Listen Later Apr 7, 2021 58:34

    Reparations.tech *Public Safety Coordinators-Field Operations (Road Incidents)-Specialized Buildings (The Library, Medical Facilities, CCR)*Public Safety OfficersA. Discuss Training-SOP Creation *SOPs are very custom and dependent on the organization. There are no “NIST” standards. [IN CYBER: Frameworks for Physical Security --->     ]  *Think on your feet, many plans often get thrown out the window. *Creating policies due to unforeseen incidents -Physical Security Assessments: Fire Panels, AED, Roof Accesses  *The Checklist: Baseline configuration of the operations for a building *Locksmith Troubleshooting *Lack of Funding (Historically) + Ways to Address this In-House    Talking to Strangers: What We Should Know about the People We Don't Know: Gladwell, Malcolm: 9780316478526: Amazon.com: Books   Situational Awareness(?) “What is Situational Awareness?”  -There’s a lack of good training to discuss their own physical security *Ph.Ds leaving car doors wide open, blaming safety officers when they mess up *Common sense is not so common *Scenarios don’t always cover every event *Dead bodies, car accidents, people streaking (lol), medical issues -Policies can be simple, like opening a car door *Need to vet whether the person is actually their car Have you seen both good and bad training on situational awareness? Does it seem to differ between physical and cyber security? Summary of the Clery Act | Clery Center“The Clery Act is a consumer protection law that aims to provide transparency around campus crime policy and statistics. In order to comply with Clery Act requirements, colleges and universities must understand what the law entails, where their responsibilities lie, and what they can do to actively foster campus safety.” C.Real Life examples of Physical Security Blunders  Death of Elisa Lam - Wikipedia Crime Scene: The Vanishing at the Cecil Hotel - Wikipedia STORY: Person called a SOC, asked to get into their car ( but not their vehicle) Performing multiple sweeps of common areas to prevent squatting  Staff “tripping” alarms  Deceased Faculty + No Sleeping Policy Working as a Team  *Escalation Management    *Police are often increase tensions when de-escalation is needed. *Working as a team *Locksmith Team + Public Safety Team *Looking for talent in unexpected places to transfer over to CyberSecurity (Build the Bridge) Lockpicking Community: [insert folks on twitter / youtube] companies heading back to work What should IT or Security think about for your businesses that may not have had people in for 6-9 months? If companies don’t have cameras or physical controls, should they think about looking at improving? Connect with Us! Liana McCrea: @GeecheeThreat (Twitter)  + LinkedIn Garrison Yap: Garrisony75 (Twitter) + LinkedIn What is physical security? How to keep your facilities and devices safe from on-site attackers | CSO Online Physical security - Wikipedia 5 Ways IT Managers Can Work with Their Physical Security Counterpart (stanleysecuritysolutions.com) 12 Security Camera System Best Practices – Cyber Safe (een.com) What is Physical Security? Measures & Planning Guide + PDF (openpath.com)   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-012-physical security discussion with @geecheethreat and @garrisony75 -pt1

    Play Episode Listen Later Mar 30, 2021 33:10

    Bios for guests   Reparations.tech *Public Safety Coordinators -Field Operations (Road Incidents) -Specialized Buildings (The Library, Medical Facilities, CCR) *Public Safety Officers A. Discuss Training -SOP Creation *SOPs are very custom and dependent on the organization. There are no “NIST” standards.[IN CYBER: Frameworks for Physical Security --->     ]  *Think on your feet, many plans often get thrown out the window. *Creating policies due to unforeseen incidents -Physical Security Assessments: Fire Panels, AED, Roof Accesses  *The Checklist: Baseline configuration of the operations for a building *Locksmith Troubleshooting *Lack of Funding (Historically) + Ways to Address this In-House    Talking to Strangers: What We Should Know about the People We Don't Know: Gladwell, Malcolm: 9780316478526: Amazon.com: Books   Situational Awareness (?) “What is Situational Awareness?”  -There’s a lack of good training to discuss their own physical security *Ph.Ds leaving car doors wide open, blaming safety officers when they mess up *Common sense is not so common *Scenarios don’t always cover every event *Dead bodies, car accidents, people streaking (lol), medical issues-Policies can be simple, like opening a car door *Need to vet whether the person is actually their car Have you seen both good and bad training on situational awareness? Does it seem to differ between physical and cyber security? Summary of the Clery Act | Clery Center“The Clery Act is a consumer protection law that aims to provide transparency around campus crime policy and statistics. In order to comply with Clery Act requirements, colleges and universities must understand what the law entails, where their responsibilities lie, and what they can do to actively foster campus safety.” C.Real Life examples of Physical Security Blunders  Death of Elisa Lam - Wikipedia Crime Scene: The Vanishing at the Cecil Hotel - Wikipedia STORY: Person called a SOC, asked to get into their car ( but not their vehicle) Performing multiple sweeps of common areas to prevent squatting  Staff “tripping” alarms  Deceased Faculty + No Sleeping Policy Working as a Team  *Escalation Management    *Police are often increase tensions when de-escalation is needed. *Working as a team *Locksmith Team + Public Safety Team *Looking for talent in unexpected places to transfer over to CyberSecurity (Build the Bridge) Lockpicking Community: [insert folks on twitter / youtube] companies heading back to work What should IT or Security think about for your businesses that may not have had people in for 6-9 months? If companies don’t have cameras or physical controls, should they think about looking at improving? Connect with Us! Liana McCrea: @GeecheeThreat (Twitter)  + LinkedInGarrison Yap: Garrisony75 (Twitter) + LinkedIn What is physical security? How to keep your facilities and devices safe from on-site attackers | CSO Online Physical security - Wikipedia 5 Ways IT Managers Can Work with Their Physical Security Counterpart (stanleysecuritysolutions.com) 12 Security Camera System Best Practices – Cyber Safe (een.com) What is Physical Security? Measures & Planning Guide + PDF (openpath.com)

    2021-010- Dr. Catherine J Ullman, the art of communication in an Incident - Part 2

    Play Episode Listen Later Mar 21, 2021 45:37

    In this episode: knowing your audience - discussing the IR impact how did this happen? how deep do you want to tailor your potential discussion? Every level must be asking "what, when, why, how?", not just those in the trenches does the level of incident mean that communication scales accordingly? And much more!   Dr. Catherine J. Ullman (@investigatorchi) Incident Response communications Reminders: Patreon Jeff T. just became a $2 patron! Accepted to CircleCityCon on IR communications! Bsides Rochester Security B-Sides Rochester   Spoke at SeaSec meetups: Qualys Update on Accellion FTA Security Incident | Qualys Security Blog Security Advisory | SolarWinds Family Educational Rights and Privacy Act (FERPA)   It’s important to share necessary information with senior level people and higher ups, but is there a thing as ‘oversharing’?  How do you toe the line between oversharing and nothing at all? In higher Ed, are you beholden to different disclosure requirements than businesses? What is Server Side Request Forgery (SSRF)? | Acunetix 13 Beautiful Tools to Create Status Pages for your Business (geekflare.com) Laying communication groundwork Status pages (notifying users) Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-010- Dr. Catherine J Ullman, the art of communication in an Incident - Part 1

    Play Episode Listen Later Mar 17, 2021 34:07

    Dr. Catherine J. Ullman (@investigatorchi)   Incident Response communications   Reminders: Patreon Jeff T. just became a $2 patron! Accepted to CircleCityCon on IR communications! Bsides Rochester Security B-Sides Rochester   Spoke at SeaSec meetups: Qualys Update on Accellion FTA Security Incident | Qualys Security Blog   Security Advisory | SolarWinds   Family Educational Rights and Privacy Act (FERPA) It’s important to share necessary information with senior level people and higher ups, but is there a thing as ‘oversharing’?  How do you toe the line between oversharing and nothing at all?   In higher Ed, are you beholden to different disclosure requirements than businesses? What is Server Side Request Forgery (SSRF)? | Acunetix 13 Beautiful Tools to Create Status Pages for your Business (geekflare.com) Laying communication groundwork Status pages (notifying users) Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-009-Jasmine_Jackson-TheFluffy007-analyzing_android_apps-FRida-Part2

    Play Episode Listen Later Mar 7, 2021 50:01

    @thefluffy007 A Bay Area Native (Berkeley) I always tell people my computer journey started at 14, but it really started at 5th grade (have a good story to tell about this) Was a bad student in my ninth grade year - almost kicked out of high school due to cutting. Had a 1.7 GPA. After my summer internship turned it around to a 4.0. Once I graduated from high school, I knew I wanted to continue on the path of computers. Majored in Computer Science Graduated with Bachelors and Masters in Computer Science. Graduate Certificate in Information Security and Privacy. Minor in Math. Interested in security from a Yahoo! Group on Cryptography. Liked how you can turn text into gibberish and back again. Became interested in penetration testing after moving to Charlotte, and moonlighted as a QA while a full-stack developer. Co-workers did not want me to test their code because I would always find bugs. Moved into penetration testing space. Always had an interest in mobile, but never did mobile development and decided it wasn’t for me Became interested in bug bounties and noticed that mobile payouts were higher. At this time also completed SANS 575 - Mobile Device Security and Ethical Hacking. Realized the barrier to entry was VERY (almost non-existent) low in Android as it’s open source. Started to learn/expand mobile hacking on my own time The threat exposure is VERY high with mobile hacking. As you have a web app component, network component, and phone component. I always reference a slide from Secure Works. Link to YouTube Channel → thefluffy007 - YouTube thefluffy007 – A security researchers thoughts on all things security – web, mobile, and cloud The Mobile App Security Company | NowSecure owasp-mstg/Crackmes at master · OWASP/owasp-mstg · GitHub Rana Android Malware (reversinglabs.com) These 21 Android Apps Contain Malware | PCMag Android Tamer  -Android Tamer The Diary of an (Inexperienced) Bug Hunter - Intro to Android Hacking | Bugcrowd Android Debug Bridge (adb)  |  Android Developers Goal: discussing best practices and methods to reverse engineer Android applications Introduction to Java (w3schools.com) JavaScript Introduction (w3schools.com) Introduction to Python (w3schools.com) Frida • A world-class dynamic instrumentation framework | Inject JavaScript to explore native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX (Frida can be used with JavaScript, and Python, along with other languages) GitHub - dweinstein/awesome-frida: Awesome Frida - A curated list of Frida resources http://www.frida.re/ (https://github.com/frida/frida) Android APK crackme: owasp-mstg/0x05c-Reverse-Engineering-and-Tampering.md at master · OWASP/owasp-mstg · GitHub Reverse-Engineering - YobiWiki Apktool - A tool for reverse engineering 3rd party, closed, binary Android apps. (ibotpeaches.github.io) GitHub - MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. IntroAndroidSecurity download | SourceForge.net ←- link to my virtual machine and Androidx86 emulator Background: **consider this a primer for any class you might teach, a teaser, if you will**   Why do we want to be able to reverse engineer APKs and IPKs?  Android APKS (Android Packages) holds the source code to the application. If you can reverse this you will essentially have the keys to the kingdom. Developers and companies (if they’re proprietary) will add obfuscation - a technique to make the code unreadable to thwart reverse engineers from finding out their code. What are some of the structures and files contained in APKs that are useful for ppl analyzing binaries? Android applications have to have a MainActivity (written in Java). This activity is the entry point to the application. Android applications also have an AndroidManifest.xml file which is the skeleton of the application. This describes the main activity, intents, service providers, permissions, and what Android operating system can run the application. When testing apps for security, how easy is it to emulate security and physical controls if you’re not on a handset?  Pretty easy. You can use an emulator. I must forewarn though - you will need A LOT of memory for it to work effectively. Are there ever any times you HAVE to use a handset? An app that tests something like Android’s Safetynet and won’t run without it? Do they ever want perf testing on their apps? Was thinking about how you check events in logs, battery drain, using apps on older Android/iOS versions?  When organizations or developers ask you to test an app, is there anything in particular in scope? Out of scope? How do progressive web apps differ than a more traditional app?   Lab setup IntroToAndroidSecurity VM Android Emulator Tools to use Why use them? (free, full-featured) Setup and installation OS-specific tools? Tools used - Frida, Jadx-GUI (or command line), text editor. All of these items are free. No setup required if using my virtual machine :-) These apps are OS specific if you choose Linux or Windows. Callbacks Methodology Decompile the application - can use a tool titled - Apktool (free) Look “under the hood” of the application - Jadx-GUI (Graphical User Interface) or Jadx-CLI (command line) Connect your emulator/device using Android Debug Bridge (adb) Get version of Frida on device Look online to find correct version of Frida **this is important** Start to play around with the tool and see if you receive error messages/prompts. Can then go back to code that was reverse engineered and see where it’s located. Best practices Leave no stones unturned! Meaning you might see something that seems too rudimentary to work - and yet it does. Cert pinning -  Typical issues seen Hard-coded passwords, data that is not being encrypted in rest or transit.  Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-008-Jasmine jackson - TheFluffy007, Bio and background, Android App analysis - part 1

    Play Episode Listen Later Mar 2, 2021 52:33

    @thefluffy007 A Bay Area Native (Berkeley) I always tell people my computer journey started at 14, but it really started at 5th grade (have a good story to tell about this) Was a bad student in my ninth grade year - almost kicked out of high school due to cutting. Had a 1.7 GPA. After my summer internship turned it around to a 4.0. Once I graduated from high school, I knew I wanted to continue on the path of computers. Majored in Computer Science Graduated with Bachelors and Masters in Computer Science. Graduate Certificate in Information Security and Privacy. Minor in Math. Interested in security from a Yahoo! Group on Cryptography. Liked how you can turn text into gibberish and back again. Became interested in penetration testing after moving to Charlotte, and moonlighted as a QA while a full-stack developer. Co-workers did not want me to test their code because I would always find bugs. Moved into penetration testing space. Always had an interest in mobile, but never did mobile development and decided it wasn’t for me Became interested in bug bounties and noticed that mobile payouts were higher. At this time also completed SANS 575 - Mobile Device Security and Ethical Hacking. Realized the barrier to entry was VERY (almost non-existent) low in Android as it’s open source. Started to learn/expand mobile hacking on my own time The threat exposure is VERY high with mobile hacking. As you have a web app component, network component, and phone component. I always reference a slide from Secure Works.   Link to YouTube Channel → thefluffy007 - YouTube   thefluffy007 – A security researchers thoughts on all things security – web, mobile, and cloud   The Mobile App Security Company | NowSecure   owasp-mstg/Crackmes at master · OWASP/owasp-mstg · GitHub   Rana Android Malware (reversinglabs.com)   These 21 Android Apps Contain Malware | PCMag   Android Tamer  -Android Tamer   The Diary of an (Inexperienced) Bug Hunter - Intro to Android Hacking | Bugcrowd   Android Debug Bridge (adb)  |  Android Developers   Goal: discussing best practices and methods to reverse engineer Android applications   Introduction to Java (w3schools.com)   JavaScript Introduction (w3schools.com)   Introduction to Python (w3schools.com)   Frida • A world-class dynamic instrumentation framework | Inject JavaScript to explore native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX (Frida can be used with JavaScript, and Python, along with other languages)   GitHub - dweinstein/awesome-frida: Awesome Frida - A curated list of Frida resources http://www.frida.re/ (https://github.com/frida/frida)   Android APK crackme: owasp-mstg/0x05c-Reverse-Engineering-and-Tampering.md at master · OWASP/owasp-mstg · GitHub   Reverse-Engineering - YobiWiki   Apktool - A tool for reverse engineering 3rd party, closed, binary Android apps. (ibotpeaches.github.io)   GitHub - MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.   IntroAndroidSecurity download | SourceForge.net ←- link to my virtual machine and Androidx86 emulator   Background: **consider this a primer for any class you might teach, a teaser, if you will**   Why do we want to be able to reverse engineer APKs and IPKs?  Android APKS (Android Packages) holds the source code to the application. If you can reverse this you will essentially have the keys to the kingdom. Developers and companies (if they’re proprietary) will add obfuscation - a technique to make the code unreadable to thwart reverse engineers from finding out their code.   What are some of the structures and files contained in APKs that are useful for ppl analyzing binaries? Android applications have to have a MainActivity (written in Java). This activity is the entry point to the application. Android applications also have an AndroidManifest.xml file which is the skeleton of the application. This describes the main activity, intents, service providers, permissions, and what Android operating system can run the application.   When testing apps for security, how easy is it to emulate security and physical controls if you’re not on a handset?  Pretty easy. You can use an emulator. I must forewarn though - you will need A LOT of memory for it to work effectively.   Are there ever any times you HAVE to use a handset? An app that tests something like Android’s Safetynet and won’t run without it? Do they ever want perf testing on their apps? Was thinking about how you check events in logs, battery drain, using apps on older Android/iOS versions?    When organizations or developers ask you to test an app, is there anything in particular in scope? Out of scope? How do progressive web apps differ than a more traditional app?   Lab setup IntroToAndroidSecurity VM Android Emulator   Tools to use Why use them? (free, full-featured) Setup and installation OS-specific tools? Tools used - Frida, Jadx-GUI (or command line), text editor. All of these items are free. No setup required if using my virtual machine :-) These apps are OS specific if you choose Linux or Windows. Callbacks Methodology Decompile the application - can use a tool titled - Apktool (free) Look “under the hood” of the application - Jadx-GUI (Graphical User Interface) or Jadx-CLI (command line) Connect your emulator/device using Android Debug Bridge (adb) Get version of Frida on device Look online to find correct version of Frida **this is important** Start to play around with the tool and see if you receive error messages/prompts. Can then go back to code that was reverse engineered and see where it’s located.   Best practices Leave no stones unturned! Meaning you might see something that seems too rudimentary to work - and yet it does. Cert pinning -  Typical issues seen Hard-coded passwords, data that is not being encrypted in rest or transit.      Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-007-News-Google asking for OSS to embrace standards, insider threat at Yandex, Vectr Discussion

    Play Episode Listen Later Feb 21, 2021 57:01

    Links to discussed items: Yandex Employee Caught Selling Access to Users' Email Inboxes (thehackernews.com) Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple | Threatpost Google pitches security standards for 'critical' open-source projects | SC Media (scmagazine.com)   Google’s approach to secure software development and supply chain risk management | Google Cloud Blog https://vectr.io/ https://www.kitploit.com/2021/02/damn-vulnerable-graphql-application.html https://www.blumira.com/careers/?gh_jid=4000142004 sec evangelist @blumira Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-006-Ronnie Watson (@secopsgeek), building a security monitoring system with ELK, and Wazuh - part2

    Play Episode Listen Later Feb 14, 2021 39:21

    Ronnie Watson (@secopsgeek) Youtube: watson infosec - YouTube watsoninfosec (Watsoninfosec) · GitHub   Feel free to add anything you like Wazuh - fork of OSSEC (Migrating from OSSEC · Wazuh · The Open Source Security Platform)   GitHub - ossec/ossec-hids: OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. Implementing a Network Security Metrics Programs (giac.org) What to track. Some suggested metrics to start with:  Number of Successful Logons – from security audits.  Number of Unsuccessful Logons – from security audits.  Number of Virus Infections during a given period.  Number of incidents reported.  Number of security policy violations during a given period.  Number of policy exceptions during a given period.  Percentage of expired passwords. Number of guessed passwords – use a password cracker to test passwords.  Number of incidents.  Cost of monitoring during a given period – use your time tracking system if you have one. 6 Essential Security Features for Network Monitoring Solutions (solutionsreview.com) Metrics of Security (nist.gov) Security metrics are essential to comprehensive network security and CSA management. Without good metrics, analysts cannot answer many security related questions. Some examples of such questions include “Is our network more secure today than it was before?” or “Have the changes of network configurations improved our security posture?” The ultimate aim of security metrics is to ensure business continuity (or mission success) and minimize business damage by preventing or minimizing the potential impact of cyber incidents.    DNS over HTTPs  DNS over HTTPS - Wikipedia

    2021-005-Ronnie Watson (@secopsgeek), building a security monitoring system with ELK, and Wazuh

    Play Episode Listen Later Feb 9, 2021 35:43

    Ronnie Watson (@secopsgeek) Youtube: watson infosec - YouTube watsoninfosec (Watsoninfosec) · GitHub Wazuh - fork of OSSEC (Migrating from OSSEC · Wazuh · The Open Source Security Platform)   GitHub - ossec/ossec-hids: OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. Implementing a Network Security Metrics Programs (giac.org) What to track. Some suggested metrics to start with:  Number of Successful Logons – from security audits.  Number of Unsuccessful Logons – from security audits.  Number of Virus Infections during a given period.  Number of incidents reported.  Number of security policy violations during a given period.  Number of policy exceptions during a given period.  Percentage of expired passwords. Number of guessed passwords – use a password cracker to test passwords.  Number of incidents.  Cost of monitoring during a given period – use your time tracking system if you have one.   6 Essential Security Features for Network Monitoring Solutions (solutionsreview.com)   Metrics of Security (nist.gov) Security metrics are essential to comprehensive network security and CSA management. Without good metrics, analysts cannot answer many security related questions. Some examples of such questions include “Is our network more secure today than it was before?” or “Have the changes of network configurations improved our security posture?” The ultimate aim of security metrics is to ensure business continuity (or mission success) and minimize business damage by preventing or minimizing the potential impact of cyber incidents.    DNS over HTTPs  DNS over HTTPS - Wikipedia Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-004-Danny Akacki talks about Mergers and Acquisitions - Part 2

    Play Episode Listen Later Feb 3, 2021 47:45

    Discussion on Mergers and acquisitions processes On being acquired, but also if you’re acquiring a company Best Practices Best Practices of Mergers and Acquisitions (workforce.com) Best Practices In Merger Integration - Institute for Mergers, Acquisitions and Alliances (IMAA) (imaa-institute.org) The Role of Information Security in a Merger/Acquisition (bankinfosecurity.com) Security Considerations in the Merger/Acquisition Process (sans.org) The 10 steps to successful M&A integration | Bain & Company Savvy Hackers Use Spearphishing to steal Wall Street M&A info (knowbe4.com) “We’ve been acquired by X!” First thing people think “oh no, what’s gonna happen to me.” Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec  

    2021-003- Danny Akacki, open communications, mergers&acquistions

    Play Episode Listen Later Jan 26, 2021 46:09

    Discussion on Mergers and acquisitions processes On being acquired, but also if you’re acquiring a company Best Practices Best Practices of Mergers and Acquisitions (workforce.com)   Best Practices In Merger Integration - Institute for Mergers, Acquisitions and Alliances (IMAA) (imaa-institute.org)   The Role of Information Security in a Merger/Acquisition (bankinfosecurity.com)   Security Considerations in the Merger/Acquisition Process (sans.org) Women Unite Over CTF 3.0 (ittakesahuman.com) The 10 steps to successful M&A integration | Bain & Company Savvy Hackers Use Spearphishing to steal Wall Street M&A info (knowbe4.com) “We’ve been acquired by X!” First thing people think “what’s gonna happen to me.”   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2020-002-Elastic Search license changes, Secure RPC patching for windows, ironkey traps man's $270 million in Bitcoin

    Play Episode Listen Later Jan 19, 2021 46:50

      Secure RPC issue -  Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 – Microsoft Security Response Center How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (microsoft.com) Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 – Microsoft Security Response Center Elastic Search  https://anonymoushash.vmbrasseur.com/2021/01/14/elasticsearch-and-kibana-are-now-business-risks “There are those who will point to the FAQ for the SSPL and claim that the license isn’t interpreted in that way because the FAQ says so. Unfortunately, when you agree to a license you are agreeing to the text of that license document and not to a FAQ. If the text of that license document is ambiguous, then so are your rights and responsibilities under that license. Should your compliance to that license come before a judge, it’s their interpretation of those rights and responsibilities that will hold sway. This ambiguity puts your organisation at risk.” Doubling down on open, Part II | Elastic Blog  - license change affecting Elastic Search and Kibana MongoDB did something similar in 2018: mjg59 | Initial thoughts on MongoDB's new Server Side Public License (dreamwidth.org)   Hacker News Discussion: MongoDB switches up its open source license | Hacker News (ycombinator.com) @vmbrasseur:  (1) VM (Vicky) Brasseur on Twitter: "With today's relicensing to #SSPL, Elasticsearch & Kibana are no longer #OpenSource but are instead business risks: https://t.co/XNx2EMLNfH" / Twitter (1) Adam Jacob on Twitter: "Yeah, come on - how can this be "doubling down on open"? Some true duplicity here. https://t.co/rlJVnLxYwP - we're taking two widely used, widely distributed, widely incorporated open source projects and making them no longer open source. But we're doubling down on open!" / Twitter [License-review] Approval: Server Side Public License, Version 2 (SSPL v2) (opensource.org) “We continue to believe that the SSPL complies with the Open Source Definition and the four essential software freedoms.  However, based on its reception by the members of this list and the greater open source community, the community consensus required to support OSI approval does not currently appear to exist regarding the copyleft provision of SSPL. Thus, in order to be respectful of the time and efforts of the OSI board and this list’s members, we are hereby withdrawing the SSPL from OSI consideration.” (could be ‘open-source’, but negative feedback on mailing lists and elsewhere made the remove it from consideration from OSI) Open Source license requirements: The Open Source Definition | Open Source Initiative What does this mean?  If you have products that utilize ElasticSearch/MongoDB/Kibana in some way, talk to your legal teams to find out if you need to divest your org from them. These are not ‘opensource’ licenses… they are ‘source available’ It might not affect your organization and moving to SSPL might be feasible. If your product makes any changes internally to ElasticSearch,  Notable links JTNYDV  - specifically the CIS docker hardening  Twitter: @jtnydv Bug Detected in Linux Mint Virtual Keyboard by Two Kids - E Hacking News - Latest Hacker News and IT Security News https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/ https://www.coindesk.com/anchorage-becomes-first-occ-approved-national-crypto-bank https://www.cnn.com/2021/01/15/uk/bitcoin-trash-landfill-gbr-scli-intl/index.html https://www.techradar.com/news/man-has-two-attempts-left-to-unlock-bitcoin-wallet-worth-dollar270-million https://www.linkedin.com/posts/amandaberlin_podcast-mentalhealth-neurodiversity-activity-6755910847148691456-Lms5 https://www.linkedin.com/posts/amandaberlin_swag-securitybreach-infosecurity-activity-6755884694501498880-yAck   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2021-001-news, youtuber 'dream' doxxed, solarwind passwords bruteforced, malware attacks

    Play Episode Listen Later Jan 12, 2021 46:57

    Dream Doxxed: Minecraft YouTuber Dream Doxxed Following Speedrun Controversy (screenrant.com) Def Noodles on Twitter: "STANS TAKING IT TOO FAR: Dream doxed after posting a picture of his kitchen on his 2nd Twitter account. Dream has not published statement about situation yet in his public accounts. https://t.co/QuKpIYRODQ" / Twitter Osint issues… found him by breadcrumbs and using zillow internal pics of his house. Craziness Password Guessing Used as a Weapon by SolarWinds Hackers to Breach Targets - E Hacking News - Latest Hacker News and IT Security News How to Use APIs (explained from scratch) (secjuice.com)   Hackers target cryptocurrency users with new ElectroRAT malware | ZDNet   Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020 | ZDNet   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    2020-046-solarwinds-fireeye-breaches-GE-medical-device-issues-and-2021_predictions

    Play Episode Listen Later Dec 17, 2020 52:02

    End of year podcast   Blumeria sponsorship NEWS:   IT company SolarWinds says it may have been hit in 'highly sophisticated' hack | Reuters   FireEye hacked: US cybersecurity firm FireEye hit by 'state-sponsored' attack - BBC News     https://krypt3ia.wordpress.com/ - 16 december 2020   Microsoft flexing muscle to shutdown c2: Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach - GeekWire   Little-known SolarWinds gets scrutiny over hack, stock sales (apnews.com)   FireEye, GoDaddy,and Microsoft create kill switch for SolarWinds backdoorSecurity Affairs   US Gov has hacked: US government agencies hacked; Russia a possible culprit (apnews.com)   Not mentioned during the podcast: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | FireEye Inc   Not trying to spread FUD, but would infiltration by using FOSS tools be easier than Solarwinds?   Time to remove Nano Adblocker and Defender from your browsers (except Firefox) - gHacks Tech News   System oriented programming - Cloud-Sliver (cloud-sliver.com)  Google Cloud (over)Run: How a free trial experiment ended with a $72,000 bill overnight • The Register   G’bye Flash… Adobe releases final Flash Player update, warns of 2021 kill switch (bleepingcomputer.com) IT workers worried about AI making them obsolete…  IT Workers Fear Becoming Obsolete in Cyber Roles - Infosecurity Magazine (infosecurity-magazine.com)   Vulnerabilities Found in Multiple GE Imaging Systems - Infosecurity Magazine (infosecurity-magazine.com)   Qbot malware switched to stealthy new Windows autostart method (bleepingcomputer.com) https://www.atlasobscura.com/places/encryption-lava-lamps - “The randomness of this wall of lava lamps helps encrypt up to 10 percent of the internet. “   It’s been the year of the business continuity program this year… and how agile yours is. --thoughts?   Future? Bryan: Companies that are ‘all in’ on remote work will back track. Amanda: I think we’ll see way more keep the wfh now that they realize it saves $$   heck out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    SPONSORED- Nathanael Iversen from Illumio, future of microsegmentation,

    Play Episode Listen Later Dec 7, 2020 42:40

    BrakeSec Sponsored Interview with Nathanael Iversen   Questions, comments, and other content goes here:   Illumio Nathanael Iversen BDS Podcast Messaging   Topic: Overview of development and deployment of micro-segmentation   Where does segmentation fit into your security strategy?  Micro-segmentation is a preventive measure deployed to create and enforce access at the workload layer. It does not replace identity and access management (IAM), perimeter firewalls, or patching but complements such solutions. Because traditional network segmentation is done with network devices, it only works when the traffic passes through that control point. Micro-segmentation, on the other hand, shifts the enforcement point from the network onto the individual servers and hosts. The means that segmentation policy can be much more granular and can encompass all inbound and outbound traffic, not just the traffic leaving a network zone, VLAN, or environment. Micro-segmentation is a great deterrent for hackers. More organizations are implementing micro-segmentation as an essential part of a defense-in-depth strategy. According to a recent survey of over 300 IT professionals, 45% currently have a segmentation project or are planning one.    The keys to a successful micro-segmentation deployment: As with any security control, it’s important to balance the strategy of the business with the need to secure it. There are several key functions and abilities to consider to ensure your deployment goes smoothly: Visibility with application context Scalable architecture  Abstracted security policies Granular controls  Consistent policy framework across your compute estate Integration with security ecosystem   Preventative Cybersecurity There are three broad preventive security actions: First is controlling the ability to reach the device or target service via the network. Clearly, if you cannot even get to the sensitive data or application, then no amount of vulnerabilities will permit compromise. Often terms like firewall, access control lists (ACLs), VLANs, zones, and the like describe these capabilities. This function is generally implemented by the network team or a dedicated network security team. The second broad action available controls the ability to access a device, data or service once you get there. This covers the entire world of credentials, user accounts, permissions, authentication, authorization, tokens, API keys, etc. If you get to the front door of my house and it is locked, you can’t gain access unless you have the right key. The third broad strategy addresses the fact that often malicious behavior exploits some bug or weakness. So, if one can remove vulnerable code, then in many cases, malicious intent can’t be realized. This involves patching, replatforming applications to stronger platforms, doing code reviews, and more.   Potential questions: What is micro-segmentation? How long has it been around? Can micro-segmentation be used in conjunction with other cybersecurity tools? Like firewalls?  How does micro-segmentation operate in different environments? How does development and deployment differ in the cloud vs. on-prem? What does a successful micro-segmentation deployment look like?  Tell us about the common challenges people face in their micro-segmentation projects. What misconceptions do people have about micro-segmentation? What is the difference between having a proactive vs. reactive security strategy? Can you explore the ‘cost’ of preventative cybersecurity in 2020? I.e., how much can your organization save by preventing breaches, vs. paying off ransomware attackers? Or losing customer trust via a public breach? What does micro-segmentation adoption look like as we head into the new year? What is the future of micro-segmentation?  Segmentation of database areas? Logs?

    2020-045-Marco Salvati, supporting open source devs, incentivizing leeching companies who don't give back- part2

    Play Episode Listen Later Dec 7, 2020 44:33

    https://www.hak4kidz.com/activities/cdcedu.html Online CTF training using Cisco’s Workshop platform. They did something similar in Spring of 2020. There will be an online panel where kids can ask questions about information security. Occurs on December 12th. Check out the link for more info. Robert M. for upping his patreon to $5 Top 25 Data Security Podcasts You Must Follow in 2020 (feedspot.com) @byt3bl33d3r (Marcello Salvati) @porchetta_ind (porchetta Industries) info@porchetta.industries   Wanna sponsor CrackMapExec? Sponsor @byt3bl33d3r on GitHub Sponsors Github sponsors: GitHub Sponsors Introducing Sponsorware: How A Small Open Source Package Increased My Salary By $11k in Two Days | Caleb Porzio How is this different than shareware? “As a developer of one of these tools, you obviously start questioning your life decisions after a while. Especially after putting so much time into these projects.” Adblockers installed 300,000 times are malicious and should be removed now | Ars Technica (spent years supporting the app… the vitriol from ‘unpaid customers’ is deafening… Should be required reading for anyone wanting to open source anything.) [Announcement] Recent and upcoming changes to the Nano projects · Issue #362 · NanoAdblocker/NanoCore (github.com) Business model for typical opensource projects. Where’s the chain broken at? Devs who expect help/support for their project? “Many eyes make for less vulns” (LOL, sounds good, not true anymore --brbr) What is the ‘status quo’ of OSS infosec/hacking tool developer community (in your opinion)? Pull requests, what is ‘meaningful’ contributions? What is the definition of ‘widely-used’? Why support widely-used OSS hacking tools? (2) Marcello on Twitter: "Well also be encouraging community contributions to those same tools by giving out 1 @offsectraining training voucher per quarter to whoever submits the most meaningful pull request to any of the tools in the @porchetta_ind Discord server" / Twitter And now for something completely different... (porchetta.industries) Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec #cybersecurity #informationsecurity #leadership #podcasts #CPEs #CISSP #porchetta #training #sponsorship #github #opensource #crackmapexec #byt3bl33d3r #marcelloSalvati

    2020-044-Marcello Salvati (@byt3bl33d3r), porchetta industries, supporting opensource tool creators, sponsorship model

    Play Episode Listen Later Dec 2, 2020 29:18

    https://www.hak4kidz.com/activities/cdcedu.html Online CTF training using Cisco’s Workshop platform. They did something similar in Spring of 2020. There will be an online panel where kids can ask questions about information security. Occurs on December 12th. Check out the link for more info. Robert M. for upping his patreon to $5 Top 25 Data Security Podcasts You Must Follow in 2020 (feedspot.com) @byt3bl33d3r (Marcello Salvati) @porchetta_ind (porchetta Industries) info@porchetta.industries   Wanna sponsor CrackMapExec? Sponsor @byt3bl33d3r on GitHub Sponsors Github sponsors: GitHub Sponsors Introducing Sponsorware: How A Small Open Source Package Increased My Salary By $11k in Two Days | Caleb Porzio How is this different than shareware? “As a developer of one of these tools, you obviously start questioning your life decisions after a while. Especially after putting so much time into these projects.” Adblockers installed 300,000 times are malicious and should be removed now | Ars Technica (spent years supporting the app… the vitriol from ‘unpaid customers’ is deafening… Should be required reading for anyone wanting to open source anything.) [Announcement] Recent and upcoming changes to the Nano projects · Issue #362 · NanoAdblocker/NanoCore (github.com) Business model for typical opensource projects. Where’s the chain broken at? Devs who expect help/support for their project? “Many eyes make for less vulns” (LOL, sounds good, not true anymore --brbr) What is the ‘status quo’ of OSS infosec/hacking tool developer community (in your opinion)? Pull requests, what is ‘meaningful’ contributions? What is the definition of ‘widely-used’? Why support widely-used OSS hacking tools? (2) Marcello on Twitter: "Well also be encouraging community contributions to those same tools by giving out 1 @offsectraining training voucher per quarter to whoever submits the most meaningful pull request to any of the tools in the @porchetta_ind Discord server" / Twitter And now for something completely different... (porchetta.industries) Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec #cybersecurity #informationsecurity #leadership #podcasts #CPEs #CISSP #porchetta #training #sponsorship #github #opensource #crackmapexec #byt3bl33d3r #marcelloSalvati

    2020-043-Software_Defined_Radio-Sebastien_dudek-RF-attacks- IoT and car RF attacks

    Play Episode Listen Later Nov 24, 2020 31:42

    Sébastien Dudek -  @FlUxIuS @penthertz Why we are here today? Software Defined Radio (sdr-radio.com) What kind of hardware or software do you need? Why would a security professional want to know how to use SDR tools and attacks? What other kinds of attacks can be launched? (I mean, other than replay type attacks) Door systems (badge systems) NFC? Contactless credit card attacks  Smart building/home control systems Bluetooth attacks Point Of Sale systems Cellular radio 3g/4g/5g Industrial control systems Home appliances Medical telemetry systems Drones! LoRa - Wikipedia DASH7 - Wikipedia - custom TCP stack for LoRa Vehicle-to-grid - Wikipedia (V2G) Automatic Wireless Protocol Reverse Engineering | USENIX   Hunting mobile devices endpoints - the RF and the Hard way | Synacktiv - Sébastien Dudek   How Can Drones Be Hacked? The updated list of vulnerable drones & attack tools | by Sander Walters | Medium Carrier Aggregation explained (3gpp.org)  Mobile phone jammer - Wikipedia World’s top hackers meet at the first 5G Cyber Security Hackathon - Security Boulevard Supply chain attacks - systems tend to use wireless chipsets or protocols   LTE-torpedo-NDSS19.pdf (uiowa.edu)  -privacy attacks on 4g/5g networks using side channel information How does someone make a faraday cage on the cheap? (mentioned in one of your class agendas) Lots of IoT devices use your typical home wifi connection, can’t you just sniff packets to get what you need? Replay attacks on car fobs: Jam and Replay Attacks on Vehicular Keyless Entry Systems (s34s0n.github.io) Attacks on Tesla wireless entry: Tesla’s keyless entry vulnerable to spoofing attack, researchers find - The Verge Garage door opener attacks: How to Hack a Garage Door in Under 10 Seconds and What You Can Do About It - ITS Tactical   Kid’s toy opens garage doors: This Hacked Kids' Toy Opens Garage Doors in Seconds | WIRED   What are the current limitations to testing wireless and RF related systems? What about custom wireless implementations? Cellular? Zigbee? I’m a wireless manufacturer of some kind of device. I’m freaked now by hearing you talk about how easy it is to attack wireless systems. What are some things I could do to ensure that the types of attacks we discussed here cannot affect me? Wireless defense system? https://www.researchgate.net/publication/321491751_Security_Mechanisms_to_Defend_against_New_Attacks_on_Software-Defined_Radio List of SDR software: The BIG List of RTL-SDR Supported Software (rtl-sdr.com)

    SPONSORED Podcast: Katey Wood from Illumio on deployment and using WIndows Filtering Platform

    Play Episode Listen Later Nov 17, 2020 42:53

    **Apologies on the Zoom issues** This is the 2nd of 3 sponsored podcast interviews with Illumio about Their zero trust product.  Katey Wood is the Director of Product Marketing at Illumio. https://www.linkedin.com/in/kateywood/ Topic: Conversation on segmentation and ransomware Topic Background:  The attack surface and vulnerabilities are on the rise, along with cyber attacks Why? Remote everything - cloud collaboration (including processing PII) is the new normal and that means the attack surface is heightened. This requires appropriate network, cloud, and endpoint security. Double ransom with #data #exfiltration -- more attackers are exfiltrating customer data from businesses and (if ransom is withheld) extorting consumers directly through bitcoin - often in the headlines. Privacy is a chief security concern now more than ever before, as remote everything continues and #cyberattacks and #ransomware attacks skyrocket. For businesses, Covid and the new WFH normal means even more vulnerabilities and greater incentive to pay an even higher ransom to avoid privacy law penalties and class-action litigation. Enter Segmentation. Perimeter security is important, but unfortunately, we all know that alone it’s not enough (i.e. breach, after breach, after high-profile breach). #ZeroTrust the assume breach mentality/default deny are philosophies that take security deeper to protect organizations from a threat moving laterally within their environment. This is helpful because it’s often not the initial point of breach that causes so much damage – it’s the breach spreading to more critical data and assets that’s so destructive. #Network #segmentation is a crucial control to secure critical data and PII, by ring-fencing applications with patient or client data. Implementing Zero Trust security policies limits access to only allowed parties with a legitimate business purpose and stops the attacker from moving freely across the network to the most valuable data. #Illumio helps #healthcare, academic, and other critical industries keep their crown jewels safe through better, more scalable micro-segmentation that decouples Zero Trust from the constraints of the network by implementing it on the workload.   Vertical ‘Brakedown’ - Healthcare and Education Businesses in the healthcare and education industry often have large numbers of customers and employees, and handle large volumes of PII, are especially at risk. Both have already been under scrutiny for privacy concerns around PII for years, through regulations like #HIPAA in healthcare and #FERPA in education (and now #CCPA). Now that distance learning is the norm and medical records have gone largely electronic, it’s even easier for attackers to move between systems if there are no network segmentation access policies in place to prevent it.   Potential Questions:  Customer data cases:   ‘Dead data’   With today’s workforce largely remote, tell me what that means from a security standpoint. What challenges are businesses facing to protect important data/PII? What is that data “worth” and what are the consequences of falling victim to a ransomware attack or similar event from a bad actor? Talk to me about the “assume breach mentality.” What does that mean and how can you/why should you use this philosophy in your approach to security? How does segmentation relate to compliance? How do the two go hand in hand? How does segmentation protect organizations against large scale breaches? In terms of cost, is segmentation a sizable investment for SMBs? Is it a worthwhile investment, in terms of dollars saved from ransomware attacks? #Segmentation is often thought of as a big (perhaps cumbersome) project – how do you suggest organizations make it more scalable? How does segmentation protect end users?  

    Claim Brakeing Down Security Podcast

    In order to claim this podcast we'll send an email to with a verification link. Simply click the link and you will be able to edit tags, request a refresh, and other features to take control of your podcast page!

    Claim Cancel