This week, we are joined by Nick Cerne, Security Consultant from Bishop Fox, to discuss "Rust for Malware Development." In pursuit of simulating real adversarial tactics, this blog explores the use of Rust for malware development, contrasting it with C in terms of binary complexity, detection evasion, and reverse engineering challenges. The author demonstrates how Rust's inherent anti-analysis traits and memory safety features can create more evasive malware tooling, including a simple dropper that injects shellcode using lesser-known Windows APIs. Through hands-on comparisons and decompiled output analysis, the post highlights Rust's growing appeal in offensive security while noting key OPSEC considerations and tooling limitations. The research can be found here: Rust for Malware Development Learn more about your ad choices. Visit megaphone.fm/adchoices
This week, we are joined by Jon Williams, Vulnerability Researcher from Bishop Fox, discussing "Tearing Down (Sonic)Walls: Decrypting SonicOSX Firmware." Bishop Fox researchers reverse-engineered the encryption protecting SonicWall SonicOSX firmware, enabling them to access its underlying file system for security research. They presented their process and findings at DistrictCon Year 0 and released a tool called Sonicrack to extract keys from VMware virtual machine bundles, facilitating the decryption of VMware NSv firmware images. This research builds upon previous work, including techniques to decrypt static NSv images and reverse-engineer other encryption formats used by SonicWall. The research can be found here: Tearing Down (Sonic)Walls: Decrypting SonicOSX Firmware
Offensive penetration testing, or offensive pentesting, involves actively probing a system, network, or application to identify and exploit vulnerabilities, mimicking the tactics of real-world attackers. The goal is to assess security weaknesses and provide actionable insights to strengthen defenses before malicious actors can exploit them. Bishop Fox is a private professional services firm focused on The post The Future of Offensive Pentesting with Mark Goodwin appeared first on Software Engineering Daily.
Enjoy this special encore episode, where we are joined by Jon Williams from Bishop Fox, as he shares their research on "It's 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable." SonicWall published advisories for CVE-2022-22274 and CVE-2023-0656 a year apart after finding that NGFW series 6 and 7 devices are affected by two unauthenticated denial-of-service vulnerabilities. The research states "Our research found that the two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern." When they scanned SonicWall firewalls with management interfaces exposed to the internet, they found that 76% were vulnerable to one or both issues. The research can be found here: It's 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable
Alethe Denis, Senior Security Consultant at Bishop Fox, is a red team hacker, physical pen tester, and social engineer. In this episode, she joins host Heather Engel to discuss her work, including how she prepares for social engineering engagements, common vulnerabilities encountered, and how the cybersecurity threat landscape continues to evolve. For more information about Alethe, visit https://linktr.ee/alethedenis. • For more on cybersecurity, visit https://cybersecurityventures.com/
This is the second part of a two-part podcast episode with Alethe Denis. If you missed the first part, you'll want to go back and listen to that first, as this episode picks up mid-story where Alethe has just caught the eye of a security guard during a social engineering engagement. Can she evade the guard or will the job come to an end? Alethe is a senior security consultant with Bishop Fox, has given presentations at multiple conferences, including a keynote on red teaming. Alethe was also the featured guest on one of the most popular episodes of Darknet Diaries.
Bishop Fox senior security consultant Alethe Denis joins the Claroty Nexus podcast to discuss social engineering in cybersecurity and how it has become part of red-team engagements, especially inside critical infrastructure organizations. She explains the value of open source intelligence and data stolen in breaches to scammers and extortionists in creating pretexts for their schemes. She also explains how to best defend against these tactics that aid threat actors in weaponizing personal information against victims and organizations. For more, visit nexusconnect.io/podcasts.
In today's episode, we discuss the top 10 questions boards should ask to ensure comprehensive cybersecurity oversight. We're joined by Justin Greis, a partner in our Chicago office who leads McKinsey's cybersecurity work in North America; Daniel Wallance, a senior expert in our New York office who focuses on cybersecurity and technology resilience in financial institutions, critical infrastructure companies, and public sector organizations; and Vinnie Liu, who is the CEO and co-founder of the cybersecurity firm Bishop Fox.
Related reading: Risk and Resilience insights; McKinsey technology insights; What is cybersecurity?
Want to know more about cybersecurity? Talk to us. Discover our latest insights and join more than 90,000 influential professionals who are part of our LinkedIn community: https://www.linkedin.com/showcase/mckinsey-strategy-&-corporate-finance/
See www.mckinsey.com/privacy-policy for privacy information
LockBit claims to have hit the Federal Reserve. CDK Global negotiates with BlackSuit to unlock car dealerships across the U.S. Treasury proposes a rule to restrict tech investments in China. An LA school district confirms a Snowflake-related data breach. Rafel RAT hits outdated Android devices. The UK's largest plutonium stockpiler pleads guilty to criminal charges of inadequate cybersecurity. Clearview AI settles privacy violations in a deal that could exceed fifty million dollars. North Korean hackers target aerospace and defense firms. Rick Howard previews CSOP Live. Our guest is Christie Terrill, CISO at Bishop Fox, discussing how organizations can best leverage offensive security tactics. Bug hunting gets a little too real.
Our 2024 N2K CyberWire Audience Survey is underway, make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Guest Christie Terrill, CISO at Bishop Fox, joins to discuss how organizations can leverage offensive security tactics not just as strategies to prevent cyber incidents, but as a critical component of a cyberattack recovery process. Rick Howard sits down with Dave to share a preview of what's to come at our upcoming CSOP Live event this Thursday, going beyond the headlines with our panel of Hash Table experts for an insightful discussion on emerging industry trends, recent threats and events, and the evolving role of executives in our field.
Selected Reading
LockBit claims the hack of the US Federal Reserve (securityaffairs)
Why are threat actors faking data breaches? (Help Net Security)
CDK Global outage caused by BlackSuit ransomware attack (bleepingcomputer)
US proposes rules to stop Americans from investing in Chinese technology with military uses (AP News)
Los Angeles Unified confirms student data stolen in Snowflake account hack (bleepingcomputer)
Rafel RAT targets outdated Android phones in ransomware attacks (bleepingcomputer)
Sellafield Pleads Guilty to Historic Cybersecurity Offenses (Infosecurity Magazine)
Sellafield nuclear waste site pleads guilty to IT security breaches (Financial Times)
Facial Recognition Startup Clearview AI Settles Privacy Suit (SecurityWeek)
New North Korean Hackers Attack Aerospace and Defense Companies (cybersecuritynews)
Spatial Computing Hack (Ryan Pickren)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Brandon Kovacs, a Senior Red Team Consultant at Bishop Fox, is talking about how Artificial Intelligence is shaping the future of social engineering. Listener Adina wrote in to share their thoughts on an earlier episode on Google. Dave shares listener Tony's write-in for his story this week. Joe and Dave discuss some questions Tony shared about preparing for an overseas trip when his bank account was locked due to security measures triggered by setting up a backup phone and using a VPN. Joe has two stories for this week, one from Blair Young at WBAL, where the Maryland Lottery is warning the public about a phone scam claiming Powerball winnings. The second comes from listener Don, who shares a story on people who hold up posters saying they need money for children's funerals. Our catch of the day comes from a listener who found a "task scam" on Reddit. Please take a moment to fill out an audience survey! Let us know how we are doing! Links to the stories: Maryland Lottery warns public about phone scam claiming Powerball winnings ‘It's a scam': Poster-holders aren't really raising money for a child's funeral Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com.
In this episode, Richard talks to Stuart Ashenbrenner and Wes Hutcherson of Huntress. They share their advice on managing Macs for clients to prevent and manage hacks. Stuart is a staff macOS researcher, focusing on macOS security and development, with a ton of experience working as a macOS detections engineer and software engineer. He's spoken at various conferences about macOS security, and he is the coauthor and core developer of the open source macOS incident response tool called Aftermath. Wes is the director of product marketing for Huntress, where he oversees market intelligence and go-to-market strategies. His multifaceted technology and cybersecurity experience spans over a decade. He's worked with market leaders such as Bishop Fox, eSentire, Hewlett Packard, and Dell SecureWorks covering managed detection and response, governance, risk and compliance, continuous threat exposure management, offensive security and other topics. Richard asks them to explain how Huntress helps MSPs, how to deploy the tool and their typical partners, before digging in to threats specifically targeting Macs. Wes explains the Huntress macOS support and why they decided to put it together. Stuart talks about the most common attack vectors on macOS and security best practice that MSPs should follow.
Wes explains a number of acronyms that MSPs might come across when dealing with Macs and what they mean to users. Richard, Stuart and Wes look at Mac-specific attacks, third-party breaches and how to protect clients, particularly those who believe that Macs are more secure than PCs. They explore tools and resources, touch on management, staying ahead of the curve and how MSPs can take advantage of the threats to Macs to find a business opportunity.
Mentioned in This Episode
Open source macOS incident response tool: Aftermath
Podcast: Interview with Dray Agha
Malware: Atomic macOS Stealer (AMOS)
Trojan: Info Stealer
Shell programme: Bash
Scripting language: AppleScript
Knowledge base: MITRE ATT&CK
macOS threat: Cuckoo
XM Cyber study into breach and attack simulations
Slack community: MacAdmins
Blog series: Ask the Mac Guy: macOS Security Myths
A bunch of resources you can find on our website, under resources
On-demand webinar: Dealing with Mac threats
MSP...
Host Karl Palachuk interviews Wes Hutcherson and Stuart Ashenbrenner from Huntress on the challenges (and victories) of securing macOS endpoints. As you know, macOS represents a growing percentage of the business device operating system market, outperforming both Linux and ChromeOS. Since this is going to be a growing portion of the endpoints you support, it's good to know how you're going to do that. And with so many "home" and personal devices now being used for company purposes, quick response is important as well. The panel addresses the challenges of macOS users - including their persistent reluctance to believe that their devices need protection at all! There is a false sense of security around macOS, driven by old-school understandings of Mac security and the realities of well-funded adversaries on the dark web. macOS malware now accounts for 6.2% of all endpoint OS malware. Half of all macOS users have been affected by malware, hacking, or scams. You can expect that to grow as well.
-----
Thanks to Huntress for sponsoring the SMB Community Podcast. Partners can learn more at https://www.huntress.com/karl
Wes Hutcherson is the Director of Product Marketing for Huntress where he oversees market intelligence and go-to-market strategies. His multi-faceted technology and cyber security experience spans over a decade with market leaders such as Bishop Fox, eSentire, Hewlett-Packard, and Dell SecureWorks, covering Managed Detection and Response, Governance, Risk, and Compliance, Continuous Threat Exposure Management, Offensive Security, and other topics.
Stuart Ashenbrenner works at Huntress as a Staff macOS Researcher, focusing on macOS security and development. He has spoken at various conferences about macOS security, including Objective by the Sea. He is co-author and core developer on the open source macOS incident response tool called Aftermath. He has previously worked as a macOS detections engineer and a software engineer.
Our upcoming events and more:
Register for James's class at ITSPU! 5W22 – MSP Professional Sales is live. Enroll today: https://www.itspu.com/all-classes/classes/msp-professional-sales-program/
MASTERMIND LIVE – Tampa, FL – June 27-28th http://bit.ly/kernanmastermind Use “EARLYBIRD” as the coupon code to save $200!
Check out Amy's weekly newsletter! Sign up now: https://mailchi.mp/thirdtier/small-business-tech-news
Kernan Consulting “Weekly Tips”! Sign up now: https://kernanconsulting.com/
Our Social Links: https://www.linkedin.com/in/james-kernan-varcoach/ https://www.facebook.com/james.kernan https://www.facebook.com/karlpalachuk/ https://www.linkedin.com/in/karlpalachuk/ https://www.linkedin.com/in/amybabinchak/ https://www.facebook.com/amy.babinchak/ https://thirdtier.net https://www.youtube.com/@ThirdTierIT
---
Sponsor Memo: Huntress
Today's SMB Community Podcast is brought to you by Huntress Managed Security. Cybersecurity is more than software—it's also the expertise needed to effectively fight against today's evolving threat landscape. Huntress Managed Security is custom-built to provide human expertise and save your clients from cyber threats. Huntress' suite of fully managed cybersecurity solutions is powered by a 24/7, human-led SOC dedicated to around-the-clock monitoring, expert investigation, and rapid response. While you focus on growing your business, we provide first response to hackers. Huntress has the #1 rated EDR for SMBs on G2 and a partner support Satisfaction score average of 99%. To start a trial today, visit https://huntress.com/karl
Trevin Edgeworth, Red Team Practice Director at Bishop Fox, is discussing how change, like M&A, staff, tech, lack of clarity or even self-promotion within and around security environments, presents windows of opportunity for attackers. Joe and Dave share some listener follow-up. The first comes from Erin, who writes in from Northern Ireland and shares an interesting new find about scammers now keeping up with the news. The second comes from listener Johnathan, who shared thoughts on reconsidering his view on defining Apple's non-rate-limited MFA notifications as a "vulnerability." Lastly, we have follow-up from listener Anders, who shares an article on AI. Joe shares a story from Amazon sellers, and how they are being plagued by scam returns. Dave brings us the story of how to save yourself and your loved ones from AI robocalls. Please take a moment to fill out an audience survey! Let us know how we are doing! Links to the stories: Theory Is All You Need: AI, Human Cognition, and Decision Making Amazon Sellers Plagued by Surge in Scam Returns How to Protect Yourself (and Your Loved Ones) From AI Scam Calls News Insights: Does X Mark a Target? with Trevin Edgeworth, Director of Red Team Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com.
Jon Williams from Bishop Fox is sharing their research on "It's 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable." SonicWall published advisories for CVE-2022-22274 and CVE-2023-0656 a year apart after finding that NGFW series 6 and 7 devices are affected by two unauthenticated denial-of-service vulnerabilities. The research states "Our research found that the two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern." When they scanned SonicWall firewalls with management interfaces exposed to the internet, they found that 76% were vulnerable to one or both issues. The research can be found here: It's 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable
Ivanti products are under active zero-day exploitation. Phemedrone is a new open-source info-stealer. Bishop Fox finds exposed SonicWall firewalls. GitLab and VMware patch critical vulnerabilities. The Secret Service foils a phishing scam. Europol shuts down a cryptojacking campaign. Ransomware hits a Majorca municipality. RUSI looks at ransomware. Ben Yelin explains the New York Times going after OpenAI over data scraping. And the sad case of an Ohio lottery winner.
CyberWire Guest
Guest and partner Ben Yelin joins us today to discuss “The Most Critical Elements of the FTC's Health Breach Rulemaking.” Ben is the Program Director for Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security and Co-Host of N2K's Caveat Podcast.
Selected Reading
Ivanti Connect Secure zero-days now under mass exploitation (Bleeping Computer)
Windows SmartScreen flaw exploited to drop Phemedrone malware (Bleeping Computer)
Over 178,000 SonicWall next-generation firewalls (NGFW) online exposed to hack (Security Affairs)
GitLab Fixes Password Reset Bug That Allows Account Takeover (Security Boulevard)
Patches Available for a Critical Vulnerability in VMware Aria Automation: CVE-2023-34063 (Malware News)
US court docs expose fake antivirus renewal phishing tactics (Bleeping Computer)
Hacker spins up 1 million virtual servers to illegally mine crypto (Bleeping Computer)
Ransomware gang demands €10 million after attacking Spanish council (The Record)
Ransomware: Victim Insights on Harms to Individuals, Organisations and Society (Royal United Services Institute)
Cybersecurity incident delays payouts for big Ohio Lottery winners (Beacon Journal)
Alethe Denis from Bishop Fox is talking with Dave and Joe with her take on the 23andMe breach. Dave and Joe share some follow-up from listener Michael, who writes in to share thoughts on our catch of the day from last episode, regarding the voice mail from Spectrum. Dave shares a story on email security, and how human factors have a heavy influence on it, especially with people's vulnerability to phishing and social engineering. Joe has two stories this week. His first story is a good wrap on the holidays and gift card scams. Joe's second story is a jump on the quickly approaching tax season, and how the IRS is helping taxpayers by providing penalty relief. Our catch of the day is a good example of what not to do when phishing/scamming people; luckily the receiver was smarter than the sender. Links to the stories: How Human Elements Impact Email Security "Vanilla Gift" card issuer faces lawsuit over card-draining scam risk IRS helps taxpayers by providing penalty relief on nearly 5 million 2020 and 2021 tax returns; restart of collection notices in 2024 marks end of pandemic-related pause News Insights: 23AndMe with Alethe Denis, Security Expert - Red Team Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com.
This two-part series dives into the issue within cybersecurity PR and Communications, focusing on the widespread use of ineffective mass email strategies by PR professionals. Featuring special guest Kevin Kosh, Senior Director of Communications at Bishop Fox.
Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run)
Rob Ragan, principal architect and security strategist at Bishop Fox, joins the show to share insights on scaling pen testing, the emergence of bug bounty programs, the value of attack surface management, and the role of AI in cybersecurity. We dig into the importance of proactive defense, the challenges of consolidating security tools, and the potential of AI in augmenting human intelligence. The conversation explores the potential of AI models and their impact on various aspects of technology and society and digs into the importance of improving model interaction by allowing more thoughtful and refined responses. We also discuss how AI can be a superpower, enabling rapid prototyping and idea generation. The discussion concludes with considerations for safeguarding AI models, including transparency, explainability, and potential regulations.
Takeaways:
Scaling pen testing can be challenging, and maintaining quality becomes difficult as the team grows.
Bug bounty programs have been a net positive for businesses, providing valuable insights and incentivizing innovative research.
Attack surface management plays a crucial role in identifying vulnerabilities and continuously monitoring an organization's security posture.
Social engineering attacks, such as SIM swapping and phishing, require a multi-faceted defense strategy that includes technical controls, policies, and user education.
AI has the potential to augment human intelligence and improve efficiency and effectiveness in cybersecurity.
Improving model interaction by allowing more thoughtful and refined responses can enhance the user experience.
Algorithms can be used to delegate tasks and improve performance, leading to better results in complex tasks.
AI is an inflection point in technology, comparable to the internet and the industrial revolution.
AI can be game-changing to automate time-consuming tasks, freeing up human resources for more strategic work.
Autocomplete and code generation tools like Copilot can significantly speed up coding and reduce errors.
AI can be a superpower, enabling rapid prototyping, idea generation, and creative tasks.
Safeguarding AI models requires transparency, explainability, and consideration of potential biases.
Regulations may be necessary to ensure responsible use of AI, but they should not stifle innovation.
Global adoption of AI should be encouraged to prevent technological disparities between countries.
This two-part series dives into the issue within cybersecurity PR and Communications, focusing on the widespread use of ineffective mass email strategies by PR professionals. Featuring special guest Kevin Kosh, Senior Director of Communications at Bishop Fox.
Ryan from Bishop Fox joins to describe their work on "Building an Exploit for FortiGate Vulnerability CVE-2023-27997." After Lexfo published details of a pre-authentication remote code injection vulnerability in the Fortinet SSL VPN, Bishop Fox worked up a proof-of-concept demo. This research shares how they were able to create that proof-of-concept exploit, step by step. The researchers state "Our debugging environment consisted of a FortiGate 7.2.4 virtual machine which we modified to disable some self-verification functionality. After bypassing these integrity checks, we were able to install an SSH server, BusyBox, and debugging tools such as GDB." The research can be found here: Building an Exploit for FortiGate Vulnerability CVE-2023-27997
Cloud Security Pentest is not just a cloud configuration review! Blackhat 2023 & Defcon 31 conversations included Cloud Security Podcast asking traditional and experienced pentesters about their opinion on cloud security pentesting, and the divide was between it being a config review or a product pentest. For this episode we have Seth Art from Bishop Fox to clarify the myth.
Episode YouTube: Video Link
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Seth Art's LinkedIn (Seth Art Linkedin)
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Newsletter - Cloud Security BootCamp
Spotify TimeStamp for Interview Question
(00:00) Introduction
(05:17) A bit about Seth Art
(06:44) Network vs Infrastructure Security Pentest
(08:00) Internal vs External Network Security Pentest
(10:26) Assumed vs Objective Based Pentest
(12:51) Is network pentest dead?
(14:04) How to approach network and cloud pentests?
(20:12) Cloud pentest is more than config review
(24:04) Examples of cloud pentest findings
(30:07) Scaling pentests in cloud
(32:25) Traditional skillsets to cloud pentest
(36:58) A bit about cloudfoxable
(39:31) Cloud pentest and Zero Trust
(40:54) Staying ahead of CSP releases
(44:31) Third party shared responsibility
(47:35) 1 fun question
(48:36) Boundary for cloud pentest
(52:21) Last 2 fun questions
These are some of the resources that Seth shared during the episode, along with the tools he has created: CloudFox, CloudFoxable, flAWS, flAWS 2, iamvulnerable, Cloud Goat
See you at the next episode!
Podcast: Nexus: A Claroty Podcast
Episode: Bishop Fox on OSDP Weaknesses Putting Secure Facilities at Risk
Pub date: 2023-08-13
In this episode of the Nexus podcast, Bishop Fox researchers Dan Petro and David Vargas explain their research into the Open Supervised Device Protocol (OSDP), meant to bring encryption to badge readers and controllers providing physical access controls at secure facilities. Petro and Vargas explain a number of protocol weaknesses and vulnerabilities that defeat OSDP's promise of encryption and security. Through the attacks they describe, they're able to carry out, among others, replay or downgrade attacks, which are enabled by severe key exchange vulnerabilities or weakened crypto keys as described in the protocol. Petro and Vargas unveiled this research during a presentation at Black Hat USA in Las Vegas.
In this episode, host Raghu Nandakumara sits down with Rob Ragan, Principal Researcher at Bishop Fox – live at RSAC 2023! – to discuss the different types of threats, offensive security trends, and how to continuously find new opportunities to improve cyber resilience.
--------
"I'm seeing a lot more folks that are security engineers and are on blue teams that are also then wanting to participate in those red team exercises and in those tests, and be involved and actually understand how they can learn and apply those techniques while they're building into their threat models. And I see that the folks that are doing that on a more regular basis are maturing more rapidly. And if they're not factoring in that testing to what they've implemented, then there may be long periods and long gaps where there's a susceptibility that remains unknown." - Rob Ragan
--------
Time Stamps
* (2:23) Learning the wrong ways to build applications
* (6:31) Securing IoT/OT and national critical infrastructure
* (15:36) Zero Trust and offensive security
* (19:27) Maturing faster with more testing
* (24:32) TCO and ROI
--------
Sponsor
Assume breach, minimize impact, increase resilience ROI, and save millions in downtime costs with Illumio, the Zero Trust Segmentation company. Learn more at illumio.com.
--------
Links
Connect with Rob on LinkedIn
Guest: Tom Eston, VP of Consulting & Cosmos at Bishop Fox [@bishopfox]
On LinkedIn | https://www.linkedin.com/in/tomeston/
On Twitter | https://twitter.com/agent0x0
On Mastodon | https://infosec.exchange/@agent0x0
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________
This Episode's Sponsors
Pentera | https://itspm.ag/penteri67a
CrowdSec | https://itspm.ag/crowdsec-b1vp
___________________________
Episode Notes
In this new Redefining CyberSecurity podcast episode, Tom Eston and Sean Martin debate the value of certifications such as the CISSP. Tom emphasizes that, in his area of offensive security, experience, cultural fit, and ability to learn are more important than certifications or formal education. The two also discuss the role of internships in providing real-world experience and hands-on learning opportunities for aspiring professionals.
The conversation also touches on the importance of finding a niche within the cybersecurity field. Tom highlights the need for specialization and encourages listeners to explore different areas and technologies to find what excites them the most. He also stresses the importance of learning the fundamentals before diving deep into a specific subject. Sean and Tom consider how job descriptions may evolve to embrace specialization and the need for experts in different aspects of cybersecurity.
Tom and Sean also discuss the role of AI in cybersecurity, both as a tool to assist in detection and response, and as a potential risk itself. Tom believes that learning how to interface with AI and understanding its capabilities is crucial for professionals in the industry. While AI can be an efficient assistant, it is essential not to rely solely on its output, as human analysis and verification remain vital in ensuring accuracy and security.
Listen to this episode and you might begin to determine what your cyber chameleon might look like.
____________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist
Guest: Britt Kemp, Community Manager at Bishop Fox [@bishopfox]
On LinkedIn | https://www.linkedin.com/in/kempbritt/
On Twitter | https://twitter.com/brittnik
Host: Phillip Wylie
On ITSPmagazine
New IceFire version is out. A DUCKTAIL tale. Social engineering by Tehran. DPRK's LIGHTSHOW cyberespionage. The President's Budget and cybersecurity. The US Department of Defense issues its cyber workforce strategy. Remcos surfaces in attacks against Ukrainian government agencies. DDoS at a Ukrainian radio station. Dave Bittner sits down with Beth Robinson of Bishop Fox to share their 2023 Offensive Security Resolutions. Caleb Barlow from Cylete on the security implications of gigapixel images. And CISA releases five ICS advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/47
Selected reading.
IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks (SentinelOne)
DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell, and Other Custom Tactics to Avoid Detection (Deep Instinct)
Iran-linked hackers used fake Atlantic Council-affiliated persona to target human rights researchers (CyberScoop)
Iranian APT Targets Female Activists With Mahsa Amini Protest Lures (Dark Reading)
Iran threat group going after female activists, analyst warns (Cybernews)
Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970 (Mandiant)
Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW (Mandiant)
Cybersecurity in the US President's Budget for Fiscal Year 2024 (CyberWire)
Biden's budget proposal underscores cybersecurity priorities (Washington Post)
Biden Budget Proposal: $200M for TMF, CISA With 4.9% Budget Boost (Meritalk)
Cybersecurity Poised for Spending Boost in Biden Budget (Gov Info Security)
Deputy Secretary of Defense Signs 2023-2027 DoD Cyber Workforce Strategy (U.S. Department of Defense)
In new cyber workforce strategy, DoD hopes 'bold' retention initiatives keep talent coming back (Breaking Defense)
Remcos Trojan Returns to Most Wanted Malware List After Ukraine Attacks (Infosecurity Magazine)
February 2023's Most Wanted Malware: Remcos Trojan Linked to Cyberespionage Operations Against Ukrainian Government (Check Point Software)
Radio Halychyna cyber-attacked following appeal by Russian hacker group (International Press Institute)
CISA Releases Five Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA)
Cloud Security Podcast - This month we are talking about "Breaking the AWS Cloud" and next up on this series, we spoke to Seth Art (Seth's Linkedin), Cloud Penetration Testing Lead (Principal) at Bishop Fox. Projects to pentest AWS cloud architecture are not spoken about much - this stops today. We have Seth, who works in the Cloud Penetration testing space, to talk about open source tools and what Cloud pentesting is all about.
Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Seth Art (Seth's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy
Spotify TimeStamp for Interview Questions
(00:00) Introduction
(04:24) A bit about Seth
(06:10) Web App Pentesting vs Cloud Pentesting
(08:11) Working with scale of multiple AWS accounts
(10:20) What can you expect to find with Cloud Pentesting?
(12:14) Foundational pieces about approaching pentesting in Cloud
(15:19) How to start a Cloud Pentest?
(18:25) The importance of IAM
(23:43) Common services in AWS to look at
(25:58) Mistakes people make for scoping
(29:18) The role of shared responsibility in Cloud Pentesting
(32:38) Boundaries for AWS pentesting
(35:13) Nmap between 2 EC2 instances
(36:37) How do you explain the findings?
(40:26) Skillsets required to transition to Cloud Pentesting
(45:41) Transitioning from Kubernetes to Cloud Pentesting
(48:55) Resources for learning about Cloud Pentesting
(49:47) The Fun Section
See you at the next episode!
Has LockBit 3.0 been reverse engineered? A COVID lure contains a Punisher hook. A Chinese cyberespionage campaign uses compromised USB drives. Lilac Wolverine exploits personal connections for BEC. Killnet claims to have counted coup against the White House. Tim Starks from the Washington Post has the FCC's Huawei restrictions and ponders what Congress might get done before the year end. Our guest is Tom Eston from Bishop Fox with a look inside the Minds & Methods of Modern Adversaries. And, of course, scams, hacks, and other badness surrounding the World Cup. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/228
Selected reading.
LockBit 3.0 'Black' attacks and leaks reveal wormable capabilities and tooling (Sophos News)
Punisher Ransomware Spreading Through Fake COVID Site (Cyble)
Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia (Mandiant)
BEC Group Compromises Personal Accounts and Pulls Heartstrings to Launch Mass Gift Card Attacks (Abnormal Security)
Killnet Claims Attacks Against Starlink, Whitehouse.gov, and United Kingdom Websites (Trustwave)
Scammers on the pitch: Group-IB identifies online threats to fans at FIFA World Cup 2022 in Qatar (Group-IB)
Today's episode is hosted by Karl and James. They talk to Alethe Denis, Senior Security Consultant at Bishop Fox, about how children learn how to utilize social engineering at a young age, some common misconceptions about making a career out of social engineering, and why HR departments are a force to be reckoned with.
Host FalconSpy returns this week joined by Rob Ragan, Principal Researcher at Bishop Fox! They begin by diving into tips for organizations beginning to build out their continuous security testing and why it's so important. Ragan also shares bugs he has discovered while deploying tools to assist with continuous security testing. Next, he gives advice based on his own experience in the InfoSec field to those aspiring to break into the industry. Lastly, he discloses whether degrees or certifications are necessary for a career in InfoSec and how to become more specialized in continuous security testing and automation. Enjoy the episode! Make sure to check out Bishop Fox: https://bishopfox.com/blog/introducing-cloudfox https://github.com/BishopFox/smogcloud
A recent survey of ethical hackers by Bishop Fox and SANS shows that, once a vulnerability or weakness is found, about 58% of ethical hackers can break into an environment in less than five hours; SMS phishing and text message scams appear to be changing tactics, taking a more "urgent" tone; and a discussion about […] The post Hackers Need 5 Hours or Less to Break In, SMS Phishing Tactics, Strange Ways Employees Expose Data appeared first on The Shared Security Show.
A CISO's Guide to Pentesting
References
https://en.wikipedia.org/wiki/Penetration_test
https://partner-security.withgoogle.com/docs/pentest_guidelines#assessment-methodology
https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies
https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
https://pentest-standard.readthedocs.io/en/latest/
https://www.isecom.org/OSSTMM.3.pdf
https://s2.security/the-mage-platform/
https://bishopfox.com/platform
https://www.pentera.io/
https://www.youtube.com/watch?v=g3yROAs-oAc
****************************
Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to explore a number of things a CISO needs to know about pentesting. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates. Now to get a good understanding of pentesting we are going over the basics every CISO needs to understand:
- What is it?
- Where are good places to order it?
- What should I look for in a penetration testing provider?
- What does a penetration testing provider need to provide?
- What's changing on this going forward?
First of all, let's talk about what a pentest is NOT. It is not a simple vulnerability scan. That's something you can do yourself with any number of publicly available tools. However, performing a vulnerability scan, and then acting on remediating what you find, is an important prerequisite for a pentest. Why pay hundreds of dollars per hour for someone to point out what you can find yourself in your bunny slippers sipping a latte? Now let's start with providing a definition of a penetration test.
According to Wikipedia, a penetration test or pentest is an authorized simulated cyber-attack on a computer system performed to evaluate the security of a system. It's really designed to show weaknesses in a system that can be exploited. Let's think of things we want to test. It can be a website, an API, a mobile application, an endpoint, a firewall, etc. There's really a lot of things you can test, but the thing to remember is you have to prioritize what has the highest likelihood or largest impact to cause the company harm. You need to focus on high likelihood and impact because professional penetration tests are not cheap. Usually, they will cost between $10,000-$30,000, but if you have a complex system, it's not unheard of to go up to $100,000. As a CISO you need to be able to defend this expenditure of resources. So, you will usually define a clear standard that our company will perform penetration tests on customer facing applications, PCI applications, and Financially Significant Applications or SOX applications once per year. My friend John Strand, who founded Black Hills Information Security, pointed out in a recent webcast that sometimes you, the client, may not know what you mean by the term pentest. Sometimes clients want just a vulnerability scan, or sometimes an external scan of vulnerabilities to identify risk, or sometimes a compromise assessment where a tester has access to a workstation and tries to work laterally, or sometimes a red team where a tester acts like a threat actor and tries to bypass controls, or a collaborative effort involving both red teams and blue teams to document gaps and to help defenders do their job better. He goes on to state that your pentest objective should be to "provide evidence of the effectiveness of current defensive mechanisms and attack detection methodologies." Please do not confuse a penetration test with a Red Team exercise.
A red team exercise just wants to accomplish an objective like stealing data from an application. A penetration test wants to enumerate vulnerabilities in a scoped target system so the developer can patch and remediate. It's a subtle difference, but consider that a red team only needs to find one vulnerability to declare success, whereas a penetration test keeps going to help identify potentially exploitable vulnerabilities. Now, is a pentest about finding ALL vulnerabilities? I would say no – there are vulnerabilities that might require a disproportionate amount of resources to exploit for little or no value – something with a CVSS score of 4.0 or the like. Those can often be left unpatched without consequence – the cost of remediating may exceed the value of the risk avoided. There really is a "good enough" standard of risk, and that is called "acceptable risk." So, when scoping a pentest or reviewing results, make sure that any findings are both relevant and make economic sense to remediate. Let's take the example that you want to perform a web application pentest on your public website so you can fix the vulnerabilities before the bad actors find them. The first question you should consider is whether you want an internal or an external penetration test. Well, the classic answer of "it depends" is appropriate. If this website is a service that you are selling to other companies, then chances are those companies are going to ask you for things like an ISO 27001 certification or SOC 2 Type 2 Report, and both of those standards require, you guessed it, a penetration test. In this case your company would be expected to document a pentest performed by an external provider. Now if your company has a website that is selling direct to a consumer, then chances are you don't have the same level of requirement for an external pentest. So, you may be able to just perform an internal penetration test performed by your company's employees.
I'd be remiss if I didn't mention the Center for Internet Security Critical Controls, formerly known as the SANS Top 20. The current version, eight, has 18 controls that are listed in order of importance, and they include pentesting. What is the priority of pentesting, you may ask? #18 of 18 -- dead last. Now, that doesn't mean pentests are not valuable, or not useful, or even not important. What it does mean is that pentests come at the end of building your security framework and implementing controls. Starting with a pentest makes no sense IMHO, although compliance-oriented organizations probably do this more often than they should. That approach makes the pen tester's job one of filtering through noise -- there are probably a TON of vulnerabilities and weaknesses that should have been remediated in advance and could have been with very little effort. Think of a pentest as a final exam, if you will. Otherwise, it's an expensive way to populate your security to-do list. OK, let's say we want to have an external penetration test and we have the 10-30K on hand to pay an external vendor. Remember this: a penetration test is only as good as the conductor of the penetration test. Cyber is a very unregulated industry, which means it can be tricky to know who is qualified. Compare this to the medical industry. If you go to a hospital, you will generally get referred to a Medical Doctor or Physician. This is usually someone who has a degree such as an MD or DO which proves their competency. They will also have a license from the state to practice medicine legally. Contrast this to the cyber security industry. There is no requirement for a degree to practice Cyber in the workforce. Also, there is no license issued by the state to practice cyber or develop software applications. Therefore, you need to look for relevant Cyber certifications to demonstrate competency to perform a Penetration Test.
There are a number of penetration testing certifications such as the Certified Ethical Hacker or CEH, Global Information Assurance Certification or GIAC GPEN or GWAPT, and the Offensive Security Certified Professional or OSCP. We strongly recommend anyone performing an actual penetration test have an OSCP. This certification is difficult to pass. A cyber professional must be able to perform an actual penetration test and produce a detailed report to get the actual certification. This is exactly what you want in a pentester, which is why we are big fans of this certification. This certification is a lot more complicated than remembering a bunch of textbook answers and filling in a multiple-choice test. Do yourself a favor and ask for individuals performing penetration tests at your company to possess this certification. It may mean your penetration tests cost more, but it's a really good way to set a bar of qualified folks who can perform quality penetration tests to secure your company. Now you have money, and you know you want to look for penetration tests from companies that have skilled cyber professionals with years of experience and an OSCP. What companies should you look at? Usually, we see three types of penetration testing companies. The first are companies that use their existing auditors to perform penetration tests – firms like KPMG, EY, PWC, or Deloitte (The Big 4 1/2). This is expensive, but it's easy to get them approved since most large companies already have contracts with at least one of these companies. The second type of company that we see are large penetration testing companies. Companies like Bishop Fox, Black Hills Information Security, NCC Group, and TrustedSec focus largely on penetration testing and don't extend into other areas like financial auditing. They have at least 50+ penetration testers with experience from places like the CIA, NSA, and other large tech companies.
Note they are often highly acclaimed so there is often a waitlist of a few months before you can get added as a new client. Finally, there are boutique shops that specialize in particular areas. For example, you might want to hire a company that specializes in testing mobile applications, Salesforce environments, embedded devices, or APIs. This is a more specialized skill and a bit harder to find so you have to find a relevant vendor. Remember if someone can pass the OSCP it means they know how to test and usually have a background in Web Application Penetration testing. Attacking a Web application means being an expert in using a tool like Burp Suite to look for OWASP Top 10 attacks like SQL injection or Cross Site Scripting. This is a very different set of skills from someone who can hack a Vehicle Controller Area Network (CAN) bus or John Deere Tractor that requires reverse engineering and C++ coding. Once you pick your vendor and successfully negotiate a master license agreement be sure to check that you are continuing to get the talent you expect. It's common for the first penetration test to have skilled testers but over time to have a vendor replace staff with cheaper labor who might not have the OSCP or same level of experience that you expect. Don't let this happen to your company and review the labor and contract requirements in a recurring fashion. Alright, let's imagine you have a highly skilled vendor who meets these requirements. How should they perform a penetration test? Well, if you are looking for a quality penetration testing guide, we recommend following the one used by Google. Google, whose parent company is called Alphabet, has publicly shared their penetration testing guidelines and we have attached a link to it in our show notes. It's a great read so please take a look. Now Google recommends that a good penetration test report should clearly follow an assessment methodology during the assessment. 
Usually, penetration testers will follow an industry recognized standard like the OWASP Web Security Testing Guide, the OWASP Mobile Security Testing Guide, the OWASP Firmware Security Testing Guide, the PCI DSS Penetration Testing Guide, the Penetration Testing Execution Standard, or the OSSTMM, which stands for The Open Source Security Testing Methodology Manual. These assessment methodologies can be used to show that extensive evaluation was done, and a multitude of steps/attacks were carried out. They can also standardize the documentation of findings. Here you will want a list showing risk severity level, impact from a business/technical perspective, clear concise steps to reproduce the finding, screenshots showing evidence of the finding, and recommendations on how to resolve the finding. This will allow you to build a quality penetration test that you can reuse in an organization to improve your understanding of technical risks. If we can get good penetration tests today, perhaps we should think about how penetration testing will change in the future. The answer is automation. Now we have had automated vulnerability management tools for decades. But please don't think that running a Dynamic Application Security Testing tool or DAST such as WebInspect is the same thing as performing a full penetration test. A penetration test usually takes about a month of work from a trained professional, which is quite different from a 30-minute scan. As a cyber industry we are starting to see innovative Penetration Testing companies build out Continuous and Automated Penetration Testing tooling. Examples of this include Bishop Fox's Cosmos, Pentera's Automated Security Validation Platform, and Stage 2 Security's Voodoo and Mage tooling. Each of these companies is producing some really interesting tools, and we think they will be a strong complement to penetration tests performed by actual teams. This means that companies can perform more tests on more applications.
The other major advantage with these tools is repeatability. Usually, a penetration test is a point in time assessment. For example, once a year you schedule a penetration test on your application. That means that if a month later you make changes, updates, or patches to your application, then there can easily be new vulnerabilities introduced which were never assessed by your penetration test. So having a continuous solution to identify common vulnerabilities is important, because you always want to find your vulnerabilities before bad actors do. Here's one final tip. Don't rely on a single penetration testing company. Remember we discussed that a penetration testing company is only as good as the tester and the toolbox. So, try changing out the company who tests the same application each year. For example, perhaps you have contracts with Bishop Fox, Stage 2 Security, and Black Hills Information Security where each company performs a number of penetration tests for your company each year. You can alternate which company scans which application. Therefore, have Bishop Fox perform a pentest of your public website in 2022, then Stage 2 Security test it in 2023, then Black Hills test it in 2024. Every penetration tester looks for something different, and they will bring different skills to the test. If you leverage this methodology of changing penetration testing vendors each cycle, then you will get more findings, which allows you to remediate and lower risk. It also allows you to know if a penetration testing vendor's pricing is out of the norm. You can cancel or renegotiate one contract if a penetration testing vendor wants to double their prices. And watch the news -- even security companies have problems, and if a firm's best pentesters all leave to join a startup, that loss of talent may impact the quality of your report. Thank you for listening to CISO Tradecraft, and we hope you have found this episode valuable in your security leadership journey.
As always, we encourage you to follow us on LinkedIn, and help us out by letting your podcast provider know you value this show. This is your host, G. Mark Hardy, and until next time, stay safe.
A conversation with Bishop Fox chief executive Vinnie Liu on the origins and evolution of the pentest services business, the emerging continuous attack surface management space, raising $75m as a 'growth mode' investment, cybersecurity's people problem, and much more...
Rob's interest in hacking started with 2600 Magazine and 2600 Groups. This fueled his curiosity and passion for technology and security. Rob started his career as a software developer, but the more he learned about security and pentesting, the more he was drawn to that passion, and he became a consultant providing pentesting services for clients.
_______________________
Guest
Rob Ragan
Principal Security Researcher at Bishop Fox [@bishopfox]
On Twitter | https://twitter.com/sweepthatleg
On LinkedIn | https://www.linkedin.com/in/robragan/
______________________
Host
Phillip Wylie
On ITSPmagazine
In the Enterprise Security News, Cyber insurance joins the Unicorn club, Bishop Fox raises a $75M Series B, A dozen more funding rounds, XM Cyber acquires Cyber Observer, Zendesk gets bought by private equity, 5 more rounds of cybersecurity layoffs, Some very interesting new products - both open source and commercial, Survival of the Quickest, And a ransom victim earning money from its payment?? Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw280
In the Enterprise Security News, Cyber insurance joins the Unicorn club, Bishop Fox raises a $75M Series B, A dozen more funding rounds, XM Cyber acquires Cyber Observer, Zendesk gets bought by private equity, 5 more rounds of cybersecurity layoffs, Some very interesting new products - both open source and commercial, Survival of the Quickest, And a ransom victim earning money from its payment?? How surreal it is for the industry to return to the RSA event in person... what changed or transformed fundamentally ... etc. Specific impacts around the areas of ZTNA, SOC, and OT security. This segment is sponsored by Barracuda Networks. Visit https://securityweekly.com/barracuda to learn more about them! Merritt Maxim discusses the latest trends in identity and access and how organizations should tackle the ever-expanding user security challenges. Connected devices outnumber humans two to one, a ratio that is on an accelerating growth curve. Risks associated with device counterfeiting and cyberattacks are also growing rapidly and now represent very real risks to economies, national security, our critical infrastructure, and our very lives. One necessary component for addressing this threat is establishing a verifiable and immutable device identification and lifecycle reporting system. Segment Resources: Number of mobile devices worldwide 2020-2025: https://www.statista.com/statistics/245501/multiple-mobile-device-ownership-worldwide/ UCID Website - https://www.ucidentifier.io/ Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw280
Russian disinformation in its war against Ukraine. Overhead imagery and electronic intercepts suggest that Russian atrocities are matters of policy and strategy. Microsoft disrupts GRU cyber operations. Facebook takes down Iranian coordinated inauthenticity. India's Power Ministry says it stopped a Chinese cyberattack. Dave Dufour from Webroot on evolving attack mechanisms. Our guest is Dan Petro of Bishop Fox with a warning about document redaction. Grid security and the value of exercises. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/68 Selected reading. Putin's ‘probably given up' on Kyiv as Ukraine war enters new phase (Defense News) Ukraine says 39 killed in rocket strike on rail evacuation hub (Reuters) Russian rocket attack on Kramatorsk train station kills dozens—Ukraine (Newsweek) Possible Evidence of Russian Atrocities: German Intelligence Intercepts Radio Traffic Discussing the Murder of Civilians in Bucha (Der Spiegel) Germany intercepts Russian talk of indiscriminate killings in Ukraine (Washington Post) Microsoft says it disrupted Russian cyberattacks targeting Ukraine, West (The Hill) Disrupting cyberattacks targeting Ukraine - Microsoft On the Issues (Microsoft On the Issues) GridEx VI Lessons Learned Report (NERC) Power Grid Stress Test Finds Low-Tech Needs for High-Tech Problems (Wall Street Journal) Dire grid hacking scenario sparked “shields up” approach to Russian threat (Medium)
CISA, the FBI, the ACSC, and the NCSC issue a joint advisory warning of an Iranian cyber campaign exploiting known vulnerabilities in Fortinet and Microsoft Exchange. A Belarusian connection to Ghostwriter. Candiru tools reported in watering holes. SideCopy's interest in Afghanistan. RAMP shows an interest in attracting Chinese operators. Josh Ray from Accenture Security digs into the CONTI playbook leak. Our guest is Matt Keeley from Bishop Fox on fuzzing. And Pompompurin wants to sell you leaked Robinhood data. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/221
Hosts TJNull and FalconSpy catch up with Seth Art, Sr. Security Consultant at Bishop Fox, who also holds his OSCP. They discuss how Seth got into security and his varied background. He also reveals his favorite aspects of working for Bishop Fox, as well as what a junior pentester should know in order to join an offensive security-focused firm like Bishop Fox. They talk about Seth's OSCP journey and the challenges he overcame to earn his OSCP, including juggling parenting and studying. They then turn to cloud pentesting and Kubernetes security and Seth spills the details on interesting findings from his recent research. Specifically, they discuss potential vulnerabilities in Kubernetes and AWS. Finally, they chat about the crucial skills Seth recommends budding penetration testers develop. Enjoy the episode!
Bishop Fox Questions Part 1 by Deepak Shukla
Dan Petro, Lead Researcher, and Allan Cecil, Security Consultant, from Bishop Fox join Dave to share their research "You're Doing IoT RNG," that they presented at DefCon 29. There's a crack in the foundation of Internet of Things (IoT) security, one that affects 35 billion devices worldwide. Basically, every IoT device with a hardware random number generator (RNG) contains a serious vulnerability whereby it fails to properly generate random numbers, which undermines security for any upstream use. In order to perform most security-relevant operations, computers need to generate secrets via an RNG. These secrets then form the basis of cryptography, access controls, authentication, and more. The details of exactly how and why these secrets are generated varies for each use. The research can be found here: You're Doing IoT RNG
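The failure mode described above, as an added illustration that is not code from the talk, the podcast, or Bishop Fox: a constructed mock of a hardware RNG HAL that reports an error once its entropy is spent, placed beside the firmware pattern that drops the status (and so ships a key that is partly zeros) and the pattern that checks it and fails closed. The HAL shape (output through a pointer, status as return value) and the "error, output left untouched" behaviour are assumptions chosen for illustration, not a specific vendor's API.

```c
/*
 * Added example: constructed mock of an IoT hardware RNG HAL and two
 * consumers of it. Not from the research or any vendor SDK; the HAL
 * shape and its failure behaviour are assumptions for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define KEY_WORDS 4            /* 128-bit key as four 32-bit words */

typedef enum { RNG_OK = 0, RNG_ERR_NO_ENTROPY = 1 } rng_status_t;

/* Mock peripheral state: how many 32-bit reads remain before it fails. */
static int mock_entropy_budget = 2;

/* Reset the mock so every scenario starts from a known state. */
void mock_rng_reset(int budget) { mock_entropy_budget = budget; }

/*
 * Mock HAL call (assumed shape): result via pointer, status as return.
 * On failure the output word is left untouched, so whatever the caller
 * had in the buffer (here: zeros) becomes the "random" value.
 */
rng_status_t hal_rng_read(uint32_t *out)
{
    if (mock_entropy_budget <= 0)
        return RNG_ERR_NO_ENTROPY;
    mock_entropy_budget--;
    /* stand-in for real entropy; always non-zero in this mock */
    *out = 0xA5A5A5A5u ^ (uint32_t)mock_entropy_budget;
    return RNG_OK;
}

/* Vulnerable pattern: status ignored, buffer zeroed "to be safe". */
void keygen_vulnerable(uint32_t key[KEY_WORDS])
{
    memset(key, 0, KEY_WORDS * sizeof(uint32_t));
    for (size_t i = 0; i < KEY_WORDS; i++)
        (void)hal_rng_read(&key[i]);   /* return value dropped */
}

/* Hardened pattern: fail closed on any error and scrub partial output. */
bool keygen_checked(uint32_t key[KEY_WORDS])
{
    for (size_t i = 0; i < KEY_WORDS; i++) {
        if (hal_rng_read(&key[i]) != RNG_OK) {
            memset(key, 0, KEY_WORDS * sizeof(uint32_t));
            return false;              /* caller must not use the key */
        }
    }
    return true;
}

/* Cheap sanity check on RNG output: how many words came back as zero. */
size_t count_zero_words(const uint32_t key[KEY_WORDS])
{
    size_t zeros = 0;
    for (size_t i = 0; i < KEY_WORDS; i++)
        if (key[i] == 0) zeros++;
    return zeros;
}

/* Scenario helpers: run one keygen against a given entropy budget. */
size_t vulnerable_zero_words_with_budget(int budget)
{
    uint32_t key[KEY_WORDS];
    mock_rng_reset(budget);
    keygen_vulnerable(key);
    return count_zero_words(key);
}

int checked_keygen_with_budget(int budget)
{
    uint32_t key[KEY_WORDS];
    mock_rng_reset(budget);
    return keygen_checked(key) ? 1 : 0;
}

int main(void)
{
    printf("vulnerable keygen, 2 good words: %zu of %d key words are zero\n",
           vulnerable_zero_words_with_budget(2), KEY_WORDS);
    printf("checked keygen, 2 good words: %s\n",
           checked_keygen_with_budget(2) ? "ok" : "refused (no entropy)");
    printf("checked keygen, 4 good words: %s\n",
           checked_keygen_with_budget(4) ? "ok" : "refused (no entropy)");
    return 0;
}
```

The point the mock makes is that the "random" key is only as good as the weakest link in the chain: a peripheral that can refuse, a HAL that signals the refusal, and firmware that must look at the signal. Treating RNG output as opaque bytes and never checking the status (or running a simple zero-word check like the one above on the result) is exactly what turns a transient entropy shortage into a predictable key.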
T-Mobile's recently revealed hack affects incredibly sensitive data of more than 40 million customers. IoT is bad at Random Number Generation according to researchers from Bishop Fox. But what does it mean? Facebook's 'widely viewed content' report is out and it might not be the content you expect. Virtual Reality is here to save remote meetings with Facebook's newly unveiled Horizon Workrooms. Hosts: Jason Howell and Mikah Sargent Guests: Dan Petro, Allan Cecil, and Karissa Bell Download or subscribe to this show at https://twit.tv/shows/tech-news-weekly. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Sponsors: Compiler - TNW hover.com/twit CrowdStrike.com/twit
The News: A joint advisory was published on Friday, May 7, 2021 by the Cybersecurity & Infrastructure Security Agency (CISA), the UK's National Cyber Security Centre, the FBI, and the NSA, focused on the Russian Foreign Intelligence Service (SVR) and the tactics, techniques and procedures it uses to target victims. These reports focus on threats posed by APT29, how its methods have evolved, and provide best practices to defend against the threat actor. Read the Joint Advisory here. The US/UK Governments Issue Cybersecurity Advisory on Russian Threat Actor Activity Analyst Take: This past Friday was a big day for cybersecurity advisories related to Russian Foreign Intelligence Service (SVR) threat actors. The threat group APT29 has been attributed to Russia's SVR and has operated since about 2008, largely targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 is also known by the names Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, and Cozy Duke. In the recently issued joint advisory, the US and UK governments outlined tactics and techniques that the Russians are using in their hacking efforts and outlined how they are targeting their victims. In an earlier alert issued the week prior, SVR operations were outlined, along with trends and some recommended best practices for network defenders. These reports also provide more details on the SolarWinds attack spearheaded by those same Russian SVR threat actors. The SolarWinds attack saw malicious updates from compromised SolarWinds systems breaching hundreds of organizations – and we don't yet know the full scope of the damage. Last year we also saw that same SVR group targeting vaccine R&D operations, which involved malware tracked as WellMess (https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c) and WellMail. What caught my eye here, and what is highlighted in the report, is that threat actors embrace best practices for digital transformation.
They are agile and adaptable. Once they are detected, they pivot. For instance, once the WellMess/WellMail breach was detected, APT29 pivoted. And this pivot was really pretty brilliant. The threat actors began using Sliver, which is a security testing tool developed by Bishop Fox, an offensive security assessment firm. Sliver is a legitimate tool used for adversary simulation. This new report focuses on helping threat hunters detect Sliver, but here's the rub: just because it's detected doesn't necessarily mean it's malicious. Have a headache yet? I do. My colleague Fred McClimans and I covered this jointly issued report in our Cybersecurity Shorts series on the Futurum Tech Webcast this past week. Threat Actors Make It Their Job to Know When Servers Are Vulnerable The newly published warning report said that threat actors are actively scanning the internet for vulnerable servers, including vulnerabilities affecting VMware's vCenter Server product and Microsoft Exchange servers, which have already been exploited by many. There are five vulnerabilities the government warns need immediate attention, in addition to the newest Microsoft Exchange Server updates made available in mid-April. These five are: CVE-2018-13379 (Fortinet FortiGate VPN); CVE-2019-9670 (Synacor Zimbra Collaboration Suite, advisory here); CVE-2019-11510 (Pulse Secure Pulse Connect Secure VPN); CVE-2019-19781 (Citrix Application Delivery Controller and Gateway); CVE-2020-4006 (VMware Workspace ONE Access). A final note: organizations have been slow to apply the available fixes, leaving them massively at risk. Access the full Joint NCSC-CISA-FBI-NSA Cybersecurity Advisory on Russian CyberSecurity here: Advisory: Further TTPs Associated with SVR Cyber Actors The government also released Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise, which it recommends all security personnel familiarize themselves with.
Employees of Bishop Fox, an information security company that performs penetration tests, answered questions from members of the InfoSec Prep Discord server
Daniel Wood (https://www.linkedin.com/in/danielewood/) is the Associate Vice President of Consulting at Bishop Fox (https://www.bishopfox.com/), where he leads all service lines, develops strategic initiatives, and has established the Applied Research and Development program. Daniel has over 15 years of experience in cybersecurity and is a subject matter expert in red teaming, insider threat, and counterintelligence. Daniel was previously the manager of security engineering and technology at Bridgewater Associates, where he shaped the strategic direction of technology for the firm and oversaw technical security assessments of Bridgewater’s international office expansions. Daniel has also served in roles supporting the U.S. government in security architecture, engineering, and offensive operations as a Security Engineer and Red Team Leader. He supported the U.S. Special Operations Command (USSOCOM) on red teaming and digital warfare operations, and the U.S. Army on the Wargaming Cyber Effects on Soldiers’ Decision-Making project. In this episode, we discuss adapting to COVID-19, focusing on red teaming, cloud security architecture, responsible vulnerability disclosure, ICS security, compliance versus security, his work with the US military and cybersecurity, diversity in information security, and so much more! Where you can find Daniel: LinkedIn (https://www.linkedin.com/in/danielewood/) Bishop Fox Blog (https://labs.bishopfox.com/industry-blog)
We love Amazon. Torrente survives. 30 reais for a bauru... Explaining what a bauru is. Cheese gaveta. Cheese porrada. Making up. The blame. Bishop Fox's Tastic RFID Thief. RFeed. Tramandaí sucks. So does the casino. They all suck. Two amateurs talking about time travel. About Time (film). @valvuladopodcasts @theduda_ferreira @sohrenato contato@valvulado.net
This week, we welcome Ankur Chowdhary, Security Consultant at Bishop Fox, to talk about Artificial Intelligence and Machine Learning in Cybersecurity! In our second segment, we welcome John Snyder, CEO of Agnes Intelligence, and Security and Compliance Weekly's New Co-Host, for an Introduction to John Snyder himself! In the Security News, Microsoft fixes critical wormable RCE SigRed in Windows DNS servers, Zoom Addresses Vanity URL Zero-Day, Docker attackers devise clever technique to avoid detection, a massive DDoS Attack Launched Against Cloudflare in Late June, Critical Vulnerabilities Can Be Exploited to Hack Cisco Small Business Routers, and what you need to know about the Twitter Mega Hack! Show Notes: https://wiki.securityweekly.com/psw658 Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
Don’t fear numbers, people. They’re good for you. Security holes in remote control and RMM systems, on the other hand, are less good for you, as Matt, Rich, and guest host Dave Seibert discuss on this week’s show. While they’re at it, they also chew over Kaseya’s forthcoming security vendor acquisitions and IPO, Pulseway’s new patch management upgrade, and the future of Chromebook Enterprise. All of that comes before the truly can’t-miss part of the show: our exclusive interview with Christoph Schell, HP’s chief commercial officer, who shares his thoughts on the company’s new sales organization, what partners can look forward to this year, and (because this is ChannelPro Weekly, after all) The Mandalorian and mustard. Oh, and about that 3 versus 5 thing: Let’s split the difference and say 4. Subscribe to ChannelPro Weekly! Look for us in your favorite podcast app. If you don't see us (yet) then you can subscribe via RSS in almost any podcast app using this link: http://www.channelpronetwork.com/rss/cpw Show Information: Episode #: 131. Title: 3 Versus 5. Duration: 2:11:14. File size: 60.5MB. Regulars: Rich Freeman - Executive Editor, Matt Whitlock - Technology Editor. Guest Host: Dave Seibert. Video of ChannelPro Weekly #131 - 3 Versus 5 Topics and Related Links Mentioned: Information about guest host Dave Seibert: www.daveseibert.com and www.smbtechfest.com Huntress Labs on the ConnectWise Control vulnerabilities reported by Bishop Fox Kaseya Has Automation, Security, and an IPO in Store for 2020 Pulseway Rolls Out Patch Management for Custom and Niche Applications Chromebook Enterprise: Breakthrough or Bust? Matt's Museum Pick: Presto Printing Mailbox Matt's Tech Pick: HP Tango X Rich's ICYMI plug and quickie preview of the week ahead
How does your company think about security? Have you adopted basic security hygiene practices like running off-the-shelf software to scan your code for vulnerabilities, or have you moved beyond that and begun to explore bug bounties and penetration testing? In this episode, Jon Prial talks with Christie Terrill, a partner at the security consulting firm Bishop Fox and a widely recognized expert on cyber security. Get expert advice on how your company should approach security so that it doesn't wind up making headlines for getting breached. You'll hear about: - The two approaches to security - Security hygiene best practices - The evolution of bug bounties and penetration testing and their respective pros and cons - Social engineering as an attack service - How to attract and retain women in cyber security Show notes: http://bit.ly/IP-Episode69 More episodes | Subscribe: http://bit.ly/TheImpactPodcast
Andrew Wilson (@azwilsong) , a friend and partner at Bishop Fox joins Seth and Ken to discuss OWASP, running a consultancy, organizing CactusCon, and training new AppSec resources.
This week an old friend, Vinnie Liu of Bishop Fox, joins Raf and James to talk about the history of App Sec. We started trying to test ourselves secure, and we continue to come back to it - so this episode is a walk down memory lane and a glimpse into the future of application security. Don't forget to like us on iTunes and share with your colleagues! Guest Vinnie Liu ( @VinnieLiu ) - Vincent Liu (CISSP) is a Partner at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. With nearly two decades of experience, Vincent is an expert in security strategy, red teaming, and product security; and at Bishop Fox, he oversees firm strategy and client relationships.
The O’Reilly Security Podcast: Aligning security objectives with business objectives, and how to approach evaluation and development of a security program. In this episode of the Security Podcast, I talk with Christie Terrill, partner at Bishop Fox. We discuss the importance of educating businesses on the complexities of “being secure,” how to approach building a strong security program, and aligning security goals with the larger processes and goals of the business. Here are some highlights:
Educating businesses on the complexities of “being secure”
This is a challenge that any CISO or director of security faces, whether they're new to an organization or building out an existing team. Building a security program is not just about the technology and the technical threats. It's how you're going to execute—finding the right people, having the right skill sets on the team, integrating efficiently with the other teams and the organization, and of course the technical aspects. There are a lot of things that have to come together, and one of the challenges about security is that companies like to look at security as its own little bubble. They’ll say, ‘we'll invest in security, we'll find people who are experts in security.’ But once you're in that bubble, you realize there's such a broad range of experience and expertise needed for so many different roles, that it's not just one size fits all. You can't use the word ‘security’ so simplistically. So, it can be challenging to educate businesses on everything that's involved when they just say a sentence like, ‘We want to be secure or more secure.’
Security can’t (and shouldn’t) interrupt the progress of other teams
The biggest constraint for implementing a better security program for most companies is finding a way to have security co-exist with other teams and processes within the organization. Security can’t interrupt the mission of the company or stop the progress and projects other IT teams already have in progress. You can’t just halt everything because security teams are coming in with their own agendas. Realistically, you have to rely on other teams and be able to work with them to make sure the security team can make progress either without them or alongside them. Being able to work collaboratively and to support the teams with your security goals is absolutely critical. Typically, teams have their own projects and agendas, and if you can explain how security will actually help those in the end, they want to participate in your work as well, but it's also integrated. You have to rely on each other.
How to approach security program strategy and planning
The assessment of a security program usually starts with a common triad of people, process, and technology. On the people side, there’s reevaluating the organizational structure: how many people should there be? What titles should they have? What should the reporting structure be? What should security take on itself versus what responsibility should we ask IT to do or let them keep doing? Then, for processes, there can be a lot of pain points. When we develop processes, including the foundational security practices, we start with the ones that would solve immediate problems to show value and illustrate what a process can achieve. A process is not just a piece of paper or a checklist intended to make people's lives more difficult; a process should actually help people understand where something is in the flow, and when something will get done. So, defining processes is really important to win over the business and the IT teams. Then finally on the technology side, we try to emphasize that you should first evaluate the tools you already have. There may be nothing wrong with them. Look at how they're being used and if they're being optimized. Because the investment, not just the upfront investment in security technology but the cost to replace it, perhaps the consulting cost or churn cost of having to rip and replace, can be very high and can derail some of your other progress. To start, you should make sure you’re using every tool to its fullest capacity and fullest advantage before going down the path of considering buying new products.
The O’Reilly Security Podcast: Aligning security objectives with business objectives, and how to approach evaluation and development of a security program.

In this episode of the Security Podcast, I talk with Christie Terrill, partner at Bishop Fox. We discuss the importance of educating businesses on the complexities of “being secure,” how to approach building a strong security program, and aligning security goals with the larger processes and goals of the business.

Here are some highlights:

Educating businesses on the complexities of “being secure”

This is a challenge that any CISO or director of security faces, whether they're new to an organization or building out an existing team. Building a security program is not just about the technology and the technical threats. It's how you're going to execute—finding the right people, having the right skill sets on the team, integrating efficiently with the other teams and the organization, and of course the technical aspects. There are a lot of things that have to come together, and one of the challenges about security is that companies like to look at security as its own little bubble. They’ll say, ‘we'll invest in security, we'll find people who are experts in security.’ But once you're in that bubble, you realize there's such a broad range of experience and expertise needed for so many different roles that it's not just one size fits all. You can't use the word ‘security’ so simplistically. So, it can be challenging to educate businesses on everything that's involved when they just say a sentence like, ‘We want to be secure or more secure.’

Security can’t (and shouldn’t) interrupt the progress of other teams

The biggest constraint for implementing a better security program for most companies is finding a way to have security co-exist with other teams and processes within the organization. Security can’t interrupt the mission of the company or stop the progress and projects other IT teams already have in progress. You can’t just halt everything because security teams are coming in with their own agendas. Realistically, you have to rely on other teams and be able to work with them to make sure the security team can make progress either without them or alongside them. Being able to work collaboratively and to support the teams with your security goals is absolutely critical. Typically, teams have their own projects and agendas, and if you can explain how security will actually help those in the end—they want to participate in your work as well, but it's also integrated. You have to rely on each other.

How to approach security program strategy and planning

The assessment of a security program usually starts with a common triad of people, process, and technology. On the people side, there’s reevaluating the organizational structure—how many people should there be? What titles should they have? What should the reporting structure be? What should security take on itself versus what responsibility should we ask IT to do or let them keep doing? Then, for processes, there can be a lot of pain points. When we develop processes, including the foundational security practices, we start with the ones that would solve immediate problems to show value and illustrate what a process can achieve. A process is not just a piece of paper or a checklist intended to make people's lives more difficult—a process should actually help people understand where something is at in the flow, and when something will get done. So, defining processes is really important to win over the business and the IT teams. Then finally on the technology side, we try to emphasize that you should first evaluate the tools you already have. There may be nothing wrong with them. Look at how they're being used and if they're being optimized. Because investing, not just the upfront investment in security technology but the cost to replace that, perhaps consulting cost or churn cost of having to rip and replace, can be very high and can derail some of your other progress. To start, you should make sure you’re using every tool to its fullest capacity and fullest advantage before going down the path of considering buying new products.
RFIDiggity: Pentester Guide to Hacking HF/NFC and UHF RFID
Francis Brown, Partner, Bishop Fox
Shubham Shah, Security Analyst, Bishop Fox

Have you ever attended an RFID hacking presentation and walked away with more questions than answers? This talk will finally provide practical guidance for penetration testers on hacking High Frequency (HF, 13.56 MHz) and Ultra-High Frequency (UHF, 840-960 MHz) RFID systems. This includes Near Field Communication (NFC), which also operates at 13.56 MHz and can be found in things like mobile payment technologies, e.g., Apple Pay and Google Wallet. We'll also be releasing a slew of new and free RFID hacking tools using Arduino microcontrollers, Raspberry Pis, phone/tablet apps, and even 3D printing.

This presentation will NOT weigh you down with theoretical details or discussions of radio frequencies and modulation schemes. It WILL serve as a practical guide for penetration testers to better understand the attack tools and techniques available to them for stealing and using RFID tag information, specifically for HF and UHF systems. We will showcase the best-of-breed in hardware and software that you'll need to build an RFID penetration toolkit. Our goal is to eliminate pervasive myths and accurately illustrate RFID risks via live attack DEMOS:

High Frequency / NFC attack demos:
- HF physical access control systems (e.g., the iCLASS and MIFARE DESFire “contactless smart card” product families)
- Credit cards, public transit cards, passports (book), mobile payment systems (e.g., Apple Pay, Google Wallet), NFC loyalty cards (e.g., MyCoke Rewards), new hotel room keys, smart home door locks, and more

Ultra-High Frequency attack demos:
- Ski passes, enhanced driver's licenses, passports (card), U.S. Permanent Resident Card (“green card”), trusted traveler cards

Schematics and Arduino code will be released, and 100 lucky audience members will receive one of a handful of new flavors of our Tastic RFID Thief custom PCB, which they can insert into almost any commercial RFID reader to steal badge info or use as a MITM backdoor device capable of card replay attacks. New versions include extended control capabilities via Arduino add-on modules such as Bluetooth Low Energy (BLE) and GSM/GPRS (SMS messaging) modules. This DEMO-rich presentation will benefit both newcomers to RFID penetration testing as well as seasoned professionals.

Francis Brown, CISA, CISSP, MCSE, is a Managing Partner at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Francis served as an IT Security Specialist with the Global Risk Assessment team of Honeywell International, where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with the Ernst & Young Advanced Security Centers and conducted network, application, wireless, and remote access penetration tests for Fortune 500 clients. Francis has presented his research at leading conferences such as Black Hat USA, DEF CON, RSA, InfoSec World, ToorCon, and HackCon and has been cited in numerous industry and academic publications. Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology. While at Penn, Francis taught operating system implementation and C programming, and participated in DARPA-funded research into advanced intrusion prevention system techniques.
Shubham Shah is a Security Analyst at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. Shubham's primary areas of expertise are application security assessment, source code review, and mobile application security. Shubham is a former bug bounty hunter who has submitted medium- and high-risk bugs to the bug bounty programs of large corporations such as PayPal, Facebook, and Microsoft. He regularly conducts web application security research and frequently contributes to the security of open-source projects. He has presented at Ruxcon and is known in Australia for his identification of high-profile vulnerabilities in the infrastructures of major mobile telecommunication companies. Prior to joining Bishop Fox, Shubham worked at EY, where he performed web application security assessments and application penetration tests. Additionally, Shubham has been a contractor for companies such as Atlassian, conducting external web application security penetration tests. Shubham also develops and maintains open-source projects such as Websec Weekly that assist the web application security industry.

Twitter: @bishopfox
Facebook: https://www.facebook.com/BishopFoxConsulting
LinkedIn: https://www.linkedin.com/company/bishop-fox
Hacking Smart Safes: On the "Brink" of a Robbery
Dan “AltF4” Petro, Security Associate, Bishop Fox
Oscar Salazar, Senior Security Associate, Bishop Fox

Have you ever wanted to crack open a safe full of cash with nothing but a USB stick? Now you can! The Brink’s CompuSafe cash management product line provides a “smart safe as a service” solution to major retailers and fast food franchises. They offer end-to-end management of your cash, transporting it safely from your storefront safe to your bank via armored car.

During this talk, we’ll uncover a major flaw in the Brink’s CompuSafe and demonstrate how to crack one open in seconds flat. All you need is a USB stick and a large bag to hold all of the cash. We’ll discuss how to remotely take over the safe with full administrator privileges, and show how to enumerate a target list of other major Brink’s CompuSafe customers (exposed via configuration files stored right on the safe). At any given time, up to $240,000 can be sitting in each of the 14,000 Brink’s CompuSafe smart safes currently deployed across the United States, potentially billions of dollars just waiting to be stolen. So come ready to engage us as we explore these tools and more in this DEMO-rich presentation. And don’t forget to call Kenny Loggins… because this presentation is your highway to the Danger Zone…

Note: This presentation is about exposing flaws in the Brink’s CompuSafe to improve security and allow pentesters to demonstrate these flaws to their customers. Please use this information responsibly.

Dan Petro is a Security Associate at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing and secure development. Dan has presented at numerous conferences, including DEF CON, Black Hat, HOPE, and BSides, and is the founding member of the Pi Backwards CTF team. Prior to joining Bishop Fox, Dan served as Lead Software Engineer for a security contracting firm. Dan holds a Bachelor of Science from Arizona State University with a major in Computer Science, as well as a Master’s Degree in Computer Science from Arizona State University.

Oscar Salazar is a Senior Security Associate at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing, source code review, and secure software design. Oscar has presented at RSA, BSides, and Adobe’s annual private Security Summit conference. Prior to joining Bishop Fox, Oscar served as a web security research engineer at Hewlett-Packard’s Application Security Center, where he designed and developed security checks for the WebInspect web application security scanner. In addition, his research involved developing more effective methods of scanning Web 2.0 applications. Oscar holds a Bachelor of Science from the Georgia Institute of Technology with a major in Computer Science and a focus on Networking and Security.