In this episode, Javvad gives his report on Black Hat Europe and tells of his upcoming trip to BSides London, a story about scammers scamming each other out of millions of dollars, and an interesting Android malware that parasitizes legitimate apps. All this and more!
Grant Ongers is co-founder of the bearded trio called Secure Delivery, with a philosophy and purpose for optimal delivery and security in one dynamic package. Grant's experience spans Dev, Ops, and Security, with over 30 years pushing the limits of (Info)Sec. Grant’s community involvement is global: Staff at BSides (London, Las Vegas, and Cape Town), [...] The post Grant Ongers — Gamification of threat modeling appeared first on Security Journey Podcasts.
It was a bright, cold day in June, and the clocks were striking thirty past nine in the morning. On this last day on the Olympia show floor in London, after a few unsuccessful attempts, Sean and I were finally able to say hi, sit down, and have a good ole chat with Troy Hunt while we sipped on a cup of hot coffee. Yes, a podcast with Mr. Troy Hunt! Australian, security researcher, software developer, founder of Have I Been Pwned, blogger, public speaker, keynote and overall 'very busy guy.' Especially this week in London, where the opportunities to talk CyberSecurity are plenty: Infosecurity Europe, Bsides London, and the many satellite events taking place around the main event such as cybersecurity Rants, company events, and even some industry awards. We actually met Troy on the first day of our adventures at one of those extracurricular industry events where he won a top bloggers award (and we did not). It indeed was one of those De Coubertin situations where the most important thing for us was not to win but to take part; it sure was great to be nominated and be there with everyone to celebrate our global community. But let's get back to the podcast. As an Australian that travels the world speaking at all sorts of conferences and winning European awards for his contributions to the InfoSec community, the first part of the conversation was naturally dedicated to discussing and appreciating the concept of cybersecurity as a global phenomenon which allows for dialogue to happen between and within InfoSec communities without any geographic boundaries. Clearly, the exchange of information is a strong driving force for the future of this industry and society. On this topic, being in Europe, Sean and I took the opportunity to carry on our mission to explore the different ways that cybersecurity is perceived, promoted, and practiced in different parts of the world. 
We invited Troy to share his point of view on the subject, and we found ourselves talking about the perception of privacy and its consequent regulations and application in Europe vs. the USA. Troy rightfully suggests that one of the key differences is the attribution of ownership of private data and retention. By the way, do companies really need data from 19 years ago - especially sensitive data? Do they just see those — any data actually — as an asset that increases the value of their users' "experience" and never consider the fact that they could quickly become a liability? Have I Been Pwned? Have you? I am sure you have asked yourself this question, utilized this service, or at least heard about it. How could we have a conversation with Troy and not ask him about his creation and how he sees society leveraging such a unique and valuable service? Interestingly enough, it was built as an experiment that has become exceptionally popular, truly appreciated, and used in the most diverse of individual, commercial, and even public sector case studies all over the world. ___________________ We'd like to thank our conference coverage sponsors for their support. Visit their directory pages on ITSPmagazine. Bugcrowd: https://www.itspmagazine.com/company-directory/bugcrowd CyberCyte: https://www.itspmagazine.com/company-directory/cybercyte Devo: https://www.itspmagazine.com/company-directory/devo Nintex: https://www.itspmagazine.com/company-directory/nintex STEALTHbits: https://www.itspmagazine.com/company-directory/stealthbits ________ Want more from InfoSec Europe in London? https://www.itspmagazine.com/infosec-europe-2019-event-coverage-london-uk-cybersecurity-news-coverage-and-podcasts
European Blogger Awards; BSides London; Infosecurity EU and Hall of Fame; Wespac PayID; ANU Data Breach; Scott’s Mystery Cert; Varonis Sponsoring https://www.troyhunt.com/weekly-update-142/
Thomas has been organising BSides London since 2013. Jenny asks the veteran what he hopes people get from the conference, how he deals with everything that needs doing, and whether he has any advice for the BSides Liverpool team. For the Calls for Papers, Calls for Workshops, Calls for Rookies and Calls for Mentors visit the front page of the BSides London website! To follow what we are doing and get the latest news try Twitter, where we are @BsidesLivrpool, and our website.
This week's podcast finds Chet and John both enjoying some well deserved time in their respective homes. Topics include an overview of InfoSec Europe and BSides London, the dangers of not providing password management tools, how small mistakes lead to bigger vulnerabilities, the state of cryptojacking and the latest FBI cybercrime bust.
Get some in-depth information on GDPR from Thomas Fischer, a Global Security Advocate at Digital Guardian and Director of BSides London! Full Show Notes: https://wiki.securityweekly.com/ES_Episode54 Visit http://securityweekly.com/esw for all the latest episodes!
Welcome to Episode 07 of the DG Podcast! We were fortunate to have Duo Principal Security Strategist Wendy Nather take a break from the hustle and bustle of InfoSec 2017 and BSides London to join Thomas Fischer and Tim Bandos for an episode focused on the evolving disciplines of authentication and identity management.
Our very own Ms. Berlin and Mr. Lee Brotherston (@synackpse), veteran of the show, co-authored an O'Reilly book called the "Defensive Security Handbook". We talk with Amanda and Lee (or Lee and Amanda :D ) about why they wrote the book, how people should use the book, and how you can maximize your company's resources to protect you. The best thing is that you can pick up the ebook right now! It's available for pre-order on Safari Books, or pre-order on Amazon.com. Hope you enjoy! Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-010-Defensive_Security_handbook.mp3 Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw Itunes: (look for '2017-010') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 Previous Lee Brotherston episodes: Threat Modeling w/ Lee Brotherston; Is your ISP MiTM-ing you; Lee fills in for Mr. Boettcher, along with Jarrod Frates; TLS fingerprinting application. BSides London is accepting Call for Papers (CFP) starting 14 February 2017, as well as a Call for Workshops. Tickets are sold out currently, but there will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/ CFP closes 27 March 2017 ------ HITB announcement: “Tickets are on sale, and entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks Sebastian Paul Avarvarei and all the organizers of Hack In The Box (HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/ --------- Join our Slack Channel!
Sign up at https://brakesec.signup.team #RSS: http://www.brakeingsecurity.com/rss #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
Wikileaks published a cache of documents and information from what appears to be a wiki from the Central Intelligence Agency (CIA). This week, we discuss the details of the leak (as of 11 March 2017), and how damaging it is to blue teamers. To help us, we asked Mr. Dave Kennedy (@hackingDave) to sit down with us and discuss what he found, and his opinions of the data that was leaked. Mr. Kennedy is always a great interview, and his insights are now regularly seen on Fox Business News, CNN, and MSNBC. Dave isn't one to rest on his laurels. For many of you, you know him as the co-organizer of DerbyCon, as well as a board member of ISC2. We ask him about initiatives going on with ISC2, and how you, whether or not you're an ISC2 cert holder, can help with various committees and help to improve the certification landscape. We talk about how to get involved. We finish up asking about the latest updates to DerbyCon, as well as the dates of tickets, and we talk about our CTF for a free ticket to DerbyCon. Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-009-dave_kennedy_vault7_isc2_derbycon_update.mp3 Youtube: https://www.youtube.com/watch?v=lqXGGg7-BlM iTunes: https://itunes.apple.com/us/podcast/2017-009-dave-kennedy-talks-abotu-cias-vault7-isc2/id799131292?i=1000382638971&mt=2 BSides London is accepting Call for Papers (CFP) starting 14 February 2017, as well as a Call for Workshops. Tickets are sold out currently, but there will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/ CFP closes 27 March 2017 ------ HITB announcement: “Tickets are on sale, and entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks Sebastian Paul Avarvarei and all the organizers of Hack In The Box (HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017.
Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/
--show notes--
- http://www.bbc.com/news/world-us-canada-10758578
- WL: "CIA 'hoarded' vulnerabilities or 'cyber-weapons'"
  - Should they not have tools that allow them to infiltrate systems of 'bad' people?
  - Promises to share information with manufacturers
  - BrBr: Manufacturers and devs are the reason the CIA has 'cyber-weapons' (shit code, poor software design/architecture). Security wonks aren't without blame here either.
- http://www.bbc.com/news/technology-39218393 - RAND report
  - Report suggested stockpiling is 'good': "On the other hand, publicly disclosing a vulnerability that isn't known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve."
- Encryption does still work, in many cases... as it appears they are having to intercept the data before it makes it into secure messaging systems: http://abcnews.go.com/Technology/wireStory/cia-wikileaks-dump-tells-us-encryption-works-46045668
- (Somewhat relevant? Not sure if you want to touch on https://twitter.com/bradheath/status/837846963471122432/photo/1)
- Wikileaks - more harm than good? Guess that depends on what side you're on. What side is Assange on? (his own side?)
- Media creates FUD because they don't understand
  - "Secure messaging apps busted" (FUD inferred by WL). In fact, data is circumvented before encryption is applied.
- Some of the docs make you wonder about the need for 'over-classification'
- Vulnerabilities uncovered
  - Samsung Smart TVs "Fake-Off"
  - Tools to exfil data off of iDevices (BrBr: Cellebrite has sold that for years to the FBI; CIA appears to only have up to iOS 9, according to docs released)
  - Car hacking tech
  - Sandbox detection (notices mouse clicks or the lack of them). Reported by eEye: https://wikileaks.org/ciav7p1/cms/page_2621847.html
  - Technique: Process Hollowing: https://wikileaks.org/ciav7p1/cms/page_3375167.html - not new: https://attack.mitre.org/wiki/Technique/T1093
- **anything Mr. Kennedy feels is important to mention**
- What can blue teamers do to protect themselves?
  - Take an accounting of 'smart devices' in your workplace
  - Educate users on not bringing smart devices to work, and at home if they are remote (Alexa)
  - Restrict smart devices in sensitive areas: SCIFs, conference rooms, even in 'open workplace' areas
  - Segment possibly affected systems from the internet
  - Keep proper inventories of software used in your environment
  - Modify IR exercises to allow for this type of scenario?
  - Reduce 'smart' devices: grab that drill and modify the TV in the conference room; cover the cameras on TVs. Is that too paranoid?
  - Don't set up networking on smart devices or use cloud services on 'smart' devices
  - Remind devs that unpatched or crap code can become the next 'cyber-weapon' ;)
If you were under a rock, you didn't hear about the outage that Amazon Web Services (AWS) suffered at the hands of sophisticated, nation-state... wah? "an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended." Well... okay, so for companies that do regular IR tests and have a good majority of their assets and production in cloud-based services, is it time to discuss having the 'extreme' scenario of 'What do we do when [AWS|Azure|Google Compute] goes down?' We also discuss an article about developers who want to get rid of the whiteboard interview... is it as discriminatory as they suggest, or is it just devs who aren't confident or are lacking skills trying to get hired? (see show notes below for links) Finally, we talk about Ms. Berlin's talk she will be giving at AIDE on 6-7 April. It's gonna be a "hands-on" talk. What do we mean? Listen to our show and find out. AIDE - https://appyide.org/events/ $60 more info: https://appyide.org/1313-2/ Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-008-AWS_S3_outage-IR_scenarios_white-board-interviews.mp3 BSides London is accepting Call for Papers (CFP) starting 14 February 2017, as well as a Call for Workshops. Tickets are sold out currently, but there will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/ CFP closes 27 March 2017 ------ HITB announcement: “Tickets are on sale, and entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks Sebastian Paul Avarvarei and all the organizers of Hack In The Box (HITB) for this opportunity! You can follow them on Twitter @HITBSecConf.
Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/
---show notes---
- AWS S3 outage (hopefully more information by the end of the week)
  - Massive outages - many sites down; IoT devices borked
  - https://techcrunch.com/2017/02/28/amazon-aws-s3-outage-is-breaking-things-for-a-lot-of-websites-and-apps/
  - https://www.wired.com/2017/02/happens-one-site-hosts-entire-internet/
  - TL;DR of the S3 outage: "an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended."
  - Brian: water sprinkler story...
  - Do we put too much stock in Amazon?
  - Email story time: recent IR exercise, mostly AWS shop; "If we suspend reality" drinking game; World War Z, "the 10th man"
  - Not the first time AWS was involved in an outage: http://www.datacenterdynamics.com/content-tracks/security-risk/major-ddos-attack-on-dyn-disrupts-aws-twitter-spotify-and-more/97176.fullarticle
  - Realistic IR exercises need to examine the 'ultimate' bad, even if you're in 'suspend reality' mode
- Whiteboard interviews
  - https://theoutline.com/post/1166/programmers-are-confessing-their-coding-sins-to-protest-a-broken-job-interview-process
  - http://blog.interviewing.io/you-cant-fix-diversity-in-tech-without-fixing-the-technical-interview/
  - No problem with copy/paste, hunting up functions, etc. The problem comes with failure to understand the code you're using, and the integration of that code therein
  - Programming Interviews Exposed
- LOVED this idea: https://letsjusthackshit.org/platypuscon2016.html "In the spirit of what brought this community together, we're aiming to build a super hands-on event: that is, instead of a series of talks while you plan on missing to catch up with your friends at the cafe down the road, we're putting together a full day of hands-on workshops where you can get your hands dirty and we can all help each other learn something new."
- Patreon - just pop a dollar
- CTF Club - Tuesdays 9am Pacific / 6pm Pacific
- Book club - Defensive Security Handbook - starting 15 March
Rory (@raesene) gave a talk over the summer at BSides London 2016 on the myths of Docker. Docker is a technology being used by more and more development teams. We're even starting to see security tools run on Docker, such as OWASP ZAP. With more teams using Docker we need to have an understanding of how to secure it.
Bryan had the pleasure of attending his 3rd BSides Seattle a few weeks ago. Lots of great speakers, great discussion. We have 3 interviews here this week: Justin Case (@jcase) discusses some of his talk about hacking the Google Pixel, an HTC-produced phone. We discuss why Android gets the 'insecure' moniker from the media, and whether it's warranted or not. Next, Sam Vaughn (@sidechannel_org) talks about setting up the Crypto Village, why he does it, and what you can learn by solving these puzzles. Finally, Matt Domko discusses his experiences with Bro, as well as using Bro for packet analysis and what is needed when analyzing packets... If you are looking for some great content, a BSides is nearby, just look around... Other Twitter handles mentioned on the show: @ben_ra @firewater_devs (both phone hackers) Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-007-bsides_seattle_Feb2017.mp3 BSides London is accepting Call for Papers starting 14 February 2017, as well as a Call for Workshops. You can find out more information at https://www.securitybsides.org.uk/ ---------- HITB announcement: “Tickets are on sale, and entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks Sebastian Paul Avarvarei and all the organizers of Hack In The Box (HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/
Joel Scambray joined us this week to discuss good app design, why it's so difficult, and what can be done to fix it when possible. Joel also co-authored many of the "Hacking Exposed" series of books. We ask him about other books that could come from the well-known series. We also ask about why the infosec person often feels like they need to protect their organization at the expense of their own position (or sanity) and how we as an industry should be not 'in front of the train', but guiding the train to its destination, one of prosperity and security. Conversely, we also discuss why some positions in security are so short-lived, such as the role of CISO. From SC Magazine (https://www.scmagazineuk.com/joel-scambray-joins-ncc-group-as-technical-director/article/634098/): "Security expert and author, Joel Scambray, has joined NCC Group as technical director. He will be based at the Austin, US office. Scambray has more than 20 years of experience in information security. In his new role, he will work with some of the company's biggest clients using his experience in business development, security evangelism and strategic consultancy." Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-006-Joel_scambray-infosec_advice-hacking_exposed.mp3 iTunes (generic link, subscribe for podcast): https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 Brakesec Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw BSides London is accepting Call for Papers starting 14 February 2017, as well as a Call for Workshops. You can find out more information at https://www.securitybsides.org.uk/ ---------- HITB announcement: “Tickets are on sale, and entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks Sebastian Paul Avarvarei and all the organizers of Hack In The Box (HITB) for this opportunity! You can follow them on Twitter @HITBSecConf.
Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/
------- Show Notes: Joel Scambray
- In a bio: "Joel's words of security wisdom: Security is a type of risk management, which is about informing a decision. The security professional's challenge is to bring the most evidence possible to support those decisions, both technical and non."
- Building and maintaining a security program: which is better, starting with a few quick wins, or having an overarching project to head where you want to go?
- Starting companies (buyouts / stock options / lessons learned)
- Hacking Exposed: Will you stop at '7'? Will there be a "Hacking Exposed: IoT"? Medical devices?
- What leadership style works best for you?
- Things we couldn't cover due to time:
  - Security shift from network layer to app layer (software defined networking, for example)
  - How to set policies to keep your devs from running amok
Mick Douglas is always great to have on. A consummate professional and blue team advocate for years now, he teaches SANS courses designed to help defenders against the forces of the red team, pentesters, and even bad actors. But this week, we have a different Mr. Douglas. This week, he's here to talk about sales tactics, neuro-linguistic programming, leading the question, and other social engineering techniques that salespeople will use to get you to buy what your company maybe doesn't need, but thinks it does. We have some good times discussing ways to ensure the buying of your new shiny box at work goes more smoothly, what you should look out for, and ways to tell if they are over-selling and under-delivering. Also, Mick has been working on a project near and dear to his heart. After discussing with @carnal0wnage a year or so back, he's fleshed out a spreadsheet that tracks attack vectors and, depending on what controls are in your environment, can show you how effective a particular attack would be against your environment. This would be a great asset to blue teams who might want to shore up defenses, especially if they are vulnerable in a particular area. Mr. Douglas is looking for comments, suggestions, and additions to his spreadsheet, and you can even download a copy of the Google Doc to try in your own environment, free of charge.
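The attack-versus-controls worksheet idea described above, as an added example that is not Mick's spreadsheet or any data from it: a small Python model in which each attack step lists the controls that blunt it, with a weight for how much of the attack each control stops. The attack names, control names and weights are assumptions made up for illustration. Given the set of controls actually deployed, it computes the residual exposure per attack, lists the gaps, and ranks which single missing control would buy the largest reduction, which is the figure to have in hand before a vendor tells you what you need.

```python
# Attack-versus-controls coverage model. Added example for this page; it is not
# Mick Douglas's spreadsheet, and the technique names, control names and weights
# below are illustrative assumptions, not data from the show.

# Each attack step lists the controls that blunt it and an assumed weight in
# [0, 1]: the fraction of attempts that control stops when it is deployed.
ATTACKS = {
    "phishing_macro_document": {
        "mail_attachment_filtering": 0.6,
        "macro_blocking": 0.8,
        "user_awareness_training": 0.3,
    },
    "credential_dumping": {
        "credential_guard": 0.7,
        "edr": 0.6,
        "local_admin_restriction": 0.5,
    },
    "lateral_movement_psexec": {
        "host_firewall": 0.5,
        "local_admin_restriction": 0.6,
        "network_segmentation": 0.7,
    },
    "dns_tunnel_exfiltration": {
        "dns_monitoring": 0.6,
        "egress_filtering": 0.5,
    },
    "process_hollowing": {
        "edr": 0.6,
        "application_whitelisting": 0.4,
    },
}


def all_controls():
    """Every control named anywhere in the catalogue."""
    return {c for controls in ATTACKS.values() for c in controls}


def residual(attack, present):
    """Probability the attack still succeeds given the deployed controls.
    Layers are treated as independent, so residual is the product of
    (1 - weight) over the controls that are present; absent controls
    contribute nothing, and an attack with no deployed control scores 1.0."""
    r = 1.0
    for control, weight in ATTACKS[attack].items():
        if control in present:
            r *= 1.0 - weight
    return r


def exposure_report(present):
    """Attacks ranked worst-first by residual exposure: the gaps to shore up."""
    return sorted(((residual(a, present), a) for a in ATTACKS), reverse=True)


def missing_controls(attack, present):
    """Controls for this attack that are not deployed, strongest first."""
    return sorted(((w, c) for c, w in ATTACKS[attack].items() if c not in present),
                  reverse=True)


def best_next_control(present):
    """The single undeployed control that most reduces summed residual exposure
    across the whole catalogue, returned as (gain, control), or None when every
    control is already deployed. Ties resolve to the alphabetically first name."""
    present = set(present)
    baseline = sum(residual(a, present) for a in ATTACKS)
    best = None
    for control in sorted(all_controls() - present):
        gain = baseline - sum(residual(a, present | {control}) for a in ATTACKS)
        if best is None or gain > best[0]:
            best = (gain, control)
    return best


if __name__ == "__main__":
    # Constructed sample environment: an EDR agent, a host firewall and an
    # awareness programme, and nothing else.
    deployed = {"edr", "host_firewall", "user_awareness_training"}
    for score, attack in exposure_report(deployed):
        gaps = ", ".join(f"{c} (+{w:.1f})" for w, c in missing_controls(attack, deployed))
        print(f"{attack:28s} residual={score:.2f}  missing: {gaps or 'none'}")
    gain, control = best_next_control(deployed)
    print(f"best next control: {control} (reduces summed exposure by {gain:.2f})")
```

The independent-layers assumption is deliberately simple; the point of the exercise is the shape of the question, not the decimals. When a salesperson pitches a product, map it onto the controls it actually provides, rerun best_next_control, and see whether it moves the number for the attacks you are weakest against.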
Book mentioned in the show (non-sponsored link): https://www.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X Mick's document: https://docs.google.com/spreadsheets/d/1pI-FI1QITaIjuBsN30au1ssbJAZawPA0BYy8lp6_jV8/edit#gid=0 Mick refers to the MITRE ATT&CK matrix in the show; here's our show discussing it: http://traffic.libsyn.com/brakeingsecurity/2015-051-ATTACK_Matrix.mp3 https://attack.mitre.org/wiki/ATT%26CK_Matrix Mick's last appearances on BrakeSec: http://traffic.libsyn.com/brakeingsecurity/2015-024-Mick_Douglas.mp3 http://traffic.libsyn.com/brakeingsecurity/2015-025-Mick_douglas_part2.mp3 http://traffic.libsyn.com/brakeingsecurity/2015-032-Jarrod_and_Mick_DFIR.mp3 http://traffic.libsyn.com/brakeingsecurity/2016-026-exfiltration_techniques-redteaming_vs_pentesting-and-gaining_persistence.mp3 Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-005-mick_douglas-attack_defense_worksheet.mp3 iTunes: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 YouTube: https://www.youtube.com/watch?v=A3K-2yneKU4 BSides London is accepting Call for Papers starting 14 February 2017, as well as a Call for Workshops. You can find out more information at https://www.securitybsides.org.uk/ ---------- HITB announcement: “Tickets are on sale, and entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks Sebastian Paul Avarvarei and all the organizers of Hack In The Box (HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/
Episode 0x3A We Can Do Better
Before we get too far into things this week, I want to draw special attention to Rich Mogull's $500 Cloud Security Screwup posting. Truly awe inspiring and an example of Doing Infosec Right - admitting that you screwed up and getting on with the solution rather than the very common response which would include hiding what happened and hoping no one finds out that it was you who were the screwup. We should all act more like this. Moving along...
Upcoming this week... Lots of News, Breaches, SCADA / Cyber, cyber... etc., finishing it off with DERPs/Mailbag (or Deep Dive). And there are weekly Briefs - no arguing or discussion allowed. And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.
DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.
ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own that they don't need to speak for anyone except themselves. Ok? Good.
In this episode:
News and Commentary
- Five Product Security Questions Nobody At CES Wants You To Ask. Because, you know, internets.
- Mandiant gets bought by FireEye
- Infographic: New ISO 27001:2013 - What Has Changed?
- Find security flaw, go to jail?
Breaches
- Former TIAA-CREF Worker Gets 6 Years for Selling IDs
- OpenSSL Defacement - Not a Hypervisor Thing
- Riverside Health System 4-year-long HIPAA Breach
- Thank Goodness for the NSA! - a fable
- Yahoo infects people with Malware and makes the bitcoin
SCADA / Cyber, cyber... etc
- Several European manufacturers spawn NSA-proof Android "cryptophones"
- NSA denials
DERP
- UK 'Porn Filter' Blocks Legitimate File-Sharing Services
Mailbag
- We receive some of the most batcrap crazy emails here at LSD. What's the right response to people who don't just have a tinfoil hat, but are opting for the full ensemble?
- Dear Mailbag: I'm thinking about not speaking at RSA because of the NSAs, what do you think?
Hugs
- Mikko H. (not the other Mikko guy)
Briefly -- NO ARGUING OR DISCUSSION ALLOWED
- Crypto Hardening guide for Sysadmins
- Penetration Testing Lab Contents Mindmap
- sigcheck now with VirusTotal
- Wordpress plugin exploit data
- Skipfish Scanner Used In Financial Sector Attacks
Liquidmatrix Staff Projects -- gratuitous self-promotion
- The Security Conference Library
- Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time.
- If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca
Upcoming Appearances: -- more gratuitous self-promotion
- Dave: Shmoocon, SOURCE, Infosec EU, BSides London, HITB EU, Secure360, FIRST...
- James: At Shmoocon (with a cool surprise), then RSA (sad trombone)
- Ben: N/A
- Matt: behind the beard
- Wil: Gave up, is a car dealer now
- Other LSD Writers: huh?
Advertising - pay the bills...
Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee! Or do the math and figure out if 5% off a course would be a better deal with "Liquidmatrix_5"
Closing Thoughts
Seacrest Says: My Voice Is My Passport, Verify Me
Creative Commons license: BY-NC-SA
SecuraBit Episode 79: Back to the basics with Marcus Carey!
April 6, 2011

Hosts:
Christopher Mills – @thechrisam
Jason Mueller – @securabit_jay
Tony Huffman – @myne_us

Guests:
Marcus J Carey – @iFail
http://hackersforcharity.org/

General topics:

NEWS:

Epsilon:
http://www.pcworld.com/businesscenter/article/224192/epsilon_data_breach_expect_a_surge_in_spear_phishing_attacks.html
http://www.eweek.com/c/a/Security/Epsilon-Data-Breach-Highlights-Cloud-Computing-Security-Concerns-637161/
http://threatpost.com/en_us/blogs/list-companies-hit-epsilon-breach-040511
https://threatpost.com/en_us/blogs/epsilon-data-breach-expands-include-capital-one-disney-others-040411
http://www.epsilon.com/News%20&%20Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3
"On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway," the statement said.

LizaMoon:
http://threatpost.com/en_us/blogs/counterspin-lizamoon-web-attacks-no-big-deal-040511
In a post on Cisco's security blog, senior security researcher Mary Landesman said that data from the company's ScanSafe Web security infrastructure suggests that just over 1,000 Web domains have been compromised using the SQL injection attack, not the 500,000 to 1.5 million cited in published reports.
https://threatpost.com/en_us/blogs/widespread-lizamoon-web-attacks-push-rogue-antivirus-040111
"Websense researchers wrote on Thursday that a Google search for Web sites hosting the malicious URLs identified over 1.5 million Web sites hosting the code."

Pandora.com data leak:
http://threatpost.com/en_us/blogs/pandora-mobile-app-transmits-gobs-personal-data-040611?utm_source=Home+Page&utm_medium=Top+Graphic+Bar&utm_campaign=Position+3
"The data included both the owner's GPS location and tidbits like the owner's gender, birthday and postal code information. There was evidence that the app attempted to provide continuous location monitoring - which would tell advertisers not just where the user accessed the application from, but also allow them to track that user's movement over time."

RSA attack:
http://threatpost.com/en_us/blogs/rsa-securid-attack-was-phishing-excel-spreadsheet-040111
"The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn't consider these users particularly high profile or high value targets. The email subject line read '2011 Recruitment Plan'," Uri Rivner, head of new technologies in the identity protection division of RSA, wrote in a post on the attack.
http://www.nsslabs.com/research/analytical-brief-rsa-breach.html

3/4 of Energy Firms Had a Data Breach over the Last Year:
http://threatpost.com/en_us/blogs/study-three-four-energy-firms-had-data-breach-last-year-040511
Long perceived to be beyond the attention of hackers, energy firms and utilities now report that they are being targeted. In the Ponemon study, 76% of the IT security staff interviewed reported that their organization had experienced "one or more data breaches" in the last 12 months. A similar number - 69% - said they felt a data breach was likely to occur in the next 12 months, Ponemon said.

Comodo, what really happened:
https://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311
http://pastebin.com/uSdKNDN5
"I found out that TrustDll.dll takes care of signing. It was coded in C#. Simply I decompiled it and I found username/password of their GeoTrust and Comodo reseller account."

FBI asks for help on cracking code:
http://www.h-online.com/security/news/item/FBI-asks-for-help-cracking-a-code-in-unsolved-murder-case-1220007.html

Other Stories:
http://www.techdirt.com/articles/20110401/13241213732/exploit-hadopi-site-turns-it-into-pirate-bay-supporter.shtml
http://news.softpedia.com/news/Google-Chrome-to-Block-Malicious-Downloads-193386.shtml

Use our discount code "Connect_SecuraBit" to get $150.00 off of ANY training course. The discount code is good for all SANS courses in all formats.

Upcoming events:
ThotCon (15 Apr 2011)
#BSidesChicago (16 - 17 Apr 2011)
#BSides London (20 Apr 2011)
CEIC Orlando (15 - 18 May 2011)
#BSidesROC Rochester, NY (21 May 2011)
#BSidesDetroit (3 - 4 Jun 2011)
#BSidesStJohns St. John's, NL (10 Jun 2011)
#BSidesCT Meriden, CT (11 Jun 2011)
FIRST Austria (12 - 17 June 2011)
#BSidesVienna (18 June 2011)
Toorcon (18 - 19 June 2011)
#BSidesLasVegas (3 - 4 August 2011)
BlackHat Vegas (3 - 4 August 2011)
DEFCON 19 (4 - 7 August 2011)
#BSidesLA Los Angeles, CA (18 - 19 August 2011)
#BSidesMO (21 Oct 2011)
#BSidesNewDelhi (22 - 23 October 2011)
VB Barcelona (October 2011)

Links:
http://www.securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast - http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available - http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8
Securabit Episode 78: Comodogate and Social Penetration!
March 23, 2011

Hosts:
Anthony Gartner – @anthonygartner http://anthonygartner.com
Chris Gerling – @chrisgerling
Christopher Mills – @thechrisam
Jason Mueller – @securabit_jay
Andrew Borel – @andrew_secbit
Tony Huffman (myne-us) – @myne_us

Guests:
Dave Kennedy – @dave_rel1k
Carlos "Darkoperator" Perez – @Carlos_Perez

General topics:
Rogue SSL certificates ("case comodogate")
http://www.f-secure.com/weblog/archives/00002128.html
PTES - Penetration Testing Execution Standard
http://www.pentest-standard.org/
Social Engineer Toolkit
http://www.social-engineer.org/podcast/
http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)
BackTrack
http://www.backtrack-linux.org/
DerbyCon
http://www.derbycon.com/

Use our discount code "Connect_SecuraBit10" to get 10% off of ANY training course. The discount code is good for all SANS courses in all formats.

Upcoming events:
#BSidesChicago (16 - 17 Apr 2011)
#BSides London (20 Apr 2011)
#BSidesROC Rochester, NY (21 May 2011)
#BSidesDetroit (3 - 4 Jun 2011)
SANS Orlando (March 2011)
CEIC Orlando (April 2011)
FIRST Austria (June 2011)
BlackHat Vegas (August 2011)
VB Barcelona (October 2011)

Links:
http://www.securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast - http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available - http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8
Securabit Episode 77: Return to the Rabbit Hole
March 9, 2011

Hosts:
Anthony Gartner – @anthonygartner http://anthonygartner.com
Chris Gerling – @chrisgerling
Christopher Mills – @thechrisam
Jason Mueller – @securabit_jay
Tony Huffman (myne-us) – @myne_us
Andrew Borel – @andrew_secbit

Guests:
Rafal Los – @wh1t3Rabbit

General topics:
Preview of the upcoming BlackHat EU talk "Defying Logic."
Researchers Build Tool That Roots Out Business Logic Flaws In Web Apps
http://www.darkreading.com/database-security/167901020/security/application-security/229300667/researchers-build-tool-that-roots-out-business-logic-flaws-in-web-apps.html

News:
- Malware on the Android Market (DroidDream). List of infected apps:
http://blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/
- Google nukes 150,000 email accounts by accident
http://gmailblog.blogspot.com/2011/02/gmail-back-soon-for-everyone.html

Use our discount code "Connect_SecuraBit10" to get 10% off of ANY training course. The discount code is good for all SANS courses in all formats.

Upcoming events:
BlackHat Europe 2011 (17 - 18 Mar 2011)
#BSidesChicago (16 - 17 Apr 2011)
#BSides London (20 Apr 2011)
#BSidesROC Rochester, NY (21 May 2011)
#BSidesDetroit (3 - 4 Jun 2011)

Links:
http://securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast - http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available - http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8
SecuraBit Episode 76: E-viting you to your demise!
February 23, 2011

SecuraBit would like to apologize for the audio issues in this episode. We were not able to use the normal recording method due to a complete power failure. Thanks for understanding!

Hosts:
Christopher Mills – @thechrisam
Jason Mueller – @securabit_jay
Tony – @myne_us
Dan Mitchell – @danmitchell
Andrew Borel – @andrew_secbit

Guests:
Bill Swearingen – @hevnsnt
Trent Lo – @surbo

General topics:
History of i-hacked [HackerRun] – @HackerRun
http://hackerrun.com/doku.php
Messing with evites
http://www.i-hacked.com/content/view/293/2/
http://www.csoonline.com/article/661365/evite-program-easily-tampered-with-researcher-says

Use our discount code "Connect_SecuraBit10" to get 10% off of ANY training course. The discount code is good for all SANS courses in all formats.

Upcoming events:
#BSidesHalifax (5 Mar 2011)
#BSidesGSO Greensboro, NC (9 Mar 2011)
CanSecWest 2011 (9 - 11 Mar 2011)
#BSidesAustin (11 - 12 March 2011) http://www.keepsecurityweird.org/
BlackHat Europe 2011 (17 - 18 Mar 2011)
#BSidesChicago (16 - 17 Apr 2011)
#BSides London (20 Apr 2011)
#BSidesROC Rochester, NY (21 May 2011)
#BSidesDetroit (3 - 4 Jun 2011)

Links:
http://securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast - http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available - http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8
Securabit Episode 75: Booze over IP
February 9, 2011

Hosts:
Anthony Gartner – @anthonygartner http://anthonygartner.com
Chris Gerling – @chrisgerling
Christopher Mills – @thechrisam
Jason Mueller – @securabit_jay
Andrew Borel – @andrew_secbit
Tony (myne-us) – @myne_us

Guests:
Mike Dahn – Twitter: @mikd
Joe Gottlieb – Twitter: @joe_gottlieb

General topics:

Mike: BSides origins and other topics.
http://chaordicmind.com/blog/

Joe: Open Security Intelligence
http://www.opensecurityintelligence.com/
On Monday, February 14th, SIEM and log management vendor SenSage will introduce the Open Security Intelligence forum for the security community to become involved in. The concept of the community is to share best practices in open security analytics to improve our collective security defenses. Specifically, Joe Gottlieb, President and CEO of SenSage, would like to discuss:
- Current challenges with today's SIEM tools, which are a decade old
- Why security analytics needs to be 'open'
- Why integrating business intelligence tools (i.e. Pentaho, Microsoft Exchange, Cognos, etc.) with SIEM tools can create useful dashboards that help security analysts mine huge data stores for the 'needle in the haystack' information they need
- Why 'security quants' (analysts that can look deep into the data and develop complex yet useful SQL queries) will become the next role in the SOC
- The benefits of joining the community and sharing best practices
The community will be hosted on a web portal – www.opensecurityintelligence.com – that is under development and will be discussed in our Feb. 14 release. Joe is also giving a talk at Security BSides SF on 2/14 at 3pm PT on this very topic.

HBGary Federal
http://krebsonsecurity.com/2011/02/hbgary-federal-hacked-by-anonymous/

Nasdaq attack: there are not yet reports of how they were attacked. The comment on the website was for the 1999 attack where someone defaced the Nasdaq website.
Quotes from http://www.wallstreetandtech.com/technology-risk-management/229201267
The operator of the Nasdaq Stock Exchange said it found "suspicious files" on its computer servers, in a Web application called Directors Desk which is used by members of corporations' boards of directors who want to share information and files.
"What seems most likely is that the web servers were compromised in an attempt to use them to inject malicious software into their clients," commented one reader of the nakedsecurity.sophos.com blog.

BSides
http://www.securitybsides.com/w/page/12194156/FrontPage
To contact: info (at) securitybsides dot org, or call 415-742-1739

Exploit developers corner
Looking for exploit developers! If you have recently published an exploit, or have a previously published exploit you would like to talk about, contact us at feedback@securabit.com or contact Tony (myne-us) directly on IRC at freenode #securabit to have a small interview about your discovery.
List of common questions:
- How did you find the vulnerability?
- What is your goal in vulnerability research?
- How did you go about disclosing the vulnerability and how did the vendor respond?
- And more...
!!Caution!!: No undisclosed vulnerabilities (0 day)! These vulnerabilities need to be reported to the vendor and patched, or exceed a time period where the vendor did not patch. Releasing an exploit on the show is fine if you can show proof you disclosed to the vendor, or the proof of concept is already posted on exploit-db, or it has a CVE.

Us: NetWitness Spectrum at RSA
http://www.netwitness.com/products/spectrum.aspx

Use our discount code "Connect_SecuraBit10" to get 10% off of ANY training course. The discount code is good for all SANS courses in all formats.

Upcoming events:
RSA Conference 2011 (14 - 18 Feb 2011)
#BSidesSanFrancisco (14 - 15 Feb 2011)
#BSidesCleveland (18 Feb 2011)
#BSidesHalifax (5 Mar 2011)
#BSidesGSO Greensboro, NC (9 Mar 2011)
CanSecWest 2011 (9 - 11 Mar 2011)
#BSidesAustin (11 - 12 March 2011) http://www.keepsecurityweird.org/
BlackHat Europe 2011 (17 - 18 Mar 2011)
#BSidesChicago (16 - 17 Apr 2011)
#BSides London (20 Apr 2011)
#BSidesROC Rochester, NY (21 May 2011)
#BSidesDetroit (3 - 4 Jun 2011)

Links:
http://securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast - http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available - http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8
Securabit Episode 74: Podcasting in the Dark with Brian Krebs
January 26, 2011

Hosts:
Anthony Gartner – @anthonygartner http://anthonygartner.com
Chris Gerling – @chrisgerling
Christopher Mills – @thechrisam
Andrew Borel – @andrew_secbit

Guests:
Brian Krebs – @briankrebs – http://krebsonsecurity.com/

General topics:
- I recall reading about various greeting card based attacks over the years. Do you think they've all been originated by the same folks who did this one? Or at least, with the same goals in mind?
- How prevalent do you think ATM skimmers are? What are some ways the common person can look out for them?
- Do you think financial institutions are getting better at educating their customers about the protections provided/not provided under Regulation E?
- Do you anticipate payment processing centers becoming a bigger target for criminals vs the individual businesses?
- Since many financials are under pressure from new reserve requirements, do you think new security requirements will force smaller financials to merge? How can they balance the need to offer more convenient services (such as mobile banking) with the need to improve security at the same time?
- What do you think the top 3 stories for 2010 were? Why do you think they were the top stories?

Use our discount code "Connect_SecuraBit10" to get 10% off of ANY training course. The discount code is good for all SANS courses in all formats.

Upcoming events:
RSA Conference 2011 (14 - 18 Feb 2011)
#BSidesSanFrancisco (14 - 15 Feb 2011)
#BSidesCleveland (18 Feb 2011)
#BSidesHalifax (5 Mar 2011)
#BSidesGSO Greensboro, NC (9 Mar 2011)
CanSecWest 2011 (9 - 11 Mar 2011)
#BSidesAustin (11 - 12 March 2011) http://www.keepsecurityweird.org/
BlackHat Europe 2011 (17 - 18 Mar 2011)
#BSidesChicago (16 - 17 Apr 2011)
#BSides London (20 Apr 2011)
#BSidesROC Rochester, NY (21 May 2011)
#BSidesDetroit (3 - 4 Jun 2011)

Links:
http://securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast - http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available - http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8
Securabit Episode 73: Eber Kneber and botnet stuntmen
January 12, 2011

Hosts:
Anthony Gartner – @anthonygartner http://anthonygartner.com
Chris Gerling – @chrisgerling
Christopher Mills – @thechrisam
Jason Mueller – @securabit_jay
Andrew Borel – @andrew_secbit

Guests:
We discuss Kneber and other fun security topics with Alex Cox of NetWitness – @perpetualsec
http://www.networkforensics.com/

General topics:
- Kneber Botnet
- Mariposa
- Responsible disclosure
- Evil VirusTotal
- http://socialmediasecurity.com/downloads/Facebook_Privacy_and_Security_Guide.pdf
- PROGRAMMABLE HID USB KEYSTROKE DONGLE: USING THE TEENSY AS A PEN TESTING DEVICE
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Crenshaw
http://www.irongeek.com/i.php?page=videos/dojocon-2010-videos

Use our discount code "Connect_SecuraBit10" to get 10% off of ANY training course. The discount code is good for all SANS courses in all formats.

Upcoming events:
ShmooCon (28 - 31 Jan 2011)
RSA Conference 2011 (14 - 18 Feb 2011)
#BSidesSanFrancisco (14 - 15 Feb 2011)
#BSidesCleveland (18 Feb 2011)
#BSidesHalifax (5 Mar 2011)
#BSidesGSO Greensboro, NC (9 Mar 2011)
#BSidesAustin (11 - 12 March 2011) http://www.keepsecurityweird.org/
#BSidesChicago (16 - 17 Apr 2011)
#BSides London (20 Apr 2011)
#BSidesROC Rochester, NY (21 May 2011)
#BSidesDetroit (3 - 4 Jun 2011)

Links:
http://www.securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast - http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available - http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8