POPULARITY
6 episodes with lee brotherston
In this riveting episode of the Brilliance Security Magazine podcast, Steven Bowcut sits down with Bob Bregant, COO & Co-founder of OpsHelm, and Lee Brotherston, Founding Engineer at OpsHelm, to delve into the top three cloud security challenges faced by cybersecurity professionals today. Bob and Lee offer valuable insights into how OpsHelm is addressing these pressing concerns and provide expert advice on tackling them. Our guests highlight the magnitude of the problems associated with cloud misconfiguration and share best practices to mitigate these risks effectively. Listen in as they discuss real-world examples and solutions, equipping cybersecurity professionals with the knowledge they need to stay ahead of the curve in this ever-evolving industry. About our Guests Bob Bregant spent the last decade-plus growing from managing ticket queues to managing systems, organizational security initiatives, security teams, and clients. He has worked with startups, governments, non-profits, and the Fortune 50 — seeing the unique quirks and, more often, finding the common threads that seem to exist across organizations of all stripes. Lee Brotherston is a seasoned security leader with decades of experience at all levels of security and is the co-author of the hugely successful O'Reilly "Defensive Security Handbook." With a knack for security research, Lee is regularly invited to speak at security conferences like B-sides, BlackHat, and Defcon. Don't miss this enlightening conversation with industry leaders as they navigate the complex landscape of cybersecurity and empower listeners with actionable strategies to strengthen their defenses. Tune in to the Brilliance Security Magazine podcast now!
https://www.linkedin.com/in/amandaberlin/ (Amanda Berlin) is the Lead Incident Detection Engineer for https://www.blumira.com/ (Blumira) and the CEO and owner of the nonprofit corporation https://www.mentalhealthhackers.org/ (Mental Health Hackers). She is the author of a Blue Team best practices book called "https://www.amazon.com/Defensive-Security-Handbook-Practices-Infrastructure/dp/1491960388 (Defensive Security Handbook: Best Practices for Securing Infrastructure)” with Lee Brotherston through O'Reilly Media. She is a co-host on the https://www.brakeingsecurity.com (Brakeing Down Security podcast) and writes for several blogs. Amanda is an avid volunteer and mental health advocate. She has presented at a large number of conventions, meetings, and industry events such as DerbyCon, O’Reilly Security, GrrCon, and DEFCON. In this episode, we discuss her start in help desk, speaking amount mental health, depression and anxiety, men's reluctance to report health issues, neurodiversity, how organizations can encourage self-care, using medication, the Mental Health Hackers organization, and so much more. Where you can find Amanda: https://www.linkedin.com/in/amandaberlin/ (LinkedIn) https://www.mentalhealthhackers.org/ (Mental Health Hackers) https://www.brakeingsecurity.com/ (Brakeing Down Security Podcast) Episode Disclaimer: This podcast's information is not intended or implied as a substitute for professional medical advice, diagnosis, or treatment. We make no representation and assume no responsibility for the accuracy of the information contained in or available through this presentation. THIS IS NOT MEDICAL ADVICE. Please speak to your physician before embarking on any treatment plan. NEVER DISREGARD PROFESSIONAL MEDICAL ADVICE OR DELAY SEEKING MEDICAL TREATMENT BECAUSE OF SOMETHING YOU HEARD ON THIS PODCAST.
In this episode of Security Nation, we catch up with Lee Brotherston, director of security at IoT startup ecobee, to chat about what it takes to launch a security program and get buy-in from leadership.
Amanda Berlin of NetGroup and Lee Brotherston of Wealthsimple join Paul, Michael, and Larry for a discussion on the Defensive Security Handbook and its implications in the world of security! Full Show Notes: https://wiki.securityweekly.com/Episode536 Subscribe to our YouTube channel: https://www.youtube.com/securityweekly Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.comsecurityweekly
Amanda Berlin of NetWorks Group and Lee Brotherston of Wealthsimple join us, Sven Morgenroth of Netsparker delivers a tech segment on cross-site scripting, and we discuss the latest security news on this episode of Paul’s Security Weekly! Full Show Notes: https://wiki.securityweekly.com/Episode536 Visit https://www.securityweekly.com for all the latest episodes! →Follow us on Twitter: https://www.twitter.com/securityweekly →Like us on Facebook: https://www.facebook.com/secweekly
Amanda Berlin of NetGroup and Lee Brotherston of Wealthsimple join Paul, Michael, and Larry for a discussion on the Defensive Security Handbook and its implications in the world of security! Full Show Notes: https://wiki.securityweekly.com/Episode536 Subscribe to our YouTube channel: https://www.youtube.com/securityweekly Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.comsecurityweekly
Amanda Berlin of NetWorks Group and Lee Brotherston of Wealthsimple join us, Sven Morgenroth of Netsparker delivers a tech segment on cross-site scripting, and we discuss the latest security news on this episode of Paul’s Security Weekly! Full Show Notes: https://wiki.securityweekly.com/Episode536 Visit https://www.securityweekly.com for all the latest episodes! →Follow us on Twitter: https://www.twitter.com/securityweekly →Like us on Facebook: https://www.facebook.com/secweekly
Some of you might be familiar with Roxy Dee’s infosec book giveaways. Others might have met her recently at Defcon as she shared with infosec n00bs practical career advice. But aside from all the free books and advice, she also has an inspiring personal and professional story to share. In our interview, I learned about her budding interest in security, but lacked the funds to pursue her passion. How did she workaround her financial constraint? Free videos and notes with Professor Messer! What’s more, she thrived in her first post providing tech support for Verizon Fios. With grit, discipline and volunteering at BSides, she eventually landed an entry-level position as a network security analyst. Now she works as a threat intelligence engineer and in her spare time, she writes how-tos and shares sage advice on her Medium account, @theroxyd Transcript Cindy Ng: For individuals who have had a nonlinear career path in security, Threat Intelligence Engineer Roxy Dee knows exactly what that entails. She begins by describing what it was like to learn about a new industry with limited funding, and how she studied security fundamentals in order to get her foot in the door. In our interview, she reveals three things you need to know about vulnerability management, why fraud detection is a lot like network traffic detection, and how to navigate your career with limited resources. We currently have a huge security shortage, and people are making analogies as to the kind of people we should hire. For instance, if you're able to pick up music, you might be able to pick up technology. And I've found that in security it's extremely important to be detail oriented, because the adage is the bad guys only need to be right once and security people need to be right all the time. And I had read on your Medium account the way you got into security, for practical reasons. And so let's start there, because it might help encourage others to start learning about security on their own. Tell us what aspect of security you found interesting and the circumstances that led you in this direction. – Roxy Dee: Just to comment on what you've said. Actually, that's a really good reason to make sure you have a diverse team is because everybody has their own special strengths and having a diverse team means that you'll be able to fight the bad guys a lot better because there will always be someone that has that strength where it's needed. The bad guys, they can develop their own team the way they want and so it's important to have a diverse team because every bad guy you meet is going to be different. That's a very good point, itself. Cindy Ng: Can you clarify "diverse?" You mean everybody on your team is going to have their own specialty that they're really passionate about? By knowing what they're passionate about, you know how to leverage their skill set? Is that what you mean by diversity? Roxy Dee: Yeah. That's part of it. I mean, just making sure that you don't have the same person. For example, I'll tell my story like you asked in the original question. As a single mom, I have a different experience than someone that has had less difficulties in that area, so I might think of things differently, or be resourceful in different ways. Or I'm not really that great at writing reports. I can write well, but I haven't had the practice of writing reports. Somebody that went to college, they might have that because they were kind of forced to do it, by having people from different backgrounds that have had different struggles. And I got into security because I was already into phone phreaking, which is a way of hacking the phone system. And so for me, when I went to my first 2600 Meeting and they were talking about computer security and information security, it was a new topic and I was kind of surprised. I was like, "I thought 2600 was just about phone hacking." But I realized that at the time...It was 2011, and phone hacking had become less of a thing and computer security became more of something. I got the inspiration to go that route, because I realized that it's very similar. But as a single mom, I didn't have the time or the money to go to college and study for it. So I used a lot of self-learning techniques, I went to a lot of conferences, I surrounded myself with people that were interested in the topic, and through that I was able to learn what I needed to do to start my career. Cindy Ng: People have trouble learning the vocabulary because it's like learning a new language. How did you...even though you were into phone hacking and the transition into computer security, it has its own distinct language, how did you make the connections and how long did it take you? What experiences did you surround yourself with to cultivate a security mindset? Roxy Dee: I've been on computers since I was a little kid, like four or five years old. So for me, it may not be as difficult for me as other people, because I kind grew up on computers. Having that background helped. But when it came to information security, there were a lot of times where I had no idea what people were saying. Like I did not know what "Reverse Engineering" meant, or I didn't know what "Trojan" meant. And now, it's like, "Oh, I obviously know what those things are." But I had no idea what people were talking about. So going to conferences and watching DEF CON talks, and listening to people. But by the time I had gone to DEF CON about three times, I think it was my third time I went to DEF CON, I thought, "Wow. I actually know what people are saying now." And it's just a gradual process, because I didn't have that formal education. There were a few conferences that I volunteered at. Mostly at BSides. And BSides are usually free anyway. When you volunteer, you become more visible in the community, and so people will come to you or people will trust you with things. And that was a big part of my career, was networking with people and becoming visible in the community. That way, if I wanted to apply for a job, if I already knew someone there or if I knew someone that knew someone, it was a lot easier to get my resume pushed to the hiring manager than if I just apply. Cindy Ng: How were you able to land your first security job? Roxy Dee: And as far as my first InterSec job, I was working in tech support and I was doing very well at it. I was at the top of the metrics, I was always in like the top 10 agents. Cindy Ng: What were some of the things that you were doing? Roxy Dee: It was tech support for Verizon Fios. There was a lot of, "Restart your router," "Restart your set-top box," things like that. But I was able to learn how to explain things to people in ways that they could understand. So it really helped me understand tech speak, I guess, understand how to speak technically without losing the person, like a non-technical person. Cindy Ng: And then how did you transition into your next role? Roxy Dee: It all had to do with networking, and at this point, I had volunteered for a few BSides. So actually, someone that I knew at the time told me about a position that was an entry-level network security analyst, and all I needed to do was get my Security+ certification within the first six months of working there. And so it was an opportunity for me because they accepted entry-level. And when they gave me the assessment that they give people they interview, I aced it because I had studied already about networking through a website called "Professor Messer." And that website actually helped me with Security+ as well, and I was just able to do that through YouTube videos, like his entire website is just YouTube videos. So once I got there, I took my Security plus and I ended up, actually, on the night shift. So I was able to study in quiet during my shift every day at work. I just made it a routine, "I have to spend, you know, this amount of time studying on," whatever topic I wanted to move forward with, which I knew what to study because I was going to conferences and I was taking notes from the talks, writing down things I didn't understand or words I didn't know and then later I was researching that topic so I could understand more. And then I would watch the talk again with that understanding if it was recorded, or I would go back to my notes with that understanding. The fact that I was working overnight and I was not interrupted really helped, and then from there...and that was like a very entry-level position. And from there, I went to a cloud hosting company, secure cloud hosting company with a focus on security and the great thing about that was that it was a startup. They didn't have a huge staff, and they had a ton of things that they had to do and a bunch of unrealistic deadlines. So they would constantly be throwing me into situations I was not prepared for. Cindy Ng: Can you give us an example? Roxy Dee: Yeah. That was really like the best training for me, is just being able to do it. So when they started a Vulnerability Management Program, I have no experience in vulnerability management before this and they wanted me to be one of the two people on the team. So I had a manager, and then I was the only other person. Through this position, I learned what good techniques are and I was also inspired to do more research on it. And if I hadn't been given that position, I wouldn't have been inspired to look it up. Cindy Ng: What does Vulnerability Management entail, three things that you should know? Roxy Dee: Yeah. So Vulnerability Management has a lot to do with making sure that all the systems are up to date on patching. That's one of them. The second thing I would say that's very important is inventory management, because there were some systems that nobody was using and vulnerabilities existed there, but there was actually no one to fix them. And so if you don't take proper inventory of your systems and you don't do, you know, discovery scans to discover what's out there, you could have something sitting there that an attacker, once they get in, they could use or they might have access to. And then another thing that's really important in Vulnerability Management is actually managing the data because you'll get a lot of data. But if you don't use it properly it's pretty much useless, if you don't have a system to track when you need to have this remediated by, what are your compliance requirements? And so you have to track, "When did I discover this and when is it due? And what are the vulnerabilities and what are the systems? What do the systems look like? So there's a lot of data you're going to get and you have to manage it, or you will be completely unable to use it. Cindy Ng: And then you moved on into something else? Roxy Dee: Oh, yes. Actually, it being a startup kind of wore on me, to be honest. So I got a phone call from a recruiter, actually, while I was at work. This was another situation where I had no idea how to do what I was tasked with, and the task was...So from my previous positions, I had learned how to monitor and detect, and how to set up alerts, useful alerts that can serve, you know, whatever purpose was needed. So I already had this background. So they said, "We have this application. We want you to log into it, and do whatever you need to do to detect fraud." Like it was very loosely defined what my role was, "Detect bad things happening on the website." So I find out that this application actually had been stood up four years prior and they kind of used it for a little while, but then they abandoned it. And so my job was to bring it back to life and fix some of the issues that they didn't have time for, or they didn't actually know how to fix or didn't want to spend time fixing them. That was extremely beneficial. I had been given a task, so I was motivated to learn this application and how to use it, and I didn't know anything about fraud. So I spent a lot of time with the Fraud Operations team, and through that, through that experience of being given a task and having to do it, and not knowing anything about it, I learned a lot about fraud. Cindy Ng: I'd love to hear from your experience what you've learned about fraud that most people might not know. Roxy Dee: What I didn't consider was that, actually, fraud detection is very much like network traffic detection. You look for a type of activity or a type of behavior and you set up detection for it, and then you make sure that you don't have too many false positives. And it's very similar to what network security analysts do. And when I hear security people say, "Oh, I don't even know where to start with fraud," well, just think about from a network security perspective if you're a network security analyst, how you would go about detecting and alerting. And the other aspect of it is the fraudulent activity is almost always an anomaly. It's almost always something that is not normal. If you're just looking around for things that are off or not normal, you're going to find the fraud. Cindy Ng: But how can you can tell what's normal and what's not normal? Roxy Dee: Well, first, it's good to look up all sorts of sessions and all sorts of activity and get like a baseline of, you know, "This is normal activity." But you can also talk to the Fraud team or, you know, or whatever team handles...It's not specific to fraud, but, you know, if you're detecting something else, talk to the people that handle it. And ask them, "What would make your alerts better? What is something that has not been found before or something that you were alerted to, but it was too late?" And ask just a bunch of questions, and then you'll find through asking that what you need to detect. Like for example, there was one situation where we had a rule that if a certain amount was sent in a certain way, like a wire, that it would alert. But what we didn't consider was, "What if there's smaller amounts that add up to a large amount?" And understanding...So we found out that, "Oh, this amount was sent out, but it was sent out in small pieces over a certain amount of time." So through talking to the Fraud Operations team, if we didn't discuss it with them, we never would have known that that was something that was an issue. So then we came up with a way to detect those types of fraudulent wire transfers as well. Cindy Ng: How interesting. Okay. You were talking about your latest role at another bank. Roxy Dee: I finished my contract and then I went to my current role, which focuses on a lot more than just online activity. I have more to work with now. With each new position, I just kind of layered more experience on top of what I already knew. And I know it's better to work for a company for a long time and I kind of wish these past six years, I had been with just one company. Each time that I changed positions, I got more responsibility, pay increase, and I'm hoping I don't have to change positions as much. But it kind of gave me like a new environment to work with and kind of forced me to learn new things. So I would say, in the beginning of your career, don't settle. If you get somewhere and you don't like what you're being paid, and you don't think your career is advancing, don't be afraid to move to a different position, because it's a lot harder to ask for a raise than to just go somewhere else that's going to pay you more. So I'm noticing a lot of the companies that I'm working for, will expect the employees to stay there without giving them any sort of incentive to stay. And so when a new company comes along, they say, you know, "Wow. She's working on this and that, and she's making x amount. And we can take all that knowledge that she learned over there, and we can basically buy it for $10,000 more than what she's making currently." So companies are interested in grabbing people from other companies that have already had the experience, because it's kind of a savings in training costs. So, you know, I try to look every six months or so, just to make sure there's not a better deal out there, because they do exist. And I don't know how that is in other fields, though. I know in information security, we have that. That's just the nature of the field right now. Cindy Ng: I think I got a good overview of your career trajectory. I'm wondering if there's anything else that you'd want to share with our listeners? Roxy Dee: Yeah. I guess, I pretty much have spent...So the first two or three years, I spent really working on myself, and making sure that I had all the knowledge and resources I needed to get that first job. The person that I was five or six years ago is different than who I am now. And what I mean is, my situation has changed a bit, to where I have more income and I have more capabilities than I did five years ago. One of the things that's been important to me is giving back and making sure that, you know, just because I went through struggles five years ago...You know, I understand we all have to go through our struggles. But if I can make something a little bit easier for someone that was in my situation or maybe in a different situation but still needs help, that's my way of giving back. And spending $20 to buy someone a book is a lot less of a hit on me financially than it would have been five years ago. Five years ago, I couldn't afford to drop to even $20 on a book to learn. I had to do everything online, and everything had to be free. I just want to encourage people, if you see an opportunity to help someone and, you know, for example, if you see someone that wants to speak at a conference and they just don't have the resources to do so. And you think, "Well, this $100 hotel a night, a hotel room is less of a financial hit to me than to, you know, than to that person. And that could mean the difference between them having a career-building opportunity or not having that." Just seek out ways to help people. One of the things I've been doing is the free book giveaway, where I actually have people sending me Amazon gift cards and there is actually one person that's done it consistently in large amounts. And what I do with that is, like every two weeks, I have a tweet that I send out that if you reply to it with the book that you want, then you can win that book up until I run out of money, up until I run out of Amazon dollars. Cindy Ng: Is this person an anonymous patron or benefactor? This person just sends you an Amazon gift card...with a few bucks and you share it with everyone? That's so great. Roxy Dee: And other people have sent me, you know, $20 to $50 in Amazon credits, and it's just a really good...It kind of happen accidentally, and there's the story of it on my Medium account. Cindy Ng: What were the last three books that you gave away? - Oh, the last three? Well... - Or the last one, if you... Roxy Dee: ...the most popular one right now, this is just based on the last one that I did, is the Defensive Security Handbook. That was the most popular one. But I also get a lot of requests for Practical Packet Analysis by Chris Sanders and Practical Malware Analysis. And so this one, actually, this is a very recent book that came out called the Defensive Security Handbook. That's by Amanda Berlin and Lee Brotherston. And that's about...it says, "Best practices for securing infrastructure." So it's a blue team-themed book. That's actually sold over 1,000 copies already and it just came out recently. It came out about a month ago. Yeah. So I think that's going to be a very popular book for my giveaways. Cindy Ng: How are you growing yourself these days? Roxy Dee: Well, I wanted to spend more time writing guides. I just want to write things that can help beginners. I have set up my Medium account, and I posted something on setting up a honeypot network, which is a very...it sounds very complicated, but I broke it down step by step. So my goal in this was to make one article where you could set it up. Because a lot of the issues I was having was, yeah, I might find a guide on how to do something, but it didn't include every single step. Like they assumed that you knew certain things before you started on that guide. So I want to write things that are easy for people to follow without having to go look up other sources. Or if they do have to look up another source, I have it listed right there. I want to make things that are not assuming that there's already prior knowledge. Cindy Ng: Thank you so much for sharing with me, with our listeners. Roxy Dee: Thank you for letting me tell my story, and I hope that it's helpful to people. I hope that people get some sort of inspiration, because I had a lot of struggles and, you know, there's plenty of times I could have quit. And I just want to let people know that there are other ways of doing things and you don't have to do something a certain way. You can do it the way that works for you.
Enregistré le 2017/06/07
Our very own Ms. Berlin and Mr. Lee Brotherston (@synackpse), veteran of the show, co-authored an #O'Reilly book called the "Defensive Security Handbook" We talk with Amanda and Lee (or Lee and Amanda :D ) about why they wrote the book, how people should use the book, and how you can maximize your company's resources to protect you. The best thing is that you can pick up the ebook right now! It's available for pre-order on Safari books (Link), or pre-order on Amazon.com (Link) Hope you enjoy! Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-010-Defensive_Security_handbook.mp3 Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw Itunes: (look for '2017-010') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 Previous Lee Brotherston episodes: Threat Modeling w/ Lee Brotherston Is your ISP MiTM-ing you Lee fills in for Mr. Boettcher, along with Jarrod Frates TLS fingerprinting application #Bsides #London is accepting Call for Papers (#CFP) starting 14 Febuary 2017, as well as a Call for Workshops. Tickets are sold out currently, but will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/ CFP closes 27 march 2017 ------ HITB announcement: “Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/ --------- Join our #Slack Channel! Sign up at https://brakesec.signup.team #RSS: http://www.brakeingsecurity.com/rss #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
"Always Be Closing" is the mantra that Alec Baldwin's character "Blake" intones in the movie "#GlenGarry #Glen #Ross". Ironically, the film about 4 men selling was a failure in the theaters. A lot of times as #blue #teamers, we find ourselves in the sights of a #sales person, or often enough, we are inviting them into our conference rooms to find out how their widget will help save the day. There's an art to the concept of selling, honed over the past 500,000 years, since Ugg tried to convince Oog that his wheel would revolutionize work... We asked Ms. Amanda Berlin (@infosystir) to join us this week, for her expertise at working at an security company, as well as someone who sells products, to discuss how and why sales and sales engineers do what they do. I posit that there must be 'decision tree' or script that most follow in an effort to make a sale, and how to confront the pushy sales pitch head on, or in Amanda's way, to avoid it altogether. We discuss Amanda's book she co-wrote with Lee Brotherston, whom we've had on our show before. Their #O'Reilly #book is on pre-sale right now, so you can order "The #Defensive #Security #Handbook" here: http://shop.oreilly.com/product/0636920051671.do Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-049-amanda_berlin_the_art_of_the_sale_decision_making_trees.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-049-amanda-berlin-art/id799131292?i=1000378988303&mt=2 Youtube: https://www.youtube.com/watch?v=v0llOSXfzBg Special deal for our #BrakeSec Listeners: "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box (#HITB) Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! Join our Slack Channel! Sign up at https://brakesec.signup.team #RSS: http://www.brakeingsecurity.com/rss #Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969 #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback, or Suggestions? Contact us via Email: bds.podcast@gmail.com #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582
We first heard about FingerprinTLS from our friend Lee Brotherston at DerbyCon last September. Very intrigued by how he was able to fingerprint client applications being used, we finally were able to get him on to discuss this. We do a bit of history about #TLS, and the versions from 1.0 to 1.2 Lee gives us some examples on how FingerprintTLS might be used by red teamers or pentest agents to see what applications a client has on their system, or if you're a blue team that has specific application limitations, you can find out if someone has installed an unauthorized product, or you could even block unknown applications using this method by sensing the application and then creating an IPS rule from the fingerprint. Finally, something a bit special... we have a demo on our Youtube site that you can view his application in action! Video demo: https://youtu.be/im6un0cB3Ns https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie-Hellman_Key_Exchange.svg/2000px-Diffie-Hellman_Key_Exchange.svg.png http://blog.squarelemon.com/tls-fingerprinting/ https://github.com/LeeBrotherston/tls-fingerprinting http://www.slideshare.net/LeeBrotherston/tls-fingerprinting-sectorca-edition https://www.youtube.com/watch?v=XX0FRAy2Mec http://2015.video.sector.ca/video/144175700 Cisco blog on malware using TLS... http://blogs.cisco.com/security/malwares-use-of-tls-and-encryption Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/ BrakeSec Podcast Twitter: http://www.twitter.com/brakesec Bryan's Twitter: http://www.twitter.com/bryanbrake Brian's Twitter: http://www.twitter.com/boettcherpwned Join our Patreon!: https://www.patreon.com/bds_podcast Tumblr: http://brakeingdownsecurity.tumblr.com/ RSS FEED: http://www.brakeingsecurity.com/rss Comments, Questions, Feedback: bds.podcast@gmail.com **NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969 **NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast iTunes: https://itunes.apple.com/us/podcast/2016-007-fingerprintls-profiling/id799131292?i=362885277&mt=2 Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-007-FingerprinTLS_with_Lee_Brotherston.mp3
Mr. Boettcher went on vacation and was volunteering for Austin Bsides this week, and I needed to do a podcast, so I enlisted the aid of Lee Brotherston and Jarrod Frates discuss some important topics. We discuss the seemingly short talent pool for IT/IS positions. We talk about the ROWHAMMER vulnerability and how it may affect your organization. Additionally, we talk about how the NTP protocol is being maintained by one person and what can be done to help with that, as it is a critical piece of Internet Infrastructure, and finally, we figure out why PGP/GPG is not user-friendly, and if there are ways to make it better, or if it needs to be replaced permanently. News of the week RowHammer - http://www.darknet.org.uk/2015/03/rowhammer-ddr3-exploit-what-you-need-to-know/ Lack of hire-able people in IT/IS - per Leviathan Sec report. https://www.leviathansecurity.com/blog/scarcity-of-cybersecurity-expertise/ NTP maintained by one guy ‘Father Time’ http://www.informationweek.com/it-life/ntps-fate-hinges-on-father-time/d/d-id/1319432 Moxie Marlinspike’s GPG/PGP rant: Perfection ruined the goal http://www.thoughtcrime.org/blog/gpg-and-me/
During our research with Lee Brotherston, who we had on last week for our podcast on threat modeling, we got to listen to one of his talks about how his ISP in Canada was actively doing a Man-in-Middle injection of a banner into sites that he visited. We were intrigued, and also gobsmacked (I can say that, right?) about the brashness of an ISP not apparently understanding the security implications of this, so we had him back on totalk about the finer points of his research. The bad news? Other ISPs, including American ISPs are using this technology. This is one of those podcasts that you need to tell your friends about, cause it's truly surprising the lengths ISPs go to injecting content into your pages. We also have a short message about the Bsides Las Vegas Proving Grounds this year... If you've wanted to present a paper at a conference, and have a mentor guide you through the process, hit them up on the Proving Grounds page at http://www.bsideslv.com Show notes (lots of info): https://docs.google.com/document/d/1YLkiRE1SVIyWquWc-iQrESWlT10rSJmW1VcrOX3kQZ0/edit?usp=sharing "Dirty Rhodes" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/
Threat Modeling... ranks right up there with Risk Assessments in importance... You gotta figure out how the applications you're creating or the systems you're engineering are secure. It really takes knowing your application and really, knowing the enemies/factors that can cause your application to fail, from santizing inputs on a web app, to making sure that your code doesn't have use-after-free bugs. Brakeing Down Security talked about conducting threat modeling and application reviews with Lee Brotherston (@synackpse) from Leviathan Security (@LeviathanSecurity) this week. We discuss types of risk analysis, including one named 'Binary Risk Analysis', which may simplify assessment of your computer systems. Show notes = https://docs.google.com/document/d/1K-eycek2Xud7loVC4yrHg6eHCY0oyztV_ytbY433oYk/edit?usp=sharing "Dirty Rhodes" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/
© 2020-2025 Ivy Podcast Discovery LLC
