Thursday, December 25, 2014

Is Compliance running or ruining Security Programs?


We at Brakeing Down Security world headquarters don't understand the concept of an 'End of the Year' podcast, so consider this the "End-End of the Year" podcast.

We talked about the order of things... whether Compliance is a detriment to Security, and who should be running who.

 

So pull up a glass of eggnog, grab another cookie, and put another log on the fire, 'cause Brakeing Down Security is throwing out one more for the year!  Happy Holidays... all of them... :)


Here is a new episode of Brakeing Down Security!

Sunday, December 21, 2014

Brakeing Down/Defensive Security Mashup!


It's a Super Deluxe sized Brakeing Down Security this week...

It's something you've dreamed of forever (or not), but Jerry Bell and Andrew Kalat from Defensive Security Podcast stopped by and we made ourselves a podcast baby... Boy, was it ugly :)

I'm just kidding, we had a great time discussing some news, and going over what we learned... and any good end-of-year podcast must have predictions...  

We also discussed Sony, because it's the huge news of the year, and talked about Target, because we love dissing PCI... ;)

There might be a few bad words, so if you have small ears around, be advised...

When you're done, check out the other 96 episodes of Defensive Security, and check out our 55 other episodes...

 

http://www.defensivesecurity.org/

Twitter handles:

Andrew Kalat: https://twitter.com/lerg

Jerry Bell: https://twitter.com/Maliciouslink

 

 

Icon provided by DefensiveSecurity.org... I'd imagine they'd let us use it, since they were on the podcast ;)

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/



Sunday, December 14, 2014

Tyler Hudak (@secshoggoth) Discusses incident response, and DIY malware research


This week, Tyler gave us a great deal of information on where to start if you wanted to become a malware researcher. He also gave us websites where you can get malware and ways to analyze it. 

We asked Tyler what blue teams can do when they are infected, and he gave us some excellent advice...

I also recite some prose from a classic horror author, so come for the malware, stay for the prose! :)

***NOTE: I guess now would be a good time to mention that many of the links below have unsafe software and actual malware payloads, so use with extreme caution. Especially, do not download anything from these sites unless it's in a VM that is not on your company's assets.***

http://www.hopperapp.com/ - Disassemble OS X binaries

http://en.wikibooks.org/wiki/X86_Disassembly/Disassemblers_and_Decompilers - other Disassemblers

http://vxheaven.org/ - Virus Heaven

http://www.malwaredomainlist.com/ - Find websites serving malware

http://oc.gtisc.gatech.edu:8080/ - Georgia Tech malware repository

Sandboxie - http://www.sandboxie.com/

KoreLogic - http://www.korelogic.com/ (lots of great tools here)

http://secshoggoth.blogspot.com/ - Tyler's Blog



Sunday, December 7, 2014

Tyler Hudak discusses malware analysis


Tyler Hudak (@secshoggoth) came to discuss with us the process of doing analysis on malware binaries. We talk about MASTIFF, his malware analysis framework.  We also discuss how to gain information from malware program headers, and some software that is used to safely analyze it.

Helpful Links:

Ida Pro: https://www.hex-rays.com/products/ida/

Process Monitor - http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Mastiff White Paper: http://digital-forensics.sans.org/blog/2013/05/07/mastiff-for-auto-static-malware-analysis

Mastiff latest: http://sourceforge.net/projects/mastiff/files/mastiff/0.6.0/

cuckoo sandbox: www.cuckoosandbox.org

Anubis: https://anubis.iseclab.org/

 

PE Headers: http://en.wikipedia.org/wiki/Portable_Executable

ELF: http://fr.wikipedia.org/wiki/Executable_and_Linkable_Format

REMnux - reverse engineering Linux distro: https://remnux.org/

 

Inetsim: http://www.inetsim.org/

 

 




Sunday, November 30, 2014

Part 2 w/ Ben Donnelly -- Introducing Ball and Chain (making password breaches a thing of the past)

Last week, we talked with Ben Donnelly about ADHD (Active Defense Harbinger Distro). But Ben isn't a one-trick pony, oh no... this young punk is trying to solve fundamental problems in the business world, in particular securing passwords.  That's why he's been working with Tim Tomes (@lanmaster53) to invent 'Ball and Chain', which is a large (>2TB) file that can be used to help generate passwords and entropy.

We discuss



Saturday, November 29, 2014

New Tumblr Post

It's a bit meta, 'cause this will show up there in a few minutes, but Brakeing Down Security now has a Tumblr...

Don't know why it took so long...  We'll be posting from other Tumblr blogs, and our episodes will post there... I hope you will spread the word...

http://brakeingdownsecurity.tumblr.com/



Thursday, November 27, 2014

Thank you from Brakeing Down Security

When Mr. Boettcher and I started the Brakeing Down Security Podcast, we really did it for 2 reasons:

1. We wanted to educate people and ourselves about information security topics, and do it in a way that was fun

2. Educate ourselves about some topics that we were not familiar with, because infosec and compliance cover such a vast range of topics and skills

 

Mr. Boettcher and I want to extend a warm and hearty THANK YOU SO MUCH for inviting us into your podcasting listening device. We realize there are a ton of infosec podcasts out there, and you allowing us to share space with them makes us so happy.

Look for more podcasts in December, and in the new year, look for more videos and excellent interviews.

 

As we've always said, we do this podcast for you, and we want to know what you want to hear or see.  If you have a topic you'd love to have us talk about, or you'd like to come on our podcast and talk about something you're working on, please let us know.  We want input, so please leave us some feedback on iTunes, or tweet our podcast to your friends

 

Happy Thanksgiving to our US fans, Happy Thursday for the rest of the world...

 

Bryan Brake

Creator, Co-Host of the Brakeing Down Security podcast

@bryanbrake

@boettcherpwned

Website: www.brakeingsecurity.com

RSS: brakeingsecurity.libsyn.com/rss

iTunes:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

EMAIL: bds.podcast@gmail.com

 



Saturday, November 22, 2014

Active Defense and the ADHD Distro with Ben Donnelly


We snagged an interview with Benjamin Donnelly, a maintainer of the Active Defense Harbinger Distribution (ADHD), version 0.60.

 

A thoroughly enjoyable conversation with a new up-and-coming security professional. He's the future, and he is already contributing a lot of great info to the infosec industry.

 

Part 1 is all about ADHD, next week, we discuss his talk about a project he's working on that will remove the threat of password breaches using 'Ball and Chain'.  And it's all open source...

ADHD ISO:  http://sourceforge.net/projects/adhd/


CryptoLocked:   https://bitbucket.org/Zaeyx/cryptolocked



Thursday, November 20, 2014

WebGoat install video with Mr. Boettcher!


My man Mr. Boettcher posted up a video on how to install OWASP's WebGoat Vulnerable web application!

He walks you through WebGoat 5.4, and even gives you some tips on solving issues that he'd found.  And to make it even easier, he's given you some instructions below.

Hope you enjoy, especially if you've had issues setting up WebGoat in the past.

 

 

Webgoat 5.4 instructions
========================
1. Search Google and download the WAR file
   (From Bryan: here's the link -- https://code.google.com/p/webgoat/downloads/list )
2. Install Tomcat
   sudo apt-get install tomcat7
3. Move the WAR file to the Tomcat webapps directory
   sudo mv ~/Downloads/WebGoat-5.4.war /var/lib/tomcat7/webapps/WebGoat.war
4. Edit tomcat-users.xml, adding the content below
   sudo vi /var/lib/tomcat7/conf/tomcat-users.xml
5. Restart Tomcat
   sudo /etc/init.d/tomcat7 restart
6. In your browser, go to localhost:8080/WebGoat/attack

Content for tomcat-users.xml:

<role rolename="webgoat_basic"/>
<role rolename="webgoat_user"/>
<role rolename="webgoat_admin"/>
<user username="basic" password="basic" roles="webgoat_basic,webgoat_user"/>
<user username="guest" password="guest" roles="webgoat_user"/>
<user username="webgoat" password="webgoat" roles="webgoat_admin"/>
<user username="admin" password="admin" roles="webgoat_admin"/>
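As an added example (not from Mr. Boettcher's video or the WebGoat project), this POSIX sh script does step 4 without hand-editing: it inserts the role and user entries above inside the <tomcat-users> element, only once, after backing up the file, and refuses to touch a file that has no closing root tag. The file path and the .bak naming are assumptions; the accounts are the weak defaults the training app expects, which is why the VM belongs off your company's network.

```shell
#!/bin/sh
# Added example, not part of the show notes or of WebGoat itself.
# Usage: sh webgoat-users.sh /var/lib/tomcat7/conf/tomcat-users.xml  (path assumed)

# The exact entries from the show notes.
WEBGOAT_USERS='<role rolename="webgoat_basic"/>
<role rolename="webgoat_user"/>
<role rolename="webgoat_admin"/>
<user username="basic" password="basic" roles="webgoat_basic,webgoat_user"/>
<user username="guest" password="guest" roles="webgoat_user"/>
<user username="webgoat" password="webgoat" roles="webgoat_admin"/>
<user username="admin" password="admin" roles="webgoat_admin"/>'

# add_webgoat_users FILE
#   Inserts the entries immediately before </tomcat-users>, so they land inside
#   the root element and the XML stays well-formed. Idempotent: a second run is
#   a no-op. Returns 1 (and changes nothing) if the closing tag is missing.
add_webgoat_users() {
    file="$1"
    if ! grep -q '</tomcat-users>' "$file"; then
        echo "no </tomcat-users> in $file; refusing to edit" >&2
        return 1
    fi
    if grep -q 'rolename="webgoat_admin"' "$file"; then
        return 0    # already present, nothing to do
    fi
    cp "$file" "$file.bak"    # keep the original alongside (naming assumed)
    tmp="$file.tmp.$$"
    while IFS= read -r line; do
        case $line in
            *'</tomcat-users>'*) printf '%s\n' "$WEBGOAT_USERS" ;;
        esac
        printf '%s\n' "$line"
    done < "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_webgoat_entries FILE
#   Number of WebGoat role/user lines present; 7 after one correct insertion.
count_webgoat_entries() {
    grep -c 'webgoat_' "$1"
}

if [ "$#" -gt 0 ]; then
    add_webgoat_users "$1"
fi
```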



Monday, November 17, 2014

Active Defense: It ain't 'hacking the hackers'


Active Defense... It conjures images of the lowly admin turning the tables on the evil black hat hackers, and giving them a dose of their own medicine by hacking their boxes and getting sweet, sweet revenge... But did you know that kind of 'revenge' is also rife with legal ramifications, even bordering on being illegal??

This week, Mr. Boettcher and I tackle this prickly subject, and discuss some software you can use to 'deter, prevent, and dissuade' potential bad guys...

ADHD Training (courtesy of Paul's Security Weekly Podcast): http://blip.tv/securityweekly/active-defense-harbinger-distribution-release-party-7096833

Artillery - https://www.binarydefense.com/project-artillery/

DenyHosts - http://denyhosts.sourceforge.net/

Nova:  http://www.sans.org/reading-room/whitepapers/detection/implementing-active-defense-systems-private-networks-34312

 




Sunday, November 9, 2014

Interview Part 2 with Paul Coggin: Horror stories


If you think Halloween was scary, Paul Coggin gives us another reason to curl up in the fetal position as he explains Lawful Intercept and Route Maps. And what's worse, your 3rd-party auditors are starting to get the tools that will make you address network protocol issues.

 

Lots of great material here below in our show notes, including some tools (free) that you can use to get yourself schooled on network protocols

 

http://www.zdnet.com/researcher-describes-ease-to-detect-derail-and-exploit-nsas-lawful-interception-7000025073/

 

BGPmon - http://www.bgpmon.net/

Renesys (now Dyn Research) - http://research.dyn.com/

BGP Play - http://bgplay.routeviews.org/

BGP Looking glass servers - http://www.bgp4.as/looking-glasses

yersinia - http://www.yersinia.net/

Fx Twitter handle - https://twitter.com/41414141

ernw - https://www.ernw.de/

Cisco Route Maps - http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/49111-route-map-bestp.html

Paul's Bsides Nashville talk - http://www.irongeek.com/i.php?page=videos/bsidesnashville2014/300-bending-and-twisting-networks-paul-coggin

Huawei ENSP - http://enterprise.huawei.com/en/products/network-management/automation-tools/tools/hw-201999.htm

NRL Core - http://www.nrl.navy.mil/itd/ncs/products/core

NRL Mgen - http://www.nrl.navy.mil/itd/ncs/products/mgen

 




Sunday, November 2, 2014

Interview with Paul Coggin (part 1)


One of the talks my colleague got to see was Paul Coggin's talk about Internetworking routing and protocols.  In this interview, we discuss some tools of the trade, how MPLS isn't secure, and why you should be doing end-to-end encryption without allowing your VPN or circuit provider to do it for you...

If you have any interest in network security, including the higher order network protocols like BGP, MPLS, ATM, etc...  You'll want to check out his DerbyCon talk, and our interview...

 

Paul's Derbycon 2014 talk - http://www.irongeek.com/i.php?page=videos/derbycon4/t319-bending-and-twisting-networks-paul-coggins

Hacking SNMP tips and tricks: http://securityreliks.securegossip.com/2011/04/hacking-snmp-in-a-few-simple-steps/

SNMPBlow: http://www.stoptheplague.com/?p=19

ERNW: https://www.ernw.de/research-community/index.html

Fx paper on Lawful Intercept: http://phenoelit.org/stuff/CSLI.pdf

 

 




Saturday, October 25, 2014

Learning about SNMP, and microinterview with Kevin Johnson


In an effort to educate ourselves for an upcoming interview, we sat down and talked about SNMP (Simple Network Management Protocol). We get into the basics, the ins and outs of the protocol, the different tools that use (or exploit) SNMP, and we talk about how to better secure your SNMP implementation. You should listen to this, because next week's interview will knock your socks off. :)

Finally, we end with a DerbyCon interview Mr. Boettcher snagged with our friend Mr. Kevin Johnson about how we need to regulate ourselves with regard to a code of ethics, before someone regulates us... When one 'white hat' can run code on a server he/she doesn't control (unpatched Shellshock) and thinks it's okay, where do we draw the line between what is right, and what violates the CFAA? Mr. Johnson looks for an answer with our Mr. Boettcher.

Wikipedia SNMP article: http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

SNMP Primer: http://www.tcpipguide.com/free/t_SNMPProtocolOverviewHistoryandGeneralConcepts.htm

SNMP OIDS and MIBS: http://kb.paessler.com/en/topic/653-how-do-snmp-mibs-and-oids-work

SNMP vulnerabilities - http://packetstormsecurity.com/search/?q=snmp

SNMP Primer (IBM): http://pic.dhe.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=%2Fcom.ibm.ztpf-ztpfdf.doc_put.cur%2Fgtpc1%2Fpdus.html

SNMP amplification attacks: http://www.pcworld.com/article/2159060/ddos-attacks-using-snmp-amplification-on-the-rise.html

Securing SNMPv3: http://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051

Kevin Johnson/James Jardine DerbyCon Talk: http://www.irongeek.com/i.php?page=videos/derbycon4/t308-ethical-control-ethics-and-privacy-in-a-target-rich-environment-kevin-johnson-and-james-jardine

 

 

Image courtesy of Wikipedia.de




Sunday, October 19, 2014

Keep Calm and take a tcpdump! :)


Tcpdump is just one of the tools that will make it easier to troubleshoot network issues, test applications, or even find out what traffic a host is generating.  This podcast is to help you understand the Tcpdump program, and how powerful it is...

 

http://danielmiessler.com/study/tcpdump/

http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/

http://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/

http://www.amazon.com/TCP-Illustrated-Vol-Addison-Wesley-Professional/dp/0201633469

http://www.computerhope.com/unix/tcpdump.htm

http://www.commandlinefu.com/commands/using/tcpdump  -- excellent examples

http://www.amazon.com/Practical-Packet-Analysis-Wireshark-Real-World/dp/1593272669/

 




Sunday, October 12, 2014

Part 2 with Jarrod Frates - how pentesting is important


Part 2 of our interview with Jarrod Frates (FRAY-tes). We ask him about the value that a pentest can create, and the way that the 'perfect' pentest can change culture and help create dialogue.

Also, we talk about how to take your automated testing info and then shift gears to manual testing... when to stop doing automated testing, and do the manual testing.

Hope you enjoy, have a great week!




Sunday, October 5, 2014

DerbyCon report and Shellshock news


We went a little off the beaten path this week. I wanted to talk to Mr. Boettcher about his experience at DerbyCon, and we ended up having another friend of ours who also attended DerbyCon, Jarrod Frates, join us for a bit of discussion. We discussed several talks, and even spent a little bit of time talking about ShellShock and its larger implications for those programs that are ubiquitous, yet are not being audited, like bash.  (The llama graphic will make more sense next week...) :)

http://www.irongeek.com/i.php?page=videos/derbycon4/t109-et-tu-kerberos-christopher-campbell

http://www.irongeek.com/i.php?page=videos/derbycon4/t217-hacking-mainframes-vulnerabilities-in-applications-exposed-over-tn3270-dominic-white

http://www.irongeek.com/i.php?page=videos/derbycon4/t210-around-the-world-in-80-cons-jayson-e-street

http://www.irongeek.com/i.php?page=videos/derbycon4/t216-once-upon-a-time-infosec-history-101-jack-daniel

http://askubuntu.com/questions/529511/explanation-of-the-command-to-check-shellshock

 




Sunday, September 28, 2014

Marcus J. Carey Interview Part 2 - China, IP, coming cyber war


We finished up our odyssey with Marcus J. Carey this week.  We picked his brain about how he feels about China, the coming cyberwar, and what kinds of tools he uses in his toolbox (hint: he doesn't use Kali).

We also talk a bit about the entitlement of people, and what makes folks in poorer countries turn to hacking. We really enjoyed hearing his take on certifications and education. He's a Ruby nut, but suggests that people learn Python. He also talks about how he teaches people about security: the little everyday things that show you do security.

A thought provoking interview that will definitely inspire you to pour yourself into a Python book, or to grab a Raspberry Pi and start learning.

 

 




Saturday, September 27, 2014

Video: Using GPG and PGP


This month, I wanted to go over a piece of software that seems to give a lot of people problems. In business, there is always a need for sending secure communications, whether because a client asked for it, or because sending sensitive information unencrypted could result in loss of profit, competitive edge, reputation, or all of the above.

 

This month's tutorial is on setting up PGP or GPG to be more secure when sending emails. I show you commands that allow you to create public/private key pairs, and also discuss the software to be used on Windows, Linux, or Mac OS. I mention signing and encrypting email attachments, and also explain that your headers are still unencrypted, so email metadata tracking is still possible.

 

Brakeing Security Podcast on PGP/GPG: http://brakeingsecurity.com/pgp-and-gpg-protect-your-data

Windows GPG solution: http://www.gpg4win.org

Mac GPG solution: https://gpgtools.org/

Kali/Linux RNG daemon instructions:

1. apt-get install rngd

2. rngd -r /dev/urandom (should make PGP creation on Kali much faster)

 



Monday, September 22, 2014

Marcus J. Carey, FireDrillMe, and the Rockstars of Infosec


Marcus J. Carey, a security researcher and software developer, came on to talk to us about FireDrill.me, a tool used to help people work out their Incident Response muscles.  He is also the creator of threatagent.com.

Marcus is well known in Security circles, and after we talked to him about FireDrill and ThreatAgent, we got his opinion of other subjects that interested us in the Infosec industry. Marcus is a man of his own mind, and he certainly did not disappoint. Hope you enjoy Part 1 of our conversation with him.

We also asked him about the celebrity that many in the industry face, and how it should be handled by people in the industry.

HoneyDocs - http://www.pcworld.com/article/2048881/honeydocs-lays-irresistible-bait-for-hackers.html

Malcolm Gladwell - http://en.wikipedia.org/wiki/Malcolm_Gladwell

http://www.firedrill.me

http://www.threatagent.com




Monday, September 15, 2014

Mr. Boettcher interviewed Ed Skoudis!


While I'm stuck at work, Mr. Boettcher went to the Austin Hackformers and snagged an interview with Mr. Ed Skoudis, of InGuardians and of the SANS Institute, a top flight training academy.  He is to be one of the keynote speakers at DerbyCon this year. He gives us a peek at his keynote, and Mr. Boettcher asks for his thoughts on SCADA security and on the Infosec industry as a whole.

 

Hackformers Austin: http://www.hackformers.org/

Ed Skoudis bio: http://www.sans.org/instructors/ed-skoudis

 

Bad Guys are Winning - Part 1: link

Bad Guys are Winning - Part 2: link

Bad Guys are Winning - Part 3: link

Bad Guys are Winning - Part 4: link

Bad Guys are Winning - Part 5: link

Netwars: Cybercity - http://www.sans.org/netwars/cybercity

Google Car: http://www.nbcbayarea.com/news/local/Google-to-Test-Self-Driving-Car-Without-Backup-Driver-275033691.html

 




Monday, September 8, 2014

Malware, Threat Intelligence, and Blue Team talks at cons -- with Michael Gough Pt.2


We're back with part 2 of our discussion with Michael Gough.  Not only do we discuss more about malware, but we also ask Michael's opinion on how commercialized conventions like Black Hat and Defcon have gotten, how good threat intelligence feeds are, and why there aren't more defensive talks at cons.

Michael is currently slated to give a talk on logging at DerbyCon September 24th, 2014 on how logging can help to mitigate malware infections.



Monday, September 1, 2014

Malware, and Malware Sentinel -- with Michael Gough Pt.1


Brian and I managed to get an interview with Michael Gough. If you remember, Michael was on to discuss malware infections back in February, and we decided it was time to check up on him and his newly named 'Malware Sentinel'. This is part 1, where we discuss some of the recent malware infections, where you need to look for new file creation, and what you can be looking for in your Windows logs that are excellent indicators of malware compromise.

 

Windows logging cheat sheet - http://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1.1.pdf

 

Malware Management Framework - http://sniperforensicstoolkit.squarespace.com/malwaremanagementframework



Monday, August 25, 2014

Reconnaissance: Finding necessary info during a pentest


I had a healthy debate with Mr. Boettcher this week about the merits of doing recon for a pentest. Mr. Boettcher is a heavy duty proponent of it, and I see it as a necessary evil, but not one that I consider important.  We hash it out, and find some common ground this week.

People search links:

Spokeo - http://www.spokeo.com/

Pipl - https://pipl.com/

 

Sec Filings site: http://www.sec.gov/edgar/searchedgar/webusers.htm



Friday, August 22, 2014

Mr. Boettcher made a thing! Setting up a proper Debian install!


Mr. Boettcher made a thing!  He created a video that highlights how to install Linux securely in a VM.  His next video will be how to set up OWASP's WebGoat to test for vulnerable web apps.  He noticed that documentation is a bit sparse, and often contradictory, so he wanted to help other folks who are having issues to get a proper install.

 

You will need a Network Install ISO of Debian, and you will need either VMware Player or Workstation.

His notes are below... Enjoy!

Secure the Goat #1 - Goat Pen

Create a directory where you will put the VM.  We'll call it 'goat'.
Download the Debian Network Install ISO and place it in the 'goat' directory.

Create a 'share' directory inside the goat directory.
Place a (test) file in the share directory.
In VMware Workstation, create a new VM using the Debian ISO and run the install.

Update the sudoers file:
$ su - root
$ update-alternatives --config editor
    change to vim.tiny by pressing 2 and Enter
$ visudo -f /etc/sudoers
    copy the root line and add one for the goat user

In order to install VMware Tools, we'll need to install these packages:
$ sudo apt-get install gcc linux-headers-$(uname -r) make

For the VMware Tools install to work properly, these symlinks are required:
$ cd /lib/modules/$(uname -r)/build/include/linux
$ sudo ln -s ../generated/utsrelease.h
$ sudo ln -s ../generated/autoconf.h

Insert the VMware Tools virtual CD:
In the Workstation menu select VM -> Install VMware Tools
$ tar -C /tmp/ -zxvf /media/cdrom/VMwareTools...
$ sudo /tmp/VMwareTools.../vmware-install.pl

Show desktop icons:
$ gsettings set org.gnome.desktop.background show-desktop-icons true

Change resolution in the menu at top:
    Applications / System Tools / Preferences / System Settings, then 'Displays'

In Workstation under VM / Settings, set the virtual machine shared folder.

Remove the ISO file, take a snapshot.



Monday, August 18, 2014

Ratproxy and on being a better Infosec Professional


This week, we go into a proxy program called "Ratproxy", and discuss its ins and outs.  Plus, Mr. Boettcher and I have a discussion about how we as infosec people should work with developers and IT professionals to provide them training and understanding of security concepts.

https://code.google.com/p/ratproxy/

http://blog.secureideas.com/2012/07/how-to-setup-ratproxy-on-windows.html

Ratproxy icon courtesy of honeytech and Flickr




Sunday, August 10, 2014

Introduction to nmap, Part 2


Here is Part 2 of our video for understanding the basics of nmap.  I discuss some of the logging output, the scripts found in Nmap, and the output that Nmap gives you for reporting or comparison later.

 

I really did want to go more into the Lua portion of the scripting engine, and perhaps make a simple script, but time constraints halted that. I hope to get more adept at video creation and hopefully editing, to make a more concise video tutorial.

Nmap target specifications: http://nmap.org/book/man-target-specification.html

 

http://nmap.org/book/nse-usage.html

 

Explanation of all Nmap scripts: http://nmap.org/nsedoc/

 

nmap icon courtesy of insecure.org



Saturday, August 9, 2014

Risk Management discussion with Josh Sokol - Part 2


This week we take some time to talk about risk management with Josh Sokol.  This is part 2 of our interview with him from last week... We talk some more about SimpleRisk from the POV of risk management, and about licensing/modification of SimpleRisk.

Mr. Boettcher and Josh discuss the merits of Qualitative vs. Quantitative Risk Analysis, and which one is better...

We also discuss the NIST 800 series guidelines, and how he used those to excellent effect in SimpleRisk.

 

NIST 800 Series docs - http://csrc.nist.gov/publications/PubsSPs.html

 

 




Sunday, July 27, 2014

Sqlmap - a little how-to, and getting your developers involved in using it.


Mr. Boettcher and I discussed SQLMAP, a tool that can automate the process of pentesting databases and even registries on Windows.  We discuss some functions of the program and why developers should get training on these.

Mr. Boettcher and I talk about how Infosec professionals should help to educate QA and Developers to be able to look at their processes and incorporate security testing, using tools like sqlmap in the Software lifecycle.

 

SQLMAP links

SQLMAP Wiki and more detailed documentation - https://github.com/sqlmapproject/sqlmap/wiki

http://sqlmap.org/

https://github.com/sqlmapproject/sqlmap

http://hackertarget.com/sqlmap-tutorial/

https://www.owasp.org/index.php/Automated_Audit_using_SQLMap

http://www.binarytides.com/sqlmap-hacking-tutorial/

http://blog.spiderlabs.com/2013/12/sqlmap-tricks-for-advanced-sql-injection.html



Sunday, July 20, 2014

Part 2 with Georgia Weidman!


It only gets better in Part 2 of our Interview with Georgia Weidman, Author, Security Researcher and Creator of the Smartphone Pentesting Framework.

 

She talks about how people underestimate the mobile platform for pentesting purposes, and we even find out that in addition to teaching a class on exploit development at BlackHat this year, she's going to be helping a great organization overseas.

We also got her talking about some do's and don'ts of pentesting! ;)

Please enjoy!

 

Georgia's book on No Starch: http://www.nostarch.com/pentesting

on Amazon.com: http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641 (non-sponsored link)



Sunday, July 13, 2014

Nmap (pt1)


So, I uploaded this little tutorial on nmap, a very nice tool I use on a regular basis, both at home and at work.

I did some basic scans, showed off the command line and the Windows 'Zenmap' GUI, and discussed some regularly used switches.

The next video I do about nmap will cover more switches, the Nmap Scripting Engine (NSE), and how to format reports from the output nmap provides.

Nmap icon courtesy of livehacking.com


Here is a new episode of Brakeing Down Security!

Part 1 with Author and Mobile Security Researcher Georgia Weidman!


We have a real treat for the next two weeks: author and mobile security researcher Georgia Weidman, who we also found out will be providing exploit development training at Black Hat this year.

She is the author of an awesome book "Penetration Testing: A Hands-On Introduction to Hacking" (http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641/ref=sr_1_1?ie=UTF8&qid=1405304124&sr=8-1&keywords=georgia+weidman)

She sat down with us over Skype and gave a nice talk about where she came from, why she wrote the book, and even what she's about to do in the future (that's next week). ;) You'll have to listen next week to find out about the awesome trip she's about to take.

http://www.bulbsecurity.com/

Here is a new episode of Brakeing Down Security!

Sunday, July 6, 2014

Establishing your Information Security Program - Part 2


This is the continuation of our podcast from last week with Phil Beyer.
We started out talking about risk registers, and we end the podcast with a little Q&A about positions in companies (Chief Risk Officer, Chief Data Protection Officer), and whether these positions are useful.

 Risk registers - http://en.wikipedia.org/wiki/Risk_register

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Here is a new episode of Brakeing Down Security!

Thursday, July 3, 2014

Choose your adventure!

Hello valued Listener! I want to do another video, and I thought that you might want to decide which one piece of software I highlight. So here are three options:

1. Nikto
2. Nmap
3. OpenVAS

You can send me your choice to my twitter (@bryanbrake) or to my gmail account (bds.podcast@gmail.com).

I will be taking input until 0000 UTC on Sunday July 6th (2000 Saturday 5 July US/Eastern). You can only vote once.


Here is a new episode of Brakeing Down Security!

Sunday, June 29, 2014

Establishing your Information Security Program - Part 1


Establishing an Information Security program can make or break an organization. So what do you need to get that started?
We have friend of the show Phil Beyer come in and discuss with us the five steps for creating an Information Security Program. Join us for Part 1; next week we'll finish up with a little Q&A, as well as what a 'risk register' is.

Here is a new episode of Brakeing Down Security!

Sunday, June 22, 2014

OWASP Top Ten: 1-5


We finished up the OWASP Top Ten List. We discussed Injection, XSS, and other goodness.

http://risky.biz/fss_idiots  - Risky Business Interview concerning Direct Object Reference and First State Superannuation

http://oauth.net/2/ - Great information on OAUTH 2.0.

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Here is a new episode of Brakeing Down Security!

Monday, June 16, 2014

OWASP Top Ten: Numbers 6 - 10


As we wade through the morass of the infosec swamp, we come across the OWASP Top 10 for 2013, its list of the most critical web application risks. Since Mr. Boettcher and I often find ourselves explaining these kinds of issues to people on the Internet and in our daily lives, we thought it would be prudent to help shed some light on them.

So this week we discuss the lower half of the Top 10, the ones that aren't as glamorous or as earth-shaking as XSS or SQLi, but are gotchas that will bite thine ass just as hard.

Next week is the big ones, the Top 5... all your favorites, in one place!

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Here is a new episode of Brakeing Down Security!

Sunday, June 8, 2014

Talk with Guillaume Ross - Part 2 (all things cloud)


This is part 2 of our podcast interview with Guillaume Ross, an infosec professional who is well versed in the intricacies of various cloud architectures, whether IaaS, PaaS, or SaaS. This part of the podcast discusses how contracts are established, and we ask whether smaller cloud providers have a chance against behemoths like Google, Amazon, and Microsoft.

 

Links brought up during the interview:

 

Rich Mogull's $500 Epic fail - https://securosis.com/blog/my-500-cloud-security-screwup

Rich Mogull's write-up on the aftermath and investigation - https://securosis.com/tag/cloud+security

 

Amazon VPC: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html

Azure Endpoints (how-to): http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/?rnd=1

 

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Here is a new episode of Brakeing Down Security!

Sunday, June 1, 2014

It all goes in "the cloud"

Brian and I interviewed Mr. Guillaume Ross (@gepeto42), an Information Security professional who helps organizations get themselves situated in cloud-based solutions. We get a better understanding of why people would want to put their info into the 'cloud' and how that differs from traditional co-lo and datacenters.

Guillaume's Blog: http://blog.binaryfactory.ca/

AWS (Amazon) Security Best Practices whitepaper: http://aws.amazon.com/whitepapers/aws-security-best-practices/

Amazon EC2 FAQ: http://aws.amazon.com/ec2/faqs/

Microsoft's Azure FAQ: http://azure.microsoft.com/en-us/support/faq/?rnd=1

"cloud computing icon" courtesy of smartdatacollective.com

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Here is a new episode of Brakeing Down Security!

Monday, May 26, 2014

BONUS!!!! Kismet Video!


As promised, I am posting a video I made explaining how to setup Kismet to do wireless scans.

The only prerequisites you need are VMware (it will work the same in VirtualBox) and a Kali Linux VM. The only real difference between the two is the prompt that asks whether the USB wireless adapter should connect to the host or to the VM. (The adapter has to be passed through to the VM because a virtual NIC can't be put into monitor mode.)

It's my first attempt editing a video, so please be kind


Here is a new episode of Brakeing Down Security!

Wireless scans with Kismet and Aircrack-ng


Mr. Boettcher and I had a great time this week.  We talked all about doing wireless audits for PCI using Kismet and Aircrack-ng, and talked about some capabilities of both.

 

Alfa AWUS051NH (works in Kali/Backtrack): http://www.amazon.com/gp/offer-listing/B002BFO490/ref=dp_olp_0?ie=UTF8&condition=all

kismetwireless.net

Using Karma with a Pineapple to fool clients into connecting unencrypted: http://www.troyhunt.com/2013/04/your-mac-iphone-or-ipad-may-have-left.html

Tutorial on hacking various wireless: http://cecs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm


Here is a new episode of Brakeing Down Security!

Saturday, May 24, 2014

Kevin Johnson Interview parts 1 and 2

It's been almost 3 months since we had the pleasure of interviewing Kevin Johnson, CEO of SecureIdeas. We haven't conducted a ton of interviews, but it was very interesting to get his perspective on security, and being in his SEC542 class was a great experience.


He has since quit teaching for SANS, but he is still doing training at other conferences; many of those classes involve the newest versions of SamuraiWTF and Burp CO2, the new add-on for Burp.


He has another class he is teaching with James Jardine in Orlando July 14th-17th, 2014. More Info Here


If you are in Orlando, you should take this course. Much cheaper than you'd probably get at SANS, and probably just as instructive.


If you'd like to hear our two part interview we did with Kevin Johnson, you can find them below

Part 1 Part 2

Have a great holiday weekend, and if you find yourself without anything to do, feel free to grab our other podcasts and have a listen!

Monday, May 19, 2014

PGP and GPG -- protecting your data and comms

I just posted our latest podcast about using PGP and GPG in your daily life and work. You can listen here: http://brakeingsecurity.com/pgp-and-gpg-protect-your-data We've also got a great integration with iTunes. We are 'BrakeingDownSecurity' on iTunes...

Or, you can just go to our homepage at

Thursday, May 1, 2014

Check out our new podcast episodes!

If you're here because of the blog post from here, then Welcome! We have several great interviews and episodes over at the Brakeing Down Security Podcast page. This page is for my ramblings, brain droppings, and general talk about security topics in general.

Please head over to brakeingsecurity.com and have a listen!

Wednesday, February 26, 2014

Episode 6: Michael Gough Part 2, video tutorials, and moving to Seattle, and a big thank you.

We had a great interview session with Michael Gough. That gentleman knows his way around malware, and I think his Sniper Forensic Toolkit would work great if you needed to secure several sensitive computer systems on the network. His BSides Austin in March is shaping up to be really excellent: a Red Team/Blue Team debate, speakers talking about safeguarding credit card info, and the Wednesday night talk on Windows logging is going to be something special. Add in the price of attending the conference, and you'd be crazy not to go. Plus, we've been asked to have a table at the conference! I would love to say we'll have swag, but all we'll have is Mr. Boettcher (hopefully!) doing drive-by interviews. Please come on by, and he'll ask you probing questions, like favorite colors, favorite packet dumps, and Picard/Kirk preference. :)


During the post interview conversation, we talked about the Neiman Marcus alerts that were being generated, 60,000 alerts, and they still didn't see them going off. Here is the link to that article... Neiman Marcus

We would really like to do more interviews, but I worry about not showcasing our own talents, so I will be working on some tutorial-type videos. Nothing fancy, just testing the waters for more in-depth applications. I wanted to start with an oldie but a goodie: Kismet. I'll show how to set it up, configure it to work with GPS, and import the results into Google Maps; incidentally, this will be a double feature with wardriving. I'll get to work on my shaky-cam skills too, but if I can get it to work, I'll be doing pretty well.


I'm sitting in my hotel room with my family, waiting to fly with my wife, daughter, and 3 furry children to Seattle, so my wife can work at a great job. I am able to work remotely, which is great, except the time zone is going to be a bit different for me. Plus, Mr. Boettcher and I will be 2 hours difference, which changes recording times for the podcast. We have the same issue on my other podcast (www.majortechnicality.com), since up until today, we were spread across 3 time zones. Things just got simpler, but we still have 3 hours between Dale, Jared, Farid, and myself. Change is good though. Makes for an interesting dynamic.


I just wanted to thank all of the people who have downloaded and/or listened to our podcast. Thanks to all of you, we've been accepted to iTunes, and we're getting to do what we love. Sharing info, talking about security, and having a good time. Plus, you probably get a few CPEs in the process.


Next week, we'll have part 1 of our interview with Kevin Johnson. A really great couple of interviews. Stay tuned!


Here is Part 2 of the Michael Gough Interview: Episode 6 Part 2

Thursday, February 20, 2014

Episode 6 Part 1: Michael Gough, Moon Pcap, Moving, and editorializing

Holy cow! We are in iTunes!!!

https://itunes.apple.com/us/podcast/brakeingdownsecurity-podcast/id799131292

We're in the big leagues now. I just noticed that this morning on our stats page from Libsyn... Apparently, people discovered us before I discovered myself. LOL


We had a great interview with Michael Gough (@hackerhurricane) from MI2Security about the malware that has been in the news recently. We talked a bit about how he would have done things differently if he was in the IT shop at Target.


One thing that we have to learn, as new podcasters in this industry, is to not editorialize. We cannot make statements of opinion as if they are a fact. We cannot say "Mr. Jones thinks X is fantastic", when he may not be all in on something.


It's a learning process, and thankfully, we learned it early, with someone who is cool and not pursuing legal action.


I (Bryan Brake) will be leaving the Austin area next week and moving to the Pacific Northwest with my wife, who has taken a position with a small mom-and-pop software company up there. I'm going to be working remotely, which is always nice, but my job will be no less demanding of my time. I'll just have to adapt to 7am PST meetings. :) We'll still be having a podcast; next week is another interview, with a person for whom Brian and I hold immense respect, both as a human being and as a security professional. You'll have to tune in to find out who. Use that spiffy new iTunes link. Now we just have to figure out how to change the icon, and author, and everything...


Oh yeah, I was trolling Twitter the other day, and someone at @sans_isc posted a link to a pcap of the MOON self-replicating malware that is plaguing Linksys routers. I posted a link on the BDS homepage so you can grab it. It goes to our Google Drive, so download it and check it out, you packet weasels!!! MOON Pcap file


Without further ado, here's Episode 6, Part 1, with Michael Gough Link

Sunday, February 9, 2014

Episode 5: Interview with Frank Kim

Man, it was a great week. If you ever have the chance to go to a SANS Course, do it, and do it often. It may be expensive, but the networking opportunities are great, and the instructors are just good people.



During the "Capture the Flag", which I will not give out information about (so don't ask), I felt utterly useless. I had done all that I felt I could do, but it's amazing that you can take experiences from your own work and apply it to issues. Once we'd gotten in, I remembered something about a security issue at our office, and in doing so, I found a flag! I went from thinking I was a failure to being a hero of our team. What we didn't know was that another team had found all the flags, but because of a configuration issue on their browser, they missed a flag they'd discovered. If they'd not done that, they would have won.



But because of that mistake, our team capitalized on the CTF, and won first place!



Mr. Boettcher and I had a blast over the week, networking with various people and instructors, meeting tons of great people, hearing Robert 'RSnake' Hansen speak at the SANS Summit, and just getting some really excellent training on tools like Burp, SamuraiWTF, sqlmap, and others.



We also got several interviews in the can. Episode 5 is with Frank Kim, an instructor with SANS who was teaching the secure Java coding class. We got him to sit down with us and discuss some of the issues dealing with the culture of secure coding.

Have a listen: Frank Kim Interview

Sunday, February 2, 2014

Episode 4: Origin stories, and talking about mentoring and reconnaissance

Next week is going to be super hectic for your favorite co-hosts. Starting on Monday 3 February, we'll be taking SANS SEC542 in an effort to get our GIAC Web Pentest certs (GWAPT).


I haven't been this nervous since I went for my CISSP. Another company paid the skrill for that cert as well. Thankfully, I passed my CISSP on the first try. I was always excellent at listening to and retaining information in school, and I write a decent test.


But I know I'll prevail, because of excellent instructors like Kevin Johnson and Jason Lam. And I'll have my comrade in security Mr. Boettcher right alongside of me.


Anywho, enjoy the episode. We didn't have show notes because of some logistical issues: our interview with Michael Gough had to be rescheduled until after our class, but we are going to have that really soon, and it will be awesome.


Take care, we love the feedback, thanks to all those with positive feedback, and those with constructive feedback. We hear you, and are learning so we can do better.

Sunday, January 26, 2014

#15: Episode 3 of Brakeing Down Security: Alerts, Events, and a bit of incident response

As promised, I just uploaded Episode 3. We go into detail about alert levels, what types of events cause alerts, and why they should be investigated and mitigated. Take a listen to it and to all of the other podcasts we've done. I think you'll enjoy them.


If you are a security, compliance, or audit professional, and would like to come on our show, please hit me up on Twitter (@bryanbrake), or put a comment here on the blog. We'd love to have you on, and have a healthy debate.

Episode 3 on Libsyn

Here are the show notes:


Episode 3 show notes

Saturday, January 25, 2014

#14: The Prime Directive, malware, and having a ball

The Prime Directive in pentesting... "Don't do anything outside the scope document". It's like the Fight Club rule. You don't go outside the scope of the pentest. You don't go playing around in environments you shouldn't, even if it's there.


But what happens when the scope document was made by someone other than people with an intimate knowledge of the assets involved, and can be called ambiguous at best? Is this like Star Trek, where breaking the Prime Directive is bad, but you do your best to notify as best you can, and stop when or if someone raises a flag?


When your organization engages a company to do a pentest, defining what systems are being tested and locking your scope down is paramount to having a good operation. Even after the document is agreed upon, speaking with the pentester doing the operation can clear up any issues that arise. If the pentester does happen to exceed scope, don't berate them unnecessarily. Thank them for notifying you of the findings, and then explain that those are outside of scope. If they continue to do so, you should report them. Often, they may have seen something so glaring that they feel ethically bound to mention it. I know that if I was doing a pentest or evaluation of a bank or business I used, I would definitely find a way to let them know.


You want to get the most bang for your money, so give the pentester a decent amount of time to test things. You may even want to run preliminary nmap scans, Nikto scans (if web apps are involved), or vulnerability scanners yourself and hand over the results. This information is very important at the beginning of a pentest, but it is often what takes the pentester the longest to gather. It's menial work that wastes good pentesting time. Plus, a professional pentest shouldn't be adversarial in nature. Unless, of course, it's supposed to be... :)


I know that in my last post we were going to have an interview with Michael Gough (Twitter @hackerhurricane) from MI2 Security about malware and APT attacks. In talking with him after our monthly ISSA meeting, we figured out that we could do a multi-part interview on malware and APT. He also mentioned at our ISSA meeting that there had been 6 additional retailers breached. We found out today (25 January) in a blog post from Brian Krebs that Michaels and its subsidiary Aaron Brothers were hit. That leaves 5 more retailers to come.


My guess is that WalMart is involved, and the only other one I'd imagine would be Kohl's... I don't know why, but those two are always on my mind when this story keeps coming up.


I never have had as much fun doing security as when I started this podcast, blog, and learning how to market ourselves. We are learning a lot about different subjects. It's also taken me out of my comfort zone quite a bit, because I'm not good at talking with people that I don't know, or soliciting input from strangers. I want to get my name, my brand out there, and my palms get sweaty just asking people if they'd like to come on our podcast. I'm sure that it will get easier. It's like learning to edit audio or video, you're gonna suck at it at first.


Episode 3 will be up late tomorrow night, just in time for your earballs to enjoy on your Monday morning commute. Hope you enjoy it. Our meeting with Michael Gough will take place Wednesday, and we'll be able to bring you that two or three parter in the weeks to come...

Sunday, January 19, 2014

#13: Vulnerability Scanners -- Episode 2

Episode 2 podcast

It's an odd thing, editing audio. Some people make it look so easy. It helps having only two people on the podcast. This is not my first podcast to be on. On my other podcast, "Major Technicality", I am merely a contributor, and Jared, our producer and co-host, spends several hours making everything sound just so.


Anyway, the audio will sound better on this one. Mic levels were dialed in, audio was normalized, and the crackling in the Intro is gone.


I really had a good time talking about vulnerability scanners. It's hard to believe that they've been around for over 20 years and yet haven't changed all that much. They still rely on banner grabbing, port scanning, and best guesses to decide whether a system is vulnerable, so an unauthenticated 'finding' is often a version-string match rather than a confirmed, exploitable condition. They should never be used as the end-all, be-all, and their results should truly be taken with a grain of salt.


Question all findings, trust nothing...


Next Friday we'll be flush from our monthly ISSA meeting, at which Michael Gough from MI2 Security will be discussing malware infections, and we are hoping to get a few minutes with him. We'll have the interview spliced into the podcast, and we'll be able to continue our discussion about malware. Our first interview! SQUEEEE!


I would have loved to speak about the other web application security scanners, but I really have only used Burp Suite. Brian and I will be attending SEC542 at the SANS convention 3-8 February in Austin, and we will definitely have one or more podcasts about web application pentesting and security assessment of websites.


Here are the show notes for this week:


Episode 2 show notes

Tuesday, January 14, 2014

#12: Here it is folks! Episode #1!

I hate sound editing.  I hate the sound of my voice when it's not reverberating in my head.  But doing this was all worth it. HERE IT IS!!!!  Episode #1 of "Brake"ing Down Security!!!!!111ELEVENTY!!

It's all about hashes.  I have included the show notes below in case you want to do more research.

Here is the link to access it on LibSyn:

http://traffic.libsyn.com/brakeingsecurity/final1.mp3

LibSyn also gives us an easy RSS feed, and you can follow in your favorite Feed by using the following link:

http://brakeingsecurity.libsyn.com/rss

We will try to get into iTunes very soon, but I will be posting this on my LinkedIn, and Twitter.

There are errors... We are working out the issues.  Sometimes it only sounds like we are out of sync... we talk over each other...

Something just for readers of this blog: I will post the heretofore unpublished first try of our podcast... I give you EPISODE 0!!! A prequel, if you will. This was our first try at the podcast in our office. We jumped around a little too much, which is why we re-did it. If you click here, you can listen to it. Uncut, unedited...

http://traffic.libsyn.com/brakeingsecurity/old_ep1.mp3

https://docs.google.com/document/d/1k5tK4OsH6M--UidcvArbfW0rjOkHeSEDm1_UrF64iyY/edit?usp=sharing

Feedback is welcome, thank you...

Saturday, January 11, 2014

#11: Well, it's an audio thing...

We recorded our first episode yesterday, and I thought it went great, however, there is a small issue with the audio.  I failed to change the switch on the back of the Snowball Microphone to setting '3', which makes the mic take audio from both the front and the back. So my co-host sounds great, as he was in the 'front', but I sound like I'm 10 feet away.

We aren't audio engineers... if we were, we would not be doing security. So I get to add to my repertoire of vast and varied skills. One of these days, we'll be doing video editing for technical segments... I can only imagine how that's going to go.

Also, there were some content issues we'd like to address. Our first podcast is on the subject of hashes: what they are, how they are used, and how to make it harder to recover the original data (passwords, PII, etc.) from them. We talked about collisions, key stretching (iterating the hash many times), and adding a salt to make them resistant to rainbow tables.
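Both the Episode #1 post above ("It's all about hashes") and this one point to salting and stretching as the defence against rainbow tables. As an added example, not from the podcast's show notes, here is what that looks like in code: a naive unsalted SHA-256 beside a salted, stretched PBKDF2-HMAC-SHA256 hash with a constant-time verify. The iteration count, storage format and sample passwords are this example's own choices, not something the podcast prescribes.

```python
import hashlib
import hmac
import os

# Chosen for this example; tune upward to what your hardware tolerates.
ITERATIONS = 100_000


def naive_hash(password):
    """Unsalted single SHA-256: the same password always yields the same
    digest, so one precomputed (rainbow) table cracks every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Random per-user salt plus key stretching via PBKDF2-HMAC-SHA256.
    The salt defeats precomputed tables; the iteration count makes every
    guess cost the attacker roughly `iterations` hash operations."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so the parameters can be raised later.
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo():
    """Hash one constructed password twice each way and report what a
    rainbow-table attacker would and would not get to reuse."""
    pw = "correct horse battery staple"
    a = hash_password(pw)
    b = hash_password(pw)
    return {
        "naive_identical": naive_hash(pw) == naive_hash(pw),
        "salted_differs": a != b,
        "verify_ok": verify_password(pw, a) and verify_password(pw, b),
        "verify_wrong": verify_password("Tr0ub4dor&3", a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two identical passwords produce two different PBKDF2 records because each gets its own salt, which is exactly what removes the payoff from a precomputed table; verification still works because the salt is stored alongside the digest, in the clear, where it is supposed to be.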

So my colleague will listen to it, and if he is okay with it, I'll post it on Monday. Don't expect a ton of production values, Probably intro and outro music.  And we probably won't have our first interview for a couple of weeks.

If you are interested in doing a 10-20 minute interview about a security topic near and dear to your heart, please let me know.  Twitter is probably the best way.  I can be found @bryanbrake, or you can message me on LinkedIn.

This blog will still be used to put up the show notes, which will have links to information that we talked about. We will try to find real info, and not just a ton of Wikipedia articles. :)  Also, we will use this for additional opinion articles that could be podcast episodes later on...

Have a great weekend, or hope you had a good one (depending on when you read this)...