Sunday, January 26, 2014

#15: Episode 3 of Brakeing Down Security: Alerts, Events, and a bit of incident response

As promised, I just uploaded Episode 3. We go into detail about alert levels, what types of events cause alerts, and why they should be investigated and mitigated. Take a listen to it and all of the other podcasts we've done. I think you'll enjoy them.

If you are a security, compliance, or audit professional, and would like to come on our show, please hit me up on Twitter (@bryanbrake), or put a comment here on the blog. We'd love to have you on, and have a healthy debate.

Episode 3 on Libsyn

Here are the show notes:

Episode 3 show notes

Saturday, January 25, 2014

#14: The Prime Directive, malware, and having a ball

The Prime Directive in pentesting... "Don't do anything outside the scope document". It's like the Fight Club rule. You don't go outside the scope of the pentest. You don't go playing around in environments you shouldn't, even if it's there.

But what happens when the scope document was made by someone other than people with an intimate knowledge of the assets involved, and can be called ambiguous at best? Is this like Star Trek, where breaking the Prime Directive is bad, but you do your best to notify as best you can, and stop when or if someone raises a flag?

When your organization engages a company to do a pentest, defining what systems are being tested and locking your scope down is paramount to having a good operation. Even after the document is agreed upon, speaking with the pentester doing the operation can clear up any issues that arise. If the pentester does happen to exceed scope, don't berate them unnecessarily. Thank them for notifying you of the findings, and then explain that those findings are outside of scope. If they continue to exceed scope, you should report them. Often, they may have seen something so glaring that they are ethically bound to mention it. I know that if I were doing a pentest or evaluation and it was a bank or business I used, I would definitely find a way to let them know.

You want to get the most bang for your money, so you give the pentester a decent amount of time to test things. You may even want to run preliminary nmap scans, nikto scans (if web apps are involved), or vulnerability scanners yourself. This information is very important at the beginning of a pentest, but it is often the part that takes the pentester the longest. This is menial stuff that is a waste of good pentesting time. Plus, a professional pentest shouldn't be adversarial in nature. Unless, of course, it's supposed to be... :)

I know in my last post, we were going to have an interview with Michael Gough (Twitter @hackerhurricane) from MI2 Security about malware and APT attacks. In talking with him after our monthly ISSA meeting, we figured out that we could do a multi-part interview on malware and APT. He also mentioned in our ISSA meeting that there had been 6 additional retailers that had been breached. We found out today (25 January) in a blog post from Brian Krebs that Michaels and its subsidiary Aaron Brothers were hit. That leaves 5 more retailers to go.

My guess is that WalMart is involved, and the only other one I'd imagine would be Kohl's... I don't know why, but those two are always on my mind when this story keeps coming up.

I have never had as much fun doing security as since I started this podcast, blog, and learning how to market ourselves. We are learning a lot about different subjects. It's also taken me out of my comfort zone quite a bit, because I'm not good at talking with people that I don't know, or soliciting input from strangers. I want to get my name, my brand out there, and my palms get sweaty just asking people if they'd like to come on our podcast. I'm sure that it will get easier. It's like learning to edit audio or video: you're gonna suck at it at first.

Episode 3 will be up late tomorrow night, just in time for your earballs to enjoy on your Monday morning commute. Hope you enjoy it. Our meeting with Michael Gough will take place Wednesday, and we'll be able to bring you that two or three parter in the weeks to come...

Sunday, January 19, 2014

#13: Vulnerability Scanners -- Episode 2

Episode 2 podcast

It's an odd thing editing audio. Some people make it look so easy. It helps having only two people on the podcast. This is not my first podcast to be on. On my other podcast, "Major Technicality", I am merely a contributor, and Jared, our producer and co-host, spends several hours making everything sound just so.

Anyway, the audio will sound better on this one. Mic levels were dialed in, audio was normalized, and the crackling in the Intro is gone.

I really had a good time talking about vulnerability scanners. It's hard to believe that they've been around for over 20 years, and yet they haven't changed all that much. They still use concepts like banner grabbing, port scanning/knocking, and best guesses to scan a system for vulnerabilities. They should never be used as an end-all-be-all, and their results should truly be taken with a grain of salt.

Question all findings, trust nothing...

Next Friday, we'll be flush from our monthly ISSA meeting, at which Michael Gough, from MI2 Security, will be discussing malware infection, and we are hoping to be able to get a few minutes with him. We'll have the interview spliced into the podcast, and we'll be able to continue our discussion about malware. Our first interview! SQUEEEE!

I would have loved to speak about the other web application security scanners, but I really have only used Burp Suite. Brian and I will be attending SEC542 at the SANS convention 3-8 February in Austin, and we will definitely have one or more podcasts about web application pentesting and security assessment of websites.

Here are the show notes for this week:

Episode 2 show notes

Tuesday, January 14, 2014

#12: Here it is folks! Episode #1!

I hate sound editing.  I hate the sound of my voice when it's not reverberating in my head.  But doing this was all worth it. HERE IT IS!!!!  Episode #1 of "Brake"ing Down Security!!!!!111ELEVENTY!!

It's all about hashes.  I have included the show notes below in case you want to do more research.

Here is the link to access it on LibSyn:

LibSyn also gives us an easy RSS feed, and you can subscribe in your favorite feed reader by using the following link:

We will try to get into iTunes very soon, but I will be posting this on my LinkedIn, and Twitter.

There are errors... We are working out the issues.  Sometimes it only sounds like we are out of sync... we talk over each other...

Something just for readers of this blog... I will post the heretofore unpublished first try of our podcast... I give you EPISODE 0!!! A prequel, if you will. This was our first try at the podcast in our office. We jumped around a little too much, which is why we re-did it. If you click here, you can listen to it. Uncut, unedited...

Feedback is welcome, thank you...

Saturday, January 11, 2014

#11: Well, it's an audio thing...

We recorded our first episode yesterday, and I thought it went great, however, there is a small issue with the audio.  I failed to change the switch on the back of the Snowball Microphone to setting '3', which makes the mic take audio from both the front and the back. So my co-host sounds great, as he was in the 'front', but I sound like I'm 10 feet away.

We aren't audio engineers... if we were, we would not be doing security. So I get to add to my repertoire of vast and varied skills. One of these days, we'll be doing video editing for technical segments... I can only imagine how that's going to go.

Also, there were some content issues we'd like to address as well. Our first podcast is on the subject of hashes: what they are, how they are used, and we even talked about how to make it more difficult to recover any info from them (e.g. passwords, PII, etc.). We talked about collisions, hash stretching, and adding salt to make them resistant to rainbow tables.

So my colleague will listen to it, and if he is okay with it, I'll post it on Monday. Don't expect a ton of production value; probably just intro and outro music. And we probably won't have our first interview for a couple of weeks.

If you are interested in doing a 10-20 minute interview about a security topic near and dear to your heart, please let me know.  Twitter is probably the best way.  I can be found @bryanbrake, or you can message me on LinkedIn.

This blog will still be used to put up the show notes, which will have links to information that we talked about. We will try to find real info, and not just a ton of Wikipedia articles. :)  Also, we will use this for additional opinion articles that could be podcast episodes later on...

Have a great weekend, or hope you had a good one (depending on when you read this)...

Friday, January 3, 2014

#10: It's really happening folks...

Hell yea!  The new podcast "Brakeing Down Security" will happen on 10 January 2014.  Also, I'll have a co-host!

Before you go "Aw hell, ANOTHER security podcast", don't you fret, my army of followers. I have been following the "I Am The Cavalry" mailing list for a while (and if you aren't, you should be), and there is a real need out there for training and awareness. Both for those in the IT industry who do it on a daily basis and maybe don't understand why they are doing what they are doing, and for that college student looking to expand her/his knowledge of Information Security who may not have a good place to go.

In the past year or so, I have seen many excellent speakers at the Capital of Texas ISSA chapter talk about the difficulties of getting people to understand something as simple as password complexity or why we can't have Post-its on our monitors. This podcast is meant for folks like that, so if you're looking for techniques on how to reverse engineer Windows binaries, or creating malware for fun and profit, this won't be your bag. Ideally, I'd like to get up to that point, but that is probably many years in the future.

We are hoping to bring you interviews with people in the industry, people from the Privacy realm, from Healthcare, from Legal, you name it... What we want to show is how vast the industry truly is, so we may have a pentester on one month, a lawyer specializing in Privacy law the next month, or a compliance "check box weasel" the month after that (I apologize to all the Compliance Officers out there). We want to do multimedia stuff as well, but just learning the sound editing is gonna be a pain, and I'm not even sure how video editing will go.

We're not trying to be the next Pauldotcom or Network Security Podcast (who am I kidding, that'd be awesome!), but we just want to put ourselves out there to be another reference for people who may not want a deep technical discussion.

This is going to be a labor of love, plus, we get CPEs for doing research and preparing for the podcast, so there is a plus in that.

So look here, or on my Twitter feed @bryanbrake, or on my LinkedIn for the post to the podcast.  We'll most likely be using LibSyn for hosting, since I've been told by more than one person that they are pretty awesome.

I hope you enjoy it. We definitely want feedback, emails, and constructive criticism.