Thursday, June 22, 2017

2017-021-small_biz_outreach-614con-prenicious_kingdoms-ransomware-bonus


This week, we discussed Ms. Berlin's recent foray to CircleCityCon, 614con (@614con), and her recent webinars with O'Reilly.

One topic we discussed this week was how to reach out to small businesses about information security. Mr. Boettcher (@boettcherpwned) had just came from a panel discussion about an initiative in Austin, Texas called "MANIFEST", which sought to engage small business owners with #information #security professionals to help them secure their environments.

So we got to discussing how you might go about it in your local hometowns. Many of us live in smaller towns, with numerous small businesses that either don't know to secure their #POS #terminals (for example), or office information not in a file cabinet. They may also just assume their outsourced IT company is doing that job, which could open them up to liability if something occurred. So we discuss ways to reach out, or get involved with your local community.

Secondly, we talk about software vulnerabilities found in the #CWE and the '7 Pernicious Kingdoms' which are the way some people have classified vulnerabilities. We one of the kingdoms, and how it is useful if you want to classify vulns to developers.

Finally, after the show, Mr. Boettcher and Mr. Michael Gough, who has been on the show previously discusses some #ransomware and why it's such a popular topic of discussion. (stay after the end music)

 

 

To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-021-small_biz_outreach-614con-prenicious_kingdoms-ransomware-bonus.mp3

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 


Here is a new episode of Brakeing Down Security Podcast!

Wednesday, June 14, 2017

2017-020-Hector_Monsegur_DNS_OSINT_Outlaw_Tech_eClinicalWorks_fine


Hector Monsegur (@hxmonsegur on Twitter) is a good friend of the show, and we invited him to come on and discuss some of the #OSINT research he's doing to identify servers without using noisy techniques like DNS brute forcing.

 

We also discuss EclinicalWorks and their massive fine for falsifying testing of their EHR system, and implications for that. What happens to customers confidence in the product, and what happens if you're already a customer and realize you were duped by them?

 

We also discuss Hector's involvement with the TV show "Outlaw Tech". Who approached him, why he did it, why it's not CSI:Cyber or "Scorpion" and how it discusses the techniques used by bad guys.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-020-Hector_monsegur_DNS_research_OSINT.mp3

 

#RSS: www.brakeingsecurity.com/rss

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---------- 

Show notes:

 

going beyond DNS bruteforcing and passively discovering assets from public datasets???

Very interested in hearing about this

Straight OSINT, or what?

Hxm: Over at RSL (Rhino Sec Labs), one of the research projects I’m working on is discovery of assets (subdomains) while minimizing footprint (dns bruteforcing). Datasets include things like:

 

Training gained from internal phishing campaigns

Does it breed internal mis-trust?

Recent campaign findings

Why do it if we know one account is all it takes? Because we know it’s a ‘win’ for security?

 

Outlaw Tech on Science Channel

What’s it about? (let’s talk about the show)

 

http://www.dw.com/en/estonia-buoys-cyber-security-with-worlds-first-data-embassy/a-39168011 - ”Estonia buoys cyber security with world's first data embassy” - interesting

 

https://www.digitalcommerce360.com/2017/05/31/eclinicalworks-will-pay-feds-155-million-settle-false-claims-charges/ -- holy shit

-- Reminds me of the whole emissions scandal from a couple of years back. http://www.roadandtrack.com/new-cars/car-technology/a29293/vehicle-emissions-testing-scandal-cheating/

 

http://securewv.com/cfp.html

 

 

 

OneLogin/Docusign breaches

OneLogin: https://arstechnica.com/security/2017/06/onelogin-data-breach-compromised-decrypted/

Docusign:  https://www.inc.com/sonya-mann/docusign-hacked-emails.html

http://www.spamfighter.com/News-20916-DocuSign-Data-Hack-Resulted-in-Malware-Ridden-Spam.htm

Crowdfunding to buy shadowbroker exploits ended: https://threatpost.com/crowdfunding-effort-to-buy-shadowbrokers-exploits-shuts-down/126010/

 

China's Cybersecurity Law: https://lawfareblog.com/chinas-cybersecurity-law-takes-effect-what-expect

 

Facial recognition for plane boarding:  http://money.cnn.com/2017/05/31/technology/jetblue-facial-recognition/index.html

 

 

Keybase.io’s Chrome plugin  -- Game changer? https://chrome.google.com/webstore/detail/easy-keybaseio-encryption/bhoocemedffiopognacolpjbnpncdegk/related?hl=en


Here is a new episode of Brakeing Down Security Podcast!

Tuesday, June 6, 2017

2017-019-Ms. Jessy Irwin, Effective Training in Small/Medium Businesses


 

This week, we invited Ms. Jessy Irwin (@jessysaurusrex) on to discuss the issues Small and medium businesses and startups have with getting good training, training that is effective and what can be done to address these issues.

We also go through several ideas for training subjects that should be addressed by training, and what maybe would be addressed by policy.

 

-------

Upcoming BrakeSec Podcast training:

Ms. Sunny Wear - Web App Security/OWASP

14 June - 21 June - 28 June at 1900 Eastern (1600 Pacific, 2300 UTC)

$20 USD on Patreon to attend the class

$9 USD for just the videos to follow along in class

Patreon: https://www.patreon.com/bds_podcast

 

If you want the videos and don’t care about the class, they will be released a week after class is over for free.

 

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Show Notes:

 

http://www.darkreading.com/endpoint/cybersecurity-training-nonexistent-at-one-third-of-smbs-/d/d-id/1328766

I don’t trust articles written with a survey created by a company that is touting their new education track at the bottom of the article. -- brbr

 

https://twitter.com/jessysaurusrex/status/859123589123121152

“So sick of the tired narrative that sec awareness is just about phishing when there are ~10 basic skills we need to be educating people on”

What are the ~10 things?

First off, most corporate security training misses the incentive mark by a mile. If training were refocused in a way that showed the incentives to improving personal safety, we might get somewhere. Teaching people how to take care of themselves first works-- those habits carry over into their work life, not usually the other way around.

 

  1. Passwords
  2. Multifactor authentication
  3. Device encryption
    1. Ad blocking
    2. Browser hardening via extension/plugin
  4. Safe browsing (this breaks into a few different topics)
    1. Phishing doesn't just happen via email anymore: social media inboxes, text message inboxes, messaging apps, etc.
    2. Most users won't come to social engineering defenses on their own-- important to educate and give alternatives that encourage them to confirm information out of band or navigate to a site in their browser
  5. Social engineering (this breaks into a few different topics)
  6. Segmentation/compartmentalizing data + communications
  7. Secure storage(local vs cloud data)
  8. Media storage safety (thumbdrives! Charge-only cables for mobile devices!)
    1. Google Apps + Slack allow for OAuth; most people set it and forget it, don't review what apps can act on their behalf until it's too late
  9. Regularly reviewing permissions granted to apps through oAuth
  10. Backups

 

http://www.zdnet.com/article/sans-security-awareness-study-reveals-technical-communication-skills-and-proper-resourcing-critical/

The report goes onto say that security awareness professionals with more technical backgrounds are more keen to recognizing behaviors that might bring risk, however, at times communications training is critical given that human interaction soft skills make changing risky employee behavior. They know what behaviors are the most effective in managing those risks. Often however, the challenge is that these same individuals often lack the skills or training to effectively communicate those risks and engage employees in a manner that effectively changes behavior.”  summed up our entire industry in this paragraph --brbr

  

https://securingthehuman.sans.org/resources/security-awareness-report-2017

^^^^ saw this on Twitter yesterday -brbr

 

Key takeaways:

 

The study recommends the following for addressing communications:

 

  • Communicate to leadership monthly about your security awareness program -- in a way that business leaders will value.
  • Find a strong champion within leadership, and ask them to help relay the program value to other leaders, or assist with message crafting.
  • Partner with those in the org that you've found to appreciate and adhere to security awareness inputs, especially those who can help partner on better communications.
  • Take communications training; they can be easily developed with the right focus.
  • Align with human resources to ensure an awareness program is tied into company culture.
  • Keep an eye on your audience, as it grows and shift, and recognize that the same message that works for developers may not be effective for marketing, and vice versa. A one-size-fits-all communications approach can be limiting. 

 

You writing a book?

 

I've been working on a book about security that's focused on education and communication. We do such a horrible job at this-- we don't do very much that helps the average person or our non-technical, non-expert colleagues have a chance at being successful online. Our terms are too technical, our framing is unbelievably negative and toxic, and the lack of empathy for the people at the other end of the computer is absolutely astounding. It is entirely fixable, but we all have to stop contradicting one another and really start working together. :)

 

You make it sound so bleak and self-destructive :|

I would like to hope that we can get better.

 

Oh yea, the echo chamber, “who has the right answer?” no one, we all just have pieces...

Yes! And sometimes the right answer changes very, very quickly! It's less about the silver bullet answer and more about what we’re defending from and hoping to accomplish.

 

Are SMBs the issue?

Are they more insecure than bigger companies?

Or do bigger companies get more media coverage?

 

Are bigger companies any better at training employees?

Or are they better at ‘checking’ the box?

 

If we take the statement ‘paid for security training sucks’ as a given, what do we do about it?

What trainings should we be giving?

  

And what training should actually be policy driven? (make it a requirement to follow)

Clean desk

Password manager

Coding practices

Acceptable use

Device encyption

2FA/MFA

 

What training do infosec people need? How important are the soft skills to help with communicating?


Here is a new episode of Brakeing Down Security Podcast!

Monday, May 29, 2017

2017-018-SANS_course-EternalBlue_and_Samba_vulnerabilities-DerbyCon contest details


We discuss SANS courses, including the one I just took (SEC504). How did I do in class? You can listen to the show and find out.

Since it's been a few weeks, we also discuss all the interesting WannaCry reports, the ease at which this vulnerability was exploited, and why would a company allow access to SMB (tcp port 445) from the Internet?

We discuss some upcoming training that we are holding starting 14 June. Ms. Sunny Wear will be doing 3 sessions discussing the use of Burp, and showing how to exploit various web application vulnerabilities.  Details are in the show notes and in our Slack Channel.

 

Ms. Sunny Wear is doing a web app security class

Starts June 14th at 1900 Eastern (1600 Pacific, 2300 UTC) 

Sign up for the class at the $20 dollar Patreon level (if you plan on attending)

Sign up for immediate video access at the $10 Patreon level (cannot attend class, but want to follow along)

Everyone will have access to the Slack Channel to follow along with the class, ask questions, etc (join our #slack channel for more information)

https://www.patreon.com/bds_podcast

 

Direct Link:   http://traffic.libsyn.com/brakeingsecurity/2017-018-SANS_course-EternalBlue-Samba-DerbyCon.mp3

RSS: www.brakeingsecurity.com/rss

 

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 SHOW NOTES:

 

SANS experience

Pity Quincenera - I (bryan) sucked

Need more experience

Speed kills (I (bryan) got flustered and I shutdown) you took speed?

No Kali - was surprised, until I thought of why :D

Was not helpful to my team (jacek, ryan, Michael C., David)

John Strand was phenomenal

Frank Kim was great

The audio was not, unfortunately :(

 

 

Samba/SMB (port 445) vulns

Use case for having it exposed?

**** OPEN TO SUGGESTIONS *****

What does that say about the company?

No security team, or the security team is ineffectual about telling people about the risks?

What

MS17-010 is the new MS08-067

http://thehackernews.com/2017/05/samba-rce-exploit.html

Over 400,000 open to the web

https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

 

Training announcement:

 

Ms. Sunny Wear doing a web app security class

Starts June 14th

Sign up for the class at the $20 dollar Patreon level

Sign up for immediate video access at the $10 Patreon level 

https://www.patreon.com/bds_podcast

 

 

Who’s Slide is it Anyways? @ImprovHacker

https://docs.google.com/forms/d/e/1FAIpQLSeLS0barWRdKVjPPyZ82lvC0UQMaDTJXRwF11qItlbZOrrf6A/viewform?c=0&w=1

 

#infosec #podcast #webAppSec #application #security


Here is a new episode of Brakeing Down Security Podcast!

Tuesday, May 9, 2017

2017-017-Zero_Trust_Networking_With_Doug_Barth,_and_Evan_Gilman


 Zero trust networking may be a foreign concept to you, but Google and others have been utilizing this method of infrastructure and networking for quite a while now. It stands more traditional networking on it's head by not having a boundry in the traditional sense. There's no VPN, no ACLs to audit, no firewall to maintain... Sounds crazy right?

Well, it's all about trust, or the lack of it. No one trusts anyone without a proper chain of permission. Utilizing 2FA, concepts of port knocking, and CA certificates are used to properly vet both the host and the server and are used to keep the whole system safe and as secure as possible.

Sounds great right? Well, and you can imagine, with our interview this week, we find out that it's not prefect, people have to implement their own Zero Trust Networking solution, and unless you are a mature organization, with things like complete asset management, data flow, and configuration management, you aren't ready to implement it.

Join us as we discuss Zero Trust Networking with Doug Barth (@dougbarth), and Evan Gilman (@evan2645)

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-017-Zero_Trust_Networks.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

show notes:

 

The lines are blurring:

 

DevOps

NetOps

SDN

SDP

docker/containerization

2FA authentication

 

https://devcentral.f5.com/articles/load-balancing-versus-application-routing-26129

http://www.darkreading.com/attacks-breaches/zero-trust-the-way-forward-in-cybersecurity/a/d-id/1327827

All good points, except no one wants to do the needful bits (ID’ing information, data flow, proper network design)

https://www.beyondcorp.com/

 

https://en.wikipedia.org/wiki/Software_Defined_Perimeter

 

Where is this Google article???

http://www.tomsitpro.com/articles/google-zerotrust-network-own-cloud,1-2608.html

https://cloud.google.com/beyondcorp/

https://www.theregister.co.uk/2016/04/06/googles_beyondcorp_security_policy/

 

Who benefits from this? Network engineers, apparently… :)

Devs?

IT?

Sounds like a security nightmare… who would get the blame for it failing

 

How do we keep users from screwing up the security model? Putting certs on their personal boxes?

 

Prior BrakeSec shows:  Software Defined Perimeter with Jason Garbis

http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3

 

http://shop.oreilly.com/product/0636920052265.do

 

Doug Barth Twitter: @dougbarth

 

Evan Gilman Twitter:  @evan2645

 

Runs counter, right? We are used to not trusting the client…

 

A Mature company can only implement

Device inventory

Config management

Data flow

Asset management

 

Micro-services?  

Brownfield networks

Sidecar model -

Certain OSes not possible


Here is a new episode of Brakeing Down Security Podcast!

Tuesday, May 2, 2017

2017-016-Fileless_Malware, and reclassifying malware to suit your needs


 Malware is big business, both from the people using it, to the people who sell companies blinky boxes to companies saying that they scare off bad guys.

The latest marketdroid speak appears to be the term 'fileless malware', which by definition...

 

FTA: “Malware from a "fileless" attack is so-called because it resides solely in memory, with commands delivered directly from the internet. The approach means that there's no executable on disk and no artefacts ("files") for conventional computer forensic analysis to pick up, rendering the attacks stealthy, if not invisible. Malware infections will still generate potential suspicious network traffic.”

 

https://www.theregister.co.uk/2017/04/28/fileless_malware_menace/ -- by definition, not ‘fileless’

But many of the 'fileless' attacks require a 'file' to be opened to enable the initial infection.

This week, Michael Gough (@hackerhurricane) comes on to discuss his latest blog post (http://hackerhurricane.blogspot.com/2017/05/fileless-malware-not-so-fast-lets.html) and we discuss the fact that a lot of malware classification and categorization and how it fails to actually convey to leaders what it affects

 

https://business.kaspersky.com/targeted-attacks-trends/6776/

http://www.binarydefense.com/powershell-injection-diskless-persistence-bypass-techniques/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-016-fileless_malware_reclassifying_malware_types.mp3

 

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Bsides Springfield, MO Eventbrite for Tickets: https://www.eventbrite.com/e/bsides-springfield-tickets-33495265240 (only 27 tickets left as of 28 Apr)

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/


Here is a new episode of Brakeing Down Security Podcast!

Wednesday, April 26, 2017

2015-015-Being a 'security expert' vs. 'security aware'


This week, we have a little story time. Developers should be aware of the kinds of vulnerabilities their code can be attacked with. XSS, Buffer overflows, heap overflows, etc should be terms that they understand. But is it enough that they are 'aware' of them, and yet seem to do nothing? Or should they be experts in their own particular area of development, and leave infosec people to deal with more generic issues?

We discuss the pros and cons of this argument this week, as well as how the idea of training people are flawed, because of who holds the purse strings. 

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-015-security_expert-vs-Security_aware_devs.mp3

 

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Bsides Springfield, MO Eventbrite for Tickets: https://www.eventbrite.com/e/bsides-springfield-tickets-33495265240 (only 27 tickets left as of 28 Apr)

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/


Here is a new episode of Brakeing Down Security Podcast!

Wednesday, April 19, 2017

2017-014-Policy_writing_for_the_masses-master_fingerprints_and_shadowbrokers


So, I (Bryan) had a bit of a work issue to discuss. It has become one of my myriad jobs at work to write up some policies. In and of itself, it's not particularly fun work, and for whatever reason, this is causing me all kinds of issues. So this week we take a quick look at why I'm having these issues, if they are because I don't get it, or because the method I must follow is flawed.

After that, we add on to last week's show on #2FA and #MFA (http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3) by discussing why scientists are trying to create a 'master fingerprint' capable of opening mobile devices. We talk about FAR and FRR (false acceptance/rejection rates), and why the scientists may actually be able to pull it off.

We discussed Ms. Berlin's trip to the AIDE conference (https://appyide.org/), a two day #DFIR conference held at Marshall University by our good friend Bill Gardner (@oncee on Twitter). She gave a great interactive talk on working through online wargames and CTFs, and we get her update on the conference.

Finally, we did discuss a bit about the #ShadowBroker dump of #NSA tools. We discussed how different people are taking this dump over the #Wikileaks #CIA dump.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-014-Policy_writing_for_the_masses-master_fingerprints_disneyland.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

--- show notes----

 

Discuss AIDE with Ms. Berlin

 

Log-MD.com posted their first video.

 

Fingerprint Masters (a case against biometrics):

http://www.popsci.com/computer-scientists-are-developing-master-fingerprint-that-could-unlock-your-phone

http://www.digitaltrends.com/cool-tech/master-prints-unlock-phones/


Encrypted comms causing issues for employers: https://iapp.org/news/a/employers-facing-privacy-issues-with-encrypted-messaging-apps/

 

ShadowBrokers dump

“Worst since Snowden”

https://motherboard.vice.com/en_us/article/the-latest-shadow-brokers-dump-of-alleged-nsa-tools-is-awful-news-for-the-internet

https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/

 

Making policies, easier said than done

Discuss DefSec chapter on Policies

Difficulty: aligning policies with compliance standards

FedRamp, PCI, etc

Writing a good policy so that it follows the guidelines

 

http://shop.oreilly.com/product/0636920051671.do -- Defensive Security Handbook


Here is a new episode of Brakeing Down Security Podcast!

Wednesday, April 12, 2017

2017-013-Multi-factor Auth implementations, gotchas, and solutions with Matt


Most everyone uses some kind of Multi-factor or '2 Factor Authentication". But our guest this week (who is going by "Matt" @infosec_meme)... Wanted to discuss some gotchas with regard to 2FA or MFA, the issues that come from over-reliance on 2FA, including some who believe it's the best thing ever, and we finally discuss other methods of 2FA that don't just require a PIN from a mobile device or token.

We also discuss it's use with concepts like "beyondCorp", which is google's concept of "Software Defined Perimeter" that we talked about a few weeks ago with @jasonGarbis (http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3)

This is a great discussion for people looking to implement 2FA at their organization, or need ammunition if your boss thinks that all security is solved by using Google Auth.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Show Notes:

 

What does MFA try to solve:

  • Mitigate password reuse
  • Cred theft - Someone stealing credentials from embarassingadultsite.com and turns they work out on a totallyserious.gov RDP server
  • Phishing bad - same as above, except now you convince someone totallyseriousgov.com is legit and they give you credentials

 

Cred theft:

 

Phishing:

 

MFA / Bad things happening with that:

 

Phishing/2FA/Solutions?

  1. a) What does multifactor actually solve?
  2. b) Are we (infosec industry) issuing multifactor solutions to people just so people make money?
  3. c)  Do these things give a *false* sense of security?
  4. d) What do you think about storing the token on the same box? Especially given an actor on the box is just going to steal creds as they’re entered.

 

Internal training / is this actually working?


Australia Post didn't think so

https://www.itnews.com.au/news/why-australia-post-ransomwared-its-own-staff-454987

 

Counterpoints:

It's irritating and does break at times ( https://twitter.com/dguido/status/842448889697447938 )

C: I don’t like running some silly app on my phone

C: I also don’t like running around with a physical token

C: Embedding a Yubico nano in my usb slot leaves me with one usb port left

Also doesn’t solve when someone just steals that token

 

Does any of it matter:

Beyondcorp / "Lets make the machines state be part of the credential"

https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf

  • Tl;dr of paper: TPMs, certificates and a lot of health checks - think of NAC on steroids

Is there some way we (not google) can make it so a credential is worthless?

 

Solutions:

Duo / “There's an app on my phone and it has context about what wants to do something right now”

Probably a step in the right direction

Kind of like some Aus banks which SMS you before transferring $X to Y account

Okta - (grab links to spec)

META // Does this actually solve it?

OAUTH - (grab links to spec)

Attacking OAUTH - https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/

META // It’s not MFA, but it makes the cost of unrelated compromise significantly lower

META // Engineering things to short lived secrets is a better idea

 

I think one of the better ideas being put out was by google in 2014, the ‘beyondcorp’ project (https://research.google.com/pubs/pub43231.html), simply put:

  • The devices used everywhere are chromebooks run in standard mode rather than developer mode
    • (Whitelisting For Free™)
  • Everything is a web app
  • Everything else can’t run due to app whitelisting built-in
  • The device needs to also authenticate before the user can do anything, and is used as part of the judgement for access control engines
  • Everything cares about the machine the user is using - It’s part of the credential
  • Passwords are no longer important and it’s all single sign on
    • Suddenly credential theft doesn’t matter
  • The device uses certificates to attest to its current state, so stolen passwords without a valid device don’t matter
  • As the device is a glorified web browser, and has app whitelisting, you’re not going to get code execution on it, malware no longer matters
    • Caveat, someone will probably think of some cool technique and that’ll ruin everything
    • See: Problem of induction / “Black swan event”

 

Obviously this is a massive undertaking and would require massive overhaul of everything, but it did look like Google were able to pull it off in the end. (https://research.google.com/pubs/pub44860.html).

 

Tavis is banging on LastPass again…  https://www.ghacks.net/2017/03/21/full-last-pass-4-1-42-exploit-discovered/

 

Duo Security // Beyondcorp

https://duo.com/blog/beyondcorp-for-the-rest-of-us



More info on Beyondcorp

https://www.beyondcorp.com

 

Misc// Hey google wrote a paper on U2F a while back

http://fc16.ifca.ai/preproceedings/25_Lang.pdf


Touched on briefly / “Secure Boot Stack and Machine Identity” at Google - Servers which need to boot up into a given state (Sounds like U/EFI except ‘ Google-designed security chip’)

https://cloud.google.com/security/security-design/resources/google_infrastructure_whitepaper_fa.pdf


META // Patrick Gray (sic) interviewed Duo last week and talked about the same thing

https://risky.biz/RB448/


Here is a new episode of Brakeing Down Security Podcast!

Wednesday, April 5, 2017

UK Gov Apprenticeship infosec programs with Liam Graves


One of our Slackers (people who hang with us on our Slack Channel) mentioned that he was in a program created by the UK Government to train high school and/or people headed to university in skills without the traditional 4 year education track.

I was very intrigued by this, since we don't appear to have anything like this, outside of interning at a company, which means you're not considered a full-time employee, have no benefits, and there's no oversight about what you are learning. (Your mileage may vary)

So we asked Liam Graves (@tunnytraffic) to come on and discuss his experience, and how he was enjoying it. We discuss various methods of alternative educations here and in the UK, as well as why someone should possibly consider an apprenticeship. We also discuss how that would work in the US (or could it?)

Also, I very sorry Ireland ... :) I did not mean to lump you in the rest of the Commonwealth...

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-012-UK_Gov_apprenticeships_with_Liam_Graves.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

-----

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

--

 

Show Notes:

UK apprenticeship schemes:

long established though a recent focus shift back from academic achievement to hands-on skills and understanding/applying more than just remembering.

End Point Assessment - project based final assessment.

 

A mix of targeted learning and on-the-job experience working towards a brief: https://www.thetechpartnership.com/globalassets/pdfs/apprenticeship-standards/cyber-intrusion-analysis/occupational-brief-cyber-intrusion-analyst.pdf

 

Boring - but some background reading. Apprentices at this level will use levels 1-3 of Bloom’s taxonomy (https://en.wikipedia.org/wiki/Bloom's_taxonomy) 1) Remembering (What type questions). 2) Understanding (Which of these/Why type questions) 3) Applying (It this then what scenarios and questions)

 

Other schemes include (new and existing):

  • Cyber Intrusion Analysts
  • Cyber Security Technologists
  • Data Analysts
  • Digital Marketers
  • Infrastructure Technicians
  • IT Technical Salesperson
  • Network Engineers
  • Software Developers
  • Software Development Technicians
  • Software Testers
  • Unified Communications Trouble-shooters (no idea what these ones are)
  • Unified Communications Technicians

 

https://www.gov.uk/apply-apprenticeship (links for Scotland & Wales on the same page).

 

https://www.thetechpartnership.com/about/ - employers drive the training for the type of employees they need.

 

Routes to employment - fast paced industry so 1) older pathways may not be relevant. 2) there are so many ways in to the industry pick the right one for you - there’s a difference between people who appreciate structured learning, are autodidactic, learn extra and over what’s expected, dev, risk, red/blue team, academic, hands-on, etc.

 

Internships (rarer, though some degrees offer a year in industry and will assist in making positions available)

 

Graduate schemes - very common, will give a grad opportunities to move around the business. Direct hires from uni.

 

IBM has a trade school - hiring 2,000 US Veterans in the next 5 years

https://www.axios.com/ibm-2000-jobs-exclusive-2317626492.html

 

Technical schools

http://www.browardtechnicalcolleges.com/

http://www.bates.ctc.edu/ITSpecialist

 

DoL apprenticeship programs

https://oa.doleta.gov/bat.cfm

 

Difference between ‘for-profit’ and ‘trade schools’

 

Internships = some companies are paying fat bank:

http://www.vanityfair.com/news/2016/04/summer-interns-at-tech-start-ups-are-making-six-figure-salaries

 

Washington State trades/apprenticeships

Mostly ‘blue’ collar positions

http://www.lni.wa.gov/TradesLicensing/Apprenticeship/Programs/TradeDescrip/

Few ‘technical positions’

 

Not sure there is an ‘apprenticeship’ in the US, outside of ‘internships’ that are given to college students

No ‘junior security architects’, or ‘junior pentesters’

Yet non-technical positions have junior slots

Manager / Senior manager, Project manager / Sr. Project manager

 

Difficulty in infosec apprenticeships

What are the ‘starter’ jobs?

IT related

Sysadmins

Log analyst

 

Useful links:

https://www.gov.uk/government/news/huge-response-to-join-cyber-security-apprenticeship-scheme

https://www.gov.uk/guidance/cyber-security-cni-apprenticeships

https://www.ncsc.gov.uk/new-talent

 

All available apprenticeships:

https://www.gov.uk/government/collections/apprenticeship-standards

 

Employer commitments:

https://www.gov.uk/take-on-an-apprentice

 

For people looking to pivot from non-Infosec jobs into cyber security:

https://cybersecuritychallenge.org.uk/about/new-to-the-challenge

https://www.scmagazineuk.com/government-cyber-retraining-academy-graduates-snapped-up-by-industry/article/647986/

https://www.gov.uk/government/publications/apprenticeship-levy-how-it-will-work/apprenticeship-levy-how-it-will-work

 

 

 


Here is a new episode of Brakeing Down Security Podcast!

Wednesday, March 29, 2017

2017-011-Software Defined Perimeter with Jason Garbis


We talked with Jason Garbis this week about Software Defined Perimeter (SDP). Ever thought about going completely without needing a VPN? Do you think I just made a crazy suggestion and am off my medications? Google has been doing it for years, and organizations like the Cloud Security Alliance are expecting this to be the next big tech innovation. So much so, that they are already drafting version 2 of the SDP guidelines.

So after talking with a friend of mine about how they were trying to implement it, he suggested talking to Jason, since he was on the steering committee for it. While Jason does work for a company that sells this solution, our discussion with him is very vendor agnostic, and he even discusses an open source version of SDP that you could implement or test out as a PoC (details in show notes below).

This is a great topic to stay on top of, as one day, your CTO/CIO or manager will come by and ask about the feasibility of implementing this, especially if your company assets are cloud based...  So have a listen!

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3

Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

Itunes: (look for '2017-011') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

 

 

 

-----

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---

 

Show Notes:

https://en.wikipedia.org/wiki/Software_Defined_Perimeter

https://cloudsecurityalliance.org/group/software-defined-perimeter/

    Hmmm… seems like a standard created by companies selling their products for it

        Have a product, create a problem, fix the problem...

 

How much alike is this to things like ‘Beyondcorp’?

    https://www.beyondcorp.com/

    http://www.networkworld.com/article/3053561/security/learning-about-sdp-via-google-beyondcorp.html

 

De-perimeterization - removing all the bits ‘protecting’ your computer

    Treat your computers as ‘on the Internet’

    https://en.wikipedia.org/wiki/De-perimeterisation

https://collaboration.opengroup.org/jericho/SPC_swhitlock.pdf

 

https://github.com/WaverleyLabs/SDPcontroller

 

2FA becomes much more important, or just plain needed, IMO --brbr

 

Questions:

    How will development of applications change when attempting to implement these technologies?

   

    If we allow deperimeterization of legacy apps (like Oracle products), with a complicated security model, how do you keep these older apps under control?

 

    Can this cut down on the “Shadow IT” issue? Does the user control the certs?

    How does this work with devices with no fully realized operating systems?

        Phones, HVAC, IoT

        Legacy SCADA or mainframes?

 

    What is the maturity level of a company to implement this?

        What minimum requirements are needed?

            Asset management?

            Policies?

        Who/how do you monitor this?

            More blinky boxes?

            Will WAFs and Web proxies still function as expected?

    Are there any companies companies were this is not a good fit?

        What’s the typical timeline for moving to this network model?

        What’s the best way to deploy this?

            Blow up old network, insert new network?

            Phase it in with new kit, replacing old kit?

    Compliance

        How do explain this to auditors?

            “We don’t have firewalls, that’s for companies that suck, we are 1337”

Other than “scalability” (which seems like regular solutions would have as well) I’d like to know what real value they provide


Here is a new episode of Brakeing Down Security Podcast!

Wednesday, March 22, 2017

2017-010-Authors Amanda Berlin and Lee Brotherston of the "Defensive Security Handbook"


Our very own Ms. Berlin and Mr. Lee Brotherston (@synackpse), veteran of the show, co-authored an #O'Reilly book called the "Defensive Security Handbook"

We talk with Amanda and Lee (or Lee and Amanda :D ) about why they wrote the book, how people should use the book, and how you can maximize your company's resources to protect you.

The best thing is that you can pick up the ebook right now! It's available for pre-order on Safari books (Link), or pre-order on Amazon.com (Link)

Hope you enjoy!

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-010-Defensive_Security_handbook.mp3

Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

Itunes: (look for '2017-010') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

 

 Previous Lee Brotherston episodes:

Threat Modeling w/ Lee Brotherston

Is your ISP MiTM-ing you

 Lee fills in for Mr. Boettcher, along with Jarrod Frates

TLS fingerprinting application

 

#Bsides #London is accepting Call for Papers (#CFP) starting 14 Febuary 2017, as well as a Call for Workshops. Tickets are sold out currently, but will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/   

CFP closes 27 march 2017

------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 


Here is a new episode of Brakeing Down Security Podcast!