Wednesday, April 26, 2017

2015-015-Being a 'security expert' vs. 'security aware'


This week, we have a little story time. Developers should be aware of the kinds of vulnerabilities their code can be attacked with. XSS, Buffer overflows, heap overflows, etc should be terms that they understand. But is it enough that they are 'aware' of them, and yet seem to do nothing? Or should they be experts in their own particular area of development, and leave infosec people to deal with more generic issues?

We discuss the pros and cons of this argument this week, as well as how the idea of training people are flawed, because of who holds the purse strings. 

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-015-security_expert-vs-Security_aware_devs.mp3

 

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Bsides Springfield, MO Eventbrite for Tickets: https://www.eventbrite.com/e/bsides-springfield-tickets-33495265240 (only 27 tickets left as of 28 Apr)

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/


Here is a new episode of Brakeing Down Security Podcast!

Wednesday, April 19, 2017

2017-014-Policy_writing_for_the_masses-master_fingerprints_and_shadowbrokers


So, I (Bryan) had a bit of a work issue to discuss. It has become one of my myriad jobs at work to write up some policies. In and of itself, it's not particularly fun work, and for whatever reason, this is causing me all kinds of issues. So this week we take a quick look at why I'm having these issues, if they are because I don't get it, or because the method I must follow is flawed.

After that, we add on to last week's show on #2FA and #MFA (http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3) by discussing why scientists are trying to create a 'master fingerprint' capable of opening mobile devices. We talk about FAR and FRR (false acceptance/rejection rates), and why the scientists may actually be able to pull it off.

We discussed Ms. Berlin's trip to the AIDE conference (https://appyide.org/), a two day #DFIR conference held at Marshall University by our good friend Bill Gardner (@oncee on Twitter). She gave a great interactive talk on working through online wargames and CTFs, and we get her update on the conference.

Finally, we did discuss a bit about the #ShadowBroker dump of #NSA tools. We discussed how different people are taking this dump over the #Wikileaks #CIA dump.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-014-Policy_writing_for_the_masses-master_fingerprints_disneyland.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

--- show notes----

 

Discuss AIDE with Ms. Berlin

 

Log-MD.com posted their first video.

 

Fingerprint Masters (a case against biometrics):

http://www.popsci.com/computer-scientists-are-developing-master-fingerprint-that-could-unlock-your-phone

http://www.digitaltrends.com/cool-tech/master-prints-unlock-phones/


Encrypted comms causing issues for employers: https://iapp.org/news/a/employers-facing-privacy-issues-with-encrypted-messaging-apps/

 

ShadowBrokers dump

“Worst since Snowden”

https://motherboard.vice.com/en_us/article/the-latest-shadow-brokers-dump-of-alleged-nsa-tools-is-awful-news-for-the-internet

https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/

 

Making policies, easier said than done

Discuss DefSec chapter on Policies

Difficulty: aligning policies with compliance standards

FedRamp, PCI, etc

Writing a good policy so that it follows the guidelines

 

http://shop.oreilly.com/product/0636920051671.do -- Defensive Security Handbook


Here is a new episode of Brakeing Down Security Podcast!

Wednesday, April 12, 2017

2017-013-Multi-factor Auth implementations, gotchas, and solutions with Matt


Most everyone uses some kind of Multi-factor or '2 Factor Authentication". But our guest this week (who is going by "Matt" @infosec_meme)... Wanted to discuss some gotchas with regard to 2FA or MFA, the issues that come from over-reliance on 2FA, including some who believe it's the best thing ever, and we finally discuss other methods of 2FA that don't just require a PIN from a mobile device or token.

We also discuss it's use with concepts like "beyondCorp", which is google's concept of "Software Defined Perimeter" that we talked about a few weeks ago with @jasonGarbis (http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3)

This is a great discussion for people looking to implement 2FA at their organization, or need ammunition if your boss thinks that all security is solved by using Google Auth.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Show Notes:

 

What does MFA try to solve:

  • Mitigate password reuse
  • Cred theft - Someone stealing credentials from embarassingadultsite.com and turns they work out on a totallyserious.gov RDP server
  • Phishing bad - same as above, except now you convince someone totallyseriousgov.com is legit and they give you credentials

 

Cred theft:

 

Phishing:

 

MFA / Bad things happening with that:

 

Phishing/2FA/Solutions?

  1. a) What does multifactor actually solve?
  2. b) Are we (infosec industry) issuing multifactor solutions to people just so people make money?
  3. c)  Do these things give a *false* sense of security?
  4. d) What do you think about storing the token on the same box? Especially given an actor on the box is just going to steal creds as they’re entered.

 

Internal training / is this actually working?


Australia Post didn't think so

https://www.itnews.com.au/news/why-australia-post-ransomwared-its-own-staff-454987

 

Counterpoints:

It's irritating and does break at times ( https://twitter.com/dguido/status/842448889697447938 )

C: I don’t like running some silly app on my phone

C: I also don’t like running around with a physical token

C: Embedding a Yubico nano in my usb slot leaves me with one usb port left

Also doesn’t solve when someone just steals that token

 

Does any of it matter:

Beyondcorp / "Lets make the machines state be part of the credential"

https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf

  • Tl;dr of paper: TPMs, certificates and a lot of health checks - think of NAC on steroids

Is there some way we (not google) can make it so a credential is worthless?

 

Solutions:

Duo / “There's an app on my phone and it has context about what wants to do something right now”

Probably a step in the right direction

Kind of like some Aus banks which SMS you before transferring $X to Y account

Okta - (grab links to spec)

META // Does this actually solve it?

OAUTH - (grab links to spec)

Attacking OAUTH - https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/

META // It’s not MFA, but it makes the cost of unrelated compromise significantly lower

META // Engineering things to short lived secrets is a better idea

 

I think one of the better ideas being put out was by google in 2014, the ‘beyondcorp’ project (https://research.google.com/pubs/pub43231.html), simply put:

  • The devices used everywhere are chromebooks run in standard mode rather than developer mode
    • (Whitelisting For Free™)
  • Everything is a web app
  • Everything else can’t run due to app whitelisting built-in
  • The device needs to also authenticate before the user can do anything, and is used as part of the judgement for access control engines
  • Everything cares about the machine the user is using - It’s part of the credential
  • Passwords are no longer important and it’s all single sign on
    • Suddenly credential theft doesn’t matter
  • The device uses certificates to attest to its current state, so stolen passwords without a valid device don’t matter
  • As the device is a glorified web browser, and has app whitelisting, you’re not going to get code execution on it, malware no longer matters
    • Caveat, someone will probably think of some cool technique and that’ll ruin everything
    • See: Problem of induction / “Black swan event”

 

Obviously this is a massive undertaking and would require massive overhaul of everything, but it did look like Google were able to pull it off in the end. (https://research.google.com/pubs/pub44860.html).

 

Tavis is banging on LastPass again…  https://www.ghacks.net/2017/03/21/full-last-pass-4-1-42-exploit-discovered/

 

Duo Security // Beyondcorp

https://duo.com/blog/beyondcorp-for-the-rest-of-us



More info on Beyondcorp

https://www.beyondcorp.com

 

Misc// Hey google wrote a paper on U2F a while back

http://fc16.ifca.ai/preproceedings/25_Lang.pdf


Touched on briefly / “Secure Boot Stack and Machine Identity” at Google - Servers which need to boot up into a given state (Sounds like U/EFI except ‘ Google-designed security chip’)

https://cloud.google.com/security/security-design/resources/google_infrastructure_whitepaper_fa.pdf


META // Patrick Gray (sic) interviewed Duo last week and talked about the same thing

https://risky.biz/RB448/


Here is a new episode of Brakeing Down Security Podcast!

Wednesday, April 5, 2017

UK Gov Apprenticeship infosec programs with Liam Graves


One of our Slackers (people who hang with us on our Slack Channel) mentioned that he was in a program created by the UK Government to train high school and/or people headed to university in skills without the traditional 4 year education track.

I was very intrigued by this, since we don't appear to have anything like this, outside of interning at a company, which means you're not considered a full-time employee, have no benefits, and there's no oversight about what you are learning. (Your mileage may vary)

So we asked Liam Graves (@tunnytraffic) to come on and discuss his experience, and how he was enjoying it. We discuss various methods of alternative educations here and in the UK, as well as why someone should possibly consider an apprenticeship. We also discuss how that would work in the US (or could it?)

Also, I very sorry Ireland ... :) I did not mean to lump you in the rest of the Commonwealth...

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-012-UK_Gov_apprenticeships_with_Liam_Graves.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

-----

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

--

 

Show Notes:

UK apprenticeship schemes:

long established though a recent focus shift back from academic achievement to hands-on skills and understanding/applying more than just remembering.

End Point Assessment - project based final assessment.

 

A mix of targeted learning and on-the-job experience working towards a brief: https://www.thetechpartnership.com/globalassets/pdfs/apprenticeship-standards/cyber-intrusion-analysis/occupational-brief-cyber-intrusion-analyst.pdf

 

Boring - but some background reading. Apprentices at this level will use levels 1-3 of Bloom’s taxonomy (https://en.wikipedia.org/wiki/Bloom's_taxonomy) 1) Remembering (What type questions). 2) Understanding (Which of these/Why type questions) 3) Applying (It this then what scenarios and questions)

 

Other schemes include (new and existing):

  • Cyber Intrusion Analysts
  • Cyber Security Technologists
  • Data Analysts
  • Digital Marketers
  • Infrastructure Technicians
  • IT Technical Salesperson
  • Network Engineers
  • Software Developers
  • Software Development Technicians
  • Software Testers
  • Unified Communications Trouble-shooters (no idea what these ones are)
  • Unified Communications Technicians

 

https://www.gov.uk/apply-apprenticeship (links for Scotland & Wales on the same page).

 

https://www.thetechpartnership.com/about/ - employers drive the training for the type of employees they need.

 

Routes to employment - fast paced industry so 1) older pathways may not be relevant. 2) there are so many ways in to the industry pick the right one for you - there’s a difference between people who appreciate structured learning, are autodidactic, learn extra and over what’s expected, dev, risk, red/blue team, academic, hands-on, etc.

 

Internships (rarer, though some degrees offer a year in industry and will assist in making positions available)

 

Graduate schemes - very common, will give a grad opportunities to move around the business. Direct hires from uni.

 

IBM has a trade school - hiring 2,000 US Veterans in the next 5 years

https://www.axios.com/ibm-2000-jobs-exclusive-2317626492.html

 

Technical schools

http://www.browardtechnicalcolleges.com/

http://www.bates.ctc.edu/ITSpecialist

 

DoL apprenticeship programs

https://oa.doleta.gov/bat.cfm

 

Difference between ‘for-profit’ and ‘trade schools’

 

Internships = some companies are paying fat bank:

http://www.vanityfair.com/news/2016/04/summer-interns-at-tech-start-ups-are-making-six-figure-salaries

 

Washington State trades/apprenticeships

Mostly ‘blue’ collar positions

http://www.lni.wa.gov/TradesLicensing/Apprenticeship/Programs/TradeDescrip/

Few ‘technical positions’

 

Not sure there is an ‘apprenticeship’ in the US, outside of ‘internships’ that are given to college students

No ‘junior security architects’, or ‘junior pentesters’

Yet non-technical positions have junior slots

Manager / Senior manager, Project manager / Sr. Project manager

 

Difficulty in infosec apprenticeships

What are the ‘starter’ jobs?

IT related

Sysadmins

Log analyst

 

Useful links:

https://www.gov.uk/government/news/huge-response-to-join-cyber-security-apprenticeship-scheme

https://www.gov.uk/guidance/cyber-security-cni-apprenticeships

https://www.ncsc.gov.uk/new-talent

 

All available apprenticeships:

https://www.gov.uk/government/collections/apprenticeship-standards

 

Employer commitments:

https://www.gov.uk/take-on-an-apprentice

 

For people looking to pivot from non-Infosec jobs into cyber security:

https://cybersecuritychallenge.org.uk/about/new-to-the-challenge

https://www.scmagazineuk.com/government-cyber-retraining-academy-graduates-snapped-up-by-industry/article/647986/

https://www.gov.uk/government/publications/apprenticeship-levy-how-it-will-work/apprenticeship-levy-how-it-will-work

 

 

 


Here is a new episode of Brakeing Down Security Podcast!