Sunday, December 22, 2019

2019-046-end of the year, end of the decade, predictions, and how we've all changed


End of year, end of decade

    Are things better than 10 years ago? 5 years ago?

    If there was one thing to change things for the better, what would that be?

 

Good, Bad, Ugly 

Did naming vulns make things better?

    Which industries are doing a good job of securing themselves? Finance?

    What do you wished never happened (security/compliance wise)?

    Ransomware infections with no bounties

    Still have people believing “Nessus” is a pentest

 

https://nrf.com/

https://www.retailitinsights.com/eventscalendar/eventdetail/1c77d5c6-8625-4f2b-bb98-89cca6590c49 

https://monitorama.com/ 

https://www.apics.org/credentials-education/events

 

The Future

    PREDICTIONS!!!

    Bryan: The rise of the vetting programs  (Companies will want to vet content creators in their eco-systems)

    Cybuck: An uptick in surveillance tech; both disguised as cool home smart gadgets and straight up public safety.  Triggering a US GDPR type response.

Injection remains as the undisputed heavyweight champion of app sec vulnerability (OWASP top 10).  And wishful thinking...broken authentication moves lower, denial of service goes down. https://twitter.com/WeldPond/status/1207383327491137536/photo/1

JB: a major change in social media/generational shift in how we use it, legal or focus on new types of  mobile tech for example… Human networking in real-life in the age of ‘social’ ….“When you hire someone… you also hire their rolodex”  --- what do you think about this statement?  ..it’s role in InfoSec? Talent?

 

JB- shouted out https://github.com/redcanaryco/atomic-red-team (Invoke-Atomic framework with powershell now on Linux, OSX, and Windows)

 

JB - Link to hunting/stopping-human-trafficing org i mentioned :

Shoutout

 Sherrie Caltagirone, Executive Director, Global Emancipation Network @GblEmancipation

https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1569941622.pdf

 

Mentioned https://monitorama.com/ https://github.com/viq/air-monitoring-scripts (viq form brake sec )

 

       

Other topics

    Talk about where you were 10 years ago, and what you did to get where you are?

    Best Hacking tool?

    Best Enterprise Tool?

 

Recent news

https://www.zdnet.com/article/more-than-38000-people-will-stand-in-line-this-week-to-get-a-new-password/

https://www.phoronix.com/scan.php?page=news_item&px=CERN-MALT-Microsoft-Alternative 

https://www.iotworldtoday.com/2019/12/21/2020-predictions-apis-become-a-focus-of-iot-security/ 

https://www.jonesday.com/en/insights/2018/10/california-to-regulate-security-of-iot-devices 

News Stories from 2010 (see if they still make sense, or outdated)



https://www.infosecurity-magazine.com/magazine-features/what-makes-a-ciso-employable/

https://www.csoonline.com/article/2231454/verizon-s-2010-dbir--rise-in-misuse--malware-and-social-engineering.html

https://www.owasp.org/index.php/OWASPTop10-2010-PressRelease




Download here!

Tuesday, December 17, 2019

2019-045-Part 2-Noid, Dave Dittrich, empowered teams, features vs. security


The day after part 1

Keybase halted the spacedrop the day after the first podcast is complete...

 

Security failures in implementation

    “We need to push this to market, we’ll patch it later!”

 

Risk management discussion for project managers (PMP)

 

CIA Triad… where does ‘business goals’ fit? Security is at odds with the bottom line

    **Reference Noid’s Bsides Seattle talk and podcast earlier this year.**



Other companies that have made security mistakes in the name of business

 

Practical Pentest Labs storing passwords in the clear

https://twitter.com/mortalhys/status/1202867037120475136

https://web.archive.org/web/20191207132548/https://twitter.com/mortalhys/status/1202867037120475136 

https://twitter.com/piaviation/status/1202994484172218368



T-Mobile Austria partial password issues:

https://www.pcmag.com/news/360301/t-mobile-austria-admits-to-storing-passwords-partly-in-clear

    No one was championing security, because no one considered the problems with partial disclosure of the passphrase in an account.

    Marketing people on your socMedia accounts do NOT help allay security issues (cause they didn’t have escalation procedures for vuln disclosure)

        Insider threats could takeover accounts

 

Follow-up from last week’s show with Bea Hughes:

 

I liked the interesting docussion about security and DevOps teams with Bea Hughes in your recent podcast. When you mentioned you are taking your PMP for agile I'm surprised you did not mention the term "product owner".  You were asking who cares about security that you, as a security guy can talk to. Bea mentioned that it was the "stakeholders", but in the agile process the "product owner" is the team's advocate for the "stakeholders".

 

And, you also mentioned "PM", as in project manager. In an agile world, the typical PM role is minimized. Actually, the PM is removed entirely ideally in favor of empowered teams. Empowered teams understand that good products are reliable and secure. (Secure because the security CIA includes "availability" and "integrity" aka reliability.)

 

As Directory of DevOps for my 4,000 persons strong consulting company I'm working with our security team to push responsibility for security to our development teams. Empowering them to take the time and bear the costs of using security tools prior to release and during system operation is what we are working on now, as we roll into 2020. 

 

**If the ‘product owner’ or ‘empowered team’ does not consider security a priority/requirement, then who champions security? It only becomes a priority when something bad happens, like a breach. **

 

“Empowered teams”

 Some people aren’t fans:   https://hackernoon.com/the-surprising-misery-of-empowered-teams-35c3679cf11e

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

 


Download here!

Monday, December 9, 2019

2019-044-Noid and Dave Dittrich discusses recent keybase woes - Part 1


Patreon donor goodness: Scott S. and Ion S.

@_noid_ @davedittrich

Their response:

 “it’s not a bug, it’s a feature”

    “Don’t write a blog post that will point out the issue”

    “You pointing out our issues makes things more difficult for us”

    “It’s a free service, why are you hurting us?”

 

 

https://keybase.io/docs/bug_reporting



Nov 22nd

 

Noid (@_noid_) Keybase discussion blog post

https://www.whiskey-tango.org/2019/11/keybase-weve-got-privacy-problem.html

 

Reddit post showing potential SE attacks occurring: https://www.reddit.com/r/Keybase/comments/e6uou3/hi_guys_i_received_a_message_today_that_is/ 

 

Keybase’s decision to fix it came out after The Register asked them about the issue…

 

Dec 4th

https://keybase.io/blog/dealing-with-spam

       

 

Dec 5th.

https://www.theregister.co.uk/2019/12/05/keybase_struggles_with_harassment/



Problems with the implementation:  

        Requiring admins for Keybase to decide what’s wrong or if they need to be deleted

        Additional dummy accounts being created on other sites (keybase, twitter, git, reddit, etc), generating problems for those services (as if Twitter doesn’t have enough issues with bots/shitty people)

        Cryptocurrency = trolls/phishing/SE attempts to get folks to hand over their lumens (what’s the motivation of creating the coin?)

        They’ve already opened the spam door, and they’ll not be able to shut it.

Once they took the VC and aligned themselves with Stellar, the attack surface changes

    From Account takeover (integrity attacks) to deception (social engineering)

 

What is keybase?

    Social network?

    E2E chat

Encrypted file share/storage?

    CryptoCurrency Company? 

    Secure git repo protector?

 

Which ones do they do well?  

How could they have solved the spam issue?

    Made the cryptocoin a separate application?

        Even their /r/keybase is filling up with spammers asking about their Lumens

 

How could they fix it?

    You can’t contact someone unless that person allows you to.

    Allow someone to contact you, but do not allow adding to teams without permission

 

https://news.ycombinator.com/item?id=21719702 (ongoing HN thread)

Noid isn’t the only person with issues in Keybase: https://vicki.substack.com/p/keybase-and-the-chaos-of-crypto

 

https://it.slashdot.org/story/19/12/06/1610259/keybase-moves-to-stop-onslaught-of-spammers-on-encrypted-message-platform

 

https://keybase.io/docs-assets/blog/NCC_Group_Keybase_KB2018_Public_Report_2019-02-27_v1.3.pdf 



Stephen Carter's definition of “integrity.”

Integrity, as I will use the term, requires three steps: (1) discerning what is right and what is wrong, (2) acting on what you have discerned, even at personal cost; and (3) saying openly that you are acting on your understanding of right from wrong.

 — Stephen Carter, “Integrity.” Harper-Collins. https://www.harpercollins.com/9780060928070/integrity/

 

Can the person [who took the controversial act] explain their reasoning, based on principles they can articulate and would follow even if it meant they paid a price? Or do they selectively choose principles in arbitrary ways so as to fit the current circumstances in order to guarantee they get an outcome that benefits them?

 

noid’s blog post clearly documents the timeline of interactions with Keybase, including: (1) providing detailed steps to reproduce; (2) suggesting mitigations that could be implemented in the architecture; (3) providing guidance to users to protect themselves when the vulnerability disclosure was made public; and (4) justifying his decision to go public by citing and following a vulnerability disclosure policy of a major industry leader in this area, Google:

Following Google Security’s guidelines for issues being actively exploited in the wild, I chose to release this information 7 days after I last heard from Keybase.

The ACM Code of Conduct has several sections that could apply here:

1.1 Contribute to society and to human well-being, acknowledging that all people are stakeholders in computing.

1.2 Avoid harm.

1.6 Respect privacy.

2.1 Strive to achieve high quality in both the processes and products of professional work.

2.7 Foster public awareness and understanding of computing, related technologies, and their consequences.

3.1 Ensure that the public good is the central concern during all professional computing work.

3.7 Recognize and take special care of systems that become integrated into the infrastructure of society.

 

The right to privacy of your information, as well as the right to choose with whom you associate and communicate, are both arguably duties based on the concept of autonomy (i.e., your right to choose).

 

In biomedical and behavioral research, the principle involved here is known as Respect for Persons and is best recognized as the idea of informed consent. Giving users autonomy in making their data public, but not giving them autonomy in who they allow to communicate with them and add them to “teams,” could be viewed as conflicting as regards this principle.

 

This is in fact precisely what noid brought up in his initial communication with Keybase:

 

I had a random guy I don’t follow add me to a team and start messaging me about cryptocurrency stuff. This really shouldn’t be default behavior. This can result in a spam or harassment vector (hence why I’m reluctant to post it on the open forum). Ideally the default behavior should be that no one can add you to a team without your consent. Then maybe have an option of allowing those you follow to be able to do so, and as a final option let anyone add you to a team (but make sure folks know this isn’t recommended).


Download here!

Tuesday, December 3, 2019

2019-043-Bea Hughes, dealing with realistic threats in your org


Realistic Threats 

Nation states aren’t after you

https://twitter.com/beajammingh/status/1191884466752385025

https://twitter.com/beajammingh/status/1198671660150226946

https://twitter.com/beajammingh/status/1198671952824565762

 

https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling 

 

What are credible threats?

Malicious insiders - 

Non-malicious insiders - https://www.scmagazine.com/home/security-news/not-every-insider-threat-is-malicious-but-all-are-dangerous/

    Education issue?

    Is there such a thing as ‘non-malicious’ or is this just bunk?

 

Real threats

    https://resources.infosecinstitute.com/5-new-threats-every-organization-prepared-2018/  

CIO magazine threats -- buzzword threats (we should totally containerize all the things)

Vulns that have names (blue team is stuck dealing with ‘theoretical’ issues e.g. SPECTRE/MELTDOWN)

Lack of well-priced training?

    Dev Training?

    Security Training?

 

Better management communication will reduce threats

    Building trust so they don’t freak when ‘$insert_named_vuln’ shows up

    Gotta frame it to business needs

    “Everyone is vulnerable” - keep FUD to a minimum, don’t exaggerate.

    Know your industry’s threats (phishing, money transfer fraud, malware

Patreon donor:  Michael K. $10 patron!

Layer8conf - https://www.workshopcon.com/events

https://layer8conference.com/

 

Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of Sponsorships the conference secures.

As a side note WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups.

In terms of sponsorship information for Layer8, Patrick wants people to send an email to sponsors@layer8conference.com

Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!

 

Saturday June 6, 2020, RI Convention Center

 

https://www.dianainitiative.org/

https://twitter.com/DianaInitiative

 

Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Download here!