Tuesday, December 18, 2018

2018-044: Mike Samuels discusses NodeJS hardening initiatives


Mike Samuels

https://twitter.com/mvsamuel


https://github.com/mikesamuel/attack-review-testbed

https://nodejs-security-wg.slack.com/



Hardening NodeJS

 

Speaking engagement talks:

A Node.js Security Roadmap at JSConf.eu - https://www.youtube.com/watch?v=1Gun2lRb5Gw

Improving Security by Improving the Framework @ Node Summit - https://vimeo.com/287516009

Achieving Secure Software through Redesign at Nordic.js - https://www.facebook.com/nordicjs/videos/232944327398936/?t=1781



What is a package: (holy hell, why is this so complicated?)

   

A package is any of:

  a) a folder containing a program described by a package.json file
  b) a gzipped tarball containing (a)
  c) a url that resolves to (b)
  d) a <name>@<version> that is published on the registry with (c)
  e) a <name>@<tag> that points to (d)
  f) a <name> that has a latest tag satisfying (e)
  g) a git url that, when cloned, results in (a).


https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4

 

https://blog.risingstack.com/node-js-security-checklist/

 

https://www.npmjs.com/package/trusted-types

https://github.com/WICG/trusted-types/issues/31


Here is a new episode of Brakeing Down Security Podcast!

Monday, December 10, 2018

2018-043-Adam-Baldwin, npmjs Director of Security, event stream post mortem, and making your package system more secure


Adam Baldwin (@adam_baldwin)

Director of Security, npm

 

https://foundation.nodejs.org/

https://spring.io/understanding/javascript-package-managers

 

Role in the NodeJS project

    Advisory? Active role? Maintain security modules?

    Are there any requirements to being a dev?

    Are there different roles in the NodeJS environment?

    Is there any review of system sensitive packages? (or has that ship sailed…)

 

Discussion of timeline from NodeJS security team

    When were you notified? (or were you notified at all?)

    What steps were taken to fix the issue?

    Lessons learned?

 

Official npm security policy: https://www.npmjs.com/policies/security (good stuff!)

 

Event-stream (initial bug report):   https://github.com/dominictarr/event-stream/issues/116

 

Only affected Bitcoin wallets from ‘Copay’

https://nakedsecurity.sophos.com/2018/11/28/javascript-library-used-for-sneak-attack-on-copay-bitcoin-wallet/

“Cue relief, mixed with frustration, for anyone not targeted. Developer Chris Northwood wrote:

We’ve wiped our brows as we’ve got away with it, we didn’t have malicious code running on our dev machines, our CI servers, or in prod. This time.”

 

https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4

“The damage this could have caused is incredible to think about. The projects that depend on this aren’t trivial either, Microsoft’s original Azure CLI depends on event-stream! Think of the systems that either develop that tool or run that tool. Each one of those potentially had this malicious code installed.”

 

https://thehackernews.com/2018/11/nodejs-event-stream-module.html

“The malicious code detected earlier this week was added to Event-Stream version 3.3.6, published on September 9 via NPM repository, and had since been downloaded by nearly 8 million application programmers.”

 

https://www.analyticsvidhya.com/blog/2018/07/using-power-deep-learning-cyber-security/

 

Hacker News (with comments): https://news.ycombinator.com/item?id=18534392

 

Official npm blog post: https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

https://blog.npmjs.org/post/175824896885/incident-report-npm-inc-operations-incident-of

https://resources.whitesourcesoftware.com/blog-whitesource/top-5-open-source-security-vulnerabilities-november-2018

 

2017 package/user stats: https://www.linux.com/news/event/Nodejs/2016/state-union-npm

 

According to npmjs.org: over 800,000 packages (854,000 packages, 7 million+ individual versions)

 

Dependency hell in NodeJS:

https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/

    “Roughly 76% of Node shops use vulnerable packages, some of which are extremely severe; and open source projects regularly grow stale, neglecting to fix security flaws.”

 

History of NodeJS security issues:

 

ESLINT: https://nodesource.com/blog/a-high-level-post-mortem-of-the-eslint-scope-security-incident/

Left-pad: https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

 

How to ensure this type of issue doesn’t happen again? (or is that possible, considering the ecosystem?)

What can devs, blueteams, or companies that live and die by NodeJS do to increase security, or assist in making NPM Security team’s job easier?

 

What is the responsibility of consumers of open source?

 

What can be done to ensure vetting for ‘important’ packages?

Can someone manage maintainer turnover? (or has that ship sailed?)

 

Security scanners:

https://geekflare.com/nodejs-security-scanner/

https://techbeacon.com/13-tools-checking-security-risk-open-source-dependencies-0

 

Threat assessment or ‘what could go wrong in the future’?

    Bad code

    “Trust issues”

    Repo corruption

    Hijacking packages

   

Keep up to date on NodeJS security issues:

https://nodejs.org/en/security/

https://groups.google.com/forum/#!forum/nodejs-sec

 

^ this is great for Node itself, but what if you want to stay up to date with security advisories across the ecosystem?

npmjs.com/advisories or @npmjs on Twitter


https://rubysec.com/ - Ruby security group

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!: https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel: http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site: https://brakesec.com/bdswebsite

#iHeartRadio App: https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon: https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM: https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec



Sunday, December 2, 2018

2018-042-Election security processes in the state of Ohio


Where in the world is Ms. Amanda Berlin?

    Keynoting hackerconWV

 

Election Security

 

Cuyahoga County:

 

Intro: Jeremy Mio (@cyborg00101)

Name?

Why are you here?

 

Discussing how Ohio does election operations.

    Walk through the process

Pre-Elections

Elections Night

Post Elections

 

All about the C.I.A.

Votes must be confidential

Votes must not be compromised (integrity)

Voting should be available and without outage

 

Did a tabletop exercise with all counties in Ohio (impressive!)

    Gamified, using role-reversal

    Points based system

    Different technology has different point values

 

Physical security/chain of custody

Retention

 

EI-ISAC - election infra ISAC

https://www.cisecurity.org/services/albert/ - Albert system

https://www.cisecurity.org/best-practices-part-1/ - election security best practices

 

How does the Ohio election process stack up against other states?

 

Media Perception in Elections Hacking and threats

11 year olds ‘hacking election’

    Yes, good for a news article title

    Goes to show how easy it is to actually hack systems

        Train someone on SQLI, pwn the things

 

Elections Security Operations and Preparation

Technology types

    Ballot

    Booths

    Mail-in ballots

 

Securing election infra

    What can be done to make it more secure?

 


Sunday, November 25, 2018

2018-041: part 2 of Kubernetes security insights w/ ian Coldwater


@IanColdwater  https://www.redteamsecure.com/ *new gig*

 

So many different moving parts

Plugins

Code

Hardware

 

She’s working on her speaking schedule for 2019

 

How would I use these at home?

    https://kubernetes.io/docs/setup/minikube/

 

Kubernetes - up and running

    https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677

 

General wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes

 

https://twitter.com/alicegoldfuss - Alice Goldfuss

 

Derbycon Talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater

 

Tesla mis-configured Kubes env:

 

From the talk: https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/

 

Redlock report mentioned in Ars article:  https://redlock.io/blog/cryptojacking-tesla

 

Setup your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)

 

Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/

 

https://github.com/aquasecurity/kube-hunter -


Threat Model
    What R U protecting?

    Who R U protecting from?

    What R your Adversary’s capabilities?

    What R your capabilities?

 

Defenders think in Lists

Attackers think in Graphs

 

What are some of the visible ports used in K8S?

    44134/tcp - Helmtiller, weave, calico

    10250/tcp - kubelet (kubelet exploit)

        No authN, completely open

    10255/tcp - kubelet port (read-only)

    4194/tcp - cAdvisor

    2379/tcp - etcd

        Etcd holds all the configs

        Config storage
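A defender's check for the kubelet exposure listed above (10250 reachable without authN, 10255 serving read-only data), as an added example that is not from the podcast or from the Kubernetes project: it audits a parsed KubeletConfiguration against the hardened settings, with a constructed weak config beside the corrected one. Field names follow the kubelet.config.k8s.io/v1beta1 schema; the sample configs, the audit rules and the audit_kubelet_config helper are this example's own.

```python
"""Audit a parsed kubelet configuration for the exposure the show notes
describe: an unauthenticated kubelet API on 10250/tcp and the read-only
kubelet port on 10255/tcp.  Both configs below are constructed samples,
not taken from any real cluster."""

# Constructed sample: settings that leave 10250 open to anonymous callers
# and 10255 serving pod/node data with no authentication at all.
WEAK_KUBELET_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": True},
        "webhook": {"enabled": False},
    },
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
}

# Constructed sample: the hardened form.  Anonymous access is off, bearer
# tokens are verified against the API server, authorization is delegated
# via SubjectAccessReview, and the read-only port is disabled.
HARDENED_KUBELET_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
}


def _get(cfg, *path, default=None):
    """Walk nested dicts; a missing key falls back to the kubelet default."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_kubelet_config(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    # The kubelet enables anonymous auth by default, so a missing key is a finding.
    if _get(cfg, "authentication", "anonymous", "enabled", default=True):
        findings.append("authentication.anonymous.enabled should be false "
                        "(10250 accepts unauthenticated requests)")
    if not _get(cfg, "authentication", "webhook", "enabled", default=False):
        findings.append("authentication.webhook.enabled should be true "
                        "(bearer tokens are not checked against the API server)")
    if _get(cfg, "authorization", "mode", default="AlwaysAllow") != "Webhook":
        findings.append("authorization.mode should be Webhook "
                        "(AlwaysAllow gives every caller full kubelet access)")
    # readOnlyPort defaults to 0 (disabled) in the config file schema.
    if _get(cfg, "readOnlyPort", default=0) != 0:
        findings.append("readOnlyPort should be 0 "
                        "(10255 exposes pod and node details without auth)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_KUBELET_CONFIG),
                      ("hardened", HARDENED_KUBELET_CONFIG)):
        result = audit_kubelet_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

To run it against a live node, load the kubelet's config file (YAML or JSON) into a dict first; the checks themselves need no cluster access.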

 

Engineering workflow:

    Ephemeral -  

 

CVE for K8S subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/

 

Final points:

    Advice for securing K8S is standard security advice

    Use Defense in Depth, and least Privilege

    Be aware of your attack surface

    Keep your threat model in mind

 

David Cybuck (questions from Slack channel)

 

My questions are:

  1. Talk telemetry? What is the best first step for having my containers or kubernetes report information? (my overlords want metrics dashboards which lead to useful metrics).

  2. How do you threat model your containers? Has she ever or how would she begin to run a table-top exercise, a cross between a threat model and a disaster recovery walk through, for the container infrastructure?

  3. Mitre Att&ck framework, there is a spin off for mobile. Do we need one for Kube, swarm, or DC/OS?


Sunday, November 18, 2018

2018-040- Jarrod Frates discusses pentest processes


Jarrod Frates

Inguardians

@jarrodfrates

“Skittering Through Networks”

Ms. Berlin in Germany - How’d it go?

   

TinkerSec’s story:  https://threadreaderapp.com/thread/1063423110513418240.html

 

Takeaways

Blue Team:

- Least Privilege Model

- Least Access Model

    “limited remote access to only a small number of IT personnel”

“This user didn't need Citrix, so her Citrix linked to NOTHING”

“They limited access EVEN TO LOCAL ADMINS!”

- Multi-Factor Authentication

- Simple Anomaly Rule Fires

    “Finance doesn’t use Powershell”

- Defense in Depth

    “moving from passwords to pass phrases…”

“Improper disposal of information assets”

 

Red Team:

- Keep Trying

- Never Assume

- Bring In Help

- Luck Favors the Prepared

- Adapt and Overcome



Before the Test

  • Talk it over with stakeholders: Reasons, goals, schedules
  • Report is the product: Get samples
  • Who, what, when, where, why, how
  • Talk to testers (and clients, if you can find them)
    • Ask questions
    • Look for past defensive experience and understanding of your needs
      • Bonus points if they interview you as a client
    • Red flags: Pwning is all they talk about, they set no-crash guarantees, send info in the clear
  • Define the scope: Test type(s), inclusions, exclusions, permissions, accounts
  • Test in ‘test/dev’, NOT PROD
  • Social Engineering: DO THIS. Yes, you’re vulnerable. DO IT ANYWAY.

 

During the Test

  • Comms: Keep in contact with the testers
    • Status reports (if the engagement is long enough)
    • Have an established method for escalation
    • Have an open communication style --brbr (WeBrBrs)
  • Ask questions, but let the testers do their jobs
  • Be available and ready to address critical events
  • Keep critical stakeholders informed
  • Watch your network: things break, someone else may be getting in, capture packets(?)

 

After the Test

  • Getting Results:
    • Report delivered securely
    • Initial summary: How far did they get?
    • Actual report
      • Written for multiple levels
      • No obvious copy/paste
      • Read, understand, provide feedback, and get revised version
  • Next steps:
    • Don’t blame anyone unnecessarily
    • Start planning with stakeholders on fixes
    • Contact vendors, educate staff
  • Reacting to report
  • Sabotaging your test
  • Future testing

 

Ms. Berlin’s Legit business - Mental Health Hackers

 

CFP for Bsides Seattle (Deadline: 26 November 2018) http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019

 

CFP for BsidesNash https://twitter.com/bsidesnash/status/1063084215749787649 Closes Dec 31

 

Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March


Monday, November 12, 2018

2018-039-Ian Coldwater, kubernetes, container security


Ian Coldwater-

@IanColdwater  https://www.redteamsecure.com/ *new gig*

 

So many different moving parts

Plugins

Code

Hardware

She’s working on her speaking schedule for 2019

How would I use these at home?

    https://kubernetes.io/docs/setup/minikube/

 

Kubernetes - up and running

    https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677

 

General wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes

 

https://twitter.com/alicegoldfuss - Alice Goldfuss

 

Derbycon Talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater

 

Tesla mis-configured Kubes env:

 

From the talk: https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/

 

Redlock report mentioned in Ars article:  https://redlock.io/blog/cryptojacking-tesla

 

Setup your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)

 

Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/

 

https://github.com/aquasecurity/kube-hunter -

 

Threat Model
    What R U protecting?

    Who R U protecting from?

    What R your Adversary’s capabilities?

    What R your capabilities?

 

Defenders think in Lists

Attackers think in Graphs

 

What are some of the visible ports used in K8S?

    44134/tcp - Helmtiller, weave, calico

    10250/tcp - kubelet (kubelet exploit)

        No authN, completely open

    10255/tcp - kubelet port (read-only)

    4194/tcp - cAdvisor

    2379/tcp - etcd

        Etcd holds all the configs

        Config storage

 

Engineering workflow:

    Ephemeral -  

 

CVE for K8S subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/

 

Final points:

    Advice for securing K8S is standard security advice

    Use Defense in Depth, and least Privilege

    Be aware of your attack surface

    Keep your threat model in mind

 

David Cybuck (questions from Slack channel)

 

My questions are:

  1. Talk telemetry? What is the best first step for having my containers or kubernetes report information? (my overlords want metrics dashboards which lead to useful metrics).

  2. How do you threat model your containers? Has she ever or how would she begin to run a table-top exercise, a cross between a threat model and a disaster recovery walk through, for the container infrastructure?

  3. Mitre Att&ck framework, there is a spin off for mobile. Do we need one for Kube, swarm, or DC/OS?


Sunday, November 4, 2018

2018-038-InfosecSherpa, security culture,


@InfoSecSherpa - Tracy Z. Maleeff (surname is pronounced like “may-leaf.”)

 

I have two talks coming up:

  • Empathy as a Service to Create a Culture of Security at the Cofense Submerge conference
  • Deep Dive into Social Media as an OSINT Tool at the H-ISAC Fall Summit (Health Information Sharing and Analysis Center)

 

Since National Cyber Security Awareness Month just ended, I wanted to talk about things InfoSec pros can do to help educate others outside our community.

 

*Shameless Plug* My Nuzzel newsletters
https://nuzzel.com/InfoSecSherpa

https://nuzzel.com/InfoSecSherpa/cybersecurity-africa



News stories -




Biglaw Firm Hit With Cybersecurity Incident Earlier This Month (Published: 29 October 2018 | Source: Above the Law) → (Tracy) I wanted to include this story as a discussion of which industries are still in the dark about security issues. To me, it feels like the legal world is either in denial or super slow to adapt. I know from working at law firms for about 10 years, that the industry as a whole is slow to adapt to technology. I once said that law firms are as agile as trying to turn a cruise ship when it came to technology.

 

https://www.cio.com/article/3212829/cyber-attacks-espionage/hackers-are-aggressively-targeting-law-firms-data.html



Porn-Watching Employee Infected Government Networks With Russian Malware, IG Says (Published: 25 October 2018 | Source: Next Gov)
