Wednesday, December 26, 2018

Tuesday, December 18, 2018

2018-044: Mike Samuels discusses NodeJS hardening initiatives


Mike Samuels

https://twitter.com/mvsamuel


https://github.com/mikesamuel/attack-review-testbed

https://nodejs-security-wg.slack.com/



Hardening NodeJS

 

Speaking engagement talks:

A Node.js Security Roadmap at JSConf.eu - https://www.youtube.com/watch?v=1Gun2lRb5Gw

Improving Security by Improving the Framework @ Node Summit - https://vimeo.com/287516009

Achieving Secure Software through Redesign at Nordic.js - https://www.facebook.com/nordicjs/videos/232944327398936/?t=1781



What is a package: (holy hell, why is this so complicated?)

   

A package is any of:

  1. a) a folder containing a program described by a package.json file
  2. b) a gzipped tarball containing (a)
  3. c) a url that resolves to (b)
  4. d) a <name>@<version> that is published on the registry with ©
  5. e) a <name>@<tag> that points to (d)
  6. f) a <name> that has a latest tag satisfying (e)
  7. g) a git url that, when cloned, results in (a).


https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4

 

https://blog.risingstack.com/node-js-security-checklist/

 

https://www.npmjs.com/package/trusted-types

https://github.com/WICG/trusted-types/issues/31


Here is a new episode of Brakeing Down Security Podcast!

Monday, December 10, 2018

2018-043-Adam-Baldwin, npmjs Director of Security, event stream post mortem, and making your package system more secure


Adam Baldwin (@adam_baldwin)

Director of Security, npm

 

https://foundation.nodejs.org/

https://spring.io/understanding/javascript-package-managers

 

Role in the NodeJS project

    Advisory? Active role? Maintain security modules?

    Are there any requirements to being a dev?

    Are there different roles in the NodeJS environment?

    Is there any review of system sensitive packages? (or has that ship sailed…)

 

Discussion of timeline from NodeJS security team

    When were you notified? (or were you notified at all?)

    What steps were taken to fix the issue?

    Lessons learned?

 

Official npm security policy: https://www.npmjs.com/policies/security (good stuff!)

 

Event-stream (initial bug report):   https://github.com/dominictarr/event-stream/issues/116

 

Only affected bitcoin Wallets from ‘Copay’

                    https://nakedsecurity.sophos.com/2018/11/28/javascript-library-used-for-sneak-attack-on-copay-bitcoin-wallet/

“Cue relief, mixed with frustration, for anyone not targeted. Developer Chris Northwood wrote :

We’ve wiped our brows as we’ve got away with it, we didn’t have malicious code running on our dev machines, our CI servers, or in prod. This time.” (

 

https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4

“The damage this could have caused is incredible to think about. The projects that depend on this aren’t trivial either, Microsoft’s original Azure CLI depends on event-stream! Think of the systems that either develop that tool or run that tool. Each one of those potentially had this malicious code installed.”

 

https://thehackernews.com/2018/11/nodejs-event-stream-module.html

“The malicious code detected earlier this week was added to Event-Stream version 3.3.6, published on September 9 via NPM repository, and had since been downloaded by nearly 8 million application programmers.”

 

https://www.analyticsvidhya.com/blog/2018/07/using-power-deep-learning-cyber-security/

 

Hacker News (with comments): https://news.ycombinator.com/item?id=18534392

 

Official npm blog post: https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

https://blog.npmjs.org/post/175824896885/incident-report-npm-inc-operations-incident-of

https://resources.whitesourcesoftware.com/blog-whitesource/top-5-open-source-security-vulnerabilities-november-2018

 

2017 package/user stats: https://www.linux.com/news/event/Nodejs/2016/state-union-npm

 

According to npmjs.org: over 800,000 packages (854,000 packages, 7 million+ individual versions)

 

Dependency hell in NodeJS:

https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/

    “Roughly 76% of Node shops use vulnerable packages, some of which are extremely severe; and open source projects regularly grow stale, neglecting to fix security flaws.”

 

History of NodeJS security issues:

 

ESLINT: https://nodesource.com/blog/a-high-level-post-mortem-of-the-eslint-scope-security-incident/

Left-pad: https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

 

How to ensure this type of issue doesn’t happen again? (or is that possible, considering the ecosystem?)

What can devs, blueteams, or companies that live and die by NodeJS do to increase security, or assist in making NPM Security team’s job easier?

 

What the responsibility is of consumers of open source?

 

What can be done to ensure vetting for ‘important’ packages?

Can someone manage turnover? (or is that ship sailed?)

 

Security scanners:

https://geekflare.com/nodejs-security-scanner/

https://techbeacon.com/13-tools-checking-security-risk-open-source-dependencies-0

 

Threat assessment or ‘what could go wrong in the future’?

    Bad code

    “Trust issues”

    Repo corruption

    Hijacking packages

   

Keep up to date on NodeJS security issues:

https://nodejs.org/en/security/

https://groups.google.com/forum/#!forum/nodejs-sec

 

^ this is great for node, but if you want to stay up to date with security advisories in the ecosystem?

npmjs.com/advisories or @npmjs on twitter


https://rubysec.com/ -Ruby security group

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!

Sunday, December 2, 2018

2018-042-Election security processes in the state of Ohio


Where in the world is Ms. Amanda Berlin?

    Keynoting hackerconWV

 

Election Security

 

Cuyahoga County:

 

Intro: Jeremy Mio (@cyborg00101

Name?

Why are you here?

 

Discussing Ohio does election operations.

    Walk through the process

Pre-Elections

Elections Night

Post Elections

 

All about the C.I.A.

Votes must be confidential

Votes must not be compromised (integrity)

Voting should be available and without outage

 

Did a tabletop exercise with all counties in Ohio (impressive!)

    Gamified, using role-reversal

    Points based system

    Different technology has different point values

 

Physical security/chain of custody

Retention

 

EI-ISAC - election infra ISAC

https://www.cisecurity.org/services/albert/ - Albert system

https://www.cisecurity.org/best-practices-part-1/ - election security best practices

 

How does the Ohio election process stack up against other states?

 

Media Perception in Elections Hacking and threats

11 year olds ‘hacking election’

    Yes, good for a new article title

    Goes to show how easy it is to actually hack systems

        Train someone on SQLI, pwn the things

 

Elections Security Operations and Preparation

Technology types

    Ballot

    Booths

    Mail-in ballots

 

Securing election infra

    What can be done to make it more secure?

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!

Sunday, November 25, 2018

2018-041: part 2 of Kubernetes security insights w/ ian Coldwater


@IanColdwater  https://www.redteamsecure.com/ *new gig*

 

So many different moving parts

Plugins

Code

Hardware

 

She’s working on speaking schedule for 2019

 

How would I use these at home?

    https://kubernetes.io/docs/setup/minikube/

 

Kubernetes - up and running

    https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677

 

General wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes

 

https://twitter.com/alicegoldfuss - Alice Goldfuss

 

Derbycon Talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater

 

Tesla mis-configured Kubes env:

 

From the talk: https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/

 

Redlock report mentioned in Ars article:  https://redlock.io/blog/cryptojacking-tesla

 

Setup your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)

 

Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/

 

https://github.com/aquasecurity/kube-hunter -


Threat Model
    What R U protecting?

    Who R U protecting from?

    What R your Adversary’s capabilities?

    What R your capabilities?

 

Defenders think in Lists

Attackers think in Graphs

 

What are some of the visible ports used in K8S?

    44134/tcp - Helmtiller, weave, calico

    10250/tcp - kubelet (kublet exploit)

        No authN, completely open

    10255/tcp - kublet port (read-only)

    4194/tcp - cAdvisor

    2379/tcp - etcd

        Etcd holds all the configs

        Config storage

 

Engineering workflow:

    Ephemeral -  

 

CVE for K8S subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/

 

Final points:

    Advice securing K8S is standard security advice

    Use Defense in Depth, and least Privilege

    Be aware of your attack surface

    Keep your threat model in mind

 

David Cybuck (questions from Slack channel)

 

My questions are: 1. Talk telemetry?  What is the best first step for having my containers or kubernetes report information?  (my overlords want metrics dashboards which lead to useful metrics).

 

  1. How do you threat model your containers?  Has she ever or how would she begin to run a table-top exercise, a cross between a threat model and a disaster recovery walk through, for the container infrastructure?

 

  1. Mitre Att&ck framework, there is a spin off for mobile.  Do we need one for Kube, swarm, or DC/OS?

Here is a new episode of Brakeing Down Security Podcast!

Sunday, November 18, 2018

2018-040- Jarrod Frates discusses pentest processes


Jarrod Frates

Inguardians

@jarrodfrates

“Skittering Through Networks”

Ms. Berlin in Germany - How’d it go?

   

TinkerSec’s story:  https://threadreaderapp.com/thread/1063423110513418240.html

 

Takeaways

Blue Team:

- Least Privilege Model

- Least Access Model

    “limited remote access to only a small number of IT personnel”

“This user didn't need Citrix, so her Citrix linked to NOTHING”

“They limited access EVEN TO LOCAL ADMINS!”

- Multi-Factor Authentication

- Simple Anomaly Rule Fires

    “Finance doesn’t use Powershell”

- Defense in Depth

    “moving from passwords to pass phrases…”

“Improper disposal of information assets”

 

Red Team:

- Keep Trying

- Never Assume

- Bring In Help

- Luck Favors the Prepared

- Adapt and Overcome



Before the Test

  • Talk it over with stakeholders: Reasons, goals, schedules
  • Report is the product: Get samples
  • Who, what, when, where, why, how
  • Talk to testers (and clients, if you can find them)
    • Ask questions
    • Look for past defensive experience and understanding of your needs
      • Bonus points if they interview you as a client
    • Red flags: Pwning is all they talk about, they set no-crash guarantees, send info in the clear
  • Define the scope: Test type(s), inclusions, exclusions, permissions, accounts
  • Test in ‘test/dev’, NOT PROD
  • Social Engineering: DO THIS. Yes, you’re vulnerable. DO IT ANYWAY.

 

During the Test

  • Comms: Keep in contact with the testers
    • Status reports (if the engagement is long enough)
    • Have an established method for escalation
    • Have an open communication style --brbr (WeBrBrs)
  • Ask questions, but let the testers do their jobs
  • Be available and ready to address critical events
  • Keep critical stakeholders informed
  • Watch your network: things break, someone else may be getting in, capture packets(?)

 

After the Test

  • Getting Results:
    • Report delivered securely
    • Initial summary: How far did they get?
    • Actual report
      • Written for multiple levels
      • No obvious copy/paste
      • Read, understand, provide feedback, and get revised version
  • Next steps:
    • Don’t blame anyone unnecessarily
    • Start planning with stakeholders on fixes
    • Contact vendors, educate staff
  • Reacting to report
  • Sabotaging your test
  • Future testing

 

Ms. Berlin’s Legit business - Mental Health Hackers

 

CFP for Bsides Seattle (Deadline: 26 November 2018) http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019

 

CFP for BsidesNash https://twitter.com/bsidesnash/status/1063084215749787649 Closes Dec 31

 

Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March

 

 

heck out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!

Monday, November 12, 2018

2018-039-Ian Coldwater, kubernetes, container security


Ian Coldwater-

@IanColdwater  https://www.redteamsecure.com/ *new gig*

 

So many different moving parts

Plugins

Code

Hardware

She’s working on speaking schedule for 2019

How would I use these at home?

    https://kubernetes.io/docs/setup/minikube/

 

Kubernetes - up and running

    https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677

 

General wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes

 

https://twitter.com/alicegoldfuss - Alice Goldfuss

 

Derbycon Talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater

 

Tesla mis-configured Kubes env:

 

From the talk: https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/

 

Redlock report mentioned in Ars article:  https://redlock.io/blog/cryptojacking-tesla

 

Setup your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)

 

Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/

 

https://github.com/aquasecurity/kube-hunter -

 

Threat Model
    What R U protecting?

    Who R U protecting from?

    What R your Adversary’s capabilities?

    What R your capabilities?

 

Defenders think in Lists

Attackers think in Graphs

 

What are some of the visible ports used in K8S?

    44134/tcp - Helmtiller, weave, calico

    10250/tcp - kubelet (kublet exploit)

        No authN, completely open

    10255/tcp - kublet port (read-only)

    4194/tcp - cAdvisor

    2379/tcp - etcd

        Etcd holds all the configs

        Config storage

 

Engineering workflow:

    Ephemeral -  

 

CVE for K8S subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/

 

Final points:

    Advice securing K8S is standard security advice

    Use Defense in Depth, and least Privilege

    Be aware of your attack surface

    Keep your threat model in mind

 

David Cybuck (questions from Slack channel)

 

My questions are: 1. Talk telemetry?  What is the best first step for having my containers or kubernetes report information?  (my overlords want metrics dashboards which lead to useful metrics).

 

  1. How do you threat model your containers?  Has she ever or how would she begin to run a table-top exercise, a cross between a threat model and a disaster recovery walk through, for the container infrastructure?

 

  1. Mitre Att&ck framework, there is a spin off for mobile.  Do we need one for Kube, swarm, or DC/OS?

 

heck out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!

Sunday, November 4, 2018

2018-038-InfosecSherpa, security culture,


@InfoSecSherpa - Tracy Z. Maleeff (surname is pronounced like “may-leaf.”)

 

I have two talks coming up:

  • Empathy as a Service to Create a Culture of Security at the Cofense Submerge conference
  • Deep Dive into Social Media as an OSINT Tool at the H-ISAC Fall Summit (Health Information Sharing and Analysis Center)

 

Since National Cyber Security Awareness Month just ended, I wanted to talk about things InfoSec pros can do to help educate others outside our community.

 

*Shameless Plug* My Nuzzel newsletters
https://nuzzel.com/InfoSecSherpa

https://nuzzel.com/InfoSecSherpa/cybersecurity-africa



News stories -




Biglaw Firm Hit With Cybersecurity Incident Earlier This Month (Published: 29 October 2018 | Source: Above the Law) → (Tracy) I wanted to include this story as a discussion of which industries are still in the dark about security issues. To me, it feels like the legal world is either in denial or super slow to adapt. I know from working at law firms for about 10 years, that the industry as a whole is slow to adapt to technology. I once said that law firms are as agile as trying to turn a cruise ship when it came to technology.

 

https://www.cio.com/article/3212829/cyber-attacks-espionage/hackers-are-aggressively-targeting-law-firms-data.html



Porn-Watching Employee Infected Government Networks With Russian Malware, IG Says (Published: 25 October 2018 | Source: Next Gov)

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!

Sunday, October 21, 2018

2018-037-iWatch save man's life, Alexa detects your mood, and post-derby discussion


Health & Tech?

https://arstechnica.com/gadgets/2018/10/amazon-patents-alexa-tech-to-tell-if-youre-sick-depressed-and-sell-you-meds/

 

https://hackaday.io/project/151388-minder (774 results for “health” on hackaday)

 

(def don’t need to talk about, but still funny AF) https://hackaday.io/project/11407-myflow

 

https://9to5mac.com/2017/12/15/apple-watch-saves-life-managing-heart-attack/

 

https://www.adheretech.com/

Privacy implications?

Microsoft healthcare initiative - https://enterprise.microsoft.com/en-us/industries/health/

Apple health - https://www.apple.com/ios/health/ - https://www.apple.com/researchkit/

https://www.papercall.io/dachfest18

Make plans for next year! Follow @derbycon on Twitter!

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!

Sunday, September 30, 2018

2018-035-software bloat is forever; malicious file extensions; WMIC abuses


Pizza Party Link -

https://www.eventbrite.com/e/brakesec-derbycon-pizza-meetup-tickets-50719385046

 

News stories-

 

Software/library bloat

 

http://tonsky.me/blog/disenchantment/

 

https://hackernoon.com/how-it-feels-to-learn-javascript-in-2016-d3a717dd577f

 

https://gbhackers.com/hackers-abusing-windows-management-interface-command-tool-to-deliver-malware-that-steal-email-account-passwords/

    https://hackerhurricane.blogspot.com/2016/09/avoiding-ransomware-with-built-in-basic.html

 

https://www.zdnet.com/article/windows-utility-used-by-malware-in-new-information-theft-campaigns/

 

https://attack.mitre.org/wiki/Technique/T1170  - HTA file malware examples

 

https://nakedsecurity.sophos.com/2018/09/26/finally-a-fix-for-the-encrypted-webs-achilles-heel/

 

https://www.bbc.com/news/technology-45686890 -

(facebook account hack)

 

https://github.com/eset/malware-ioc/blob/master/sednit/lojax.adoc  IOC’s from various malware

 

UEFI rootkit - https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/


Block These Extensions:

 

File Extension    File Type

.adp Access Project (Microsoft)

.app Executable Application

.asp Active Server Page

.bas BASIC Source Code

.bat Batch Processing

.cer Internet Security Certificate File

.chm Compiled HTML Help

.cmd DOS CP/M Command File, Command File for Windows NT

.cnt Help file index

.com Command

.cpl Windows Control Panel Extension(Microsoft)

.crt Certificate File

.csh csh Script

.der DER Encoded X509 Certificate File

.exe Executable File

.fxp FoxPro Compiled Source (Microsoft)

.gadget Windows Vista gadget

.hlp Windows Help File

.hpj Project file used to create Windows Help File

.hta Hypertext Application

.inf Information or Setup File

.ins IIS Internet Communications Settings (Microsoft)

.isp IIS Internet Service Provider Settings (Microsoft)

.its Internet Document Set, Internet Translation

.js JavaScript Source Code

.jse JScript Encoded Script File

.ksh UNIX Shell Script

.lnk Windows Shortcut File

.mad Access Module Shortcut (Microsoft)

.maf Access (Microsoft)

.mag Access Diagram Shortcut (Microsoft)

.mam Access Macro Shortcut (Microsoft)

.maq Access Query Shortcut (Microsoft)

.mar Access Report Shortcut (Microsoft)

.mas Access Stored Procedures (Microsoft)

.mat Access Table Shortcut (Microsoft)

.mau Media Attachment Unit

.mav Access View Shortcut (Microsoft)

.maw Access Data Access Page (Microsoft)

.mda Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)

.mdb Access Application (Microsoft), MDB Access Database (Microsoft)

.mde Access MDE Database File (Microsoft)

.mdt Access Add-in Data (Microsoft)

.mdw Access Workgroup Information (Microsoft)

.mdz Access Wizard Template (Microsoft)

.msc Microsoft Management Console Snap-in Control File (Microsoft)

.msh Microsoft Shell

.msh1 Microsoft Shell

.msh2 Microsoft Shell

.mshxml Microsoft Shell

.msh1xml Microsoft Shell

.msh2xml Microsoft Shell

.msi Windows Installer File (Microsoft)

.msp Windows Installer Update

.mst Windows SDK Setup Transform Script

.ops Office Profile Settings File

.osd Application virtualized with Microsoft SoftGrid Sequencer

.pcd Visual Test (Microsoft)

.pif Windows Program Information File (Microsoft)

.plg Developer Studio Build Log

.prf Windows System File

.prg Program File

.pst MS Exchange Address Book File, Outlook Personal Folder File (Microsoft)

.reg Registration Information/Key for W95/98, Registry Data File

.scf Windows Explorer Command

.scr Windows Screen Saver

.sct Windows Script Component, Foxpro Screen (Microsoft)

.shb Windows Shortcut into a Document

.shs Shell Scrap Object File

.ps1 Windows PowerShell

.ps1xml Windows PowerShell

.ps2 Windows PowerShell

.ps2xml Windows PowerShell

.psc1 Windows PowerShell

.psc2 Windows PowerShell

.tmp Temporary File/Folder

.url Internet Location

.vb VBScript File or Any VisualBasic Source

.vbe VBScript Encoded Script File

.vbp Visual Basic project file

.vbs VBScript Script File, Visual Basic for Applications Script

.vsmacros Visual Studio .NET Binary-based Macro Project (Microsoft)

.vsw Visio Workspace File (Microsoft)

.ws Windows Script File

.wsc Windows Script Component

.wsf Windows Script File

.wsh Windows Script Host Settings File

.xnk Exchange Public Folder Shortcut

.ade ADC Audio File

.cla Java class File

.class Java class File

.grp Microsoft Widows Program Group

.jar Compressed archive file package for Java classes and data

.mcf MMS Composer File

.ocx ActiveX Control file

.pl Perl script language source code

.xbap Silverlight Application Package

 ------------------------------

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!

Monday, September 24, 2018

2018-034-Pentester_Scenario


Interesting email from one of our listeners. Detailing an issue that came up on a client engagement. We walk through best ways to store information post-engagement, and what you need to do to document test procedures so you don't get bit by a potential issue perhaps months down the line.

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 


Here is a new episode of Brakeing Down Security Podcast!

Saturday, September 15, 2018

2018--033-Chris_Hadnagy-SE-OSINT-vishing-phishing-book_interview-pt2


Part 2 of our interview with Chris Hadnagy
Discuss more about his book,
best ways to setup your pre-text in an engagement
how you might read someone on a poker table
a great story about Chris's favorite person “Neil Fallon” from the rock band “Clutch”
and we talk about “innocent lives foundation”, something near and dear to Chris' heart.

We start the second part of our interview with Chris with the question “are the majority of your SE engagements phishing and calls, or is it physical engagements?”

 

Sponsored Link (paperback on Amazon): https://amzn.to/2NKxLD9

SEORG book list: https://www.social-engineer.org/resources/seorg-book-list/

Chris’ Podcast: https://www.social-engineer.org/podcast/

 

SECTF at Derby (contestants are chosen)

   

 

Remembering - attention to detail

    Remembering details

    Can be the difference between success and failure

 

Social Engineering - the different aspects:

  1. Info Gathering
    1. Time constraints
    2. Accommodating non-verbals
    3. Body language must match mood
    4. Using a slower rate of speech
    5. Suspending ego
    6. RSVP
  2. Rapport
  3. Psychology
    1. “Getting information without asking for it”
  4. Elicitation
    1. ‘The Dark Art’ -negative outcome for the target
  5. Manipulation
    1. “Getting someone to do what you want them to do”
    2. Understanding the science of compliance
  6. Influence
  7. Profiling
  8. Communications Modeling
  9. Facial Expressions
  10. Body Language
    1. Don’t overextend your reach
    2. Knowledge that comes from a point of truth, or is easily faked
  11. Pretexting
  12. Emotional Hijacking
  13. Misdirection
  14. Art
  15. Science

 

   

Questions:

    What precipitated the need to write another book?

    You bring up several successful operations, and several failures…

        How do you regroup from a failure, especially if the point of entry is someone that ‘got you’...

“The level of the assistance you request must be equal to the level of rapport you have built” -

    Seems like understanding this is an acquired skill, not set in stone…

 

Many of us in the infosec world are introverts… how do you suggest we hone our skills in building rapport without coming off as creepy?

Work place? On the commute?

Does being an introvert mean that it might take longer to get to the goal? Can we use our introverted natures to our advantage?

        Get Ryan on the show…        

                   

Lots of items

(8 principles of influence)   

 

Typical daily SE activities

    Holding a door open, then the person reciprocates

 

Framing

    We don’t ‘kill our dogs’, we ‘put them to sleep’.

 

Questions from our Slack:

 

Ben:

Do you feel there's an importance for non-InfoSec adjacent folks to learn about Social Engineering, and maybe go through some sort of training in order to navigate day-to-day life in the modern world?

 

What does an interview at Chris’ company look like?

 

https://www.innocentlivesfoundation.org/

 

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 


Here is a new episode of Brakeing Down Security Podcast!

Saturday, September 8, 2018

2018-032-chris Hadnagy, discusses his new book, OSINT and SE Part 1


Christopher Hadnagy Interview:

Origin story

  • connoisseur  of moonshine

Social Engineering: The Science of Human Hacking 2nd Edition



Sponsored Link (paperback on Amazon): https://amzn.to/2NKxLD9

SEORG book list: https://www.social-engineer.org/resources/seorg-book-list/

Chris’ Podcast: https://www.social-engineer.org/podcast/

 

SECTF at Derby (contestants are chosen)

   

 

Remembering - attention to detail

    Remembering details

    Can be the difference between success and failure



Social Engineering - the different aspects:

  1. Info Gathering
    1. Time constraints
    2. Accommodating non-verbals
    3. Body language must match mood
    4. Using a slower rate of speech
    5. Suspending ego
    6. RSVP
  2. Rapport
  3. Psychology
    1. “Getting information without asking for it”
  4. Elicitation
    1. ‘The Dark Art’ -negative outcome for the target
  5. Manipulation
    1. “Getting someone to do what you want them to do”
    2. Understanding the science of compliance
  6. Influence
  7. Profiling
  8. Communications Modeling
  9. Facial Expressions
  10. Body Language
    1. Don’t overextend your reach
    2. Knowledge that comes from a point of truth, or is easily faked
  11. Pretexting
  12. Emotional Hijacking
  13. Misdirection
  14. Art
  15. Science

 

   

Questions:

    What precipitated the need to write another book?

    You bring up several successful operations, and several failures…

        How do you regroup from a failure, especially if the point of entry is someone that ‘got you’...

“The level of the assistance you request must be equal to the level of rapport you have built” -

    Seems like understanding this is an acquired skill, not set in stone…

 

Many of us in the infosec world are introverts… how do you suggest we hone our skills in building rapport without coming off as creepy?

Work place? On the commute?

Does being an introvert mean that it might take longer to get to the goal? Can we use our introverted natures to our advantage?

        Get Ryan on the show…        

                   

Lots of items

(8 principles of influence)   

 

Typical daily SE activities

    Holding a door open, then the person reciprocates

 

Framing

    We don’t ‘kill our dogs’, we ‘put them to sleep’.



Questions from our Slack:

 

Ben:

Do you feel there's an importance for non-InfoSec adjacent folks to learn about Social Engineering, and maybe go through some sort of training in order to navigate day-to-day life in the modern world?

 

What does an interview at Chris’ company look like?

 

https://www.innocentlivesfoundation.org/

 

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!