Sunday, December 22, 2019

2019-046-end of the year, end of the decade, predictions, and how we've all changed


End of year, end of decade

    Are things better than 10 years ago? 5 years ago?

    If there was one thing to change things for the better, what would that be?

 

Good, Bad, Ugly 

Did naming vulns make things better?

    Which industries are doing a good job of securing themselves? Finance?

    What do you wish had never happened (security/compliance-wise)?

    Ransomware infections with no bounties

    Still have people believing “Nessus” is a pentest

 

https://nrf.com/

https://www.retailitinsights.com/eventscalendar/eventdetail/1c77d5c6-8625-4f2b-bb98-89cca6590c49 

https://monitorama.com/ 

https://www.apics.org/credentials-education/events

 

The Future

    PREDICTIONS!!!

    Bryan: The rise of the vetting programs (companies will want to vet content creators in their ecosystems)

    Cybuck: An uptick in surveillance tech; both disguised as cool home smart gadgets and straight up public safety.  Triggering a US GDPR type response.

Injection remains the undisputed heavyweight champion of app sec vulnerabilities (OWASP Top 10). And wishful thinking... broken authentication moves lower, denial of service goes down. https://twitter.com/WeldPond/status/1207383327491137536/photo/1

JB: a major change in social media / a generational shift in how we use it, legal or a focus on new types of mobile tech, for example… Human networking in real life in the age of ‘social’… “When you hire someone… you also hire their rolodex” --- what do you think about this statement? Its role in InfoSec? Talent?

 

JB shouted out https://github.com/redcanaryco/atomic-red-team (Invoke-Atomic framework with PowerShell, now on Linux, OSX, and Windows)

 

JB - Link to the hunting/stopping human trafficking org I mentioned:

Shoutout

 Sherrie Caltagirone, Executive Director, Global Emancipation Network @GblEmancipation

https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1569941622.pdf

 

Mentioned https://monitorama.com/ https://github.com/viq/air-monitoring-scripts (viq from Brakesec)

 

       

Other topics

    Talk about where you were 10 years ago, and what you did to get where you are?

    Best Hacking tool?

    Best Enterprise Tool?

 

Recent news

https://www.zdnet.com/article/more-than-38000-people-will-stand-in-line-this-week-to-get-a-new-password/

https://www.phoronix.com/scan.php?page=news_item&px=CERN-MALT-Microsoft-Alternative 

https://www.iotworldtoday.com/2019/12/21/2020-predictions-apis-become-a-focus-of-iot-security/ 

https://www.jonesday.com/en/insights/2018/10/california-to-regulate-security-of-iot-devices 

News stories from 2010 (see if they still make sense, or are outdated)



https://www.infosecurity-magazine.com/magazine-features/what-makes-a-ciso-employable/

https://www.csoonline.com/article/2231454/verizon-s-2010-dbir--rise-in-misuse--malware-and-social-engineering.html

https://www.owasp.org/index.php/OWASPTop10-2010-PressRelease





Tuesday, December 17, 2019

2019-045-Part 2-Noid, Dave Dittrich, empowered teams, features vs. security


The day after part 1

Keybase halted the spacedrop the day after the first podcast was completed...

 

Security failures in implementation

    “We need to push this to market, we’ll patch it later!”

 

Risk management discussion for project managers (PMP)

 

CIA Triad… where does ‘business goals’ fit? Security is at odds with the bottom line

    **Reference Noid’s Bsides Seattle talk and podcast earlier this year.**



Other companies that have made security mistakes in the name of business

 

Practical Pentest Labs storing passwords in the clear

https://twitter.com/mortalhys/status/1202867037120475136

https://web.archive.org/web/20191207132548/https://twitter.com/mortalhys/status/1202867037120475136 

https://twitter.com/piaviation/status/1202994484172218368



T-Mobile Austria partial password issues:

https://www.pcmag.com/news/360301/t-mobile-austria-admits-to-storing-passwords-partly-in-clear

    No one was championing security, because no one considered the problems with partial disclosure of the passphrase in an account.

    Marketing people on your social media accounts do NOT help allay security issues (because they didn’t have escalation procedures for vuln disclosure)

        Insider threats could take over accounts

 

Follow-up from last week’s show with Bea Hughes:

 

I liked the interesting discussion about security and DevOps teams with Bea Hughes in your recent podcast. When you mentioned you are taking your PMP for agile I'm surprised you did not mention the term "product owner".  You were asking who cares about security that you, as a security guy can talk to. Bea mentioned that it was the "stakeholders", but in the agile process the "product owner" is the team's advocate for the "stakeholders".

 

And, you also mentioned "PM", as in project manager. In an agile world, the typical PM role is minimized. Actually, the PM is removed entirely ideally in favor of empowered teams. Empowered teams understand that good products are reliable and secure. (Secure because the security CIA includes "availability" and "integrity" aka reliability.)

 

As Director of DevOps for my 4,000-person consulting company I'm working with our security team to push responsibility for security to our development teams. Empowering them to take the time and bear the costs of using security tools prior to release and during system operation is what we are working on now, as we roll into 2020.

 

**If the ‘product owner’ or ‘empowered team’ does not consider security a priority/requirement, then who champions security? It only becomes a priority when something bad happens, like a breach.**

 

“Empowered teams”

 Some people aren’t fans:   https://hackernoon.com/the-surprising-misery-of-empowered-teams-35c3679cf11e

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!: https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel: http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site: https://brakesec.com/bdswebsite

#iHeartRadio App: https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

 



Monday, December 9, 2019

2019-044-Noid and Dave Dittrich discusses recent keybase woes - Part 1


Patreon donor goodness: Scott S. and Ion S.

@_noid_ @davedittrich

Their response:

 “it’s not a bug, it’s a feature”

    “Don’t write a blog post that will point out the issue”

    “You pointing out our issues makes things more difficult for us”

    “It’s a free service, why are you hurting us?”

 

 

https://keybase.io/docs/bug_reporting



Nov 22nd

 

Noid (@_noid_) Keybase discussion blog post

https://www.whiskey-tango.org/2019/11/keybase-weve-got-privacy-problem.html

 

Reddit post showing potential SE attacks occurring: https://www.reddit.com/r/Keybase/comments/e6uou3/hi_guys_i_received_a_message_today_that_is/ 

 

Keybase’s decision to fix it came out after The Register asked them about the issue…

 

Dec 4th

https://keybase.io/blog/dealing-with-spam

       

 

Dec 5th.

https://www.theregister.co.uk/2019/12/05/keybase_struggles_with_harassment/



Problems with the implementation:  

        Requiring Keybase admins to decide what’s wrong or whether accounts need to be deleted

        Additional dummy accounts being created on other sites (keybase, twitter, git, reddit, etc), generating problems for those services (as if Twitter doesn’t have enough issues with bots/shitty people)

        Cryptocurrency = trolls/phishing/SE attempts to get folks to hand over their lumens (what’s the motivation of creating the coin?)

        They’ve already opened the spam door, and they’ll not be able to shut it.

Once they took the VC and aligned themselves with Stellar, the attack surface changed

    From Account takeover (integrity attacks) to deception (social engineering)

 

What is keybase?

    Social network?

    E2E chat

    Encrypted file share/storage?

    CryptoCurrency Company? 

    Secure git repo protector?

 

Which ones do they do well?  

How could they have solved the spam issue?

    Made the cryptocoin a separate application?

        Even their /r/keybase is filling up with spammers asking about their Lumens

 

How could they fix it?

    You can’t contact someone unless that person allows you to.

    Allow someone to contact you, but do not allow adding to teams without permission

 

https://news.ycombinator.com/item?id=21719702 (ongoing HN thread)

Noid isn’t the only person with issues in Keybase: https://vicki.substack.com/p/keybase-and-the-chaos-of-crypto

 

https://it.slashdot.org/story/19/12/06/1610259/keybase-moves-to-stop-onslaught-of-spammers-on-encrypted-message-platform

 

https://keybase.io/docs-assets/blog/NCC_Group_Keybase_KB2018_Public_Report_2019-02-27_v1.3.pdf 



Stephen Carter's definition of “integrity.”

Integrity, as I will use the term, requires three steps: (1) discerning what is right and what is wrong, (2) acting on what you have discerned, even at personal cost; and (3) saying openly that you are acting on your understanding of right from wrong.

 — Stephen Carter, “Integrity.” Harper-Collins. https://www.harpercollins.com/9780060928070/integrity/

 

Can the person [who took the controversial act] explain their reasoning, based on principles they can articulate and would follow even if it meant they paid a price? Or do they selectively choose principles in arbitrary ways so as to fit the current circumstances in order to guarantee they get an outcome that benefits them?

 

noid’s blog post clearly documents the timeline of interactions with Keybase, including: (1) providing detailed steps to reproduce; (2) suggesting mitigations that could be implemented in the architecture; (3) providing guidance to users to protect themselves when the vulnerability disclosure was made public; and (4) justifying his decision to go public by citing and following a vulnerability disclosure policy of a major industry leader in this area, Google:

Following Google Security’s guidelines for issues being actively exploited in the wild, I chose to release this information 7 days after I last heard from Keybase.

The ACM Code of Conduct has several sections that could apply here:

1.1 Contribute to society and to human well-being, acknowledging that all people are stakeholders in computing.

1.2 Avoid harm.

1.6 Respect privacy.

2.1 Strive to achieve high quality in both the processes and products of professional work.

2.7 Foster public awareness and understanding of computing, related technologies, and their consequences.

3.1 Ensure that the public good is the central concern during all professional computing work.

3.7 Recognize and take special care of systems that become integrated into the infrastructure of society.

 

The right to privacy of your information, as well as the right to choose with whom you associate and communicate, are both arguably duties based on the concept of autonomy (i.e., your right to choose).

 

In biomedical and behavioral research, the principle involved here is known as Respect for Persons and is best recognized as the idea of informed consent. Giving users autonomy in making their data public, but not giving them autonomy in who they allow to communicate with them and add them to “teams,” could be viewed as conflicting as regards this principle.

 

This is in fact precisely what noid brought up in his initial communication with Keybase:

 

I had a random guy I don’t follow add me to a team and start messaging me about cryptocurrency stuff. This really shouldn’t be default behavior. This can result in a spam or harassment vector (hence why I’m reluctant to post it on the open forum). Ideally the default behavior should be that no one can add you to a team without your consent. Then maybe have an option of allowing those you follow to be able to do so, and as a final option let anyone add you to a team (but make sure folks know this isn’t recommended).
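The consent model noid describes (by default no one can add you to a team; optionally people you follow can; "anyone" only as an explicit, not-recommended opt-in), as an added Python sketch. This is example code written for these notes, not Keybase's implementation or anything noid published; the `User`, `TeamAddPolicy` and `request_team_add` names are assumptions, and the users below are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple


class TeamAddPolicy(Enum):
    """Who may put this user into a team without an explicit accept step."""
    NOBODY = "nobody"        # default: every add becomes an invite the user must accept
    FOLLOWED = "followed"    # only people this user already follows may add directly
    ANYONE = "anyone"        # opt-in only; this is the behaviour noid objected to as a default


@dataclass
class User:
    name: str
    follows: Set[str] = field(default_factory=set)
    policy: TeamAddPolicy = TeamAddPolicy.NOBODY      # secure default: consent required
    pending_invites: List[Tuple[str, str]] = field(default_factory=list)  # (requester, team)
    teams: Set[str] = field(default_factory=set)


def may_add_directly(requester: User, target: User) -> bool:
    """Evaluate the target's own policy; the requester's wishes never widen it."""
    if requester.name == target.name:
        return True
    if target.policy is TeamAddPolicy.ANYONE:
        return True
    if target.policy is TeamAddPolicy.FOLLOWED:
        return requester.name in target.follows
    return False  # NOBODY


def request_team_add(requester: User, target: User, team: str) -> str:
    """Returns 'added' if the policy allows it, otherwise 'invited' (nothing else changes)."""
    if may_add_directly(requester, target):
        target.teams.add(team)
        return "added"
    invite = (requester.name, team)
    if invite not in target.pending_invites:
        target.pending_invites.append(invite)
    return "invited"


def accept_invite(target: User, requester_name: str, team: str) -> bool:
    """The only path from a stranger's request into the target's team list."""
    invite = (requester_name, team)
    if invite not in target.pending_invites:
        return False
    target.pending_invites.remove(invite)
    target.teams.add(team)
    return True


if __name__ == "__main__":
    # Constructed users: alice keeps the default, bob is someone she follows, mallory is a stranger.
    alice, bob, mallory = User("alice"), User("bob"), User("mallory")
    alice.follows.add("bob")
    print(request_team_add(mallory, alice, "crypto-promo"))   # invited
    alice.policy = TeamAddPolicy.FOLLOWED
    print(request_team_add(bob, alice, "friends"))            # added
    print(request_team_add(mallory, alice, "crypto-promo-2")) # still invited
```

The design point is that a stranger's request never changes the target's state beyond a pending invite, so the spam and harassment vector described above needs the target's own accept step; the `ANYONE` level still exists, but the user has to choose it.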



Tuesday, December 3, 2019

2019-043-Bea Hughes, dealing with realistic threats in your org


Realistic Threats 

Nation states aren’t after you

https://twitter.com/beajammingh/status/1191884466752385025

https://twitter.com/beajammingh/status/1198671660150226946

https://twitter.com/beajammingh/status/1198671952824565762

 

https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling 

 

What are credible threats?

Malicious insiders - 

Non-malicious insiders - https://www.scmagazine.com/home/security-news/not-every-insider-threat-is-malicious-but-all-are-dangerous/

    Education issue?

    Is there such a thing as ‘non-malicious’ or is this just bunk?

 

Real threats

    https://resources.infosecinstitute.com/5-new-threats-every-organization-prepared-2018/  

CIO magazine threats -- buzzword threats (we should totally containerize all the things)

Vulns that have names (blue team is stuck dealing with ‘theoretical’ issues e.g. SPECTRE/MELTDOWN)

Lack of well-priced training?

    Dev Training?

    Security Training?

 

Better management communication will reduce threats

    Building trust so they don’t freak when ‘$insert_named_vuln’ shows up

    Gotta frame it to business needs

    “Everyone is vulnerable” - keep FUD to a minimum, don’t exaggerate.

    Know your industry’s threats (phishing, money transfer fraud, malware)

Patreon donor:  Michael K. $10 patron!

Layer8conf - https://www.workshopcon.com/events

https://layer8conference.com/

 

Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of Sponsorships the conference secures.

As a side note WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups.

In terms of sponsorship information for Layer8, Patrick wants people to send an email to sponsors@layer8conference.com

Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!

 

Saturday June 6, 2020, RI Convention Center

 

https://www.dianainitiative.org/

https://twitter.com/DianaInitiative

 

Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)




Wednesday, November 27, 2019

2019-042-CircuitSwan, Gitlabs, Job descriptions that don't suck, layer8con


Diana Initiative

@circuitswan @dianainitiative

https://www.dianainitiative.org/

https://twitter.com/DianaInitiative

 

Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)

 

info@dianainitiative.org

 

Topics  

 

  1. Diana initiatives
    1. Past
      1. 2015 - idea at defcon 23
      2. 2016-17-18 growing but got too big!
      3. 2019 got our own space, ~800 tickets
      1. 2020 plans-westin again, 2 speaking tracks and 1 workshop track, solder village, career village, CTF, lock picking
      2. Mentoring both CFP and presenters this year! (expansion from last year)
      3. student scholarship (we want to double the amount of money, target still 10)
      4. Free tickets (expansion over last year)
    2. Present
      1. Slogan contest 2020
      2. I don’t want to think about 2021 yet :)
    3. Future
      1. Mentors
      2. Reviewers
      3. Volunteers
      4. Donations (giving tuesday, scholarships)
    4. Needs/wants

 

 

  • Other topics of interests
  • Career village / resume clinic work in general (spoken on this twice, volunteer at resume clinic)
  • WAN party / Women’s meetup at Defcon with @sylv3on_ @nemessisc and more
  • GitLab security scans (that's me!) 

 

  1. We are responsible for baking Sec into DevOps and hence write the red team software (well, integrate in most cases) for your appsec team if your devs are using GitLab. We have a security team that secures GitLab itself but that's not us. We have SAST, DAST, Dependency, Secret Detection and License Compliance baked into our paid tier, and SAST is coming down to the free tier! I’m pitching a talk about tuning to shmoocon because it seems like that's the most common question I got as a result of my devsecops talks at derbycon / shellcon / bsidesdc.
    1. N.Schwartz: Are you ready to leverage DevSecOps? BSidesDC 2019

 

 

 

2019 ShellCon Tuneup Tips for Your CV and Profile, From an Interviewer 

 

SE Village Con - Thu, Feb 20 - Sat, Feb 22 | Hilton Orlando Buena Vista Palace




Layer8conf - https://www.workshopcon.com/events

 

https://layer8conference.com/

 

Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of Sponsorships the conference secures.

As a side note WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups.

In terms of sponsorship information for Layer8, Patrick wants people to send an email to sponsors@layer8conference.com

Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!

 

Saturday June 6, 2020, RI Convention Center

 




Wednesday, November 20, 2019

2019-041-circuitswan, diana initiative, diversity initiatives at conferences


Diana Initiative

 

@circuitswan

 

https://www.dianainitiative.org/

https://twitter.com/DianaInitiative

 

Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)

 

info@dianainitiative.org

 

Topics  

 

  1. Diana initiatives
    1. Past
      1. 2015 - idea at defcon 23
      2. 2016-17-18 growing but got too big!
      3. 2019 got our own space, ~800 tickets
      1. 2020 plans-westin again, 2 speaking tracks and 1 workshop track, solder village, career village, CTF, lock picking
      2. Mentoring both CFP and presenters this year! (expansion from last year)
      3. student scholarship (we want to double the amount of money, target still 10)
      4. Free tickets (expansion over last year)
    2. Present
      1. Slogan contest 2020
      2. I don’t want to think about 2021 yet :)
    3. Future
      1. Mentors
      2. Reviewers
      3. Volunteers
      4. Donations (giving tuesday, scholarships)
    4. Needs/wants

 

 

  • Other topics of interests
  • Career village / resume clinic work in general (spoken on this twice, volunteer at resume clinic)
  • WAN party / Women’s meetup at Defcon with @sylv3on_ @nemessisc and more
  • GitLab security scans (that's me!) 

 

  1. We are responsible for baking Sec into DevOps and hence write the red team software (well, integrate in most cases) for your appsec team if your devs are using GitLab. We have a security team that secures GitLab itself but that's not us. We have SAST, DAST, Dependency, Secret Detection and License Compliance baked into our paid tier, and SAST is coming down to the free tier! I’m pitching a talk about tuning to shmoocon because it seems like that's the most common question I got as a result of my devsecops talks at derbycon / shellcon / bsidesdc.
    1. N.Schwartz: Are you ready to leverage DevSecOps? BSidesDC 2019

 

 

 

2019 ShellCon Tuneup Tips for Your CV and Profile, From an Interviewer 

 

SE Village Con - Thu, Feb 20 - Sat, Feb 22 | Hilton Orlando Buena Vista Palace




Layer8conf - https://www.workshopcon.com/events

 

https://layer8conference.com/

 

Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of Sponsorships the conference secures.

As a side note WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups.

In terms of sponsorship information for Layer8, Patrick wants people to send an email to sponsors@layer8conference.com

Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!

 

Saturday June 6, 2020, RI Convention Center

 




Monday, November 11, 2019

2019-040-vulns in cisco kit, google's project 'nightmare', healthcare data issues, TAGNW conference update


Tagnw.org

Amazon Smile - brakesec.com/smile

 

News: 

 

https://www.androidpolice.com/2019/11/11/google-project-nightingale-health-records-collection/

https://www.csoonline.com/article/3439400/secrets-of-latest-smominru-botnet-variant-revealed-in-new-attack.html

https://blog.naijasecforce.com/the-jar-based-malware/ - Ms. Infosecsherpa’s mailing list “nuzzle”

https://www.axios.com/hospitals-cybersecurity-medical-information-hacking-076cb826-fc69-4ba6-b3fd-57ce19ab00c6.html

https://www.axios.com/hospitals-doctors-privacy-records-hacks-data-5cb5d8c1-27de-4cc1-94d8-634015efc04a.html

https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/ 

    https://en.wikipedia.org/wiki/Data_Protection_API

https://latesthackingnews.com/2019/11/10/multiple-security-issues-detected-in-cisco-small-business-routers-update-now/

 

https://www.routefifty.com/tech-data/2019/11/plan-engage-hackers-election-security/161045/ 

 

https://www.darkreading.com/vulnerabilities---threats/microsoft-security-setting-ironically-increases-risks-for-office-for-mac-users/d/d-id/1336268 

 




Sunday, November 3, 2019

2019-039-bluekeep_weaponized-npm_security_cracks-grrcon_report


Grrcon update

 

2019-039-  bluekeep Weaponized… and more

 

Bluekeep weaponized

https://www.bleepingcomputer.com/news/security/bluekeep-remote-code-execution-bug-in-rdp-exploited-en-masse/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/ 

 

https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining

 

NordVPN hacked: https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/

 

Null sessions and how to avoid them:
https://www.dummies.com/programming/networking/null-session-attacks-and-how-to-avoid-them/

https://social.technet.microsoft.com/Forums/en-US/2acdfb53-edee-444e-9ffa-25dcebcd9181/smb-null-sessions

 

Linux has a marketing problem:

https://hackaday.com/2019/10/31/linuxs-marketing-problem/

 

20 accounts could pwn majority of NPM

 

https://www.zdnet.com/article/hacking-20-high-profile-dev-accounts-could-compromise-half-of-the-npm-ecosystem/ 

 

Chrome 0day

 

https://thehackernews.com/2019/11/chrome-zero-day-update.html

 

Indian nuclear plant hacked

https://arstechnica.com/information-technology/2019/10/indian-nuclear-power-company-confirms-north-korean-malware-attack/

 

High Tea Security Podcast: 

https://www.podcasts.com/high-tea-security-190182dc8

 

https://TAGNW.org - Bryan

Panel and talking about networking

 

Securewv.org - Training - https://www.eventbrite.com/e/security-dd-tickets-79219348203 

Bsides Fredericton - https://www.eventbrite.ca/e/security-bsides-fredericton-2019-tickets-59449704667 

 

 




Tuesday, October 29, 2019

2019-038-Deveeshree_Nayak-risk_analysis, and OWASP WIA


OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE

https://www.owasp.org/index.php/Women_In_AppSec

OWASP Women in AppSec

Twitter: 2013_Nayak (reach out and ask to be added)


https://www.tagnw.org/events/


Risk in Infosec

 

Risk - a situation which involves extreme danger and extensive amount of unrecovered loss

    What about risks that are positive in nature?  PMP calls them ‘opportunities’


Risk Analysis - systematic examination of the components and characteristics of risk

 

Analysis Steps - 

        Understanding and Assessment

            Understand there is a risk

            What if a company does not have security standards?

       

           

        Identification

            Identify and categorize risk - 

                Informational risk

                Network risk

                Hardware risk

                Software risk

                Environment risk?

 

https://en.wikipedia.org/wiki/Routine_activity_theory

 

            Scope of risk analysis?

            Threat modeling to find risks?

                https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling 

            SWOT (strength/weakness/opportunities/threats) analysis will discover risks?

            Risk analysis methodologies?

                https://www.project-risk-manager.com/blog/qualitative-risk-techniques/

                https://securityscorecard.com/blog/it-security-risk-assessment-methodology

https://en.wikipedia.org/wiki/Probabilistic_risk_assessment

 

https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration 

 

        Estimation

            Chance that risk will occur (once a decade, once a week)

            Design controls to remediate

 

        Implementation

            Risk assessment is a combined approach

            Combined approach for a risk analysis

                You mentioned a lot of people, what’s the scope?

                How do you do the risk assessment? Framework?

           

        Evaluation

            Evaluation approach

                Like an agile approach

            Provides an informed conclusion

            Report must be clear (no jargon)

        Decision Making

           

 

Examples to Reduce Risk

Training and education

    what kind of testing? Annual Security training?

 

Publishing policies

Agreement with organization

    BAA with 3rd parties

Timely testing


Download here!

Monday, October 21, 2019

2019-038- Ethical dilemmas with offensive tools, powershell discussion with Lee Holmes - Part2


 

Derbycon9 talk - PowerShell Security Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s

 

Encarta - https://en.wikipedia.org/wiki/Encarta

 

Scott Hanselman’s twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409

 

Congrats on the black badge :)

 

I like that you bring up execution policies, and that they were never created to be a security control.

  • I started alerting on it anyway, at least from non-admin devices

 

https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/ 

 

Want to learn Powershell? UnderTheWire wargame: https://underthewire.tech/

 

Jeffrey Snover “The Cultural battle to remove Windows from Windows Server”: https://www.youtube.com/watch?v=3Uvq38XOark

 

You talk about “why would anyone want to remove PowerShell”, as it came as a standalone download and part of the Windows SDK. - I was taught when I was just getting into tech that I should fear PowerShell, and because of that I didn’t realize how powerful it could be as an admin.

 

PowerShell slime trail <3 (PowerShell transparency)

“You can’t force a powerful tool only to be used how you want it to be used, you can tilt the playing field on behalf of defenders”

 

If an attacker is going to use PowerShell, let’s make them regret it

 

PowerShell has had quite an impact and history.

 

My own sorry logging/alerting attempts

 

You mentioned the number of attacks listed in MITRE that use PowerShell; is that *the* recommended resource for blue teamers, or are there others?

 

Revoke-Obfuscation white paper (blackhat2017): https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf

 

https://github.com/danielbohannon/Invoke-Obfuscation 

https://github.com/danielbohannon/Revoke-Obfuscation

 

https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-now-uses-windows-powershell/ 

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POSHCODER.A 

 

Ever thought of writing a PowerShell security-centric book? Bill Pollock was looking for someone to write a book for No Starch…

 

Derbycon keynote with Lee Holmes and Daniel Bohannon - http://www.irongeek.com/i.php?page=videos/derbycon6/101-key-note-jeffrey-snover-lee-holmes

 

AMSI - Antimalware Scan Interface: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

 

Windows PowerShell Cookbook - https://www.amazon.com/dp/B00ARN9MEK/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1

 

Eric Conrad, DeepBlueCLI: https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html

https://github.com/sans-blue-team/DeepBlueCLI 

 

Daniel Bohannon - DevSec Defense - https://www.youtube.com/watch?v=QJe8xikf-iE 

https://github.com/psconfeu/2018/tree/master/Daniel%20Bohannon/DevSec%20Defense 

 

Constrained language mode: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/ 

 

Maslow’s hierarchy of security controls: https://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/

 

Just Enough Administration: https://docs.microsoft.com/en-us/previous-versions//dn896648(v=technet.10)?redirectedfrom=MSDN

 

https://github.com/infosecn1nja/AD-Attack-Defense

 

Also - DrawOnMyBadge.com - Super cool idea, loved the Mona Lisa

 

@Lee_Holmes

@hackershealth

@log-md

@infosecCampout

@seasecEast

 

@brakesec

@bryanbrake

@boettcherpwned

@Infosystir

@packscott

@dpcybuck

@megan_roddie

@consultingCSO

 


Download here!

Wednesday, October 16, 2019

2019-037-Lee Holmes, Powershell logging, and why there's an 'execution bypass'


Derbycon9 talk - PowerShell Security Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s

 

Encarta - https://en.wikipedia.org/wiki/Encarta

 

Scott Hanselman’s twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409

 

Congrats on the black badge :)

 

I like that you bring up execution policies, and that they were never created to be a security control.

  • I started alerting on it anyway, at least from non-admin devices

 

https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/ 

 

Want to learn Powershell? UnderTheWire wargame: https://underthewire.tech/

 

Jeffrey Snover “The Cultural battle to remove Windows from Windows Server”: https://www.youtube.com/watch?v=3Uvq38XOark

 

You talk about “why would anyone want to remove PowerShell”, as it came as a standalone download and part of the Windows SDK. - I was taught when I was just getting into tech that I should fear PowerShell, and because of that I didn’t realize how powerful it could be as an admin.

 

PowerShell slime trail <3 (PowerShell transparency)

“You can’t force a powerful tool only to be used how you want it to be used, you can tilt the playing field on behalf of defenders”

 

If an attacker is going to use PowerShell, let’s make them regret it

 

PowerShell has had quite an impact and history.

 

My own sorry logging/alerting attempts

 

You mentioned the number of attacks listed in MITRE that use PowerShell; is that *the* recommended resource for blue teamers, or are there others?

 

Revoke-Obfuscation white paper (blackhat2017): https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf

 

https://github.com/danielbohannon/Invoke-Obfuscation 

https://github.com/danielbohannon/Revoke-Obfuscation

 

https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-now-uses-windows-powershell/ 

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POSHCODER.A 

 

Ever thought of writing a PowerShell security-centric book? Bill Pollock was looking for someone to write a book for No Starch…

 

Derbycon keynote with Lee Holmes and Daniel Bohannon - http://www.irongeek.com/i.php?page=videos/derbycon6/101-key-note-jeffrey-snover-lee-holmes

 

AMSI - Antimalware Scan Interface: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

 

Windows PowerShell Cookbook - https://www.amazon.com/dp/B00ARN9MEK/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1

 

Eric Conrad, DeepBlueCLI: https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html

https://github.com/sans-blue-team/DeepBlueCLI 

 

Daniel Bohannon - DevSec Defense - https://www.youtube.com/watch?v=QJe8xikf-iE 

https://github.com/psconfeu/2018/tree/master/Daniel%20Bohannon/DevSec%20Defense 

 

Constrained language mode: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/ 

 

Maslow’s hierarchy of security controls: https://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/

 

Just Enough Administration: https://docs.microsoft.com/en-us/previous-versions//dn896648(v=technet.10)?redirectedfrom=MSDN

 

https://github.com/infosecn1nja/AD-Attack-Defense

 

Also - DrawOnMyBadge.com - Super cool idea, loved the Mona Lisa

 

@Lee_Holmes

@hackershealth

@log-md

@infosecCampout

@seasecEast

 

@brakesec

@bryanbrake

@boettcherpwned

@Infosystir

@packscott

@dpcybuck

@megan_roddie

@consultingCSO


Download here!