Wednesday, June 24, 2020

2020-024-Bit of news, Ripple20 vulns, IoT Security, windows error codes, captchas used for evil, Marine Momma


How would we map this against the MITRE matrix?

Are there any MITRE attack types that are so similar that one attack can be two different things in the matrix?


Check out our Store on Teepub!

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email

#Brakesec Store!:




#Youtube Channel:

#iTunes Store Link:

#Google Play Store:

Our main site:

#iHeartRadio App:


Comments, Questions, Feedback:

Support Brakeing Down Security Podcast by using our #Paypal OR our #Patreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM :

#Stitcher Network:

#TuneIn Radio App:

Download here!

Wednesday, June 17, 2020

2020-023-James Nelson from Illumio, cyber resilence, business continuity

James Nelson, VP of Infosec, Illumio

How has COVID-19 changed cybersecurity? Why is cyber resilience especially important now? What are the most important steps to ensure cyber-resiliency? How do you talk to business leaders about investing in cybersecurity to boost resiliency?

The best way for organizations to keep their ‘crown jewels’ secure is adopting a Zero Trust mindset. Organizations need to take advantage of adaptive security infrastructure that can scale to meet current and future organizational needs, and take steps to ensure even third-party hosted data is policy compliant.

Most CISOs don’t talk to the board all the time so they don’t understand that’s the conversation they want to have. By making sure that the security team’s spokesperson has an intelligent plan that shows how wrong things could go. Showing how money is directly connected to mitigating the risks is vital to getting the funding needed, and showing why an increase in spend coordinates with decrease of risk.


Doug Barth and Evan Gilman -

part1 with Masha Sedova:


Key concepts:

Visibility into your environment

Controls necessary to repel attackers

Architecture of the network to create chokepoints (east/west, north/south isolation)

Threat modeling and regular threat assessment

Mechanisms to allow for rapid response

How long will current security controls hold a determined attacker at bay?

Business-wide Risk Management response can often determine resiliency in a Crisis/Breach situation.


Cyber-Resilence Framework (per NIST

What does “cyber resiliency” mean in the to the organization? To the department? To the individual? and what of the mission or business process the system is intended to support?

Which cyber resiliency objectives are most important to a given stakeholder? 

To what degree can each cyber resiliency objective be achieved? 

How quickly and cost-effectively can each cyber resiliency objective be achieved? 

With what degree of confidence or trust can each cyber resiliency objective be achieved? 


(What do we as security people do to ensure that all of these are properly answered? --brbr)

Architecture of systems:

Depending on the age of our information systems and technology stacks, cruft builds up or one-off systems are setup and forgotten. 

We (infosec industry) talk about shifting security left in a DevOps environment to ensure security gets put in, but should we do as an organization when we think about adding systems in terms of cyber-resilience? (It would seem that resilience may also be tied to the security or functionality in a piece of hardware and software. Proper understanding of all the systems capabilities/settings/options would be essential for drafting responses --brbr)


Some related and tangential suggestions for ideas/comments/themes/topics in case you feel like any fit into the conversation:


  • Comparison of security to the human immune system.
  • Does resilience (i.e., assume breach) imply there are failures you can recover from, yet other, existential risks you need to avoid? And what does that mean in practice?
  • How do you define “most valuable assets”? Value vs. obligations vs. ...?
  • Does a compliance mindset help or hinder resilience, and vice versa?
  • Referring back to a prior show, how does the human element contribute to resilience?
  • NIST doc makes a point that resilience only has meaning when it works across a system, how does this idea impact the cost of entry? And is there a tipping point for resilience?
  • Another point made is that speed should be viewed as an advantage. Is there an application of the OODA loop concept to resilience, then?
  • Cyber resilience resonates in other areas: Pandemics, natural disasters, and geo-political stressors. Could impact supply chain workforce effectiveness, other areas. Ransomware (which is cyber, but has other, knock-on effects).

Check out our Store on Teepub!

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email

#Brakesec Store!:




#Youtube Channel:

#iTunes Store Link:

#Google Play Store:

Our main site:

#iHeartRadio App:


Comments, Questions, Feedback:

Support Brakeing Down Security Podcast by using our #Paypal OR our #Patreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM :

#Stitcher Network:

#TuneIn Radio App:


Download here!

Wednesday, June 10, 2020

2020-022-Andrew Shikiar, FIDO Alliance, removing password from IoT, and discussing FIDO implementation

Andrew Shikiar, executive director and CMO of the (Fast IDentity Online) FIDO Alliance.


What is FIDO?

open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords.”

FIDO workflow

Did any one event precipitate creation of the FIDO alliance?



U2F = (yubikeys, tokens)


FIDO supports biometrics -


FIDO certified software and companies:


IBM:  -- 


Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework


NIST guidelines that FIDO meets:


From a threat modeling perspective, how does ‘2fa’ occur when the authenticating method and the browser are on the same device?

Consumer education initiative


IoT Devices-


For Developers:   or - dev information about WebAuthN - upcoming webinars for FIDO related topics


NTT DOCOMO introduces passwordless authentication for d ACCOUNT!forum/fido-dev

Download here!

Monday, June 1, 2020

2020-021- Derek Rook, redteam tactics, blue/redteam comms, and detection of testing

**If Derek told you about us at SANS, send a DM to @brakeSec or email for an invite to our slack**

OSCP/HtB/VulnHub is a game... designed to have a tester find a specific nugget of information to pivot or gain access to greater power on the system. 

Far different in the 'real' world.


Privilege escalation in Windows:

*as of June 2020, many of these items still work, may not work completely in the future*

*even so, many of these may not work if other mitigating controls are in place*






Redteam methodology:


Enumerate the machine


Network connections





Software installed (putty, git, MSO, etc) *older software may install with improper permissions*

Service paths (along with users services are ran as)

Windows Features (WSL, SSH, etc)

Patch level (Build 1703, etc)

Wifi networks and passwords (netsh wlan show profile <SSID> key=clear)

Powershell history

Bash History (if WSL is used)

Incognito tokens

Stored credentials (cmdkey /list)

Powershell transcripts (search text files for "Windows PowerShell transcript start")


Context for above: Understand how the users make use of the system, and how they connect to other systems, follow those paths to find lateral movement, misconfigurations, etc. Each new system or user will provide further information to loot or avenues to explore


Linux EoP:



Mostly the same as above

Bash history or profile files

           Writable scripts (tampering with paths or environment variables)

Setuid/Setgid binaries

Sticky bit directories


Email spools

World writable/readable files

.ssh config files (keys, active sessions)

Tmux/screen sessions

Application secrets (database files, web files with database connectivity, hard coded creds or keys, etc)

VPN profiles

GNOME keyrings-


Ways to defend against those kinds of EoP.

Something cool:  -- high Rollers


Derek is speaking at SANS SUMMIT happening on 04-05 June (FREE!) -


Ms. Berlin is speaking at EDUCAUSE - VIRTUAL (04 June)

Download here!