Brakeing Down Security podcast

A podcast all about the world of Security, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake and Brian Boettcher teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.
RSS Feed Subscribe in iTunes
Brakeing Down Security podcast
2015
May
April
March
February
January


2014
December
November
October
September
August
July
June
May
April
March
February
January


All Episodes
Archives
Now displaying: Page 1
May 17, 2015

When you're working with network infrastructure, there's a real need for proper configuration management, as well as having a proper baseline to work from.

Mr. Boettcher and I continue through the SANS Top25 Critical Security Controls. #10 and #11 are all dealing with network infrastructure. Proper patches, baselines for being as secure as possible. Since your company's ideal security structure needs to be a 'brick', and not an 'egg'.

 

May 10, 2015

We continue our journey on the 24 Deadly Programming Sins. If you listened to last week's podcast, we introduced the book we were using as a study tool:

http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751

This week is on command injection. We first discussed command injection as part of our OWASP Top 10 for 2013, but you'll be surprised just how easy devs compile conditions that allow for command injection into their code as well.

May 8, 2015

At DerbyCon last year, Mr. Boettcher did a microcast with Johnny Long. An inspirational human being who left a life many info professionals dream of, and went to Africa to help disadvantaged people make a better life with access to technology.

Where is the audio you ask? Well, we've posted it on out Patreon so that they can have first dibs on it. We'll post it here this weekend for everyone. 

He is a great individual and we hope you'll enjoy it.

May 3, 2015

Code Audits are a necessary evil. Many organizations resort to using automated tools, but tools may not find all issues with code. Sometimes, you need to take a look at the code yourself. 

Mr. Boettcher and I begin going through the book "24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them" What we covered this week is "buffer overruns", we discuss what they are, and how they occur.

Get ready for a crash course in code audits. The book is not required, but it definitely helps when we are discussing concepts.

We also mentioned our new Patreon account, so if you are a listener, and want to support what we do, you can give on a per month schedule. Donations are entirely optional, and if you don't wish to give, that's fine too.

 

24 Deadly Sins on Amazon:

http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751/ref=sr_1_1?ie=UTF8&qid=1430622916&sr=8-1&keywords=24+deadly+sins+of+software+security+programming+flaws+and+how+to+fix+them

 

https://cwe.mitre.org/

 

 

Apr 26, 2015

When you're faced with major projects, or working to understand why your IDS fails every day at the same time, there must be a way to work that out. Or when you must do the yearly business continuity failover, you need a process oriented framework to track and ensure changes are committed in a sane, orderly manner.

ITIL is a completely versatile, flexible framework that scales with your organization. You can also use it with your software development lifecycle. You can use it to enhance major projects and security initiatives.

Tim Wood joins us for the second part of his interview. We discuss Change Management, Problem Management and making inter-departmental SLAs a reality for proper management of changes.

 

Tim Wood's Presentation: https://drive.google.com/file/d/0B-qfQ-gWynwiVS0zLTZidml0VzA/view?usp=sharing (view only)

Apr 18, 2015

Much of InfoSec and Compliance is all about processes, procedures, controls, audits, and the proper management of all of these.  To do so, you need a proper framework to make these as seamless as possible. ITIL is one of these types of frameworks.

We introduce Mr. Tim Wood on the podcast, who has over 20 years of ITIL experience and began ITIL implementations in banks and Healthcare systems in the United Kingdom. He currently works with different industries to change culture and make an ITIL a reality.

This week, we go over the History of ITIL, and understand the various incarnations from v1.0 to v3.0. You quickly understand where security will start fitting into all those facets of the ITIL framework.

 

Tim Wood's Presentation: https://drive.google.com/file/d/0B-qfQ-gWynwiVS0zLTZidml0VzA/view?usp=sharing (view only)

Apr 7, 2015

Special interview this week! On the heels of their uber successful KickStarter campaign, we brought co-founder Ryan and one of the technical editors Anthony in to discuss what Cybrary is. We also discuss ways you can leverage it in your own business to get quality security awareness training, as well as train up your employees on infosec topics that can benefit your company and employees. You can find out more at http://www.cybrary.it

Apr 4, 2015

It's that time of year again...  when all the reports come out that shows how various industries did over the last year.

Brakeing Down Security went over the results of the Verizon PCI report.  Did companies do worse this year, or could they have actually improved? Listen to our analysis, and what companies can do to learn from this, and how you can use this report to help get a leg up when your QSA comes calling.

 

 http://www.verizonenterprise.com/pcireport/2015/

 

Pay IRS using "Snapcard": http://www.coindesk.com/pay-taxes-bitcoin-snapcard-pay-irs/

 

According to the US Internal Revenue Service (IRS), virtual currencies are treated as "Property": http://www.irs.gov/uac/Newsroom/IRS-Virtual-Currency-Guidance

Mar 28, 2015

We continue our trek down the list of SANS Top 20 Critical Security Controls this week with #12 and #13 - Boundry Defense, and Controlled use of Administrative Privileges.  Learn what you can do to shore up your network defenses, and how to handle admin privileges... When to give that kind of access, and how to make privileged access as secure as possible while still allowing administrators to do their work.

 

 

https://www.sans.org/media/critical-security-controls/CSC-5.pdf

 

 

http://www.openspf.org/

 

https://4sysops.com/

Mar 21, 2015

We invited the organizers of the "TheLab.ms", a Dallas, Texas based hacker/makerspace on the podcast to talk about why they wanted to start a makerspace, the costs and plans to setup a hacker space, and some of the things you can do with a makerspace. We also understand the sense of community and the learning environment gained from these places. 

If you are looking to start a 'space in your area, or looking to understand why they are needed in a community, you'll want to listen to Roxy, Sean, and Jarrod talk about the highs and lows and even some of the gotchas in setting up a space.

Mar 15, 2015

Mr. Boettcher went on vacation and was volunteering for Austin Bsides this week, and I needed to do a podcast, so I enlisted the aid of Lee Brotherston and Jarrod Frates discuss some important topics.  We discuss the seemingly short talent pool for IT/IS positions.  We talk about the ROWHAMMER vulnerability and how it may affect your organization. Additionally, we talk about how the NTP protocol is being maintained by one person and what can be done to help with that, as it is a critical piece of Internet Infrastructure, and finally, we figure out why PGP/GPG is not user-friendly, and if there are ways to make it better, or if it needs to be replaced permanently.

 

News of the week

  1. RowHammer -

http://www.darknet.org.uk/2015/03/rowhammer-ddr3-exploit-what-you-need-to-know/

 

  1. Lack of hire-able people in IT/IS - per Leviathan Sec report. https://www.leviathansecurity.com/blog/scarcity-of-cybersecurity-expertise/

 

  1. NTP maintained by one guy ‘Father Time’

http://www.informationweek.com/it-life/ntps-fate-hinges-on-father-time/d/d-id/1319432

 

  1. Moxie Marlinspike’s GPG/PGP rant: Perfection ruined the goal http://www.thoughtcrime.org/blog/gpg-and-me/

 

Mar 7, 2015

In our continuing discussion with Jeff and "Str4d", we got right to the heart of the matter: Privacy and anonymity.

 

If you're trying to remain anonymous, what steps do the devs of I2P use to keep themselves as anonymous as possible.  We also touch on what the "Browser Exploitation Framework", and why it scares the heck out of Jeff.

 

Finally, I ask them if there is any real 'good' sites on I2P, because of how the media seems to latch on to any story where we hear the bad things of any anonymizing network, is there a way we can improve the image of anonymizing networks.

 

*** If you have a blog, and it's about security/privacy/compliance, please consider adding us as a write-in for '2015 Best New Security Podcast' here:

https://www.surveymonkey.com/s/securitybloggers***

 

Show notes: https://docs.google.com/document/d/1Vh0HiUDXchesI2-BlthztoIIswZa0GZa_Jg0mOu0ao4/edit?usp=sharing

Feb 28, 2015

Mr. Boettcher got a hold of the developers and maintainers of the anonymizing network "I2P". We talked with "str4d" and "Jeff" this week.

In Part 1 of the interview, we discuss the technical aspects of I2P, how it functions, how 'Garlic routing' works, and how the flood Fill servers allow for I2P to function effectively.

In the final segment, we discuss form factors, specifically if I2P is available for embedded systems like Raspberry Pi.

If you find Tor not to your liking, give I2P a try... it's goals are the same, but the method of security and privacy are different. Plus, as you can hear from the podcast, it's very much a tight knit community of security and privacy enthusiasts.

 

Show notes, links, and contact info: 

https://docs.google.com/document/d/1Vh0HiUDXchesI2-BlthztoIIswZa0GZa_Jg0mOu0ao4/edit?usp=sharing

Feb 21, 2015

The second part of our interview with Pawel discussed Content management systems, and how you can integrate CSP in Drupal, Django, and the like.

Content managers, you'll want to listen to this, especially about how CSP can help you secure the content on your systems, as well as protect customers from web based attacks using the sandboxing functions of CSP

Pawel's Blog = ipsec.pl

Pawel's CSP builder app = cspbuilder.info

Quick Guide to CSP: http://content-security-policy.com/

 

 

Feb 16, 2015

Pawel Krawczyk did an interview with us about Content Security Policy. Learn about what it is, and whether or not the latest browsers can support it.

 

We also talk about how you can get around it, if there are ways to avoid it if you are a bad guy, and how you can get the most out of it.

If you're a web developer, and want to reduce your site's chances of allowing XSS, you'll want to take a listen to this.

 

https://w3c.github.io/webappsec/specs/content-security-policy/#changes-from-level-1

https://w3c.github.io/webappsec/specs/content-security-policy/#directive-sandbox

Feb 10, 2015

Extra special treat this week!  We do a continuation of our review of the Top 20 Security Controls, in which we do #14 and #15, which all of you will find very interesting.

 

But the real reason we are posting this today is the Call for Papers and Call for Mentors for the Bsides Las Vegas Proving Grounds! We invited Magen Wu (@tottenkoph) on to discuss. If you've ever asked yourself "I'd like to give a talk, but they'd never put me on"  NOW IS YOUR CHANCE! :)

This is a great opportunity if you're a veteran speaker, or just want to give back to the community at large... You can mentor a n00b to help them create a topic, help them hone their paper, and be with them when they give the talk at Bsides Las Vegas in July.  

Many thanks to @tottenkoph and @securitymoey. They need your help, both as a mentor and a mentee.  This is also an excellent networking opportunity. You get 1-on-1 access to an often influential mentor, someone in the infosec community, and your talk will be seen by several hundred people. hmmm.... maybe I should put one in :D

 

-----

SANS #14-10: 

Ensure that the log collection system does not lose events during peak activity, and that the system detects and alerts if event loss occurs (such as when volume exceeds the capacity of a log collection system). This includes ensuring that the log collection system can accommodate intermittent or restricted-bandwidth connectivity through the use of handshaking / flow control.

------

 

 

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Feb 7, 2015

During our research with Lee Brotherston, who we had on last week for our podcast on threat modeling, we got to listen to one of his talks about how his ISP in Canada was actively doing a Man-in-Middle injection of a banner into sites that he visited.  

 

We were intrigued, and also gobsmacked (I can say that, right?) about the brashness of an ISP not apparently understanding the security implications of this, so we had him back on totalk about the finer points of his research.  The bad news? Other ISPs, including American ISPs are using this technology.

 

This is one of those podcasts that you need to tell your friends about, cause it's truly surprising the lengths ISPs go to injecting content into your pages.

 We also have a short message about the Bsides Las Vegas Proving Grounds this year... If you've wanted to present a paper at a conference, and have a mentor guide you through the process, hit them up on the Proving Grounds page at http://www.bsideslv.com

Show notes (lots of info): https://docs.google.com/document/d/1YLkiRE1SVIyWquWc-iQrESWlT10rSJmW1VcrOX3kQZ0/edit?usp=sharing 

 

 

 

 

 

 

 

 

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Feb 1, 2015

Threat Modeling... ranks right up there with Risk Assessments in importance...  You gotta figure out how the applications you're creating or the systems you're engineering are secure.  It really takes knowing your application and really, knowing the enemies/factors that can cause your application to fail, from santizing inputs on a web app, to making sure that your code doesn't have use-after-free bugs.

Brakeing Down Security talked about conducting threat modeling and application reviews with Lee Brotherston (@synackpse) from Leviathan Security (@LeviathanSecurity) this week. We discuss types of risk analysis, including one named 'Binary Risk Analysis', which may simplify assessment of your computer systems.  

 

Show notes = https://docs.google.com/document/d/1K-eycek2Xud7loVC4yrHg6eHCY0oyztV_ytbY433oYk/edit?usp=sharing

 

 

 

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Jan 25, 2015

Mr. Boettcher and I went over the bottom 5 of the SANS Top 20 security controls that businesses should implement. When put into the right order, you should be able to have an environment that is able to withstand most any attack.

We also talk about 5 'Quick Fixes' that will put you on the right track with becoming more secure.

 

You may be surprised at what is considered a priority...  have a listen: (QR code links to the mp3)

 

Show notes: https://docs.google.com/document/d/1JuRJ-RPTmw50pTeO82rb9_rC8tFf53eiUzkppfwQvs0/edit?usp=sharing

 

 

 

 

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Jan 17, 2015

Brakeing Down Security tackles the 'Deep Web' this week... yep, we talk about Tor. If you don't have a lot of experience with this or wonder how it works, we give you a little history and help you understand the traffic flow works.

 

We even give you some advice on de-identification and things you shouldn't allow when traveling the Deep Web, like Javascript, Flash, and Java.

 

Show Notes:

https://docs.google.com/document/d/1vBI_bg_0RzF_sSNMj84xQpEZGUrxtAkB8SxZ08MzUi0/edit?usp=sharing

 

 

 

 

 

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Jan 10, 2015

Security's the same, the world around...  and is a necessity in businesses of all sizes, from the mega-corporations, all the way down to the business with 10 employees in a garage in suburbia.

This week, Mr. Boettcher and I discuss security in small businesses. What is needed to make security part of the culture of a new company. We discuss some open source tools to ensure that networks are monitored properly, logs are collected, collated, and analyzed. And better yet, these are on the cheap, which is helpful for a small business on a tight budget.

 QR code links directly to the episode...

 

 http://www.ihotdesk.co.uk/article/801717385/Most-small-businesses-have-faced-InfoSec-breach-recently

 https://blog.whitehatsec.com/infosec-europe-wrapup/

 

 http://www.infosectoday.com/Articles/DRPlanning.htm

 

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Jan 4, 2015

This is a quick little podcast I did without Mr. Boettcher about a Twitter discussion that occurred when Dr. Neil Degrasse Tyson mentioned that we should just make computers 'unhackable'.

The first episode of the 2015 season of Brakeing Down Security is here!

 

Tweet from Dr. Neil Degrasse Tyson

                        https://twitter.com/neiltyson/status/551378648578916353

Rebuttal from Kevin Johnson

 

                        https://twitter.com/secureideas/status/551510885441998848

 

 

 

"Dirt Rhodes"

Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 3.0

http://creativecommons.org/licenses/by/3.0/

Dec 26, 2014

We at Brakeing Down Security world headquarters don't understand the concept of 'End of the Year' podcast, so consider this the "End-End of the Year" podcast.

We talked about the order of things... whether Compliance is a detriment to Security, and who should be running who.

 

So pull up a glass of eggnog, grabbing another cookie, and put another log on the fire, cause Brakeing Down Security is throwing out one more for the year!  Happy Holidays... all of them... :)

Dec 21, 2014

It's a Super Deluxe sized Brakeing Down Security this week...

It's something you've dreamed of forever (or not), but Jerry Bell and Andrew Kalat from Defensive Security Podcast stopped by and we made ourselves a podcast baby... Boy, was it ugly :)

I'm just kidding, we had a great time discussing some news, and going over what we learned... and any good end-of-year podcast must have predictions...  

We also discussed Sony, caused it's huge news of the year, and talked about Target, because we love dissing PCI... ;)

There might be a few bad words, so if you have small ears around, be advised...

When you're done, check out the other 96 episodes of Defensive Security, and check out our 55 other episodes..

 

http://www.defensivesecurity.org/

Twitter handles:

Andrew Kalat: https://twitter.com/lerg

Jerry Bell: https://twitter.com/Maliciouslink

 

 

Icon provided by DefensiveSecurity.org... I'd imagine they'd let us use it, since they were on the podcast ;)

Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) 
Licensed under Creative Commons: By Attribution 3.0
http://creativecommons.org/licenses/by/3.0/

Dec 15, 2014

This week, Tyler gave us a great deal of information on where to start if you wanted to become a malware researcher. He also gave us websites where you can get malware and ways to analyze it. 

We asked Tyler what blue teams can do when they are infected, and he gave us some excellent advice...

I also recite some prose from a classic horror author, so come for the malware, stay for the prose! :)

***NOTE: I guess now would be a good time to mention that many of the links below have unsafe software and actual malware payloads, so use with extreme caution. Especially do not download anything from these sites unless it's in a VM that is not on your companies assets.***

http://www.hopperapp.com/ - Disassemble OSA binaries

http://en.wikibooks.org/wiki/X86_Disassembly/Disassemblers_and_Decompilers - other Disassemblers

http://vxheaven.org/ - Virus Heaven

http://www.malwaredomainlist.com/ - Find websites serving malware

http://oc.gtisc.gatech.edu:8080/ - Georgia Tech malware repository

Sandboxie - http://www.sandboxie.com/

KoreLogic - http://www.korelogic.com/ (lots of great tools here)

http://secshoggoth.blogspot.com/ - Tyler's Blog

1 2 3 4 Next »