Info

Brakeing Down Security Podcast

A podcast all about the world of Security, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.
RSS Feed Subscribe in iTunes
Brakeing Down Security Podcast
2017
May
April
March
February
January


2016
December
November
October
September
August
July
June
May
April
March
February
January


2015
December
November
October
September
August
July
June
May
April
March
February
January


2014
December
November
October
September
August
July
June
May
April
March
February
January


All Episodes
Archives
Now displaying: 2017
May 9, 2017

 Zero trust networking may be a foreign concept to you, but Google and others have been utilizing this method of infrastructure and networking for quite a while now. It stands more traditional networking on it's head by not having a boundry in the traditional sense. There's no VPN, no ACLs to audit, no firewall to maintain... Sounds crazy right?

Well, it's all about trust, or the lack of it. No one trusts anyone without a proper chain of permission. Utilizing 2FA, concepts of port knocking, and CA certificates are used to properly vet both the host and the server and are used to keep the whole system safe and as secure as possible.

Sounds great right? Well, and you can imagine, with our interview this week, we find out that it's not prefect, people have to implement their own Zero Trust Networking solution, and unless you are a mature organization, with things like complete asset management, data flow, and configuration management, you aren't ready to implement it.

Join us as we discuss Zero Trust Networking with Doug Barth (@dougbarth), and Evan Gilman (@evan2645)

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-017-Zero_Trust_Networks.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

show notes:

 

The lines are blurring:

 

DevOps

NetOps

SDN

SDP

docker/containerization

2FA authentication

 

https://devcentral.f5.com/articles/load-balancing-versus-application-routing-26129

http://www.darkreading.com/attacks-breaches/zero-trust-the-way-forward-in-cybersecurity/a/d-id/1327827

All good points, except no one wants to do the needful bits (ID’ing information, data flow, proper network design)

https://www.beyondcorp.com/

 

https://en.wikipedia.org/wiki/Software_Defined_Perimeter

 

Where is this Google article???

http://www.tomsitpro.com/articles/google-zerotrust-network-own-cloud,1-2608.html

https://cloud.google.com/beyondcorp/

https://www.theregister.co.uk/2016/04/06/googles_beyondcorp_security_policy/

 

Who benefits from this? Network engineers, apparently… :)

Devs?

IT?

Sounds like a security nightmare… who would get the blame for it failing

 

How do we keep users from screwing up the security model? Putting certs on their personal boxes?

 

Prior BrakeSec shows:  Software Defined Perimeter with Jason Garbis

http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3

 

http://shop.oreilly.com/product/0636920052265.do

 

Doug Barth Twitter: @dougbarth

 

Evan Gilman Twitter:  @evan2645

 

Runs counter, right? We are used to not trusting the client…

 

A Mature company can only implement

Device inventory

Config management

Data flow

Asset management

 

Micro-services?  

Brownfield networks

Sidecar model -

Certain OSes not possible

May 2, 2017

 Malware is big business, both from the people using it, to the people who sell companies blinky boxes to companies saying that they scare off bad guys.

The latest marketdroid speak appears to be the term 'fileless malware', which by definition...

 

FTA: “Malware from a "fileless" attack is so-called because it resides solely in memory, with commands delivered directly from the internet. The approach means that there's no executable on disk and no artefacts ("files") for conventional computer forensic analysis to pick up, rendering the attacks stealthy, if not invisible. Malware infections will still generate potential suspicious network traffic.”

 

https://www.theregister.co.uk/2017/04/28/fileless_malware_menace/ -- by definition, not ‘fileless’

But many of the 'fileless' attacks require a 'file' to be opened to enable the initial infection.

This week, Michael Gough (@hackerhurricane) comes on to discuss his latest blog post (http://hackerhurricane.blogspot.com/2017/05/fileless-malware-not-so-fast-lets.html) and we discuss the fact that a lot of malware classification and categorization and how it fails to actually convey to leaders what it affects

 

https://business.kaspersky.com/targeted-attacks-trends/6776/

http://www.binarydefense.com/powershell-injection-diskless-persistence-bypass-techniques/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-016-fileless_malware_reclassifying_malware_types.mp3

 

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Bsides Springfield, MO Eventbrite for Tickets: https://www.eventbrite.com/e/bsides-springfield-tickets-33495265240 (only 27 tickets left as of 28 Apr)

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Apr 27, 2017

This week, we have a little story time. Developers should be aware of the kinds of vulnerabilities their code can be attacked with. XSS, Buffer overflows, heap overflows, etc should be terms that they understand. But is it enough that they are 'aware' of them, and yet seem to do nothing? Or should they be experts in their own particular area of development, and leave infosec people to deal with more generic issues?

We discuss the pros and cons of this argument this week, as well as how the idea of training people are flawed, because of who holds the purse strings. 

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-015-security_expert-vs-Security_aware_devs.mp3

 

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Bsides Springfield, MO Eventbrite for Tickets: https://www.eventbrite.com/e/bsides-springfield-tickets-33495265240 (only 27 tickets left as of 28 Apr)

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Apr 20, 2017

So, I (Bryan) had a bit of a work issue to discuss. It has become one of my myriad jobs at work to write up some policies. In and of itself, it's not particularly fun work, and for whatever reason, this is causing me all kinds of issues. So this week we take a quick look at why I'm having these issues, if they are because I don't get it, or because the method I must follow is flawed.

After that, we add on to last week's show on #2FA and #MFA (http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3) by discussing why scientists are trying to create a 'master fingerprint' capable of opening mobile devices. We talk about FAR and FRR (false acceptance/rejection rates), and why the scientists may actually be able to pull it off.

We discussed Ms. Berlin's trip to the AIDE conference (https://appyide.org/), a two day #DFIR conference held at Marshall University by our good friend Bill Gardner (@oncee on Twitter). She gave a great interactive talk on working through online wargames and CTFs, and we get her update on the conference.

Finally, we did discuss a bit about the #ShadowBroker dump of #NSA tools. We discussed how different people are taking this dump over the #Wikileaks #CIA dump.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-014-Policy_writing_for_the_masses-master_fingerprints_disneyland.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

--- show notes----

 

Discuss AIDE with Ms. Berlin

 

Log-MD.com posted their first video.

 

Fingerprint Masters (a case against biometrics):

http://www.popsci.com/computer-scientists-are-developing-master-fingerprint-that-could-unlock-your-phone

http://www.digitaltrends.com/cool-tech/master-prints-unlock-phones/


Encrypted comms causing issues for employers: https://iapp.org/news/a/employers-facing-privacy-issues-with-encrypted-messaging-apps/

 

ShadowBrokers dump

“Worst since Snowden”

https://motherboard.vice.com/en_us/article/the-latest-shadow-brokers-dump-of-alleged-nsa-tools-is-awful-news-for-the-internet

https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/

 

Making policies, easier said than done

Discuss DefSec chapter on Policies

Difficulty: aligning policies with compliance standards

FedRamp, PCI, etc

Writing a good policy so that it follows the guidelines

 

http://shop.oreilly.com/product/0636920051671.do -- Defensive Security Handbook

Apr 13, 2017

Most everyone uses some kind of Multi-factor or '2 Factor Authentication". But our guest this week (who is going by "Matt" @infosec_meme)... Wanted to discuss some gotchas with regard to 2FA or MFA, the issues that come from over-reliance on 2FA, including some who believe it's the best thing ever, and we finally discuss other methods of 2FA that don't just require a PIN from a mobile device or token.

We also discuss it's use with concepts like "beyondCorp", which is google's concept of "Software Defined Perimeter" that we talked about a few weeks ago with @jasonGarbis (http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3)

This is a great discussion for people looking to implement 2FA at their organization, or need ammunition if your boss thinks that all security is solved by using Google Auth.

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

---------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25    AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

 

 

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Show Notes:

 

What does MFA try to solve:

  • Mitigate password reuse
  • Cred theft - Someone stealing credentials from embarassingadultsite.com and turns they work out on a totallyserious.gov RDP server
  • Phishing bad - same as above, except now you convince someone totallyseriousgov.com is legit and they give you credentials

 

Cred theft:

 

Phishing:

 

MFA / Bad things happening with that:

 

Phishing/2FA/Solutions?

  1. a) What does multifactor actually solve?
  2. b) Are we (infosec industry) issuing multifactor solutions to people just so people make money?
  3. c)  Do these things give a *false* sense of security?
  4. d) What do you think about storing the token on the same box? Especially given an actor on the box is just going to steal creds as they’re entered.

 

Internal training / is this actually working?


Australia Post didn't think so

https://www.itnews.com.au/news/why-australia-post-ransomwared-its-own-staff-454987

 

Counterpoints:

It's irritating and does break at times ( https://twitter.com/dguido/status/842448889697447938 )

C: I don’t like running some silly app on my phone

C: I also don’t like running around with a physical token

C: Embedding a Yubico nano in my usb slot leaves me with one usb port left

Also doesn’t solve when someone just steals that token

 

Does any of it matter:

Beyondcorp / "Lets make the machines state be part of the credential"

https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf

  • Tl;dr of paper: TPMs, certificates and a lot of health checks - think of NAC on steroids

Is there some way we (not google) can make it so a credential is worthless?

 

Solutions:

Duo / “There's an app on my phone and it has context about what wants to do something right now”

Probably a step in the right direction

Kind of like some Aus banks which SMS you before transferring $X to Y account

Okta - (grab links to spec)

META // Does this actually solve it?

OAUTH - (grab links to spec)

Attacking OAUTH - https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/

META // It’s not MFA, but it makes the cost of unrelated compromise significantly lower

META // Engineering things to short lived secrets is a better idea

 

I think one of the better ideas being put out was by google in 2014, the ‘beyondcorp’ project (https://research.google.com/pubs/pub43231.html), simply put:

  • The devices used everywhere are chromebooks run in standard mode rather than developer mode
    • (Whitelisting For Free™)
  • Everything is a web app
  • Everything else can’t run due to app whitelisting built-in
  • The device needs to also authenticate before the user can do anything, and is used as part of the judgement for access control engines
  • Everything cares about the machine the user is using - It’s part of the credential
  • Passwords are no longer important and it’s all single sign on
    • Suddenly credential theft doesn’t matter
  • The device uses certificates to attest to its current state, so stolen passwords without a valid device don’t matter
  • As the device is a glorified web browser, and has app whitelisting, you’re not going to get code execution on it, malware no longer matters
    • Caveat, someone will probably think of some cool technique and that’ll ruin everything
    • See: Problem of induction / “Black swan event”

 

Obviously this is a massive undertaking and would require massive overhaul of everything, but it did look like Google were able to pull it off in the end. (https://research.google.com/pubs/pub44860.html).

 

Tavis is banging on LastPass again…  https://www.ghacks.net/2017/03/21/full-last-pass-4-1-42-exploit-discovered/

 

Duo Security // Beyondcorp

https://duo.com/blog/beyondcorp-for-the-rest-of-us



More info on Beyondcorp

https://www.beyondcorp.com

 

Misc// Hey google wrote a paper on U2F a while back

http://fc16.ifca.ai/preproceedings/25_Lang.pdf


Touched on briefly / “Secure Boot Stack and Machine Identity” at Google - Servers which need to boot up into a given state (Sounds like U/EFI except ‘ Google-designed security chip’)

https://cloud.google.com/security/security-design/resources/google_infrastructure_whitepaper_fa.pdf


META // Patrick Gray (sic) interviewed Duo last week and talked about the same thing

https://risky.biz/RB448/

Apr 5, 2017

One of our Slackers (people who hang with us on our Slack Channel) mentioned that he was writing exam materials for one of the programs created by the UK Government to train high school and/or people headed to university in skills without the traditional 4 year education track.

I was very intrigued by this, since we don't appear to have anything like this, outside of interning at a company, which means you're not considered a full-time employee, have no benefits, and there's no oversight about what you are learning. (Your mileage may vary)

So we asked Liam Graves (@tunnytraffic) to come on and discuss his experience, and how he was enjoying it. We discuss various methods of alternative educations here and in the UK, as well as why someone should possibly consider an apprenticeship. We also discuss how that would work in the US (or could it?)

Also, I very sorry Ireland ... :) I did not mean to lump you in the rest of the Commonwealth...

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-012-UK_Gov_apprenticeships_with_Liam_Graves.mp3

Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

 

-----

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

--

 

Show Notes:

UK apprenticeship schemes:

long established though a recent focus shift back from academic achievement to hands-on skills and understanding/applying more than just remembering.

End Point Assessment - project based final assessment.

 

A mix of targeted learning and on-the-job experience working towards a brief: https://www.thetechpartnership.com/globalassets/pdfs/apprenticeship-standards/cyber-intrusion-analysis/occupational-brief-cyber-intrusion-analyst.pdf

 

Boring - but some background reading. Apprentices at this level will use levels 1-3 of Bloom’s taxonomy (https://en.wikipedia.org/wiki/Bloom's_taxonomy) 1) Remembering (What type questions). 2) Understanding (Which of these/Why type questions) 3) Applying (It this then what scenarios and questions)

 

Other schemes include (new and existing):

  • Cyber Intrusion Analysts
  • Cyber Security Technologists
  • Data Analysts
  • Digital Marketers
  • Infrastructure Technicians
  • IT Technical Salesperson
  • Network Engineers
  • Software Developers
  • Software Development Technicians
  • Software Testers
  • Unified Communications Trouble-shooters (no idea what these ones are)
  • Unified Communications Technicians

 

https://www.gov.uk/apply-apprenticeship (links for Scotland & Wales on the same page).

 

https://www.thetechpartnership.com/about/ - employers drive the training for the type of employees they need.

 

Routes to employment - fast paced industry so 1) older pathways may not be relevant. 2) there are so many ways in to the industry pick the right one for you - there’s a difference between people who appreciate structured learning, are autodidactic, learn extra and over what’s expected, dev, risk, red/blue team, academic, hands-on, etc.

 

Internships (rarer, though some degrees offer a year in industry and will assist in making positions available)

 

Graduate schemes - very common, will give a grad opportunities to move around the business. Direct hires from uni.

 

IBM has a trade school - hiring 2,000 US Veterans in the next 5 years

https://www.axios.com/ibm-2000-jobs-exclusive-2317626492.html

 

Technical schools

http://www.browardtechnicalcolleges.com/

http://www.bates.ctc.edu/ITSpecialist

 

DoL apprenticeship programs

https://oa.doleta.gov/bat.cfm

 

Difference between ‘for-profit’ and ‘trade schools’

 

Internships = some companies are paying fat bank:

http://www.vanityfair.com/news/2016/04/summer-interns-at-tech-start-ups-are-making-six-figure-salaries

 

Washington State trades/apprenticeships

Mostly ‘blue’ collar positions

http://www.lni.wa.gov/TradesLicensing/Apprenticeship/Programs/TradeDescrip/

Few ‘technical positions’

 

Not sure there is an ‘apprenticeship’ in the US, outside of ‘internships’ that are given to college students

No ‘junior security architects’, or ‘junior pentesters’

Yet non-technical positions have junior slots

Manager / Senior manager, Project manager / Sr. Project manager

 

Difficulty in infosec apprenticeships

What are the ‘starter’ jobs?

IT related

Sysadmins

Log analyst

 

Useful links:

https://www.gov.uk/government/news/huge-response-to-join-cyber-security-apprenticeship-scheme

https://www.gov.uk/guidance/cyber-security-cni-apprenticeships

https://www.ncsc.gov.uk/new-talent

 

All available apprenticeships:

https://www.gov.uk/government/collections/apprenticeship-standards

 

Employer commitments:

https://www.gov.uk/take-on-an-apprentice

 

For people looking to pivot from non-Infosec jobs into cyber security:

https://cybersecuritychallenge.org.uk/about/new-to-the-challenge

https://www.scmagazineuk.com/government-cyber-retraining-academy-graduates-snapped-up-by-industry/article/647986/

https://www.gov.uk/government/publications/apprenticeship-levy-how-it-will-work/apprenticeship-levy-how-it-will-work

 

 

 

Mar 29, 2017

We talked with Jason Garbis this week about Software Defined Perimeter (SDP). Ever thought about going completely without needing a VPN? Do you think I just made a crazy suggestion and am off my medications? Google has been doing it for years, and organizations like the Cloud Security Alliance are expecting this to be the next big tech innovation. So much so, that they are already drafting version 2 of the SDP guidelines.

So after talking with a friend of mine about how they were trying to implement it, he suggested talking to Jason, since he was on the steering committee for it. While Jason does work for a company that sells this solution, our discussion with him is very vendor agnostic, and he even discusses an open source version of SDP that you could implement or test out as a PoC (details in show notes below).

This is a great topic to stay on top of, as one day, your CTO/CIO or manager will come by and ask about the feasibility of implementing this, especially if your company assets are cloud based...  So have a listen!

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3

Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

Itunes: (look for '2017-011') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

 

 

 

-----

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

---

 

Show Notes:

https://en.wikipedia.org/wiki/Software_Defined_Perimeter

https://cloudsecurityalliance.org/group/software-defined-perimeter/

    Hmmm… seems like a standard created by companies selling their products for it

        Have a product, create a problem, fix the problem...

 

How much alike is this to things like ‘Beyondcorp’?

    https://www.beyondcorp.com/

    http://www.networkworld.com/article/3053561/security/learning-about-sdp-via-google-beyondcorp.html

 

De-perimeterization - removing all the bits ‘protecting’ your computer

    Treat your computers as ‘on the Internet’

    https://en.wikipedia.org/wiki/De-perimeterisation

https://collaboration.opengroup.org/jericho/SPC_swhitlock.pdf

 

https://github.com/WaverleyLabs/SDPcontroller

 

2FA becomes much more important, or just plain needed, IMO --brbr

 

Questions:

    How will development of applications change when attempting to implement these technologies?

   

    If we allow deperimeterization of legacy apps (like Oracle products), with a complicated security model, how do you keep these older apps under control?

 

    Can this cut down on the “Shadow IT” issue? Does the user control the certs?

    How does this work with devices with no fully realized operating systems?

        Phones, HVAC, IoT

        Legacy SCADA or mainframes?

 

    What is the maturity level of a company to implement this?

        What minimum requirements are needed?

            Asset management?

            Policies?

        Who/how do you monitor this?

            More blinky boxes?

            Will WAFs and Web proxies still function as expected?

    Are there any companies companies were this is not a good fit?

        What’s the typical timeline for moving to this network model?

        What’s the best way to deploy this?

            Blow up old network, insert new network?

            Phase it in with new kit, replacing old kit?

    Compliance

        How do explain this to auditors?

            “We don’t have firewalls, that’s for companies that suck, we are 1337”

Other than “scalability” (which seems like regular solutions would have as well) I’d like to know what real value they provide

Mar 22, 2017

Our very own Ms. Berlin and Mr. Lee Brotherston (@synackpse), veteran of the show, co-authored an #O'Reilly book called the "Defensive Security Handbook"

We talk with Amanda and Lee (or Lee and Amanda :D ) about why they wrote the book, how people should use the book, and how you can maximize your company's resources to protect you.

The best thing is that you can pick up the ebook right now! It's available for pre-order on Safari books (Link), or pre-order on Amazon.com (Link)

Hope you enjoy!

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-010-Defensive_Security_handbook.mp3

Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

Itunes: (look for '2017-010') https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

 

 Previous Lee Brotherston episodes:

Threat Modeling w/ Lee Brotherston

Is your ISP MiTM-ing you

 Lee fills in for Mr. Boettcher, along with Jarrod Frates

TLS fingerprinting application

 

#Bsides #London is accepting Call for Papers (#CFP) starting 14 Febuary 2017, as well as a Call for Workshops. Tickets are sold out currently, but will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/   

CFP closes 27 march 2017

------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Mar 14, 2017

Wikileaks published a cache of documents and information from what appears to be a wiki from the Central Intelligence Agency (CIA).

This week, we discuss the details of the leak (as of 11Mar 2017), and how damaging it is to blue teamers.

To help us, we asked Mr. Dave Kennedy  (@hackingDave) to sit down with us and discuss what he found, and his opinions of the data that was leaked. Mr. Kennedy is always a great interview, and his insights are now regularly seen on Fox Business News, CNN, and MSNBC.

Dave isn't one to rest on his laurels. For many of you, you know him as the co-organizer of #derbycon, as well as a board member of #ISC2.  We ask him about initiatives going on with ISC2, and how you (whether or not you're a ISC2 cert holder). You can help with various committees and helping to improve the certification landscape. We talk about how to get involved.

We finish up asking about the latest updates to DerbyCon, as well as the dates of tickets, and we talk about our CTF for a free ticket to DerbyCon.

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-009-dave_kennedy_vault7_isc2_derbycon_update.mp3

Youtube:  https://www.youtube.com/watch?v=lqXGGg7-BlM

iTunes: https://itunes.apple.com/us/podcast/2017-009-dave-kennedy-talks-abotu-cias-vault7-isc2/id799131292?i=1000382638971&mt=2

 

#Bsides #London is accepting Call for Papers (#CFP) starting 14 Febuary 2017, as well as a Call for Workshops. Tickets are sold out currently, but will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/   

CFP closes 27 march 2017

------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

--show notes--

http://www.bbc.com/news/world-us-canada-10758578

 

WL: “CIA ‘hoarded’ vulnerabilities or ‘cyber-weapons’

    Should they not have tools that allow them to infiltrate systems of ‘bad’ people?

    Promises to share information with manufacturers

        BrBr- Manufacturers and devs are the reason the CIA has ‘cyber-weapons’

            Shit code, poor software design/architecture

            Security wonks aren’t without blame here either

 

http://www.bbc.com/news/technology-39218393  -RAND report

        Report suggested stockpiling is ‘good’

            “On the other hand, publicly disclosing a vulnerability that isn't known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve.”

 

Encryption does still work, in many cases… as it appears they are having to intercept the data before it makes it into secure messaging systems…  

http://abcnews.go.com/Technology/wireStory/cia-wikileaks-dump-tells-us-encryption-works-46045668

 

(somewhat relevant? Not sure if you want to touch on https://twitter.com/bradheath/status/837846963471122432/photo/1)

 

Wikileaks - more harm than good?

    Guess that depends on what side you’re on

    What side is Assange on? (his own side?)

    Media creates FUD because they don’t understand

        Secure messaging apps busted (fud inferred by WL)

            In fact, data is circumvented before encryption is applied.

Some of the docs make you wonder about the need for ‘over-classification’


Vulnerabilities uncovered

 

Samsung Smart TVs “Fake-Off”

Tools to exfil data off of iDevices

    BrBr- Cellbrite has sold that for years to the FBI

        CIA appears to only have up to iOS 9 (according to docs released)

Car hacking tech

Sandbox detection (notices mouse clicks or the lack of them)

    Reported by eEye: https://wikileaks.org/ciav7p1/cms/page_2621847.html

Technique: Process Hollowing: https://wikileaks.org/ciav7p1/cms/page_3375167.html

    Not new: https://attack.mitre.org/wiki/Technique/T1093

**anything Mr. Kennedy feels is important to mention**

 

What can blue teamers do to protect themselves?

    Take an accounting of ‘smart devices’ in your workplace

        Educate users on not bringing smart devices to work

            And at home (if they are remote)

                Alexa,

        Restrict smart devices in sensitive areas

            SCIFs, conference rooms, even in ‘open workplace’ areas

           

    Segment possibly affected systems from the internet

    Keep proper inventories of software used in your environment

    Modify IR exercises to allow for this type of scenario?

    Reduce ‘smart’ devices

        Grab that drill and modify the TV in the conference room

        Cover the cameras on TV

            Is that too paranoid?

        Don’t setup networking on smart devices or use cloud services on ‘smart’ devices

    Remind devs that unpatched or crap code can become the next ‘cyber-weapon’ ;)

Mar 6, 2017

If you were under a rock, you didn't hear about the outage that #Amazon #Web Services (#AWS) suffered at the hands of sophisticated, nation-state... wah?

 "an authorized #S3 team #member using an established #playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended."

Well... okay, so for companies that do regular IR response tests and have a good majority of their assets and production in cloud based services, is it time to discuss having the 'extreme' scenario of 'What do we do when [AWS|Azure|Google Compute] goes down?'

We also discuss an article about #developers who want to get rid of the #whiteboard #interview... is it as #discriminatory as they suggest, or is it just devs who aren't confident or lacking #skills trying to get hired? (see show notes below for links)

Finally, we talk about Ms. #Berlin's talk she will be giving at #AIDE on 6-7 April. It's gonna be a "hands-on" talk.  What do we mean? Listen to our show and find out.


#AIDE - https://appyide.org/events/ $60

more info: https://appyide.org/1313-2/

 

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-008-AWS_S3_outage-IR_scenarios_white-board-interviews.mp3

 

#Bsides #London is accepting Call for Papers (#CFP) starting 14 Febuary 2017, as well as a Call for Workshops. Tickets are sold out currently, but will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/   

CFP closes 27 march 2017

------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

---show notes---

 

AWS S3 outage (hopefully more information by the end of the week)

    Massive outages - many sites down

        IoT devices borked        https://techcrunch.com/2017/02/28/amazon-aws-s3-outage-is-breaking-things-for-a-lot-of-websites-and-apps/

https://www.wired.com/2017/02/happens-one-site-hosts-entire-internet/

 

TL;DR of the S3 outage - "an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended."

 

Brian: Water sprinkler story…

 

Do we put too much stock in Amazon?

        Email Story time: Recent IR exercise

            Mostly AWS shop

            “If we suspend reality” drinking game

            World War Z “the 10th man”

 

Not the 1st time AWS was involved in an outage:

    http://www.datacenterdynamics.com/content-tracks/security-risk/major-ddos-attack-on-dyn-disrupts-aws-twitter-spotify-and-more/97176.fullarticle

 

Realistic IR exercises need to examine the ‘ultimate’ bad…

    Even if you’re in ‘suspend reality’ mode

 

https://theoutline.com/post/1166/programmers-are-confessing-their-coding-sins-to-protest-a-broken-job-interview-process

http://blog.interviewing.io/you-cant-fix-diversity-in-tech-without-fixing-the-technical-interview/

 

No problem with copy/paste, hunting up functions, etc

    Problem comes when failure to understand the code you’re using, and the integration of that code therein

 

Programming Interviews Exposed

 

LOVED this idea….

https://letsjusthackshit.org/platypuscon2016.html

“In the spirit of what brought this community together, we’re aiming to build a super hands-on event: that is, instead of a series of talks while you plan on missing to catch up with your friends at the cafe down the road, we’re putting together a full day of hands-on workshops where you can get your hands dirty and we can all help each other learn something new.”

 

Patreon - just pop a dollar

CTF Club - Tuesdays 9am Pacific / 6pm Pacific

Book club - Defensive Security Handbook - Starting 15 March

Mar 1, 2017

Bryan had the pleasure of attending his 3rd Bsides Seattle a few weeks ago. Lots of great speakers, great discussion.

We have 3 interviews here this week:

Justin Case (@jcase) discusses some of his talk about hacking the Google Pixel, an HTC produced phone. We discuss why Android gets the 'insecure' moniker by the media, and whether it's warranted or not.

Next, Sam Vaughn (@sidechannel_org) talks about setting up the Crypto Village, why he does it, and what you can learn by solving these puzzles.

Finally, Matt Domko discusses his experiences with Bro, as well as using Bro for packet analysis and what is needed when analyzing packets...

If you are looking for some great content, a Bsides is nearby, just look around...

 

Other Twitter handles mentioned on the show...

@ben_ra
@firewater_devs  (both phone hackers)

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-007-bsides_seattle_Feb2017.mp3

YouTube:

iTunes:

 

 

Bsides London is accepting Call for Papers starting 14 Febuary 2017, as well as a Call for Workshops. You can find out more information at https://www.securitybsides.org.uk/

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Feb 19, 2017

Joel Scambray joined us this week to discuss good app design, why it's so difficult, and what can be done to fix it when possible.

Joel also co-authored many of the "Hacking Exposed" series of books. We ask him about other books that could come from the well known series.

We also ask about why the #infosec person often feels like they need to protect their organization to the expense of our own position (or sanity) and how we as an industry should be not 'in front of the train', but guiding the train to it's destination, one of prosperity and security. Conversely, we also discuss why some positions in security are so short-lived, such as the role of CISO.

 

From SC magazine (https://www.scmagazineuk.com/joel-scambray-joins-ncc-group-as-technical-director/article/634098/):

"Security expert and author, Joel Scambray, has joined NCC Group as technical director. He will be based at the Austin, US office.

Scambray has more than 20 years of experience in information security. In his new role, he will work with some of the company's biggest clients using his experience in business development, security evangelism and strategic consultancy."

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-006-Joel_scambray-infosec_advice-hacking_exposed.mp3

iTunes (generic link, subscribe for podcast):  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

Brakesec Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw

 

Bsides London is accepting Call for Papers starting 14 Febuary 2017, as well as a Call for Workshops. You can find out more information at https://www.securitybsides.org.uk/

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

-------

Show Notes:

 

Joel Scambray

 

In a bio:

    Joel’s words of security wisdom: Security is a type of risk management, which is about informing a decision. The security professional’s challenge is to bring the most evidence possible to support those decisions, both technical and non.”

 

Building and maintaining a security program

    Which is better?

starting with a few quick wins

Or having an overarching project to head where you want to go

 

Starting companies (buyouts / stock options / lessons learned)

 

Hacking Exposed

    Will you stop at ‘7’?

    Will there be a “hacking exposed: IoT”?

        Medical devices

   

What leadership style works best for you?

 

Things we couldn’t cover due to time:

Security Shift from network layer to app layer

    Software defined networking, for example

        How to set policies to keep your devs from running amok

 

------

Feb 14, 2017

Mick Douglas is always great to have on. A consummate professional, and blue team advocate for years now, he teaches SANS courses designed to help defenders against the forces of the red team, pentesters, and even bad actors.

But this week, we have a different Mr. Douglas.  This week, he's here to talk about sales tactics, #neuro #linguistic #programming, leading the question, and other social engineering techniques that salespeople will do to get you to buy maybe what your company doesn't need, but thinks it does. We have some good times discussing ways to ensure the buying of your new shiny box at work goes more smoothly, what you should look out for, and ways to tell if they are over-selling and under-delivering.

Also, Mick has been working on a project near and dear to his heart. After discussing with @carnal0wnage a year or so back, he's fleshed out a spreadsheet that tracks attack vectors, and depending on what controls are in your environment, can show you how well a particular attack is against your environment. This would be a great asset to blue teams who might want to shore up defenses, especially if they are vulnerable in a particular area. Mr. Douglas is looking for comments, suggestions, and additions to his spreadsheet, and you can even download a copy of the Google Doc to try in your own environment, free of charge.

Book mentioned in the show: (non-sponsored link) https://www.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X

Mick's document:

https://docs.google.com/spreadsheets/d/1pI-FI1QITaIjuBsN30au1ssbJAZawPA0BYy8lp6_jV8/edit#gid=0

Mick refers the the MITRE ATTACK matrix in the show, here's our show discussing it:

http://traffic.libsyn.com/brakeingsecurity/2015-051-ATTACK_Matrix.mp3

https://attack.mitre.org/wiki/ATT%26CK_Matrix

 

 

Mick's last appearances on BrakeSec:

http://traffic.libsyn.com/brakeingsecurity/2015-024-Mick_Douglas.mp3

http://traffic.libsyn.com/brakeingsecurity/2015-025-Mick_douglas_part2.mp3

http://traffic.libsyn.com/brakeingsecurity/2015-032-Jarrod_and_Mick_DFIR.mp3

http://traffic.libsyn.com/brakeingsecurity/2016-026-exfiltration_techniques-redteaming_vs_pentesting-and-gaining_persistence.mp3

 

Direct Link:   http://traffic.libsyn.com/brakeingsecurity/2017-005-mick_douglas-attack_defense_worksheet.mp3

iTunes: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2

YouTube: https://www.youtube.com/watch?v=A3K-2yneKU4

 

 

Bsides London is accepting Call for Papers starting 14 Febuary 2017, as well as a Call for Workshops. You can find out more information at https://www.securitybsides.org.uk/

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

Feb 6, 2017

This week, we discuss sandboxing technologies. Most of the time, infosec people are using sandboxes and similar technology for analyzing malware and malicious software.

Developers use it to create additional protections, or even to create defenses to ward off potential attack vectors.

We discuss sandboxes and sandboxing technology, jails, chrooting of applications, and even tools that keep applications honest, in particular, the pledge(2) function in OpenBSD

----------

HITB announcement:

“Tickets for attendance and training are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

 

 

 

 Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-004-Sandboxing_technology.mp3

iTunes: https://itunes.apple.com/us/podcast/2017-004-sandboxes-jails-chrooting/id799131292?i=1000380833781&mt=2

YouTube: https://www.youtube.com/watch?v=LqMZ9aGzYXA

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

 

-----------

Show notes:

 

Sandboxing tech  -  https://hangouts.google.com/call/yrpzdahvjjdbfhesvjltk4ahgmf

 

A sandbox is implemented by executing the software in a restricted operating system environment, thus controlling the resources (for example, file descriptors, memory, file system space, etc.) that a process may use.

 

Various types of sandbox tech

 

Jails - freebsd

    Much like Solaris 10’s zones, restricted operating system, also able to install OSes inside, like Debian

        http://devil-detail.blogspot.com/2013/08/debian-linux-freebsd-jail-zfs.html

 

Pledge(8)  - new to OpenBSD

    Program says what it should use, if it steps outside those lines, it’s killed

    http://www.tedunangst.com/flak/post/going-full-pledge

    http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/pledge.2?query=pledge

    http://www.openbsd.org/papers/hackfest2015-pledge/mgp00008.html

 

Chroot - openbsd, linux (chroot jails)

    “A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children”

    Example: “www” runs in /var/www. A chrooted www website must contain all the necessary files and libraries inside of /var/www, because to the application /var/www is ‘/’

 

Rules based execution - AppArmor, PolicyKit, SeLinux

    Allows users to set what will be ran, and which apps can inject DLLs or objects.

    “It also can control file/registry security (what programs can read and write to the file system/registry). In such an environment, viruses and trojans have fewer opportunities of infecting a computer.”

https://en.wikipedia.org/wiki/Seccomp

https://en.wikipedia.org/wiki/Linux_Security_Modules

 

Android VMs

 

Virtual machines - sandboxes in their own right

    Snapshot capability

    Revert once changes have occurred

    CON: some malware will detect VM environments, change ways of working

 

Containers (docker, kubernetes, vagrant, etc)

    Quick standup of images

    Blow away without loss of host functionality

    Helpful to run containers as an un-privileged user.

https://blog.jessfraz.com/post/getting-towards-real-sandbox-containers/

 

Chrome sandbox: https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md

 

Emulation Vs. Virtualization

 

http://labs.lastline.com/different-sandboxing-techniques-to-detect-advanced-malware  --seems like a good link

 

VMware Thinapp (emulator):

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1030224

 

(continued next page)

Malware lab creation (Alienvault blog):

https://www.alienvault.com/blogs/security-essentials/building-a-home-lab-to-become-a-malware-hunter-a-beginners-guide

 

https://www.reverse.it/

 

News: (assuming it goes short)

SHA-1 generated certs will be deprecated soon - https://threatpost.com/sha-1-end-times-have-arrived/123061/

 

(whitelisting files in Apache)

https://isc.sans.edu/diary/Whitelisting+File+Extensions+in+Apache/21937

 

http://blog.erratasec.com/2017/01/the-command-line-for-cybersec.html

https://github.com/robertkuhar/java_coding_guidelines

https://www.us-cert.gov/sites/default/files/publications/South%20Korean%20Malware%20Attack_1.pdf#

 

https://www.concise-courses.com/security/conferences-of-2017/

Jan 29, 2017

Amanda Berlin attended Shmoocon this year, and sat down with a few people. She discussed a bit with John about what HackEd is about (http://hackeducate.com/)

Amands writes: "I had an amazing time at my 3rd #Shmoocon. I was able to interview a handful of really cool people working on several different types of infosec education. I was able to watch a few talks, spend some time in the lockpick village, as well as go to Shmoocon Epilogue. It’s always amazing to watch people talk about what they are passionate about, and Shmoocon is a great relaxed environment where that happens frequently."

James Green @greenjam94
Aaron Lint @lintile  
Jon? @hackeducate

Melanie Rich-Wittrig @securitycandy

Amanda Berlin attended ShmooCon this year, and sat down with a few people. She discussed a bit with John about what HackEd is about (http://hackeducate.com/)

Melanie Rich-Wittrig (@securitycandy) discusses how she's empowering kids to get into information security, even as early as age 10 or 11. She discusses how she motivates by teaching CTF and hacking concept, and gamifying by using point systems.

www.securitycandy.com

RSS: http://www.brakeingsecurity.com/rss

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-003-ShmooCon_Audio.mp3

YouTube:

 

 

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

----------

Jan 21, 2017

In your environment, you deal with threats from all over the world. Many groups out there pool resources to help everyone deal with those #threats. Some come in the form of threat #intelligence from various intelligence companies, like #Carbon #Black, #FireEye, and #Crowdstrike.

But what if your company cannot afford such products, or are not ready to engage those types of companies, and still need need protections? Never fear, there are open source options available (see show notes below). These products aren't perfect, but they will provide a modicum of protection from 'known' bad actors, SSH trolls, etc.

We discuss some of the issues using them, discuss how to use them in your #environment.

Lastly, we discuss #mentorship. Having a good mentor/mentee relationship can be mutally beneficial to both parties. We discuss what it takes to be a good mentee, as well as a good mentor...

RSS: www.brakeingsecurity.com/rss

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-002-mentoring_threat_lists.mp3

iTunes:  https://itunes.apple.com/us/podcast/2017-002-threat-lists-ids/id799131292?i=1000380246554&mt=2

YouTube: https://www.youtube.com/watch?v=oHNrINl1oZE

 

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

----------

Show Notes:

HANGOUTS:  https://hangouts.google.com/call/w7rkkde5yrew5nm4n7bfw4wfjme

 

2017-002-Threat Lists, IDS/IPS rulesets, and infosec mentoring

 

  1. Threat Lists (didn’t have much time to research :/)
    1. THIS EXACTLY - http://blogs.gartner.com/anton-chuvakin/2014/01/28/threat-intelligence-is-not-signatures/   
      1. Don’t use threat list feeds (by IP/domain) as threat intelligence
      2. Can use them for aggressively blocking, don’t use for alerting
    2. https://isc.sans.edu/suspicious_domains.html
    3. https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
    4. http://iplists.firehol.org/
    5. https://zeltser.com/malicious-ip-blocklists/
    6. https://medium.com/@markarenaau/actionable-intelligence-is-it-a-capability-problem-or-does-your-intelligence-provider-suck-d8d38b1cbd25#.ncpmqp9cx
    7. Spamhaus: https://www.spamhaus.org/
    8. leachers
    1. Open rulesets - You can always depend on the kindness of strangers
      1. Advantage is that these are created by companies that have worldwide reach
      2. Updated daily
      3. Good accompanying documentation
    2. You can buy large rulesets to use in your own IDS implementation
      1. Depends on your situation if you want to go managed or do yourself
      2. Regardless you need to test them
    3. Managed security services will do this for you
      1. I don’t recommend unless you have a team of dedicated people or you don’t care about getting hacked- signatures are way too dynamic, like trying to do AV sigs all by yourself
      2. Only a good idea for one-off, targeted attacks
    4. DIY
  2. IDS/IPS rulesets
    1. https://securityintelligence.com/signature-based-detection-with-yara/
    2. http://yararules.com/
    3. http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/
  3. Yara rules
    1. For Mentors
      1. Set expectations & boundaries
      2. Find a good fit
      3. Be an active listener
      4. Keep open communication
      5. Schedule time
      6. Create homework
      7. Don’t assume technical level
      1. Ask questions
      2. Do your own research
      3. Find a good fit
      4. Put forth effort
      5. It’s not the Mentor’s job to handhold, take responsibility for own learning
      6. Value their time
      7. Come to each meeting with an agenda
    2. For Mentees
    3. Mentoring frameworks?
  4. InfoSec Mentoring
    1. https://t.co/mLXjfF1HEr
    2. https://gist.github.com/AFineDayFor/5cdd0341a2b384c20e615dcedeef0741
  5. Podcasts (Courtesy of Ms. Hannelore)
    1. https://t.co/mLXjfF1HEr
    2. https://gist.github.com/AFineDayFor/5cdd0341a2b384c20e615dcedeef074
Jan 12, 2017

We start Brakeing Down Security with a huge surprise! A 3rd member of the podcast! Amanda #Berlin (@infosystir) joins us this year to help us educate people on #security topics. During the year, she'll be getting us some audio from various conventions and giving us her perspective working as an #MSSP, as well as a blue team (defender).

We start out talking about new #California #legislation about making #malware illegal. What are politicians in California thinking? We work through that and try to find some understanding.

With all the various secure messaging systems out there, we discuss how why secure messaging systems fail so poorly with regards to #interoperability and the difficulties in getting average non-infosec people to adopt one. We also discuss #Perfect #Foward #Security and how it prevents people from decrypting old messages, even if the key is compromised.

----------

HITB announcement:

“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#RSS: http://www.brakeingsecurity.com/rss

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback, or Suggestions?  Contact us via Email: bds.podcast@gmail.com

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

 

---Show Notes---

News story:

http://www.latimes.com/politics/la-pol-sac-crime-ransomware-bill-20160712-snap-story.html

 

“If this legislation gives prosecutors the tools that they didn’t have before, where are the cases that they have lost because they didn’t have these tools?” said Brandon Perry, a senior consultant for NTT Com Security. “Authorities are focused on prosecuting criminals that they can’t even find, as opposed to educating the victims to prevent this from happening again and again.”

 

Ransomware won’t infect you if you watch training videos:

http://thehackernews.com/2017/01/decrypt-ransomware-files.html

 

Secure messaging - stuck in an Apple ecosystem

    Too many, no interoperability

        Signal, Whisper, Wickr, Wire, WhatsApp, FB messenger

        I uninstalled Signal… can’t convince people to adopt something if everyone cannot message one another --BrBr

 

OpenPGP is ‘dangerous’

http://arstechnica.com/information-technology/2016/12/signal-does-not-replace-pgp/

    Forward Secrecy - https://en.wikipedia.org/wiki/Forward_secrecy

        “A public-key system has the property of forward secrecy if it generates one random secret key per session to complete a key agreement, without using a deterministic algorithm.” (input given gives the same output every time)

Perfect Forward Secrecy - “In cryptography, forward secrecy (FS; also known as perfect forward secrecy[1]) is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys.

   

Ms. Amanda’s pentest homework:

“https://docs.google.com/document/d/17NJPXpqB5Upma2-6Hu5svBxd8PH0Ex7VgCvRUhiUNk8/edit”

1