
BrakeSec Education Podcast

Latest episodes

Jul 31, 2020 • 1h 6min

2020-029- Brad Spengler, Linux kernel security in the past 10 years, software dev practices in Linux, WISP.org PSA

Brad Spengler, a Linux kernel security expert, dives into the evolution of Linux security over the last decade. He discusses GR Security's role in enhancing kernel safety and the complexities of maintaining older kernels. The conversation touches on the challenges of adopting security features and highlights initiatives to support diversity in tech. Spengler also reflects on his journey from Navy service to open source, sharing insights on community engagement and the impact of COVID-19 on tech conferences.
Jul 24, 2020 • 1h 1min

2020-028-Shlomi Oberman, RIPPLE20, supply chain security discussion, software bill of materials

Whitepaper: https://www.jsof-tech.com/ripple20/
[blog] Build your own custom TCP/IP stack: https://www.saminiir.com/lets-code-tcp-ip-stack-1-ethernet-arp/
Another custom TCP/IP stack: https://github.com/tass-belgium/picotcp
RIPPLE 20 Whitepaper: https://drive.google.com/file/d/1d3NNVCRPVFk0-V0HUO5CxWWVn9pYIvmF/view?usp=sharing

Agenda:

Part 1: Background on the report
- Why is it called RIPPLE20? What’s the RIPPLE about?
- Communications with Treck (and its Japanese counterpart)
- Were you surprised about the reaction? Positive or negative?
- Types of systems affected? IoT, embedded systems, SCADA
- What precipitated the research?
- What difficulties did you face in finding these vulns? Deadlines?
- What tools were used for analysis? (I think you mentioned Forescout --brbr)
- What kind of extensibility are we talking about? TCP sizes?
- What did JSOF gain by doing this?
- What were the initial benefits of using the TCP/IP stack? Speed? Size?
- Do these vulns affect other TCP/IP stacks?
- Did Treck give you access to source? Any specific requirements set by Treck? Any items that were off-limits?
- Updates since the report was released?
- Are your vulns such that they can be detected online?

Part 2: Supply chain issues
- What should companies do when they don’t know what’s in their own tech stack? https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf
- Software bill of materials: https://en.wikipedia.org/wiki/Software_bill_of_materials
- The PicoTCP link above does not release all code, because they use binary blobs that make proper code review next to impossible: “Unfortunately we can't release all the code, a.o. because some parts depend on code or binaries that aren't GPL compatible, some parts were developed under a commercial contract, and some consist of very rough proof-of-concept code. If you want to know more about the availability under the commercial license, or the possibility of using our expert services for porting or driver development, feel free to contact us at picotcp@altran.com.”
- BLoBs = https://en.wikipedia.org/wiki/Proprietary_device_driver

Vendor Contact
- How many organizations are affected by these vulnerabilities?
- Are some devices and systems more vulnerable than others?
- How many are you still investigating to see if they are affected?
- What’s the initial email look like when you tell a company “you’re vulnerable to X”?
- Who are you dealing with initially?
- What is your delivery when you’re routed to non-technical people?
- How did you tailor your initial response when you learned of the position of the person?

Lessons Learned:
- What would you have done differently next time?
- Any additional tooling that you’d have used?

BlackHat talk: 05 August

What should companies do to reduce or mitigate the chances of the types of vulnerabilities found by your org?
- https://cambridgewirelessblog.wordpress.com/2016/05/18/supply-chain-security-and-compliance-for-embedded-devices-iot/
- https://blog.shi.com/solutions/embedded-hardware-supply-chain-attacks-embedded-system-attacks-how-to-stay-safe/
- http://www.intrinsic-id.com/wp-content/uploads/2018/02/2016-A-Platform-Solution-for-Secure-Supply-Chain-and-Chip-Cycle-Management-Computer-Volume-49-Issue-8-Aug.-2016-Joseph-P.-Skudlarek-Tom-Katsioulas-Michael-Chen-%E2%80%93-Mentor-Graphics..pdf
- https://www.supplychainservices.com/blog/major-security-risks-windows-embedded-users
- https://www.bbc.com/news/business-32716802#:~:text=Japanese%20car%20giants%20Toyota%20and,March%202003%20and%20November%202007.

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://pandora.app.link/p9AvwdTpT3
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Jul 16, 2020 • 49min

2020-027-RIPPLE20 Report, supply chain security, responsible disclosure, software development, and vendor care.

Jul 8, 2020 • 58min

2020-026- WISP PSA, PAN-OS vuln redux, F5 has a bad weekend, vuln scoring, Twitter advice, and more!

1st: WISP.org PSA from Rachel Tobac (@racheltobac) & @wisporg talking about #shareTheMicInCyber

#SAML PAN-OS: https://twitter.com/RyanLNewington/status/1278074919092289537

F5 vulnerability:
- https://www.wired.com/story/f5-big-ip-networking-vulnerability/
- https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/

F5 Mitigation (if patching is not immediately possible): https://twitter.com/TeamAresSec/status/1280590730684256258 (Redirect 404 /)

https://twitter.com/wugeej/status/1280008779359125504 - Tweet with PoC for the LFI and RCE

F5 Big-IP CVE-2020-5902 LFI and RCE:
- LFI: https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd (or /etc/hosts or /config/bigip.license)
- RCE: https:///tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami

How to cope in a no-win situation: https://twitter.com/datSecuritychic/status/1280527467569008640

Semicolon in bash: https://docstore.mik.ua/orelly/unix3/upt/ch28_16.htm#:~:text=When%20the%20shell%20sees%20a,once%20at%20a%20single%20prompt.
Jun 29, 2020 • 47min

2020-025-Cognizant breach, maze ransomware, PAN-OS CVE 2020-2021, SAML authentication walkthrough

Thank you to Marcus Carey for his excellent guidance and leadership this week.

Cognizant breach: https://www.ehackingnews.com/2020/06/cognizant-reveals-employees-data.html

Maze ransomware write-ups:
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html

SAML authentication on PAN-OS: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-types/saml

PAN-OS CVE 2020-2021 - We have been made aware of a serious issue with SAML on Palo Alto Networks PAN-OS. We strongly encourage our customers to upgrade to one of the following versions: PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3 and greater. This is a critical vulnerability with the only mitigation being to either turn OFF SAML or to upgrade the PAN-OS. A CVE will be released on Monday :: CVE-2020-2021

SAML: https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
Jun 24, 2020 • 50min

2020-024-Bit of news, Ripple20 vulns, IoT Security, windows error codes, captchas used for evil, Marine Momma

Windows error codes and logging:
- https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
- https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4657
- https://www.blumira.com/logmira-windows-logging-policies-for-better-threat-detection/

How would we map this against the MITRE matrix? Are there any MITRE attack types that are so similar that one attack can be two different things in the matrix?

Ripple20 vulns / IoT security:
- https://www.us-cert.gov/ics/advisories/icsa-20-168-01
- https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/
- https://www.tenable.com/blog/cve-2020-11896-cve-2020-11897-cve-2020-11901-ripple20-zero-day-vulnerabilities-in-treck-tcpip

Captchas used for evil: https://arstechnica.com/information-technology/2020/06/to-evade-detection-hackers-are-requiring-targets-to-complete-captchas/
Jun 17, 2020 • 49min

2020-023-James Nelson from Illumio, cyber resilience, business continuity

James Nelson, VP of Infosec, Illumio

- How has COVID-19 changed cybersecurity?
- Why is cyber resilience especially important now?
- What are the most important steps to ensure cyber-resiliency?
- How do you talk to business leaders about investing in cybersecurity to boost resiliency?

The best way for organizations to keep their ‘crown jewels’ secure is adopting a Zero Trust mindset. Organizations need to take advantage of adaptive security infrastructure that can scale to meet current and future organizational needs, and take steps to ensure even third-party hosted data is policy compliant.

Most CISOs don’t talk to the board all the time, so they don’t understand that’s the conversation they want to have. Make sure that the security team’s spokesperson has an intelligent plan that shows how wrong things could go. Showing how money is directly connected to mitigating the risks is vital to getting the funding needed, as is showing why an increase in spend correlates with a decrease in risk.

Cyber-Resilience: https://en.wikipedia.org/wiki/Cyber_resilience
https://en.wikipedia.org/wiki/Business_continuity_planning#Resilience
https://www.darkreading.com/cloud/cyber-resiliency-cloud-and-the-evolving-role-of-the-firewall/a/d-id/1337206
Doug Barth and Evan Gilman - https://brakeingsecurity.com/2017-017-zero_trust_networking_with_doug_barth
Part 1 with Masha Sedova: https://traffic.libsyn.com/secure/brakeingsecurity/Masha_sedova-elevate_security-profiled-education-phishing-part1.mp3
Part 2: https://traffic.libsyn.com/secure/brakeingsecurity/2020-019-masha_sedova-privacy-human_behavior-phishing-customized_training.mp3
https://www.helpnetsecurity.com/2017/08/24/assume-breach-world/

Key concepts:
- Visibility into your environment
- Controls necessary to repel attackers
- Architecture of the network to create chokepoints (east/west, north/south isolation)
- Threat modeling and regular threat assessment
- Mechanisms to allow for rapid response
- How long will current security controls hold a determined attacker at bay?
- Business-wide Risk Management response can often determine resiliency in a Crisis/Breach situation.

Cyber-Resilience Framework (per NIST https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final):
- What does “cyber resiliency” mean to the organization? To the department? To the individual? And what of the mission or business process the system is intended to support?
- Which cyber resiliency objectives are most important to a given stakeholder?
- To what degree can each cyber resiliency objective be achieved?
- How quickly and cost-effectively can each cyber resiliency objective be achieved?
- With what degree of confidence or trust can each cyber resiliency objective be achieved?
(What do we as security people do to ensure that all of these are properly answered? --brbr)

Architecture of systems: Depending on the age of our information systems and technology stacks, cruft builds up or one-off systems are set up and forgotten. We (the infosec industry) talk about shifting security left in a DevOps environment to ensure security gets put in, but what should we do as an organization when we think about adding systems in terms of cyber-resilience? (It would seem that resilience may also be tied to the security or functionality in a piece of hardware and software. Proper understanding of all the systems’ capabilities/settings/options would be essential for drafting responses --brbr)

Some related and tangential suggestions for ideas/comments/themes/topics in case you feel like any fit into the conversation:
- Comparison of security to the human immune system.
- Does resilience (i.e., assume breach) imply there are failures you can recover from, yet other, existential risks you need to avoid? And what does that mean in practice?
- How do you define “most valuable assets”? Value vs. obligations vs. ...?
- Does a compliance mindset help or hinder resilience, and vice versa?
- Referring back to a prior show, how does the human element contribute to resilience?
- The NIST doc makes a point that resilience only has meaning when it works across a system; how does this idea impact the cost of entry? And is there a tipping point for resilience?
- Another point made is that speed should be viewed as an advantage. Is there an application of the OODA loop concept to resilience, then?
- Cyber resilience resonates in other areas: pandemics, natural disasters, and geo-political stressors. Could impact supply chain, workforce effectiveness, other areas. Ransomware (which is cyber, but has other, knock-on effects).
Jun 10, 2020 • 43min

2020-022-Andrew Shikiar, FIDO Alliance, removing password from IoT, and discussing FIDO implementation

Andrew Shikiar, executive director and CMO of the (Fast IDentity Online) FIDO Alliance.

What is FIDO? “open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords.”

Did any one event precipitate creation of the FIDO alliance?

UAF = https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html
U2F = https://en.wikipedia.org/wiki/Universal_2nd_Factor (yubikeys, tokens)
https://landing.google.com/advancedprotection/

FIDO supports biometrics - https://www.biometricupdate.com/202002/how-fido-based-biometric-technology-clears-up-the-iot-authentication-mess

FIDO certified software and companies: https://fidoalliance.org/fido-certified-showcase/
IBM: https://www.ibm.com/blogs/sweeden/fido2-conformance-why-its-a-big-deal/ -- Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework
NIST guidelines that FIDO meets: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
https://fidoalliance.org/certification/authenticator-certification-levels/
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/content/case-study/
https://loginwithfido.com/provider/

From a threat modeling perspective, how does ‘2fa’ occur when the authenticating method and the browser are on the same device?

Consumer education initiative: https://loginwithfido.com/

IoT Devices:
- https://fidoalliance.org/internet-of-things/
- https://blog.techdesign.com/fido-authentication-to-secure-iot-devices/

For Developers: https://fidoalliance.org/developers/ or https://webauthn.io/ - dev information about WebAuthN
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/events/ - upcoming webinars for FIDO related topics

NTT DOCOMO introduces passwordless authentication for d ACCOUNT

https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev
Jun 1, 2020 • 1h 17min

2020-021- Derek Rook, redteam tactics, blue/redteam comms, and detection of testing

**If Derek told you about us at SANS, send a DM to @brakeSec or email bds.podcast@gmail.com for an invite to our slack**

OSCP/HtB/VulnHub is a game... designed to have a tester find a specific nugget of information to pivot or gain access to greater power on the system. Far different in the 'real' world.

Privilege escalation in Windows:
*as of June 2020, many of these items still work, may not work completely in the future*
*even so, many of these may not work if other mitigating controls are in place*

PENTEST METHODOLOGY:
- PTES - http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
- OSSTMM - https://www.isecom.org/OSSTMM.3.pdf

Redteam methodology: https://www.synopsys.com/glossary/what-is-red-teaming.html

https://www.fuzzysecurity.com/tutorials/16.html
https://medium.com/@Shorty420/enumerating-ad-98e0821c4c78
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

Enumerate the machine:
- Services
- Network connections
- Users
- Logins
- Domains
- Files
- Software installed (putty, git, MSO, etc) *older software may install with improper permissions*
- Service paths (along with the users services are run as)
- Windows Features (WSL, SSH, etc)
- Patch level (Build 1703, etc)
- Wifi networks and passwords (netsh wlan show profile key=clear)
- Powershell history
- Bash history (if WSL is used)
- Incognito tokens
- Stored credentials (cmdkey /list)
- Powershell transcripts (search text files for "Windows PowerShell transcript start")

Context for above: Understand how the users make use of the system, and how they connect to other systems; follow those paths to find lateral movement, misconfigurations, etc. Each new system or user will provide further information to loot or avenues to explore.

Linux EoP:
https://guif.re/linuxeop
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Enumeration (mostly the same as above):
- Bash history or profile files
- Writable scripts (tampering with paths or environment variables)
- Setuid/Setgid binaries
- Sticky bit directories
- Crontabs
- Email spools
- World writable/readable files
- .ssh config files (keys, active sessions)
- Tmux/screen sessions
- Application secrets (database files, web files with database connectivity, hard coded creds or keys, etc)
- VPN profiles
- GNOME keyrings - https://askubuntu.com/questions/96798/where-does-seahorse-gnome-keyring-store-its-keyrings

Ways to defend against those kinds of EoP.

Something cool: https://www.youtube.com/playlist?playnext=1&list=PLnxNbFdr_l6sO6vR6Vx8sAJZKpgKtWaGX&feature=gws_kp_artist -- high Rollers

Derek is speaking at SANS SUMMIT happening on 04-05 June (FREE!) - https://www.sans.org/event/hackfest-ranges-summit-2020

Ms. Berlin is speaking at EDUCAUSE - VIRTUAL (04 June) https://www.educause.edu/
May 27, 2020 • 42min

2020-020-Andrew Shikiar - FIDO Alliance - making Cybersecurity more secure
