
BrakeSec Education Podcast
A podcast about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security professionals need to know, or refresh the memories of seasoned veterans.
Latest episodes

Dec 18, 2019 • 1h 2min
2019-045-Part 2-Noid, Dave Dittrich, empowered teams, features vs. security
The day after part 1: Keybase halted the spacedrop the day after the first podcast was complete...
Security failures in implementation: “We need to push this to market, we’ll patch it later!”
Risk management discussion for project managers (PMP)
CIA Triad… where does ‘business goals’ fit?
Security is at odds with the bottom line
**Reference Noid’s Bsides Seattle talk and podcast earlier this year.**
Other companies that have made security mistakes in the name of business:
Practical Pentest Labs storing passwords in the clear
https://twitter.com/mortalhys/status/1202867037120475136
https://web.archive.org/web/20191207132548/https://twitter.com/mortalhys/status/1202867037120475136
https://twitter.com/piaviation/status/1202994484172218368
T-Mobile Austria partial password issues: https://www.pcmag.com/news/360301/t-mobile-austria-admits-to-storing-passwords-partly-in-clear
No one was championing security, because no one considered the problems with partial disclosure of the passphrase in an account.
Marketing people on your social media accounts do NOT help allay security issues (because they didn’t have escalation procedures for vuln disclosure)
Insider threats could take over accounts
Follow-up from last week’s show with Bea Hughes:
I liked the interesting discussion about security and DevOps teams with Bea Hughes in your recent podcast. When you mentioned you are taking your PMP for agile I'm surprised you did not mention the term "product owner". You were asking who cares about security that you, as a security guy, can talk to. Bea mentioned that it was the "stakeholders", but in the agile process the "product owner" is the team's advocate for the "stakeholders". And, you also mentioned "PM", as in project manager. In an agile world, the typical PM role is minimized. Actually, the PM is removed entirely ideally in favor of empowered teams. Empowered teams understand that good products are reliable and secure. (Secure because the security CIA includes "availability" and "integrity" aka reliability.) As Director of DevOps for my 4,000-person-strong consulting company I'm working with our security team to push responsibility for security to our development teams. Empowering them to take the time and bear the costs of using security tools prior to release and during system operation is what we are working on now, as we roll into 2020.
**If the ‘product owner’ or ‘empowered team’ does not consider security a priority/requirement, then who champions security? It only becomes a priority when something bad happens, like a breach.**
“Empowered teams”: some people aren’t fans: https://hackernoon.com/the-surprising-misery-of-empowered-teams-35c3679cf11e
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Dec 10, 2019 • 1h 2min
2019-044-Noid and Dave Dittrich discuss recent keybase woes - Part 1
Patreon donor goodness: Scott S. and Ion S.
@_noid_ @davedittrich
Their response:
“it’s not a bug, it’s a feature”
“Don’t write a blog post that will point out the issue”
“You pointing out our issues makes things more difficult for us”
“It’s a free service, why are you hurting us?”
https://keybase.io/docs/bug_reporting
Nov 22nd: Noid (@_noid_) Keybase discussion blog post https://www.whiskey-tango.org/2019/11/keybase-weve-got-privacy-problem.html
Reddit post showing potential SE attacks occurring: https://www.reddit.com/r/Keybase/comments/e6uou3/hi_guys_i_received_a_message_today_that_is/
Keybase’s decision to fix it came out after The Register asked them about the issue…
Dec 4th: https://keybase.io/blog/dealing-with-spam
Dec 5th: https://www.theregister.co.uk/2019/12/05/keybase_struggles_with_harassment/
Problems with the implementation:
Requiring admins for Keybase to decide what’s wrong or if they need to be deleted
Additional dummy accounts being created on other sites (keybase, twitter, git, reddit, etc), generating problems for those services (as if Twitter doesn’t have enough issues with bots/shitty people)
Cryptocurrency = trolls/phishing/SE attempts to get folks to hand over their lumens (what’s the motivation of creating the coin?)
They’ve already opened the spam door, and they’ll not be able to shut it.
Once they took the VC and aligned themselves with Stellar, the attack surface changed from account takeover (integrity attacks) to deception (social engineering)
What is Keybase? Social network? E2E chat? Encrypted file share/storage? Cryptocurrency company? Secure git repo protector? Which ones do they do well?
How could they have solved the spam issue? Made the cryptocoin a separate application?
Even their /r/keybase is filling up with spammers asking about their Lumens
How could they fix it? You can’t contact someone unless that person allows you to. Allow someone to contact you, but do not allow adding to teams without permission
https://news.ycombinator.com/item?id=21719702 (ongoing HN thread)
Noid isn’t the only person with issues in Keybase:
https://vicki.substack.com/p/keybase-and-the-chaos-of-crypto
https://it.slashdot.org/story/19/12/06/1610259/keybase-moves-to-stop-onslaught-of-spammers-on-encrypted-message-platform
https://keybase.io/docs-assets/blog/NCC_Group_Keybase_KB2018_Public_Report_2019-02-27_v1.3.pdf
Stephen Carter's definition of “integrity”:
Integrity, as I will use the term, requires three steps: (1) discerning what is right and what is wrong, (2) acting on what you have discerned, even at personal cost; and (3) saying openly that you are acting on your understanding of right from wrong. — Stephen Carter, “Integrity.” Harper-Collins. https://www.harpercollins.com/9780060928070/integrity/
Can the person [who took the controversial act] explain their reasoning, based on principles they can articulate and would follow even if it meant they paid a price? Or do they selectively choose principles in arbitrary ways so as to fit the current circumstances in order to guarantee they get an outcome that benefits them?
noid’s blog post clearly documents the timeline of interactions with Keybase, including: (1) providing detailed steps to reproduce; (2) suggesting mitigations that could be implemented in the architecture; (3) providing guidance to users to protect themselves when the vulnerability disclosure was made public; and (4) justifying his decision to go public by citing and following a vulnerability disclosure policy of a major industry leader in this area, Google:
Following Google Security’s guidelines for issues being actively exploited in the wild, I chose to release this information 7 days after I last heard from Keybase.
The ACM Code of Conduct has several sections that could apply here:
1.1 Contribute to society and to human well-being, acknowledging that all people are stakeholders in computing.
1.2 Avoid harm.
1.6 Respect privacy.
2.1 Strive to achieve high quality in both the processes and products of professional work.
2.7 Foster public awareness and understanding of computing, related technologies, and their consequences.
3.1 Ensure that the public good is the central concern during all professional computing work.
3.7 Recognize and take special care of systems that become integrated into the infrastructure of society.
The right to privacy of your information, as well as the right to choose with whom you associate and communicate, are both arguably duties based on the concept of autonomy (i.e., your right to choose). In biomedical and behavioral research, the principle involved here is known as Respect for Persons and is best recognized as the idea of informed consent. Giving users autonomy in making their data public, but not giving them autonomy in who they allow to communicate with them and add them to “teams,” could be viewed as conflicting with this principle.
This is in fact precisely what noid brought up in his initial communication with Keybase:
I had a random guy I don’t follow add me to a team and start messaging me about cryptocurrency stuff. This really shouldn’t be default behavior. This can result in a spam or harassment vector (hence why I’m reluctant to post it on the open forum). Ideally the default behavior should be that no one can add you to a team without your consent. Then maybe have an option of allowing those you follow to be able to do so, and as a final option let anyone add you to a team (but make sure folks know this isn’t recommended).

Dec 4, 2019 • 1h 11min
2019-043-Bea Hughes, dealing with realistic threats in your org
Realistic Threats
Nation states aren’t after you
https://twitter.com/beajammingh/status/1191884466752385025
https://twitter.com/beajammingh/status/1198671660150226946
https://twitter.com/beajammingh/status/1198671952824565762
https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
What are credible threats?
Malicious insiders
Non-malicious insiders - https://www.scmagazine.com/home/security-news/not-every-insider-threat-is-malicious-but-all-are-dangerous/
Education issue? Is there such a thing as ‘non-malicious’ or is this just bunk?
Real threats: https://resources.infosecinstitute.com/5-new-threats-every-organization-prepared-2018/
CIO magazine threats -- buzzword threats (we should totally containerize all the things)
Vulns that have names (blue team is stuck dealing with ‘theoretical’ issues e.g. SPECTRE/MELTDOWN)
Lack of well-priced training? Dev training? Security training?
Better management communication will reduce threats
Building trust so they don’t freak when ‘$insert_named_vuln’ shows up
Gotta frame it to business needs
“Everyone is vulnerable” - keep FUD to a minimum, don’t exaggerate.
Know your industry’s threats (phishing, money transfer fraud, malware)
Patreon donor: Michael K. $10 patron!
Layer8conf - https://www.workshopcon.com/events https://layer8conference.com/
Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of sponsorships the conference secures. As a side note, WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups.
In terms of sponsorship information for Layer8, Patrick wants people to send an email to sponsors@layer8conference.com. Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!
Saturday June 6, 2020, RI Convention Center
https://www.dianainitiative.org/ https://twitter.com/DianaInitiative Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)

Nov 27, 2019 • 1h 1min
2019-042-CircuitSwan, Gitlabs, Job descriptions that don't suck, layer8con
Diana Initiative @circuitswan @dianainitiative
https://www.dianainitiative.org/ https://twitter.com/DianaInitiative
Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)
info@dianainitiative.org
Topics
Diana initiatives
Past:
2015 - idea at defcon 23
2016-17-18 growing but got too big!
2019 got our own space, ~800 tickets
2020 plans - Westin again, 2 speaking tracks and 1 workshop track, solder village, career village, CTF, lock picking
Mentoring both CFP and presenters this year! (expansion from last year)
Student scholarship (we want to double the amount of money, target still 10)
Free tickets (expansion over last year)
Present:
Slogan contest 2020
I don’t want to think about 2021 yet :)
Future:
Mentors
Reviewers
Volunteers
Donations (giving tuesday, scholarships)
Needs/wants
Discuss how to add more DNI into your event (conference, meetup, slack, etc)
Women in Technology
Diana 2018
https://business.linkedin.com/talent-solutions/blog/job-descriptions/2018/5-must-dos-for-writing-inclusive-job-descriptions
https://www.hudsonrpo.com/rpo-intelligence/recruitment-process-outsourcing/how-to-write-an-inclusive-job-description/
https://www.refinery29.com/en-us/2017/04/148547/how-to-get-a-raise-chatbot-cindy-gallop
Better job descriptions
Other topics of interest
Career village / resume clinic work in general (spoken on this twice, volunteer at resume clinic)
CFP advice in general (https://sites.google.com/site/amazonv/conference-call-for-papers-cfp-tips)
First time speaker advice in general https://sites.google.com/site/amazonv/first-time-speaker?authuser=0
HackerSwan (http://hackerswan.com/)
HackerFoodies (http://hackerfoodies.com/)
http://hackersummercamp.guide/ aka “birds of a feather concept”
WAN party / Women’s meetup at Defcon with @sylv3on_ @nemessisc and more
http://hackerconticketexchange.com/
GitLab security scans (that's me!)
We are responsible for baking Sec into DevOps and hence write the red team software (well, integrate in most cases) for your appsec team if your devs are using GitLab. We have a security team that secures GitLab itself, but that's not us. We have SAST, DAST, Dependency, Secret Detection and License Compliance baked into our paid tier, and SAST is coming down to the free tier!
I’m pitching a talk about tuning to Shmoocon because it seems like that's the most common question I got as a result of my devsecops talks at derbycon / shellcon / bsidesdc.
N.Schwartz: Are you ready to leverage DevSecOps? BSidesDC 2019
Also could mention getting married to RenderMan and the open wedding invite we have if you are up for party shenanigans http://circuitswanandrenderman.com/
And I have a help guide for how to run an inclusive conference - https://docs.google.com/document/d/12OCiiWRVf6r08SuI3T4Djm98GwkfzlvhjYNpS225x3M/edit
2019 ShellCon Tuneup: Tips for Your CV and Profile, From an Interviewer
SE Village Con - Thu, Feb 20 - Sat, Feb 22 | Hilton Orlando Buena Vista Palace
Layer8conf - https://www.workshopcon.com/events https://layer8conference.com/
Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of sponsorships the conference secures. As a side note, WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups. In terms of sponsorship information for Layer8, Patrick wants people to send an email to sponsors@layer8conference.com. Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!
Saturday June 6, 2020, RI Convention Center

Nov 21, 2019 • 39min
2019-041-circuitswan, diana initiative, diversity initiatives at conferences
Diana Initiative @circuitswan
https://www.dianainitiative.org/ https://twitter.com/DianaInitiative
Conference in Las Vegas (Aug 6-7, 2020) (Thu & Fri)
info@dianainitiative.org
Topics
Diana initiatives
Past:
2015 - idea at defcon 23
2016-17-18 growing but got too big!
2019 got our own space, ~800 tickets
2020 plans - Westin again, 2 speaking tracks and 1 workshop track, solder village, career village, CTF, lock picking
Mentoring both CFP and presenters this year! (expansion from last year)
Student scholarship (we want to double the amount of money, target still 10)
Free tickets (expansion over last year)
Present:
Slogan contest 2020
I don’t want to think about 2021 yet :)
Future:
Mentors
Reviewers
Volunteers
Donations (giving tuesday, scholarships)
Needs/wants
Discuss how to add more DNI into your event (conference, meetup, slack, etc)
Women in Technology
Diana 2018
https://business.linkedin.com/talent-solutions/blog/job-descriptions/2018/5-must-dos-for-writing-inclusive-job-descriptions
https://www.hudsonrpo.com/rpo-intelligence/recruitment-process-outsourcing/how-to-write-an-inclusive-job-description/
https://www.refinery29.com/en-us/2017/04/148547/how-to-get-a-raise-chatbot-cindy-gallop
Better job descriptions
Other topics of interest
Career village / resume clinic work in general (spoken on this twice, volunteer at resume clinic)
CFP advice in general (https://sites.google.com/site/amazonv/conference-call-for-papers-cfp-tips)
First time speaker advice in general https://sites.google.com/site/amazonv/first-time-speaker?authuser=0
HackerSwan (http://hackerswan.com/)
HackerFoodies (http://hackerfoodies.com/)
http://hackersummercamp.guide/ aka “birds of a feather concept”
WAN party / Women’s meetup at Defcon with @sylv3on_ @nemessisc and more
http://hackerconticketexchange.com/
GitLab security scans (that's me!)
We are responsible for baking Sec into DevOps and hence write the red team software (well, integrate in most cases) for your appsec team if your devs are using GitLab. We have a security team that secures GitLab itself, but that's not us. We have SAST, DAST, Dependency, Secret Detection and License Compliance baked into our paid tier, and SAST is coming down to the free tier!
I’m pitching a talk about tuning to Shmoocon because it seems like that's the most common question I got as a result of my devsecops talks at derbycon / shellcon / bsidesdc.
N.Schwartz: Are you ready to leverage DevSecOps? BSidesDC 2019
Also could mention getting married to RenderMan and the open wedding invite we have if you are up for party shenanigans http://circuitswanandrenderman.com/
And I have a help guide for how to run an inclusive conference - https://docs.google.com/document/d/12OCiiWRVf6r08SuI3T4Djm98GwkfzlvhjYNpS225x3M/edit
2019 ShellCon Tuneup: Tips for Your CV and Profile, From an Interviewer
SE Village Con - Thu, Feb 20 - Sat, Feb 22 | Hilton Orlando Buena Vista Palace
Layer8conf - https://www.workshopcon.com/events https://layer8conference.com/
Regarding diversity scholarships, it's being worked on and the number of available spots will highly depend on the number of sponsorships the conference secures. As a side note, WorkshopCon will sponsor a number of Layer8 conference tickets if people follow @WorkshopCon on Twitter and tweet to us why they are interested in Social Engineering and OSINT topics with hashtag #sendMeToLayer8. We will select folks from those tweets with the emphasis being on folks coming from underrepresented or minority groups. In terms of sponsorship information for Layer8, Patrick wants people to send an email to sponsors@layer8conference.com. Please let us know if you have any other questions, and thank you so much for giving us a hand spreading the word!!!
Saturday June 6, 2020, RI Convention Center

Nov 12, 2019 • 1h 7min
2019-040-vulns in cisco kit, google's project 'nightmare', healthcare data issues, TAGNW conference update
Tagnw.org
Amazon Smile - brakesec.com/smile
News:
https://www.androidpolice.com/2019/11/11/google-project-nightingale-health-records-collection/
https://www.csoonline.com/article/3439400/secrets-of-latest-smominru-botnet-variant-revealed-in-new-attack.html
https://blog.naijasecforce.com/the-jar-based-malware/ - Ms. Infosecsherpa mailing list “nuzzle”
https://www.axios.com/hospitals-cybersecurity-medical-information-hacking-076cb826-fc69-4ba6-b3fd-57ce19ab00c6.html
https://www.axios.com/hospitals-doctors-privacy-records-hacks-data-5cb5d8c1-27de-4cc1-94d8-634015efc04a.html
https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/
https://en.wikipedia.org/wiki/Data_Protection_API
https://latesthackingnews.com/2019/11/10/multiple-security-issues-detected-in-cisco-small-business-routers-update-now/
https://www.routefifty.com/tech-data/2019/11/plan-engage-hackers-election-security/161045/
https://www.darkreading.com/vulnerabilities---threats/microsoft-security-setting-ironically-increases-risks-for-office-for-mac-users/d/d-id/1336268

Nov 4, 2019 • 54min
2019-039-bluekeep_weaponized-npm_security_cracks-grrcon_report
Grrcon update
2019-039 - Bluekeep weaponized… and more
Bluekeep weaponized:
https://www.bleepingcomputer.com/news/security/bluekeep-remote-code-execution-bug-in-rdp-exploited-en-masse/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/
https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining
NordVPN hacked: https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/
Null sessions and how to avoid them: https://www.dummies.com/programming/networking/null-session-attacks-and-how-to-avoid-them/
https://social.technet.microsoft.com/Forums/en-US/2acdfb53-edee-444e-9ffa-25dcebcd9181/smb-null-sessions
Linux has a marketing problem: https://hackaday.com/2019/10/31/linuxs-marketing-problem/
20 accounts could pwn the majority of NPM: https://www.zdnet.com/article/hacking-20-high-profile-dev-accounts-could-compromise-half-of-the-npm-ecosystem/
Chrome 0day: https://thehackernews.com/2019/11/chrome-zero-day-update.html
India nuclear plant is hacked: https://arstechnica.com/information-technology/2019/10/indian-nuclear-power-company-confirms-north-korean-malware-attack/
High Tea Security Podcast: https://www.podcasts.com/high-tea-security-190182dc8
https://TAGNW.org - Bryan panel and talking about networking
Securewv.org - Training - https://www.eventbrite.com/e/security-dd-tickets-79219348203
Bsides Fredericton - https://www.eventbrite.ca/e/security-bsides-fredericton-2019-tickets-59449704667

Oct 30, 2019 • 1h 17min
2019-038-Deveeshree_Nayak-risk_analysis, and OWASP WIA
OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE https://www.owasp.org/index.php/Women_In_AppSec
OWASP Women in AppSec Twitter: 2013_Nayak (reach out and ask to be added)
https://www.tagnw.org/events/
Risk in Infosec
Risk - a situation which involves extreme danger and an extensive amount of unrecovered loss
What about risks that are positive in nature? PMP calls them ‘opportunities’
Risk Analysis - systematic examination of the components and characteristics of risk
Analysis Steps - Understanding and Assessment
Understand there is a risk
What if a company does not have security standards?
Identification
Identify and categorize risk - Informational risk, Network risk, Hardware risk, Software risk, Environment risk?
https://en.wikipedia.org/wiki/Routine_activity_theory
Scope of risk analysis?
Threat modeling to find risks? https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
SWOT (strength/weakness/opportunities/threats) analysis will discover risks?
Risk analysis methodologies?
https://www.project-risk-manager.com/blog/qualitative-risk-techniques/
https://securityscorecard.com/blog/it-security-risk-assessment-methodology
https://en.wikipedia.org/wiki/Probabilistic_risk_assessment
https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration
Estimation
Chance that risk will occur (once a decade, once a week)
Design controls to remediate
Implementation
Risk assessment is a combined approach
Combined approach for a risk analysis
You mentioned a lot of people, what’s the scope?
How do you do the risk assessment? Framework?
Evaluation
Evaluation approach
Like an agile approach
Provides an informed conclusion
Report must be clear (no jargon)
Decision Making
Examples to Reduce Risk
Training and education: what kind of testing? Annual security training?
Publishing policies
Agreement with organization
BAA with 3rd parties
Timely testing -

Oct 22, 2019 • 53min
2019-038- Ethical dilemmas with offensive tools, powershell discussion with Lee Holmes - Part2
Derbycon9 talk - PowerShell Security Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s
Encarta - https://en.wikipedia.org/wiki/Encarta
Scott Hanselman’s twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409
Congrats on the black badge :)
I like that you bring up execution policies, and that it was never created to become a security control. I started alerting on it anyway, at least from non-admin devices: https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/
Want to learn Powershell? UnderTheWire wargame: https://underthewire.tech/
Jeffrey Snover “The Cultural battle to remove Windows from Windows Server”: https://www.youtube.com/watch?v=3Uvq38XOark
You talk about “why would anyone want to remove powershell” as it came as a standalone download and part of the windows sdk.
- I was taught when I was just getting into tech that I should fear powershell, and didn’t realize how powerful it could be as an admin because of it.
Powershell slime trail <3 (powershell transparency)
“You can’t force a powerful tool only to be used how you want it to be used, you can tilt the playing field on behalf of defenders”
If an attacker is going to use powershell, let’s make them regret it
Powershell has had quite an impact and history.
My own sorry logging/alerting attempts
You mentioned the amount of attacks listed in MITRE that use powershell, is that *the* recommended resource for blue teamers, are there any others?
Revoke-Obfuscation white paper (blackhat2017): https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf
https://github.com/danielbohannon/Invoke-Obfuscation
https://github.com/danielbohannon/Revoke-Obfuscation
https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-now-uses-windows-powershell/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POSHCODER.A
Ever thought of writing a powershell security-centric book? Bill Pollock was looking for someone to write a book for NoStarch…
Derbycon keynote with Lee Holmes and Jeffrey Snover - http://www.irongeek.com/i.php?page=videos/derbycon6/101-key-note-jeffrey-snover-lee-holmes
AMSI - Antimalware Scan Interface: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
Windows Powershell Cookbook: https://www.amazon.com/dp/B00ARN9MEK/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1
Eric Conrad: https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html
https://github.com/sans-blue-team/DeepBlueCLI
Daniel Bohannon - DevSec Defense - https://www.youtube.com/watch?v=QJe8xikf-iE
https://github.com/psconfeu/2018/tree/master/Daniel%20Bohannon/DevSec%20Defense
Constrained language mode: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
Maslow’s security Hierarchy: https://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/
Just Enough Administration: https://docs.microsoft.com/en-us/previous-versions//dn896648(v=technet.10)?redirectedfrom=MSDN
https://github.com/infosecn1nja/AD-Attack-Defense
Also - DrawOnMyBadge.com - Super cool idea, loved the mona lisa
@Lee_Holmes @hackershealth @log-md @infosecCampout @seasecEast @brakesec @bryanbrake @boettcherpwned @Infosystir @packscott @dpcybuck @megan_roddie @consultingCSO

Oct 17, 2019 • 50min
2019-037-Lee Holmes, Powershell logging, and why there's an 'execution bypass'
Derbycon9 talk - PowerShell Security Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s
Encarta - https://en.wikipedia.org/wiki/Encarta
Scott Hanselman’s twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409
Congrats on the black badge :)
I like that you bring up execution policies. That it was never created to become a security control. I started alerting on it anyway, at least from non-admin devices: https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/
Want to learn PowerShell? UnderTheWire wargame: https://underthewire.tech/
Jeffrey Snover “The Cultural battle to remove Windows from Windows Server”: https://www.youtube.com/watch?v=3Uvq38XOark
You talk about “why would anyone want to remove PowerShell” as it came as a standalone download and part of the Windows SDK.
- I was taught when I was just getting into tech that I should fear PowerShell, and didn’t realize how powerful it could be as an admin because of it.
PowerShell slime trail <3 (PowerShell transparency)
“You can’t force a powerful tool only to be used how you want it to be used, you can tilt the playing field on behalf of defenders”
If an attacker is going to use PowerShell, let’s make them regret it.
PowerShell has had quite an impact and history.
My own sorry logging/alerting attempts
You mentioned the amount of attacks listed in MITRE that use PowerShell; is that *the* recommended resource for blue teamers? Are there any others?
Revoke-Obfuscation white paper (Black Hat 2017): https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf
https://github.com/danielbohannon/Invoke-Obfuscation
https://github.com/danielbohannon/Revoke-Obfuscation
https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-now-uses-windows-powershell/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POSHCODER.A
Ever thought of writing a PowerShell security-centric book? Bill Pollock was looking for someone to write a book for No Starch…
Derbycon keynote with Lee Holmes and Jeffrey Snover - http://www.irongeek.com/i.php?page=videos/derbycon6/101-key-note-jeffrey-snover-lee-holmes
AMSI - Antimalware Scan Interface: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
Windows PowerShell Cookbook - https://www.amazon.com/dp/B00ARN9MEK/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1
Eric Conrad: https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html
https://github.com/sans-blue-team/DeepBlueCLI
Daniel Bohannon - DevSec Defense - https://www.youtube.com/watch?v=QJe8xikf-iE
https://github.com/psconfeu/2018/tree/master/Daniel%20Bohannon/DevSec%20Defense
Constrained language mode: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
Maslow’s security hierarchy: https://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/
Just Enough Administration: https://docs.microsoft.com/en-us/previous-versions//dn896648(v=technet.10)?redirectedfrom=MSDN
https://github.com/infosecn1nja/AD-Attack-Defense
Also - DrawOnMyBadge.com - Super cool idea, loved the Mona Lisa
@Lee_Holmes @hackershealth @log-md @infosecCampout @seasecEast @brakesec @bryanbrake @boettcherpwned @Infosystir @packscott @dpcybuck @megan_roddie @consultingCSO
