
BrakeSec Education Podcast
A podcast about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security professionals need to know, or refresh the memories of seasoned veterans.
Latest episodes

Dec 3, 2018 • 1h 25min
2018-042-Election security processes in the state of Ohio
Where in the world is Ms. Amanda Berlin? Keynoting hackerconWV
Election Security, Cuyahoga County:
Intro: Jeremy Mio (@cyborg00101) - Name? Why are you here?
Discussing how Ohio does election operations. Walk through the process:
- Pre-Elections
- Election Night
- Post-Elections
All about the C.I.A.:
- Votes must be confidential
- Votes must not be compromised (integrity)
- Voting should be available and without outage
Did a tabletop exercise with all counties in Ohio (impressive!):
- Gamified, using role-reversal
- Points-based system
- Different technology has different point values
Physical security/chain of custody
Retention
EI-ISAC - election infrastructure ISAC
- https://www.cisecurity.org/services/albert/ - Albert system
- https://www.cisecurity.org/best-practices-part-1/ - election security best practices
How does the Ohio election process stack up against other states?
Media perception in elections
Hacking and threats:
- 11 year olds 'hacking election' - yes, good for a news article title
- Goes to show how easy it is to actually hack systems
- Train someone on SQLI, pwn the things
Election security operations and preparation
Technology types: ballot booths, mail-in ballots
Securing election infrastructure: what can be done to make it more secure?

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Nov 26, 2018 • 45min
2018-041: part 2 of Kubernetes security insights w/ Ian Coldwater
Ian Coldwater - @IanColdwater, https://www.redteamsecure.com/ (new gig)
So many different moving parts: plugins, code, hardware
She's working on her speaking schedule for 2019
How would I use these at home? https://kubernetes.io/docs/setup/minikube/
Kubernetes: Up and Running - https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677
General Wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes
Alice Goldfuss - https://twitter.com/alicegoldfuss
Derbycon talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater
Tesla mis-configured Kubes env (from the talk): https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/
RedLock report mentioned in the Ars article: https://redlock.io/blog/cryptojacking-tesla
Set up your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)
Securing K8s implementations:
- https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
- https://github.com/aquasecurity/kube-hunter
Threat model:
- What are you protecting?
- Who are you protecting from?
- What are your adversary's capabilities?
- What are your capabilities?
- Defenders think in lists; attackers think in graphs
What are some of the visible ports used in K8s?
- 44134/tcp - Helm Tiller, weave, calico
- 10250/tcp - kubelet (kubelet exploit); no authN, completely open
- 10255/tcp - kubelet port (read-only)
- 4194/tcp - cAdvisor
- 2379/tcp - etcd; etcd holds all the configs (config storage)
Engineering workflow: ephemeral
CVE for K8s subpath: https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/
Final points:
- Advice for securing K8s is standard security advice
- Use defense in depth and least privilege
- Be aware of your attack surface
- Keep your threat model in mind
David Cybuck (questions from the Slack channel): My questions are:
1. Talk telemetry? What is the best first step for having my containers or Kubernetes report information? (My overlords want metrics dashboards which lead to useful metrics.)
2. How do you threat model your containers?
3. Has she ever run, or how would she begin to run, a table-top exercise (a cross between a threat model and a disaster recovery walk-through) for the container infrastructure?
4. MITRE ATT&CK framework: there is a spin-off for mobile. Do we need one for Kube, Swarm, or DC/OS?

Nov 19, 2018 • 1h 21min
2018-040- Jarrod Frates discusses pentest processes
Jarrod Frates, InGuardians, @jarrodfrates - "Skittering Through Networks"
Ms. Berlin in Germany - how'd it go?
TinkerSec's story: https://threadreaderapp.com/thread/1063423110513418240.html
Takeaways
Blue Team:
- Least Privilege Model
- Least Access Model: "limited remote access to only a small number of IT personnel"; "This user didn't need Citrix, so her Citrix linked to NOTHING"; "They limited access EVEN TO LOCAL ADMINS!"
- Multi-Factor Authentication
- Simple Anomaly Rule Fires: "Finance doesn't use Powershell"
- Defense in Depth: "moving from passwords to pass phrases..."; "Improper disposal of information assets"
Red Team:
- Keep Trying
- Never Assume
- Bring In Help
- Luck Favors the Prepared
- Adapt and Overcome
Before the Test
- Talk it over with stakeholders: reasons, goals, schedules
- The report is the product: get samples (who, what, when, where, why, how)
- Talk to testers (and their clients, if you can find them): ask questions; look for past defensive experience and understanding of your needs; bonus points if they interview you as a client
- Red flags: pwning is all they talk about, they set no-crash guarantees, they send info in the clear
- Define the scope: test type(s), inclusions, exclusions, permissions, accounts
- Test in 'test/dev', NOT PROD
- Social Engineering: DO THIS. Yes, you're vulnerable. DO IT ANYWAY.
During the Test
- Comms: keep in contact with the testers; status reports (if the engagement is long enough); have an established method for escalation; have an open communication style --brbr (WeBrBrs)
- Ask questions, but let the testers do their jobs
- Be available and ready to address critical events
- Keep critical stakeholders informed
- Watch your network: things break, someone else may be getting in, capture packets(?)
After the Test
- Getting results: report delivered securely; initial summary: how far did they get?
- Actual report: written for multiple levels; no obvious copy/paste; read, understand, provide feedback, and get a revised version
- Next steps: don't blame anyone unnecessarily; start planning with stakeholders on fixes; contact vendors, educate staff
- Reacting to the report
- Sabotaging your test
- Future testing
Ms. Berlin's legit business - Mental Health Hackers
CFP for BSides Seattle (deadline: 26 November 2018): http://www.securitybsides.com/w/page/129078930/BsidesSeattle2019
CFP for BSidesNash (closes Dec 31): https://twitter.com/bsidesnash/status/1063084215749787649
Teaching a class in Seattle for SANS (SEC504) - need some students! Reach out to me for more information. Looking to do this at the end of February through March.

Nov 12, 2018 • 50min
2018-039-Ian Coldwater, kubernetes, container security
Ian Coldwater - @IanColdwater, https://www.redteamsecure.com/ (new gig)
So many different moving parts: plugins, code, hardware
She's working on her speaking schedule for 2019
How would I use these at home? https://kubernetes.io/docs/setup/minikube/
Kubernetes: Up and Running - https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677
General Wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes
Alice Goldfuss - https://twitter.com/alicegoldfuss
Derbycon talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater
Tesla mis-configured Kubes env (from the talk): https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/
RedLock report mentioned in the Ars article: https://redlock.io/blog/cryptojacking-tesla
Set up your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)
Securing K8s implementations:
- https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
- https://github.com/aquasecurity/kube-hunter
Threat model:
- What are you protecting?
- Who are you protecting from?
- What are your adversary's capabilities?
- What are your capabilities?
- Defenders think in lists; attackers think in graphs
What are some of the visible ports used in K8s?
- 44134/tcp - Helm Tiller, weave, calico
- 10250/tcp - kubelet (kubelet exploit); no authN, completely open
- 10255/tcp - kubelet port (read-only)
- 4194/tcp - cAdvisor
- 2379/tcp - etcd; etcd holds all the configs (config storage)
Engineering workflow: ephemeral
CVE for K8s subpath: https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/
Final points:
- Advice for securing K8s is standard security advice
- Use defense in depth and least privilege
- Be aware of your attack surface
- Keep your threat model in mind
David Cybuck (questions from the Slack channel): My questions are:
1. Talk telemetry? What is the best first step for having my containers or Kubernetes report information? (My overlords want metrics dashboards which lead to useful metrics.)
2. How do you threat model your containers?
3. Has she ever run, or how would she begin to run, a table-top exercise (a cross between a threat model and a disaster recovery walk-through) for the container infrastructure?
4. MITRE ATT&CK framework: there is a spin-off for mobile. Do we need one for Kube, Swarm, or DC/OS?

Nov 5, 2018 • 59min
2018-038-InfosecSherpa, security culture,
@InfoSecSherpa
I have two talks coming up:
- Empathy as a Service to Create a Culture of Security, at the Cofense Submerge conference
- Deep Dive into Social Media as an OSINT Tool, at the H-ISAC Fall Summit (Health Information Sharing and Analysis Center)
*Shameless Plug* My Nuzzel newsletters: https://nuzzel.com/InfoSecSherpa and https://nuzzel.com/InfoSecSherpa/cybersecurity-africa
News stories:
- Biglaw Firm Hit With Cybersecurity Incident Earlier This Month (Published: 29 October 2018 | Source: Above the Law)
- https://www.cio.com/article/3212829/cyber-attacks-espionage/hackers-are-aggressively-targeting-law-firms-data.html
- Porn-Watching Employee Infected Government Networks With Russian Malware, IG Says (Published: 25 October 2018 | Source: Next Gov)

Oct 22, 2018 • 45min
2018-037-iWatch save man's life, Alexa detects your mood, and post-derby discussion
Health & Tech?
- https://arstechnica.com/gadgets/2018/10/amazon-patents-alexa-tech-to-tell-if-youre-sick-depressed-and-sell-you-meds/
- https://hackaday.io/project/151388-minder (774 results for "health" on hackaday)
- https://hackaday.io/project/11407-myflow (def don't need to talk about, but still funny AF)
- https://9to5mac.com/2017/12/15/apple-watch-saves-life-managing-heart-attack/
- https://www.adheretech.com/
Privacy implications?
- Microsoft healthcare initiative: https://enterprise.microsoft.com/en-us/industries/health/
- Apple Health: https://www.apple.com/ios/health/ and https://www.apple.com/researchkit/
https://www.papercall.io/dachfest18
Make plans for next year! Follow @derbycon on Twitter!

Oct 15, 2018 • 40min
2018-036-Derbycon 2018 Audio with Cheryl Biswas and Tomasz Tuzel
Derbycon is probably one of the best infosec conferences of the calendar year. The podcast always has so much fun meeting listeners, meeting new people, and getting some audio to share with folks who can't be there. This year, we still got some audio, and it's great.
We talked with Cheryl Biswas (@3ncr1pt3d) about her talks at #Derbycon and her work with the #dianaInitiative. Check out her talks at the links on @irongeek's website:
- Cheryl's track talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-1-05-draw-a-bigger-circle-infosec-evolves-cheryl-biswas
- Cheryl's Stable talk: http://www.irongeek.com/i.php?page=videos/derbycon8/stable-29-patching-show-me-where-it-hurts-cheryl-biswas
I saw Tomasz near the @log-md booth; it was his first Derbycon, and I was interested in hearing what he had to say about hypervisor introspection.
- Tomasz Tuzel: http://www.irongeek.com/i.php?page=videos/derbycon8/track-4-18-who-watches-the-watcher-detecting-hypervisor-introspection-from-unprivileged-guests-tomasz-tuzel
Make plans for next year! Follow @derbycon on Twitter!

Oct 1, 2018 • 53min
2018-035-software bloat is forever; malicious file extensions; WMIC abuses
Pizza Party Link - https://www.eventbrite.com/e/brakesec-derbycon-pizza-meetup-tickets-50719385046
News stories:
- Software/library bloat: http://tonsky.me/blog/disenchantment/ and https://hackernoon.com/how-it-feels-to-learn-javascript-in-2016-d3a717dd577f
- https://gbhackers.com/hackers-abusing-windows-management-interface-command-tool-to-deliver-malware-that-steal-email-account-passwords/
- https://hackerhurricane.blogspot.com/2016/09/avoiding-ransomware-with-built-in-basic.html
- https://www.zdnet.com/article/windows-utility-used-by-malware-in-new-information-theft-campaigns/
- https://attack.mitre.org/wiki/Technique/T1170 - HTA file malware examples
- https://nakedsecurity.sophos.com/2018/09/26/finally-a-fix-for-the-encrypted-webs-achilles-heel/
- https://www.bbc.com/news/technology-45686890 (Facebook account hack)
- https://github.com/eset/malware-ioc/blob/master/sednit/lojax.adoc - IOCs from various malware
- UEFI rootkit - https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/
Block These Extensions:
File Extension - File Type
.adp - Access Project (Microsoft)
.app - Executable Application
.asp - Active Server Page
.bas - BASIC Source Code
.bat - Batch Processing
.cer - Internet Security Certificate File
.chm - Compiled HTML Help
.cmd - DOS CP/M Command File, Command File for Windows NT
.cnt - Help file index
.com - Command
.cpl - Windows Control Panel Extension (Microsoft)
.crt - Certificate File
.csh - csh Script
.der - DER Encoded X509 Certificate File
.exe - Executable File
.fxp - FoxPro Compiled Source (Microsoft)
.gadget - Windows Vista gadget
.hlp - Windows Help File
.hpj - Project file used to create Windows Help File
.hta - Hypertext Application
.inf - Information or Setup File
.ins - IIS Internet Communications Settings (Microsoft)
.isp - IIS Internet Service Provider Settings (Microsoft)
.its - Internet Document Set, Internet Translation
.js - JavaScript Source Code
.jse - JScript Encoded Script File
.ksh - UNIX Shell Script
.lnk - Windows Shortcut File
.mad - Access Module Shortcut (Microsoft)
.maf - Access (Microsoft)
.mag - Access Diagram Shortcut (Microsoft)
.mam - Access Macro Shortcut (Microsoft)
.maq - Access Query Shortcut (Microsoft)
.mar - Access Report Shortcut (Microsoft)
.mas - Access Stored Procedures (Microsoft)
.mat - Access Table Shortcut (Microsoft)
.mau - Media Attachment Unit
.mav - Access View Shortcut (Microsoft)
.maw - Access Data Access Page (Microsoft)
.mda - Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)
.mdb - Access Application (Microsoft), MDB Access Database (Microsoft)
.mde - Access MDE Database File (Microsoft)
.mdt - Access Add-in Data (Microsoft)
.mdw - Access Workgroup Information (Microsoft)
.mdz - Access Wizard Template (Microsoft)
.msc - Microsoft Management Console Snap-in Control File (Microsoft)
.msh - Microsoft Shell
.msh1 - Microsoft Shell
.msh2 - Microsoft Shell
.mshxml - Microsoft Shell
.msh1xml - Microsoft Shell
.msh2xml - Microsoft Shell
.msi - Windows Installer File (Microsoft)
.msp - Windows Installer Update
.mst - Windows SDK Setup Transform Script
.ops - Office Profile Settings File
.osd - Application virtualized with Microsoft SoftGrid Sequencer
.pcd - Visual Test (Microsoft)
.pif - Windows Program Information File (Microsoft)
.plg - Developer Studio Build Log
.prf - Windows System File
.prg - Program File
.pst - MS Exchange Address Book File, Outlook Personal Folder File (Microsoft)
.reg - Registration Information/Key for W95/98, Registry Data File
.scf - Windows Explorer Command
.scr - Windows Screen Saver
.sct - Windows Script Component, FoxPro Screen (Microsoft)
.shb - Windows Shortcut into a Document
.shs - Shell Scrap Object File
.ps1 - Windows PowerShell
.ps1xml - Windows PowerShell
.ps2 - Windows PowerShell
.ps2xml - Windows PowerShell
.psc1 - Windows PowerShell
.psc2 - Windows PowerShell
.tmp - Temporary File/Folder
.url - Internet Location
.vb - VBScript File or Any VisualBasic Source
.vbe - VBScript Encoded Script File
.vbp - Visual Basic project file
.vbs - VBScript Script File, Visual Basic for Applications Script
.vsmacros - Visual Studio .NET Binary-based Macro Project (Microsoft)
.vsw - Visio Workspace File (Microsoft)
.ws - Windows Script File
.wsc - Windows Script Component
.wsf - Windows Script File
.wsh - Windows Script Host Settings File
.xnk - Exchange Public Folder Shortcut
.ade - ADC Audio File
.cla - Java class File
.class - Java class File
.grp - Microsoft Windows Program Group
.jar - Compressed archive file package for Java classes and data
.mcf - MMS Composer File
.ocx - ActiveX Control file
.pl - Perl script language source code
.xbap - Silverlight Application Package

Sep 25, 2018 • 40min
2018-034-Pentester_Scenario
An interesting email from one of our listeners, detailing an issue that came up on a client engagement. We walk through the best ways to store information post-engagement, and what you need to do to document test procedures so you don't get bitten by a potential issue months down the line.

Sep 1, 2018 • 1h 8min
2018-031-Derbycon ticket CTF, Windows Event forwarding, SIEM collection, and missing events... oh my!
We are back with a new episode this week! We go over our solutions for some of the #derbyCon ticket #CTF challenges and include links to some of the challenges. We talk about Windows Event Forwarding, and how all log forwarders seem to be losing events!
Thanks to our Patrons! Gonna be at Derbycon, come see us!
Congrats to our Derbycon Ticket CTF winners!
- Winner: @gigstaggart
- 2nd Place: @ohai_ninja
- 3rd Place: @SoDakHib
Mr. Boettcher's Challenge (SuperCrypto): https://drive.google.com/open?id=1657hBxRbacJRw0svG1nwzZImON3QFn1t
Ms. Berlin's Challenge:
- potato.file: https://drive.google.com/open?id=1Mit7060ipK_JgDDF7sYG3XbMpZ9wyaFN
- Taters.zip: https://drive.google.com/open?id=1TnA16EiwLw2BberHXct8JpEsntT-GWq7
- Potatoes.pcapng: https://drive.google.com/open?id=1_IATBw4OGAc7lUc7NXTcucfwU9NAROYN
Mr. Brake's Challenge: https://drive.google.com/open?id=1gwGkLjWEZ42NlWiw2Eg8IQnnQAxua7B8
Update on Mental Health GoFundMe: http://www.derbycon.com/wellness
Thanks to the #Derbycon organizers for their time and patience in answering the questions posed.
Missing event issues:
- https://social.technet.microsoft.com/Forums/en-US/eddf3f41-db8d-4729-a838-646cbbb45295/missing-events-on-event-subscription?forum=winservergen
- https://social.technet.microsoft.com/Forums/en-US/cb34f0d3-22df-498c-a782-d1957f6852ac/forwarded-events-subscriptions-missing-information-in-eventdata-section?forum=winserverManagement
- https://github.com/palantir/windows-event-forwarding
- https://answers.splunk.com/answers/337939/how-to-troubleshoot-why-im-missing-events-in-my-se.html
- https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
- https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows
- https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/
- https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4
- https://4sysops.com/archives/windows-event-forwarding-to-a-sql-database/
- https://blogs.technet.microsoft.com/jepayne/2017/12/08/weffles/
- http://bpatty.rocks/blue_team/weffles.html
- https://blogs.technet.microsoft.com/nathangau/2017/05/05/event-forwarding-and-how-to-configure-it-for-the-security-monitoring-management-pack/
Some issues with missing events... Everyone is affected by this!
- WEF & PowerBI is good for small installations.
- Any GPOs involved? Can it be done on a server-by-server basis?
- Can an attacker simply disable the service once initial access is achieved?
- Pros and cons of feeding the WEF output to a MapReduce system?
- Not sure if they've used it, but WEF vs. winlogbeat vs. NxLog?
Need a config? Get some examples here for nxlog, winlogbeat, filebeat, Windows Logging Service and other stuff: https://www.malwarearchaeology.com/logging/