
BrakeSec Education Podcast

Latest episodes

Jan 20, 2018 • 1h 3min

2018-002-John_Nye-Healthcare's_biggest_issues-ransomware

John Nye (@EndisNye_com) is the VP of Cybersecurity Strategy at healthcare consultancy #CynergisTek. He's in the process of writing a whitepaper about the issues that are still plaguing healthcare. While every industry in the world has to deal with #security issues, the stakes are highest, and most personal, in healthcare. Because healthcare data is highly sensitive, a breach can cause major problems for the individual and #healthcare organization — in addition to embarrassment and sometimes extortion or blackmail.   We go over some of the things he's found, and discuss how we could address these issues.   Ms. Berlin's course "Disrupting the Kill Chain" is planned to start on the 5th of February, and will be 4 sessions, with new material if you've seen her workshop at previous conferences.  The cost of the class will be $100 USD for access to our Zoom webex. If you'd like to gain access to the videos we'll have for the class, you can buy access to them for $50 USD. Sign up with our Paypal link: Paypal -- When paying, if you want us to send you a different email from your Paypal email, please add it to the 'NOTE' section during your payment. Direct Download: http://traffic.libsyn.com/brakeingsecurity/2018-002-John_Nye-Healthcares-biggest_issues-ransomware.mp3   #Spotify: https://brakesec.com/spotifyBDS RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite   Join our #Slack Channel! 
Email us at bds.podcast@gmail.com or DM us on Twitter @brakesec #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec   From our friends at Hack In the Box Amsterdam: "We are gearing up for the Hack In The Box Amsterdam 2018, which is now on its 9th edition, and will take place between the 9th and 13th April at the same venue as last year, the Grand Krasnapolsky hotel in the center of Amsterdam: https://conference.hitb.org/hitbsecconf2018ams/ The list of trainings is already published and looking as awesome as ever: https://conference.hitb.org/hitbsecconf2018ams/training The CFP is open and the review board is already hard at work with the first submissions."     "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 9 and 13 April 2018. The Call For Papers is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount".
Jan 12, 2018 • 1h 6min

2018-001- A new year, new changes, same old trojan malware

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-001-A_new_year-new_changes-same_old_malware.mp3

The first show of our 2018 season brings us something new (some awesome new additions to our repertoire), and something old (ransomware). Michael Gough is joining us to discuss a new partnership with BrakeSec Podcast (you'll have to listen to find out, or wait a few weeks :D ). We discuss the #Spectre and #Meltdown vulnerabilities, wonder about the criticality of the vulnerabilities and their mitigation, and debate why the patching was handled in such a poor manner. We also discuss a news story about a school that spent an exorbitant amount of money to remove a trojan that Mr. Boettcher (@boettcherpwned) and Mr. Gough (@hackerhurricane) believe could be very simply handled. We talk about the need for state and local governments and institutions to have some way to call for help with breaches or 'cyber' crises, a no-blame assistance helpline. I did a quick video with a demonstration of Dave Kennedy's security tool "Pentester Framework" (PTF); the demo is on our Youtube Channel (https://youtu.be/sIc1ljkwE5Q). Finally, we discuss our upcoming training with Ms. Berlin (@infosystir), "Disrupting the Cyber Kill Chain", which will start the first week of February and go for 4 weeks. More details next week!

---Show Notes---

- Music change: couldn't remember where I got the other music
- A little more news than we used to; try to shy away from news everyone will talk about
- Brakeing Down Incident Response (BD-IR) podcast, hosted by Mr. Boettcher and Michael Gough; vendor talks; sponsors (provisionally)
- News:
  - http://www.zdnet.com/article/wpa3-wireless-standard-tougher-wifi-security-revealed/
  - https://threatpost.com/new-rules-announced-for-border-inspection-of-electronic-devices/129361/
  - https://www.tripwire.com/state-of-security/latest-security-news/school-district-spend-314k-rebuilding-servers-malware-attack/
- Upcoming training:
  - Amanda: Cyber Kill Chain training, Feb 5-26, Mondays at 9:30pm (4 x 1 hour)
  - Matt Miller: Reverse Engineering course (more advanced; still working on details with him, no promises yet)
  - Michael Gough, Malware Archaeology:
    - Austin, Feb or March: 1-day logging training (see AustinISSA.org)
    - Houston, April 3rd, 1 day, HouSecCon: Preparing and responding to an endpoint incident, what to configure and what to look for
    - Tulsa, April 11-12th, 2 days, BSides Oklahoma: Introduction to responding to an endpoint incident, malware discovery, what to configure and what to look for
- Job postings on our Slack:
  - Sr. Manager, Vuln Mgmt, Amazon (Herndon, VA)
  - Michael Fourdraine (@mfourdraine, https://twitter.com/mfourdraine) has several positions on his team in Bellevue, WA; many of them will relocate you to lovely Bellevue. Find him on Twitter or join us in our Slack
  - MG just posted "James Avery Information Security Manager"
- Teaching a SANS mentor course in Seattle (SEC504) starting March 1st. Sign up: https://www.sans.org/mentor/class/sec504-seattle-01mar2018-bryan-brake. Great if you work a job where you get called a lot; less likely to have to get up during class and walk away...
- A bit of a technical discussion: PTF (Pentester Framework). Setup, install software; lighter than Kali; works on Debian, Ubuntu, pretty much any Linux
- Slack: invite only. Slack bot died; a new link every month is a bit of a PITA. Being popular invites bots... would like to reduce that risk by broadcasting an invite
- A friend of mine was invited to speak on "A man's view of women in technology" O.o (http://www.cmhwit.org/). John: "Actually, my plan at this point is to interview several of the successful women I know in technology, followed by personal observations of how I've seen them become well respected leaders in the field."
Dec 23, 2017 • 1h 26min

2017-SPECIAL005-End of year Podcast with podcasters

As is tradition (or is becoming one around here), we like to get a bunch of podcasters together and just talk about our year. No prognostications, a bit of silliness, and we still manage to get in some great infosec content. Please enjoy! And please seek out these podcasts and have a listen! Slight warning: some rough language.

People and podcasts in attendance:
- Tracy Maleef (@infosecSherpa)
- Purple Squad Security Podcast (@purpleSquadSec) - John Svazic (@JohnsNotHere)
- Advanced Persistent Security (@advpersistsec) - Joe Gray (@C_3PJoe)
- Danny Akacki (@dakacki) - RallySec Podcast (@rallysec)
- Nate L (@gangrif) - Iron Sysadmin Podcast (@ironsysadmin)
Dec 16, 2017 • 1h 7min

2017-042-Jay Beale, Hushcon, Apple 0Day, and BsidesWLG audio

Ms. Berlin and Mr. Boettcher are on holiday this week, and I (Bryan) went to Hushcon (www.hushcon.com) last week (8-9 Dec 2017). Lots of excellent discussion and talks. While there, our friend Jay Beale (@jaybeale) came on to discuss Hushcon, as well as some recent news. Google released an 0day for Apple iOS, and we talk about how jailbreaking repos seem to be shuttering, because there have not been as many vulns found to allow for jailbreaking iDevices. We also went back and discussed some highlights of the DFIR hierarchy show last week (https://brakesec.com/2017-041) and some real-world examples from someone who sees it on a regular basis. Jay's insights are something you shouldn't miss. Finally, Ms. Berlin went to New Zealand and gave a couple of talks at Bsides Wellington (@bsideswlg). She interviewed Chris Blunt (https://twitter.com/chrisblunt) and "Olly the Ninja" (https://twitter.com/Ollytheninja) about what makes a good con.

Direct Link: https://brakesec.com/2017-042

--Show Notes--
- https://github.com/int0x80/githump
- http://ptrarchive.com/
- https://hunter.io/
- https://www.data.com/
- https://techcrunch.com/2017/11/27/ios-jailbreak-repositories-close-as-user-interest-wanes/
- https://securelist.com/unraveling-the-lamberts-toolkit/77990/
Dec 8, 2017 • 1h 2min

2017-041- DFIR Hierarchy of Needs, and new malware attacks

Maslow's Hierarchy of Needs was developed with the idea that the most basic needs should be satisfied to allow for continued successful development of the person, and of the community inevitably created by people seeking the same goals. DFIR is much the same, in that there are certain basics needed to ensure that you can detect, respond to, and reduce the possible damage inflicted by an attack. In my searching, we saw a tweet about a #github repo from Matt Swann (@MSwannMSFT) with just such a '#DFIR hierarchy of needs'. We discuss everything that is needed to build out a proper DFIR program. Mr. Boettcher discusses with us the latest #malware trend: using already-compromised email accounts to spread via threaded emails.

Direct Download Link: https://brakesec.com/2017-041

--Show Notes--

Malware report:
- https://www.lastline.com/labsblog/when-scriptlets-attack-excels-alternative-to-dde-code-execution/
- https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html

DFIR Hierarchy:
- https://github.com/swannman/ircapabilities
- Based on Maslow's Hierarchy of Needs: https://en.wikipedia.org/wiki/Maslow's_hierarchy_of_needs
- Requirements must be met before you can move on. It's not perfect, but gives a general idea of how needs should be met.
Nov 30, 2017 • 47min

2017-040-Expensify_privacy_issues-Something_is_rotten_at_Apple

With Mr. Boettcher out this week due to family illness, Ms. Berlin and I discussed a little bit of what is going on in the world. Expensify unveiled a new 'feature' where random people would help train their AI to better analyze receipts. Problem is that the random people could see medical receipts, hotel bills, and other PII. We discuss how they allowed this and the press surrounding it. We also discuss why these kinds of issues are prime reasons to do periodic vendor reviews. Our second story was on Apple's "passwordless root" account. We talk about the steps to mitigate it, why it was allowed to happen, and why the most straightforward methods of dealing with something like this may not always be the best way.

Direct Link: https://brakesec.com/2017-040

---Show Notes---

Agenda:
- Trip report from Amanda to New Zealand
- Did we talk about Amanda's appearance on PSW?
- Discuss last week's show about custom training. Comments? Suggestions for custom training solutions?
- https://www.sans.org/mentor/class/sec504-seattle-01mar2018-bryan-brake

Expensify:
- https://www.wired.com/story/not-always-ai-that-sifts-through-sensitive-info-crowdsourced-labor/
- https://www.theverge.com/2017/11/28/16703962/expensify-receipts-amazon-turk-privacy-controversy
- How is this different than, like, a medical transcriptionist?
- Don't you go in and modify the receipts yourself? Or is that a feature you can force?
- It's a privacy issue. Hotel receipts, boarding passes, even medical receipts
- Turn off 'smart scan'? Many companies like using it, and some will only accept smart-scanned receipts. Fat-fingering receipts isn't 'cool'. Snap a photo, move along
- Expensify is global, and this new 'feature' could have wide-reaching effects...
- Expensify used Mechanical Turk ('human intelligence tasks'): micropayments to do menial tasks
- Example of why periodic review of your 3rd parties is necessary: new 'features' = new nightmares; privacy requirements change; functionality not in alignment with your business goals

Apple 'passwordless root':
- http://appleinsider.com/articles/17/11/29/apple-issues-macos-high-sierra-update-to-fix-password-less-root-vulnerability
- High Sierra before today (29 November 2017) had the ability to log in as root with no password... That is a problem...
- Original tweet: https://twitter.com/lemiorhan/status/935578694541770752
- It also works on remote services, like ARD (Apple Remote Desktop), and file shares...
- Rolling IR: was it necessary? Serious, yes
- Was discovered two weeks prior: https://forums.developer.apple.com/thread/79235. Dev (chethan177) on the forum "didn't realize it was a security issue"
- Easy enough fix (Bryan IR story): open Terminal, sudo passwd root, change the password
- Do you trust users to do that? Not across a large enterprise
Nov 23, 2017 • 43min

2017-039-creating custom training for your org, and audio from SANS Berlin!

This week is a bit of a short show, as Ms. Berlin and Mr. Boettcher are out this week for the holiday. I wanted to talk about something that I've started doing at work... creating training... custom training that can help your org get around the old style of training. Also, we got some community audio from one of our listeners! "JB" went to a SANS event in Berlin, Germany a few weeks ago, and talked to some attendees, as well as Heather Mahalik (@HeatherMahalik), instructor of FOR585: Advanced Smartphone Forensics. Take a listen and we hope you enjoy it!

Direct Link: https://brakesec.com/2017-039

---Show notes (from Bryan and JB)---

- Ms. Berlin in New Zealand
- Mr. Boettcher with the family

Training:
- What makes us despise training so much? Cookie cutter; scenarios do not match environments; speaking is a little too perfect; Flash-based UI is horrible; outdated; easy questions
- Infosec training is worse: 2 hours of training each year; not effective
- Why not make your own? Been doing it at work. No more than 7 minutes, custom made, tailored for your own company
- Do your training like a talk at a con:
  - Time limit: 7 minutes (no more than 10)
  - Create some slides (5-7 slides)
  - Do it on a timely topic: recent tabletop exercise results, recent incident response, phishing campaign
  - Script or no script required; sometimes talking plainly can be enough
- Tools:
  - https://screencast-o-matic.com/ - Windows (free version is 7 minutes long)
  - QuickTime - OSX (free) (Screenflow)
  - Handbrake (convert to MKV or MP4)
  - Microphone (can use internal microphones if you have a quiet place)

[begin notes: SANS Berlin REMOTE segment]
Correspondent JB; reach JB at @cherokeejb_ on brakesec Slack, Twitter, and infosec.exchange
- Link to all trainers and info from the archive, SANS Berlin 2017: https://www.sans.org/event/berlin-2017/
- Pre-NetWars chat with the SEC 503 class: what do you like about SANS conferences; European privacy laws, even country to country!; biggest priority for next year: building a SOC, working together with sales, asset management, constant improvement, password reuse
- Special BrakeSec-members-only cameo
- "Bring your own device" interview with an Information Security/forensics professional: password elimination or no reuse
- Interview with Heather Mahalik (@HeatherMahalik). Bio: https://www.sans.org/instructors/heather-mahalik
  - "Game over": WhatsApp, unpatched Android, other known, historically weak tools as "assume breach of mobile"
  - Intersection of network forensics and mobile
  - Open source tools and the lack of them; how to judge your tools
  - Heather's recent blog; getting into mobile, decompiling, etc.
  - Number one topic for next year: encryption for Android 8 Oreo, iOS 12
  - "Most popular Android is still v4.4"
  - Heather's blog we mentioned: http://smarterforensics.com
  - Link to the book Heather mentioned: https://www.amazon.com/Practical-Mobile-Forensics-Heather-Mahalik/dp/1786464209/
- Link to the blog mentioned, JB's initial reflections on SEC 503: https://www.linkedin.com/pulse/whaaaa0101-0000-0011t-aka-extracting-files-out-pcaps-foremost
- JB's blog main link, or if you're not a fan of LinkedIn: https://cherokeejb.blogspot.de/
- Small featured music clips used with permission from YGAM Records, Berlin: "Ж" by the artist Ōtone (Pablo Discerens), (c)(p)2016. Get it for free or donate at http://ygam.bandcamp.com
- Book club EMEA! Message JB or David (@dpcybuck) or any of us on brakesec Slack if you want to take part in the book club conversations live, but can't make the main call!
[end segment]
Nov 15, 2017 • 56min

2017-038- Michael De Libero discusses building out your AppSec Team

Direct Link: https://brakesec.com/2017-038

Michael De Libero spends his work hours running an application security team at a game development company. I (Bryan) was really impressed at the last NCC Group Quarterly meetup when he gave a talk (not recorded) about how to properly build out your Application Security Team. So I asked him on, and we went over the highlights of his talk. Some of the topics included:
- Discussing your manpower issues with management
- Who to include in your team
- Communication between teams

----SHOW NOTES:

- Amanda's appearance on PSW
- Building an AppSec Team - Michael de Libero (@noskillz)
  - https://techbeacon.com/owasp-top-ten-update-what-your-security-team-needs-know
  - https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
  - https://www.veracode.com/blog/2012/02/how-to-build-an-appsec-training-program-for-development-teams-a-conversation-with-fred-pinkett
  - Michael's slides: https://docs.google.com/presentation/d/1Bvl2rybuWMdOu3cs03U85zwAvrM1RNxv99Dt-YiGiys/edit?usp=sharing
- Random notes from Mike:
  - Hiring
  - Web apps vs. more traditional apps: release cycles differ; tech stacks can often differ; orgs are different; etc.
  - Testing focus vs. "security health"
  - Role of management
  - Managing a "remote" team
  - Handling incoming requests from other teams
- How do you sell a company on having an appsec team if they don't have one?
- If you have an existing 'security team', how easy is it to augment that into an appsec team? Can you do job rotation with some devs? Do devs care enough to want to do code audits? "That's not in my job description"
- Skills needed in an appsec team: does it depend on the tech used, or the tech you might use?
- Internal security vs. consultants
- Intro to RE course with Tyler Hudak
- Bsides Wellington speaker: Amanda Berlin
Nov 8, 2017 • 52min

2017-037 - Asset management techniques, and its importance, DDE malware

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-037-asset_management.mp3

We started off the show talking to Mr. Boettcher about what DDE is and how malware is using this super-legacy Windows component (found in Windows 2) to propagate malware in MS Office docs and spreadsheets. We also talk about how to protect your Windows users from this. We then get into discussing why it's so important to have proper asset management in place. Without knowing what is in your environment, you could suffer gaps in coverage of your anti-virus/EDR software, be unable to patch systems properly, and even make lateral movement easier. Finally, we discuss our recent "Introduction to Reverse Engineering" course with Tyler Hudak (@secshoggoth), and Ms. Berlin's upcoming trip to New Zealand.

SHOW NOTES:

- Oreilly con report
- Malware report from Mr. Boettcher: DDE (Dynamic Data Exchange), all the rage
  - https://en.wikipedia.org/wiki/Windows_2.0
  - https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27325/en_US/McAfee_Labs_Threat_Advisory-W97MMacroLess.pdf
  - http://home.bt.com/tech-gadgets/computing/10-facts-about-windows-2-11364027546216
  - https://www.ghacks.net/2017/10/23/disable-office-ddeauto-to-mitigate-attacks/
- Why asset management? Know what's in your environment. CIS Top 20... no wait, it's the TOP THREE of the 20. It all builds on this... Know what's in your environment
  - http://www.open-audit.org/
  - https://metacpan.org/pod/App::Netdisco <- NetDisco (great for network equipment)
- Where do you store that data? Or is it just enough to know where to get it?
- Systems you can pull asset data from: patching systems, Chef, WSUS, FIM systems, Tripwire, DLP systems, vuln scanners, AV/EDR management, router/switch tables, DNS
- Asset management systems are a gold mine for an attacker: names, IPs, email addresses
- Coverage gaps in these systems will cause you to lose asset visibility
- http://www.businessinsider.com/programmer-automates-his-job-2015-11
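The DDE discussion in this episode, and the scriptlet/DDE links in the 2017-041 show notes above, both come down to one detection problem: the field code that launches another program is plain text inside the document package. The scanner below is an added example written for this page; it is not tooling from the podcast, Mr. Boettcher, or the linked advisories. It relies only on how Word stores fields (a `.docx` is a zip; `word/document.xml` and the header/footer/footnote parts hold fields either as `<w:fldSimple w:instr="...">` or as `<w:instrText>` runs between `<w:fldChar w:fldCharType="begin"/>` and `"end"`), and it reassembles each field before matching because malicious documents split `DDEAUTO` across several runs. Both sample documents are constructed in memory for the demo.

```python
"""Scan a Word .docx for DDE / DDEAUTO field codes (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Package parts that can carry fields: body, headers, footers, notes.
FIELD_PARTS = re.compile(r"word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml")
# The DDE / DDEAUTO keyword anywhere in the reassembled instruction text.
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def iter_field_codes(part_xml: bytes):
    """Yield the whitespace-normalised instruction text of every field in one XML part."""
    root = ET.fromstring(part_xml)
    for fld in root.iter(W + "fldSimple"):          # simple fields keep the code in an attribute
        yield " ".join(fld.get(W + "instr", "").split())
    depth, parts = 0, []
    for el in root.iter():                           # complex fields, in document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
                if depth == 1:
                    parts = []
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:                       # outermost field closed: emit it whole
                    yield " ".join("".join(parts).split())
        elif el.tag == W + "instrText" and depth > 0:
            parts.append(el.text or "")              # nested fields fold into the outer one


def scan_docx(data: bytes) -> list:
    """Return every field instruction in the document that invokes DDE."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if FIELD_PARTS.fullmatch(name):
                for code in iter_field_codes(zf.read(name)):
                    if DDE_RE.search(code):
                        hits.append(code)
    return hits


def build_docx(body_xml: str) -> bytes:
    """Assemble a .docx trimmed to the one part the scanner reads (constructed test input)."""
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           f'<w:body>{body_xml}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed sample: the keyword is split across two runs, and the cached
# result text is what the victim sees before Word asks to update links.
MALICIOUS_BODY = r"""<w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO c:\Windows\System32\cmd.exe "/c calc.exe" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>Error! Unable to update</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>"""

# Constructed sample: ordinary PAGE and DATE fields, which must not alert.
BENIGN_BODY = r"""<w:p><w:fldSimple w:instr=" PAGE \* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DATE \@ "d MMMM yyyy" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>8 November 2017</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>"""

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, scan_docx(build_docx(body)))
```

Two caveats a practitioner should keep in mind: the scanner only reads the OOXML package, so legacy binary `.doc` files need a different parser, and a field whose keyword is assembled at render time from character codes (for example via nested QUOTE fields) will not contain the literal string "DDE" and will slip past this regex. Treating any field that carries an executable path or an unexpected `\`-switch as suspicious is a reasonable second heuristic on top of the keyword match.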
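The asset management notes above make a concrete point: no single system knows every host, so you reconcile several (CMDB, AV/EDR console, vuln scanner, DNS, router/switch tables) and the differences are your coverage gaps. The script below is an added example for this page, not the podcast's tooling and not tied to any of the products named in the notes. Every export is constructed for the demo in a plausible format (CSV, a BIND-style zone, "show ip arp" output), and the column names are assumptions. Assets are keyed by IP where one is known; hostnames are mapped to IPs using any source that records both, which is what lets a hostname-only AV export be compared against an IP-only ARP table.

```python
"""Reconcile asset data from several sources and report coverage gaps (added example)."""
import csv
import io
import ipaddress
import re

# --- constructed sample exports (column names are assumptions) ----------------
CMDB_CSV = """hostname,owner,ip
WEB01.corp.example,ops,10.0.1.10
DB01.corp.example,dba,10.0.1.20
LAPTOP-ALICE.corp.example,alice,10.0.2.15
"""
AV_CONSOLE_CSV = """device,last_seen,agent_version
web01,2017-11-07,5.4.1
laptop-alice,2017-11-07,5.4.1
"""
VULN_SCAN_CSV = """ip,hostname,last_scan
10.0.1.10,web01.corp.example,2017-11-05
10.0.1.20,db01.corp.example,2017-11-05
10.0.1.30,,2017-11-05
"""
DNS_ZONE = """web01.corp.example.    3600 IN A 10.0.1.10
db01.corp.example.     3600 IN A 10.0.1.20
jenkins.corp.example.  3600 IN A 10.0.1.30
"""
SWITCH_ARP = """Internet  10.0.1.10   5   0011.2233.4455  ARPA  Vlan10
Internet  10.0.1.20   7   0011.2233.4466  ARPA  Vlan10
Internet  10.0.1.30   2   0011.2233.4477  ARPA  Vlan10
Internet  10.0.2.15   1   00aa.bbcc.dd01  ARPA  Vlan20
Internet  10.0.2.99   0   00aa.bbcc.dd02  ARPA  Vlan20
"""


def short_host(name):
    """Normalise a hostname: lower-case, strip the trailing dot and the domain."""
    name = (name or "").strip().lower().rstrip(".")
    return name.split(".")[0] or None


def parse_csv(text, host_col=None, ip_col=None):
    """Return (host, ip) observations from a CSV export; absent columns give None."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        host = short_host(row.get(host_col)) if host_col else None
        ip = ((row.get(ip_col) or "").strip() or None) if ip_col else None
        out.append((host, ip))
    return out


def parse_dns_zone(text):
    """Return (host, ip) from BIND-style A records."""
    return [(short_host(m.group(1)), m.group(2))
            for m in re.finditer(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)", text, re.M)]


def parse_switch_arp(text):
    """Return (None, ip) from 'show ip arp' output: the network's own view of live hosts."""
    return [(None, m.group(1))
            for m in re.finditer(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\b", text, re.M)]


def reconcile(sources):
    """sources: {name: [(host, ip), ...]} -> ({source: [assets it is missing]}, {asset: host})."""
    host_to_ip, ip_to_host = {}, {}
    for observations in sources.values():
        for host, ip in observations:
            if host and ip:                      # learn name<->address from any source with both
                host_to_ip.setdefault(host, ip)
                ip_to_host.setdefault(ip, host)
    seen = {}
    for name, observations in sources.items():
        keys = set()
        for host, ip in observations:
            key = ip or host_to_ip.get(host) or (host and "host:" + host)  # unresolved names kept
            if key:
                keys.add(key)
        seen[name] = keys
    universe = set().union(*seen.values())

    def sort_key(k):                             # IPs numerically, unresolved names after them
        try:
            return (0, int(ipaddress.ip_address(k)))
        except ValueError:
            return (1, k)

    gaps = {name: sorted(universe - keys, key=sort_key) for name, keys in seen.items()}
    return gaps, {k: ip_to_host.get(k) for k in universe}


SOURCES = {
    "cmdb": parse_csv(CMDB_CSV, host_col="hostname", ip_col="ip"),
    "av_console": parse_csv(AV_CONSOLE_CSV, host_col="device"),
    "vuln_scanner": parse_csv(VULN_SCAN_CSV, host_col="hostname", ip_col="ip"),
    "dns": parse_dns_zone(DNS_ZONE),
    "switch_arp": parse_switch_arp(SWITCH_ARP),
}

if __name__ == "__main__":
    gaps, names = reconcile(SOURCES)
    for source, missing in gaps.items():
        detail = ", ".join(f"{k} ({names[k] or '?'})" for k in missing)
        print(f"{source:13s} missing {len(missing)}: {detail}")
```

On the sample data the ARP table is the only complete view: the CMDB does not know about `jenkins` (10.0.1.30) or the unnamed 10.0.2.99, the AV console has no agent on the database server, and neither DNS nor the scanner covers Alice's laptop. The hosts that appear only in the network-side source are the ones the notes warn about, because nothing else will patch, scan, or protect them. In practice the same reconciliation is run on a schedule, and the "unknown to CMDB" list is the feed into whatever asset system you settle on.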
Oct 29, 2017 • 1h 35min

2017-036-Adam Shostack talks about threat modeling, and how to do it properly

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3

Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly. We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using. Mr. Boettcher asks how to handle it when people believe one OS is better than another, and how threat modeling can be used to decide which OS should be the one to use.

Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto).

RSS: http://www.brakeingsecurity.com/rss
Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast
Join our #Slack Channel! Sign up at https://brakesec.signup.team
#iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

SHOW NOTES:

Ideas and suggestions here:

Start with "What is threat modeling?"
- What is it, why do people do it, why do organizations do it?
- What happens when it's not done effectively, or at all?
- At what point in the SDLC should threat modeling be employed? Planning? Development?
- Can threat models be modified when new features/functionality gets added? Otherwise, are these just to 'check a compliance box'?

Data flow diagram (example) - process flow elements:
- External entities
- Process
- Multiple Processes
- Data Store
- Data Flow
- Privilege Boundary

Classification of threats:
- STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security)
- DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)
- PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf
- Trike - http://octotrike.org/

Other links:
- Johari window: https://en.wikipedia.org/wiki/Johari_window
- Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf
- Escalation Of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303
- NIST CyberSecurity Framework: https://www.nist.gov/cyberframework
- Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx
- Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx
- Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx
- OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling
- OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon
- Emergent Design: https://adam.shostack.org/blog/2017/10/emergent-design-issues/
- Threat Modeling as a Basis for Security Requirements: https://www.researchgate.net/profile/William_Yurcik/publication/228634178_Threat_Modeling_as_a_Basis_for_Security_Requirements/links/02bfe50d2367e32088000000.pdf
- Robert Hurlbut (workshop presenter at SourceCon Seattle): https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source)
- Adam's Threat modeling book: http://amzn.to/2z2cNI1 -- sponsored link; https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/ref=mt_paperback?_encoding=UTF8&me=

Is the book still applicable? New book?
What traps do people fall into? Attacker-centered, asset-centered approaches.
Close with "how do I get started on threat modeling?"
SecShoggoth's Class "intro to Re"
Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model
