
BrakeSec Education Podcast
A podcast about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security professionals need to know, or refresh the memories of seasoned veterans.
Latest episodes

Feb 22, 2016 • 1h 47min
2016-008-Mainframe Security
This week's super-sized episode is brought to us thanks to previous guest Cheryl Biswas. You might remember her from our "Shadow IT" (http:/brakeingsecurity.com/2015-048-the-rise-of-the-shadow-it) podcast a few months ago. She reached out to us to see if we were interested in doing a podcast on mainframe security with her and a couple of gentlemen that were not unknown to us.
Of course we jumped at the chance! You might know them as @mainframed767 and @bigendiansmalls (Chad) on Twitter. They've been trying to get people to look into mainframes and mainframe security for years. Mainframes are usually used by financial organizations, or older organizations. In many cases, these systems are managed by a handful of people, and you will have little or no help if you are a red teamer or pentester trying to make sure these systems are as secure as they possibly can be.
So, Cheryl (@3ncr1pt3d), @bigendiansmalls, and @mainframed767 (Philip) walk us through how a mainframe functions. We discuss what you might see when a scan occurs, whether the host runs a mainframe OS or a Linux 'interface' OS.
We also discuss methods you can use to protect your organization, and methods you can use as a red teamer to learn more about mainframes.
Chad's talk at DerbyCon 2015: https://www.youtube.com/watch?v=b5AG59Y1_EY
Chad discussing mainframe Security on Hak5: https://www.youtube.com/watch?v=YBhsWvlqLPo
Linux for mainframes: http://www-03.ibm.com/systems/linuxone/
Philip's talks on Youtube: https://www.youtube.com/playlist?list=PLBVy6TfEpKmEL56fb5AnZCM8pXXFfJS0n
Brian and I wish to thank Cheryl for all her help in making this happen. You can find her blog over at Alienvault's site... https://www.alienvault.com/blogs/author/cheryl-biswas
Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Bryan's Twitter: http://www.twitter.com/bryanbrake
Brian's Twitter: http://www.twitter.com/boettcherpwned
Join our Patreon!: https://www.patreon.com/bds_podcast
Tumblr: http://brakeingdownsecurity.tumblr.com/
RSS FEED: http://www.brakeingsecurity.com/rss
Comments, Questions, Feedback: bds.podcast@gmail.com
**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969
**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-008-mainframe_secruity.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-008-mainframe-security/id799131292?i=363392103&mt=2

Feb 14, 2016 • 1h 11min
2016-007-FingerprinTLS profiling application with Lee Brotherston
We first heard about FingerprinTLS from our friend Lee Brotherston at DerbyCon last September. Intrigued by how he was able to fingerprint the client applications being used, we finally managed to get him on to discuss it.
We do a bit of history about #TLS, and the versions from 1.0 to 1.2.
Lee gives us some examples of how FingerprinTLS might be used by red teamers or pentest agents to see what applications a client has on their system. If you're a blue team with specific application limitations, you can find out if someone has installed an unauthorized product, or you could even block unknown applications using this method by sensing the application and then creating an IPS rule from the fingerprint.
Finally, something a bit special... we have a demo on our Youtube site where you can view his application in action!
Video demo: https://youtu.be/im6un0cB3Ns
https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie-Hellman_Key_Exchange.svg/2000px-Diffie-Hellman_Key_Exchange.svg.png
http://blog.squarelemon.com/tls-fingerprinting/
https://github.com/LeeBrotherston/tls-fingerprinting
http://www.slideshare.net/LeeBrotherston/tls-fingerprinting-sectorca-edition
https://www.youtube.com/watch?v=XX0FRAy2Mec
http://2015.video.sector.ca/video/144175700
Cisco blog on malware using TLS... http://blogs.cisco.com/security/malwares-use-of-tls-and-encryption
Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Bryan's Twitter: http://www.twitter.com/bryanbrake
Brian's Twitter: http://www.twitter.com/boettcherpwned
Join our Patreon!: https://www.patreon.com/bds_podcast
Tumblr: http://brakeingdownsecurity.tumblr.com/
RSS FEED: http://www.brakeingsecurity.com/rss
Comments, Questions, Feedback: bds.podcast@gmail.com
**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969
**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast
iTunes: https://itunes.apple.com/us/podcast/2016-007-fingerprintls-profiling/id799131292?i=362885277&mt=2
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-007-FingerprinTLS_with_Lee_Brotherston.mp3

Feb 8, 2016 • 54min
2016-006-Moxie_vs_Mechanism-Dependence_On_Tools
This week starts with an apology to Michael Gough about comments I (Bryan) mangled on the "Anti-Virus... What is it good for?" podcast. Then we get into the meat of our topic... a person's "Moxie" vs. a mechanism.
Moxie: noun
"force of character, determination, or nerve."
Automation is a great thing. It allows us to do a lot more work with less personnel, run mundane tasks without having to think about them, and even lets us do security scans on web applications and assets in your enterprise.
But is our dependence on these tools making us lazy, or giving us a false sense of security? What is the 'happy medium' we should find when deciding whether to spend the GDP of a small country for the latest compliance-busting tool, or to spend the necessary Operational Expenditure (OpEx) for a couple of junior personnel or a seasoned professional?
Mr. Boettcher and I discuss over-reliance, blindly trusting results, and what can happen when you have too much automation, and not enough people around to manage those tools.
Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Bryan's Twitter: http://www.twitter.com/bryanbrake
Brian's Twitter: http://www.twitter.com/boettcherpwned
Join our Patreon!: https://www.patreon.com/bds_podcast
Tumblr: http://brakeingdownsecurity.tumblr.com/
RSS FEED: http://www.brakeingsecurity.com/rss
Comments, Questions, Feedback: bds.podcast@gmail.com
**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969
**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-006-Moxie_vs_Mechanism-dependence_on_tools.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-006-moxie-vs-mechanism/id799131292?i=362373544&mt=2

Jan 30, 2016 • 47min
2016-005-Dropbox Chief of Trust and Security Patrick Heim!
Brakeing Down Security had the pleasure of having Patrick Heim join us to discuss a number of topics.
We discussed a number of topics:
Cloud migrations
What stops many traditional #companies from moving into #cloud based operations? What hurdles do they face, and what are some pitfalls that can hamper a successful #migration?
We touched briefly on #BYOD and the use of personal devices in a business environment, as well as #Dropbox's deployment of optional #2FA and using #U2F keys for additional #authentication measures.
Finally, since he has been an established leader at several major #companies, we pick Mr. #Heim's brain about the qualities of a leader. Can you self-diagnose whether you'll be a good manager? And what does Mr. Heim look for when hiring qualified candidates?
It was a pleasure having Mr. Patrick Heim on and Brakeing Down #Security thanks him for his valuable time.
Some #articles we drew upon for questions to ask Mr. Heim:
http://blogs.wsj.com/cio/2015/05/01/dropbox-is-not-part-of-security-problem-says-new-security-chief/
http://www.itpro.co.uk/cloud-storage/24894/dropbox-users-may-get-free-storage-if-they-adopt-stronger-security
http://www.computerworld.com/article/2489977/security0/boost-your-security-training-with-gamification-really.html
http://www.computerworlduk.com/news/cloud-computing/dropbox-working-on-fido-keys-ensure-top-notch-security-3618267/
http://www.darkreading.com/operations/building-a-winning-security-team-from-the-top-down/a/d-id/1322734
Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Bryan's Twitter: http://www.twitter.com/bryanbrake
Brian's Twitter: http://www.twitter.com/boettcherpwned
Join our Patreon!: https://www.patreon.com/bds_podcast
Tumblr: http://brakeingdownsecurity.tumblr.com/
RSS FEED: http://www.brakeingsecurity.com/rss
Comments, Questions, Feedback: bds.podcast@gmail.com
**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969
**NEW** Listen to us on Player.FM!! : https://player.fm/series/brakeing-down-security-podcast
#iTunes: https://itunes.apple.com/us/podcast/2016-005-dropbox-chief-trust/id799131292?i=361604379&mt=2
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-005-Dropbox_Chief_of_Security_and_Trust_Patrick_Heim.mp3
Patrick Heim image courtesy of darkreading.com

Jan 24, 2016 • 1h 19min
2016-004-Bill_Gardner
BrakeSec Podcast welcomes Bill Gardner this week! Author, InfoSec Convention Speaker, and fellow podcaster...
We break a bit from our usual rigid methods, and have a good ol' jam session with Bill this week. We talk about vulnerability management, career management, the troubles of putting together a podcast and more!
Bill's Twitter: https://www.twitter.com/oncee
Bill's books he's authored or co-authored: http://www.amazon.com/Bill-Gardner/e/B00MZ9P0IG/ref=sr_ntt_srch_lnk_2?qid=1453607145&sr=1-2
(non-sponsored link)
Bill's "Reboot It" Podcast: http://www.rebootitpodcast.com/
Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Bryan's Twitter: http://www.twitter.com/bryanbrake
Brian's Twitter: http://www.twitter.com/boettcherpwned
Join our Patreon!: https://www.patreon.com/bds_podcast
RSS FEED: http://www.brakeingsecurity.com/rss
Comments, Questions, Feedback: bds.podcast@gmail.com
**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-004-Bill_Gardner.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-004-bill-gardner/id799131292?i=361222239&mt=2

Jan 18, 2016 • 55min
2016-003-Antivirus (...what is it good for... absolutely nothing?)
#Anti-virus products... they have been around for as long as many of us have been alive. The first anti-virus program, "The Reaper", was designed to get rid of the first virus, 'The Creeper', by Ray Tomlinson in 1971.
This week, we discuss the efficacy of anti-virus. Is it still needed? What should blue teamers be looking for to make their anti-virus work for them? And what options do you have if you don't want to use anti-virus?
We also argue about whether it's just a huge industry selling snake oil that is bolstered by #compliance #frameworks, like #PCI.
#mcafee,#symantec,#panda,#avg,#kaspersky,#logging,#siem
*NEW* we are on Stitcher!: http://www.stitcher.com/s?fid=80546&refid=stpr
TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/
BrakeSec #Podcast #Twitter: http://www.twitter.com/brakesec
Bryan's Twitter: http://www.twitter.com/bryanbrake
Brian's Twitter: http://www.twitter.com/boettcherpwned
Join our Patreon!: https://www.patreon.com/bds_podcast
RSS FEED: http://www.brakeingsecurity.com/rss
Comments, Questions, Feedback: bds.podcast@gmail.com
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-003-AntiVirus_what_is_it_good_for.mp3
iTunes: https://goo.gl/Jk3CxU

Jan 11, 2016 • 1h 3min
2016-002-Cryptonite- or how to not have your apps turn to crap
This week, we find ourselves understanding the #Cryptonite that can weaken devs and software creators when dealing with #cryptographic #algorithms and #passwords. Lack of proper crypto controls and hardcoded passwords can quickly turn your app into crap.
Remember the last time you heard about a hardcoded #SSH private key, or have you been at work when a developer left the #API keys in his #github #repo?
We go through some gotchas from the excellent book "24 Deadly Sins of Software Security". Anyone doing a threat analysis or code audit needs to check for these things to ensure they don't end up in the news with a hardcoded password in their home router firmware, like these guys: https://securityledger.com/2015/08/hardcoded-firmware-password-sinks-home-routers/
Book:
http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751
Show Notes:
https://docs.google.com/document/d/1MUPj8CCzDodik61_1K8lCKywkv0JbfBkve20rxwbmzE/edit?usp=sharing
*NEW* we are on Stitcher!: http://www.stitcher.com/s?fid=80546&refid=stpr
TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Bryan's Twitter: http://www.twitter.com/bryanbrake
Brian's Twitter: http://www.twitter.com/boettcherpwned
Join our Patreon!: https://www.patreon.com/bds_podcast
RSS FEED: http://www.brakeingsecurity.com/rss
Comments, Questions, Feedback: bds.podcast@gmail.com
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-002-Cryptonite.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-002-cryptonite-or-how/id799131292?i=360440391&mt=2

Jan 3, 2016 • 1h 2min
2016-001: Jay Schulman explains how to use BSIMM in your environment
#Jay #Schulman is a consultant with 15+ years of experience in helping organizations implement #BSIMM and other compliance frameworks. For our first #podcast of 2016, we invited him on to discuss it further and to share what he has found to be the best way to implement it in a company's #security #program.
Jay Schulman's #website: https://www.jayschulman.com/
Jay's Podcast "Building a Life and Career in Security" (iTunes): https://itunes.apple.com/us/podcast/building-life-career-in-security/id994550360?mt=2&ls=1
Jay's Twitter: https://twitter.com/jschulman
TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Bryan's Twitter: http://www.twitter.com/bryanbrake
Brian's Twitter: http://www.twitter.com/boettcherpwned
Join our Patreon!: https://www.patreon.com/bds_podcast
Comments, Questions, Feedback: bds.podcast@gmail.com
iTunes Link: https://itunes.apple.com/us/podcast/2016-001-jay-schulmann-explains/id799131292?i=360028388&mt=2
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-001-JaySchulman-BSIMM.mp3

Dec 27, 2015 • 52min
2015-054: Dave Kennedy
Dave Kennedy does a lot for the infosec community. As owner/operator of 2 companies (Binary Defense Systems and Trusted Security), he is also an organizer of #DerbyCon and an active contributor to the Social Engineering ToolKit (#SET). You can also find him discussing the latest hacking attempts and breaches on Fox News and other mainstream media outlets.
But this time, we interview Dave Kennedy because he has been elected to the ISC2 board. He will be serving a 3-year term with Wim Remes (who we interviewed a couple of weeks ago) and others to improve #ISC2 processes, and to make #CISSP and other certs more competitive in the #infosec/IT community.
And yes... we find out about what is going on with DerbyCon and get some updates with what will happen in the next DerbyCon.
iTunes Link: https://itunes.apple.com/us/podcast/2015-054-dave-kennedy/id799131292?i=359677576&mt=2
TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Join our Patreon!: https://www.patreon.com/bds_podcast
Comments, Questions, Feedback: bds.podcast@gmail.com

Dec 22, 2015 • 1h 18min
2015-053: 2nd annual podcaster party
This week, we went off the tracks a bit with our friends at Defensive Security Podcast, and PVC Security Podcast. We discussed a bit of news, talked about how our podcasts differ from one another, the 'lack of infosec talent', and sat around talking about anything we wanted to.
Sit back with some eggnog, and let your ears savor the sounds of the season. Many thanks to Andrew Kalat, Jerry Bell, Edgar Rojas, Paul Jorgensen, and co-host Brian Boettcher for getting together for some good-natured fun.
WARNING: There is adult language, and themes, so if you have little ones around, you might want to skip this one until after bedtime.
Happy Holidays from Brakeing Down Security Podcast.