
BrakeSec Education Podcast

Latest episodes

Aug 3, 2015 • 54min

2015-033: Data anonymization and Valuation, Privacy, and Ethical medical research

Katherine Carpenter is a privacy consultant who has worked all over the world helping to develop guidelines for ethical medical research and the sharing of anonymized data, and helping companies understand the privacy issues associated with storing and sharing medical data. This week, we discuss how companies should assign value to their data, the difficulties of doing research with anonymized data, and the ramifications of research organizations that share data irresponsibly.

email contact: carpenter.katherinej@gmail.com

http://jama.jamanetwork.com/article.aspx?articleid=192740
https://depts.washington.edu/bioethx/topics/consent.html
https://en.wikipedia.org/wiki/De-anonymization
https://en.wikipedia.org/wiki/Data_anonymization
https://en.wikipedia.org/wiki/De-identification
https://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles
http://www.nature.com/news/privacy-protections-the-genome-hacker-1.12940
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html
https://en.wikipedia.org/wiki/Information_privacy_law
http://www.theguardian.com/technology/2015/apr/06/data-privacy-europe-facebook
http://www.theguardian.com/technology/2015/jun/15/eu-privacy-laws-data-regulations
http://www.theatlantic.com/technology/archive/2013/01/obscurity-a-better-way-to-think-about-your-data-than-privacy/267283/
http://fusion.net/story/171429/app-genetic-access-control-genes-dna-for-password/

###

Katherine's note, comment, and links.

It is good to be thinking about de-identification (especially regarding health care data). I think a better question to ask is how easy is it to re-identify information that has been de-identified.

The HIPAA rule has 18 identifiers which count as Personally Identifiable Information (PII) or Personal Health Information (PHI); these include birth date, zip code, and IP address. When data is collected in non-health contexts, these identifiers are not considered PII/PHI (for example, this kind of information can be used for marketing purposes or financial/credit-related purposes).

A brief history on the topic: in 1997 a precocious grad student IDed the Governor of MA using purchased voter records to re-ID de-IDed health information that was released. (This study was one motivator to pass HIPAA.) Further research along the same lines as the previous project can be summed up with a simple and scary statistic: in 2000, 87% of Americans may be uniquely identified by combining zip code, birthday and sex (gender).

For this reason, health information is threatened not only by de-ID'n and re-ID'n, but by the combination with other types of information that are publicly available or available for purchase and could reveal things about an individual that would contribute to re-ID of an individual's health info.

Here are a bunch of articles that discuss the topic from different angles.

http://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/
https://datafloq.com/read/re-identifying-anonymous-people-with-big-data/228
http://www.bloomberg.com/news/articles/2013-06-05/states-hospital-data-for-sale-puts-privacy-in-jeopardy
https://epic.org/privacy/reidentification/
http://news.harvard.edu/gazette/story/2011/10/you%E2%80%99re-not-so-anonymous/
Dwork, C. and Yekhanin, S. (2008), "New Efficient Attacks on Statistical Disclosure Control Mechanisms," Advances in Cryptology - CRYPTO 2008, to appear, also at http://research.microsoft.com/research/sv/DatabasePrivacy/dy08.pdf
Is Deidentification Sufficient to Protect Health Privacy in Research? Mark A. Rothstein, http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3032399/
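The linkage attack described in Katherine's note (join a "de-identified" health extract against a purchased voter roll on zip code, date of birth and sex) is small enough to show end to end. The following is an added example written for this page, not code from the podcast or its guest; every record in it is constructed and fictional, and the "generalize" step (3-digit ZIP, birth year only) is an assumed illustration of the kind of coarsening the HIPAA de-identification guidance linked above calls for, not a full Safe Harbor implementation.

```python
"""Linkage attack on a de-identified health extract, plus a k-anonymity check.

Added example for the BrakeSec episode notes; not the guest's or HHS's code.
All records are constructed (fictional names, ZIPs and dates).
"""
from collections import Counter, defaultdict

# Constructed "de-identified" health extract: names removed, but the
# quasi-identifiers (5-digit ZIP, full date of birth, sex) kept intact.
HEALTH = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1978-03-14", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1945-07-31", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1978-11-02", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02139", "dob": "1978-11-02", "sex": "F", "diagnosis": "anemia"},
]

# Constructed public "voter roll": names plus the same quasi-identifiers.
VOTERS = [
    {"name": "A. Example", "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "B. Example", "zip": "02138", "dob": "1978-03-14", "sex": "F"},
    {"name": "C. Example", "zip": "02139", "dob": "1945-07-31", "sex": "M"},
    {"name": "D. Example", "zip": "02139", "dob": "1978-11-02", "sex": "F"},
    {"name": "E. Example", "zip": "02139", "dob": "1978-11-02", "sex": "F"},
]

QI = ("zip", "dob", "sex")


def qi_key(row, generalize=False):
    """Quasi-identifier tuple for a record.

    With generalize=True the ZIP is truncated to its first three digits and
    the date of birth to the year (assumed coarsening for this example).
    """
    if generalize:
        return (row["zip"][:3], row["dob"][:4], row["sex"])
    return tuple(row[k] for k in QI)


def reidentify(health, voters):
    """Link every health record to the voters sharing its quasi-identifiers.

    Returns {health_row_index: [matching names]}. A list of length one means
    the diagnosis has been tied to a single named person.
    """
    index = defaultdict(list)
    for v in voters:
        index[qi_key(v)].append(v["name"])
    return {i: index.get(qi_key(h), []) for i, h in enumerate(health)}


def k_anonymity(rows, generalize=False):
    """Smallest number of records sharing one quasi-identifier combination.

    k == 1 means at least one record is unique on (zip, dob, sex) and can be
    singled out by anyone holding a second dataset with those fields.
    """
    counts = Counter(qi_key(r, generalize) for r in rows)
    return min(counts.values())


def unique_fraction(rows, generalize=False):
    """Share of records that are unique on the quasi-identifiers.

    This is the per-dataset analogue of the '87% of Americans' statistic
    quoted in the notes.
    """
    counts = Counter(qi_key(r, generalize) for r in rows)
    uniques = sum(1 for r in rows if counts[qi_key(r, generalize)] == 1)
    return uniques / len(rows)


if __name__ == "__main__":
    for i, names in reidentify(HEALTH, VOTERS).items():
        print(f"{HEALTH[i]['diagnosis']:>12}: {names}")
    print("k (raw):        ", k_anonymity(HEALTH))
    print("k (generalized):", k_anonymity(HEALTH, generalize=True))
    print("unique (raw):        ", unique_fraction(HEALTH))
    print("unique (generalized):", unique_fraction(HEALTH, generalize=True))
```

Run as-is, three of the five "de-identified" diagnoses resolve to exactly one voter, and the raw extract is 1-anonymous. Coarsening ZIP and birth date raises k to 2 and drops the unique fraction to zero on this toy data; on a real extract the same check should be run before release, and against every auxiliary dataset an adversary could plausibly buy, not just the one the releasing organization happens to know about.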
Jul 26, 2015 • 59min

2015-032: Incident response, effective communication, and DerbyCon Contest

In an incident response, clear communication is key to effective management of the incident. This week, we had Mick Douglas, DFIR instructor at SANS, and Jarrod Frates, a pentester at InGuardians with great experience handling incidents. Find out about some roles in an incident response (the Shadow, the event coordinator, the lead tech), and why companies should have an IR plan that handles various incident severities. Jarrod updates us on TheLab.ms and how you might like to help them!

Finally, we are holding a contest to win a ticket to DerbyCon; full instructions are below. We are giving away two tickets. The DerbyCon 1st Ticket contest expires 31 July 2015.

1. To enter for a ticket to DerbyCon:
   a. A donation must be made to Hackers for Charity (http://www.hackersforcharity.org/).
   b. Once the donation is made, email the receipt of your donation to bds.podcast@gmail.com.
   c. If you win: we will contact you, at the email address you mailed the receipt from, with our contact information. You will need to contact us when you get to DerbyCon, as we will not send you the ticket directly. You will also be responsible for airfare and accommodations at DerbyCon.
Jul 18, 2015 • 53min

2015-031: Fab and Megan-High_Math-Psychology_and Scarves

Strap yourselves in, ladies and gentlemen. With Mr. Boettcher gone on "vacation" this week, I needed some help with the podcast, and boy did we pick a doozy. If you're a fan of Turing-complete algorithms (frankly, who isn't?), we had Ms. Fabienne Serrière (@fbz) and Ms. Magen Wu (@tottenkoph) on the podcast this week to discuss higher-order math and psychology. We also discuss a little project management and even talk about why proper survey sizes and getting a good cross-section are important.

Be sure to pick up one of Ms. Fbz's scarves, especially if you're a math nut and love fractals and patterns as I do.

Kickstarter: https://www.kickstarter.com/projects/fbz/knityak-custom-mathematical-knit-scarves
Elementary Cellular Automaton: http://mathworld.wolfram.com/ElementaryCellularAutomaton.html
Turing Complete: https://en.wikipedia.org/wiki/Turing_completeness
Sierpinski Triangle: https://en.wikipedia.org/wiki/Sierpinski_triangle
Chomsky Hierarchy: https://en.wikipedia.org/wiki/Chomsky_hierarchy
Hammer/LangSec: https://github.com/UpstandingHackers/hammer
Sergey Bratus: http://www.cs.dartmouth.edu/~sergey/
Stego Hats: http://www.ravelry.com/projects/fbz/pseudo-random-reversible-hat
SeaSec East: http://www.meetup.com/SEASec-East/
Jul 13, 2015 • 39min

2015-030: Bsides Austin panel Discussion (Red Team vs. Blue Team)

My podcast co-host Brian Boettcher, along with Kate Brew, an Austin, TX based security blogger, headed up this panel called "Red Team vs. Blue Team". The idea was to ask people from both sides of the aisle (attackers and defenders) pressing questions about how the industry operates. Infosec heavyweights like Kevin Johnson (@secureideas), Mano Paul (@manopaul), and Josh Sokol (@joshSokol) made this an excellent podcast. We hope you enjoy!
Jul 6, 2015 • 49min

2015-029: Big Brown cloud honeyblog with @theroxyd

Roxy, whom we interviewed a few months ago on our podcast about hackerspaces, is back with us this week to discuss a project she is working on called "Big Brown Cloud". If you've ever wanted to set up your own fake blog and send people to it to gain information on possible attacks, you've come to the right place.

We also get an update on the hackerspace that Jarrod, Sean, and Roxy were setting up a few months ago. They've come a long way, and they are about to move into their new facility: https://thelab.ms/
Jun 29, 2015 • 45min

2015-028: using log analytics to discover Windows malware artifacts

In this podcast, you'll learn about:

- Log analytics software that can be used to parse system logs for nasty malware
- Detecting malware artifacts: learn about Windows directory locations and look for indicators like packing, changed hashes, etc.
- Tips for capturing malware using tools like RoboCopy
- What code caves are and how malware hides inside them (http://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves)

SANS DFIR poster: https://www.sans.org/security-resources/posters/windows-forensics-evidence-of-75
Jun 22, 2015 • 51min

2015-027- detecting malware in Windows Systems with Michael Gough

Michael Gough joined us again to discuss malware detection techniques on Windows systems. We talk about how you can modify PowerShell's defaults to allow for better logging. We also find out about some hidden gems that all but guarantee you'll know when you've been infiltrated. Stay for the PowerShell security education, and you'll also learn some new terminology, like "Malware Archaeology", "Malwarians", and "Log-aholic", to name a few.
Jun 14, 2015 • 54min

2015-026- Cloud Security discussion with FireHost

This week, we discuss various methods of enabling companies to move applications to cloud-based platforms. We discuss containers, like Docker, and how various hosting services handle converting businesses from a traditional data center to a secure, cloud-based entity. We even discuss securing data in the cloud, preventing bad guys from accessing it, as well as the cloud provider itself, which can be served with a subpoena to hand over data. Brakeing Down Security would like to thank FireHost for allowing Chase and Mike to join us.
Jun 8, 2015 • 34min

2015-025: Blue Team Army, Powershell, and the need for Blue team education

With last week's revelation from Microsoft that they will support SSH, understanding PowerShell has become more important than ever as a tool for blue teamers, both for administration and to understand how bad guys will use it for nefarious deeds on your network.

Part 2 of our interview with Mick Douglas discusses a bit more about the DEV522 class that he teaches for SANS, and why it seems that blue teams (defenders) are not getting the training they should. When defenders are deficient in necessary skills, the knowledge gap between bad guys and defenders widens.
May 31, 2015 • 49min

2015-024: Is a good defense the best offense? Interview w/ Mick Douglas!

We had the opportunity to discuss with Mick Douglas the stigma that the blue team is always on the losing end of security. Is it because there are more tools for pentesters and bad guys, or because it takes a massive IT budget to be secure? We don't believe so. Great insights into how a blue team can protect its network.
