
BrakeSec Education Podcast

Latest episodes

Mar 15, 2015 • 1h 44min

2015-012-Fill In podcast with Jarrod and Lee!

Mr. Boettcher went on vacation and was volunteering for Austin Bsides this week, and I needed to do a podcast, so I enlisted the aid of Lee Brotherston and Jarrod Frates to discuss some important topics. We discuss the seemingly short talent pool for IT/IS positions. We talk about the ROWHAMMER vulnerability and how it may affect your organization. Additionally, we talk about how the NTP protocol is being maintained by one person and what can be done to help with that, as it is a critical piece of Internet infrastructure. Finally, we figure out why PGP/GPG is not user-friendly, and whether there are ways to make it better, or if it needs to be replaced permanently.

News of the week:

RowHammer - http://www.darknet.org.uk/2015/03/rowhammer-ddr3-exploit-what-you-need-to-know/

Lack of hire-able people in IT/IS, per Leviathan Security report - https://www.leviathansecurity.com/blog/scarcity-of-cybersecurity-expertise/

NTP maintained by one guy, 'Father Time' - http://www.informationweek.com/it-life/ntps-fate-hinges-on-father-time/d/d-id/1319432

Moxie Marlinspike's GPG/PGP rant: Perfection ruined the goal - http://www.thoughtcrime.org/blog/gpg-and-me/
Mar 7, 2015 • 46min

2015-011- Why does BeEF and metadata tracking keep I2P developers up at night?

In our continuing discussion with Jeff and "Str4d", we got right to the heart of the matter: privacy and anonymity. If you're trying to remain anonymous, what steps do the devs of I2P take to keep themselves as anonymous as possible? We also touch on what the "Browser Exploitation Framework" is, and why it scares the heck out of Jeff. Finally, I ask them if there are any real 'good' sites on I2P, because the media seems to latch on to any story about the bad things on an anonymizing network; is there a way we can improve the image of anonymizing networks?

*** If you have a blog, and it's about security/privacy/compliance, please consider adding us as a write-in for '2015 Best New Security Podcast' here: https://www.surveymonkey.com/s/securitybloggers ***

Show notes: https://docs.google.com/document/d/1Vh0HiUDXchesI2-BlthztoIIswZa0GZa_Jg0mOu0ao4/edit?usp=sharing
Feb 28, 2015 • 57min

2015-010 - How can you use I2P to increase your security and anonymity?

Mr. Boettcher got a hold of the developers and maintainers of the anonymizing network "I2P". We talked with "str4d" and "Jeff" this week. In Part 1 of the interview, we discuss the technical aspects of I2P, how it functions, how 'Garlic routing' works, and how the floodfill servers allow I2P to function effectively. In the final segment, we discuss form factors, specifically whether I2P is available for embedded systems like the Raspberry Pi. If you find Tor not to your liking, give I2P a try... its goals are the same, but the methods of security and privacy are different. Plus, as you can hear from the podcast, it's very much a tight-knit community of security and privacy enthusiasts.

Show notes, links, and contact info: https://docs.google.com/document/d/1Vh0HiUDXchesI2-BlthztoIIswZa0GZa_Jg0mOu0ao4/edit?usp=sharing
Feb 21, 2015 • 36min

2015-009-Part 2 with Pawel Krawczyk

The second part of our interview with Pawel discussed content management systems, and how you can integrate CSP in Drupal, Django, and the like. Content managers, you'll want to listen to this, especially about how CSP can help you secure the content on your systems, as well as protect customers from web-based attacks using the sandboxing functions of CSP.

Pawel's blog = ipsec.pl

Pawel's CSP builder app = cspbuilder.info

Quick Guide to CSP: http://content-security-policy.com/
Feb 16, 2015 • 30min

2015-008- Make your web Apps more secure with Content Security Policy (part 1)

Pawel Krawczyk did an interview with us about Content Security Policy. Learn about what it is, and whether or not the latest browsers support it. We also talk about how you can get around it, whether there are ways to avoid it if you are a bad guy, and how you can get the most out of it. If you're a web developer and want to reduce your site's chances of allowing XSS, you'll want to take a listen to this.

https://w3c.github.io/webappsec/specs/content-security-policy/#changes-from-level-1

https://w3c.github.io/webappsec/specs/content-security-policy/#directive-sandbox
Feb 10, 2015 • 54min

2015-007-SANS_Top20_14and15--Proving_Grounds_Microcast with Megan Wu!

Extra special treat this week! We do a continuation of our review of the Top 20 Security Controls, in which we do #14 and #15, which all of you will find very interesting.

But the real reason we are posting this today is the Call for Papers and Call for Mentors for the Bsides Las Vegas Proving Grounds! We invited Magen Wu (@tottenkoph) on to discuss. If you've ever asked yourself "I'd like to give a talk, but they'd never put me on", NOW IS YOUR CHANCE! :) This is a great opportunity if you're a veteran speaker, or just want to give back to the community at large... You can mentor a n00b to help them create a topic, help them hone their paper, and be with them when they give the talk at Bsides Las Vegas in July.

Many thanks to @tottenkoph and @securitymoey. They need your help, both as a mentor and a mentee. This is also an excellent networking opportunity. You get 1-on-1 access to an often influential mentor, someone in the infosec community, and your talk will be seen by several hundred people. hmmm.... maybe I should put one in :D

-----
SANS #14-10: Ensure that the log collection system does not lose events during peak activity, and that the system detects and alerts if event loss occurs (such as when volume exceeds the capacity of a log collection system). This includes ensuring that the log collection system can accommodate intermittent or restricted-bandwidth connectivity through the use of handshaking / flow control.
------

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/
Feb 7, 2015 • 59min

2015-006- Is your ISP doing a 'man-in-the-middle' on you?

During our research with Lee Brotherston, who we had on last week for our podcast on threat modeling, we got to listen to one of his talks about how his ISP in Canada was actively doing a Man-in-the-Middle injection of a banner into sites that he visited. We were intrigued, and also gobsmacked (I can say that, right?) about the brashness of an ISP not apparently understanding the security implications of this, so we had him back on to talk about the finer points of his research. The bad news? Other ISPs, including American ISPs, are using this technology.

This is one of those podcasts that you need to tell your friends about, because it's truly surprising the lengths ISPs go to in injecting content into your pages.

We also have a short message about the Bsides Las Vegas Proving Grounds this year... If you've wanted to present a paper at a conference, and have a mentor guide you through the process, hit them up on the Proving Grounds page at http://www.bsideslv.com

Show notes (lots of info): https://docs.google.com/document/d/1YLkiRE1SVIyWquWc-iQrESWlT10rSJmW1VcrOX3kQZ0/edit?usp=sharing

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/
Feb 1, 2015 • 45min

2015-005: Threat Modeling with Lee Brotherston

Threat Modeling... ranks right up there with Risk Assessments in importance... You gotta figure out how the applications you're creating or the systems you're engineering are secure. It really takes knowing your application and, really, knowing the enemies/factors that can cause your application to fail, from sanitizing inputs on a web app, to making sure that your code doesn't have use-after-free bugs. Brakeing Down Security talked about conducting threat modeling and application reviews with Lee Brotherston (@synackpse) from Leviathan Security (@LeviathanSecurity) this week. We discuss types of risk analysis, including one named 'Binary Risk Analysis', which may simplify assessment of your computer systems.

Show notes = https://docs.google.com/document/d/1K-eycek2Xud7loVC4yrHg6eHCY0oyztV_ytbY433oYk/edit?usp=sharing

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/
Jan 25, 2015 • 59min

2015-004-SANS Top 20: 20 to 16

Mr. Boettcher and I went over the bottom 5 of the SANS Top 20 security controls that businesses should implement. When put into the right order, you should be able to have an environment that is able to withstand most any attack. We also talk about 5 'Quick Fixes' that will put you on the right track with becoming more secure. You may be surprised at what is considered a priority... have a listen: (QR code links to the mp3)

Show notes: https://docs.google.com/document/d/1JuRJ-RPTmw50pTeO82rb9_rC8tFf53eiUzkppfwQvs0/edit?usp=sharing

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/
Jan 17, 2015 • 41min

All About Tor

Brakeing Down Security tackles the 'Deep Web' this week... yep, we talk about Tor. If you don't have a lot of experience with this or wonder how it works, we give you a little history and help you understand how the traffic flow works. We even give you some advice on de-identification and things you shouldn't allow when traveling the Deep Web, like JavaScript, Flash, and Java.

Show Notes: https://docs.google.com/document/d/1vBI_bg_0RzF_sSNMj84xQpEZGUrxtAkB8SxZ08MzUi0/edit?usp=sharing

"Dirty Rhodes" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/
