BrakeSec Education Podcast

Security's the same, the world around...  and is a necessity in businesses of all sizes, from the mega-corporations, all the way down to the business with 10 employees in a garage in suburbia. This week, Mr. Boettcher and I discuss security in small businesses. What is needed to make security part of the culture of a new company. We discuss some open source tools to ensure that networks are monitored properly, logs are collected, collated, and analyzed. And better yet, these are on the cheap, which is helpful for a small business on a tight budget.  QR code links directly to the episode...    http://www.ihotdesk.co.uk/article/801717385/Most-small-businesses-have-faced-InfoSec-breach-recently  https://blog.whitehatsec.com/infosec-europe-wrapup/    http://www.infosectoday.com/Articles/DRPlanning.htm   "Dirty Rhodes" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/

This is a quick little podcast I did without Mr. Boettcher about a Twitter discussion that occurred when Dr. Neil Degrasse Tyson mentioned that we should just make computers 'unhackable'. The first episode of the 2015 season of Brakeing Down Security is here!   Tweet from Dr. Neil Degrasse Tyson                         https://twitter.com/neiltyson/status/551378648578916353 Rebuttal from Kevin Johnson                           https://twitter.com/secureideas/status/551510885441998848       "Dirt Rhodes" Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/

We at Brakeing Down Security world headquarters don't understand the concept of 'End of the Year' podcast, so consider this the "End-End of the Year" podcast. We talked about the order of things... whether Compliance is a detriment to Security, and who should be running who.   So pull up a glass of eggnog, grabbing another cookie, and put another log on the fire, cause Brakeing Down Security is throwing out one more for the year!  Happy Holidays... all of them... :)

It's a Super Deluxe sized Brakeing Down Security this week... It's something you've dreamed of forever (or not), but Jerry Bell and Andrew Kalat from Defensive Security Podcast stopped by and we made ourselves a podcast baby... Boy, was it ugly :) I'm just kidding, we had a great time discussing some news, and going over what we learned... and any good end-of-year podcast must have predictions...   We also discussed Sony, caused it's huge news of the year, and talked about Target, because we love dissing PCI... ;) There might be a few bad words, so if you have small ears around, be advised... When you're done, check out the other 96 episodes of Defensive Security, and check out our 55 other episodes..   http://www.defensivesecurity.org/ Twitter handles: Andrew Kalat: https://twitter.com/lerg Jerry Bell: https://twitter.com/Maliciouslink     Icon provided by DefensiveSecurity.org... I'd imagine they'd let us use it, since they were on the podcast ;) Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/

This week, Tyler gave us a great deal of information on where to start if you wanted to become a malware researcher. He also gave us websites where you can get malware and ways to analyze it.  We asked Tyler what blue teams can do when they are infected, and he gave us some excellent advice... I also recite some prose from a classic horror author, so come for the malware, stay for the prose! :) ***NOTE: I guess now would be a good time to mention that many of the links below have unsafe software and actual malware payloads, so use with extreme caution. Especially do not download anything from these sites unless it's in a VM that is not on your companies assets.*** http://www.hopperapp.com/ - Disassemble OSA binaries http://en.wikibooks.org/wiki/X86_Disassembly/Disassemblers_and_Decompilers - other Disassemblers http://vxheaven.org/ - Virus Heaven http://www.malwaredomainlist.com/ - Find websites serving malware http://oc.gtisc.gatech.edu:8080/ - Georgia Tech malware repository Sandboxie - http://www.sandboxie.com/ KoreLogic - http://www.korelogic.com/ (lots of great tools here) http://secshoggoth.blogspot.com/ - Tyler's Blog

Tyler Hudak (@secshoggoth) came to discuss with us the process of doing analysis on malware binaries. We talk about MASTIFF, his malware framework.  We also discuss how to gain information from malware program headers, and some software that is used to safely analyze it. Helpful Links: Ida Pro: https://www.hex-rays.com/products/ida/ Process Monitor - http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx Mastiff White Paper: http://digital-forensics.sans.org/blog/2013/05/07/mastiff-for-auto-static-malware-analysis Mastiff latest: http://sourceforge.net/projects/mastiff/files/mastiff/0.6.0/ cuckoo sandbox: www.cuckoosandbox.org Anubis: https://anubis.iseclab.org/   PE Headers: http://en.wikipedia.org/wiki/Portable_Executable ELF: http://fr.wikipedia.org/wiki/Executable_and_Linkable_Format REMnux- reverse engineering linux distro:https://remnux.org/   Inetsim: http://www.inetsim.org/     Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/

Last week, we talked with Ben Donnelly about ADHD (Active Defense Harbinger Distro). But Ben isn't a one trick pony, oh no... this young punk is trying to solve fundamental problems in the business industry, in particular securing passwords.  That's why he's been working with Tim Tomes (@lanmaster53)invented 'Ball and Chain', which is a large (>2TB) file that can be used to help generate passwords and entropy.         Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/

We snagged an interview with Benjamin Donnelly, a maintainer of the Active Defense Harbinger Distribution (ADHD). version 0.60   A thoroughly enjoyable conversation with a new up-and-coming security professional. He's the future, and he is already contributing a lot of great info to the infosec industry.   Part 1 is all about ADHD, next week, we discuss his talk about a project he's working on that will remove the threat of password breaches using 'Ball and Chain'.  And it's all open source...       ADHD ISO:  http://sourceforge.net/projects/adhd/ CryptoLocked:   https://bitbucket.org/Zaeyx/cryptolocked   Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/

My man Mr. Boettcher posted up a video on how to install OWASP's WebGoat Vulnerable web application! He walks you through WebGoat 5.4, and even gives you some tips on solving issues that he'd found.  And to make it even easier, he's given you some instructions below. Hope you enjoy, especially if you've had issues setting up WebGoat in the past.     Webgoat 5.4 instructions========================1. search google and download the war file             (From Bryan: Here's the link -- https://code.google.com/p/webgoat/downloads/list ) 2. install tomcat    sudo apt-get install tomcat73. move the war file to tomcat webapp directory    sudo mv ~/Downloads/WebGoat-5.4.war /var/lib/tomcat7/webapps/WebGoat.war4. edit tomcat-users.xml by adding the content below    sudo vi /var/lib/tomcat7/conf/tomcat-users.xml 5. restart tomcat        sudo /etc/init.d/tomcat7 restart6. in your browser, type localhost:8080/WebGoat/attack

Active Defense... It conjures images of the lowly admin turning the tables on the evil black hat hackers, and giving them a dose of their own medicine by hacking their boxes and getting sweet, sweet revenge... But did you know that kind of 'revenge' is also rife with legal rammifications, even bordering on being illegal?? This week, Mr. Boettcher and I tackle this prickly subject, and discuss some software you can use to 'deter, prevent, and dissuade' potential bad guys...  ADHD Training (courtesy of Paul's Security Weekly Podcast): http://blip.tv/securityweekly/active-defense-harbinger-distribution-release-party-7096833 Artillery - https://www.binarydefense.com/project-artillery/ DenyHosts - http://denyhosts.sourceforge.net/ Nova:  http://www.sans.org/reading-room/whitepapers/detection/implementing-active-defense-systems-private-networks-34312   Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/