
BrakeSec Education Podcast
A podcast about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security professionals need to know, or refresh the memories of seasoned veterans.
Latest episodes

Apr 5, 2022 • 36min
Amanda and Bryan discuss log analysis: finding IOCs in your logs, and what to do about them once you find them.
https://twitch.tv/brakesec
www.brakeingsecurity.com
Twitter: @infosystir @bryanbrake @boettcherpwned
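An added example to go with the log-analysis topic (this is not code from the episode or from the hosts): a small Python IOC matcher that pulls IPv4 addresses, hostnames and SHA-256 hashes out of raw log lines and checks them against an indicator list. The indicator list and the log lines are constructed placeholders (documentation IP ranges, .example hostnames, and the SHA-256 of an empty file); in practice the indicators come from your threat-intel feed and the lines from your SIEM or log shipper. It shows two details that a naive grep misses: CIDR indicators, and suffix matching so a lookup for cdn.update-cdn.example hits the parent-domain indicator.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed indicator list (placeholders only, not from the episode or any real feed).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; the hash is sha256("").
IOC_IPS = {"203.0.113.45"}
IOC_NETS = {"198.51.100.0/24"}
IOC_DOMAINS = {"login-portal.example", "update-cdn.example"}
IOC_HASHES = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}

# Constructed sample lines: web access log, BIND query log, and a made-up EDR file event.
SAMPLE_LOGS = """\
203.0.113.45 - - [05/Apr/2022:10:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1043
192.0.2.10 - - [05/Apr/2022:10:14:05 +0000] "GET /index.html HTTP/1.1" 200 512
Apr  5 10:15:11 ns1 named[811]: client 10.0.0.23#51234: query: login-portal.example IN A +
Apr  5 10:16:40 host7 edr: file_created path=/tmp/x sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Apr  5 10:17:00 ns1 named[811]: client 10.0.0.24#51235: query: cdn.update-cdn.example IN A +
198.51.100.77 - - [05/Apr/2022:10:18:21 +0000] "POST /xmlrpc.php HTTP/1.1" 403 221
Apr  5 10:19:02 ns1 named[811]: client 10.0.0.25#51236: query: www.example.org IN A +
"""


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str    # "ip", "domain" or "sha256"
    indicator: str   # the IOC entry that matched (may be a CIDR or a parent domain)
    observed: str    # the token actually seen in the log line
    line: str


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Final label must be alphabetic so dotted IPs and version strings are not taken as hostnames.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def _match_ip(token: str, ioc_ips: Iterable[str], ioc_nets: Iterable[ipaddress.IPv4Network]) -> Optional[str]:
    try:
        addr = ipaddress.ip_address(token)   # rejects junk like 999.1.1.1 that the regex accepts
    except ValueError:
        return None
    if str(addr) in ioc_ips:
        return str(addr)
    for net in ioc_nets:
        if addr in net:
            return str(net)
    return None


def _match_domain(token: str, ioc_domains: Iterable[str]) -> Optional[str]:
    # Suffix match: a lookup for cdn.update-cdn.example should hit the IOC update-cdn.example.
    observed = token.lower().rstrip(".")
    for ioc in ioc_domains:
        ioc = ioc.lower()
        if observed == ioc or observed.endswith("." + ioc):
            return ioc
    return None


def scan_logs(text: str, ioc_ips, ioc_nets, ioc_domains, ioc_hashes) -> List[Hit]:
    """Return every IOC match in `text`, in line order; non-matching tokens are ignored."""
    nets = [ipaddress.ip_network(n) for n in ioc_nets]
    hashes = {h.lower() for h in ioc_hashes}
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for tok in IPV4_RE.findall(line):
            m = _match_ip(tok, ioc_ips, nets)
            if m:
                hits.append(Hit(line_no, "ip", m, tok, line))
        for tok in DOMAIN_RE.findall(line):
            m = _match_domain(tok, ioc_domains)
            if m:
                hits.append(Hit(line_no, "domain", m, tok, line))
        for tok in SHA256_RE.findall(line):
            if tok.lower() in hashes:
                hits.append(Hit(line_no, "sha256", tok.lower(), tok, line))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.ioc_type] = counts.get(h.ioc_type, 0) + 1
    return counts


def run_demo() -> List[Hit]:
    return scan_logs(SAMPLE_LOGS, IOC_IPS, IOC_NETS, IOC_DOMAINS, IOC_HASHES)


if __name__ == "__main__":
    for h in run_demo():
        print(f"line {h.line_no}: {h.ioc_type} {h.observed} matched IOC {h.indicator}")
    print(summarize(run_demo()))
```

The hostname regex is deliberately loose (it will pull tokens like wp-login.php out of a request line), which is fine because only tokens that match an indicator are reported; what matters is that a real hostname is never missed. Once a hit fires, the next step the episode talks about is pivoting on it: every other line from the same client, the same hostname, or the same file hash.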

Mar 22, 2022 • 1h 16min
Shannon Noonan and Stacey Cameron - process automation -p2
Shannon Noonan and Stacey Cameron - QoS Consulting
https://www.bizagi.com/en/blog/digital-process-automation/4-ways-to-deliver-change-management-for-process-automation
https://www.forrester.com/blogs/the-new-change-management-automated-and-decentralized/
https://www.tibco.com/reference-center/what-is-process-automation
https://kissflow.com/workflow/workflow-automation/an-8-step-checklist-to-get-your-workflow-ready-for-automation/
https://www.malwarearchaeology.com/cheat-sheets
https://overapi.com/
https://www.darkreading.com/attacks-breaches/8-character-passwords-can-be-cracked-in-less-than-60-minutes

Mar 12, 2022 • 59min
Shannon Noonan and Stacey Cameron - process automation
https://www.twitch.tv/brakesec
YouTube video (full version): https://www.youtube.com/watch?v=eRwYB22XMNw
Shannon Noonan and Stacey Cameron - QoS Consulting
https://www.bizagi.com/en/blog/digital-process-automation/4-ways-to-deliver-change-management-for-process-automation
https://www.forrester.com/blogs/the-new-change-management-automated-and-decentralized/
https://www.tibco.com/reference-center/what-is-process-automation
https://kissflow.com/workflow/workflow-automation/an-8-step-checklist-to-get-your-workflow-ready-for-automation/
https://www.malwarearchaeology.com/cheat-sheets
https://overapi.com/
https://www.darkreading.com/attacks-breaches/8-character-passwords-can-be-cracked-in-less-than-60-minutes

Mar 1, 2022 • 52min
K12SIX-project-Doug_Levin-Eric_Lankford-threat_intel-edusec-p2
For context, we at the K12 Security Information Exchange (K12 SIX) are a relatively new K12-specific ISAC – launched to help protect the US K12 sector from emerging cybersecurity risk. One of our signature accomplishments in our first year was the development and release of our ‘essential protections’ series – an effort to establish baseline cybersecurity standards for schools. See: https://www.k12six.org/essential-cybersecurity-protections
Global Resilience Federation - https://www.grf.org/ : "We will help your industry develop or enhance a trusted threat information sharing community, obtain actionable intelligence, and support you in emergencies. We all count on the resiliency of essential services - services from the electricity powering our homes and the connectivity of entertainment apps, to the legal systems and financial pipelines driving the global economy. But this infrastructure faces constant threats from hacktivists, criminals, and rogue states, and they are growing in sophistication. Leveraging nearly 20 years of ISAC and ISAO expertise, GRF is a non-profit created to connect sharing communities, for mutual defense."
https://static1.squarespace.com/static/5e441b46adfb340b05008fe7/t/611d5fceff375d79ff4507c7/1629315022292/K12+SIX+Essential+Cybersecurity+Protections+2021+2022.pdf
https://theconversation.com/cybercriminals-use-pandemic-to-attack-schools-and-colleges-167619
https://edscoop.com/texas-school-paid-547k-ransomware-jam/
https://statescoop.com/ransomware-allen-texas-school-district-email-parents/
https://www.toptal.com/insights/innovation/cybersecurity-in-higher-education
https://www.highereddive.com/spons/inside-higher-educations-ransomware-crisis-how-colleges-and-universities/609688/
https://www.cnn.com/2022/01/07/politics/ransomware-schools-website/index.html
https://www.13abc.com/2021/02/22/toledo-public-school-students-seeing-effects-of-massive-data-breach/
2020 report: https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity-2020.pdf - 85-89% of school systems have 2,500 students or fewer
Omg: https://www.edweek.org/leadership/education-statistics-facts-about-american-schools/2019/01
https://www.youtube.com/watch?v=otv0KzkfLSc - Florida mom, daughter accused of rigging homecoming queen votes break silence | GMA
There are 130,930 public and private K-12 schools in the U.S., according to 2017-18 data from the National Center for Education Statistics (NCES). Here’s how they break down:
All: 130,930
Elementary schools: 87,498
Secondary schools: 26,727
Combined schools: 15,804
Other: 901
What are some of the ways you go about addressing the challenge of even reaching smaller schools? Does the ISAC help?
How do you communicate major security events like log4j?
Do you keep track of complications with certain software stacks?
Someone listening might say “hey, I’d love to help…” What, if any, opportunities are there for the larger infosec community to help your org?

Feb 22, 2022 • 42min
K12SIX's Eric Lankford and Doug Levin on helping schools get added security -p1
The K12 Security Information Exchange (K12 SIX) is a relatively new K12-specific ISAC – launched to help protect the US K12 sector from emerging cybersecurity risk. One of our signature accomplishments in our first year was the development and release of our ‘essential protections’ series – an effort to establish baseline cybersecurity standards for schools. See: https://www.k12six.org/essential-cybersecurity-protections
Global Resilience Federation - https://www.grf.org/ : "We will help your industry develop or enhance a trusted threat information sharing community, obtain actionable intelligence, and support you in emergencies. We all count on the resiliency of essential services - services from the electricity powering our homes and the connectivity of entertainment apps, to the legal systems and financial pipelines driving the global economy. But this infrastructure faces constant threats from hacktivists, criminals, and rogue states, and they are growing in sophistication. Leveraging nearly 20 years of ISAC and ISAO expertise, GRF is a non-profit created to connect sharing communities, for mutual defense."
https://static1.squarespace.com/static/5e441b46adfb340b05008fe7/t/611d5fceff375d79ff4507c7/1629315022292/K12+SIX+Essential+Cybersecurity+Protections+2021+2022.pdf
https://theconversation.com/cybercriminals-use-pandemic-to-attack-schools-and-colleges-167619
https://edscoop.com/texas-school-paid-547k-ransomware-jam/
https://statescoop.com/ransomware-allen-texas-school-district-email-parents/
https://www.toptal.com/insights/innovation/cybersecurity-in-higher-education
https://www.highereddive.com/spons/inside-higher-educations-ransomware-crisis-how-colleges-and-universities/609688/
https://www.cnn.com/2022/01/07/politics/ransomware-schools-website/index.html
https://www.13abc.com/2021/02/22/toledo-public-school-students-seeing-effects-of-massive-data-breach/
2020 report: https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity-2020.pdf - 85-89% of school systems have 2,500 students or fewer
Omg: https://www.edweek.org/leadership/education-statistics-facts-about-american-schools/2019/01
https://www.youtube.com/watch?v=otv0KzkfLSc - Florida mom, daughter accused of rigging homecoming queen votes break silence
There are 130,930 public and private K-12 schools in the U.S., according to 2017-18 data from the National Center for Education Statistics (NCES). Here’s how they break down:
All: 130,930
Elementary schools: 87,498
Secondary schools: 26,727
Combined schools: 15,804
Other: 901
What are some of the ways you go about addressing the challenge of even reaching smaller schools? Does the ISAC help?
How do you communicate major security events like log4j?
Do you keep track of complications with certain software stacks?
Someone listening might say “hey, I’d love to help…” What, if any, opportunities are there for the larger infosec community to help your org?

Feb 15, 2022 • 42min
April Wright and Alyssa Miller - IoT platforms, privacy and security, embracing standards
Alyssa Miller (@AlyssaM_InfoSec)
April Wright (@Aprilwright)
Open Source issues (quick discussion, because I value your opinions, and supply chain is important in the IoT world too.)
Log4j and OSS software management and profitability
Free as in beer, but you pay for the cup… (license costs $$, not the software). “If you make money using our software, you must buy a license” - not an end-user license
Open source conference at Whitehouse:
https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/
https://www.wsj.com/articles/white-house-convenes-open-source-security-summit-amid-log4j-risks-11642119406
“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that many eyes were watching to detect and resolve problems,” said Kent Walker, chief legal officer at Google in a blog post published after the meeting. “But in fact, while some projects do have many eyes on them, others have few or none at all.”
Show was inspired by this Twitter conversation:
https://twitter.com/aprilwright/status/1461724712455782400?t=Fv2tmSTXrn-SSjPCka3gxg&s=19
https://twitter.com/AlyssaM_InfoSec/status/1464661807751213056?t=CFy-hgcHo2a8NwowKYo0hg&s=19
IoT architecture: https://www.avsystem.com/blog/iot-ecosystem/
Open source IoT platforms: https://www.record-evolution.de/en/open-source-iot-platforms-making-innovation-count/
Cloud services - processing messages, register/de-register devices, pass messages to other devices/gateways
Gateways - Devices - Mobile apps - SDKs - integrations
Cloud services DO go offline, point of failure: https://www.datacenterdynamics.com/en/news/aws-us-east-1-outage-brings-down-services-around-the-world/
Connectivity and sharing mesh networks assumes you like your neighbors.
Sidewalk Whitepaper: https://m.media-amazon.com/images/G/01/sidewalk/final_privacy_security_whitepaper.pdf
Network vulnerabilities: https://fractionalciso.com/why-you-should-not-be-using-xfinitywifi-hotspots/
Stalking/privacy vs. tracking/surveillance
Fine GPS locations
Nearby devices triangulate (via BLE, wifi, or 900MHz)
We want to find our lost devices, but devices can be used for stalking: https://www.autoevolution.com/news/police-claim-apple-has-unwillingly-created-the-most-convenient-stalking-device-179228.html
Just have an iPhone and you’ll be able to find a stalking device, just install a 100MB app (Ring, Alexa, etc) to detect all devices in the area, or use the right ecosystem to find these items (or know every possible device that could be used to track someone)
What do companies want with that information?
What is a ‘happy medium’ to allow you to find your dog, but not to track people?
Device controls? Buzzers? (how loud can you make a noise in a small device?)
Size issues, battery life, beaconing, self-identification (“Hi, I am a lost device…”)
Is what AirTags are doing enough to reduce the fear? Are we designing to edge cases?
There are cheaper/easier ways to track someone (phones have a longer standby time than Fetch/AirTag/Tile)
How often do you lose your keys? Why is your dog not on a leash or properly trained?
What will it take to make these kinds of devices more secure? https://spectrum.ieee.org/why-iot-sensors-need-standards
Will it take privacy protections to motivate IoT device makers to design a better IoT device? Or force standards to be followed, like https://www.ioxtalliance.org/get-ioxt-certified?
Or NIST standards: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213-draft.pdf and https://csrc.nist.gov/publications/detail/sp/800-213a/final (detailed specs)
Threat modeling, vulnerabilities in IoT networks and platforms
Does your IoT platform give out SDKs for integrations or allow 3rd party products or apps?
https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
https://www.avsystem.com/blog/iot-ecosystem/
Old and outdated libraries, like TCP/IP stack vulnerabilities (Ripple20)
https://www.businessinsider.com/iot-security-privacy
https://www.eurofins-cybersecurity.com/news/security-problems-iot-devices/
https://arxiv.org/ftp/arxiv/papers/1302/1302.0939.pdf - Security and Privacy Issues in Wireless Mesh Networks: A Survey
https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
Opt out of Amazon Sidewalk: https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK
Amazon Sidewalk discussion: https://www.silabs.com/support/training/amazon-sidewalk-development/amz-103-amazon-sidewalk-technology-architecture-and-infrastructure
Fetch (from https://www.aboutamazon.com/news/devices/introducing-amazon-sidewalk): "As one example, this week we announced Fetch, a compact, lightweight device that will clip to your pet’s collar and help ensure they’re safe. If your dog wanders outside a perimeter you’ve set using the Ring app, Fetch will let you know. In the future, expanding the Amazon Sidewalk network will provide customers with even more capabilities like real-time location information, helping you quickly reunite with your lost pet. For device makers, Fetch also serves as a reference design to demonstrate the potential that devices connected to a broad, reliable network can provide to their customers."

Feb 7, 2022 • 34min
Alyssa Miller, April Wright, on IoT Privacy & Security, using tech for stalking, what could be done? Part1
Alyssa Miller (@AlyssaM_InfoSec)
April Wright (@Aprilwright)
Talk about side projects, podcasts, speaking events, etc (if you want to)
Open Source issues (quick discussion, because I value your opinions, and supply chain is important in the IoT world too.)
Log4j and OSS software management and profitability
Free as in beer, but you pay for the cup… (license costs $$, not the software). “If you make money using our software, you must buy a license” - not an end-user license
Open source conference at Whitehouse:
https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/
https://www.wsj.com/articles/white-house-convenes-open-source-security-summit-amid-log4j-risks-11642119406
“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that many eyes were watching to detect and resolve problems,” said Kent Walker, chief legal officer at Google in a blog post published after the meeting. “But in fact, while some projects do have many eyes on them, others have few or none at all.”
Show was inspired by this Twitter conversation:
https://twitter.com/aprilwright/status/1461724712455782400?t=Fv2tmSTXrn-SSjPCka3gxg&s=19
https://twitter.com/AlyssaM_InfoSec/status/1464661807751213056?t=CFy-hgcHo2a8NwowKYo0hg&s=19
IoT architecture: https://www.avsystem.com/blog/iot-ecosystem/
Open source IoT platforms: https://www.record-evolution.de/en/open-source-iot-platforms-making-innovation-count/
Cloud services - processing messages, register/de-register devices, pass messages to other devices/gateways
Gateways - Devices - Mobile apps - SDKs - integrations
Cloud services DO go offline, point of failure: https://www.datacenterdynamics.com/en/news/aws-us-east-1-outage-brings-down-services-around-the-world/
Connectivity and sharing mesh networks assumes you like your neighbors.
Sidewalk Whitepaper: https://m.media-amazon.com/images/G/01/sidewalk/final_privacy_security_whitepaper.pdf
Network vulnerabilities: https://fractionalciso.com/why-you-should-not-be-using-xfinitywifi-hotspots/
Stalking/privacy vs. tracking/surveillance
Fine GPS locations
Nearby devices triangulate (via BLE, wifi, or 900MHz)
We want to find our lost devices, but devices can be used for stalking: https://www.autoevolution.com/news/police-claim-apple-has-unwillingly-created-the-most-convenient-stalking-device-179228.html
Just have an iPhone and you’ll be able to find a stalking device, just install a 100MB app (Ring, Alexa, etc) to detect all devices in the area, or use the right ecosystem to find these items (or know every possible device that could be used to track someone)
What do companies want with that information?
What is a ‘happy medium’ to allow you to find your dog, but not to track people?
Device controls? Buzzers? (how loud can you make a noise in a small device?)
Size issues, battery life, beaconing, self-identification (“Hi, I am a lost device…”)
Is what AirTags are doing enough to reduce the fear? Are we designing to edge cases?
There are cheaper/easier ways to track someone (phones have a longer standby time than Fetch/AirTag/Tile)
How often do you lose your keys? Why is your dog not on a leash or properly trained?
What will it take to make these kinds of devices more secure? https://spectrum.ieee.org/why-iot-sensors-need-standards
Will it take privacy protections to motivate IoT device makers to design a better IoT device? Or force standards to be followed, like https://www.ioxtalliance.org/get-ioxt-certified?
Or NIST standards: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213-draft.pdf and https://csrc.nist.gov/publications/detail/sp/800-213a/final (detailed specs)
Threat modeling, vulnerabilities in IoT networks and platforms
Does your IoT platform give out SDKs for integrations or allow 3rd party products or apps?
https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
https://www.avsystem.com/blog/iot-ecosystem/
Old and outdated libraries, like TCP/IP stack vulnerabilities (Ripple20)
https://www.businessinsider.com/iot-security-privacy
https://www.eurofins-cybersecurity.com/news/security-problems-iot-devices/
https://arxiv.org/ftp/arxiv/papers/1302/1302.0939.pdf - Security and Privacy Issues in Wireless Mesh Networks: A Survey
https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
Opt out of Amazon Sidewalk: https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK
Amazon Sidewalk discussion: https://www.silabs.com/support/training/amazon-sidewalk-development/amz-103-amazon-sidewalk-technology-architecture-and-infrastructure
Fetch (from https://www.aboutamazon.com/news/devices/introducing-amazon-sidewalk): "As one example, this week we announced Fetch, a compact, lightweight device that will clip to your pet’s collar and help ensure they’re safe. If your dog wanders outside a perimeter you’ve set using the Ring app, Fetch will let you know. In the future, expanding the Amazon Sidewalk network will provide customers with even more capabilities like real-time location information, helping you quickly reunite with your lost pet. For device makers, Fetch also serves as a reference design to demonstrate the potential that devices connected to a broad, reliable network can provide to their customers."

Feb 1, 2022 • 44min
Bit of news, Belarus train system hack, VMware Horizon vulns, edge network device vulns
News articles we covered this week:
https://www.wired.com/story/belarus-railways-ransomware-hack-cyber-partisans/
https://www.hackingarticles.in/linux-privilege-escalation-polkit-cve-2021-3560/
https://old.reddit.com/r/msp/comments/s48iji/vmware_horizon_servers_being_actively_hit_with/
https://www.bleepingcomputer.com/news/security/over-20-000-data-center-management-systems-exposed-to-hackers/
Whimmery's Walkthroughs: Join @whimmery on her twitch or on the @brakesec Youtube channel for walkthroughs on Burp Suite training and more!
Twitter handles:
Official Podcast: @brakesec
Brian Boettcher: @boettcherpwned
Amanda Berlin: @infosystir @hackersHealth @infosecroleplay
Bryan Brake: @bryanbrake

Jan 24, 2022 • 27min
April Wright and Alyssa Miller - Open Source sustainability
Alyssa Miller (@AlyssaM_InfoSec)
April Wright (@Aprilwright)
Open Source issues (quick discussion, because I value your opinions, and supply chain is important in the IoT world too.)
Log4j and OSS software management and profitability
Free as in beer, but you pay for the cup… (license costs $$, not the software). “If you make money using our software, you must buy a license” - not an end-user license
Open source conference at Whitehouse:
https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/
https://www.wsj.com/articles/white-house-convenes-open-source-security-summit-amid-log4j-risks-11642119406
“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that many eyes were watching to detect and resolve problems,” said Kent Walker, chief legal officer at Google in a blog post published after the meeting. “But in fact, while some projects do have many eyes on them, others have few or none at all.”
Show was inspired by this Twitter conversation:
https://twitter.com/aprilwright/status/1461724712455782400?t=Fv2tmSTXrn-SSjPCka3gxg&s=19
https://twitter.com/AlyssaM_InfoSec/status/1464661807751213056?t=CFy-hgcHo2a8NwowKYo0hg&s=19
IoT architecture: https://www.avsystem.com/blog/iot-ecosystem/
Open source IoT platforms: https://www.record-evolution.de/en/open-source-iot-platforms-making-innovation-count/
Cloud services - processing messages, register/de-register devices, pass messages to other devices/gateways
Gateways - Devices - Mobile apps - SDKs - integrations
Cloud services DO go offline, point of failure: https://www.datacenterdynamics.com/en/news/aws-us-east-1-outage-brings-down-services-around-the-world/
Connectivity and sharing mesh networks assumes you like your neighbors.
Sidewalk Whitepaper: https://m.media-amazon.com/images/G/01/sidewalk/final_privacy_security_whitepaper.pdf
Network vulnerabilities: https://fractionalciso.com/why-you-should-not-be-using-xfinitywifi-hotspots/
Stalking/privacy vs. tracking/surveillance
Fine GPS locations
Nearby devices triangulate (via BLE, wifi, or 900MHz)
We want to find our lost devices, but devices can be used for stalking: https://www.autoevolution.com/news/police-claim-apple-has-unwillingly-created-the-most-convenient-stalking-device-179228.html
Just have an iPhone and you’ll be able to find a stalking device, just install a 100MB app (Ring, Alexa, etc) to detect all devices in the area, or use the right ecosystem to find these items (or know every possible device that could be used to track someone)
What do companies want with that information?
What is a ‘happy medium’ to allow you to find your dog, but not to track people?
Device controls? Buzzers? (how loud can you make a noise in a small device?)
Size issues, battery life, beaconing, self-identification (“Hi, I am a lost device…”)
Is what AirTags are doing enough to reduce the fear? Are we designing to edge cases?
There are cheaper/easier ways to track someone (phones have a longer standby time than Fetch/AirTag/Tile)
How often do you lose your keys? Why is your dog not on a leash or properly trained?
What will it take to make these kinds of devices more secure? https://spectrum.ieee.org/why-iot-sensors-need-standards
Will it take privacy protections to motivate IoT device makers to design a better IoT device? Or force standards to be followed, like https://www.ioxtalliance.org/get-ioxt-certified?
Or NIST standards: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213-draft.pdf and https://csrc.nist.gov/publications/detail/sp/800-213a/final (detailed specs)
Threat modeling, vulnerabilities in IoT networks and platforms
Does your IoT platform give out SDKs for integrations or allow 3rd party products or apps?
https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
https://www.avsystem.com/blog/iot-ecosystem/
Old and outdated libraries, like TCP/IP stack vulnerabilities (Ripple20)
https://www.businessinsider.com/iot-security-privacy
https://www.eurofins-cybersecurity.com/news/security-problems-iot-devices/
https://arxiv.org/ftp/arxiv/papers/1302/1302.0939.pdf - Security and Privacy Issues in Wireless Mesh Networks: A Survey
https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
Opt out of Amazon Sidewalk: https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK
Amazon Sidewalk discussion: https://www.silabs.com/support/training/amazon-sidewalk-development/amz-103-amazon-sidewalk-technology-architecture-and-infrastructure
Fetch (from https://www.aboutamazon.com/news/devices/introducing-amazon-sidewalk): "As one example, this week we announced Fetch, a compact, lightweight device that will clip to your pet’s collar and help ensure they’re safe. If your dog wanders outside a perimeter you’ve set using the Ring app, Fetch will let you know. In the future, expanding the Amazon Sidewalk network will provide customers with even more capabilities like real-time location information, helping you quickly reunite with your lost pet. For device makers, Fetch also serves as a reference design to demonstrate the potential that devices connected to a broad, reliable network can provide to their customers."

Jan 18, 2022 • 46min
Amélie Koran and Adam Baldwin discuss OSS sustainability, supply chain security, governance, and outreach for popular applications - part 2
Adam Baldwin (@adam_baldwin)
Amélie Koran (@webjedi)
https://logging.apache.org/log4j/2.x/license.html
https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/
https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/
F/OSS developer deliberately bricks his software in retaliation for big companies not supporting OSS:
https://twitter.com/BleepinComputer/status/1480182019854327808
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
https://developers.slashdot.org/story/22/01/09/2336239/open-source-developer-intentionally-corrupts-his-own-widely-used-libraries
Faker.js - https://www.npmjs.com/package/faker - generate massive amounts of fake contextual data
Colors.js - https://www.npmjs.com/package/colors - get color and style in your node.js console
https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/
Should OSS teams expect payment for giving their time/code away for free? What are their expectations?
Should open source projects be aware of how popular they are? What happens when they reach a certain level of popularity?
OSS Sustainability - https://github.blog/2019-01-17-lets-talk-about-open-source-sustainability/
https://webjedi.net/2022/01/03/security-puppy/
Apparently, “Hobbyists” were the bane of a young Bill Gates: (can you https://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists
History of open source: https://en.wikipedia.org/wiki/History_of_free_and_open-source_software
Licensing Overview: https://youtu.be/Eu_GvrSlShI (this was a talk I gave for Splunk on this --AK)
Event-stream: https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
https://libraries.io/ - Libraries.io monitors 5,039,738 open source packages across 32 different package managers, so you don't have to.
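An added example to go with the colors/faker and event-stream discussion (not code from the episode or from the guests): the applications that broke were the ones whose next install resolved a dependency range to a newly published release, because nothing pinned them to the version they had tested. This Python script audits a package.json against its package-lock.json and reports three things a practitioner would check after an incident like this: dependency specifiers that can float to a new release (^, ~, *, dist-tags), dependencies that are not in the lockfile at all, and locked entries with no integrity hash. The manifest and lockfile below are constructed for a hypothetical project and the integrity strings are placeholders, not real digests.

```python
import json
import re
from typing import Dict, List

# Constructed package.json for a hypothetical project (not from the episode or any real app).
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "colors": "^1.4.0",
    "faker": "~5.5.0",
    "express": "4.17.2",
    "lodash": "*",
    "left-pad": "latest"
  }
}"""

# Constructed lockfileVersion 2 fragment; "sha512-PLACEHOLDER" stands in for a real digest.
# faker has no integrity field and left-pad is missing from the lock entirely, on purpose.
PACKAGE_LOCK = """{
  "name": "demo-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/colors": {"version": "1.4.0", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/faker": {"version": "5.5.3"},
    "node_modules/express": {"version": "4.17.2", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-PLACEHOLDER"}
  }
}"""

# An exact pin: optional "=" or "v", then MAJOR.MINOR.PATCH with an optional prerelease/build tag.
EXACT_RE = re.compile(r"^=?v?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def classify_range(spec: str) -> str:
    """'exact' if the specifier can only ever resolve to one version, otherwise 'floating'.
    Caret, tilde, star, comparison ranges and dist-tags all let a future publish change
    what gets installed, which is exactly how a sabotaged patch release reaches you."""
    return "exact" if EXACT_RE.match(spec.strip()) else "floating"


def locked_packages(lock: dict) -> Dict[str, dict]:
    """Map package name -> lock entry for lockfile v2/v3 ('packages') or v1 ('dependencies')."""
    out: Dict[str, dict] = {}
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if not path:                      # "" is the root project itself
                continue
            name = path.rsplit("node_modules/", 1)[-1]   # nested paths keep the last segment
            out.setdefault(name, entry)       # first (top-level) entry wins over nested copies
    else:
        for name, entry in lock.get("dependencies", {}).items():
            out.setdefault(name, entry)
    return out


def audit(package_json_text: str, lock_text: str) -> Dict[str, object]:
    manifest = json.loads(package_json_text)
    lock = locked_packages(json.loads(lock_text))
    deps: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    floating = {name: spec for name, spec in deps.items() if classify_range(spec) == "floating"}
    unlocked = sorted(name for name in deps if name not in lock)
    missing_integrity = sorted(name for name in deps if name in lock and "integrity" not in lock[name])
    return {"floating": floating, "unlocked": unlocked, "missing_integrity": missing_integrity}


if __name__ == "__main__":
    report = audit(PACKAGE_JSON, PACKAGE_LOCK)
    for name, spec in report["floating"].items():
        print(f"floating range: {name}@{spec}")
    for name in report["unlocked"]:
        print(f"not in lockfile: {name}")
    for name in report["missing_integrity"]:
        print(f"no integrity hash in lockfile: {name}")
```

A floating range is only a problem when the lockfile is not honoured, so the check goes with a build that installs via `npm ci` (which fails if package.json and the lockfile disagree) rather than `npm install`. Exact pins in package.json only cover direct dependencies; the lockfile and its integrity hashes are what hold the transitive tree still, which is why the script treats a missing integrity field as a finding and not a nit.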