

BrakeSec Education Podcast
Bryan Brake, Amanda Berlin, and Brian Boettcher
A podcast about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security professionals need to know, or refresh the memories of seasoned veterans.
Episodes
Mentioned books

Oct 17, 2019 • 50min
2019-037-Lee Holmes, Powershell logging, and why there's an 'execution bypass'
Derbycon9 talk - PowerShell Security Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s
Encarta - https://en.wikipedia.org/wiki/Encarta
Scott Hanselman's twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409
Congrats on the black badge :)
I like that you bring up execution policies, and that it was never created to become a security control. I started alerting on it anyway, at least from non-admin devices: https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/
Want to learn Powershell? UnderTheWire wargame: https://underthewire.tech/
Jeffrey Snover, "The Cultural battle to remove Windows from Windows Server": https://www.youtube.com/watch?v=3Uvq38XOark
You talk about "why would anyone want to remove powershell", as it came as a standalone download and part of the Windows SDK.
- I was taught when I was just getting into tech that I should fear powershell, and didn't realize how powerful it could be as an admin because of it.
Powershell slime trail <3 (powershell transparency)
"You can't force a powerful tool only to be used how you want it to be used, you can tilt the playing field on behalf of defenders"
If an attacker is going to use powershell, let's make them regret it
Powershell has had quite an impact and history.
My own sorry logging/alerting attempts
You mentioned the amount of attacks listed in MITRE that use powershell; is that *the* recommended resource for blue teamers, are there any others?
Revoke-Obfuscation white paper (blackhat2017): https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf
https://github.com/danielbohannon/Invoke-Obfuscation
https://github.com/danielbohannon/Revoke-Obfuscation
https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-now-uses-windows-powershell/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POSHCODER.A
Ever thought of writing a powershell security centric book? Bill Pollock was looking for someone to write a book for NoStarch…
Derbycon keynote with Lee Holmes and Jeffrey Snover - http://www.irongeek.com/i.php?page=videos/derbycon6/101-key-note-jeffrey-snover-lee-holmes
AMSI - Antimalware Scan Interface: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
Windows Powershell Cookbook - https://www.amazon.com/dp/B00ARN9MEK/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1
Eric Conrad: https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html https://github.com/sans-blue-team/DeepBlueCLI
Daniel Bohannon - DevSec Defense - https://www.youtube.com/watch?v=QJe8xikf-iE https://github.com/psconfeu/2018/tree/master/Daniel%20Bohannon/DevSec%20Defense
Constrained language mode: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
Maslow's security Hierarchy: https://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/
Just Enough Administration: https://docs.microsoft.com/en-us/previous-versions//dn896648(v=technet.10)?redirectedfrom=MSDN
https://github.com/infosecn1nja/AD-Attack-Defense
Also - DrawOnMyBadge.com - Super cool idea, loved the Mona Lisa
@Lee_Holmes @hackershealth @log-md @infosecCampout @seasecEast @brakesec @bryanbrake @boettcherpwned @Infosystir @packscott @dpcybuck @megan_roddie @consultingCSO

Oct 9, 2019 • 57min
2019-036-RvrShell-graphql_defense-Part2
Secure Python course: https://brakesec.com/brakesecpythonclass
PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing
GraphQL High Level: https://graphql.org/
Designed to replace REST architecture
Allows you to make a large request, uses a query language
Released by FB in 2012
JSON
Learn Enough to be dangerous: https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2
WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315
Vulns in the Wild
Abusing GraphQL
OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
Attack Techniques
https://www.apollographql.com/docs/apollo-server/data/data/
https://github.com/graphql/graphiql
Protecting GraphQL: https://github.com/maticzav/graphql-shield
Magento 2 (runs GraphQL), hard to update…
https://github.com/szski/shapeshifter - Matt's tool on Shapeshifter
GraphQL implementations inside (ecosystem packages?)
Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)
Patreon supporters (Josh P and David G)
Teepub: https://www.teepublic.com/user/bdspodcast
For Amanda next: https://www.cybercareersummit.com/ & keynote @grrcon oct 24/25
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Oct 2, 2019 • 42min
2019-035-Matt_szymanski-attack and defense of GraphQL-Part1
Derbycon Discussion (bring Matt in)
Python course: https://brakesec.com/brakesecpythonclass
PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing
GraphQL High Level: https://graphql.org/
Designed to replace REST architecture
Allows you to make a large request, uses a query language
Released by FB in 2012
JSON
Learn Enough to be dangerous: https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2
WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315
Vulns in the Wild
Abusing GraphQL
OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
Attack Techniques
https://www.apollographql.com/docs/apollo-server/data/data/
https://github.com/graphql/graphiql
Protecting GraphQL: https://github.com/maticzav/graphql-shield
Magento 2 (runs GraphQL), hard to update…
https://github.com/szski/shapeshifter - Matt's tool on Shapeshifter
GraphQL implementations inside (ecosystem packages?)
Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)
Patreon supporters (Josh P and David G)
Teepub: https://www.teepublic.com/user/bdspodcast
For Amanda next: https://www.cybercareersummit.com/ & keynote @grrcon oct 24/25

Sep 22, 2019 • 1h 24min
2019-034- Tracy Maleeff, empathy as a service, derbycon discussion
Podcast Interview (Youtube): https://youtu.be/4tdJwBMh3ow
Tracy Maleeff (pronounced like may-leaf) - https://twitter.com/InfoSecSherpa https://medium.com/@InfoSecSherpa https://nuzzel.com/InfoSecSherpa
Python secure coding class - November 2nd / 5 Saturdays, @nxvl teaching: https://www.eventbrite.com/e/secure-python-coding-with-nicolas-valcarcel-registration-72804597511
Derbycon Talk: https://www.youtube.com/watch?v=KILlp4KMIPA
Plugs:
Nuzzel newsletter: https://nuzzel.com/infosecsherpa
OSINT-y Goodness blog: https://medium.com/@infosecsherpa
Tomato pie: https://www.eater.com/2016/8/19/12525602/tomato-pie-philadelphia-new-jersey
Infosec is a service industry job (gasp!)
Customer service is an attitude, not a department
Reference Interview: https://en.wikipedia.org/wiki/Reference_interview
Approachability
Does your org make it easy to contact you?
What is your tone of writing? What does your outgoing communication look like?
Rein in your attitude, language, etc…
"I am using an online translator" (great idea!)
What is your department's reputation? Create an assessment of your department…
"I didn't know there was humans in security?"
Interest
Be interested in solving the problem.
Make interaction a 'safe space': no judging, no mocking
LOL, "EE Cummings" https://poets.org/poem/amores-i
Listening
Pay attention to what the end user doesn't say.
Don't interrupt the end user
Interviewing
Repeat back what the user said or asked
Tone: ask clarification questions, not accusatory questions
Searching
Did security fail the user?
Answering
Teachable moments
Building trust/relationship equity
"While you're on the phone…"
"Thank you for your time"
Follow-Up
Think of ways to create a culture of security
Create canned emails
Random acts of kindness: cyberCupcakes!!!! Or potentially small value gift cards(?)
Kindness as currency
Christmas cookies
Spreading goodwill, building relationship equity
Reciprocity
Lunch and learns
People can't be educated into vaccinations, but behavioral nudges help
"Telling people facts won't change behavior"

Sep 16, 2019 • 44min
2019-033-Part 2 of the Kubernetes security audit discussion (Jay Beale & Aaron Small)
Topics:
Infosec Campout report
Jay Beale (co-lead for audit) *Bust-a-Kube*
Aaron Small (product mgr at GKE/Google)
Atredis Partners
Trail of Bits
What was the Audit? How did it come about? Who were the players?
Kubernetes Working Group: Aaron, Craig, Jay, Joel
Outside vendors: Atredis: Josh, Nathan Keltner; Trail of Bits: Stefan Edwards, Bobby Tonic, Dominik
Kubernetes Project Leads/Devs
Interviewed devs -- this was much of the info that went into the threat model
Rapid Risk Assessments - let's put the GitHub repository in the show notes
What did it produce?
Vuln Report
Threat Model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf
White Papers: https://github.com/kubernetes/community/tree/master/wg-security-audit/findings
Discuss the results:
Threat model findings
Controls silently fail, leading to a false sense of security: Pod Security Policies, Egress Network Rules
Audit model isn't strong enough for non-repudiation: by default, the API server doesn't log user movements through the system
TLS encryption weaknesses: most components accept cleartext HTTP; bootstrapping to add Kubelets is particularly weak; multiple components do not check certificates and/or use self-signed certs; HTTPS isn't enforced; certificates are long-lived, with no revocation capability; etcd doesn't authenticate connections by default
Controllers all bundled together: Confused Deputy, b/c lower priv controllers are bundled in the same binary as higher
Secrets not encrypted at rest by default
Etcd doesn't have signatures on its write-ahead log
DoS attack: you can set anti-affinity on your pods to get nothing else scheduled on their nodes
Port 10255 has an unauthenticated HTTP server for status and health checking
Vulns / Findings (not complete list, but interesting):
Hostpath pod security policy bypass via persistent volumes
TOCTOU when moving PID to manager's group
Improperly patched directory traversal in kubectl cp
Bearer tokens revealed in logs
Lots of MitM risk: SSH not checking fingerprints (InsecureIgnoreHostKey); gRPC transport seems all set to WithInsecure(); HTTPS connections not checking certs; some HTTPS connections are unauthenticated
Output encoding on JSON construction. This might lead to further work, as JSON can get written to logs that may be consumed elsewhere.
Non-constant time check on passwords
Lack of re-use / library-ification of code
Who will use these findings and how? Devs, Google, bad guys?
Any new audit tools created from this?
Brad Geesaman, "Hacking and Hardening Kubernetes Clusters by Example [I]" - Brad Geesaman, Symantec: https://www.youtube.com/watch?v=vTgQLzeBfRU
Aaron Small: https://cloud.google.com/blog/products/gcp/precious-cargo-securing-containers-with-kubernetes-engine-18 https://cloud.google.com/blog/products/gcp/exploring-container-security-running-a-tight-ship-with-kubernetes-engine-1-10 https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
CNCF: https://www.youtube.com/watch?v=90kZRyPcRZw
Findings:
Scope for testing:
Source code review (what languages did they have to review?) Golang, shell, ...
Networking (discuss the networking: *internal*, *external*)
Cryptography (TLS, data stores)
AuthN/AuthZ
RBAC (which roles were tested? Just admin/non-admin? *best practice is no admin/least priv*)
Secrets
Namespace traversals
Namespace claims
Methodology:
Set up a bunch of environments? Primarily set up a single environment IIRC
Combination of code audit and active ?fuzzing? What does one fuzz on a K8s environment?
Tested with latest alpha or production versions? Version 1.13 or 1.14 - version locked at whatever was current - K8S releases a new version every 3 months, so this is a challenge and means we have to keep auditing.
Tested multiple different types of k8s implementations? Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)
Bug Bounty program: https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md

Sep 7, 2019 • 51min
the last Derbycon Brakesec podcast
This evening, we all came together to spend a bit of time talking about the final Derbycon. We talk to Mic Douglas about his 9 Derbycon appearances, Gary Rimar (piano player Extraordinaire) talks about @litmoose's talk on how to tell C-Levels that their applications aren't good. We also got asked about how the show came about, and how we found each other. **Apologies for the echo in some parts... I did what I could to clean it up, but we were too close and the mics got a bit overzealous...**

Aug 31, 2019 • 47min
2019-032-kubernetes security audit discussion with Jay Beale and Aaron Small
Topics:
Infosec Campout report
Derbycon Pizza Party (with podcast show!) https://www.eventbrite.com/e/brakesec-pizza-party-at-the-derbycon-mental-health-village-tickets-69219271705
Mental health village at Derbycon
Jay Beale (co-lead for audit) *Bust-a-Kube*
Aaron Small (product mgr at GKE/Google)
Atredis Partners
Trail of Bits
What was the Audit? How did it come about? Who were the players?
Kubernetes Working Group: Aaron, Craig, Jay, Joel
Outside vendors: Atredis: Josh, Nathan Keltner; Trail of Bits: Stefan Edwards, Bobby Tonic, Dominik
Kubernetes Project Leads/Devs
Interviewed devs -- this was much of the info that went into the threat model
Rapid Risk Assessments - let's put the GitHub repository in the show notes
What did it produce?
Vuln Report
Threat Model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf
White Papers: https://github.com/kubernetes/community/tree/master/wg-security-audit/findings
Discuss the results:
Threat model findings
Controls silently fail, leading to a false sense of security: Pod Security Policies, Egress Network Rules
Audit model isn't strong enough for non-repudiation: by default, the API server doesn't log user movements through the system
TLS encryption weaknesses: most components accept cleartext HTTP; bootstrapping to add Kubelets is particularly weak; multiple components do not check certificates and/or use self-signed certs; HTTPS isn't enforced; certificates are long-lived, with no revocation capability; etcd doesn't authenticate connections by default
Controllers all bundled together: Confused Deputy, b/c lower priv controllers are bundled in the same binary as higher
Secrets not encrypted at rest by default
Etcd doesn't have signatures on its write-ahead log
DoS attack: you can set anti-affinity on your pods to get nothing else scheduled on their nodes
Port 10255 has an unauthenticated HTTP server for status and health checking
Vulns / Findings (not complete list, but interesting):
Hostpath pod security policy bypass via persistent volumes
TOCTOU when moving PID to manager's group
Improperly patched directory traversal in kubectl cp
Bearer tokens revealed in logs
Lots of MitM risk: SSH not checking fingerprints (InsecureIgnoreHostKey); gRPC transport seems all set to WithInsecure(); HTTPS connections not checking certs; some HTTPS connections are unauthenticated
Output encoding on JSON construction. This might lead to further work, as JSON can get written to logs that may be consumed elsewhere.
Non-constant time check on passwords
Lack of re-use / library-ification of code
Who will use these findings and how? Devs, Google, bad guys?
Any new audit tools created from this?
Brad Geesaman, "Hacking and Hardening Kubernetes Clusters by Example [I]" - Brad Geesaman, Symantec: https://www.youtube.com/watch?v=vTgQLzeBfRU
Aaron Small: https://cloud.google.com/blog/products/gcp/precious-cargo-securing-containers-with-kubernetes-engine-18 https://cloud.google.com/blog/products/gcp/exploring-container-security-running-a-tight-ship-with-kubernetes-engine-1-10 https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
CNCF: https://www.youtube.com/watch?v=90kZRyPcRZw
Findings:
Scope for testing:
Source code review (what languages did they have to review?) Golang, shell, ...
Networking (discuss the networking: *internal*, *external*)
Cryptography (TLS, data stores)
AuthN/AuthZ
RBAC (which roles were tested? Just admin/non-admin? *best practice is no admin/least priv*)
Secrets
Namespace traversals
Namespace claims
Methodology:
Set up a bunch of environments? Primarily set up a single environment IIRC
Combination of code audit and active ?fuzzing? What does one fuzz on a K8s environment?
Tested with latest alpha or production versions? Version 1.13 or 1.14 - version locked at whatever was current - K8S releases a new version every 3 months, so this is a challenge and means we have to keep auditing.
Tested multiple different types of k8s implementations? Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)
Bug Bounty program: https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md

Aug 16, 2019 • 50min
2019-031- Dissecting a Social engineering attack (Part 2)
Intro - Ms. DirInfosec "Anna"
Call Centers suffer from wanting to give good customer service and needing to move the call along.
Metrics are tailored to support an environment conducive to these kinds of attacks
https://en.wikipedia.org/wiki/Social_engineering_(security)
Social engineering will prey on people's altruism: "Pregnant woman needing help through the security door", "Person on crutches", "Delivery person with arms full", "Can't remember information, others filling in missing bits"
Call Center Reps are _paid_ to be helpful. "Customer is never wrong"
Creating a sense of urgency to spur action
Real-life scenario: "bob calls asking about status of an order"
Questions:
What were you doing for training prior to these calls? (it's alright if you weren't doing anything) :)
Pre-training audio (#1 and #2)
What was their reaction about the calls received?
Did the training take the first time? What difficulties did you have after the first training?
'Getting better Audio' (#3)
Fake calls? Show examples?
Talk about the training, what kind of training:
Post audio (#4 and #5)
How did your call center reps handle the training?
From a business standpoint, what had to be changed to accommodate the new processes?
https://www.pindrop.com/blog/tackling-113-fraud-increase-call-centers-webinar-recap/
https://www.bai.org/banking-strategies/article-detail/beating-crooks-at-call-center-fraud
@consultingCSO on twitter

Aug 9, 2019 • 54min
2019-030-news, breach of PHI, sephora data breach
https://www.infosecurity-magazine.com/news/95-test-problems/
https://www.databreaches.net/a-misconfigured-aws-bucket-exposed-personal-and-counseling-logs-of-almost-300000-indian-employees/
https://www.scmagazine.com/home/security-news/data-breach/sephora-reports-data-breach-but-few-details/
https://www.infosecurity-magazine.com/news/93-of-organizations-cite-phishing/
https://tresorit.com/blog/the-top-6-takeaways-from-the-2019-cost-of-a-data-breach-report/
Good links:
https://github.com/RedTeamOperations/PivotSuite
https://www.reddit.com/r/security/comments/cks2jd/12gb_of_powershell_malware/

Aug 1, 2019 • 47min
2019-029-dissecting a real Social engineering attack (part 1)
Intro - Ms. DirInfosec "Anna"
Call Centers suffer from wanting to give good customer service and needing to move the call along.
Metrics are tailored to support an environment conducive to these kinds of attacks
https://en.wikipedia.org/wiki/Social_engineering_(security)
Social engineering will prey on people's altruism: "Pregnant woman needing help through the security door", "Person on crutches", "Delivery person with arms full", "Can't remember information, others filling in missing bits"
Call Center Reps are _paid_ to be helpful. "Customer is never wrong"
Creating a sense of urgency to spur action
Real-life scenario: "bob calls asking about status of an order"
Questions:
What were you doing for training prior to these calls? (it's alright if you weren't doing anything) :)
Pre-training audio (#1 and #2)
What was their reaction about the calls received?
Did the training take the first time? What difficulties did you have after the first training?
'Getting better Audio' (#3)
Fake calls? Show examples?
Talk about the training, what kind of training:
Post audio (#4 and #5)
How did your call center reps handle the training?
From a business standpoint, what had to be changed to accommodate the new processes?
https://www.pindrop.com/blog/tackling-113-fraud-increase-call-centers-webinar-recap/
https://www.bai.org/banking-strategies/article-detail/beating-crooks-at-call-center-fraud
@consultingCSO on twitter


