BrakeSec Education Podcast

BrakeingDownIR show #10 GrumpySec appearance? https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887 https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Mitigating-Spectre-variant-2-with-Retpoline-on-Windows/ba-p/295618 https://blogs.technet.microsoft.com/srd/2018/03/15/mitigating-speculative-execution-side-channel-hardware-vulnerabilities/ "Microsoft has added support for the /Qspectre flag to Visual C++ which currently enables some narrow compile-time static analysis to identify at-risk code sequences related to CVE-2017-5753 and insert speculation barrier instructions. This flag has been used to rebuild at-risk code in Windows and was released with our January 2018 security updates. It is important to note, however, that the Visual C++ compiler cannot guarantee complete coverage for CVE-2017-5753 which means instances of this vulnerability may still exist.' Retpoline = "Return Trampoline" "That's because when using return operations, any associated speculative execution will 'bounce' endlessly." https://www.tomshardware.com/news/retpoline-patch-spectre-windows-10,37958.html Cool site (Andrei) *long time podcast supporter* UndertheWire.tech - powershell wargame --- PSRemoting -https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-6 https://www.howtogeek.com/117192/how-to-run-powershell-commands-on-remote-computers/ https://blogs.technet.microsoft.com/askperf/2012/02/17/useful-wmic-queries/ Caveats:Network connection you're on must be set to "private", not public WinRM service has to be enabled on both the local and remote hosts (at least, I think so --brbr) https://www.engadget.com/2019/02/27/dow-jones-watchlist-leaked/ http://time.com/5349896/23andme-glaxo-smith-kline/ http://thunderclap.io/ https://int3.cc/products/facedancer21 - USB Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Bsides Seattle recap (Bryan) New phishing technique to bypass email filters- https://www.helpnetsecurity.com/2019/02/20/phishers-new-trick-for-bypassing-email-url-filters/ https://en.wikipedia.org/wiki/Office_Open_XML_file_formats#Relationships Use after free in Linux kernel: https://securityboulevard.com/2019/02/linux-use-after-free-vulnerability-found-in-linux-2-6-through-4-20-11/ https://www.webopedia.com/TERM/U/use-after-free.html https://cwe.mitre.org/data/definitions/416.html https://www.acodersjourney.com/top-20-c-pointer-mistakes/ https://www.kernel.org/doc/html/v4.14/dev-tools/kasan.html https://nvd.nist.gov/vuln/detail/CVE-2019-8912 Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

https://www.zdnet.com/article/google-working-on-new-chrome-security-feature-to-obliterate-dom-xss/ https://www.owasp.org/index.php/DOM_Based_XSS CSRF - confused deputy https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) Google Cloud Platform - tip tricks, stuff ms. berlin learned Layer 8 conference - Rhode Island'' I was wrong…..cycles don't sync --Ms. Berlin https://health.clevelandclinic.org/myth-truth-period-really-sync-close-friends/ Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

SpecterOps Class: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-boston-june-2019-tickets-54970050902 https://www.secjuice.com/security-researcher-assaulted-ice-atrient/ https://www.csoonline.com/article/3338112/security/vendor-allegedly-assaults-security-researcher-who-disclosed-massive-vulnerability.html Tweet of application teardown: https://twitter.com/duniel_pls/status/1093565709630824448 https://www.zdnet.com/article/linux-kernel-gets-another-option-to-disable-spectre-mitigations/ https://liliputing.com/2019/02/mozillas-project-fission-brings-site-isolation-to-firefox-spectre-and-meltdown-protection.html https://capsule8.com/blog/exploiting-systemd-journald-part-1/ Segue from systemd/journald into: "Super daemon for all daemons" Replaced things like sysvinit, rc.d, and even inetd Lennart Poettering and Kay Sievers Systemd (PID1) Configured using only text files .service .device .swap .timer (.service file of the same time must exist) 'Transient timers can be created' https://wiki.archlinux.org/index.php/Systemd/Timers /etc/systemd/system/foo.timer [Unit]Description=Run foo weekly and on boot[Timer] OnBootSec=15minOnUnitActiveSec=1w [Install] WantedBy=timers.target Logs are in binary format Cgroups - control groups Isolates resource usage (CPU, memory, disk I/O, network, etc) of processes Bound by the same criteria Used a lot of places (hadoop, k8s, docker, LXC) http://without-systemd.org/wiki/index.php/Arguments_against_systemd https://www.freedesktop.org/wiki/Software/systemd/TipsAndTricks/ https://lwn.net/SubscriberLink/777595/a71362cc65b1c271/ http://0pointer.de/blog/projects/systemd.html https://en.wikipedia.org/wiki/Systemd Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Facetime bug update: https://www.cnbc.com/2019/02/01/apple-facetime-bug-fix-and-apology.html ShmooCon discussion Bsides Leeds discussion @largeCardinal @bsidesLeeds https://www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-47028244 https://www.theverge.com/2019/1/27/18195630/gdpr-right-of-access-data-download-facebook-google-amazon-apple https://www.theverge.com/2019/1/25/18198006/uber-jump-electric-scooter-austin-teen-arrested-bank-robbery-police https://www.cnbc.com/2019/01/28/apple-facetime-bug-lets-you-listen-even-if-someone-doesnt-answer.html https://www.news5cleveland.com/news/local-news/oh-cuyahoga/trio-of-current-and-former-officials-indicted-in-cuyahoga-county-corruption-probe https://www.theverge.com/2018/12/28/18159110/centurylink-internet-911-outage-fcc-investigating Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

BIO: Liz Rice is the Technology Evangelist with container security specialists Aqua Security, where she also works on container-related open source projects including kube-hunter and kube-bench. She was Co-Chair of the CNCF's KubeCon + CloudNativeCon 2018 events in Copenhagen, Shanghai and Seattle, and co-author of the O'Reilly Kubernetes Security book. She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not building startups and writing code, Liz loves riding bikes in places with better weather than her native London. Liz Rice (@lizrice on Twitter) https://www.lizrice.com/ https://medium.com/@lizrice/non-privileged-containers-based-on-the-scratch-image-a80105d6d341 https://www.forbes.com/sites/adrianbridgwater/2018/07/23/shift-happens-why-your-software-needs-to-shift-left/#41aac6047f8c https://www.cloudops.com/2018/10/takeaways-from-liz-rice-pop-up-meetup-on-container-security/ https://thenewstack.io/cloud-native-security-patching-with-devops-best-practices/ https://changelog.com/gotime/56 - podcast with Liz https://kubernetes-security.info - co-author of O'Reilly Kubernetes security book https://www.slideshare.net/Docker/dont-have-a-meltdown - Liz Rice/Justin Cormack slides https://www.bbc.com/news/technology-41753022 - NHS ransomware issue in 2017 https://docs.docker.com/config/containers/container-networking/ - docker portmapping https://techbeacon.com/9-practical-steps-secure-your-container-deployment If security needs to "Shift Left", what can devs do to accommodate the change? Everyone will have to make adjustments, not just security… right? Reverse uptime… Forgotten data? Test Driven Development Why do we need security as far left? "We don't patch, we just push a fix, " "We'll fix it in production…" Or we pump more resources to overcome perf issues Is there time for code reviews? "We don't need change management…" https://testssl.sh - @drwetter Automation: How does security that solve security issues? Do Microservices solve everything? What don't they solve? What does security need to embrace to make the shift less painful? What does development need to embrace to make the shift less painful? Cause security wants to get in there… There are already DevSecOps processes a-plenty and many . Why aren't companies adopting them? Maturity? Lack of resources? Negligent devs - how can you ignore the news of breaches? Setting Goals "Start Small" - what's an example of a small goal? Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

intro CFP for Bsides Barcelona is open! https://bsides.barcelona Aaron Guzman: @scriptingxss https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive https://www.owasp.org/index.php/IoT_Attack_Surface_Areas https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html OWASP SLACK: https://owasp.slack.com/ https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg Team of 10 or so… list of "do's and don'ts" Sub-projects? Embedded systems, car hacking Embedded applications best practices? *potential show* Standards: https://xkcd.com/927/ CCPA: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327 How did you decide on the initial criteria? Weak, Guessable, or Hardcoded passwords Insecure Network Services Insecure Ecosystem interfaces Lack of Secure Update mechanism Use of insecure or outdated components Insufficient Privacy Mechanisms Insecure data transfer and storage Lack of device management Insecure default settings Lack of physical hardening 2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014) 2014 list: I1 Insecure Web Interface I2 Insufficient Authentication/Authorization I3 Insecure Network Services I4 Lack of Transport Encryption I5 Privacy Concerns I6 Insecure Cloud Interface I7 Insecure Mobile Interface I8 Insufficient Security Configurability I9 Insecure Software/Firmware I10 Poor Physical Security BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3 OWASP SLACK: https://owasp.slack.com/ What didn't make the list? How do we get Devs onboard with these? How does someone interested get involved with OWASP Iot working group? https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Aaron Guzman: @scriptingxss https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive https://www.owasp.org/index.php/IoT_Attack_Surface_Areas https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html OWASP SLACK: https://owasp.slack.com/ https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg Team of 10 or so… list of "do's and don'ts" Sub-projects? Embedded systems, car hacking Embedded applications best practices? *potential show* Standards: https://xkcd.com/927/ CCPA: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327 How did you decide on the initial criteria? Weak, Guessable, or Hardcoded passwords Insecure Network Services Insecure Ecosystem interfaces Lack of Secure Update mechanism Use of insecure or outdated components Insufficient Privacy Mechanisms Insecure data transfer and storage Lack of device management Insecure default settings Lack of physical hardening 2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014) 2014 list: I1 Insecure Web Interface I2 Insufficient Authentication/Authorization I3 Insecure Network Services I4 Lack of Transport Encryption I5 Privacy Concerns I6 Insecure Cloud Interface I7 Insecure Mobile Interface I8 Insufficient Security Configurability I9 Insecure Software/Firmware I10 Poor Physical Security BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3 OWASP SLACK: https://owasp.slack.com/ What didn't make the list? How do we get Devs onboard with these? How does someone interested get involved with OWASP Iot working group? https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf

Join the combined forces of: Jerry Bell (@maliciousLink) from Defensive Security Podcast! (https://defensivesecurity.org/) Bill Gardner from the "RebootIt! podcast" https://itunes.apple.com/us/podcast/reboot-it/id1256466198?mt=2 Ms. Berlin and Bryan Brake for the end of the year podcast! BrakeSec Podcast = www.brakeingsecurity.com RSS: https://www.brakeingsecurity.com/rss

Mike Samuels https://twitter.com/mvsamuel https://github.com/mikesamuel/attack-review-testbed https://nodejs-security-wg.slack.com/ Hardening NodeJS Speaking engagement talks: A Node.js Security Roadmap at JSConf.eu - https://www.youtube.com/watch?v=1Gun2lRb5Gw Improving Security by Improving the Framework @ Node Summit - https://vimeo.com/287516009 Achieving Secure Software through Redesign at Nordic.js - https://www.facebook.com/nordicjs/videos/232944327398936/?t=1781 What is a package: (holy hell, why is this so complicated?) A package is any of: a) a folder containing a program described by a package.json file b) a gzipped tarball containing (a) c) a url that resolves to (b) d) a @ that is published on the registry with © e) a @ that points to (d) f) a that has a latest tag satisfying (e) g) a git url that, when cloned, results in (a). https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4 https://blog.risingstack.com/node-js-security-checklist/ https://www.npmjs.com/package/trusted-types https://github.com/WICG/trusted-types/issues/31