BrakeSec Education Podcast

We are back with a new episode this week! We got over our solutions for some of the #derbyCon ticket #CTF challenges and include links to some of the challenges. We talk about Windows Event Forwarder, and all log forwarders seem to losing events! Thanks to our Patrons! Gonna be at Derbycon, come see us! Congrats to our Derbycon Ticket CTF winners! Winner: @gigstaggart 2nd Place: @ohai_ninja 3rd Place: @SoDakHib Mr. Boettcher's Challenge (SuperCrypto): https://drive.google.com/open?id=1657hBxRbacJRw0svG1nwzZImON3QFn1t Ms.Berlin's Challenge: potato.file https://drive.google.com/open?id=1Mit7060ipK_JgDDF7sYG3XbMpZ9wyaFN Taters.zip https://drive.google.com/open?id=1TnA16EiwLw2BberHXct8JpEsntT-GWq7 Potatoes.pcapng: https://drive.google.com/open?id=1_IATBw4OGAc7lUc7NXTcucfwU9NAROYN Mr. Brake's Challenge: https://drive.google.com/open?id=1gwGkLjWEZ42NlWiw2Eg8IQnnQAxua7B8 Update on Mental Health GoFundMe: http://www.derbycon.com/wellness Thanks to the #Derbycon organizers for their time and patience on answering the questions posed. Missing event issues: https://social.technet.microsoft.com/Forums/en-US/eddf3f41-db8d-4729-a838-646cbbb45295/missing-events-on-event-subscription?forum=winservergen https://social.technet.microsoft.com/Forums/en-US/cb34f0d3-22df-498c-a782-d1957f6852ac/forwarded-events-subscriptions-missing-information-in-eventdata-section?forum=winserverManagement https://github.com/palantir/windows-event-forwarding https://answers.splunk.com/answers/337939/how-to-troubleshoot-why-im-missing-events-in-my-se.html https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/ https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4 https://4sysops.com/archives/windows-event-forwarding-to-a-sql-database/ https://blogs.technet.microsoft.com/jepayne/2017/12/08/weffles/ http://bpatty.rocks/blue_team/weffles.html https://blogs.technet.microsoft.com/nathangau/2017/05/05/event-forwarding-and-how-to-configure-it-for-the-security-monitoring-management-pack/ Some issues with missing events… Everyone is affected by this! WEF & PowerBI is good for small installations. Any GPOs involved? Can it be done on a server by server basis? Can an attacker simply disable the service once initial access is achieved? Pros and Cons of feeding the WEF output to a MapReduce system? Not sure if they've used it, but WEF vs. winlogbeat vs. NxLog? Need a config? Get some examples here for nxlog, winlogbeat, filebeat, Windows Logging Service and other stuff... https://www.malwarearchaeology.com/logging/ Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

CTF information: Official site: https://scoreboard.totallylegitsite.com (thanks Matt Domko (@hashtagcyber) for hosting and allowing us to use his employee discount!) Please do not pentest the environment, not DDoS, nor cause anything undesirable to happen to the site. View the page, submit the flags, leave everything else alone... Derbycon Auction - starts September 8th at 9am Pacific Time Slack only - Opening bid is $175 Increments of $25 only 100% goes to Chris Sanders' "Rural Technology Fund" https://ruraltechfund.org/donate/ Amanda's mental health workshop - AWESOME! http://www.derbycon.com/wellness/ https://www.gofundme.com/derbycon-mental-health-amp-wellbeing Mandy Logan - hacking her way out of a coma! https://www.gofundme.com/hacking-recovery-brainstem-stroke https://www.theverge.com/2018/8/24/17776836/tmobile-hack-data-breach-personal-information-two-million-customers https://www.tomsguide.com/us/tmobile-breach-2018,news-27876.html https://art-of-lockpicking.com/single-pin-picking-skills/ Lockpicking - Mr. Boettcher discusses (I have thoughts too --brbr) Tools: Tension Wrench Picks Parts of lock: Cylinder Driver Pins Key Pins Springs Sites: https://toool.us/ https://art-of-lockpicking.com/how-to-pick-a-lock-guide/ - This is a good guide if you can get past the ADs Mr. Boettcher introducing JGOR audio (@indiecom) totally not @jwgoerlich Btw: https://www.flickr.com/photos/36152409@N00/sets/72157700237001915/ https://www.trustedsec.com/2018/08/tech-support-scams-are-a-concern-for-all/ https://twitter.com/InfoSystir/status/1032343381328973827 #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Post-Hacker Summercamp IppSec Walkthroughs Brakesec Derbycon ticket CTF - Drama - (hotel room search gate) AirconditionerGate Personal privacy Ask for ID Call the front desk Use the deadbolt - can be bypassed Plug the peephole with TP Hotel rooms aren't secure (neither are the safes) Probably the most hostile environment infosec people go into to try and be secure/private https://247wallst.com/technology-3/2018/08/13/25-of-known-computer-security-vulnerabilities-have-no-fix/ This is the company behind a sort-of threat intel site (vulnDB) The original marketing site I figured it was marketing… it smacked of a 'buy our product' site\, but we don't have to mention vulnDB https://www.informationsecuritybuzz.com/expert-comments/over-146-billion-records/ Based on study by Juniper Research https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

HTTPS on www.brakeingsecurity.com, Libsyn RSS syncing of itunes/google Play is over TLS Amanda giving a talk at Diana Initiative Derbycon Talk - mental health Volunteer/Topic request form - https://goo.gl/forms/wAiLW5Dh5h0MR5bO2 http://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/ https://blogs.technet.microsoft.com/teamdhcp/2015/11/23/network-forensics-with-windows-dns-analytical-logging/ https://blogs.technet.microsoft.com/secadv/2018/01/22/parsing-dns-server-log-to-track-active-clients/ https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/tracelo #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Godfrey Daniels - author of "Adventures with the Mojave Phone Booth" on sale at mojavephoneboothbook.com https://en.wikipedia.org/wiki/Mojave_phone_booth https://www.tripsavvy.com/the-mojave-phone-booth-1474047 https://www.dailydot.com/debug/mojave-phone-booth-back-number/ https://www.npr.org/2014/08/22/342430204/the-mojave-phone-booth https://www.reddit.com/r/UnresolvedMysteries/comments/7wjq4a/cipher_broadcast_the_mojave_phone_booth_is_back/ https://twitter.com/mojavefonebooth https://www.google.com/maps/place/Mojave+Phone+Booth/@35.2873088,-115.6911087,3155m/data=!3m1!1e3!4m5!3m4!1s0x80c587e7172e7259:0xbc30709b3558dd90!8m2!3d35.2856782!4d-115.6844312 https://www.theatlantic.com/technology/archive/2017/02/object-lesson-phone-booth/515385/ http://deathvalleyjim.com/cima-cinder-mine-mojave-national-preserve/ https://twitter.com/_noid_?lang=en https://www.monoprice.com/product?p_id=8136&gclid=CjwKCAjwy_XaBRAWEiwApfjKHuwvafwlgj6K3bNw6Qoy06i0KlXrTcPu8RLUSnhdEur5Y8PlVNaB1hoClJoQAvD_BwE http://www.mojavephonebooth.com/ - movie based on the phone booth itself, not the book #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Stories and topics we covered: https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/ https://osquery.io/ https://www.propublica.org/article/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates https://medium.com/netflix-techblog/netflix-sirt-releases-diffy-a-differencing-engine-for-digital-forensics-in-the-cloud-37b71abd2698 Join our #Slack Channel! Email us at bds.podcast@gmail.com or DM us on Twitter @brakesec #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Sorry, this week's show took an odd turn, and we don't have much in the way of show notes... Ms. Berlin is recovering from knee surgery, and we wish her a speedy recovery. Bryan B. got back from BsidesSPFD, MO this week, after what was a well-received talk on building community. Lots of other excellent talks from speakers like Ms. Sunny Wear , and impromptu panel with Ben Miller and a whole host of others, including: @icssec @bethayoung @ViciousData @killianditch @fang0654 @SunnyWear @awsmhacks @sysopfb @killamjr We started talking about malware, and we ended up discussing a new channel in the BrakeSec Slack on #threatHunting. Appears there's a lot of information out there on the topic, so much so, that SANS is having a whole conference around it. https://www.sans.org/event/threat-hunting-and-incident-response-summit-2018 @icssec @bethayoung @bryanbrake @ViciousData @killianditch @fang0654 @SunnyWear @awsmhacks @sysopfb @killamjr

Ben Caudill @rhinosecurity Spencer Gietzen @spengietz Rhino Security - https://rhinosecuritylabs.com/blog/ AWS escalation and mitigation blog - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ What is the difference between this and something like Scout or Lynis? Is it a forensic or IR tool? How might offensive people use this tool? What is possible when you're using this as a 'redteam' or 'pentesting' tool? S3 bucket perms? Security Group policy fails Some of the hardening policies for Security groups? RDS? Where are you speaking… BSLV? DefCon? https://aws.amazon.com/whitepapers/aws-security-best-practices/ https://d1.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf https://aws.amazon.com/whitepapers/ https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/ https://aws.amazon.com/blogs/security/how-to-enable-mfa-protection-on-your-aws-api-calls/ Slack Patreon Bsides Springfield Join our #Slack Channel! Email us at bds.podcast@gmail.com or DM us on Twitter @brakesec #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Raymond Evans - CTF organizer for nolacon and Founder of CyDefe Labs @cydefe CTF setup / challenges of setting up a CTF. Beginners & CTFs Types tips/tricks Biggest downfalls of CTF development https://www.heroku.com/ www.exploit-db.com BrakeSec DerbyCon @dragosinc dragos.com DNS Enumeration: https://github.com/nixawk/pentest-wiki/blob/master/1.Information-Gathering/How-to-gather-dns-information.md DNS Tools: https://dnsdumpster.com/ https://tools.kali.org/information-gathering/theharvester DNS Tutorial https://www.youtube.com/watch?v=4ZtFk2dtqv0 (A cat explains DNS) https://pentestlab.blog/tag/dns-enumeration/ DNS Logging detailed DNS queries and responses can be beneficial for many reasons. For the first and most obvious reason is to aid in incident response. DNS logs can be largely helpful for tracking down malicious behavior, especially on endpoints in a DHCP pool. If an alert is received with a specific IP address, that IP address may not be on the same endpoint by the time someone ends up investigating. Not only does that waste time, it also gives the malicious program or attacker more time to hide themselves or spread to other machines. DNS is also useful for tracking down other compromised hosts, downloads from malicious websites, and if malware is using Domain Generating Algorithms (DGAs) to mask malicious behavior and evade detection. NOTE: However if a Microsoft DNS solution (prior to server 2012) is in use, according to Microsoft, "Debug logging can be resource intensive, affecting overall server performance and consuming disk space. Therefore, it should only be used temporarily when more detailed information about server performance is needed." From Server 2012 forward DNS analytic logging is much less resource intensive. If the organization is using BIND or some DNS appliance, it should have the capability to log all information about DNS requests and replies. How difficult has that become with the advent of GDPR and whois record anonymization? Join our #Slack Channel! Email us at bds.podcast@gmail.com or DM us on Twitter @brakesec #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

After the recent Tesla insider threat event, BrakeSec decided to discuss some of the indicators of insider threat, what can be done to mitigate it, and why it happens. news stories referenced: https://www.infosecurity-magazine.com/news/teslas-tough-lesson-on-malicious/ https://www.scmagazine.com/tesla-hit-by-insider-saboteur-who-changed-code-exfiltrated-data/article/774472/ https://en.wikipedia.org/wiki/Insider_threat https://en.wikipedia.org/wiki/Insider_threat_management Join our #Slack Channel! Email us at bds.podcast@gmail.com or DM us on Twitter @brakesec #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec