BrakeSec Education Podcast

Bryan Brake, Amanda Berlin, and Brian Boettcher
Jan 27, 2018 • 1h 7min

2018-003-Privacy Issues using Crowdsourced services,

Back in late 2017, we did a show about Expensify and how the organization was using a service called 'Amazon Mechanical Turk' (MTurk) to process receipts and to help train their machine learning algorithms. You can download that show and listen to it here: 2017-040

#infosec people on Twitter and elsewhere were worried about #privacy issues, as examples of receipts on MTurk included things like business receipts, medical invoices, travel receipts and the like.

One of our Slack members (@nxvl) reached out on our #Slack channel after the show and said that his company uses services like these. They use them to test applications, for unit testing, and for the creation of test cases for training and refinement of their own applications and algorithms. We discuss the privacy implications of employing these services, how to reduce the chances of data loss, the technology behind how they make the testing work, and what other companies should do if they want to employ MTurk or other 3rd parties.

Direct Show Download: http://traffic.libsyn.com/brakeingsecurity/2018-003-MTurk-NXVL-privacy_issues_using_crowdsourced_applications.mp3

ANNOUNCEMENTS:

Ms. Amanda Berlin is running 4 sessions of her workshop "Disrupting the Killchain" starting on the 4th of February at 6:30pm Pacific Time (9:30 Eastern Time). If you would like to sign up, the fee is $100 and you can send that to our PayPal account at https://paypal.me/BDSPodcast
Course Syllabus: https://docs.google.com/document/d/12glnkY0nxKU9nAvekypL4N910nd-Nd6PPvGdYYJOyR4/edit

If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box #HITB Amsterdam conference, which will take place between 9 and 13 April 2018. Tickets are already on sale, and using the checkout code 'brakeingsecurity' gets you a 10% discount.
Register at https://conference.hitb.org/hitbsecconf2018ams/register/

#Spotify: https://brakesec.com/spotifyBDS
RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
Join our #Slack Channel! Email us at bds.podcast@gmail.com or DM us on Twitter @brakesec
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Show Notes:
- Mr. Boettcher gave a talk (discuss) http://DETSec.org
- Brakeing Down Incident Response Podcast
- Amanda's class (starts 4 February, $100 for 4 sessions, $50 for early video access)
- I need to mention HITB Amsterdam
- David's Resume Review -- BSides Nash Resume Review
- SANS SEC504 Mentor course
- Guest: Nicolas Valcarcel, Twitter: @nxvl
- Possible news to discuss: https://www.reddit.com/r/sysadmin/comments/7sn23c/oh_security_team_how_i_loathe_you_meltdown/
- Mechanical Turk: https://www.mturk.com/
- CircleCI 2.0: https://circleci.com/docs/2.0/
- TaskRabbit: https://www.taskrabbit.com/
- Historically: https://en.wikipedia.org/wiki/The_Turk
- Expensify using Amazon Mechanical Turk:
  https://www.theverge.com/2017/11/28/16703962/expensify-receipts-amazon-turk-privacy-controversy
  https://www.wired.com/story/not-always-ai-that-sifts-through-sensitive-info-crowdsourced-labor/
  FTA: "I wonder if Expensify SmartScan users know MTurk workers enter their receipts. I'm looking at someone's Uber receipt with their full name, pick up, and drop off addresses," Rochelle LaPlante, a Mechanical Turk worker who is also a co-administrator of the MTurk Crowd forum, wrote on Twitter.
- https://www.dailydot.com/debug/what-is-amazon-mechanical-turk-tips/
  "About those tasks, they're called HITs, which is short for Human Intelligence Tasks. A single HIT can be paid as low as a penny but may take only a couple seconds to complete. Requesters often list how long a task is supposed to take, along with the nature of the work and the requirements for completing the work."
  "Since mTurk has been around for over a decade, Amazon has created a special class of workers called Masters Qualification. Turkers with masters have usually completed over 1,000 HITs and have high approval ratings."
  Kind of like a Yelp for HIT reviewers?
- Are companies like Expensify aware of the data that could be collected and analyzed by 3rd parties? Is it an acceptable risk?
- Privacy questions to ask of companies that employ ML/AI tech: Are they using MTurk or the like for training their algos? Are they using Master level doers for processing?

Nxvl links:
- Securely Relying on the Crowd (paper draft): https://github.com/nxvl/crowd-security/blob/master/Securely%20relying%20on%20the%20Crowd.pdf
- How to Make the Most of Mechanical Turk: https://www.rainforestqa.com/blog/2017-10-12-how-to-make-the-most-of-mechanical-turk/
- How We Maintain a Trustworthy Rainforest Tester Network: https://www.rainforestqa.com/blog/2017-08-02-how-we-maintain-a-trustworthy-rainforest-tester-network/
- The Pros and Cons of Using Crowdsourced Work: https://www.rainforestqa.com/blog/2017-06-06-the-pros-and-cons-of-using-crowdsourced-work/
- How We Train Rainforest Testers: https://www.rainforestqa.com/blog/2016-04-21-how-we-train-rainforest-testers/
- AWS re:Invent: Managing Crowdsourced Testing Work with Amazon Mechanical Turk: https://www.rainforestqa.com/blog/2017-01-06-aws-re-invent-crowdsourced-testing-work-with-amazon-mturk/
- Virtual Machine Security: The Key Steps We Take to Keep Rainforest VMs Secure: https://www.rainforestqa.com/blog/2017-05-02-virtual-machine-security-the-key-steps-we-take-to-keep-rainforest-vms/

Jan 20, 2018 • 1h 3min

2018-002-John_Nye-Healthcare's_biggest_issues-ransomware

John Nye (@EndisNye_com) is the VP of Cybersecurity Strategy at healthcare consultancy #CynergisTek. He's in the process of writing a whitepaper about the issues that are still plaguing healthcare. While every industry in the world has to deal with #security issues, the stakes are highest, and most personal, in healthcare. Because healthcare data is highly sensitive, a breach can cause major problems for the individual and the #healthcare organization, in addition to embarrassment and sometimes extortion or blackmail. We go over some of the things he's found, and discuss how we could address these issues.

Ms. Berlin's course "Disrupting the Kill Chain" is planned to start on the 5th of February, and will be 4 sessions, with new material if you've seen her workshop at previous conferences. The cost of the class will be $100 USD for access to our Zoom webex. If you'd like to gain access to the videos we'll have for the class, you can buy access to them for $50 USD. Sign up with our Paypal link: Paypal -- When paying, if you want us to send you a different email from your Paypal email, please add it to the 'NOTE' section during your payment.

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2018-002-John_Nye-Healthcares-biggest_issues-ransomware.mp3

From our friends at Hack In the Box Amsterdam: "We are gearing up for the Hack In The Box Amsterdam 2018, which is now on its 9th edition, and will take place between the 9th and 13th April at the same venue as last year, the Grand Krasnapolsky hotel in the center of Amsterdam: https://conference.hitb.org/hitbsecconf2018ams/ The list of trainings is already published and looking as awesome as ever: https://conference.hitb.org/hitbsecconf2018ams/training The CFP is open and the review board is already hard at work with the first submissions."

"If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 9 and 13 April 2018. The Call For Papers is open until the end of December, submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount."

Jan 12, 2018 • 1h 6min

2018-001- A new year, new changes, same old trojan malware

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-001-A_new_year-new_changes-same_old_malware.mp3

The first show of our 2018 season brings us something new (some awesome new additions to our repertoire), and something old (ransomware). Michael Gough is joining us to discuss a new partnership with BrakeSec Podcast (you'll have to listen to find out, or wait a few weeks :D ).

We discuss the #Spectre and #Meltdown vulnerabilities, wonder about the criticality of the vulnerabilities and their mitigation, and debate why the patching was handled in such a poor manner. We also discuss a news story about a school that spent an exorbitant amount of money to remove a trojan that Mr. Boettcher (@boettcherpwned) and Mr. Gough (@hackerhurricane) believe could have been handled very simply. We talk about the need for state and local governments and institutions to have some way to call for help with breaches or a 'cyber' crisis, through a no-blame assistance helpline.

I did a quick video, which has a demonstration of Dave Kennedy's security tool "Pentester Framework" (PTF). There's even a video of the demo on our Youtube Channel (https://youtu.be/sIc1ljkwE5Q).

Finally, we discuss our upcoming training with Ms. Berlin (@infosystir), "Disrupting the Cyber Kill Chain", which will start the first week of February and go for 4 weeks. More details next week!

---Show Notes---
Music change
- Couldn't remember where I got the other music
Little more news than we used to
- Try to shy away from news everyone will talk about
Brakeing Down Incident Response (BD-IR) podcast
- Hosted by Mr. Boettcher and Michael Gough
- Vendor talks
- Sponsors (provisionally)
News:
- http://www.zdnet.com/article/wpa3-wireless-standard-tougher-wifi-security-revealed/
- https://threatpost.com/new-rules-announced-for-border-inspection-of-electronic-devices/129361/
- https://www.tripwire.com/state-of-security/latest-security-news/school-district-spend-314k-rebuilding-servers-malware-attack/
Upcoming Training:
- Amanda? - Cyber KillChain training. Dates: Feb 5-26, Mondays at 9:30pm (4 one-hour sessions)
- Matt Miller - Reverse Engineering course. More advanced, still working on details with him (no promises yet)
- Michael Gough - Malware Archaeology
  - Austin - Feb or March - 1 Day Logging training - see AustinISSA.Org
  - Houston - April 3rd - 1 Day - HouSecCon: Preparing and Responding to an endpoint incident, what to configure, and look for
  - Tulsa - April 11-12th - 2 Days - BSides Oklahoma: Introduction to responding to an endpoint incident, Malware Discovery, what to configure, and look for
Job postings on our Slack
- Sr. Manager, Vuln Mgmt, Amazon (Herndon, VA)
- Michael Fourdraine @mfourdraine has several positions on his team in Bellevue, WA. He's on Twitter (https://twitter.com/mfourdraine) or join us in our Slack. Many positions he has will relocate you to lovely Bellevue, WA
- MG just posted "James Avery Information Security Manager"
Teaching a mentor course in Seattle (SEC504) starting March 1st.
- Sign up: https://www.sans.org/mentor/class/sec504-seattle-01mar2018-bryan-brake
- Great if you work a job where you get called a lot
- Less likely to have to get up during class and walk away…
Bit of a technical discussion - PTF (pentester framework)
- Setup, install software
- Lighter than Kali
- Works on Debian, Ubuntu, pretty much any Linux
Slack
- Invite only
- Slack bot died
- A new link every month is a bit of a PITA
- Being popular invites bots… would like to reduce that risk by broadcasting an invite
Friend of mine was invited to speak on "A man's view of women in technology" O.o (http://www.cmhwit.org/)
"John ---- Actually, my plan at this point is to interview several of the successful women I know in technology, followed by personal observations of how I've seen them become well respected leaders in the field."

Dec 23, 2017 • 1h 26min

2017-SPECIAL005-End of year Podcast with podcasters

As is tradition (or is becoming one around here), we like to get a bunch of podcasters together and just talk about our year. No prognostications, a bit of silliness, and we still manage to get in some great infosec content. Please enjoy! And please seek out these podcasts and have a listen!

Slight warning: some rough language

People and podcasts in attendance:
- Tracy Maleef (@infosecSherpa)
- Purple Squad Security Podcast (@purpleSquadSec) - John Svazic (@JohnsNotHere)
- Advanced Persistent Security (@advpersistsec) - Joe Gray (@C_3PJoe)
- Danny Akacki (@dakacki) - RallySec Podcast (@rallysec)
- Nate L (@gangrif) - Iron Sysadmin Podcast (@ironsysadmin)

*NEW* we are now on Spotify!: https://brakesec.com/spotifyBDS
Join our #Slack Channel! Sign up at https://brakesec.com/Dec2017BrakeSlack or DM us on Twitter, or email us.

Dec 16, 2017 • 1h 7min

2017-042-Jay beale, Hushcon, Apple 0Day, and BsidesWLG audio

Ms. Berlin and Mr. Boettcher are on holiday this week, and I (Bryan) went to Hushcon (www.hushcon.com) last week (8-9 Dec 2017). Lots of excellent discussion and talks. While there, our friend Jay Beale (@jaybeale) came on to discuss Hushcon, as well as some recent news. Google released an 0day for Apple iOS, and we talk about how jailbreaking repos seem to be shuttering, because there have not been as many vulns found that allow for jailbreaking iDevices.

We also went back and discussed some highlights of the DFIR hierarchy show from last week (https://brakesec.com/2017-041), and some real world examples from someone who has seen it on a regular basis. Jay's insights are something you shouldn't miss.

Finally, Ms. Berlin went to New Zealand and gave a couple of talks at BSides Wellington (@bsideswlg). She interviewed Chris Blunt (https://twitter.com/chrisblunt) and "Olly the Ninja" (https://twitter.com/Ollytheninja) about what makes a good con.

Direct Link: https://brakesec.com/2017-042

--Show Notes--
https://github.com/int0x80/githump
http://ptrarchive.com/
https://hunter.io/
https://www.data.com/
https://techcrunch.com/2017/11/27/ios-jailbreak-repositories-close-as-user-interest-wanes/
https://securelist.com/unraveling-the-lamberts-toolkit/77990/

Dec 8, 2017 • 1h 2min

2017-041- DFIR Hierarchy of Needs, and new malware attacks

Maslow's Hierarchy of Needs was developed with the idea that the most basic needs must be satisfied to allow for the continued successful development of the person, and of the community inevitably created by people seeking the same goals. DFIR is much the same way, in that there are certain necessary basics needed to ensure that you can detect, respond to, and reduce the possible damage inflicted by an attack. In my searching, we saw a tweet about a #github repo from Matt Swann (@MSwannMSFT) with just such a '#DFIR hierarchy of needs'. We discuss everything that is needed to build out a proper DFIR program.

Mr. Boettcher discusses with us the latest #malware trends: using existing compromised email accounts to spread via threaded emails.

Direct Download Link: https://brakesec.com/2017-041

--Show Notes--
Malware report
- https://www.lastline.com/labsblog/when-scriptlets-attack-excels-alternative-to-dde-code-execution/
- https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html
https://github.com/swannman/ircapabilities - DFIR Hierarchy
- Based on Maslow's Hierarchy of Needs: https://en.wikipedia.org/wiki/Maslow's_hierarchy_of_needs
- Requirements must be met before you can move on.
- It's not perfect, but gives a general idea of how needs should be met.

Nov 30, 2017 • 47min

2017-040-Expensify_privacy_issues-Something_is_rotten_at_Apple

With Mr. Boettcher out this week due to family illness, Ms. Berlin and I discussed a little bit of what is going on in the world.

Expensify unveiled a new 'feature' where random people would help train their AI to better analyze receipts. The problem is that the random people could see medical receipts, hotel bills, and other PII. We discuss how they allowed this and the press surrounding it. We also discuss why these kinds of issues are prime reasons to do periodic vendor reviews.

Our second story was on Apple's "passwordless root" account. We talk about the steps to mitigate it, why it was allowed to happen, and why the most straightforward methods of dealing with something like this may not always be the best way.

Direct Link: https://brakesec.com/2017-040

---Show Notes---
Agenda:
- Trip report from Amanda to New Zealand
- Did we talk about Amanda's appearance on PSW?
- Discuss last week's show about custom training. Comments? Suggestions for custom training solutions?
- https://www.sans.org/mentor/class/sec504-seattle-01mar2018-bryan-brake

Expensify
- https://www.wired.com/story/not-always-ai-that-sifts-through-sensitive-info-crowdsourced-labor/
- https://www.theverge.com/2017/11/28/16703962/expensify-receipts-amazon-turk-privacy-controversy
- How is this different than, say, a medical transcriptionist?
- Don't you go in and modify the receipts yourself? Or is that a feature you can force?
- It's a privacy issue: hotel receipts, boarding passes, even medical receipts
- Turn off 'smart scan'? Many companies like using it, and some will only accept smart scanned receipts
- Fat fingering receipts isn't 'cool'. Snap a photo, move along
- Expensify is global, and could have wide reaching effects for this new 'feature'...
- Expensify used Mechanical Turk, a 'human intelligence tasks' service: micropayments to do menial tasks
- Example of why periodic review of your 3rd parties is necessary
  - New 'features' = new nightmares
  - Privacy requirements change
  - Functionality not in alignment with your business goals

Apple 'passwordless root'
- http://appleinsider.com/articles/17/11/29/apple-issues-macos-high-sierra-update-to-fix-password-less-root-vulnerability
- High Sierra before today (29 November 2017) had the ability to login as root with no password… That is a problem…
- Original Tweet: https://twitter.com/lemiorhan/status/935578694541770752
- It also works on remote services, like ARD (Apple Remote Desktop), and file shares…
- Rolling IR
  - Was it necessary? Serious, yes
  - Was discovered two weeks prior: https://forums.developer.apple.com/thread/79235
  - Dev (chethan177) on the forum "didn't realize it was a security issue"
- Easy enough fix (Bryan IR story)
  - Open Terminal
  - sudo passwd root
  - Change password
- Do you trust users to do that? Not across a large enterprise

Nov 23, 2017 • 43min

2017-039-creating custom training for your org, and audio from SANS Berlin!

This week is a bit of a short show, as Ms. Berlin and Mr. Boettcher are out this week for the holiday. I wanted to talk about something that I've started doing at work... creating training... custom training that can help your org get around the old style training.

Also, we got some community audio from one of our listeners! "JB" went to a SANS event in Berlin, Germany a few weeks ago, and talked to some attendees, as well as Heather Mahalik (@HeatherMahalik), instructor of FOR585: Advanced Smartphone Forensics. Take a listen and we hope you enjoy it!

Direct Link: https://brakesec.com/2017-039
Join our #Slack Channel! Sign up at http://brakesec.com/brakesec or DM us on Twitter, or email us.

---Show notes (from Bryan and JB)---
Ms. Berlin in New Zealand
Mr. Boettcher with the family

Training
- What makes us despise training so much?
  - Cookie cutter
  - Scenarios do not match environments
  - Speaking is a little too perfect
  - Flash based UI is horrible
  - Outdated
  - Easy questions
- Infosec training is worse
  - 2 hours of training each year
  - Not effective
- Why not make your own?
  - Been doing it at work
  - No more than 7 minutes
  - Custom made, tailored for your own company
  - Do your training like a talk at a con
  - Time limit: 7 minutes (no more than 10 minutes)
  - Create some slides (5-7 slides)
  - Do it on a timely topic: recent tabletop exercise results, recent incident response, phishing campaign
  - Script or no-script required? Sometimes talking plainly can be enough
- Tools
  - https://screencast-o-matic.com/ - Windows (free version is 7 minutes long)
  - Quicktime - OSX (free) (Screenflow)
  - Handbrake (convert to MKV or MP4)
  - Microphone (can use internal microphones if you have a quiet place)

[begin notes: SANS Berlin REMOTE segment]
Corresp. JB; reach JB at @cherokeejb_ on brakesec Slack, Twitter, & infosec.exchange
- Link to all trainers and info from the archive, SANS Berlin 2017: https://www.sans.org/event/berlin-2017/
- Pre-NetWars chat with the SEC 503 class:
  - What do you like about SANS conferences
  - European privacy laws, even country to country!
  - Biggest priority for next year: building a SOC, working together with sales, asset management, constant improvement, password reuse
- Special BrakeSec members only cameo
- "Bring your own device" interview with an Information Security/forensics professional: password elimination or no reuse
- Interview with Heather Mahalik (@HeatherMahalik). Bio: https://www.sans.org/instructors/heather-mahalik
  - "Game over": WhatsApp, unpatched Android, other known-historically weak tools as "assume breach of mobile"
  - Intersection of network forensics and mobile
  - Open source tools and the lack of them, how to judge your tools
  - Heather's recent blog
  - Getting into mobile, decompiling, etc.
  - Number one topic for next year: encryption for Android 8 Oreo, iOS 12
  - "Most popular Android is still v4.4"
  - Heather's blog we mentioned: http://smarterforensics.com
  - Link to the book Heather mentioned: https://www.amazon.com/Practical-Mobile-Forensics-Heather-Mahalik/dp/1786464209/
- Link to blog mentioned, JB's initial reflections on SEC 503: https://www.linkedin.com/pulse/whaaaa0101-0000-0011t-aka-extracting-files-out-pcaps-foremost
- JB's blog main link, or if you're not a fan of LinkedIn: https://cherokeejb.blogspot.de/
- Small featured music clips used with permission from YGAM Records, Berlin: "Ж" by the artist Ōtone (Pablo Discerens), (c)(p)2016. Get it for free or donate at http://ygam.bandcamp.com
- Book club EMEA! Message JB or David (@dpcybuck) or any of us on brakesec Slack if you want to take part in the book club conversations live, but can't make the main call!
---[end segment]

Nov 15, 2017 • 56min

2017-038- Michael De Libero discusses building out your AppSec Team

Direct Link: https://brakesec.com/2017-038

Michael De Libero spends his work hours running an application security team at a game development company. I (Bryan) was really impressed at the last NCC Group Quarterly meetup when he gave a talk (not recorded) about how to properly build out your Application Security Team. So I asked him on, and we went over the highlights of his talk. Some of the topics included:
- Discussing your manpower issues with management
- Who to include in your team
- Communication between teams

RSS: https://brakesec.com/BrakesecRSS
Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
Join our #Slack Channel! Sign up at http://brakesec.com/brakesec or DM us on Twitter, or email us.
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on #Patreon: https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

----SHOW NOTES:
- Amanda's appearance on PSW
- Building an AppSec Team - Michael de Libero (@noskillz)
- https://techbeacon.com/owasp-top-ten-update-what-your-security-team-needs-know
- https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
- https://www.veracode.com/blog/2012/02/how-to-build-an-appsec-training-program-for-development-teams-a-conversation-with-fred-pinkett
- Michael's slides: https://docs.google.com/presentation/d/1Bvl2rybuWMdOu3cs03U85zwAvrM1RNxv99Dt-YiGiys/edit?usp=sharing

Random notes from Mike:
- Hiring
- Web apps vs. more traditional apps: release cycles differ, tech stacks can often differ, orgs are different, etc.
- Testing focus vs. "security health"
- Role of management
- Managing a "remote" team
- Handling incoming requests from other teams
- How do you sell a company on having an appsec team if they don't have one?
- If you have an existing "security team", how easy is it to augment that into an appsec team?
- Can you do job rotation with some devs? Do devs care enough to want to do code audits? "That's not in my job description"
- Skills needed in an appsec team: does it depend on the tech used, or the tech you might use?
- Internal security vs. consultants

Also mentioned: the Intro to RE course with Tyler Hudak, and Amanda Berlin speaking at BSides Wellington.
Nov 8, 2017 • 52min

2017-037 - Asset management techniques and its importance, DDE malware

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-037-asset_management.mp3

We started off the show talking to Mr. Boettcher about what DDE (Dynamic Data Exchange) is and how malware is using this very legacy Windows component (it dates back to Windows 2.0) to propagate through MS Office documents and spreadsheets. We also talk about how to protect your Windows users from this.

We then get into why it's so important to have proper asset management in place. Without knowing what is in your environment, you can end up with gaps in coverage of your anti-virus/EDR software, be unable to patch systems properly, and even make lateral movement easier for an attacker.

Finally, we discuss our recent "Introduction to Reverse Engineering" course with Tyler Hudak (@secshoggoth), and Ms. Berlin's upcoming trip to New Zealand.

SHOW NOTES:
- O'Reilly con report
- Malware report from Mr. Boettcher
- DDE (Dynamic Data Exchange), all the rage:
  - https://en.wikipedia.org/wiki/Windows_2.0
  - https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27325/en_US/McAfee_Labs_Threat_Advisory-W97MMacroLess.pdf
  - http://home.bt.com/tech-gadgets/computing/10-facts-about-windows-2-11364027546216
  - https://www.ghacks.net/2017/10/23/disable-office-ddeauto-to-mitigate-attacks/
- Why asset management? Know what's in your environment.
- CIS Top 20... no wait, it's the TOP THREE of the 20. It all builds on this: know what's in your environment.
  - http://www.open-audit.org/
  - https://metacpan.org/pod/App::Netdisco <- NetDisco (great for network equipment)
- Where do you store that data? Or is it enough to know where to get it?
- Systems you can pull asset data from: patching systems, Chef, WSUS, FIM systems (Tripwire), DLP systems, vuln scanners, AV/EDR management, router/switch tables, DNS
- Asset management systems are a gold mine for an attacker: names, IPs, email addresses
- Coverage gaps in these systems will cause you to lose asset visibility
- http://www.businessinsider.com/programmer-automates-his-job-2015-11
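To make the DDE discussion above concrete, here is an added example (our own, not code from the podcast or from any of the advisories linked in the notes) that scans a .docx for DDE field codes. A .docx is a zip of XML parts, and a DDEAUTO "payload" is just a Word field, which is why the McAfee advisory above calls the samples macro-less: there is no VBA to block. The scanner handles the two ways a field is stored (w:fldSimple and fldChar begin/end with w:instrText runs), joins instructions that have been split across runs, and decodes the nested QUOTE-with-character-codes trick that hides the literal string DDEAUTO. The three sample documents are constructed inline for the example; the file layout is an assumption limited to the parts the scanner reads.

```python
"""Find DDE / DDEAUTO field codes in a .docx (added example, not the show's code)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
QUOTE_RE = re.compile(r"\bQUOTE((?:\s+\d+)+)", re.IGNORECASE)


def decode_quote(instr: str) -> str:
    """Replace 'QUOTE 68 68 69 ...' with the characters those codes spell."""
    return QUOTE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split()), instr)


def field_instructions(part_xml: bytes) -> list[str]:
    """Top-level field instructions in one XML part, nested fields folded in.

    Simplification: a nested field's decoded instruction stands in for its
    result, which is exact for the QUOTE trick and good enough for triage.
    """
    root = ET.fromstring(part_xml)
    # simple form: <w:fldSimple w:instr="..."/>
    fields = [decode_quote(el.get(W + "instr", "")) for el in root.iter(W + "fldSimple")]
    # complex form: fldChar begin ... instrText runs ... fldChar end
    stack: list[list[str]] = []
    for el in root.iter():                      # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                instr = decode_quote("".join(stack.pop()))
                if stack:
                    stack[-1].append(instr)     # nested field feeds its parent
                else:
                    fields.append(instr)
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")     # join runs: "DDE" + "AUTO ..."
    return fields


def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Whitespace-normalised DDE field instructions found under word/."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # headers, footers and footnotes are just as valid a hiding place
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in field_instructions(z.read(name)):
                    norm = " ".join(instr.split())
                    if DDE_RE.search(norm):
                        hits.append(norm)
    return hits


def make_docx(document_xml: str) -> bytes:
    """Build a minimal in-memory .docx holding only the part this scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


_HEAD = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
         'wordprocessingml/2006/main"><w:body><w:p>')
_TAIL = "</w:p></w:body></w:document>"

# Constructed sample 1: the plain simple-field form.
SIMPLE_DDE = make_docx(_HEAD + r"""<w:fldSimple w:instr='DDEAUTO c:\windows\system32\cmd.exe "/c echo hi"'/>""" + _TAIL)

# Constructed sample 2: DDEAUTO spelled via a nested QUOTE field, rest split over runs.
OBFUSCATED_DDE = make_docx(_HEAD + r"""
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText>QUOTE 68 68 69 65 85 84 79</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>DDEAUTO</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
<w:r><w:instrText xml:space="preserve"> c:\windows\system32\</w:instrText></w:r>
<w:r><w:instrText>cmd.exe "/c echo hi"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
""" + _TAIL)

# Constructed sample 3: an ordinary DATE field and some text, nothing to flag.
BENIGN = make_docx(_HEAD + r"""
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText>DATE \@ "d MMMM yyyy"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>8 November 2017</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
<w:r><w:t>Quarterly report: address book updated.</w:t></w:r>
""" + _TAIL)

if __name__ == "__main__":
    for label, doc in [("simple", SIMPLE_DDE), ("obfuscated", OBFUSCATED_DDE), ("benign", BENIGN)]:
        print(label, find_dde_fields(doc))
```

Run it against a real document with `find_dde_fields(open("file.docx", "rb").read())`. The point of joining runs and decoding QUOTE is that a plain `grep DDEAUTO` over the unzipped XML misses exactly the samples that were built to evade it; for spreadsheets the equivalent check is on the formula cells in xl/worksheets/*.xml, which this example does not cover.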
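The asset-management notes above list the systems you can pull asset data from and warn that coverage gaps cost you visibility. As an added example (ours, not the podcast's), the script below does the reconciliation those notes imply: it merges a DNS zone dump, a switch ARP table, the WSUS client list and the EDR console into one inventory, treats the union as the real asset list, and reports every asset that a control (patching, EDR) does not know about, plus DNS names that were never seen on the wire. All four exports are constructed sample data and their column layouts are assumptions.

```python
"""Reconcile several asset sources and report coverage gaps (added example)."""
import ipaddress
from collections import defaultdict

# --- constructed sample exports (not real hosts) ---------------------------
DNS_A_RECORDS = [                      # (fqdn, ip) from a zone dump
    ("web01.corp.example.", "10.0.1.10"),
    ("db01.corp.example.", "10.0.1.20"),
    ("hr-laptop-7.corp.example.", "10.0.2.33"),
    ("printer-3f.corp.example.", "10.0.3.5"),   # stale: never seen on the wire
]
SWITCH_ARP_TABLE = [                   # (ip, mac) from the core switch
    ("10.0.1.10", "00:11:22:33:44:01"),
    ("10.0.1.20", "00:11:22:33:44:02"),
    ("10.0.2.33", "00:11:22:33:44:03"),
    ("10.0.2.77", "00:11:22:33:44:04"),         # no DNS name: unknown device
]
WSUS_CLIENTS = ["WEB01", "DB01", "HR-LAPTOP-7"]                      # patching
EDR_AGENTS = [("web01", "10.0.1.10"), ("hr-laptop-7", "10.0.2.33")]   # AV/EDR

CONTROL_SOURCES = frozenset({"wsus", "edr"})   # every asset belongs in each


def short_name(host):
    """Normalise 'WEB01', 'web01.corp.example.' etc. to one key."""
    return host.lower().rstrip(".").split(".")[0]


def build_inventory():
    """Merge every source into {asset_key: set of sources that know it}.

    An asset is keyed by short hostname when any source can name its IP,
    otherwise by the IP itself, so a device that only shows up in the ARP
    table still counts as an asset instead of silently disappearing.
    """
    ip_to_host = {ip: short_name(fqdn) for fqdn, ip in DNS_A_RECORDS}
    for host, ip in EDR_AGENTS:
        ip_to_host.setdefault(ip, short_name(host))

    seen = defaultdict(set)

    def record(source, host=None, ip=None):
        if ip is not None:
            ipaddress.ip_address(ip)            # reject malformed rows early
        key = short_name(host) if host else ip_to_host.get(ip, ip)
        seen[key].add(source)

    for fqdn, ip in DNS_A_RECORDS:
        record("dns", host=fqdn, ip=ip)
    for ip, _mac in SWITCH_ARP_TABLE:
        record("arp", ip=ip)
    for host in WSUS_CLIENTS:
        record("wsus", host=host)
    for host, ip in EDR_AGENTS:
        record("edr", host=host, ip=ip)
    return dict(seen)


def coverage_gaps(inventory, controls=CONTROL_SOURCES):
    """Assets missing at least one control, e.g. {'db01': ['edr']}."""
    return {asset: sorted(controls - sources)
            for asset, sources in inventory.items()
            if controls - sources}


def stale_records(inventory):
    """Names DNS knows that were never observed on the network (no ARP entry)."""
    return sorted(a for a, s in inventory.items() if "dns" in s and "arp" not in s)


if __name__ == "__main__":
    inv = build_inventory()
    for asset, missing in sorted(coverage_gaps(inv).items()):
        print(f"{asset}: missing {', '.join(missing)}")
    print("stale DNS:", stale_records(inv))
```

In this sample the database server has patching but no EDR agent, the printer exists only in DNS, and 10.0.2.77 is on the network with no name and no controls at all; that last class of result is the one the notes are warning about, since nothing but the switch knows the device exists. Swap the constructed lists for real exports (a DNS AXFR, `show ip arp`, the WSUS and EDR APIs) and the same set arithmetic applies.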
