BrakeSec Education Podcast

This week was one heck of a show. If you are a blueteamer and make use of the "Windows Logging Cheat Sheet", you are no doubt aware of how important it is to log certain events, and to set hostile conditions to make malware/Trojans/virus have a harder time avoiding detection. What if I told you the same updates we suggested last week to NEVER delay actually undoes all your hardening on your system and leaves your logfiles set to defaults, all file associations for suspect files like pif, bat, scr, bin, are set back to defaults, allow your users to be victims again, even after you've assured them they are safe to update? After a sequence of tweets from Michael Gough about just this exact thing, we laid out all the information, how and what get reverted that will open you back up to possible infections, as well as how some hardening standards actually make it harder to be secure. Finally, we discuss the CIS benchmarks, and how many of the settings in them are largely outdated and why they need to be updated. Direct Download: http://traffic.libsyn.com/brakeingsecurity/2017-029-windows_updates_clobbers_security__settings_CIS_hardening_needs_an_update.mp3 RSS: http://www.brakeingsecurity.com/rss Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/ --SHOW NOTES-- Gough says 'something is bad about CIS' CIS benchmarks need revamping -- BrBr /var, /var/log in separate partitions? Password to access grub? Disable root login to serial pty? Many cloud instances and VMs don't have serial ports (not in a traditional sense) What's the use case for using them? What problem will they solve? Misconfiguration? Proper logging? NTP sources? So many, dilution possible SCAP OVAL STIG (complex as well) CIS Infosec: how do we get IT past the "that's good enough", as many customers and compliance frameworks want to see 'hardening' done. What is a good baseline? Write your own? How do we tell them that it's not going to stop 'bad guys' ( or anyone really)? It's not 'security', and it's technically not even 'best practices' anymore (not all of it, anyway) On windows, they are needlessly complicated and cause more problems Roles have to be created "backup admin" Can cause unintended issues https://twitter.com/HackerHurricane/status/898629567056797696 https://twitter.com/HackerHurricane/status/892838553528479745 Category Sub Category 7/2008 8.1 2012 Win-7 Win-8.1 WLCS ThisPC Notes Detailed Tracking Process Termination NA NA NA NA NA S/F S Object Access File Share NA NA NA NA NA S/F S/F Object Access File System NA NA NA F NA S S/F Object Access Filtering Platform Connection NA NA NA NA NA S S Object Access Filtering Platform Packet Drop NA NA NA NA NA NA NA Log Sizes: ------------- Security - 1 GB Application – 256MB System – 256MB PowerShell/Operational – 512MB – 1 GB v5 Windows PowerShell – 256MB TaskScheduler – 256MB Log Process Command Line (5) (5) (5) (5) (5) Yes Yes ------------------------------------------------------------------------------------------------------------------------- PowerShell Logging v5 (5) (5) (5) (5) (5) Yes Yes ------------------------------------------------------------------------------------------------------------------------- TaskScheduler Log (5) (5) (5) (5) (5) (1) Yes ----------------------------------------------------------------------------------------------------------------- (5) - CIS Benchmarks, USGCB, and AU ACSC do not cover this critical auditing item

This week went in a different direction from what we normally do. We discussed some news, a twitter conversation about someone from the 'ahem' "media" that suggests that you disable Windows Update on your home devices. We discuss the pros and mostly cons of doing that, and alternatives to protect your home and work devices from that. We talked about the Comcast Xfinity applicances and how they have a vulnerability that could make it appear that traffic created by people outside of your house could look like it was coming from your home network. We discuss the public disclosure of Carbon Black's architecture and seeming sharing of customer events to 3rd parties... it's not all black and white, and we discuss those here. RSS: http://www.brakeingsecurity.com/rss Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/ ---SHOW NOTES--- Twitter discussion - https://twitter.com/Computerworld/status/894611609355603968 http://www.computerworld.com/article/3214146/microsoft-windows/it-s-time-to-check-your-windows-machines-and-temporarily-turn-off-automatic-update.html [sic] "tons of problems with Automatic Update patches so far this year" [sic] "if you're savvy enough to be reading this, you should consider turning Auto Update off, too" Advocating disabling auto-updates in an OS is reckless. Home networks for majority of users is completely flat One Vlan (e.g. 192.168.1.0/24) 'Savvy' = technical Which many of our users are not Probable scenario: Bad guy targets you or family through a phish. They gain access to family computers, and pivot through those to your office computer Blue teamers: suggest backups and backup options to keep their data safe and allow them to feel safer with automatic updates enabled, and VLANs if possible Typically enterprises will hold off a few days or a week to push out Windows patches; Auto-updates are controlled. The twitter guy said that in more recent Windows versions, WU take precedence over WSUS… need to confirm that… -- brbr Confirmed… you can override WU… https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/ http://www.computerworld.com/article/3213929/microsoft-windows/the-case-against-windows-automatic-update.html http://www.csoonline.com/article/3214487/security/pentest-firm-calls-carbon-black-worlds-largest-pay-for-play-data-exfiltration-botnet.html#tk.twt_cso --this-- not because of title, but because of people jumping to conclusions (example of irresponsible disclosure) Agreed… that shiz is damaging -- brbr NoStarch TCP guide - https://www.nostarch.com/tcpip.htm IPV4 -https://en.wikipedia.org/wiki/IPv4 [graphic of IPv4 header from wikipedia article] IHL - size of the header (minimum of 5) DSCP - has to do with traffic shaping and QoS ECN - notifies the network of congestion and allows infrastructure to implement congestion controls to compensate Must be supported by both ends, and completely optional to enforce Total Length - total size of the packet Identification - interesting field, you can use it to hide data (Covert_TCP), otherwise, it's used for 'used for uniquely identifying the group of fragments of a single IP datagram" https://github.com/tcstool/Fireaway http://www.securityweek.com/coolest-talk-defcon-25-no-one-writing-about

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-026-Ally_miller_machine-learning-AI.mp3 Ally Miller (@selenakyle) joined us this week to discuss Machine Learning and #Artificial #Intelligence. It seems like every new security product employs one or both of these terms. She did the keynote at Bsides Las Vegas on topics of #Machine #Learning and #Behavioral #Economics. We asked Ms. Miller to join us here to discuss what ML and AI are, how algorithms work to analyze the data to come to the right conclusion. What is required to get a useful algorithm, and how much or little human interaction is required? We also discuss a bit of history with her, how IDS/IPS were just dumber versions of machine learning, with 'tweaks' being new Yara or snort rules to tell the machine what to allow/disallow. Finally, we discussed how people who are doing our 2017 DerbyCon CTF, instructions on how to win are in the show, so please take a listen. RSS: http://www.brakeingsecurity.com/rss Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/ show notes what is the required amount of data required to properly train the algorithms how do you ensure that the training data is clean (or perhaps how do you determine what causes a false positive or negative) Xoke Soru: "why are you trying to make skynet and kill us all? Do you hate humanity?" Who will ML replace? Who in security? Ask why people get confused between AI and Machine learning, and where the fine line is between the two or is one actually a subset of the other. Basically.. "in what way/how do you see ML being used in an offensive capacity in the future (or now)" https://en.wikipedia.org/wiki/Artificial_neural_network https://en.wikipedia.org/wiki/Machine_learning https://en.wikipedia.org/wiki/Portal:Machine_learning https://www.slideshare.net/allyslideshare/something-wicked-78511887 https://www.slideshare.net/allyslideshare/201209-a-million-mousetraps-using-big-data-and-little-loops-to-build-better-defenses https://conferences.oreilly.com/velocity/vl-ca/public/schedule/detail/61751 O'Reilly Conference 31 October Mick douglas class Derbycon CTF Book club Patreon slack

Direct Link:http://traffic.libsyn.com/brakeingsecurity/2017-025-How-GDPR-affects-US-Biz-with-Wendyck-Derbycon2017-CTF-info.mp3 GDPR (General Data Protection Regulation) is weighing on the minds and pocketbooks of a lot of European companies, but is the US as worried? If you read many of the news articles out there, it ranges from 'meh' to 'OMG, the sky, it is falling". GDPR will cause a lot of new issues in the way business is being done, not just in the realm of security, but in the way data is managed, maintained, catalogued, and shared. This week we invited Ms. Wendy Everette Knox (@wendyck) to come in and discuss some of the issues that might hit companies. We also discuss how GDPR and the exit (or not) of the UK from the #European #Union will affect data holders and citizens of the UK. If your company is preparing for the #GDPR mandate, check out the show notes for a lot of good info. ALSO, If you are looking for a ticket to #derbycon 2017, you need to listen to this show, because it has all the info you need to get started. The info is also in the show notes, including the form you need to post your flag information. #RSS: www.brakeingsecurity.com/rss Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/ ---Show Notes:---- The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] Would it be better if companies stored less data, or de-anon it to the point where a breach Massive fines for breaches. Usually some percentage of profits… (up to 4% of annual global turnover or €20 Million (whichever is greater)) "Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours of the data breach (Article 33)." Is 72 hours for notification realistic? For massive breaches, 72 hours is just enough time to contain Right to be forgotten (not realistic): "A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014.[19][20] Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case (f) where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data " GDPR full text: http://ec.europa.eu/newsroom/document.cfm?doc_id=45631 Good intro: https://www.taylorwessing.com/globaldatahub/article-the-data-protection-principles-under-the-gdpr.html Controversial topics: http://www.eugdpr.org/controversial-topics.html Key Changes: http://www.eugdpr.org/key-changes.html Difficulty of doing GDPR in the cloud https://hackernoon.com/why-gdpr-compliance-is-difficult-in-the-cloud-9755867a3662 US businesses largely ignoring GDPR http://www.informationsecuritybuzz.com/expert-comments/us-businesses-ignoring-gdpr/#infosec Fears of breach cover-up (due to massive fines 'up to 4% of profits') http://tech.newstatesman.com/news/gdpr-cover-ups-security From the UK ICO, 12 steps to take now to prepare for GDPR https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf (has a nice infographic on p. 2) https://www.auditscripts.com/ CTF for derby ticket Level 1- The internet is a big place :) I've hidden 3 flags out on it and it's your job to see how many you can find. I'll give you a few hints to start. Company Name = Big Bob's Chemistry Lab There's something illegal going on, find out what!! Submit flags here https://goo.gl/forms/iUEVHNuSYr34OZA22

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-024-mental_health_podcast-with-Rand0h-and-tottenkoph.mp3 The infosec industry and the infosec culture is so diverse, with many different points of view, many different thoughts and opinions, and many of us deal with our own internal demons, like addictions, mental afflictions like depression or bipolar disorders. And 'imposter syndrome' is another thing that seems to add to the mix, making some believe they have to be constantly innovating or people think negatively of them. So this week, we invited Ms. Magen Wu (@tottenkoph), and Danny (@dakacki) and we discuss some coping mechanisms at things like conferences, and if you work at home, like a lot of consultants and researchers do... -------- Jay Beale's Class "aikido on the command line: hardening and containment" JULY 22-23 & JULY 24-25 AT BlackHat and Defcon https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html ------- Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel. To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August. #RSS: www.brakeingsecurity.com/rss Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/ --Show Notes-- Chris Sanders: Cult of Passion http://chrissanders.org/2017/06/the-cult-of-passion/ Exercise Start playing ingress or Pokemon Go, just to get out and gamify activity Reduce alcohol consumption Defcon : Friends of Bill W. Agent X : 3/5K events at Defcon Critics comments You won't please everyone, so don't try Spend time away from infosec Family, friends Hobbies If you are in a job with 'secrets', find someone to talk to Another person with the same 'secrets' or similar job https://www.scientificamerican.com/article/gut-second-brain/ @DAkacki (what is your podcast @rallysec) Da667's book [I love murder]@tottenkoph @jimmyvo @andMYhacks (works with Jimmy) @infosecmentors

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-023-Jay_Beale-selinux-apparmor-securing_lxc.mp3 Jay Beale works for a pentest firm called "Inguardians", and has always been a fierce friend of the show. He's running a class at both BlackHat and Defcon all about hardening various parts of the Linux OS. This week, we discuss some of the concepts he teaches in the class. Why do we disable Selinux? Is it as difficult to enable as everyone believes? What benefit do we get from using it? We also discuss other hardening applications, like ModSecurity for Apache, Suhosin for PHP, and Linux Containers (LXC). What is gained by using these, and how can we use these to our advantage? Really great discussion with Jay, and please sign up for his class for a two day in-depth discussion of all the technologies discussed on the show. -------- Jay Beale's Class "aikido on the command line: hardening and containment" JULY 22-23 & JULY 24-25 AT BlackHat and Defcon https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html ------- Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel. To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August. #RSS: www.brakeingsecurity.com/rss Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/ --- Show Notes: AppArmor SELinux Privilege Escalation - InGuardians Murderboard Port Knocking (Single Pack Authorization) OSSEC ModSecurity Linux Containers Jess frizelle -bane Dan walsh - selinux Selinux troubleshoot daemon https://en.wikipedia.org/wiki/System_call "In computing, a system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system." OpenBSD pledge(2): https://man.openbsd.org/pledge.2 https://www.raspberrypi.org/products/raspberry-pi-2-model-b/ Suhosin https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html @inguardians @jaybeale www.inguardians.com ---- What are you doing at Black Hat and Def Con? Training class at Black Hat - 2 days Def Con Workshop - ModSecurity and AppArmor - 4 hours Packet Hacking Village Workshop - Container security Vapor Trail at Def Con Labs (Larry and Galen) Dancing my butt off?

Direct Link to Download: http://traffic.libsyn.com/brakeingsecurity/2017-022-windows_and_AD_Hardening.mp3 This week, we discuss hardening of windows hosts, utilizing CIS benchmarks. We talk about the 'auditpol' command. And we dredge up from the ancient times (2000) the Microsoft article from Scott Culp "The 10 Immutable Laws of Security Administration". Are they still applicable to today's environment, 17 years later? Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel. To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August. #RSS: www.brakeingsecurity.com/rss Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/ --SHOW NOTES-- 10 immutable laws of Security administration: https://technet.microsoft.com/library/cc722488.aspx Really great stuff On This Page Law #1: Nobody believes anything bad can happen to them, until it does Law #2: Security only works if the secure way also happens to be the easy way Law #3: If you don't keep up with security fixes, your network won't be yours for long Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with Law #5: Eternal vigilance is the price of security Law #6: There really is someone out there trying to guess your passwords Law #7: The most secure network is a well-administered one Law #8: The difficulty of defending a network is directly proportional to its complexity Law #9: Security isn't about risk avoidance; it's about risk management Law #10: Technology is not a panacea https://www.linkedin.com/in/scott-culp-cissp-8b69572a/ http://thehackernews.com/2017/06/hacker-arrested-for-hacking-microsoft.html https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory auditpol - https://technet.microsoft.com/en-us/library/cc731451(v=ws.11).aspx https://docs.microsoft.com/en-us/windows/device-security/auditing/advanced-security-audit-policy-settings https://technet.microsoft.com/en-us/library/cc677002.aspx - Microsoft Security compliance Manager https://www.databreaches.net/irony-when-blackhats-are-our-only-source-of-disclosure-for-some-healthcare-hacks/ https://www.databreaches.net/leak-of-windows-10-source-code-raises-security-concerns/ https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

Due to popular demand, we are adding the extra content from last week's show as a standalone podcast. Michael Gough (@hackerHurricane) and Mr. Boettcher (BrakeSec Co-Host, and @boettcherpwned) sit down and discuss the popularity of ransomware as a topic They discuss what email attachments to block, how to test your own email gateway, and what controls you should implement to help defend against the #petya #notpetya ransomware.

This week, we discussed Ms. Berlin's recent foray to CircleCityCon, 614con (@614con), and her recent webinars with O'Reilly. One topic we discussed this week was how to reach out to small businesses about information security. Mr. Boettcher (@boettcherpwned) had just came from a panel discussion about an initiative in Austin, Texas called "MANIFEST", which sought to engage small business owners with #information #security professionals to help them secure their environments. So we got to discussing how you might go about it in your local hometowns. Many of us live in smaller towns, with numerous small businesses that either don't know to secure their #POS #terminals (for example), or office information not in a file cabinet. They may also just assume their outsourced IT company is doing that job, which could open them up to liability if something occurred. So we discuss ways to reach out, or get involved with your local community. Secondly, we talk about software vulnerabilities found in the #CWE and the '7 Pernicious Kingdoms' which are the way some people have classified vulnerabilities. We one of the kingdoms, and how it is useful if you want to classify vulns to developers. Finally, after the show, Mr. Boettcher and Mr. Michael Gough, who has been on the show previously discusses some #ransomware and why it's such a popular topic of discussion. (stay after the end music) Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 5 week course starting with the basics of powershell, and goes into discussion of frameworks using Powershell too assist in assessing your network. It starts on 10 July and run each Monday evening until 1 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class available to you on our YouTube channel. To sign up, go to our Patreon Page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only" Classes will be held on Monday Evenings only for 5 weeks, ending on 1 August. Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-021-small_biz_outreach-614con-prenicious_kingdoms-ransomware-bonus.mp3 #RSS: www.brakeingsecurity.com/rss Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Hector Monsegur (@hxmonsegur on Twitter) is a good friend of the show, and we invited him to come on and discuss some of the #OSINT research he's doing to identify servers without using noisy techniques like DNS brute forcing. We also discuss EclinicalWorks and their massive fine for falsifying testing of their EHR system, and implications for that. What happens to customers confidence in the product, and what happens if you're already a customer and realize you were duped by them? We also discuss Hector's involvement with the TV show "Outlaw Tech". Who approached him, why he did it, why it's not CSI:Cyber or "Scorpion" and how it discusses the techniques used by bad guys. Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-020-Hector_monsegur_DNS_research_OSINT.mp3 #RSS: www.brakeingsecurity.com/rss Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/ ---------- Show notes: going beyond DNS bruteforcing and passively discovering assets from public datasets??? Very interested in hearing about this Straight OSINT, or what? Hxm: Over at RSL (Rhino Sec Labs), one of the research projects I'm working on is discovery of assets (subdomains) while minimizing footprint (dns bruteforcing). Datasets include things like: Data from the certificate transparency project (https://www.certificate-transparency.org/) rDNS and forward dns dataset from https://scans.io/ Sonar Scans - Rapid7 Sublist3r: https://github.com/aboul3la/Sublist3r And other datasets that are out there Crime Flare https://krebsonsecurity.com/tag/crimeflare-com/ -> crimeflare.com Discuss why brute forcing DNS leaves such a heavy footprint for blue team forensics How cloud providers like CloudFlare, and others, do not take advantage of DNS bruteforcing error messages Special shout out to Ryan Sears @ CaliDog Security for his research into this field https://en.wikipedia.org/wiki/Markov_chain Smart DNS Bruteforcing - https://github.com/jfrancois/SDBF Training gained from internal phishing campaigns Does it breed internal mis-trust? Recent campaign findings Why do it if we know one account is all it takes? Because we know it's a 'win' for security? Outlaw Tech on Science Channel What's it about? (let's talk about the show) The show itself is on the Science channel (Discovery) The aim of the program is to discuss the technology behind many of the biggest crimes (heists, el chapo's communication network, etc) And how I play a part in it https://www.spoofcard.com/ https://www.sciencechannel.com/tv-shows/outlaw-tech/ Rhinosecuritylabs.com http://www.dw.com/en/estonia-buoys-cyber-security-with-worlds-first-data-embassy/a-39168011 - "Estonia buoys cyber security with world's first data embassy" - interesting https://www.digitalcommerce360.com/2017/05/31/eclinicalworks-will-pay-feds-155-million-settle-false-claims-charges/ -- holy shit -- Reminds me of the whole emissions scandal from a couple of years back. http://www.roadandtrack.com/new-cars/car-technology/a29293/vehicle-emissions-testing-scandal-cheating/ http://securewv.com/cfp.html OneLogin/Docusign breaches OneLogin: https://arstechnica.com/security/2017/06/onelogin-data-breach-compromised-decrypted/ Docusign: https://www.inc.com/sonya-mann/docusign-hacked-emails.html http://www.spamfighter.com/News-20916-DocuSign-Data-Hack-Resulted-in-Malware-Ridden-Spam.htm Crowdfunding to buy shadowbroker exploits ended: https://threatpost.com/crowdfunding-effort-to-buy-shadowbrokers-exploits-shuts-down/126010/ China's Cybersecurity Law: https://lawfareblog.com/chinas-cybersecurity-law-takes-effect-what-expect Facial recognition for plane boarding: http://money.cnn.com/2017/05/31/technology/jetblue-facial-recognition/index.html Keybase.io's Chrome plugin -- Game changer? https://chrome.google.com/webstore/detail/easy-keybaseio-encryption/bhoocemedffiopognacolpjbnpncdegk/related?hl=en