Brakeing Down Security Podcast

A podcast all about the world of Security, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.

Episodes

  • 2019-014-Tesla fails encryption, Albany and Sammamish ransomware attacks.

    Apr 15 2019

    Announcements: WorkshopCon Training with SpecterOps and Tim Tomes www.workshopcon.com redteam operations with SpecterOps PWAPT with Tim Tomes   Source Boston: Boston, MA 2019 (April 29 – May 3, 2019) (https://sourceconference.com/events/boston19/) Trainings: April 29 - April 30, 2019 | Conference: May 1 - 3, 2019   Cybernauts CTF meetup in Austin Texas at Indeed offices, 23 April at 5pm Central time. https://nakedsecurity.sophos.com/2019/04/02/wrecked-teslas-hang-onto-your-unencrypted-data/ ...

  • 2019-013-ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 2

    Apr 07 2019

    Announcements: SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/ Austin Cybernauts meetup - https://www.eventbrite.com/e/cybernauts-ctf-meetup-indeed-tickets-58816141663 SHOW NOTES: Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer. https://github.com/OWASP/ASVS “is to normalize t...

  • 2019-012: OWASP ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 1

    Apr 01 2019

    Show Notes SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/   Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.   https://github.com/OWASP/ASVS “is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application securi...

  • 2019-011-part 2 of our interview with Brian "Noid" Harden

    Mar 24 2019

    Log-MD story     SeaSec East meetup     Gabe (county Infosec guy) https://www.sammamish.us/government/departments/information-technology/ransomware-attack-information-hub/ New Slack Moderator (@cherokeeJB) Shoutout to “Jerry G”   Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407 www.Workshopcon.com/events and that we're looking for BlueTeam trainers please   Any chance you can tag @workshopcon. SpecterOps and...

  • 2019-010-Zach_Ruble-building_a_better_cheaper_C2_infra

    Mar 18 2019

    Shout-out to Thomas…     Tried to meetup while at SEA comic-con Patreon Log-MD Hacker’s Health - Ms. Roddie is at TROOPERS (Ms. Berlin?) 4 podcasts? SpecterOps Training / workshopCon  - https://www.workshopcon.com/events Zach Ruble- @sendrublez C2 infra using Public WebApps TARCE - Teaching Assistant RCE(?) - they run your code every week, don’t check for backdoors before running it... C2 Basics     Local HTTPd server (bashfile)     Python scrapes web server 3 components -Servers -Communication ...

  • 2019-009- Log-MD story, Noid, communicating with Devs and security people-part1

    Mar 12 2019

    Log-MD story (quick one) (you’ll like this one, Mr. Boettcher)     SeaSec East meetup     "Gabe"   https://www.sammamish.us/government/departments/information-technology/ransomware-attack-information-hub/   New Slack Moderator (@cherokeeJB) Shoutout to “Jerry G”   Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407 www.Workshopcon.com/events and that we're looking for BlueTeam trainers please   Any chance you can...

  • 2019-008-windows retpoline patches, PSremoting, underthewire, thunderclap vuln

    Mar 04 2019

    BrakeingDownIR show #10 GrumpySec appearance? https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887 https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Mitigating-Spectre-variant-2-with-Retpoline-on-Windows/ba-p/295618 https://blogs.technet.microsoft.com/srd/2018/03/15/mitigating-speculative-execution-side-channel-hardware-vulnerabilities/ “Microsoft has added support for the /Qspectre flag to Visual C++ which currently enables some narrow compile-time stat...

  • 2019-007-bsides_seattle_recap-new_phishing_vector-Kernel_use_after_free_vuln

    Feb 25 2019

    Bsides Seattle recap (Bryan) New phishing technique to bypass email filters- https://www.helpnetsecurity.com/2019/02/20/phishers-new-trick-for-bypassing-email-url-filters/ https://en.wikipedia.org/wiki/Office_Open_XML_file_formats#Relationships Use after free in Linux kernel: https://securityboulevard.com/2019/02/linux-use-after-free-vulnerability-found-in-linux-2-6-through-4-20-11/ https://www.webopedia.com/TERM/U/use-after-free.html https://cwe.mitre.org/data/definitions/416.html https://w...

  • 2019-006: CSRF, XSS, infosec hypocrites, and the endless cycle

    Feb 18 2019

    https://www.zdnet.com/article/google-working-on-new-chrome-security-feature-to-obliterate-dom-xss/     https://www.owasp.org/index.php/DOM_Based_XSS CSRF - confused deputy https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)   Google Cloud Platform - tip tricks, stuff ms. berlin learned   Layer 8 conference - Rhode Island   I was wrong…..cycles don’t sync --Ms. Berlin https://health.clevelandclinic.org/myth-truth-period-really-sync-close-friends/     Check out our Store on Teep...

  • 2019-005: Security Researcher attack, disabling SPECTER, and Systemd discussion

    Feb 11 2019

    SpecterOps Class:  https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-boston-june-2019-tickets-54970050902     https://www.secjuice.com/security-researcher-assaulted-ice-atrient/ https://www.csoonline.com/article/3338112/security/vendor-allegedly-assaults-security-researcher-who-disclosed-massive-vulnerability.html   Tweet of application teardown: https://twitter.com/duniel_pls/status/1093565709630824448   https://www.zdnet.com/article/linux-kernel-gets-anoth...

  • 2019-004-ShmooCon, and Bsides Leeds discussion, Facetime bug (with update), a town for ransom

    Feb 04 2019

    Facetime bug update: https://www.cnbc.com/2019/02/01/apple-facetime-bug-fix-and-apology.html   ShmooCon discussion   Bsides Leeds discussion   @largeCardinal @bsidesLeeds https://www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-47028244   https://www.theverge.com/2019/1/27/18195630/gdpr-right-of-access-data-download-facebook-google-amazon-apple   https://www.theverge.com/2019/1/25/18198006/uber-jump-electric-scooter-austin-teen-arrested-bank-robbery-police   https://www.cnbc.com/2019/01/2...

  • 2019-003-Liz Rice, creating processes to shift security farther left in DevOps

    Jan 28 2019

    BIO: Liz Rice is the Technology Evangelist with container security specialists Aqua Security, where she also works on container-related open source projects including kube-hunter and kube-bench. She was Co-Chair of the CNCF’s KubeCon + CloudNativeCon 2018 events in Copenhagen, Shanghai and Seattle, and co-author of the O’Reilly Kubernetes Security book. She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, ...

  • 2019-002-part 2 of the OWASP IoT Top 10 with Aaron Guzman

    Jan 22 2019

    intro CFP for Bsides Barcelona is open! https://bsides.barcelona Aaron Guzman: @scriptingxss https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive https://www.owasp.org/index.php/IoT_Attack_Surface_Areas https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html OWASP SLACK: https://owasp.slack.com/ https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg Team of 10 or s...

  • 2019-001: OWASP IoT Top 10 discussion with Aaron Guzman

    Jan 14 2019

    Aaron Guzman: @scriptingxss https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive https://www.owasp.org/index.php/IoT_Attack_Surface_Areas https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html OWASP SLACK: https://owasp.slack.com/ https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg Team of 10 or so… list of “do’s and don’ts” Sub-projects? Embedded systems, car ...

  • 2018-045: end of the year podcast!

    Dec 27 2018

    Join the combined forces of: Jerry Bell (@maliciousLink) from Defensive Security Podcast! (https://defensivesecurity.org/) Bill Gardner from the "RebootIt! podcast" https://itunes.apple.com/us/podcast/reboot-it/id1256466198?mt=2   Ms. Berlin and Bryan Brake for the end of the year podcast! BrakeSec Podcast = www.brakeingsecurity.com RSS: https://www.brakeingsecurity.com/rss

  • 2018-044: Mike Samuels discusses NodeJS hardening initiatives

    Dec 18 2018

    Mike Samuels https://twitter.com/mvsamuel https://github.com/mikesamuel/attack-review-testbed https://nodejs-security-wg.slack.com/ Hardening NodeJS   Speaking engagement talks: A Node.js Security Roadmap at JSConf.eu - https://www.youtube.com/watch?v=1Gun2lRb5Gw Improving Security by Improving the Framework @ Node Summit - https://vimeo.com/287516009 Achieving Secure Software through Redesign at Nordic.js - https://www.facebook.com/nordicjs/videos/232944327398936/?t=1781 What is a package...

  • 2018-043-Adam-Baldwin, npmjs Director of Security, event stream post mortem, and making your package system more secure

    Dec 11 2018

    Adam Baldwin (@adam_baldwin) Director of Security, npm   https://foundation.nodejs.org/ https://spring.io/understanding/javascript-package-managers   Role in the NodeJS project     Advisory? Active role? Maintain security modules?     Are there any requirements to being a dev?     Are there different roles in the NodeJS environment?     Is there any review of system sensitive packages? (or has that ship sailed…)   Discussion of timeline from NodeJS security team     When were you notified? (or ...

  • 2018-042-Election security processes in the state of Ohio

    Dec 03 2018

    Where in the world is Ms. Amanda Berlin?     Keynoting hackerconWV   Election Security   Cuyahoga County:   Intro: Jeremy Mio (@cyborg00101) Name? Why are you here?   Discussing how Ohio does election operations.     Walk through the process Pre-Elections Elections Night Post Elections   All about the C.I.A. Votes must be confidential Votes must not be compromised (integrity) Voting should be available and without outage   Did a tabletop exercise with all counties in Ohio (impressive!)     Gamified, ...

  • 2018-041: part 2 of Kubernetes security insights w/ ian Coldwater

    Nov 26 2018

    @IanColdwater  https://www.redteamsecure.com/ *new gig*   So many different moving parts Plugins Code Hardware   She’s working on speaking schedule for 2019   How would I use these at home?     https://kubernetes.io/docs/setup/minikube/   Kubernetes - up and running     https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677   General wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes   https://twitter.com/alicegoldfuss - Alice Gol...

  • 2018-040- Jarrod Frates discusses pentest processes

    Nov 19 2018

    Jarrod Frates Inguardians @jarrodfrates “Skittering Through Networks” Ms. Berlin in Germany - How’d it go?     TinkerSec’s story:  https://threadreaderapp.com/thread/1063423110513418240.html   Takeaways Blue Team: - Least Privilege Model - Least Access Model     “limited remote access to only a small number of IT personnel” “This user didn't need Citrix, so her Citrix linked to NOTHING” “They limited access EVEN TO LOCAL ADMINS!” - Multi-Factor Authentication - Simple Anomaly Rule Fires     “Fin...

  • 2018-039-Ian Coldwater, kubernetes, container security

    Nov 12 2018

    Ian Coldwater- @IanColdwater  https://www.redteamsecure.com/ *new gig*   So many different moving parts Plugins Code Hardware She’s working on speaking schedule for 2019 How would I use these at home?     https://kubernetes.io/docs/setup/minikube/   Kubernetes - up and running     https://www.amazon.com/Kubernetes-Running-Dive-Future-Infrastructure/dp/1491935677   General wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes   https://twitter.com/alicegoldfuss ...

  • 2018-038-InfosecSherpa, security culture,

    Nov 05 2018

    @InfoSecSherpa   I have two talks coming up: Empathy as a Service to Create a Culture of Security at the Cofense Submerge conference Deep Dive into Social Media as an OSINT Tool at the H-ISAC Fall Summit (Health Information Sharing and Analysis Center)       *Shameless Plug* My Nuzzel newsletters: https://nuzzel.com/InfoSecSherpa https://nuzzel.com/InfoSecSherpa/cybersecurity-africa News stories - Biglaw Firm Hit With Cybersecurity Incident Earlier This Month (Published: 29 October 2018 | S...

  • 2018-037-iWatch save man's life, Alexa detects your mood, and post-derby discussion

    Oct 22 2018

    Health & Tech? https://arstechnica.com/gadgets/2018/10/amazon-patents-alexa-tech-to-tell-if-youre-sick-depressed-and-sell-you-meds/   https://hackaday.io/project/151388-minder (774 results for “health” on hackaday)   (def don’t need to talk about, but still funny AF) https://hackaday.io/project/11407-myflow   https://9to5mac.com/2017/12/15/apple-watch-saves-life-managing-heart-attack/   https://www.adheretech.com/ Privacy implications? Microsoft healthcare initiative - https://enterprise.micr...

  • 2018-036-Derbycon 2018 Audio with Cheryl Biswas and Tomasz Tula

    Oct 15 2018

    Derbycon is probably one of the best infosec conferences of the calendar year. The podcast always has so much fun meeting listeners, meeting new people, and getting some audio to share with folks who can't be there. This year, we still got some audio, and it's great. We talked with Cheryl Biswas (@3ncr1pt3d) with her talks at #Derbycon and her work with the #dianaInitiative Check out her talks at the links on @irongeek's website... Cheryl's Track talk: http://www.irongeek.com/i.php?page=videos/...

  • 2018-035-software bloat is forever; malicious file extensions; WMIC abuses

    Oct 01 2018

    Pizza Party Link - https://www.eventbrite.com/e/brakesec-derbycon-pizza-meetup-tickets-50719385046   News stories-   Software/library bloat   http://tonsky.me/blog/disenchantment/   https://hackernoon.com/how-it-feels-to-learn-javascript-in-2016-d3a717dd577f   https://gbhackers.com/hackers-abusing-windows-management-interface-command-tool-to-deliver-malware-that-steal-email-account-passwords/     https://hackerhurricane.blogspot.com/2016/09/avoiding-ransomware-with-built-in-basic.html   http...

  • 2018-034-Pentester_Scenario

    Sep 25 2018

    Interesting email from one of our listeners, detailing an issue that came up on a client engagement. We walk through the best ways to store information post-engagement, and what you need to do to document test procedures so you don't get bit by a potential issue perhaps months down the line.   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bd...

  • 2018--033-Chris_Hadnagy-SE-OSINT-vishing-phishing-book_interview-pt2

    Sep 15 2018

    Part 2 of our interview with Chris Hadnagy Discuss more about his book, best ways to setup your pre-text in an engagement how you might read someone on a poker table a great story about Chris's favorite person “Neil Fallon” from the rock band “Clutch” and we talk about “innocent lives foundation”, something near and dear to Chris' heart. We start the second part of our interview with Chris with the question “are the majority of your SE engagements phishing and calls, or is it physical engagemen...

  • 2018-032-chris Hadnagy, discusses his new book, OSINT and SE Part 1

    Sep 08 2018

    Christopher Hadnagy Interview: Origin story connoisseur of moonshine Social Engineering: The Science of Human Hacking 2nd Edition Sponsored Link (paperback on Amazon): https://amzn.to/2NKxLD9 SEORG book list: https://www.social-engineer.org/resources/seorg-book-list/ Chris’ Podcast: https://www.social-engineer.org/podcast/   SECTF at Derby (contestants are chosen)       Remembering - attention to detail     Remembering details     Can be the difference between success and failure Social ...

  • 2018-031-Derbycon ticket CTF, Windows Event forwarding, SIEM collection, and missing events... oh my!

    Sep 01 2018

    We are back with a new episode this week! We go over our solutions for some of the #derbyCon ticket #CTF challenges and include links to some of the challenges. We talk about Windows Event Forwarder, and how all log forwarders seem to be losing events!   Thanks to our Patrons! Gonna be at Derbycon, come see us!   Congrats to our Derbycon Ticket CTF winners! Winner:  @gigstaggart 2nd Place: @ohai_ninja 3rd Place: @SoDakHib   Mr. Boettcher’s Challenge (SuperCrypto): https://drive.google.com/open?id=165...

  • 2018-030: Derbycon CTF and Auction info, T-mobile breach suckage, and lockpicking

    Aug 26 2018

    CTF information:     Official site: https://scoreboard.totallylegitsite.com (thanks Matt Domko (@hashtagcyber) for hosting and allowing us to use his employee discount!)     Please do not pentest the environment, DDoS it, or cause anything undesirable to happen to the site. View the page, submit the flags, leave everything else alone...   Derbycon Auction - starts September 8th at 9am Pacific Time     Slack only -         Opening bid is $175         Increments of $25 only     100% goes to Chri...

  • 2018-029-postsummercamp-future_record_breached-vulns_nofix

    Aug 17 2018

    Post-Hacker Summercamp   IppSec Walkthroughs Brakesec Derbycon ticket CTF -   Drama - (hotel room search gate)   AirconditionerGate   Personal privacy   Ask for ID   Call the front desk   Use the deadbolt - can be bypassed   Plug the peephole with TP         Hotel rooms aren’t secure (neither are the safes)             Probably the most hostile environment infosec people go into to try and be secure/private   https://247wallst.com/technology-3/2018/08/13/25-of-known-computer-security-vulnerabil...

  • 2018-028-runkeys, DNS Logging, derbycon Talks

    Aug 09 2018

    HTTPS on www.brakeingsecurity.com, Libsyn RSS syncing of itunes/google Play is over TLS   Amanda giving a talk at Diana Initiative Derbycon Talk - mental health Volunteer/Topic request form - https://goo.gl/forms/wAiLW5Dh5h0MR5bO2   http://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/   https://blogs.technet.microsoft.com/teamdhcp/2015/11/23/network-forensics-with-windows-dns-analytical-logging/   https://blogs.technet.microsoft.com/secadv/2018/01/22/parsing-dns-server-log-...

  • 2018-027-Godfrey Daniels talks about his book about the Mojave Phonebooth

    Aug 01 2018

    Godfrey Daniels - author of "Adventures with the Mojave Phone Booth" on sale at mojavephoneboothbook.com   https://en.wikipedia.org/wiki/Mojave_phone_booth https://www.tripsavvy.com/the-mojave-phone-booth-1474047   https://www.dailydot.com/debug/mojave-phone-booth-back-number/   https://www.npr.org/2014/08/22/342430204/the-mojave-phone-booth   https://www.reddit.com/r/UnresolvedMysteries/comments/7wjq4a/cipher_broadcast_the_mojave_phone_booth_is_back/   https://twitter.com/mojavefonebooth   ...

  • 2018-026-insurers gathering data, netflix released a new DFIR tool, and google no longer gets phished?

    Jul 27 2018

    Stories and topics we covered: https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/   https://osquery.io/   https://www.propublica.org/article/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates   https://medium.com/netflix-techblog/netflix-sirt-releases-diffy-a-differencing-engine-for-digital-forensics-in-the-cloud-37b71abd2698   Join our #Slack Channel! Email us at bds.podcast@gmail.com or DM us on Twitter @brakesec #Spotify: http...

  • 2018-025-BsidesSPFD, threathunting, assessing risk

    Jul 19 2018

    Sorry, this week's show took an odd turn, and we don't have much in the way of show notes... Ms. Berlin is recovering from knee surgery, and we wish her a speedy recovery. Bryan B. got back from BsidesSPFD, MO this week, after what was a well-received talk on building community. Lots of other excellent talks from speakers like Ms. Sunny Wear, and an impromptu panel with Ben Miller and a whole host of others, including: @icssec @bethayoung @ViciousData @killianditch @fang0654 @SunnyWear @awsmhacks ...

  • 2018-024- Pacu, a tool for pentesting AWS environments

    Jul 11 2018

    Ben Caudill @rhinosecurity Spencer Gietzen @spengietz   Rhino Security - https://rhinosecuritylabs.com/blog/   AWS escalation and mitigation blog - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/   What is the difference between this and something like Scout or Lynis?   Is it a forensic or IR tool?   How might offensive people use this tool? What is possible when you’re using this as a ‘redteam’ or ‘pentesting’ tool?   S3 bucket perms?   Security Group policy fail...

  • 2018-023: Cydefe interview-DNS enumeration-CTF setup & prep

    Jul 02 2018

    Raymond Evans - CTF organizer for nolacon and Founder of CyDefe Labs     @cydefe CTF setup / challenges of setting up a CTF. Beginners & CTFs Types tips/tricks Biggest downfalls of CTF development   https://www.heroku.com/ www.exploit-db.com   BrakeSec DerbyCon     @dragosinc dragos.com   DNS Enumeration: https://github.com/nixawk/pentest-wiki/blob/master/1.Information-Gathering/How-to-gather-dns-information.md   DNS Tools: https://dnsdumpster.com/ https://tools.kali.org/information-gatherin...

  • 2018-022-preventing_insider_threat

    Jun 26 2018

    After the recent Tesla insider threat event, BrakeSec decided to discuss some of the indicators of insider threat, what can be done to mitigate it, and why it happens.   news stories referenced: https://www.infosecurity-magazine.com/news/teslas-tough-lesson-on-malicious/   https://www.scmagazine.com/tesla-hit-by-insider-saboteur-who-changed-code-exfiltrated-data/article/774472/   https://en.wikipedia.org/wiki/Insider_threat   https://en.wikipedia.org/wiki/Insider_threat_management     Join ou...

  • 2018-021-TLS 1.3 discussion, Area41 report, wireshark goodness

    Jun 20 2018

    Area41 Zurich report Book Club - 4th Tuesday of the month https://www.owasp.org/images/d/d3/TLS_v1.3_Overview_OWASP_Final.pdf   https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet TLS_DHE_RSA_AES_256_GCM_SHA256   TLS = Protocol DHE = Diffie-Hellman ephemeral (provides Perfect Forward Secrecy)     Perfect Forward Secrecy = session keys won’t be compromised, even if server private keys are Past messages and data cannot be retrieved or decrypted (https://en.wikipedia.org/wiki/Forward_se...

  • 2018-020: NIST's new password reqs, Ms. Berlin talks about ShowMeCon, Pwned Passwords

    Jun 13 2018

    https://nostarch.com/packetanalysis3  -- Excellent Book! You must buy it.   DetSEC mention   ShowMe Con panel and keynote   SeaSec East standing room only. Crispin gave a great talk about running as Standard user   Bsides Cleveland -   https://www.passwordping.com/surprising-new-password-guidelines-nist/ 1Password version 7.1 integrates with Troy Hunt's "Pwned Passwords" service to check for passwords that suck https://twitter.com/troyhunt/status/1006266985808875521 https://1password.com/sign...

  • 2018-019-50 good ways to protect your network, brakesec summer reading program

    Jun 06 2018

    Ms. Berlin’s mega tweet on protecting your network   https://twitter.com/InfoSystir/status/1000109571598364672   Utica College CYB617     I tweeted “utica university” many pardons   Mr. Childress’ high school class Laurens, South Carolina   Probably spent as much as a daily coffee at Starbucks… makes all the difference.   CTF Club, and book club (summer reading series)   Patreon SeaSec East   Showmecon Area41con bsidescleveland Here are 50 FREE things you can do to improve the security of mos...

  • 2018-018-Jack Rhysider, Cryptowars of the 90s, OSINT techniques, and hacking MMOs

    May 30 2018

    https://darknetdiaries.com/   Jack Rhysider Ok I think these topics should keep us busy for a while. Topics for discussion: Do hospitals have a free pass when being attacked? #OPJUSTINA https://nakedsecurity.sophos.com/2014/04/28/anonymous-takes-on-boston-childrens-hospital-in-opjustina/ https://www.youtube.com/watch?v=eFVBz_ATAlU - when anonymous attacks your hospital   The oldest known vulnerability is still a big problem. Default passwords. Why haven't we fixed this yet? https:...

  • 2018-017- threat models, vuln triage, useless scores, and analysis tools

    May 23 2018

    Vuln mgmt tools CVE scores suck.   Threat modeling is good.   Forces  you to know your environment   https://en.wikipedia.org/wiki/Kanban   https://blog.jeremiahgrossman.com/2018/05/all-these-vulnerabilities-rarely-matter.html   https://twitter.com/lnxdork/status/998559649271025664 https://www.google.com/search?q=house+centipede&rlz=1C5CHFA_enUS759US759&source=lnms&tbm=isch&sa=X&ved=0ahUKEwiypKyfpZjbAhWJjlkKHd0lASYQ_AUICigB&biw=1920&bih=983 https://googleprojectzero.blogspot.com/2015/03/expl...

  • 2018-016- Jack Rhysider, DarkNet Diaries, and a bit of infosec history (Part 1)

    May 15 2018

    Converge Detroit Jack Rhysider- Podcaster, DarkNet Diaries https://darknetdiaries.com/   Do hospitals have a free pass when being attacked? #OPJUSTINA https://nakedsecurity.sophos.com/2014/04/28/anonymous-takes-on-boston-childrens-hospital-in-opjustina/ https://www.youtube.com/watch?v=eFVBz_ATAlU - when anonymous attacks your hospital   The oldest known vulnerability is still a big problem. Default passwords. Why haven't we fixed this yet? https://www.rapid7.com/db/vulnerabilities/te...

  • 2018-015-Data labeling, data classification, and GDPR issues

    May 07 2018

    GDPR will affect any information system that processes or will process people… like it or not.   Derby Tickets     CTF and auction Keynote     Converge Detroit I’ll be at nolacon too Boettcher     Recap BDIR #3 https://blog.netwrix.com/2018/05/01/five-reasons-to-ditch-manual-data-classification-methods/ https://blog.networksgroup.com/data-loss-prevention-fundamentals   Join our #Slack Channel! Email us at bds.podcast@gmail.com or DM us on Twitter @brakesec #Spotify: https://brakesec.com/spot...

  • 2018-014- Container Security with Jay Beale

    Apr 29 2018

    Container security   Jay Beale  @inguardians , @jaybeale   Containers What the heck is a container? Linux distribution with a kernel Containers run on top of that, sharing the kernel, but not the filesystem Namespaces Mount Network Hostname PID IPC Users Somebody said we’ve had containers since before Docker Containers started in 2005, with OpenVZ Docker was 2013, Kubernetes 2014 Image Security CoreOS Clair for vuln scanning images Public repos vs private Don’t keep the im...

  • 2018-013-Sigma_malware_report, Verizon_DBIR discussion, proper off-boarding of employees

    Apr 20 2018

    Report from Bsides Nash - Ms. Berlin New Job Keynote at Bsides Springfield, MO Mr. Boettcher talks about Sigma Malware infection.   http://www.securitybsides.com/w/page/116970567/BSidesSpfd **new website upcoming** Registration is coming and will be updated on next show (hopefully) DBIR -https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf   VERIS framework http://veriscommunity.net/   53,000 incidents   2,216 breaches?!   73% breaches were by outsiders  ...

  • 2018-012: SIEM tuning, collection, types of SIEM, and do you even need one?

    Apr 11 2018

    Bryan plays 'stump the experts' with Ms. Berlin and Mr. Boettcher this week... We discuss SIEM logging, and tuning... How do SIEMs deal with disparate log file types? What logs should be the first to be gathered? Is a SIEM even required, or is just a central log repo enough? Which departments benefit the most from logging? (IT, IR, Compliance?)   Join our #Slack Channel! Email us at bds.podcast@gmail.com or DM us on Twitter @brakesec #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakese...

  • 2018-011: Creating a Culture of Neurodiversity

    Apr 04 2018

    Megan Roddie discusses being a High functioning Autistic, and we discuss how company and management can take advantage of the unique abilities of those with high functioning autism. Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2018-011.mp3   Matt Miller's Assembly and Reverse Engineering Class: Still can sign up! The syllabus is here:  https://drive.google.com/open?id=1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0     SHOW NOTES:   Link to Megan’s slides  Megan Roddie (@megan_roddie ...

  • 2018-010 - The ransoming of Atlanta, Facebook slurping PII, Dridex variants

    Mar 27 2018

    Matt Miller’s #Assembly and #Reverse #Engineering class $150USD for each class, 250USD for both classes Syllabus : https://docs.google.com/document/d/1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0/edit?usp=sharing Please state which class you'd like to take when ordering in the "Notes" field in Paypal https://paypal.me/BDSPodcast/150usd To sign up for both classes: https://paypal.me/BDSPodcast/250usd     Stories: https://threatpost.com/orbitz-warns-880000-payment-cards-suspected-stolen/130601/ ...

  • 2018-009- Retooling for new infosec jobs, sno0ose, Jay Beale, and mentorship

    Mar 19 2018

    Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-009-internships-mentorships-retooling-finding-that-unicorn-pentester.mp3 Topics discussed: How Jay Beale (@jaybeale @inguardians) and Brad A. (@sno0ose) do mentorship and apprenticeship in their respective orgs. Best methods to retool yourself if you are trying to move to a new industry Why 'hitting the ground running' isn't the sign of an immature organization... Matt Miller’s #Assembly and #Reverse #Engineering class $150USD for ea...

  • BDIR-001: Credential stealing emails, How do you protect against it?

    Mar 12 2018

    BDIR Episode - 001 Our guests will be: Martin Brough - Manager of the Security Solutions Engineering team in the #email #phishing industry Topic of the Day: CREDENTIAL STEALING EMAILS WHAT CAN YOU DO   Join us for Episode-001, our guest will be: Martin Brough - Manager of the Security Solutions Engineering team in the email phishing industry Topic of the day will be: "CREDENTIAL STEALING EMAILS WHAT CAN YOU DO" Show Notes: Introductions Introduce our Guest Martin Brough Twitters - @HackerNi...

  • 2018-008- ransomware rubes, Defender does not like Kali, proper backups

    Mar 12 2018

    https://www.auditscripts.com/free-resources/critical-security-controls/ Thanks to Slacker Ben Chung, who heard about this from John Strand...   BsidesIndy report - Amanda Bsides Austin - Brian   Log_MD 2.0 - www.log-md.com   https://www.bleepingcomputer.com/news/security/only-half-of-those-who-paid-a-ransomware-ransom-could-recover-their-data/ https://itsfoss.com/kali-linux-debian-wsl/ https://www.bleepingcomputer.com/news/security/kali-linux-now-in-windows-store-but-defender-flags-its-pack...

  • 2018-007- Memcached DDoS, Secure Framework Documentation, and chromebook hacking

    Mar 05 2018

    Topics: Secure Framework documents Modifying chromebooks so you can use Debian/Ubuntu Memcached is the new DDoS hotness Announcement of the next BrakeSec Training Class (see Show Notes below for more info) Link to secure framework document: https://drive.google.com/open?id=1xLfY4uI88K2AiA1mosWJ7jFyP100Jv5d Tickets are already on sale for "Hack in the Box" in Amsterdam from 9-13 April 2018, and using the checkout code 'brakeingsecurity' gets you a 10% discount. Register at https...more

  • 2018-006- NPM is whacking boxes, code signing, and stability of code

    Feb 26 2018

    Topics on today's show: NPM (Node Package Manager) - bug was introduced changing permissions on /etc, /boot, and /usr, breaking many systems, requiring full re-installs. Why was it allowed to be passed, and worse, why did so many run that version on production systems? Code signing - a well known content management system does not sign its code. What are the risks involved in not signing the code? And we talk about why you should verify the code before you use it. Using code without testing - N...more

  • 2018-005-Securing_your_mobile_devices_and_CMS_against_plugin_attacks

    Feb 14 2018

    Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2018-005-Securing_CMS_and_mobile_devices-phishing_story.mp3 Topics: Discussion of Ms. Berlin's course CAPEC discussion RTF malware MS Office A Phishing story... Mobile Supply Chain Security CMS Supply Chain Security Ms. Berlin’s course - recap of 2nd session   Brakeing Down IR -date?   Any malware of note? Upgrade your Office!  Just double-clicked, used rtf and document never opened, just the script ran.   Supply chain isn’t just Hardware…...more

  • 2018-004 - Discussing Bsides Seattle, and Does Autosploit matter?

    Feb 05 2018

    Show Notes: https://docs.google.com/document/d/1CSjskf-3vrguoyIyg8yOK2KLqg7srxYlee4RD6jzgNc/edit?usp=sharing Topics Discussed: New tool : AutoSploit - Does it lower the bar? How should Blue teamers be using Shodan? Discuss WPAD attacks, what WPAD is, and why it's a thing blue teams should worry about.    ANNOUNCEMENTS: Ms. Amanda Berlin is running 4 sessions of her workshop "Disrupting the Killchain" starting on the 5th of February at 6:30pm Pacific Time (9:30 Eastern Time)  If you would like to...more

  • BDIR-000 ; The Beginning

    Jan 29 2018

    Here is the inaugural episode of the "Brakeing Down Incident Response". Please check it out!   BDIR Episode - 000 Our guests will be: Dave Cowen - Forensic Lunch Podcast and G-C Partners Tyler Hudak - Trainer in Malware Analysis and Reverse Engineering Topic of the Day: WHAT IS THIS NEW PODCAST ALL ABOUT, WHAT WILL IT COVER? "Incident Response, Malware Discovery, and Basic Malware Analysis, Detection and Response, Active Defense, Threat Hunting, and where does it fit within DFIR" SHOW NOTES: h...more

  • 2018-003-Privacy Issues using Crowdsourced services,

    Jan 27 2018

    Back in late 2017, we did a show about Expensify and how the organization was using a service called 'Amazon Mechanical Turk' (MTurk) to process receipts and to help train their Machine Learning Algorithms. You can download that show and listen to it here:  2017-040 #infosec people on Twitter and elsewhere were worried about #privacy issues, as examples of receipts on MTurk included things like business receipts, medical invoices, travel receipts and the like. One of our Slack members (@nxvl) ca...more

  • 2018-002-John_Nye-Healthcare's_biggest_issues-ransomware

    Jan 20 2018

    John Nye (@EndisNye_com) is the VP of Cybersecurity Strategy at healthcare consultancy #CynergisTek. He's in the process of writing a whitepaper about the issues that are still plaguing healthcare. While every industry in the world has to deal with #security issues, the stakes are highest, and most personal, in healthcare. Because healthcare data is highly sensitive, a breach can cause major problems for the individual and #healthcare organization — in addition to embarrassment and sometimes ext...more

  • 2018-001- A new year, new changes, same old trojan malware

    Jan 12 2018

    Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-001-A_new_year-new_changes-same_old_malware.mp3 The first show of our 2018 season brings us something new (some awesome new additions to our repertoire), and something old (ransomware). Michael Gough is joining us to discuss a new partnership with BrakeSec Podcast (you'll have to listen to find out, or wait a few weeks :D ) We discuss #Spectre and #meltdown vulnerabilities, wonder about the criticality of the vulnerabilities and miti...more

  • 2017-SPECIAL005-End of year Podcast with podcasters

    Dec 23 2017

    As is tradition (or is becoming around here) we like to get a bunch of podcasters together and just talk about our year. No prognostications, a bit of silliness, and we still manage to get in some great infosec content. Please enjoy! And please seek out these podcasts and have a listen! Slight warning: some rough language People and podcasts in attendance: Tracy Maleef (@infosecSherpa) Purple Squad Security Podcast (@purpleSquadSec) - John Svazic (@JohnsNotHere) Advanced Persistent Security (@advpe...more

  • 2017-042-Jay beale, Hushcon, Apple 0Day, and BsidesWLG audio

    Dec 16 2017

    Ms. Berlin and Mr. Boettcher are on holiday this week, and I (Bryan) went to Hushcon (www.hushcon.com) last week (8-9 Dec 2017). Lots of excellent discussion and talks. While there, our friend Jay Beale (@jaybeale) came on to discuss Hushcon, as well as some recent news.  Google released an 0day for Apple iOS, and we talk about how jailbreaking repos seem to be shuttering, because there have not been as many vulns found to allow for jailbreaking iDevices. We also went back and discussed some ...more

  • 2017-041- DFIR Hierarchy of Needs, and new malware attacks

    Dec 08 2017

    Maslow's Hierarchy of needs was developed with the idea that the most basic needs should be satisfied to allow for continued successful development of the person and the community inevitably created by people seeking the same goals. DFIR is also much the same way in that there are certain necessary basics needed to ensure that you can detect, respond, and reduce possible damage inflicted by an attack. In my searching, we saw a tweet about a #github from Matt Swann (@MSwannMSFT) with just such a ...more

  • 2017-040-Expensify_privacy_issues-Something_is_rotten_at_Apple

    Nov 30 2017

    With Mr. Boettcher out this week due to family illness, Ms. Berlin and I discussed a little bit of what is going on in the world. Expensify unveiled a new 'feature' where random people would help train their AI to better analyze receipts. Problem is that the random people could see medical receipts, hotel bills, and other PII. We discuss how they allowed this and the press surrounding it. We also discuss why these kinds of issues are prime reasons to do periodic vendor reviews. Our second story ...more

  • 2017-039-creating custom training for your org, and audio from SANS Berlin!

    Nov 23 2017

    This week is a bit of a short show, as Ms. Berlin and Mr. Boettcher are out this week for the holiday.   I wanted to talk about something that I've started doing at work... Creating training... custom training that can help your org get around the old style training.   Also, we got some community audio from one of our listeners! "JB" went to a SANS event in Berlin, Germany a few weeks ago, and talked to some attendees, as well as Heather Mahalik (@HeatherMahalik), instructor of the FOR585 FOR58...more

  • 2017-038- Michael De Libero discusses building out your AppSec Team

    Nov 15 2017

    Direct Link: https://brakesec.com/2017-038   Michael De Libero spends his work hours running an application security team at a gaming development company. I (Bryan) was really impressed at the last NCC Group Quarterly meetup when he gave a talk (not recorded) about how to properly build out your Application Security Team. So I asked him on, and we went over the highlights of his talk. Some of the topics included: Discussing with management your manpower issues Who to include in your team Communi...more

  • 2017-037 - Asset management techniques, and its importance, DDE malware

    Nov 08 2017

    Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-037-asset_management.mp3 We started off the show talking to Mr. Boettcher about what DDE is and how malware is using this super legacy Windows component (found in Windows 2) to propagate malware in MS Office docs and spreadsheets. We also talk about how to protect your Windows users from this. We then get into discussing why it's so important to have proper asset management in place. Without knowing what is in your environment, you cou...more

  • 2017-036-Adam Shostack talks about threat modeling, and how to do it properly

    Oct 29 2017

    Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3 Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly. We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using. Mr. Boettcher asks how to handle when people believe an OS is better than another, how to do threat modeli...more

  • 2017-SPECIAL004- SOURCE Conference Seattle 2017

    Oct 22 2017

    After last year's SOURCE Conference, I knew I needed to go again, not just because it was a local (Seattle) infosec conference, but because of the caliber of speakers and the range of topics that were going to be covered. I got audio from two of the speakers at the SOURCE conference (@sourceconf on Twitter): Lee Fisher and Paul English from PreOS Security about UEFI security and methods to secure your devices  https://preossec.com/   Joe Basirico discusses the proper environment to get the best o...more

  • 2017-035-Business_Continuity-After_the_disaster

    Oct 16 2017

    Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-035-business_continuity-After_the_disaster.mp3   We are back this week after a bit of time off, and we're getting right back into it... What happens after you enact your business continuity plan? Many times, it can cause you to have to change processes, procedures... you may not even be doing business in the same country or datacenter, and you may be needing to change the way business is done. We also talk a bit about 3rd party vendor rev...more

  • 2017-SPECIAL003-Audio from Derbycon 2017!

    Oct 07 2017

    Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-SPECIAL003-Derbycon_audio.mp3 Mr. Boettcher, Ms. Berlin, and I went to Derbycon. In addition to the podcast with podcasters we did during the 3 days, I managed to grab another whole hour of audio from various people at the conference, just to give you an idea of the vibe of the conference, in case you were unable to attend.   We talked to the FOOOLs (http://www.bloomingtonfools.org/), and how they have done the lockpick village for the...more

  • 2017-034-Preston_Pierce, recruiting, job_descriptions

    Oct 02 2017

    *Apologies for the continuity; this was recorded before we went to Derbycon 2017.*   Preston Pierce is a recruiter. We wanted to have him on to discuss some issues with our industry. So we had him on to discuss hiring practices, how a recruiter can help a company recruit better talent, and how to stop companies looking for the 'unicorn' candidate. Preston is a great guy and we learned a lot about how the recruiting process works, and how Preston's company works differently from other, less reput...more

  • 2017-SPECIAL002-Derbycon-podcast with podcasters (NSF Kids/Work)

    Sep 27 2017

    Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-SPECIAL002-Derbycon-Podcast_with_podcasters.mp3   SUPER NOT SAFE for kids (and probably adults, come to think of it). Really this is just us riffing about derbycon (and I really love @oncee, and wished I'd gone to his stable talk (which you can listen/watch here: http://www.irongeek.com/i.php?page=videos/derbycon7/s07-the-skills-gap-how-can-we-fix-it-bill-gardner) We actually did talk about the skills gap, resume workshop held at Derb...more

  • 2017-033- Zane Lackey, Inserting security into your DevOps environment

    Sep 17 2017

    Zane Lackey (@zanelackey on Twitter) loves discussing DevOps, and DevSecOps (or is it 'SecDevOps'... 'DevOpsSec'?). So we talk to him about the best places to get the most bang for your buck getting security into your new DevOps environment. What is the best way to do that? Have a listen... Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-033-Zane_Lackey_inserting_security_into_your_DevOps.mp3 RSS: http://www.brakeingsecurity.com/rss Youtube Channel:  https://www.y...more

  • 2017-032-incident response tabletops, equifax breach

    Sep 12 2017

    Everyone should be doing incident response tabletops, even if it's not a dedicated task in your organization. It allows you to find out what you might be lacking in terms of processes, manpower, requirements, etc. This week, we discuss what you need to do to get ready for one, and how those should go in terms of helping your organization understand how to handle the aftermath. And in case you've been under a rock, #equifax was breached.  143 million credit records are in the ether. We discuss th...more

  • 2017-031-Robert_Sell-Defcon_SE_CTF-OSINT_source

    Sep 04 2017

    This week, we met up with Robert Sell to discuss competing in the DefCon Social Engineering CTF. You're gonna learn how he prepared for the competition, and learn about some of the tactics you could use to compete in future SE CTF events. Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-031-Robert_Sell-Defcon-SE-CTF.mp3     RSS: http://www.brakeingsecurity.com/rss Youtube Channel:  https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw #iTunes Store Link:  https://itunes.apple.com...more

  • 2017-030-Vulnerability OSINT, derbycon CTF walkthrough, and bsides Wellington!

    Aug 29 2017

    This week, we discuss the lack of information and where you might find more information about certain vulnerabilities. Seems like many companies fail to give out necessary and actionable information without paying an arm and a leg. We also go over our DerbyCon CTF walkthrough, and discuss the steps to solve it.   Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-030-vulnerability_OSINT-derbycon_CTF_walkthrough.mp3    Ms. Berlin is going to be at Bsides Wellington!  Get your Tickets NO...more

  • 2017-029-CIS benchmarks, Windows Update reverts changes used to detect malware

    Aug 20 2017

    This week was one heck of a show. If you are a blueteamer and make use of the "Windows Logging Cheat Sheet", you are no doubt aware of how important it is to log certain events, and to set hostile conditions to make malware/Trojans/virus have a harder time avoiding detection. What if I told you the same updates we suggested last week to NEVER delay actually undoes all your hardening on your system and leaves your logfiles set to defaults, all file associations for suspect files like pif, bat, sc...more

  • 2017-028-disabling WU?, Comcast wireless hack, and was it irresponsible disclosure?

    Aug 12 2017

    This week went in a different direction from what we normally do. We discussed some news, a twitter conversation about someone from the 'ahem' "media" that suggests that you disable Windows Update on your home devices. We discuss the pros and mostly cons of doing that, and alternatives to protect your home and work devices from that. We talked about the Comcast Xfinity appliances and how they have a vulnerability that could make it appear that traffic created by people outside of your house co...more

  • 2017-026-Machine_Learning-Market Hype, or infosec's blue team's newest weapon?

    Aug 03 2017

    Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-026-Ally_miller_machine-learning-AI.mp3 Ally Miller (@selenakyle) joined us this week to discuss Machine Learning and #Artificial #Intelligence. It seems like every new security product employs one or both of these terms. She did the keynote at Bsides Las Vegas on topics of #Machine #Learning and #Behavioral #Economics. We asked Ms. Miller to join us here to discuss what ML and AI are, how algorithms work to analyze the data to come to...more

  • 2017-025-How will GDPR affect your Biz with Wendyck, and DerbyCon CTF info

    Jul 22 2017

    Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-025-How-GDPR-affects-US-Biz-with-Wendyck-Derbycon2017-CTF-info.mp3   GDPR (General Data Protection Regulation) is weighing on the minds and pocketbooks of a lot of European companies, but is the US as worried? If you read many of the news articles out there, it ranges from 'meh' to 'OMG, the sky, it is falling'. GDPR will cause a lot of new issues in the way business is being done, not just in the realm of security, but in the way data ...more

  • 2017-024-infosec_mental_health_defcon_contest-with-rand0h-and-tottenkoph

    Jul 16 2017

    Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-024-mental_health_podcast-with-Rand0h-and-tottenkoph.mp3 The infosec industry and the infosec culture is so diverse, with many different points of view, many different thoughts and opinions, and many of us deal with our own internal demons, like addictions, mental afflictions like depression or bipolar disorders. And 'imposter syndrome' is another thing that seems to add to the mix, making some believe they have to be constantly innova...more

  • 2017-023-Jay_Beale_Securing Linux-LXC-Selinux-Apparmor-Jails_and_more

    Jul 10 2017

    Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-023-Jay_Beale-selinux-apparmor-securing_lxc.mp3   Jay Beale works for a pentest firm called "Inguardians", and has always been a fierce friend of the show. He's running a class at both BlackHat and Defcon all about hardening various parts of the Linux OS. This week, we discuss some of the concepts he teaches in the class.  Why do we disable Selinux? Is it as difficult to enable as everyone believes? What benefit do we get from using it...more

  • 2017-022-Windows Hardening, immutable laws of security admins, and auditpol

    Jul 03 2017

    Direct Link to Download: http://traffic.libsyn.com/brakeingsecurity/2017-022-windows_and_AD_Hardening.mp3 This week, we discuss hardening of windows hosts, utilizing CIS benchmarks. We talk about the 'auditpol' command. And we dredge up from the ancient times (2000) the Microsoft article from Scott Culp "The 10 Immutable Laws of Security Administration". Are they still applicable to today's environment, 17 years later?     Brakesec also announces our "PowerShell for Blue Teamers and Incident Res...more

  • 2017-SPECIAL- Michael Gough and Brian Boettcher discuss specific ransomware

    Jun 30 2017

    Due to popular demand, we are adding the extra content from last week's show as a standalone podcast.   Michael Gough (@hackerHurricane) and Mr. Boettcher (BrakeSec Co-Host, and @boettcherpwned) sit down and discuss the popularity of ransomware as a topic. They discuss what email attachments to block, how to test your own email gateway, and what controls you should implement to help defend against the #petya #notpetya ransomware.

  • 2017-021-small_biz_outreach-614con-prenicious_kingdoms-ransomware-bonus

    Jun 22 2017

    This week, we discussed Ms. Berlin's recent foray to CircleCityCon, 614con (@614con), and her recent webinars with O'Reilly. One topic we discussed this week was how to reach out to small businesses about information security. Mr. Boettcher (@boettcherpwned) had just come from a panel discussion about an initiative in Austin, Texas called "MANIFEST", which sought to engage small business owners with #information #security professionals to help them secure their environments. So we got to discuss...more

  • 2017-020-Hector_Monsegur_DNS_OSINT_Outlaw_Tech_eClinicalWorks_fine

    Jun 14 2017

    Hector Monsegur (@hxmonsegur on Twitter) is a good friend of the show, and we invited him to come on and discuss some of the #OSINT research he's doing to identify servers without using noisy techniques like DNS brute forcing.   We also discuss eClinicalWorks and their massive fine for falsifying testing of their EHR system, and implications for that. What happens to customers' confidence in the product, and what happens if you're already a customer and realize you were duped by them?   We also d...more

  • 2017-019-Ms. Jessy Irwin, Effective Training in Small/Medium Businesses

    Jun 06 2017

    This week, we invited Ms. Jessy Irwin (@jessysaurusrex) on to discuss the issues small and medium businesses and startups have with getting good training, training that is effective, and what can be done to address these issues. We also go through several ideas for training subjects that should be addressed by training, and what maybe would be addressed by policy.   ------- Upcoming BrakeSec Podcast training: Ms. Sunny Wear - Web App Security/OWASP 14 June - 21 June - 28 June at 1900 Eastern (1...more

  • 2017-018-SANS_course-EternalBlue_and_Samba_vulnerabilities-DerbyCon contest details

    May 30 2017

    We discuss SANS courses, including the one I just took (SEC504). How did I do in class? You can listen to the show and find out. Since it's been a few weeks, we also discuss all the interesting WannaCry reports, the ease at which this vulnerability was exploited, and why would a company allow access to SMB (tcp port 445) from the Internet? We discuss some upcoming training that we are holding starting 14 June. Ms. Sunny Wear will be doing 3 sessions discussing the use of Burp, and showing how to...more

  • 2017-017-Zero_Trust_Networking_With_Doug_Barth,_and_Evan_Gilman

    May 09 2017

    Zero trust networking may be a foreign concept to you, but Google and others have been utilizing this method of infrastructure and networking for quite a while now. It stands more traditional networking on its head by not having a boundary in the traditional sense. There's no VPN, no ACLs to audit, no firewall to maintain... Sounds crazy right? Well, it's all about trust, or the lack of it. No one trusts anyone without a proper chain of permission. Utilizing 2FA, concepts of port knocking, and ...more

  • 2017-016-Fileless_Malware, and reclassifying malware to suit your needs

    May 02 2017

    Malware is big business, both for the people using it and for the people who sell blinky boxes to companies, saying that they scare off bad guys. The latest marketdroid speak appears to be the term 'fileless malware', which by definition...   FTA: “Malware from a "fileless" attack is so-called because it resides solely in memory, with commands delivered directly from the internet. The approach means that there's no executable on disk and no artefacts ("files") for conventional computer fo...more

  • 2017-015-Being a 'security expert' vs. 'security aware'

    Apr 27 2017

    This week, we have a little story time. Developers should be aware of the kinds of vulnerabilities their code can be attacked with. XSS, Buffer overflows, heap overflows, etc should be terms that they understand. But is it enough that they are 'aware' of them, and yet seem to do nothing? Or should they be experts in their own particular area of development, and leave infosec people to deal with more generic issues? We discuss the pros and cons of this argument this week, as well as how the idea ...more

  • 2017-014-Policy_writing_for_the_masses-master_fingerprints_and_shadowbrokers

    Apr 20 2017

    So, I (Bryan) had a bit of a work issue to discuss. It has become one of my myriad jobs at work to write up some policies. In and of itself, it's not particularly fun work, and for whatever reason, this is causing me all kinds of issues. So this week we take a quick look at why I'm having these issues, if they are because I don't get it, or because the method I must follow is flawed. After that, we add on to last week's show on #2FA and #MFA (http://traffic.libsyn.com/brakeingsecurity/2017-013-M...more

  • 2017-013-Multi-factor Auth implementations, gotchas, and solutions with Matt

    Apr 13 2017

    Most everyone uses some kind of Multi-factor or '2 Factor Authentication'. But our guest this week (who is going by "Matt" @infosec_meme)... Wanted to discuss some gotchas with regard to 2FA or MFA, the issues that come from over-reliance on 2FA, including some who believe it's the best thing ever, and we finally discuss other methods of 2FA that don't just require a PIN from a mobile device or token. We also discuss its use with concepts like "beyondCorp", which is Google's concept of "Softwar...more

  • 2017-012-UK Gov Apprenticeship infosec programs with Liam Graves

    Apr 05 2017

    One of our Slackers (people who hang with us on our Slack Channel) mentioned that he was writing exam materials for one of the programs created by the UK Government to train high school and/or people headed to university in skills without the traditional 4 year education track. I was very intrigued by this, since we don't appear to have anything like this, outside of interning at a company, which means you're not considered a full-time employee, have no benefits, and there's no oversight about w...more

  • 2017-011-Software Defined Perimeter with Jason Garbis

    Mar 29 2017

    We talked with Jason Garbis this week about Software Defined Perimeter (SDP). Ever thought about going completely without needing a VPN? Do you think I just made a crazy suggestion and am off my medications? Google has been doing it for years, and organizations like the Cloud Security Alliance are expecting this to be the next big tech innovation. So much so, that they are already drafting version 2 of the SDP guidelines. So after talking with a friend of mine about how they were trying to imple...more

  • 2017-010-Authors Amanda Berlin and Lee Brotherston of the "Defensive Security Handbook"

    Mar 22 2017

    Our very own Ms. Berlin and Mr. Lee Brotherston (@synackpse), veteran of the show, co-authored an #O'Reilly book called the "Defensive Security Handbook". We talk with Amanda and Lee (or Lee and Amanda :D ) about why they wrote the book, how people should use the book, and how you can maximize your company's resources to protect you. The best thing is that you can pick up the ebook right now! It's available for pre-order on Safari books (Link), or pre-order on Amazon.com (Link) Hope you enjoy! Di...more

  • 2017-009-Dave Kennedy talks about CIAs 'Vault7', ISC2, and Derbycon updates!

    Mar 14 2017

    Wikileaks published a cache of documents and information from what appears to be a wiki from the Central Intelligence Agency (CIA). This week, we discuss the details of the leak (as of 11 Mar 2017), and how damaging it is to blue teamers. To help us, we asked Mr. Dave Kennedy (@hackingDave) to sit down with us and discuss what he found, and his opinions of the data that was leaked. Mr. Kennedy is always a great interview, and his insights are now regularly seen on Fox Business News, CNN, and MSN...more

  • 2017-008-AWS S3 outage, how it should color your IR scenarios, and killing the 'whiteboard' interview

    Mar 06 2017

    If you were under a rock, you didn't hear about the outage that #Amazon #Web Services (#AWS) suffered at the hands of sophisticated, nation-state... wah?  "an authorized #S3 team #member using an established #playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended." Well... oka...more

  • 2017-007- Audio from Bsides Seattle 2017

    Mar 01 2017

    Bryan had the pleasure of attending his 3rd Bsides Seattle a few weeks ago. Lots of great speakers, great discussion. We have 3 interviews here this week: Justin Case (@jcase) discusses some of his talk about hacking the Google Pixel, an HTC produced phone. We discuss why Android gets the 'insecure' moniker by the media, and whether it's warranted or not. Next, Sam Vaughn (@sidechannel_org) talks about setting up the Crypto Village, why he does it, and what you can learn by solving these puzzles...more

  • 2017-006- Joel Scambray, infosec advice, staying out from in front of the train, and hacking exposed

    Feb 19 2017

    Joel Scambray joined us this week to discuss good app design, why it's so difficult, and what can be done to fix it when possible. Joel also co-authored many of the "Hacking Exposed" series of books. We ask him about other books that could come from the well known series. We also ask about why the #infosec person often feels like they need to protect their organization to the expense of our own position (or sanity) and how we as an industry should be not 'in front of the train', but guiding the ...more

  • 2017-005-mick douglas, avoid bad sales people, blue team defense tools

    Feb 14 2017

    Mick Douglas is always great to have on. A consummate professional, and blue team advocate for years now, he teaches SANS courses designed to help defenders against the forces of the red team, pentesters, and even bad actors. But this week, we have a different Mr. Douglas.  This week, he's here to talk about sales tactics, #neuro #linguistic #programming, leading the question, and other social engineering techniques that salespeople will do to get you to buy maybe what your company doesn't need,...more

  • 2017-004-sandboxes, jails, chrooting, protecting applications, and analyzing malware

    Feb 06 2017

    This week, we discuss sandboxing technologies. Most of the time, infosec people are using sandboxes and similar technology for analyzing malware and malicious software. Developers use it to create additional protections, or even to create defenses to ward off potential attack vectors. We discuss sandboxes and sandboxing technology, jails, chrooting of applications, and even tools that keep applications honest, in particular, the pledge(2) function in OpenBSD ---------- HITB announcement: “Ticket...more

  • 2017-003-Amanda Berlin at ShmooCon

    Jan 29 2017

    Amanda Berlin attended Shmoocon this year, and sat down with a few people. She discussed a bit with John about what HackEd is about (http://hackeducate.com/) Amanda writes: "I had an amazing time at my 3rd #Shmoocon. I was able to interview a handful of really cool people working on several different types of infosec education. I was able to watch a few talks, spend some time in the lockpick village, as well as go to Shmoocon Epilogue. It’s always amazing to watch people talk about what they ar...more

  • 2017-002: Threat Lists, IDS/IPS rules, and mentoring

    Jan 21 2017

    In your environment, you deal with threats from all over the world. Many groups out there pool resources to help everyone deal with those #threats. Some come in the form of threat #intelligence from various intelligence companies, like #Carbon #Black, #FireEye, and #Crowdstrike. But what if your company cannot afford such products, or is not ready to engage those types of companies, and still needs protections? Never fear, there are open source options available (see show notes below). Thes...more

  • 2017-001: A New Year, malware legislation, and a new cast member!

    Jan 12 2017

    We start Brakeing Down Security with a huge surprise! A 3rd member of the podcast! Amanda #Berlin (@infosystir) joins us this year to help us educate people on #security topics. During the year, she'll be getting us some audio from various conventions and giving us her perspective working as an #MSSP, as well as a blue team (defender). We start out talking about new #California #legislation about making #malware illegal. What are politicians in California thinking? We work through that and try t...more

  • 2016-051: Steps to fixing risks you found, and the State of the Podcast

    Dec 25 2016

It's the final episode of the year, and we didn't slouch on the #infosec. Mr. Boettcher discussed what should happen when we find risk and how we handle it in a responsible manner. I also issue an 'open letter' to the C-level: we need C-levels to listen to and accept the knowledge and experience of their people. Infosec people are often the only thing keeping a company off the front page, and yet are still seen as speed bumps. We also discuss some of the previous episodes of the year, some rece...more

  • 2016-050: Holiday Spectacular with a little help from our friends!

    Dec 21 2016

Brakesec Podcast was joined by Edgar #Rojas (@silverFox) and Tracy #Maleef (@infosecSherpa) from the #PVC #Security #podcast (@pvcsec), Joe Gray (@C_3PJoe) from the Advanced Persistent Security Podcast, Jerry #Bell (@maliciousLink) and Andrew #Kalat (@lerg) from the #Defensive Security podcast (@defensiveSec), and Amanda #Berlin (@infosystir) for a light-hearted holiday party. We discuss things we learned this year, and most of us refrained from making the famous "#prediction" lists. You also get to hear...more

  • 2016-049-Amanda Berlin, the art of the sale, and Decision making trees

    Dec 15 2016

     "Always Be Closing" is the mantra that Alec Baldwin's character "Blake" intones in the movie "#GlenGarry #Glen #Ross". Ironically, the film about 4 men selling was a failure in the theaters. A lot of times as #blue #teamers, we find ourselves in the sights of a #sales person, or often enough, we are inviting them into our conference rooms to find out how their widget will help save the day. There's an art to the concept of selling, honed over the past 500,000 years, since Ugg tried to convince ...more

  • 2016-048: Dr. Gary McGraw, Building Security into your SDLC, w/ Special guest host Joe Gray!

    Dec 03 2016

As part of our ongoing discussion about the #SDLC and getting security baked in as far left as possible, Joe Gray, host of the Advanced Persistent Security #Podcast (find it at https://advancedpersistentsecurity.net/), Mr. Boettcher, and I sat down with Dr. Gary McGraw, author of "Software Security: Building Security In" to discuss his book. We are also doing this book as part of the Brakeing Security Book Club (check out our #Slack channel for more information). Gary walks us through the 7 Ki...more

  • 2016-047: Inserting Security into the SDLC, finding Privilege Escalation in poorly configured Linux systems

    Nov 28 2016

Just a quick episode this week... As part of the Brakesec Book Club (join us on our #Slack Channel for more information!) we are discussing Dr. Gary McGraw's book "Software Security: Building Security In" (Amazon Link: https://is.gd/QtHQcM). We talk about the need to insert security into your company's #SDLC... but what exactly can be done to enable that? I talk about abuse cases, #risk #analysis, creating test cases, pentesting, and #security #operations as methods for doing so. Finally, I d...more

  • 2016-046: BlackNurse, Buenoware, ICMP, Atombombing, and PDF converter fails

    Nov 21 2016

    This week, Mr. Boettcher found himself with an interesting conundrum concerning what happened when he converted a Windows DOCX file to a PDF using a popular #PDF converter software. We discuss what happened, how Software Restriction Policy in Windows kept him safe from a potential malware infection, and about the logging that occurred. After that, we discuss some recent vulnerabilities, like the BlackNurse Resource Exhaustion vulnerability and how you can protect your infrastructure from a DDoS ...more

  • 2016-044: Chain of Custody, data and evidence integrity

    Nov 07 2016

During a security incident, or in the course of an investigation, it may become necessary to gather evidence for use in a possible future court case. But if you don't have $4,000-10,000 USD for fancy forensic software, you'll need other methods to preserve data, prove its integrity, and keep a proper custody list showing who handled the data, how it was collected, etc. This podcast was not meant to turn you into an expert, but instead to go over the finer points of the pr...more
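One cheap way to do the integrity and custody part, as an added example that is not from the episode or any forensic product: hash the evidence with SHA-256 and keep a hash-chained custody log, so that both a changed image and an edited log entry are detectable later. It uses only the Python standard library; the handler names and the "disk.img" file in the demo are constructed.

```python
"""Hash-based evidence integrity plus a tamper-evident custody log.

Added example (not from the podcast). Standard library only.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024   # stream evidence in 1 MiB chunks so large images fit in memory


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    """SHA-256 hex digest of a file: the evidence 'fingerprint' recorded at collection."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash the canonical JSON of an entry so any edit to it changes the hash."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hash_bytes(canonical)


def add_custody_entry(log: list, handler: str, action: str, evidence_path: str) -> dict:
    """Append a custody record. Each record carries the current evidence hash and the
    hash of the previous record, so the log forms a hash chain."""
    entry = {
        "seq": len(log),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "handler": handler,                 # who touched the evidence
        "action": action,                   # e.g. collected / imaged / transferred
        "evidence": os.path.basename(evidence_path),
        "sha256": hash_file(evidence_path),
        "prev": log[-1]["entry_hash"] if log else "0" * 64,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_custody_log(log: list, evidence_path: str) -> tuple:
    """Check every chain link and that the evidence still matches the last record.
    Returns (ok, reason)."""
    if not log:
        return False, "empty log"
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev"] != prev:
            return False, f"chain broken at entry {i}"
        if _entry_hash(body) != entry["entry_hash"]:
            return False, f"entry {i} was modified"
        prev = entry["entry_hash"]
    if hash_file(evidence_path) != log[-1]["sha256"]:
        return False, "evidence hash does not match last custody record"
    return True, "ok"


def demo() -> tuple:
    """Constructed walk-through: collect, transfer, verify, then detect two kinds of tampering."""
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "disk.img")          # constructed evidence file
        with open(evidence, "wb") as f:
            f.write(b"constructed evidence bytes\n" * 1000)
        log = []
        add_custody_entry(log, "analyst-a", "collected", evidence)
        add_custody_entry(log, "analyst-b", "transferred", evidence)
        clean = verify_custody_log(log, evidence)[0]
        with open(evidence, "ab") as f:                  # someone alters the image
            f.write(b"!")
        altered_image = verify_custody_log(log, evidence)[0]
        log[0]["handler"] = "someone-else"              # someone edits the log
        altered_log = verify_custody_log(log, evidence)[0]
    return clean, altered_image, altered_log


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Keep the log on media the people handling the evidence cannot write to (or print and sign each entry); the chain makes edits detectable, not impossible.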

  • 2016-043: BSIMMv7, a teachable moment, and our new Slack Channel!

    Nov 01 2016

**Brakeing Down Security has a Slack channel now... just go to https://brakesec.signup.team and follow the instructions to have the bot add you to our show's official channel.** Every year, organizations come out with industry reports that show how well or, more often than not, how poorly we are doing. We always enjoy reviewing the BSIMM report, because it's unvarnished and a good measure across a good number of industry verticals, like finance, manufacturing, cloud, and even companies that mak...more

  • 2016-042-Audio from Source Seattle 2016 Conference

    Oct 24 2016

    Join us for a special episode this week! I (Bryan) was able to attend my first Source Seattle convention. Two days of talks, technical and non-technical, combining red/blue team concepts, as well as professional development, to help you navigate the corporate waters easier. I was able to interview a number of people from the conference. You can see a partial list of them here: http://www.sourceconference.com/single-post/2016/09/30/SOURCE-Seattle-Highlights Interviewed Chip McSweeney from O...more

  • 2016-041- Ben Johnson, company culture shifts, job descriptions, cyber self-esteem

    Oct 17 2016

    Ben Johnson has been around the industry for a good while, and has seen a lot of ugly things in our industry. Ben had written a recent blog post (https://www.carbonblack.com/2016/08/12/benvlog-3-negative-forces-driving-security/) detailing the issues that seem to plague many companies and many people in the infosec community. We talked about these issues in depth, and how companies and even the employees in a company can ease some of their burdens, and how they can make some changes to make your...more

  • 2016-040: Gene_Kim, Josh_Corman, helping DevOps and Infosec to play nice

    Oct 10 2016

    If you work in a #DevOps environment, you're on one side of the fence... you're either with the devs, you have freedom to make changes, and everything is great. If you're on the Security and/or Compliance side, it's a desolate wasteland of watching people play fast and loose with policies, no one documenting anything, and you're seen as a 'barrier' to getting the new hotness out. But does it have to be that way? This week, we sat down with DevOps veterans Gene Kim and Josh Corman to discuss how ...more

  • 2016-039-Robert Hurlbut, Threat Modeling and Helping Devs Understand Vulnerabilities

    Oct 04 2016

Join us this week as Robert Hurlbut (@roberthurlbut on Twitter), an independent consultant with over 25 years of application development experience, helps us understand the best methods for getting developers on the same level as security professionals when it comes to application security flaws. We also discuss some of the soft skills involved in bringing new concepts to organizations, like teaching proper coding conventions, changing up the development lifecycle, and helping to improve the skills of developers and mana...more

  • 2016-038-Derbycon Audio and 2nd Annual Podcast with Podcasters!

    Sep 28 2016

Mr. Brian Boettcher and I had a great time at DerbyCon. We met so many people and it really was excellent meeting all the fans who came up and said "Hello" or that they really enjoyed the #podcast. It is truly a labor of love and something that we hope everyone can learn something from. We got some audio while at lunch at #Gordon #Biersch talking about log monitoring, inspired by @dualcore's #Anti-Forensics talk (http://www.irongeek.com/i.php?page=videos/derbycon6/310-anti-forensics-af-i...more

  • 2016-037: B1ack0wl, Responsible Disclosure, and embedded device security

    Sep 14 2016

Have you ever found a #vulnerability and wondered if it was worth the time and effort to reach back to the company in question to get it fixed? This week, we have a story from Mr. "B1ack0wl", who found a vulnerability in certain #Belkin #embedded network devices sold to end users... We also find out how B1ack0wl learned his stock-in-trade. https://www.exploit-db.com/exploits/40332/ Find out how he discovered it, what steps he took to disclose it, and what ended up happening to the fi...more

  • 2016-036: MSSP pitfalls, with Nick Selby and Kevin Johnson

    Sep 11 2016

Nick Selby (@nselby on Twitter) is an independent consultant who works a wide variety of jobs. During a recent engagement, he ran into an interesting issue after a company called him in to handle an incident response. The problem wasn't the client; it was the client's Managed Security Service Provider (#MSSP). His blog post about the incident made big news on Twitter and elsewhere. Nick's Blog Post: https://nselby.github.io/When-Security-Monitoring-Provides-Neither-Security-Nor-Monitoring/ So, we wanted to h...more

  • 2016-035-Paul Coggin discusses the future with Software Defined Networking

    Sep 06 2016

Paul Coggin is my SME when I need to know anything network #security related, and this time we wanted to have him on to discuss Software Defined Networking (#SDN). Software defined networking allows applications to make connections, manage devices and even control the network using #APIs. In effect it allows any developer to become a network engineer. Obviously this could be a recipe for disaster if the dev does not fully understand the ramifications. And there's more good...more

  • 2016-034: Sean Malone from FusionX explains the Expanded Cyber Kill Chain

    Aug 28 2016

Another great #rejectedTalk we found was from Sean Malone (@seantmalone on Twitter). The Cyber Kill Chain is a model that explains the methodology of attackers and the stages of an intrusion. In this discussion, we find Sean has expanded the #killchain to be more granular, and to show the decision tree once you've gained access to hosts. This expanded #killChain is also effective for understanding when #hackers are attacking specific systems, like #SCADA, or other specialized systems or networ...more

  • 2016-033: Privileged Access Workstations (PAWs) and how to implement them

    Aug 22 2016

Bill V. (@blueteamer on Twitter) was the 1st of a series we like to call "2nd Chances: Rejected Talks". Bill had a talk that was rejected initially at DerbyCon (later accepted after someone else cancelled). Here is the synopsis of his talk, which you can now see at DerbyCon: Privileged Access Workstations (PAWs) are hardened admin workstations implemented to protect privileged accounts. In this talk I will discuss my lessons learned while deploying PAWs in the real world as well as other techn...more

  • 2016-032-BlackHat-Defcon-Debrief, Brakesec_CTF_writeup, and blending in while traveling

    Aug 15 2016

Co-Host Brian Boettcher went to BlackHat and Defcon this year, as an attendee of the respective cons, but also as a presenter at "Arsenal", a venue designed to showcase up-and-coming security tools. We started off by asking him about his experiences at Arsenal, and how he felt about "Hacker Summer Camp". Our second item was to discuss the recent Brakesec Podcast CTF we held to give away a free ticket to DerbyCon. We discussed some pitfalls we had, how we'll prepare for the...more

  • 2016-031:DFIR rebuttal and handling incident response

    Aug 08 2016

    A couple of weeks ago, we discussed on our show that not all incident response events required digital forensics.  We got quite a bit of feedback about that episode, so in an effort to address the feedback, we brought Brian Ventura on. Brian has 20+ years in Information Technology, ranging from systems administration to project management and information security. He is an Information Security Architect in Portland, Oregon and volunteers as the Director of Education for the Portland ISSA Chapter...more

  • 2016-030: Defending Against Mimikatz and Other Memory based Password Attacks

    Jul 31 2016

In the last few years, security researchers and attackers have found an easy way to get at passwords without dumping and cracking Windows password hashes: when Windows is not hardened, the WDigest provider keeps logon passwords in LSASS memory, in clear text. This week, we discuss Mimikatz and the methods by which you can protect your environment by hardening Windows against such attacks. Links to blogs: https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft http://blog.gojho...more

  • 2016-029: Jarrod Frates, steps when scheduling a pentest, and the questions you forgot to ask...

    Jul 25 2016

    Jarrod Frates (@jarrodfrates on Twitter) has been doing pentests as a red-team member for a long time. His recent position at #InGuardians sees him engaging many companies who have realized that a typical 'pentest #puppymill' or pentest from certain companies just isn't good enough. Jarrod has also gone on more than a few engagements where he has found the client in question has no clue of what a 'real' pentest is, and worse, they often have the wrong idea of how it should go. This week, I sat d...more

  • 2016-028: Cheryl Biswas discusses TiaraCon, Women in Infosec, and SCADA headaches

    Jul 17 2016

    Long time listeners will remember Ms. Cheryl #Biswas as one of the triumvirate we had on to discuss #mainframes and mainframe #security. (http://traffic.libsyn.com/brakeingsecurity/2016-008-mainframe_secruity.mp3) I was interested in the goings on at BlackHat/DefCon/BsidesLV, and heard about #TiaraCon (@tiarac0n on Twitter). I went to find someone involved to understand what it was all about, and Ms. Cheryl reached out. She's an #organizer and was more than happy to sit down with me to understan...more

  • 2016-027: DFIR conference, DFIR policy controls, and a bit of news

    Jul 10 2016

Mr. Boettcher is back! We talked about his experiences at the #DFIR conference, and we get into a discussion about the gap between incident response and the point where you actually need #digital #forensics. Mr. Boettcher and I discuss what needs to happen before #incident #response is required. We also discuss the Eleanor malware very briefly, and I talk about finding Platypus, a tool that wraps python/perl/shell scripts into OS X application bundles. Platypus:  http://sveinbjorn.org/platypus...more

  • 2016-026-powershell exfiltration and hiring the right pentest firm

    Jul 03 2016

     Adam Crompton (@3nc0d3r) and Tyler Robinson (@tyler_robinson) from Inguardians came by to fill in for my co-host this week. We talk about things a company should do to protect themselves against data exfil. Adam then shows us a tool he's created to help automate data exfil out of an environment. It's called 'Naisho', and if you're taking the 'Powershell for Pentesters' class at DerbyCon, you'll be seeing this again, as Adam will be co-teaching this class with Mick Douglas (@bettersafetynet). Ty...more

  • 2016-025-Windows Registry, Runkeys, and where malware likes to hide

    Jun 27 2016

The Windows registry has come a long way from its humble beginnings in #Windows 3.11 (Windows for Workgroups). This week, we discuss the structure of the Windows registry, as well as some of its inner workings. We also discuss some good places to look for malware, some of the key values that you can find in the #registry and what they mean. We also discuss what atomicity is and how the registry functions a lot like a database. And no podcast about Wind...more

  • 2016-024: Kim Green, on CISOaaS, the Redskins Laptop, and HIPAA

    Jun 20 2016

    We are pleased to introduce Ms. Kim Green (Twitter: @kim1green). She is the CEO of KAZO Security, as well as the CISO/CPO of Zephyr Health, a #SaaS based #Healthcare data #analytics company.  She brings over 20 years of experience in healthcare and leadership to help small and medium business companies get help from a #CISO to assist in an advisory role. Ms. Green also started a bug bounty program at Zephyr Health to assist them in shoring up their application, finding #vulnerabilities that thei...more

  • 2016-023- DNS_Sinkholing

    Jun 13 2016

Picture yourself in the middle of a security incident: a malware infection, or hosts on your network that are part of a botnet. You have figured out how the malware is communicating with its command and control servers, but if you just kill the connection, the malware simply stops functioning and you learn nothing more about it. What do you do? In some cases, you might be able to employ a DNS #sinkhole to route the traffic harmlessly to, or through, a honeynet that can be used to further analyze things like #infection vectors, #p...more
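The decision a sinkhole makes, as an added example that is not code from the episode: parse the incoming DNS query, and if the name (or a parent domain) is on the sinkhole list, answer the A query with the sinkhole address; non-A queries for listed names get an empty NOERROR (NODATA) answer, and unlisted names return None so the caller can forward them to a real resolver. There is no socket code here, only the wire-format handling; the domain names and the 10.0.0.1 sinkhole address are constructed.

```python
"""DNS sinkhole decision logic (added example, not from the episode).

Wire-format handling only: parse a query, answer A lookups for sinkholed
names with the sinkhole address, NODATA for other record types on those
names, and None for everything else so the caller forwards it upstream.
"""
import ipaddress
import struct

QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080

SINKHOLED = {"evil.example", "c2.invalid"}   # constructed block list (reserved names)
SINK_IP = "10.0.0.1"                         # constructed sinkhole address


def encode_name(name: str) -> bytes:
    """'evil.example' -> b'\\x04evil\\x07example\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode a possibly compressed name at offset; return (name, offset_after_name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 10:
                raise ValueError("pointer loop")
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else offset + 1)
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_query(packet: bytes) -> dict:
    """Header fields plus the single question; raises on anything unexpected."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    if flags & FLAG_QR or qd != 1:
        raise ValueError("expected a query with exactly one question")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"id": txid, "flags": flags, "qname": qname.lower(),
            "qtype": qtype, "qclass": qclass, "question": packet[12:off + 4]}


def build_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """Construct a recursion-desired query (what a stub resolver would send)."""
    header = struct.pack("!6H", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def sinkhole_response(packet: bytes, sinkholed: set, sink_ip: str, ttl: int = 60):
    """Return the response bytes for a sinkholed name, or None to forward upstream."""
    q = parse_query(packet)
    name = q["qname"]
    if name not in sinkholed and not any(name.endswith("." + d) for d in sinkholed):
        return None
    flags = FLAG_QR | FLAG_AA | (q["flags"] & FLAG_RD) | FLAG_RA
    if q["qtype"] == QTYPE_A and q["qclass"] == QCLASS_IN:
        answer = (b"\xc0\x0c"                                # pointer to question name
                  + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                  + ipaddress.IPv4Address(sink_ip).packed)
        return struct.pack("!6H", q["id"], flags, 1, 1, 0, 0) + q["question"] + answer
    # Listed name but e.g. AAAA/TXT: NOERROR with no answers (NODATA) keeps the client quiet.
    return struct.pack("!6H", q["id"], flags, 1, 0, 0, 0) + q["question"]


def answered_address(response: bytes):
    """Pull the A record address out of a response, or None if there is no answer."""
    _, flags, _, an, _, _ = struct.unpack("!6H", response[:12])
    if flags & 0x000F or an == 0:
        return None
    _, off = decode_name(response, 12)
    off += 4                                   # skip QTYPE/QCLASS of the question
    _, off = decode_name(response, off)        # answer owner name (a pointer)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    if rtype != QTYPE_A or rdlen != 4:
        return None
    return str(ipaddress.IPv4Address(response[off:off + 4]))


if __name__ == "__main__":
    for name in ("evil.example", "www.evil.example", "good.example"):
        r = sinkhole_response(build_query(name), SINKHOLED, SINK_IP)
        print(name, "->", "forward upstream" if r is None else answered_address(r))
```

In production the same decision usually lives in the resolver itself (a response policy zone in BIND, or local-data in Unbound) rather than in a hand-rolled listener; the value of writing it out is seeing exactly which packets the sinkhole must answer and which it must leave alone.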

  • 2016-022: Earl Carter dissects the Angler Exploit Kit

    Jun 06 2016

Earl Carter spends all day researching exploit kits and using that information to protect customers from various malware payloads that spread ransomware. This week we sit down with him to understand the #Angler EK. He starts us off with a history of where it came from and how it gained so much popularity, evolving from earlier EKs, like #BlackHole, or WebAttacker. We even discuss how it's gone from drive-by downloads, to running only in memory, to being used in malvertising campaigns. We even g...more

  • 2016-021: Carbon Black's CTO Ben Johnson on EDR, the layered approach, and threat intelligence

    May 29 2016

Ben Johnson (@chicagoben on Twitter) has spent a good deal of time working on protecting clients' endpoints, from his work at the NSA to being the co-founder of Carbon Black (@carbonblack_inc). We managed to have him on to discuss EDR (#Endpoint Detection and Response), TTPs (#Tactics, Techniques, and Procedures), and the #Threat #Intelligence industry. Ben discusses with us the Layered Approach to EDR: 1. Hunting 2. Automation 3. Integration 4. Retrospection 5. Patterns of Attack/Detection 6. indic...more

  • 2016-020-College Vs. Certifications Vs. Self-taught

    May 21 2016

    Dr. Matt Miller is a professor at the University of Nebraska at Kearney. We had him on to discuss a matter that seems to weigh heavily on the infosec community. What will a CS degree get you? What are you learning these days as a future code jockey? Is skipping college altogether better? We discuss what he does to arm future developers with the tools necessary to get a job. We hear about what they also might be lacking in as well. Dr. Miller is also spearheading a new cybersecurity degree track ...more

  • 2016-019-Creating proper business cases and justifications

    May 16 2016

    Procurement is a process. Often a long drawn out, tedious process, but it is necessary to ensure that hardware and software is going to be what works in your organization. We go over what is necessary to make sure your procurement is as smooth as possible. Some of the topics we discuss include: 1. Aligning business goals and operational goals 2. How to discuss ROI with management 3. Getting actionable information for business requirements from affected parties 4. Steering yourself away from conf...more

  • 2016-018-software restriction policies and Applocker

    May 09 2016

Windows has all the tools you need to secure an OS, but we rarely use them. One example is 'Software Restriction Policies', a mechanism that controls which executables are allowed to run, which file types may run from a given directory, and even whether software may be installed at all. We also discuss the use of parental controls as a cheap, easy method of restricting users from accessing certain websites, installing software from the iTunes store, or restricting...more

  • 2016-017-The Art of Networking, Salted Hashes, and the 1st annual Podcast CTF!

    May 02 2016

You might have heard "Network when you can, not when you have to..." The art of networking is creating connections and nurturing relationships that benefit everyone. This week we discuss building networks, creating people networks that allow for free sharing of ideas and knowledge, whether it be a professional organization, like ISSA or ISC2 meetings, or just getting a bunch of people together for coffee on a Saturday morning. We also brainstorm ideas on how people in our community keep their sk...more

  • 2016-016-Exploit Kits, the "Talent Gap", and buffer overflows

    Apr 25 2016

Angler, Phoenix, Blackhole... all famous exploit kits that are used to move malware into your environment. This week, Mr. Boettcher and I discuss how exploit kits function and what can be done to stop them. They are only getting more numerous, and they will be serving more malware to come. We shift gears and discuss the 'talent gap' the media keeps bringing up, and whether it's perceived or real. We discuss the industry as a whole, what caused the gap, and if it will get better...more

  • 2016-015-Dr. Hend Ezzeddine, and changing organizational security behavior

    Apr 16 2016

    Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-015-Dr._Hend_Ezzeddine_and_finding_security_training_that_works.mp3 iTunes Link: https://itunes.apple.com/us/podcast/2016-015-dr.-hend-ezzeddine/id799131292?i=366936677&mt=2 Dr. Ezzeddine's slides from Bsides Austin (referenced during the interview): https://drive.google.com/file/d/0B-qfQ-gWynwiQnBXMnJVeko4M25pdk1Sa0JnMGJrZmltWlRr/view?usp=sharing You open the flash animation, click click click, answer 10 security questions that you...more

  • 2016-014-User_Training,_Motivations,_and_Speaking_the_Language

    Apr 08 2016

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-014-User_Training_Motivation_and_Languages.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-014-user-training-motivations/id799131292?i=366433676&mt=2 Fresh back from my vacation, Mr. Boettcher and I got to discussing things that have weighed on our minds, and I had a story from my travels that fit in perfectly with our discussion. What does our industry (infosec practitioners) do to motivate people to be secure? Is it a language b...more

  • 2016-013-Michael Gough, the ISSM reference model, and the 5 P's

    Mar 26 2016

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-013-michael_gough-the_5_Ps.mp3 iTunes: https://itunes.apple.com/us/podcast/2015-013-michael-gough-issm/id799131292?i=365622423&mt=2 We discuss a model that Michael Gough used while he was at HP. The Information Security and Service Management (ISSM) Reference Model can be used to help companies align their IS and IT goals with the business's goals... If you've been a listener of our podcast for a while now, you might have heard our 2...more

  • 2016-012-Ben Caudill on App Logic Flaws, and Responsible Disclosure

    Mar 19 2016

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-012-Ben_Caudill-Application_Logic_Flaws.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-012-ben-caudill-on-app/id799131292?i=365094523&mt=2 Ever bought "-1" of an item on a retail site? Or been able to skip key areas of an application and get it to bypass authentication, or bypass a paywall on a site? Application logic flaws are often insidious and not easy to find. They often require a bit of work to byp...more

  • 2016-011-Hector Monsegur, deserialization, and bug bounties

    Mar 14 2016

    Download Here: http://traffic.libsyn.com/brakeingsecurity/2016-011-Hector_Monsegur-bug_bounties-serialization.mp3 iTunes Direct Link: https://itunes.apple.com/us/podcast/2016-011-hector-monsegur-serialization/id799131292?i=364768504&mt=2 Hector Monsegur has had a colorful history. A reformed black hat who went by the name 'Sabu' when he was involved in the hacker collectives "Lulzsec" and "Anonymous", he turned state's evidence for the FBI, working to stop further hacking attempts by the same ...more

  • 2016-010-DNS_Reconnaissance

    Mar 07 2016

DNS... we take it for granted... it's just there, and we only know it's broken when the boss can't get to Facebook. This week, we discuss the Domain Name System (DNS). We start with a bit of history: the origins of DNS, some of the RFCs involved in its creation, how its hierarchical structure allows resolution to occur, and even why your /etc/hosts file still matters. We discuss some of the common record types in your DNS zones: MX, CNAME, SOA, TXT, the provider-specific ALIAS record, and how DNS i...more

  • 2016-009-Brian Engle, Information Sharing, and R-CISC

    Feb 29 2016

    We've reached peak "Br[i|y]an" this week when we invited our friend Brian Engle on to discuss what his organization does. Brian is the Executive Director of the Retail Cyber Intelligence Sharing Center.  "Created by retailers in response to the increased number and sophistication of attacks against the industry, the R-CISC provides another tool in retailers’ arsenal against cyber criminals by sharing leading practices and threat intelligence in a safe and secure way." -- R-CISC website To lear...more

  • 2016-008-Mainframe Security

    Feb 22 2016

    This week's super-sized episode is brought to us thanks to previous guest Cheryl Biswas. You might remember her from our "Shadow IT" (http:/brakeingsecurity.com/2015-048-the-rise-of-the-shadow-it) podcast a few months ago. She reached out to us to see if we were interested in doing a podcast on mainframe security with her and a couple of gentlemen that were not unknown to us. Of course we jumped at the chance! You might know them as @mainframed767 and @bigendiansmalls (Chad) on Twitter. They've...more

  • 2016-007-FingerprinTLS profiling application with Lee Brotherston

    Feb 14 2016

We first heard about FingerprinTLS from our friend Lee Brotherston at DerbyCon last September. Very intrigued by how he was able to fingerprint the client applications in use from their TLS handshakes alone, we finally got him on to discuss it. We do a bit of history on #TLS and the versions from 1.0 to 1.2. Lee gives us some examples of how FingerprinTLS might be used by red teamers or pentesters to see what applications a client has on their systems, or if you're a blue team that has specific applica...more
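A simplified version of the idea, as an added example (this is not FingerprinTLS's code, and the fingerprint format below is an assumption of this example, not the tool's): parse the TLS ClientHello record, pull out the offered protocol version, cipher suites and extension types, drop the RFC 8701 GREASE values that browsers randomize per connection, and hash what is left into a fingerprint that can be matched against a table of known clients. The ClientHello bytes and the "known clients" table are constructed.

```python
"""Simplified TLS ClientHello fingerprinting.

Added example; not FingerprinTLS's code and not its fingerprint format.
Parses the handshake record, extracts version / cipher suites / extension
types, ignores GREASE values and hashes the rest.
"""
import hashlib
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values look like 0x0a0a, 0x1a1a, ..., 0xfafa. Clients pick them
    at random, so they must not become part of a fingerprint."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def parse_client_hello(record: bytes) -> dict:
    """Return the version, cipher suites and extension types offered in a ClientHello."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if rec_len < 4 or len(body) != rec_len or body[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                    # client_version, random
    pos += 1 + hello[pos]                            # session_id (length-prefixed)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                            # compression methods
    extensions = []
    if pos < len(hello):                             # very old clients send no extensions
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            extensions.append(etype)
            pos += 4 + elen
    return {"version": version, "ciphers": ciphers, "extensions": extensions}


def fingerprint(record: bytes) -> str:
    """version,ciphers,extensions (GREASE removed), hashed to a short id. Format is ours."""
    info = parse_client_hello(record)
    ciphers = "-".join(str(c) for c in info["ciphers"] if not is_grease(c))
    exts = "-".join(str(e) for e in info["extensions"] if not is_grease(e))
    text = f"{info['version']},{ciphers},{exts}"
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def identify(record: bytes, known: dict) -> str:
    """Look the fingerprint up in a table of known client applications."""
    return known.get(fingerprint(record), "unknown")


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Construct a ClientHello record (zeroed random, empty session id) for demos/tests."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (struct.pack("!H", version)
             + b"\x00" * 32                               # random
             + b"\x00"                                    # session_id length 0
             + struct.pack("!H", 2 * len(ciphers))
             + b"".join(struct.pack("!H", c) for c in ciphers)
             + b"\x01\x00"                                # one compression method: null
             + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample handshakes. A and A_REGREASED differ only in GREASE values,
# which is what happens between two connections from the same browser.
SNI = (0, b"\x00\x12\x00\x00\x0fwww.example.com")       # server_name extension body
GROUPS = (10, b"\x00\x02\x00\x1d")                        # supported_groups: x25519
HELLO_A = build_client_hello(0x0303, [0x1a1a, 0x1301, 0xc02b], [(0x0a0a, b""), SNI, GROUPS])
HELLO_A_REGREASED = build_client_hello(0x0303, [0x2a2a, 0x1301, 0xc02b], [(0x3a3a, b""), SNI, GROUPS])
HELLO_B = build_client_hello(0x0303, [0xc02b, 0x1301], [SNI, GROUPS])
KNOWN_CLIENTS = {fingerprint(HELLO_A): "constructed-client-a"}

if __name__ == "__main__":
    for label, h in (("A", HELLO_A), ("A again", HELLO_A_REGREASED), ("B", HELLO_B)):
        print(label, fingerprint(h), identify(h, KNOWN_CLIENTS))
```

Cipher suite order matters to the fingerprint, which is why two clients offering the same suites in a different order (HELLO_B vs HELLO_A) come out differently; that is the property that lets a blue team spot an unexpected application talking through a known port.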

  • 2016-006-Moxie_vs_Mechanism-Dependence_On_Tools

    Feb 08 2016

    This week starts with an apology to Michael Gough about comments I (Bryan) mangled on the "Anti-Virus... What is it good for?" podcast. Then we get into the meat of our topic... a person's "Moxie" vs. a mechanism Moxie: noun   "force of character, determination, or nerve."   Automation is a great thing. It allows us to do a lot more work with less personnel, run mundane tasks without having to think about them, and even allow us to do security scans on web applications and assets in your ent...more

  • 2016-005-Dropbox Chief of Trust and Security Patrick Heim!

    Jan 30 2016

Brakeing Down Security had the pleasure of having Patrick Heim join us to discuss a number of topics: Cloud migrations: What stops many traditional #companies from moving into #cloud based operations? What hurdles do they face, and what are some pitfalls that can hamper a successful #migration? We touched briefly on #BYOD and the use of personal devices in a business environment, as well as #Dropbox's deployment of optional #2FA and using #U2F keys for additio...more

  • 2016-004-Bill_Gardner

    Jan 24 2016

    BrakeSec Podcast welcomes Bill Gardner this week! Author, InfoSec Convention Speaker, and fellow podcaster... We break a bit from our usual rigid methods, and have a good ol' jam session with Bill this week. We talk about vulnerability management, career management, the troubles of putting together a podcast and more!   Bill's Twitter: https://www.twitter.com/oncee Bill's books he's authored or co-authored: http://www.amazon.com/Bill-Gardner/e/B00MZ9P0IG/ref=sr_ntt_srch_lnk_2?qid=1453607145&...more

  • 2016-003-Antivirus (...what is it good for... absolutely nothing?)

    Jan 18 2016

#Anti-virus products... they have been around for as long as many of us have been alive. The first anti-virus program, "Reaper", was written by Ray Tomlinson in 1971 to remove the first virus, "Creeper". This week, we discuss the efficacy of anti-virus. Is it still needed? What should blue teamers be looking for to make their anti-virus work for them? And what options do you have if you don't want to use anti-virus? We also argue about whether it's just a huge industry selling snak...more

  • 2016-002-Cryptonite- or how to not have your apps turn to crap

    Jan 11 2016

    This week, we find ourselves understanding the #Cryptonite that can weaken devs and software creators when dealing with #cryptographic #algorithms and #passwords. Lack of proper crypto controls and hardcoded passwords can quickly turn your app into crap. Remember the last time you heard about a hardcoded #SSH private key, or have you been at work when a developer left the #API keys in his #github #repo? We go through some gotchas from the excellent book "24 Deadly Sins of Software Security". A...more
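A pre-commit scan for the hardcoded-credential sin, as an added example that is not from the episode or the book: regex rules for an AWS access key id, a PEM private-key header and credential-style assignments, plus a Shannon-entropy check that catches long random-looking string literals the keyword rules miss. The SAMPLE source text is constructed (the AKIA... value is Amazon's documented example key id), and the entropy threshold and keyword list are assumptions chosen for this example.

```python
"""Pre-commit style scan for hardcoded credentials (added example, not from the podcast)."""
import math
import re

# Detection rules. The AWS access key id shape (AKIA + 16 uppercase alphanumerics) and
# the PEM header are real formats; the credential-assignment pattern is a heuristic.
RULES = [
    ("aws-access-key-id", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("private-key-block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("hardcoded-password",
     re.compile(r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{6,})["']""")),
]
# Candidates for the entropy check: quoted literals of 20+ base64/hex-like characters.
STRING_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 4.0     # bits per character; assumption tuned for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, words and filler score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Never echo the whole secret into scanner output or CI logs."""
    return secret[:4] + "..." + "*" * 4


def scan_line(lineno: int, line: str) -> list:
    findings = []
    for name, pattern in RULES:
        m = pattern.search(line)
        if m:
            findings.append((lineno, name, redact(m.group(m.lastindex or 0))))
    if findings:
        return findings                       # already flagged; skip the weaker heuristic
    for m in STRING_LITERAL.finditer(line):
        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high-entropy-string", redact(m.group(1))))
    return findings


def scan_source(text: str) -> list:
    """Return (line number, rule, redacted match) for every suspicious line."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        out.extend(scan_line(lineno, line))
    return out


# Constructed source file with four problems and four lines that must not fire.
SAMPLE = """import os
DB_PASSWORD = "hunter22"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
token = os.environ.get("API_TOKEN")
-----BEGIN RSA PRIVATE KEY-----
greeting = "hello world this is fine"
signing_key = "qR7tV9xM2kP4lZ6hJ8wN3bC5yD1sF0gA"
filler = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for lineno, rule, snippet in scan_source(SAMPLE):
        print(f"line {lineno}: {rule} ({snippet})")
```

Wire it into a pre-commit hook or the CI pipeline so the finding blocks the commit; once a key has been pushed to a public repo, rotating it is the only remedy, because history rewrites do not un-leak it.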

  • 2016-001: Jay Schulmann explains how to use BSIMM in your environment

    Jan 03 2016

#Jay #Schulman is a consultant with 15+ years of experience helping organizations implement #BSIMM and other frameworks. For our first #podcast of 2016, we invited him on to discuss BSIMM further and the best way he has found to implement it in a company's #security #program. Jay Schulman's #website: https://www.jayschulman.com/ Jay's Podcast "Building a Life and Career in Security" (iTunes): https://itunes.apple.com/us/podcast/building-life-career-in-security/id9945503...more

  • 2015-054: Dave Kennedy

    Dec 27 2015

Dave Kennedy does a lot for the infosec community. As owner/operator of 2 companies (Binary Defense Systems and TrustedSec), he is also an organizer of #DerbyCon and an active contributor to the Social Engineering Toolkit (#SET). You can also find him discussing the latest hacking attempts and breaches on Fox News and other mainstream media outlets. But this time, we interview Dave Kennedy because he has been elected to the ISC2 board. He will be serving a 3 year term with Wim Remes (who we...more

  • 2015-053: 2nd annual podcaster party

    Dec 22 2015

    This week, we went off the tracks a bit with our friends at Defensive Security Podcast, and PVC Security Podcast. We discussed a bit of news, talked about how our podcasts differ from one another, the 'lack of infosec talent', and sat around talking about anything we wanted to. Sit back with some eggnog, and let your ears savor the sounds of the season.  Many thanks to Andrew Kalat, Jerry Bell, Edgar Rojas, Paul Jorgensen, and co-host Brian Boettcher for getting together for some good natured f...more

  • 2015-052: Wim Remes-ISC2 board member

    Dec 17 2015

I got a hold of Mr. Wim Remes, because he was elected to the ISC2 board in November 2015. Recent changes to the CISSP included cutting the long-standing 10 domains down to 8, plus a major revamp of all of them. I wanted to know what Mr. Remes' plans were for the coming term, how the board works, and how organizations like ISC2 drive change in the industry. I also asked Wim how he is trying to ensure that the CISSP and the other certs remain current and competitive. This is a ...more

  • 2015-051-MITRE's ATT&CK Matrix

    Dec 10 2015

    #MITRE has a Matrix that classifies the various ways that your network can be compromised. It shows all the post-exploitation categories from 'Persistence' to 'Privilege Escalation'. It's a nice way to organize all the information. This week, Mr. Boettcher and I go over "#Persistence" and "#Command and #Control" sections of the Matrix.  Every person who attacks you has a specific method that they use to get and keep access to your systems, it's as unique as a fingerprint. Threat intelligence c...more

  • 2015-049-Can you achieve Security Through Obscurity?

    Dec 04 2015

    That's the question many think is an automatic 'yes'. Whether your Httpd is running on port 82, or maybe your fancy #wordpress #module needs some cover because the code quality is just a little lower than where it should be, and you need to cover up some cruft. This week, Mr. Boettcher and I discuss reasons for obscuring for the sake of #security, when it's a good idea, and when you shouldn't #obscure anything (hint: using #ROT-14, for example). #encryption #infosec Show Notes: https://docs.g...more

  • 2015-048: The rise of the Shadow... IT!

    Nov 27 2015

    Cheryl Biswas gave a great talk last month at Bsides Toronto.  I was intrigued by what "Shadow IT" and "Shadow Data" means, as there appears to be some disparity. Why can't you write policy to enforce standards? As easy as it sounds, it's quickly becoming a reason young talented people might skip your company. Who wants to use Blackberries and Gateway laptops, when sexy new MacBook Airs and iPhone 6S exist? This also leads to the issue of business data being put on personal devices, which as an...more

  • 2015-047-Using BSIMM framework to measure the maturity of your software security lifecycle

    Nov 21 2015

    Business Security in Maturity Model (#BSIMM) is a #framework that is unique in that it gives your company a measuring stick to know how certain industry verticals stack up to yours... We didn't want to run through all 4 sections of the BSIMM, so this time, we concentrated on the #software #security standards, the "Deployment" section specifically... BSIMMV6 download (just put junk in the fields, and download ;) ): https://www.bsimm.com/download/ Direct Link: http://traffic.libsyn.com/brakeing...more

  • 2015-046: Getting Security baked in your web app using OWASP ASVS

    Nov 10 2015

    During our last podcast with Bill Sempf (@sempf), we were talking about how to get developers to understand how to turn a vuln into a defect and how to get a dev to understand how vulns affect the overall quality of the product. During our conversation, the term "ASVS" came up. So we did a quick and dirty session with Bill about this. It's a security #requirements #document that ensures that projects that are being scoped out are meeting specific security requirements. This can be a valuable ...more

  • 2015-045: Care and feeding of Devs, podcast edition, with Bill Sempf!

    Nov 04 2015

    When you receive a #pentest or vuln scan report, we think in terms of #SQLi or #XSS. Take that report to your dev, and she/he sees Egyptian hieroglyphics, and we wonder why it's so difficult to get devs to understand. It's a language barrier, folks. They think in terms of defects or how something will affect the customer experience. We think in terms of #vulnerabilities, and what caused the issue. We need to find that common ground, and often, that will mean us heading into unfamiliar territory. It ...more

  • 2015-044-A MAD, MAD, MAD, MAD Active Defense World w/ Ben Donnelly!

    Oct 30 2015

    It's a madhouse this week! We invited Ben Donnelly (@zaeyx) back to discuss a new software framework he's crafted, called #MAD Active Defense. Ben wants to make Active Defense simple enough for even the busiest blue teamer. The interface takes its design from other well known #software frameworks, namely #Metasploit, #REcon-ng, and even a bit of #SET, he said. We even did a quick demo of MAD, discussed the tenets of #Active #Defense, and talked about a little skunkworks project of Ben's that yo...more

  • 2015-043: WMI, WBEM, and enterprise asset management

    Oct 22 2015

    WMI (Windows Management Instrumentation) has been a part of the Windows operating system since Windows 95. With it, you can make queries about information on hosts, locally and even remotely. Why are we talking about it? Its use in the enterprise by admins is rare, but its use by bad actors for moving laterally is growing. It's highly versatile, able to be scripted, and can even be used to cause triggers for when other programs run on a system. Mr. Boettcher and I sit...more

  • 2015-042: Log_MD, more malware archaeology, and sifting through the junk

    Oct 14 2015

    Just before #Derbycon, we invited Michael Gough (@hackerhurricane) to join us on the #podcast.  For the last 3-4 months, my co-host Brian and he were engaged in the creation of a software tool that would make #log #analysis of #windows systems quicker, and together they have achieved that with "Log-MD", short for Log Malicious Discovery. For hosts infected with #Malware and #bots, they always leave a fingerprint of what they are doing behind. This software takes your system, configures it to g...more

  • Derbycon Audio - post-Derby interviews!

    Oct 10 2015

    In our last bit of Derbycon audio, I discussed DerbyCon experiences with Mr. Boettcher, Magen Wu (@tottenkoph), Haydn Johnson (@haydnjohnson), and Ganesh Ramakrishnan (@hyperrphysics).  We find out what they liked, what they didn't like, and you get a lot of great information about packing for a con, things you can do to improve your convention going experience. Hopefully, you'll hear the amount of fun we had, and find the time to go to a convention. There are literally hundreds, many only few ...more

  • Derbycon - A podcast with Podcasters! *explicit*

    Sep 30 2015

    Mr. Boettcher and I attended Derbycon, and while he was out attending talks, I got invited to do a podcast with some of the other podcasts who were there.  Special thanks to Edgar Rojas, Amanda Berlin, Jerry Bell, Andrew Kalat, Paul Coggin, Tim DeBlock, and everyone else at our recording.  We have a bit more audio that we will post this month, including a discussion of a tool Mr. Boettcher and Michael Gough collaborated on to make windows malware analysis easier to do.

  • 2015-040: Defending against HTML 5 vulnerabilities

    Sep 21 2015

    Last week, we discussed with Shreeraj Shah about HTML5, how it came into being, and the fact that instead of solving OWASP issues, it introduces new and wonderful vulnerabilities, like exploiting locally stored web site info using XSS techniques, and doing SQLI on the new browser WebSQL. So this week, it's all about defensive techniques that you can use to educate your developers against making mistakes that could get your company's web application on the front page of the newspaper.

  • 2015-039: Hazards of HTML5

    Sep 14 2015

    Shreeraj Shah (@shreeraj on Twitter) came on this week to give us a run-down of some of the issues with HTML5. How can a new standard actually be worse than something like Flash? And why would a standard not address existing OWASP issues, and even create new issues, like the ability of a browser to have a database inside of it managing everything? This week we discuss HTML5 history, some of the pitfalls, and discuss some of the new technologies found in HTML5 that will create more headaches for...more

  • 2015-038-Influence Vs. Mandate and Guardrails vs. Speedbumps

    Sep 07 2015

    When we wanted to have Martin Fisher on, it was to discuss 'Security Mandate vs. Security Influence'. We wanted to discuss why companies treat compliance as more important, and if it's only because business requires it to be done. And if infosec is a red headed stepchild because they often don't have the guidance of a compliance framework.   But it ended up going in another direction, with Martin discussing infosec leadership, and how we as agents of infosec should be 'guardrails' instead of '...more

  • 2015-037-making patch management work

    Aug 31 2015

    Once you find a vulnerability, how do you handle patching it? Especially when devs have their own work to do, there are only so many man hours in a sprint or development cycle, and the patching process could take up a good majority of that if the vuln is particularly nasty. One method is to triage your patches, and we discuss that this week with Mr. Boettcher. We also talk about how our respective companies handle patching of systems. We also discuss what happens when compensating controls run...more

  • 2015-036: Checkbox security, or how to make companies go beyond compliance

    Aug 24 2015

    Checkbox Security... checklists that compliance people require you to follow, and many security people have to fall in line, because they often have no choice. But what if there was a way to use compliance requirements to get beyond the baseline of PCI/SOCII/HIPAA, and get to be more secure? Magen Wu (@tottenkoph), Mr. Boettcher, and I spent a bit of time discussing just that. We discuss basic issues with compliance frameworks, how to get management to buy in to more security, and even how you can g...more

  • 2015-035: Cybrary.it training discussion and Bsides Austin Panel

    Aug 16 2015

    After last week's discussion of end-user training in the SANS top 20 security controls, we realized that it would be great to discuss how a company involved in training does proper training.   So we hit up our sponsor at Cybrary.it to discuss their end-user security training track and how companies can use it to help their employees to be more secure in their workplace.   We end the podcast with a bit of audio from the Bsides Austin blue/red panel Mr. Boettcher moderated. He asked them about...more

  • Flashback: 2014-001_Kicking some Hash

    Aug 15 2015

    For long time listeners of the podcast, back when Brian and I wanted to do the podcast, we were working at the same company, and the first podcast we did was on hashes.    Bob story: Bob was getting tired of explaining what MD5, SHA1, SHA2 were to developers, so as we were developing our idea for the podcast, this was the first episode we had. Mr. Boettcher had several ideas for podcasts prior to. I was actually gonna go it alone, but wanted him to join me. Thankfully, he broached the idea of...more

  • 2015-034: SANS Top20 Security Controls #9 - CTFs - Derbycon discussion

    Aug 10 2015

    End User training. Lots of companies have need of regular security training. Many treat it as a checkbox for compliance requirements, once a year. With the way training is carried out in many organizations, is it any wonder why phishing emails still get clicked, passwords still get compromised, and sensitive information is still leaked? We discuss methods to make training more effective, and how to make people want to do training. Finally, we discuss Capture-The-Flag competitions, and why it...more

  • 2015-033: Data anonymization and Valuation, Privacy, and Ethical medical research

    Aug 03 2015

    Katherine Carpenter is a privacy consultant who has worked all over the world helping to develop guidelines for ethical medical research, sharing of anonymized data, and helping companies understand privacy issues associated with storing and sharing of medical data. This week, we discuss how companies should assign value to their data, the difficulties of doing research with anonymized data, and the ramifications of research organizations that share data irresponsibly. email contact: ca...more

  • 2015-032: Incident response, effective communication, and DerbyCon Contest

    Jul 26 2015

    In an incident response, the need for clear communication is key to effective management of an incident. This week, we had Mick Douglas, DFIR instructor at SANS, and Jarrod Frates, who is a pentester at InGuardians, and has great experience handling incidents. Find out some roles in an incident response (the Shadow, the event coordinator, the lead tech), and how companies should have an IR plan that handles various 'incident severities'. Jarrod updates us on "TheLab.ms" and how you might like ...more

  • 2015-031: Fab and Megan-High_Math-Psychology_and Scarves

    Jul 18 2015

    Strap yourselves in ladies and Gentlemen.  With Mr. Boettcher gone on "vacation" this week, I needed some help with the podcast, and boy did we pick a doozy.  If you're a fan of Turing Complete algorithms, frankly, who isn't ;) , we had Ms. Fabienne Serrière (@fbz) and Ms. Magen Wu (@tottenkoph) who discuss higher order math and psychology on our podcast this week. We also discuss a little project management and even talk about why proper survey sizes and getting a good cross-section is importa...more

  • 2015-030: Bsides Austin panel Discussion (Red Team vs. Blue Team)

    Jul 13 2015

    My podcast co-host Brian Boettcher, along with Kate Brew, an Austin, TX based security blogger, headed up this panel called "Red Team Vs. Blue Team". The idea was to ask people from various sides of the aisles (attackers and defenders) pressing questions about how the industry operates. Infosec heavyweights like Kevin Johnson (@secureideas), Mano Paul (@manopaul), Josh Sokol (@joshSokol), made this a very excellent podcast...   We hope you enjoy!

  • 2015-029: Big Brown cloud honeyblog with @theroxyd

    Jul 06 2015

    Roxy, who we interviewed a few months ago on our podcast about hackerspaces, is back with us this week to discuss a project she is working on, called 'Big Brown Cloud'. If you've ever wanted to set up your own fake blog and send people to it to gain information on possible attacks, you've come to the right place. We also get an update on the hackerspace that Jarrod, Sean, and Roxy were getting set up a few months ago. They've come a long way, and they are about to move into their new facilit...more

  • 2015-028: using log analytics to discover Windows malware artifacts

    Jun 29 2015

    In this podcast, you'll learn about: log analytics software that can be used to parse system logs for nasty malware; detecting malware artifacts; Windows directory locations to look in for indicators like packing, changed hashes, etc.; tips for capturing malware using tools like RoboCopy; and what code caves are and how malware hides inside them (http://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves). SANS DFIR poster - https://www.sans.org/security-reso...more

  • 2015-027- detecting malware in Windows Systems with Michael Gough

    Jun 22 2015

    Michael Gough joined us again to discuss malware detection techniques on Windows systems. We talk about how you can modify Powershell's defaults to allow for better logging potential. Also, we find out some hidden gems that pretty much guarantee to let you know that you've been infiltrated.  Stay for the powershell security education, and you also learn some new terminology, like "Malware Archaeology", Malwarians, and 'Log-aholic', to name a few...

  • 2015-026- Cloud Security discussion with FireHost

    Jun 14 2015

    This week, we discuss various methods of enabling companies to move applications to cloud based platforms. We discuss containers, like Docker, and how various hosting services handle converting businesses from a traditional data center to a secure, cloud based entity. We even discuss securing the data in the cloud, preventing bad guys from accessing it, as well as the cloud provider themselves, who can be served with a subpoena to hand over data. Brakeing Down Security would like to thank F...more

  • 2015-025: Blue Team Army, Powershell, and the need for Blue team education

    Jun 08 2015

    With last week's revelation from Microsoft that they will support SSH, understanding powershell has become more important than ever as a tool to be used by blue teamers, both for administration, and to understand how bad guys will use it for nefarious deeds on your network. Part 2 of our interview with Mick Douglas discusses a bit more about the DEV522 class that he teaches for SANS, and why it seems that blue team (defenders) are not getting the training they should. By being deficient in n...more

  • 2015-024: Is a good defense the best offense? Interview w/ Mick Douglas!

    May 31 2015

    We had the opportunity to discuss with Mick Douglas the fact that there is a stigma of blue team always being on the losing end of security. Is it because there are more tools for the pentesters or bad guys, or that it takes a massive IT budget to be secure? We don't believe so... Great insights into how a blue team can protect their network.

  • 2015-023_Get to know a Security Tool: Security Onion!

    May 26 2015

    Having a more secure network by deploying tools can be no easy task. This week, we show you a tool, Security Onion, that can give you an IDS and log analysis tool in less than 20 minutes.  http://blog.securityonion.net/p/securityonion.html

  • 2015-022: SANS Top 25 Critical Security Controls-#10 and #11

    May 17 2015

    When you're working with network infrastructure, there's a real need for proper configuration management, as well as having a proper baseline to work from. Mr. Boettcher and I continue through the SANS Top25 Critical Security Controls. #10 and #11 are all dealing with network infrastructure. Proper patches, baselines for being as secure as possible. Since your company's ideal security structure needs to be a 'brick', and not an 'egg'.  

  • 2015-021: 24 Deadly Sins: Command injection

    May 10 2015

    We continue our journey on the 24 Deadly Programming Sins. If you listened to last week's podcast, we introduced the book we were using as a study tool: http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751 This week is on command injection. We first discussed command injection as part of our OWASP Top 10 for 2013, but you'll be surprised just how easy devs compile conditions that allow for command injection into their code as well.

  • 2015-020 - Deadly Programming Sins - Buffer Underruns

    May 03 2015

    Code Audits are a necessary evil. Many organizations resort to using automated tools, but tools may not find all issues with code. Sometimes, you need to take a look at the code yourself. Mr. Boettcher and I begin going through the book "24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them". What we covered this week is "buffer overruns"; we discuss what they are, and how they occur. Get ready for a crash course in code audits. The book is not required, but it definitely ...more

  • 2015-018- How can ITIL help you flesh out your infosec program?

    Apr 26 2015

    When you're faced with major projects, or working to understand why your IDS fails every day at the same time, there must be a way to work that out. Or when you must do the yearly business continuity failover, you need a process oriented framework to track and ensure changes are committed in a sane, orderly manner. ITIL is a completely versatile, flexible framework that scales with your organization. You can also use it with your software development lifecycle. You can use it to enhance major p...more

  • 2015-017: History of ITIL, and integrating Security

    Apr 18 2015

    Much of InfoSec and Compliance is all about processes, procedures, controls, audits, and the proper management of all of these.  To do so, you need a proper framework to make these as seamless as possible. ITIL is one of these types of frameworks. We introduce Mr. Tim Wood on the podcast, who has over 20 years of ITIL experience and began ITIL implementations in banks and Healthcare systems in the United Kingdom. He currently works with different industries to change culture and make an ITIL a ...more

  • 2015-016: Special Interview: Cybrary.it

    Apr 07 2015

    Special interview this week! On the heels of their uber successful KickStarter campaign, we brought co-founder Ryan and one of the technical editors Anthony in to discuss what Cybrary is. We also discuss ways you can leverage it in your own business to get quality security awareness training, as well as train up your employees on infosec topics that can benefit your company and employees. You can find out more at http://www.cybrary.it

  • 2015-015: 2015 Verizon PCI report

    Apr 04 2015

    It's that time of year again... when all the reports come out that show how various industries did over the last year. Brakeing Down Security went over the results of the Verizon PCI report. Did companies do worse this year, or could they have actually improved? Listen to our analysis, and what companies can do to learn from this, and how you can use this report to help get a leg up when your QSA comes calling. http://www.verizonenterprise.com/pcireport/2015/ Pay IRS using "Snapcard...more

  • 2015-014-SANS Top 20 Controls - #12 and #13

    Mar 28 2015

    We continue our trek down the list of SANS Top 20 Critical Security Controls this week with #12 and #13 - Boundary Defense, and Controlled use of Administrative Privileges. Learn what you can do to shore up your network defenses, and how to handle admin privileges... When to give that kind of access, and how to make privileged access as secure as possible while still allowing administrators to do their work. https://www.sans.org/media/critical-security-controls/CSC-5.pdf http://www...more

  • 2015-013-Hackerspaces and their sense of community

    Mar 21 2015

    We invited the organizers of the "TheLab.ms", a Dallas, Texas based hacker/makerspace on the podcast to talk about why they wanted to start a makerspace, the costs and plans to setup a hacker space, and some of the things you can do with a makerspace. We also understand the sense of community and the learning environment gained from these places.  If you are looking to start a 'space in your area, or looking to understand why they are needed in a community, you'll want to listen to Roxy, Sean, ...more

  • 2015-012-Fill In podcast with Jarrod and Lee!

    Mar 15 2015

    Mr. Boettcher went on vacation and was volunteering for Austin Bsides this week, and I needed to do a podcast, so I enlisted the aid of Lee Brotherston and Jarrod Frates to discuss some important topics. We discuss the seemingly short talent pool for IT/IS positions. We talk about the ROWHAMMER vulnerability and how it may affect your organization. Additionally, we talk about how the NTP protocol is being maintained by one person and what can be done to help with that, as it is a critical piece o...more

  • 2015-011- Why does BeEF and metadata tracking keep I2P developers up at night?

    Mar 07 2015

    In our continuing discussion with Jeff and "Str4d", we got right to the heart of the matter: Privacy and anonymity. If you're trying to remain anonymous, what steps do the devs of I2P use to keep themselves as anonymous as possible? We also touch on what the "Browser Exploitation Framework" is, and why it scares the heck out of Jeff. Finally, I ask them if there are any real 'good' sites on I2P, because of how the media seems to latch on to any story where we hear the bad things of any anon...more

  • 2015-010 - How can you use I2P to increase your security and anonymity?

    Feb 28 2015

    Mr. Boettcher got a hold of the developers and maintainers of the anonymizing network "I2P". We talked with "str4d" and "Jeff" this week. In Part 1 of the interview, we discuss the technical aspects of I2P, how it functions, how 'Garlic routing' works, and how the flood Fill servers allow for I2P to function effectively. In the final segment, we discuss form factors, specifically if I2P is available for embedded systems like Raspberry Pi. If you find Tor not to your liking, give I2P a try... ...more

  • 2015-009-Part 2 with Pawel Krawczyk

    Feb 21 2015

    The second part of our interview with Pawel discussed Content management systems, and how you can integrate CSP in Drupal, Django, and the like. Content managers, you'll want to listen to this, especially about how CSP can help you secure the content on your systems, as well as protect customers from web based attacks using the sandboxing functions of CSP. Pawel's Blog = ipsec.pl Pawel's CSP builder app = cspbuilder.info Quick Guide to CSP: http://content-security-policy.com/

  • 2015-008- Make your web Apps more secure with Content Security Policy (part 1)

    Feb 16 2015

    Pawel Krawczyk did an interview with us about Content Security Policy. Learn about what it is, and whether or not the latest browsers can support it.   We also talk about how you can get around it, if there are ways to avoid it if you are a bad guy, and how you can get the most out of it. If you're a web developer, and want to reduce your site's chances of allowing XSS, you'll want to take a listen to this.   https://w3c.github.io/webappsec/specs/content-security-policy/#changes-from-level-...more

  • 2015-007-SANS_Top20_14and15--Proving_Grounds_Microcast with Magen Wu!

    Feb 10 2015

    Extra special treat this week!  We do a continuation of our review of the Top 20 Security Controls, in which we do #14 and #15, which all of you will find very interesting.   But the real reason we are posting this today is the Call for Papers and Call for Mentors for the Bsides Las Vegas Proving Grounds! We invited Magen Wu (@tottenkoph) on to discuss. If you've ever asked yourself "I'd like to give a talk, but they'd never put me on"  NOW IS YOUR CHANCE! :) This is a great opportunity if yo...more

  • 2015-006- Is your ISP doing a 'man-in-the-middle' on you?

    Feb 07 2015

    During our research with Lee Brotherston, who we had on last week for our podcast on threat modeling, we got to listen to one of his talks about how his ISP in Canada was actively doing a Man-in-the-Middle injection of a banner into sites that he visited. We were intrigued, and also gobsmacked (I can say that, right?) about the brashness of an ISP not apparently understanding the security implications of this, so we had him back on to talk about the finer points of his research. The bad news? ...more

  • 2015-005: Threat Modeling with Lee Brotherston

    Feb 01 2015

    Threat Modeling... ranks right up there with Risk Assessments in importance... You gotta figure out how the applications you're creating or the systems you're engineering are secure. It really takes knowing your application and, really, knowing the enemies/factors that can cause your application to fail, from sanitizing inputs on a web app, to making sure that your code doesn't have use-after-free bugs. Brakeing Down Security talked about conducting threat modeling and application reviews with ...more

  • 2015-004-SANS Top 20: 20 to 16

    Jan 25 2015

    Mr. Boettcher and I went over the bottom 5 of the SANS Top 20 security controls that businesses should implement. When put into the right order, you should be able to have an environment that is able to withstand most any attack. We also talk about 5 'Quick Fixes' that will put you on the right track with becoming more secure.   You may be surprised at what is considered a priority...  have a listen: (QR code links to the mp3)   Show notes: https://docs.google.com/document/d/1JuRJ-RPTmw50pT...more

  • All About Tor

    Jan 17 2015

    Brakeing Down Security tackles the 'Deep Web' this week... yep, we talk about Tor. If you don't have a lot of experience with this or wonder how it works, we give you a little history and help you understand how the traffic flow works. We even give you some advice on de-identification and things you shouldn't allow when traveling the Deep Web, like Javascript, Flash, and Java. Show Notes: https://docs.google.com/document/d/1vBI_bg_0RzF_sSNMj84xQpEZGUrxtAkB8SxZ08MzUi0/edit?usp=sharing ...more

  • Episode 2: Big Trouble in Small Businesses

    Jan 10 2015

    Security's the same, the world around...  and is a necessity in businesses of all sizes, from the mega-corporations, all the way down to the business with 10 employees in a garage in suburbia. This week, Mr. Boettcher and I discuss security in small businesses. What is needed to make security part of the culture of a new company. We discuss some open source tools to ensure that networks are monitored properly, logs are collected, collated, and analyzed. And better yet, these are on the cheap, w...more

  • 2015-001- "unhackable" or "attacker debt"

    Jan 04 2015

    This is a quick little podcast I did without Mr. Boettcher about a Twitter discussion that occurred when Dr. Neil Degrasse Tyson mentioned that we should just make computers 'unhackable'. The first episode of the 2015 season of Brakeing Down Security is here! Tweet from Dr. Neil Degrasse Tyson: https://twitter.com/neiltyson/status/551378648578916353 Rebuttal from Kevin Johnson: https://twitter.com/secureideas/status/551510885441998848 ...more

  • Is Compliance running or ruining Security Programs?

    Dec 26 2014

    We at Brakeing Down Security world headquarters don't understand the concept of an 'End of the Year' podcast, so consider this the "End-End of the Year" podcast. We talked about the order of things... whether Compliance is a detriment to Security, and who should be running who. So pull up a glass of eggnog, grab another cookie, and put another log on the fire, 'cause Brakeing Down Security is throwing out one more for the year! Happy Holidays... all of them... :)

  • Brakeing Down/Defensive Security Mashup!

    Dec 21 2014

    It's a Super Deluxe sized Brakeing Down Security this week... It's something you've dreamed of forever (or not), but Jerry Bell and Andrew Kalat from Defensive Security Podcast stopped by and we made ourselves a podcast baby... Boy, was it ugly :) I'm just kidding, we had a great time discussing some news, and going over what we learned... and any good end-of-year podcast must have predictions... We also discussed Sony, 'cause it's the huge news of the year, and talked about Target, because we ...more

  • Tyler Hudak (@secshoggoth) Discusses incident response, and DIY malware research

    Dec 15 2014

    This week, Tyler gave us a great deal of information on where to start if you wanted to become a malware researcher. He also gave us websites where you can get malware and ways to analyze it.  We asked Tyler what blue teams can do when they are infected, and he gave us some excellent advice... I also recite some prose from a classic horror author, so come for the malware, stay for the prose! :) ***NOTE: I guess now would be a good time to mention that many of the links below have unsafe softw...more

  • Tyler Hudak discusses malware analysis

    Dec 08 2014

    Tyler Hudak (@secshoggoth) came to discuss with us the process of doing analysis on malware binaries. We talk about MASTIFF, his malware framework.  We also discuss how to gain information from malware program headers, and some software that is used to safely analyze it. Helpful Links: Ida Pro: https://www.hex-rays.com/products/ida/ Process Monitor - http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx Mastiff White Paper: http://digital-forensics.sans.org/blog/2013/05/07/mastiff-fo...more

  • Part 2 w/ Ben Donnelly -- Introducing Ball and Chain (making password breaches a thing of the past)

    Dec 01 2014

    Last week, we talked with Ben Donnelly about ADHD (Active Defense Harbinger Distro). But Ben isn't a one trick pony, oh no... this young punk is trying to solve fundamental problems in the business industry, in particular securing passwords. That's why he's been working with Tim Tomes (@lanmaster53) and invented 'Ball and Chain', which is a large (>2TB) file that can be used to help generate passwords and entropy. Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybe...more

  • Active Defense and the ADHD Distro with Ben Donnelly

    Nov 22 2014

    We snagged an interview with Benjamin Donnelly, a maintainer of the Active Defense Harbinger Distribution (ADHD), version 0.60. A thoroughly enjoyable conversation with a new up-and-coming security professional. He's the future, and he is already contributing a lot of great info to the infosec industry. Part 1 is all about ADHD; next week, we discuss his talk about a project he's working on that will remove the threat of password breaches using 'Ball and Chain'. And it's all open source....more

  • WebGoat install video with Mr. Boettcher!

    Nov 20 2014

    My man Mr. Boettcher posted up a video on how to install OWASP's WebGoat vulnerable web application! He walks you through WebGoat 5.4, and even gives you some tips on solving issues that he'd found. And to make it even easier, he's given you some instructions below. Hope you enjoy, especially if you've had issues setting up WebGoat in the past.
    Webgoat 5.4 instructions
    ========================
    1. Search Google and download the WAR file (From Bryan: Here's the link -- https:/...more

  • Active Defense: It ain't 'hacking the hackers'

    Nov 18 2014

    Active Defense... It conjures images of the lowly admin turning the tables on the evil black hat hackers, and giving them a dose of their own medicine by hacking their boxes and getting sweet, sweet revenge... But did you know that kind of 'revenge' is also rife with legal ramifications, even bordering on being illegal?? This week, Mr. Boettcher and I tackle this prickly subject, and discuss some software you can use to 'deter, prevent, and dissuade' potential bad guys... ADHD Training (cour...more

  • Interview Part 2 with Paul Coggin: Horror stories

    Nov 09 2014

    If you think Halloween was scary, Paul Coggin gives us another reason to curl up in the fetal position as he explains Lawful Intercept and Route Maps. And what's worse, your 3rd party auditors are starting to get the tools that will make you address network protocol issues. Lots of great material here below in our show notes, including some tools (free) that you can use to get yourself schooled on network protocols. http://www.zdnet.com/researcher-describes-ease-to-detect-derail-and...more

  • Interview with Paul Coggin (part 1)

    Nov 03 2014

    One of the talks my colleague got to see was Paul Coggin's talk about Internetworking routing and protocols. In this interview, we discuss some tools of the trade, how MPLS isn't secure, and why you should be doing end-to-end encryption without allowing your VPN or circuit provider to do it for you... If you have any interest in network security, including the higher order network protocols like BGP, MPLS, ATM, etc... you'll want to check out his DerbyCon talk, and our interview... Paul's...more

  • Learning about SNMP, and microinterview with Kevin Johnson

    Oct 25 2014

    In an effort to educate ourselves for an upcoming interview, we sat down and talked about SNMP (Simple Network Management Protocol). We get into the basics, the ins and outs of the protocol, the different tools that use (or exploit) SNMP, and we talk about how to better secure your SNMP implementation. You should listen to this, because next week's interview will knock your socks off. :) Finally, we end with a DerbyCon interview Mr. Boettcher snagged with our friend Mr. Kevin Johnson about how ...more

  • Keep Calm and take a tcpdump! :)

    Oct 20 2014

    Tcpdump is just one of the tools that will make troubleshooting network issues, or testing applications, or even finding out what traffic is being generated on a host all that much easier.  This podcast is to help you understand the Tcpdump program, and how powerful it is...   http://danielmiessler.com/study/tcpdump/ http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/ http://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/ http://www.amazon.com/TCP-Illustrated-Vol-Addis...more

  • Part 2 with Jarrod Frates - how pentesting is important

    Oct 13 2014

    Part 2 of our interview with Jarrod Frates (FRAY-tes). We ask him about the value that a pentest can create, the way that the 'perfect' pentest can change culture and help create dialogue. Also, we talk about how to take your automated testing info and then shift gears to manual testing... when to stop doing automated testing, and do the manual testing. Hope you enjoy, have a great week! Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin Mac...more

  • DerbyCon report and Shellshock news

    Oct 06 2014

    We went a little off the beaten path this week. I wanted to talk to Mr. Boettcher about his experience at DerbyCon, and we ended up having another friend of ours who also attended DerbyCon, Jarrod Frates, join us for a bit of discussion. We discussed several talks, and even spent a little bit of time talking about ShellShock and its larger implications for those programs that are ubiquitous, yet are not being audited, like bash. (The llama graphic will make more sense next week...) :) http://...more

  • Marcus J. Carey Interview Part 2 - China, IP, coming cyber war

    Sep 29 2014

    We finished up our odyssey with Marcus J. Carey this week. We picked his brain about how he feels about China, the coming cyberwar, and what kinds of tools he uses in his toolbox (hint: he doesn't use Kali). We also talk a bit about the entitlement of people, and what makes folks in poorer countries turn to hacking. We really enjoyed hearing his take on certifications and education. He's a Ruby nut, but suggests that people learn Python. He also talks about how he teaches people about security....more

  • Video: Using GPG and PGP

    Sep 28 2014

    This month, I wanted to go over a piece of software that seems to give a lot of people problems. In business, there is always a need for sending secure communications, whether because a client asked for it, or because sending sensitive information unencrypted could result in loss of profit, competitive edge, reputation, or all of the above. This month's tutorial is on setting up PGP or GPG to be able to be more secure when sending emails. I show you commands that allow you to create public/pr...more

  • Marcus J. Carey, FireDrillMe, and the Rockstars of Infosec

    Sep 22 2014

    Marcus J. Carey, a security researcher and software developer, came on to talk to us about FireDrill.me, a tool used to help people work out their Incident Response muscles. He is also the creator of threatagent.com. Marcus is well known in Security circles, and after we talked to him about FireDrill and ThreatAgent, we got his opinion of other subjects that interested us in the Infosec industry. Marcus is a man of his own mind, and he certainly did not disappoint. Hope you enjoy Part 1 of our co...more

  • Mr. Boettcher interviewed Ed Skoudis!

    Sep 15 2014

    While I'm stuck at work, Mr. Boettcher went to the Austin Hackformers and snagged an interview with Mr. Ed Skoudis, of InGuardians and of the SANS Institute, a top flight training academy. He is to be one of the keynote speakers at DerbyCon this year. He gives us a peek about his keynote, and Mr. Boettcher asks his thoughts on the industry as a whole, SCADA security, and Mr. Skoudis' opinion on Infosec as a whole. Hackformers Austin: http://www.hackformers.org/ Ed Skoudis bio: http://www.sans....more

  • Malware, Threat Intelligence, and Blue Team talks at cons -- with Michael Gough Pt.2

    Sep 08 2014

    We're back with part 2 of our discussion with Michael Gough.  Not only do we discuss more about malware, but we also ask Michael's opinion on how commercialized conventions like Black Hat and Defcon have gotten, how good threat intelligence feeds are, and why there aren't more defensive talks at cons. Michael is currently slated to give a talk on logging at DerbyCon September 24th, 2014 on how logging can help to mitigate malware infections.   Intro "Private Eye", transition "Mining by Moonli...more

  • Malware, and Malware Sentinel -- with Michael Gough Pt.1

    Sep 01 2014

    Brian and I managed to get an interview with Michael Gough. If you remember, Michael was on to discuss malware infections back in February, and we decided it was time to check up on him and his newly named 'Malware Sentinel'. This is part 1, where we discuss some of the recent malware infections, where you need to look for new file creation, and what you can be looking for in your Windows logs that are excellent indicators of malware compromise. Windows logging cheat sheet - http://snipe...more

  • Reconnaissance: Finding necessary info during a pentest

    Aug 25 2014

    I had a healthy debate with Mr. Boettcher this week about the merits of doing recon for a pentest. Mr. Boettcher is a heavy duty proponent of it, and I see it as a necessary evil, but not one that I consider important.  We hash it out, and find some common ground this week. People search links: Spokeo - http://www.spokeo.com/ Pipl - https://pipl.com/   Sec Filings site: http://www.sec.gov/edgar/searchedgar/webusers.htm   Intro "Private Eye", transition "Mining by Moonlight", and Outro "Ho...more

  • Mr. Boettcher made a thing! Setting up a proper Debian install!

    Aug 23 2014

    Mr. Boettcher made a thing! He created a video that highlights how to install Linux securely in a VM. His next video will be how to set up OWASP's WebGoat to test for vulnerable web apps. He noticed that documentation is a bit sparse, and often contradictory, so he wanted to help other folks who are having issues to get a proper install. You will need a Network Install ISO of Debian, and you will need either VMware Player or Workstation. His notes are below... Enjoy! Secure the Goat #1 ...more

  • Ratproxy and on being a better Infosec Professional

    Aug 18 2014

    This week, we go into a proxy program called "Ratproxy", and discuss its ins and outs. Plus, Mr. Boettcher and I have a discussion about how we as infosec people should work with developers and IT professionals to provide them training and understanding of security concepts. https://code.google.com/p/ratproxy/ http://blog.secureideas.com/2012/07/how-to-setup-ratproxy-on-windows.html Ratproxy icon courtesy of honeytech and Flickr. Intro "Private Eye", transition "Mining by Moonlig...more

  • Introduction to Nmap, Part 2

    Aug 10 2014

    Here is Part 2 of our video for understanding the basics of Nmap.  I discuss some of the logging output, the scripts found in Nmap, and the output that Nmap gives you for reporting or comparison later.   I really did want to go more into the Lua portion of the scripting engine, and perhaps make a simple script, but time constraints halted that. I hope to get more adept at video creation and hopefully editing, to make a more concise video tutorial. Nmap target specifications: http://nmap.org/b...more

  • Risk Management discussion with Josh Sokol - Part 2

    Aug 10 2014

    This week we take some time to talk about risk management with Josh Sokol.  This is part 2 from our interview with him last week... We talk some more about Simple Risk from the POV of Risk Management, as well as the licensing/modification of Simple Risk. Mr. Boettcher and Josh discuss the merits of Qualitative vs. Quantitative Risk Analysis, and which one is better... We also discuss NIST 800 series guidelines, and how he used those to excellent effect in Simple Risk. Josh also discusses OWAS...more

  • Interview with creator of Simple Risk, Josh Sokol! (Part 1)

    Aug 04 2014

    Josh Sokol is on the International OWASP board of directors in addition to being the Information Security Program Owner at National Instruments in Austin, Texas. This week, he sat down with Brakeing Down Security to talk about Simple Risk, his homebrew application that assists people and organizations in managing their business risk, and at a much nicer cost than other GRC applications (it's free!). Check out Part 1 below. If you're at BlackHat 2014 this year, he will be showcasing it at Arsenal!...more

  • Flashback: Sqlmap - a little how-to, and getting your developers involved in using it.

    Jul 28 2014

    This is a flashback from July 2015.  Mr. Boettcher and I discussed SQLMAP, a tool that can automate the process of pentesting databases and even registries on Windows.  We discuss some functions of the program and why developers should get training on these. Mr. Boettcher and I talk about how Infosec professionals should help to educate QA and Developers to be able to look at their processes and incorporate security testing, using tools like sqlmap in the Software lifecycle.   SQLMAP links ...more

  • Part 2 with Georgia Weidman!

    Jul 21 2014

    It only gets better in Part 2 of our Interview with Georgia Weidman, Author, Security Researcher and Creator of the Smartphone Pentesting Framework.   She talks about how people underestimate the mobile platform for pentesting purposes, and we even find out that in addition to Teaching a class on exploit development at BlackHat this year, she's going to be helping a great organization overseas. We also got her talking about some do's and don'ts of pentesting! ;) Please enjoy!   Georgia's b...more

  • Nmap (pt1)

    Jul 14 2014

    So, I uploaded this little tutorial of nmap, a very nice tool I use on a regular basis, both at home and at work. I did some basic scans, showed off the command line and the Windows 'Zenmap' version, as well as discussed some regularly used switches. The next video I do about nmap will discuss more switches, the Nmap Scripting Engine (NSE), and how to format reports and the output nmap provides.     Nmap icon courtesy of livehacking.com

  • Part 1 with Author and Mobile Security Researcher Georgia Weidman!

    Jul 14 2014

    We have a real treat the next two weeks.  Author and Mobile Security Researcher Georgia Weidman, who we also found out will be providing exploit development training at Black Hat this year. She is the author of an awesome book "Penetration Testing: A Hands-On Introduction to Hacking" (http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641/ref=sr_1_1?ie=UTF8&qid=1405304124&sr=8-1&keywords=georgia+weidman) She sat down with us over Skype and gave a nice talk about ...more

  • Establishing your Information Security Program - Part 2

    Jul 07 2014

    This is the continuation of our podcast from last week with Phil Beyer. We started out talking about risk registers, and we end the podcast with a little Q&A about positions in companies (Chief Risk Officer, Chief Data Protection Officer), and whether these positions are useful.    Risk registers - http://en.wikipedia.org/wiki/Risk_register   Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons...more

  • Establishing your Information Security Program - Part 1

    Jun 30 2014

    Establishing an Information Security program can make or break an organization. So what do you need to get that started?  We have friend of the show Phil Beyer come in and discuss with us the five steps of the creation of an Information Security Program.  Join us for Part 1, and next week, we'll finish up with a little Q&A, as well as what a 'risk register' is.             Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons...more

  • OWASP Top Ten: 1-5

    Jun 23 2014

    We finished up the OWASP Top Ten List. We discussed Injection, XSS, and other goodness. Find out what makes the Top 5 so special. http://risky.biz/fss_idiots - Risky Business Interview concerning Direct Object Reference and First State Superannuation http://oauth.net/2/ - Great information on OAUTH 2.0. Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/...more

  • OWASP Top Ten: Numbers 6 - 10

    Jun 16 2014

    As we wade through the morass of the Infosec swamp, we come across the OWASP 2013 report of web app vulnerabilities. Since Mr. Boettcher and I find ourselves often attempting to explain these kinds of issues to people on the Internet and in our daily lives, we thought it would be prudent to help shed some light on these. So this week, we discuss the lower of the top 10, the ones that aren't as glamorous or as earth shaking as XSS or SQLI, but are gotchas that will bite thine ass just as hard. ...more

  • Talk with Guillaume Ross - Part 2 (all things cloud)

    Jun 09 2014

    This is part 2 of our podcast interview with Guillaume Ross, Infosec professional who is well versed with the intricacies of various cloud architectures, whether they are IaaS, PaaS, or SaaS.  This part of the podcast discussed how contracts are established, and we ask if smaller cloud providers have a chance against behemoths like Google, Amazon, and Microsoft.   Links brought up during the interview:   Rich Mogull's $500 Epic fail - https://securosis.com/blog/my-500-cloud-security-screwup ...more

  • It all goes in "the cloud" (Part 1)

    Jun 01 2014

    Brian and I interviewed Mr. Guillaume Ross (@gepeto42), an Information Security professional who helps organizations get themselves situated into cloud based solutions. We get a better understanding of why people would want to put their info into the 'cloud' and how they are different than traditional co-lo and datacenters.   Guillaume's Blog: http://blog.binaryfactory.ca/   AWS (amazon) Security Best Practices WhitePaper: http://aws.amazon.com/whitepapers/aws-security-best-practices/ Amazo...more

  • Video 2: BONUS!!!! Kismet Video!

    May 27 2014

    As promised, I am posting a video I made explaining how to set up Kismet to do wireless scans. The only pre-requisites you need are VMware (it will work the same in VirtualBox), and a VM of Kali Linux. The only real difference is the message that asks where the wireless adapter should connect to. It's my first attempt editing a video, so please be kind.

  • Wireless scans with Kismet and Aircrack-ng

    May 26 2014

    Mr. Boettcher and I had a great time this week.  We talked all about doing wireless audits for PCI using Kismet and Aircrack-ng, and talked about some capabilities of both.   Alfa AWUS051NH (works in Kali/Backtrack) (no sponsor link): http://www.amazon.com/gp/offer-listing/B002BFO490/ref=dp_olp_0?ie=UTF8&condition=all kismetwireless.net  Using Karma with a pineapple to fool clients into connecting unencrypted: http://www.troyhunt.com/2013/04/your-mac-iphone-or-ipad-may-have-left.html Tutori...more

  • PGP and GPG -- protect your data

    May 18 2014

    Sharing information between people and organizations can be a sensitive issue, especially if the information being shared is of mutual importance. This week, we break down PGP and its open source cousin GPG. We discuss how last week's podcast about hashing, encoding, and encryption are all bundled up neatly with PGP, and give you some examples of software you can use on Mac, Windows, and Linux. GPG4Win - http://www.gpg4win.org/ GPG Suite (Mac OS) - https://gpgtools.org/ public PGP key ...more

  • clearing up some terminology (hashing, encryption, encoding)

    May 13 2014

    Ever heard someone mention AES Encoding, or MD5 Encryption? Many people in IT, Infosec, and Software development get confused about what hashing, encrypting, and encoding are. We hack through the definition forest, looking for that Sequoia of understanding. We also talk about Symantec's remarks that 'Antivirus is dead' and 'not a moneymaker', and what that means to the industry as a whole. "Enkrypto" is the program I mentioned in the podcast. It would appear that either s/he fixed it. Sti...more

  • Browsing more Securely

    May 05 2014

    This week, we find ways to increase security when browsing the EWW (Evil Wide Web). We give a shout-out to WhiteHatSec's Aviator browser as a way for everyone to have an elevated security posture with very little configuration required. And Mr. Boettcher and I talk about some of the plugins we use to make ourselves more secure. And Mr. Boettcher surprises me with his proclivities toward farmyard animals. Aviator Browser: https://www.whitehatsec.com/aviator/ Sandboxie: http://www.sandboxi...more

  • Mandiant 2014 threat report

    Apr 28 2014

    Mandiant put out their 2014 Threat Report, and we got into all the meaty goodness.  From the Syrian Electronic Army, Iran, and China's APT1 and APT12. Find out if the bad guys are getting smarter, or if we are just making it easier for them? Have a listen and find out.     Mandiant 2014 report (registration required):  http://connect.mandiant.com/m-trends_2014       Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Lice...more

  • Episode 13 - 2014 Verizon PCI Report

    Apr 21 2014

    Since 2006, Verizon has put out their yearly PCI report. We break it down, and discuss the merits of the report. 2014 Verizon Report: www.verizonenterprise.com/resources/reports/rp_pci-report-2014_en_xg.pdf Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/

  • Episode 12, Part 2 of our interview with Phil Beyer!

    Apr 15 2014

    This is Part 2 of our interview with Phil Beyer. We asked him about the difference between mentoring and coaching, and we end the podcast talking about influence, the types of influence and ways to gain influence. Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/

  • Special Report: Heartbleednado-apoco-geddon

    Apr 14 2014

    Whois shows heartbleed.com was registered 5 April 2014 by Marko Laasko:
    Whois Server Version 2.0
    Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.
    Domain Name: HEARTBLEED.COM
    Registry Domain ID: 1853534635_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.godaddy.com
    Registrar URL: http://www.godaddy.com
    Update Date: 2014-04-05 15:13:33
    Creation Date: 2014-04-05 15:13:33
    Registrar Registrati...more

  • Episode 11, Part 1: Interview with Phil Beyer

    Apr 07 2014

    This week, we're leaving the Infosec track a bit, but this interview may be more important to a person's development as a good Infosec person. We interviewed Mr. Phil Beyer, Director of Information Security for the Advisory Board Company. In addition to being a past president of the Capitol of Texas ISSA Chapter, he co-founded the Texas CISO Council, a regional steering committee composed of security leaders from private industry and the public sector. He recently gave a talk at Bsides ...more

  • Video1: quick renaming shortcut with Sed

    Apr 04 2014

    I take a few minutes to explain a quick mass renaming shortcut using sed that I use when I have multiple files that I need to rename. I used the example of spaces in filenames, but you can use this to append a name to multiple files. Another way to easily change files is to use the 'tr' command. You can change a filename from all lowercase to all uppercase letters, or even remove non-printable characters from filenames. Take a look, please leave feedback. I know there are other ways using awk,...more

  • Phil Beyer's talk at Bsides Austin

    Mar 31 2014

    We are pleased to be the only podcast to have audio of the talk Phil Beyer gave at Bsides Austin!  It is a very informative talk about leadership, not just in Information Security, but how to be a leader in any field you do.   Breaking Down Security will also carry a 2 part interview with Phil. The first will post on the 6th of April, and the 2nd part will be on the 13th of April. Phil uploaded the slides of this presentation at Bsides Austin at http://www.slideshare.net/pjbeyer/choose-to-lea...more

  • Episode 10: IDS/IPS

    Mar 31 2014

    We discuss IDS and IPS, why they are needed, why they get a pass on how easily they are bypassed, and why AV gets all the press... Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/

  • Episode 9: Framework for Improving Critical Infrastructure Cybersecurity

    Mar 24 2014

    This week, we got into some discussion about frameworks, and the different types of frameworks available (regulatory, "best practice", and process improvement). We also looked at the new "Framework for Improving Critical Infrastructure Cybersecurity" ratified and released last month. Does it meet with our high expectations? You'll just have to listen and find out. http://www.nist.gov/cyberframework/ Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" create...more

  • Episode 8: Why a simple password is not so simple...

    Mar 18 2014

    Cracking great show this week! Mr. Boettcher and I got all into authentication methods, why they don't always work, and what we can do to make passwords more secure, using Mike Murray's method of 'Passphrases' over passwords... Finally, we talked about some adventure Mr. Boettcher had with a friend's malware infection (it wasn't me, I promise!). He took what we learned from @hackerhurricane (Michael Gough) and is actively doing forensics on it. http://daleswanson.org/things/passwor...more

  • Episode 7, Part 2 with Kevin Johnson from SecureIdeas!

    Mar 09 2014

    This is Part 2 of our interview with Kevin Johnson. During our interview, we followed him down the rabbit hole. We learned how the default rulesets in ANY rules-based hardware solution suck. We learned that being a security professional is more than just a fancy title. And finally, we learned that Kevin is a huge fan of Star Wars. DB Visualizer -- http://www.dbvis.com/ Good article on how homomorphic encryption works: http://www.americanscientist.org/issues/pub/2012/5/alice-and...more

  • Episode 7, Part 1 - Kevin Johnson of SecureIdeas!

    Mar 04 2014

    During our SEC542, GIAC Web App Pentesting course, we got the pleasure and honor of sitting down with Kevin Johnson from SecureIdeas on who he is, how Samurai WTF came into being, and why we should be doing licensing for proper ethical hackers. Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/

  • Episode 6 - Malware Interview with Michael Gough (Part 2)

    Feb 24 2014

    This is part 2 of our interview with malware researcher Michael Gough. We talk about mobile device malware, and how the Sniper Forensic Toolkit differs from Tripwire. Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/ Infectedpc_primary.jpg is from bugsrepair.com

  • Episode 6 - Malware Interview Michael Gough (Part 1)

    Feb 17 2014

    This week, we are excited to have Michael Gough, a local malware researcher from Mi2Security on with us to talk about types of malware, infection vectors, some of the tools that users have available to them to detect and prevent malware.  We also discuss who gains from malware infections, the 'bad guys', and even the AV/Malware detection companies.  We also talk about how his software program "Sniper Forensic Toolkit" would detect malware.   Intro "Private Eye", transition "Mining by Moonlight...more

  • Episode 5 - Interview with Frank Kim

    Feb 10 2014

    This week, we interviewed Frank Kim, an instructor from SANS, who talks about developer methods, the challenges of getting developers to code securely, and the efforts to create a culture of secure coding. Intro "Private Eye", transition "Mining by Moonlight", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/

  • Episode 4: Origin stories, and talking about reconnaissance

    Feb 03 2014

    All superheroes have an origin story. Brian and I are not super, but we have a great origin story. This week's podcast is about how we made it into the Infosec industry, and we also discuss the value of research from an OS point of view. We also talk about mentoring and assistance for those looking to get into the InfoSec world. Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/lice...more

  • Episode 3 - Alerts, Events, and a bit of incident response

    Jan 27 2014

    In this issue, we talked about upcoming podcasts with Michael Gough from MI2 Security discussing malware, and this week we get into everything about alerts, why they are important, types of alerts, levels that can occur, and even a bit of incident response in handling alerts. Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/

  • Episode 2 -- Feeling Vulnerable? - Vulnerability scanners - Go Exploit Yourself

    Jan 20 2014

    This week Bryan and Brian talk about the uses, and sometimes pitfalls, of vulnerability scanners. Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/

  • Episode 1: Kicking some Hash!

    Jan 15 2014

    In this inaugural episode, Bryan and Brian discuss the history of hashes, how hashes are used and how to make them more secure. Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/
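    Two of the episodes above circle the same ground: the May 2014 episode on the difference between hashing, encryption and encoding, and this first episode on how hashes are used and how to make them more secure. The script below is an added example to go with both; it is not the podcast's code or any tool the hosts mention. It uses only the Python standard library, so the "encryption" is a one-time pad (XOR with a random key at least as long as the message) standing in for a real cipher such as AES-GCM, and the sample message and passwords are constructed for the demo.

```python
"""Hashing vs. encryption vs. encoding, and hashing passwords securely.

Added example, not the podcast's own code. Standard library only: the cipher
is a one-time pad chosen so the script has no dependencies; for real data use
an authenticated cipher (AES-GCM) from a vetted library. Inputs are constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


# Encoding: a reversible, keyless transformation. It hides nothing; anyone who
# sees the output can decode it. "AES encoding" and "base64 encryption" are
# therefore contradictions in terms.
def encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def decode(text: str) -> bytes:
    return base64.b64decode(text)


# Hashing: a one-way, fixed-length fingerprint with no key. You cannot get the
# input back, but the same input always produces the same digest.
def hash_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Encryption: reversible, but only with the key. One-time pad: the key must be
# uniformly random, at least as long as the message, and never reused.
def encrypt(plaintext: bytes, key: bytes) -> bytes:
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return encrypt(ciphertext, key)  # XOR is its own inverse


# Password storage: a bare hash is the wrong tool. It is fast and unsalted, so
# identical passwords hash identically and precomputed tables apply. Add a
# random per-user salt and a deliberately slow, iterated derivation (PBKDF2,
# the standard-library option). Record format: algo$iterations$salt$digest.
def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        salt, iterations = bytes.fromhex(salt_hex), int(iters)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    msg = b"card number 4111 1111 1111 1111"  # constructed sample
    print("encoded  :", encode(msg), "-> decodes without a key:", decode(encode(msg)) == msg)
    print("hashed   :", hash_digest(msg), "(same every time, no way back)")
    key = os.urandom(len(msg))
    ct = encrypt(msg, key)
    print("encrypted:", ct.hex(), "-> decrypts only with the key:", decrypt(ct, key) == msg)
    record = hash_password("correct horse battery staple")
    print("stored   :", record)
    print("verify ok:", verify_password("correct horse battery staple", record),
          "| wrong pw:", verify_password("Tr0ub4dor&3", record))
```

    Run it twice and compare: the base64 and SHA-256 outputs are identical each run, the ciphertext and the stored password record are not, because the key and the salt are freshly random. That difference is the whole point of salting: two users with the same password get different records, so a cracked record only ever reveals one account.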