Listen Now

Updates to the Linux kernel controversy: https://lwn.net/SubscriberLink/854645/334317047842b6c3/   @pageinSec on Twitter   Dan Kaminsky obit: https://www.theregister.com/2021/04/25/dan_kaminsky_obituary/   Spencer Geitzen: http://brakeingsecurity.com/2018-024-pacu-a-tool-for-pentesting-aws-environments   https://en.wikipedia.org/wiki/Milgram_experiment   https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh@linuxfoundation.org/   https://cse.umn.edu/cs/statement-cse-linux-kernel-research-april-21-2021 https://www.labbott.name/blog/2021/04/21/breakingtrust.html Seems like a number of patches were added (~190) and each had to be reviewed to ensure badness   https://twitter.com/UMNComputerSci/status/1384948683821694976 response to researchers   Linux Kernel mailing list: https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/   https://danielmiessler.com/blog/explaining-threats-threat-actors-vulnerabilities-and-risk-using-a-real-world-scenario/ https://twitter.com/SarahJamieLewis/status/1384871385537908736 @sarahJamieLewis shows the change they submitted in their paper: https://twitter.com/SarahJamieLewis/status/1384876050207940608 https://twitter.com/SarahJamieLewis/status/1330671897822982144/photo/1 https://twitter.com/SarahJamieLewis/status/1384880034146574341/photo/1 https://web.archive.org/web/20210421145121/https://www-users.cs.umn.edu/~kjlu/papers/crix.pdf (appears the researcher deleted this paper from their site.) https://web.archive.org/web/20210422144500/https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf (researcher deleted this paper from their site.)“Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned---Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form. We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract.”   https://github.com/QiushiWu/qiushiwu.github.io NSF Grant application (thank you Page!) https://www.nsf.gov/awardsearch/showAward?AWD_ID=1931208&HistoricalAwards=false    NSF IRB requirements (from 2007): https://www.nsf.gov/pubs/2007/nsf07006/nsf07006.jsp Might be more recent - Human Subjects | NSF - National Science Foundation The researchers issued an apology today 25 April: https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/ *thanks to Zach Whittacker’s security mailing list..*   https://twitter.com/argvee Thought provoking question for your show: is it realistically possible for an organization to build and scale a culture of code review that catches malicious insertions through (1) expert analysis; (2) adversarial mindset?   Co-author of : https://www.amazon.com/Building-Secure-Reliable-Systems-Implementing/dp/1492083127 Introduction of bugs (meaningful or otherwise) caused more work for devs.   Revert: https://lkml.org/lkml/2021/4/21/454 Quick overview of using deception in research from Duke’s IRB: Using Deception in Research | Institutional Review Board (duke.edu)   Is this better? Where’s the line on this? https://www.bleepingcomputer.com/news/security/emotet-malware-nukes-itself-today-from-all-infected-computers-worldwide/

@pageinSec on Twitter   Dan Kaminsky obit: https://www.theregister.com/2021/04/25/dan_kaminsky_obituary/   Spencer Geitzen: http://brakeingsecurity.com/2018-024-pacu-a-tool-for-pentesting-aws-environments   https://en.wikipedia.org/wiki/Milgram_experiment   https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh@linuxfoundation.org/   https://cse.umn.edu/cs/statement-cse-linux-kernel-research-april-21-2021 https://www.labbott.name/blog/2021/04/21/breakingtrust.html Seems like a number of patches were added (~190) and each had to be reviewed https://twitter.com/UMNComputerSci/status/1384948683821694976 response to researchers Linux Kernel mailing list: https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/ https://danielmiessler.com/blog/explaining-threats-threat-actors-vulnerabilities-and-risk-using-a-real-world-scenario/ https://twitter.com/SarahJamieLewis/status/1384871385537908736 @sarahJamieLewis shows the change they submitted in their paper: https://twitter.com/SarahJamieLewis/status/1384876050207940608 https://twitter.com/SarahJamieLewis/status/1330671897822982144/photo/1 https://twitter.com/SarahJamieLewis/status/1384880034146574341/photo/1 https://web.archive.org/web/20210421145121/https://www-users.cs.umn.edu/~kjlu/papers/crix.pdf (appears the researcher deleted this paper from their site.) https://web.archive.org/web/20210422144500/https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf (researcher deleted this paper from their site.)“Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned---Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form. We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract.” https://github.com/QiushiWu/qiushiwu.github.io NSF Grant application (thank you Page!) https://www.nsf.gov/awardsearch/showAward?AWD_ID=1931208&HistoricalAwards=false  NSF IRB requirements (from 2007): https://www.nsf.gov/pubs/2007/nsf07006/nsf07006.jsp Might be more recent - Human Subjects | NSF - National Science Foundation The researchers issued an apology today 25 April: https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/ *thanks to Zach Whittacker’s security mailing list..*   https://twitter.com/argvee Thought provoking question for your show: is it realistically possible for an organization to build and scale a culture of code review that catches malicious insertions through (1) expert analysis; (2) adversarial mindset? Co-author of : https://www.amazon.com/Building-Secure-Reliable-Systems-Implementing/dp/1492083127   Introduction of bugs (meaningful or otherwise) caused more work for devs. Revert list of 190 patches (threaded): https://lkml.org/lkml/2021/4/21/454  Quick overview of using deception in research from Duke’s IRB: Using Deception in Research | Institutional Review Board (duke.edu) Is this better? Where’s the line on this? https://www.bleepingcomputer.com/news/security/emotet-malware-nukes-itself-today-from-all-infected-computers-worldwide/

Chrome Blocks Port 10080 to Prevent Slipstreaming Hacks - E Hacking News - Latest Hacker News and IT Security News https://www.reddit.com/r/netsec/comments/jlu3cf/nat_slipstreaming/   Samy Kamkar - NAT Slipstreaming v2.0 Slack and Discord are Being Hijacked by Hackers to Distribute Malware - E Hacking News - Latest Hacker News and IT Security News   Texan's alleged Amazon bombing effort fizzles: Militia man wanted to take out 'about 70 per cent of the internet' • The Register   Pwn2Own 2021: Hackers Offered $200,000 for Zoom, Microsoft Teams Exploits | SecurityWeek.Com   https://twitter.com/k8em0/status/1381258155485585409 https://twitter.com/alisaesage/status/1380797761801445376?s=20 infosecCampout 2021   Hackers Who Paint WWHF  Way west https://pastebin.com/2eYY6trD (for training students) @lintile @infosecroleplay

Reparations.tech *Public Safety Coordinators-Field Operations (Road Incidents)-Specialized Buildings (The Library, Medical Facilities, CCR)*Public Safety OfficersA. Discuss Training-SOP Creation *SOPs are very custom and dependent on the organization. There are no “NIST” standards. [IN CYBER: Frameworks for Physical Security --->     ]  *Think on your feet, many plans often get thrown out the window. *Creating policies due to unforeseen incidents -Physical Security Assessments: Fire Panels, AED, Roof Accesses  *The Checklist: Baseline configuration of the operations for a building *Locksmith Troubleshooting *Lack of Funding (Historically) + Ways to Address this In-House    Talking to Strangers: What We Should Know about the People We Don't Know: Gladwell, Malcolm: 9780316478526: Amazon.com: Books   Situational Awareness(?) “What is Situational Awareness?”  -There’s a lack of good training to discuss their own physical security *Ph.Ds leaving car doors wide open, blaming safety officers when they mess up *Common sense is not so common *Scenarios don’t always cover every event *Dead bodies, car accidents, people streaking (lol), medical issues -Policies can be simple, like opening a car door *Need to vet whether the person is actually their car Have you seen both good and bad training on situational awareness? Does it seem to differ between physical and cyber security? Summary of the Clery Act | Clery Center“The Clery Act is a consumer protection law that aims to provide transparency around campus crime policy and statistics. In order to comply with Clery Act requirements, colleges and universities must understand what the law entails, where their responsibilities lie, and what they can do to actively foster campus safety.” C.Real Life examples of Physical Security Blunders  Death of Elisa Lam - Wikipedia Crime Scene: The Vanishing at the Cecil Hotel - Wikipedia STORY: Person called a SOC, asked to get into their car ( but not their vehicle) Performing multiple sweeps of common areas to prevent squatting  Staff “tripping” alarms  Deceased Faculty + No Sleeping Policy Working as a Team  *Escalation Management    *Police are often increase tensions when de-escalation is needed. *Working as a team *Locksmith Team + Public Safety Team *Looking for talent in unexpected places to transfer over to CyberSecurity (Build the Bridge) Lockpicking Community: [insert folks on twitter / youtube] companies heading back to work What should IT or Security think about for your businesses that may not have had people in for 6-9 months? If companies don’t have cameras or physical controls, should they think about looking at improving? Connect with Us! Liana McCrea: @GeecheeThreat (Twitter)  + LinkedIn Garrison Yap: Garrisony75 (Twitter) + LinkedIn What is physical security? How to keep your facilities and devices safe from on-site attackers | CSO Online Physical security - Wikipedia 5 Ways IT Managers Can Work with Their Physical Security Counterpart (stanleysecuritysolutions.com) 12 Security Camera System Best Practices – Cyber Safe (een.com) What is Physical Security? Measures & Planning Guide + PDF (openpath.com)   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Bios for guests   Reparations.tech *Public Safety Coordinators -Field Operations (Road Incidents) -Specialized Buildings (The Library, Medical Facilities, CCR) *Public Safety Officers A. Discuss Training -SOP Creation *SOPs are very custom and dependent on the organization. There are no “NIST” standards.[IN CYBER: Frameworks for Physical Security --->     ]  *Think on your feet, many plans often get thrown out the window. *Creating policies due to unforeseen incidents -Physical Security Assessments: Fire Panels, AED, Roof Accesses  *The Checklist: Baseline configuration of the operations for a building *Locksmith Troubleshooting *Lack of Funding (Historically) + Ways to Address this In-House    Talking to Strangers: What We Should Know about the People We Don't Know: Gladwell, Malcolm: 9780316478526: Amazon.com: Books   Situational Awareness (?) “What is Situational Awareness?”  -There’s a lack of good training to discuss their own physical security *Ph.Ds leaving car doors wide open, blaming safety officers when they mess up *Common sense is not so common *Scenarios don’t always cover every event *Dead bodies, car accidents, people streaking (lol), medical issues-Policies can be simple, like opening a car door *Need to vet whether the person is actually their car Have you seen both good and bad training on situational awareness? Does it seem to differ between physical and cyber security? Summary of the Clery Act | Clery Center“The Clery Act is a consumer protection law that aims to provide transparency around campus crime policy and statistics. In order to comply with Clery Act requirements, colleges and universities must understand what the law entails, where their responsibilities lie, and what they can do to actively foster campus safety.” C.Real Life examples of Physical Security Blunders  Death of Elisa Lam - Wikipedia Crime Scene: The Vanishing at the Cecil Hotel - Wikipedia STORY: Person called a SOC, asked to get into their car ( but not their vehicle) Performing multiple sweeps of common areas to prevent squatting  Staff “tripping” alarms  Deceased Faculty + No Sleeping Policy Working as a Team  *Escalation Management    *Police are often increase tensions when de-escalation is needed. *Working as a team *Locksmith Team + Public Safety Team *Looking for talent in unexpected places to transfer over to CyberSecurity (Build the Bridge) Lockpicking Community: [insert folks on twitter / youtube] companies heading back to work What should IT or Security think about for your businesses that may not have had people in for 6-9 months? If companies don’t have cameras or physical controls, should they think about looking at improving? Connect with Us! Liana McCrea: @GeecheeThreat (Twitter)  + LinkedInGarrison Yap: Garrisony75 (Twitter) + LinkedIn What is physical security? How to keep your facilities and devices safe from on-site attackers | CSO Online Physical security - Wikipedia 5 Ways IT Managers Can Work with Their Physical Security Counterpart (stanleysecuritysolutions.com) 12 Security Camera System Best Practices – Cyber Safe (een.com) What is Physical Security? Measures & Planning Guide + PDF (openpath.com)

In this episode: knowing your audience - discussing the IR impact how did this happen? how deep do you want to tailor your potential discussion? Every level must be asking "what, when, why, how?", not just those in the trenches does the level of incident mean that communication scales accordingly? And much more!   Dr. Catherine J. Ullman (@investigatorchi) Incident Response communications Reminders: Patreon Jeff T. just became a $2 patron! Accepted to CircleCityCon on IR communications! Bsides Rochester Security B-Sides Rochester   Spoke at SeaSec meetups: Qualys Update on Accellion FTA Security Incident | Qualys Security Blog Security Advisory | SolarWinds Family Educational Rights and Privacy Act (FERPA)   It’s important to share necessary information with senior level people and higher ups, but is there a thing as ‘oversharing’?  How do you toe the line between oversharing and nothing at all? In higher Ed, are you beholden to different disclosure requirements than businesses? What is Server Side Request Forgery (SSRF)? | Acunetix 13 Beautiful Tools to Create Status Pages for your Business (geekflare.com) Laying communication groundwork Status pages (notifying users) Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Dr. Catherine J. Ullman (@investigatorchi)   Incident Response communications   Reminders: Patreon Jeff T. just became a $2 patron! Accepted to CircleCityCon on IR communications! Bsides Rochester Security B-Sides Rochester   Spoke at SeaSec meetups: Qualys Update on Accellion FTA Security Incident | Qualys Security Blog   Security Advisory | SolarWinds   Family Educational Rights and Privacy Act (FERPA) It’s important to share necessary information with senior level people and higher ups, but is there a thing as ‘oversharing’?  How do you toe the line between oversharing and nothing at all?   In higher Ed, are you beholden to different disclosure requirements than businesses? What is Server Side Request Forgery (SSRF)? | Acunetix 13 Beautiful Tools to Create Status Pages for your Business (geekflare.com) Laying communication groundwork Status pages (notifying users) Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

@thefluffy007 A Bay Area Native (Berkeley) I always tell people my computer journey started at 14, but it really started at 5th grade (have a good story to tell about this) Was a bad student in my ninth grade year - almost kicked out of high school due to cutting. Had a 1.7 GPA. After my summer internship turned it around to a 4.0. Once I graduated from high school, I knew I wanted to continue on the path of computers. Majored in Computer Science Graduated with Bachelors and Masters in Computer Science. Graduate Certificate in Information Security and Privacy. Minor in Math. Interested in security from a Yahoo! Group on Cryptography. Liked how you can turn text into gibberish and back again. Became interested in penetration testing after moving to Charlotte, and moonlighted as a QA while a full-stack developer. Co-workers did not want me to test their code because I would always find bugs. Moved into penetration testing space. Always had an interest in mobile, but never did mobile development and decided it wasn’t for me Became interested in bug bounties and noticed that mobile payouts were higher. At this time also completed SANS 575 - Mobile Device Security and Ethical Hacking. Realized the barrier to entry was VERY (almost non-existent) low in Android as it’s open source. Started to learn/expand mobile hacking on my own time The threat exposure is VERY high with mobile hacking. As you have a web app component, network component, and phone component. I always reference a slide from Secure Works. Link to YouTube Channel → thefluffy007 - YouTube thefluffy007 – A security researchers thoughts on all things security – web, mobile, and cloud The Mobile App Security Company | NowSecure owasp-mstg/Crackmes at master · OWASP/owasp-mstg · GitHub Rana Android Malware (reversinglabs.com) These 21 Android Apps Contain Malware | PCMag Android Tamer  -Android Tamer The Diary of an (Inexperienced) Bug Hunter - Intro to Android Hacking | Bugcrowd Android Debug Bridge (adb)  |  Android Developers Goal: discussing best practices and methods to reverse engineer Android applications Introduction to Java (w3schools.com) JavaScript Introduction (w3schools.com) Introduction to Python (w3schools.com) Frida • A world-class dynamic instrumentation framework | Inject JavaScript to explore native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX (Frida can be used with JavaScript, and Python, along with other languages) GitHub - dweinstein/awesome-frida: Awesome Frida - A curated list of Frida resources http://www.frida.re/ (https://github.com/frida/frida) Android APK crackme: owasp-mstg/0x05c-Reverse-Engineering-and-Tampering.md at master · OWASP/owasp-mstg · GitHub Reverse-Engineering - YobiWiki Apktool - A tool for reverse engineering 3rd party, closed, binary Android apps. (ibotpeaches.github.io) GitHub - MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. IntroAndroidSecurity download | SourceForge.net ←- link to my virtual machine and Androidx86 emulator Background: **consider this a primer for any class you might teach, a teaser, if you will**   Why do we want to be able to reverse engineer APKs and IPKs?  Android APKS (Android Packages) holds the source code to the application. If you can reverse this you will essentially have the keys to the kingdom. Developers and companies (if they’re proprietary) will add obfuscation - a technique to make the code unreadable to thwart reverse engineers from finding out their code. What are some of the structures and files contained in APKs that are useful for ppl analyzing binaries? Android applications have to have a MainActivity (written in Java). This activity is the entry point to the application. Android applications also have an AndroidManifest.xml file which is the skeleton of the application. This describes the main activity, intents, service providers, permissions, and what Android operating system can run the application. When testing apps for security, how easy is it to emulate security and physical controls if you’re not on a handset?  Pretty easy. You can use an emulator. I must forewarn though - you will need A LOT of memory for it to work effectively. Are there ever any times you HAVE to use a handset? An app that tests something like Android’s Safetynet and won’t run without it? Do they ever want perf testing on their apps? Was thinking about how you check events in logs, battery drain, using apps on older Android/iOS versions?  When organizations or developers ask you to test an app, is there anything in particular in scope? Out of scope? How do progressive web apps differ than a more traditional app?   Lab setup IntroToAndroidSecurity VM Android Emulator Tools to use Why use them? (free, full-featured) Setup and installation OS-specific tools? Tools used - Frida, Jadx-GUI (or command line), text editor. All of these items are free. No setup required if using my virtual machine :-) These apps are OS specific if you choose Linux or Windows. Callbacks Methodology Decompile the application - can use a tool titled - Apktool (free) Look “under the hood” of the application - Jadx-GUI (Graphical User Interface) or Jadx-CLI (command line) Connect your emulator/device using Android Debug Bridge (adb) Get version of Frida on device Look online to find correct version of Frida **this is important** Start to play around with the tool and see if you receive error messages/prompts. Can then go back to code that was reverse engineered and see where it’s located. Best practices Leave no stones unturned! Meaning you might see something that seems too rudimentary to work - and yet it does. Cert pinning -  Typical issues seen Hard-coded passwords, data that is not being encrypted in rest or transit.  Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

@thefluffy007 A Bay Area Native (Berkeley) I always tell people my computer journey started at 14, but it really started at 5th grade (have a good story to tell about this) Was a bad student in my ninth grade year - almost kicked out of high school due to cutting. Had a 1.7 GPA. After my summer internship turned it around to a 4.0. Once I graduated from high school, I knew I wanted to continue on the path of computers. Majored in Computer Science Graduated with Bachelors and Masters in Computer Science. Graduate Certificate in Information Security and Privacy. Minor in Math. Interested in security from a Yahoo! Group on Cryptography. Liked how you can turn text into gibberish and back again. Became interested in penetration testing after moving to Charlotte, and moonlighted as a QA while a full-stack developer. Co-workers did not want me to test their code because I would always find bugs. Moved into penetration testing space. Always had an interest in mobile, but never did mobile development and decided it wasn’t for me Became interested in bug bounties and noticed that mobile payouts were higher. At this time also completed SANS 575 - Mobile Device Security and Ethical Hacking. Realized the barrier to entry was VERY (almost non-existent) low in Android as it’s open source. Started to learn/expand mobile hacking on my own time The threat exposure is VERY high with mobile hacking. As you have a web app component, network component, and phone component. I always reference a slide from Secure Works.   Link to YouTube Channel → thefluffy007 - YouTube   thefluffy007 – A security researchers thoughts on all things security – web, mobile, and cloud   The Mobile App Security Company | NowSecure   owasp-mstg/Crackmes at master · OWASP/owasp-mstg · GitHub   Rana Android Malware (reversinglabs.com)   These 21 Android Apps Contain Malware | PCMag   Android Tamer  -Android Tamer   The Diary of an (Inexperienced) Bug Hunter - Intro to Android Hacking | Bugcrowd   Android Debug Bridge (adb)  |  Android Developers   Goal: discussing best practices and methods to reverse engineer Android applications   Introduction to Java (w3schools.com)   JavaScript Introduction (w3schools.com)   Introduction to Python (w3schools.com)   Frida • A world-class dynamic instrumentation framework | Inject JavaScript to explore native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX (Frida can be used with JavaScript, and Python, along with other languages)   GitHub - dweinstein/awesome-frida: Awesome Frida - A curated list of Frida resources http://www.frida.re/ (https://github.com/frida/frida)   Android APK crackme: owasp-mstg/0x05c-Reverse-Engineering-and-Tampering.md at master · OWASP/owasp-mstg · GitHub   Reverse-Engineering - YobiWiki   Apktool - A tool for reverse engineering 3rd party, closed, binary Android apps. (ibotpeaches.github.io)   GitHub - MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.   IntroAndroidSecurity download | SourceForge.net ←- link to my virtual machine and Androidx86 emulator   Background: **consider this a primer for any class you might teach, a teaser, if you will**   Why do we want to be able to reverse engineer APKs and IPKs?  Android APKS (Android Packages) holds the source code to the application. If you can reverse this you will essentially have the keys to the kingdom. Developers and companies (if they’re proprietary) will add obfuscation - a technique to make the code unreadable to thwart reverse engineers from finding out their code.   What are some of the structures and files contained in APKs that are useful for ppl analyzing binaries? Android applications have to have a MainActivity (written in Java). This activity is the entry point to the application. Android applications also have an AndroidManifest.xml file which is the skeleton of the application. This describes the main activity, intents, service providers, permissions, and what Android operating system can run the application.   When testing apps for security, how easy is it to emulate security and physical controls if you’re not on a handset?  Pretty easy. You can use an emulator. I must forewarn though - you will need A LOT of memory for it to work effectively.   Are there ever any times you HAVE to use a handset? An app that tests something like Android’s Safetynet and won’t run without it? Do they ever want perf testing on their apps? Was thinking about how you check events in logs, battery drain, using apps on older Android/iOS versions?    When organizations or developers ask you to test an app, is there anything in particular in scope? Out of scope? How do progressive web apps differ than a more traditional app?   Lab setup IntroToAndroidSecurity VM Android Emulator   Tools to use Why use them? (free, full-featured) Setup and installation OS-specific tools? Tools used - Frida, Jadx-GUI (or command line), text editor. All of these items are free. No setup required if using my virtual machine :-) These apps are OS specific if you choose Linux or Windows. Callbacks Methodology Decompile the application - can use a tool titled - Apktool (free) Look “under the hood” of the application - Jadx-GUI (Graphical User Interface) or Jadx-CLI (command line) Connect your emulator/device using Android Debug Bridge (adb) Get version of Frida on device Look online to find correct version of Frida **this is important** Start to play around with the tool and see if you receive error messages/prompts. Can then go back to code that was reverse engineered and see where it’s located.   Best practices Leave no stones unturned! Meaning you might see something that seems too rudimentary to work - and yet it does. Cert pinning -  Typical issues seen Hard-coded passwords, data that is not being encrypted in rest or transit.      Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Links to discussed items: Yandex Employee Caught Selling Access to Users' Email Inboxes (thehackernews.com) Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple | Threatpost Google pitches security standards for 'critical' open-source projects | SC Media (scmagazine.com)   Google’s approach to secure software development and supply chain risk management | Google Cloud Blog https://vectr.io/ https://www.kitploit.com/2021/02/damn-vulnerable-graphql-application.html https://www.blumira.com/careers/?gh_jid=4000142004 sec evangelist @blumira Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Ronnie Watson (@secopsgeek) Youtube: watson infosec - YouTube watsoninfosec (Watsoninfosec) · GitHub   Feel free to add anything you like Wazuh - fork of OSSEC (Migrating from OSSEC · Wazuh · The Open Source Security Platform)   GitHub - ossec/ossec-hids: OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. Implementing a Network Security Metrics Programs (giac.org) What to track. Some suggested metrics to start with:  Number of Successful Logons – from security audits.  Number of Unsuccessful Logons – from security audits.  Number of Virus Infections during a given period.  Number of incidents reported.  Number of security policy violations during a given period.  Number of policy exceptions during a given period.  Percentage of expired passwords. Number of guessed passwords – use a password cracker to test passwords.  Number of incidents.  Cost of monitoring during a given period – use your time tracking system if you have one. 6 Essential Security Features for Network Monitoring Solutions (solutionsreview.com) Metrics of Security (nist.gov) Security metrics are essential to comprehensive network security and CSA management. Without good metrics, analysts cannot answer many security related questions. Some examples of such questions include “Is our network more secure today than it was before?” or “Have the changes of network configurations improved our security posture?” The ultimate aim of security metrics is to ensure business continuity (or mission success) and minimize business damage by preventing or minimizing the potential impact of cyber incidents.    DNS over HTTPs  DNS over HTTPS - Wikipedia

Ronnie Watson (@secopsgeek) Youtube: watson infosec - YouTube watsoninfosec (Watsoninfosec) · GitHub Wazuh - fork of OSSEC (Migrating from OSSEC · Wazuh · The Open Source Security Platform)   GitHub - ossec/ossec-hids: OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. Implementing a Network Security Metrics Programs (giac.org) What to track. Some suggested metrics to start with:  Number of Successful Logons – from security audits.  Number of Unsuccessful Logons – from security audits.  Number of Virus Infections during a given period.  Number of incidents reported.  Number of security policy violations during a given period.  Number of policy exceptions during a given period.  Percentage of expired passwords. Number of guessed passwords – use a password cracker to test passwords.  Number of incidents.  Cost of monitoring during a given period – use your time tracking system if you have one.   6 Essential Security Features for Network Monitoring Solutions (solutionsreview.com)   Metrics of Security (nist.gov) Security metrics are essential to comprehensive network security and CSA management. Without good metrics, analysts cannot answer many security related questions. Some examples of such questions include “Is our network more secure today than it was before?” or “Have the changes of network configurations improved our security posture?” The ultimate aim of security metrics is to ensure business continuity (or mission success) and minimize business damage by preventing or minimizing the potential impact of cyber incidents.    DNS over HTTPs  DNS over HTTPS - Wikipedia Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Discussion on Mergers and acquisitions processes On being acquired, but also if you’re acquiring a company Best Practices Best Practices of Mergers and Acquisitions (workforce.com) Best Practices In Merger Integration - Institute for Mergers, Acquisitions and Alliances (IMAA) (imaa-institute.org) The Role of Information Security in a Merger/Acquisition (bankinfosecurity.com) Security Considerations in the Merger/Acquisition Process (sans.org) The 10 steps to successful M&A integration | Bain & Company Savvy Hackers Use Spearphishing to steal Wall Street M&A info (knowbe4.com) “We’ve been acquired by X!” First thing people think “oh no, what’s gonna happen to me.” Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec  

Discussion on Mergers and acquisitions processes On being acquired, but also if you’re acquiring a company Best Practices Best Practices of Mergers and Acquisitions (workforce.com)   Best Practices In Merger Integration - Institute for Mergers, Acquisitions and Alliances (IMAA) (imaa-institute.org)   The Role of Information Security in a Merger/Acquisition (bankinfosecurity.com)   Security Considerations in the Merger/Acquisition Process (sans.org) Women Unite Over CTF 3.0 (ittakesahuman.com) The 10 steps to successful M&A integration | Bain & Company Savvy Hackers Use Spearphishing to steal Wall Street M&A info (knowbe4.com) “We’ve been acquired by X!” First thing people think “what’s gonna happen to me.”   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

  Secure RPC issue -  Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 – Microsoft Security Response Center How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (microsoft.com) Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 – Microsoft Security Response Center Elastic Search  https://anonymoushash.vmbrasseur.com/2021/01/14/elasticsearch-and-kibana-are-now-business-risks “There are those who will point to the FAQ for the SSPL and claim that the license isn’t interpreted in that way because the FAQ says so. Unfortunately, when you agree to a license you are agreeing to the text of that license document and not to a FAQ. If the text of that license document is ambiguous, then so are your rights and responsibilities under that license. Should your compliance to that license come before a judge, it’s their interpretation of those rights and responsibilities that will hold sway. This ambiguity puts your organisation at risk.” Doubling down on open, Part II | Elastic Blog  - license change affecting Elastic Search and Kibana MongoDB did something similar in 2018: mjg59 | Initial thoughts on MongoDB's new Server Side Public License (dreamwidth.org)   Hacker News Discussion: MongoDB switches up its open source license | Hacker News (ycombinator.com) @vmbrasseur:  (1) VM (Vicky) Brasseur on Twitter: "With today's relicensing to #SSPL, Elasticsearch & Kibana are no longer #OpenSource but are instead business risks: https://t.co/XNx2EMLNfH" / Twitter (1) Adam Jacob on Twitter: "Yeah, come on - how can this be "doubling down on open"? Some true duplicity here. https://t.co/rlJVnLxYwP - we're taking two widely used, widely distributed, widely incorporated open source projects and making them no longer open source. But we're doubling down on open!" / Twitter [License-review] Approval: Server Side Public License, Version 2 (SSPL v2) (opensource.org) “We continue to believe that the SSPL complies with the Open Source Definition and the four essential software freedoms.  However, based on its reception by the members of this list and the greater open source community, the community consensus required to support OSI approval does not currently appear to exist regarding the copyleft provision of SSPL. Thus, in order to be respectful of the time and efforts of the OSI board and this list’s members, we are hereby withdrawing the SSPL from OSI consideration.” (could be ‘open-source’, but negative feedback on mailing lists and elsewhere made the remove it from consideration from OSI) Open Source license requirements: The Open Source Definition | Open Source Initiative What does this mean?  If you have products that utilize ElasticSearch/MongoDB/Kibana in some way, talk to your legal teams to find out if you need to divest your org from them. These are not ‘opensource’ licenses… they are ‘source available’ It might not affect your organization and moving to SSPL might be feasible. If your product makes any changes internally to ElasticSearch,  Notable links JTNYDV  - specifically the CIS docker hardening  Twitter: @jtnydv Bug Detected in Linux Mint Virtual Keyboard by Two Kids - E Hacking News - Latest Hacker News and IT Security News https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/ https://www.coindesk.com/anchorage-becomes-first-occ-approved-national-crypto-bank https://www.cnn.com/2021/01/15/uk/bitcoin-trash-landfill-gbr-scli-intl/index.html https://www.techradar.com/news/man-has-two-attempts-left-to-unlock-bitcoin-wallet-worth-dollar270-million https://www.linkedin.com/posts/amandaberlin_podcast-mentalhealth-neurodiversity-activity-6755910847148691456-Lms5 https://www.linkedin.com/posts/amandaberlin_swag-securitybreach-infosecurity-activity-6755884694501498880-yAck   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Dream Doxxed: Minecraft YouTuber Dream Doxxed Following Speedrun Controversy (screenrant.com) Def Noodles on Twitter: "STANS TAKING IT TOO FAR: Dream doxed after posting a picture of his kitchen on his 2nd Twitter account. Dream has not published statement about situation yet in his public accounts. https://t.co/QuKpIYRODQ" / Twitter Osint issues… found him by breadcrumbs and using zillow internal pics of his house. Craziness Password Guessing Used as a Weapon by SolarWinds Hackers to Breach Targets - E Hacking News - Latest Hacker News and IT Security News How to Use APIs (explained from scratch) (secjuice.com)   Hackers target cryptocurrency users with new ElectroRAT malware | ZDNet   Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020 | ZDNet   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

End of year podcast   Blumeria sponsorship NEWS:   IT company SolarWinds says it may have been hit in 'highly sophisticated' hack | Reuters   FireEye hacked: US cybersecurity firm FireEye hit by 'state-sponsored' attack - BBC News     https://krypt3ia.wordpress.com/ - 16 december 2020   Microsoft flexing muscle to shutdown c2: Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach - GeekWire   Little-known SolarWinds gets scrutiny over hack, stock sales (apnews.com)   FireEye, GoDaddy,and Microsoft create kill switch for SolarWinds backdoorSecurity Affairs   US Gov has hacked: US government agencies hacked; Russia a possible culprit (apnews.com)   Not mentioned during the podcast: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | FireEye Inc   Not trying to spread FUD, but would infiltration by using FOSS tools be easier than Solarwinds?   Time to remove Nano Adblocker and Defender from your browsers (except Firefox) - gHacks Tech News   System oriented programming - Cloud-Sliver (cloud-sliver.com)  Google Cloud (over)Run: How a free trial experiment ended with a $72,000 bill overnight • The Register   G’bye Flash… Adobe releases final Flash Player update, warns of 2021 kill switch (bleepingcomputer.com) IT workers worried about AI making them obsolete…  IT Workers Fear Becoming Obsolete in Cyber Roles - Infosecurity Magazine (infosecurity-magazine.com)   Vulnerabilities Found in Multiple GE Imaging Systems - Infosecurity Magazine (infosecurity-magazine.com)   Qbot malware switched to stealthy new Windows autostart method (bleepingcomputer.com) https://www.atlasobscura.com/places/encryption-lava-lamps - “The randomness of this wall of lava lamps helps encrypt up to 10 percent of the internet. “   It’s been the year of the business continuity program this year… and how agile yours is. --thoughts?   Future? Bryan: Companies that are ‘all in’ on remote work will back track. Amanda: I think we’ll see way more keep the wfh now that they realize it saves $$   heck out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

BrakeSec Sponsored Interview with Nathanael Iversen   Questions, comments, and other content goes here:   Illumio Nathanael Iversen BDS Podcast Messaging   Topic: Overview of development and deployment of micro-segmentation   Where does segmentation fit into your security strategy?  Micro-segmentation is a preventive measure deployed to create and enforce access at the workload layer. It does not replace identity and access management (IAM), perimeter firewalls, or patching but complements such solutions. Because traditional network segmentation is done with network devices, it only works when the traffic passes through that control point. Micro-segmentation, on the other hand, shifts the enforcement point from the network onto the individual servers and hosts. The means that segmentation policy can be much more granular and can encompass all inbound and outbound traffic, not just the traffic leaving a network zone, VLAN, or environment. Micro-segmentation is a great deterrent for hackers. More organizations are implementing micro-segmentation as an essential part of a defense-in-depth strategy. According to a recent survey of over 300 IT professionals, 45% currently have a segmentation project or are planning one.    The keys to a successful micro-segmentation deployment: As with any security control, it’s important to balance the strategy of the business with the need to secure it. There are several key functions and abilities to consider to ensure your deployment goes smoothly: Visibility with application context Scalable architecture  Abstracted security policies Granular controls  Consistent policy framework across your compute estate Integration with security ecosystem   Preventative Cybersecurity There are three broad preventive security actions: First is controlling the ability to reach the device or target service via the network. Clearly, if you cannot even get to the sensitive data or application, then no amount of vulnerabilities will permit compromise. Often terms like firewall, access control lists (ACLs), VLANs, zones, and the like describe these capabilities. This function is generally implemented by the network team or a dedicated network security team. The second broad action available controls the ability to access a device, data or service once you get there. This covers the entire world of credentials, user accounts, permissions, authentication, authorization, tokens, API keys, etc. If you get to the front door of my house and it is locked, you can’t gain access unless you have the right key. The third broad strategy addresses the fact that often malicious behavior exploits some bug or weakness. So, if one can remove vulnerable code, then in many cases, malicious intent can’t be realized. This involves patching, replatforming applications to stronger platforms, doing code reviews, and more.   Potential questions: What is micro-segmentation? How long has it been around? Can micro-segmentation be used in conjunction with other cybersecurity tools? Like firewalls?  How does micro-segmentation operate in different environments? How does development and deployment differ in the cloud vs. on-prem? What does a successful micro-segmentation deployment look like?  Tell us about the common challenges people face in their micro-segmentation projects. What misconceptions do people have about micro-segmentation? What is the difference between having a proactive vs. reactive security strategy? Can you explore the ‘cost’ of preventative cybersecurity in 2020? I.e., how much can your organization save by preventing breaches, vs. paying off ransomware attackers? Or losing customer trust via a public breach? What does micro-segmentation adoption look like as we head into the new year? What is the future of micro-segmentation?  Segmentation of database areas? Logs?

https://www.hak4kidz.com/activities/cdcedu.html Online CTF training using Cisco’s Workshop platform. They did something similar in Spring of 2020. There will be an online panel where kids can ask questions about information security. Occurs on December 12th. Check out the link for more info. Robert M. for upping his patreon to $5 Top 25 Data Security Podcasts You Must Follow in 2020 (feedspot.com) @byt3bl33d3r (Marcello Salvati) @porchetta_ind (porchetta Industries) info@porchetta.industries   Wanna sponsor CrackMapExec? Sponsor @byt3bl33d3r on GitHub Sponsors Github sponsors: GitHub Sponsors Introducing Sponsorware: How A Small Open Source Package Increased My Salary By $11k in Two Days | Caleb Porzio How is this different than shareware? “As a developer of one of these tools, you obviously start questioning your life decisions after a while. Especially after putting so much time into these projects.” Adblockers installed 300,000 times are malicious and should be removed now | Ars Technica (spent years supporting the app… the vitriol from ‘unpaid customers’ is deafening… Should be required reading for anyone wanting to open source anything.) [Announcement] Recent and upcoming changes to the Nano projects · Issue #362 · NanoAdblocker/NanoCore (github.com) Business model for typical opensource projects. Where’s the chain broken at? Devs who expect help/support for their project? “Many eyes make for less vulns” (LOL, sounds good, not true anymore --brbr) What is the ‘status quo’ of OSS infosec/hacking tool developer community (in your opinion)? Pull requests, what is ‘meaningful’ contributions? What is the definition of ‘widely-used’? Why support widely-used OSS hacking tools? (2) Marcello on Twitter: "Well also be encouraging community contributions to those same tools by giving out 1 @offsectraining training voucher per quarter to whoever submits the most meaningful pull request to any of the tools in the @porchetta_ind Discord server" / Twitter And now for something completely different... (porchetta.industries) Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec #cybersecurity #informationsecurity #leadership #podcasts #CPEs #CISSP #porchetta #training #sponsorship #github #opensource #crackmapexec #byt3bl33d3r #marcelloSalvati

https://www.hak4kidz.com/activities/cdcedu.html Online CTF training using Cisco’s Workshop platform. They did something similar in Spring of 2020. There will be an online panel where kids can ask questions about information security. Occurs on December 12th. Check out the link for more info. Robert M. for upping his patreon to $5 Top 25 Data Security Podcasts You Must Follow in 2020 (feedspot.com) @byt3bl33d3r (Marcello Salvati) @porchetta_ind (porchetta Industries) info@porchetta.industries   Wanna sponsor CrackMapExec? Sponsor @byt3bl33d3r on GitHub Sponsors Github sponsors: GitHub Sponsors Introducing Sponsorware: How A Small Open Source Package Increased My Salary By $11k in Two Days | Caleb Porzio How is this different than shareware? “As a developer of one of these tools, you obviously start questioning your life decisions after a while. Especially after putting so much time into these projects.” Adblockers installed 300,000 times are malicious and should be removed now | Ars Technica (spent years supporting the app… the vitriol from ‘unpaid customers’ is deafening… Should be required reading for anyone wanting to open source anything.) [Announcement] Recent and upcoming changes to the Nano projects · Issue #362 · NanoAdblocker/NanoCore (github.com) Business model for typical opensource projects. Where’s the chain broken at? Devs who expect help/support for their project? “Many eyes make for less vulns” (LOL, sounds good, not true anymore --brbr) What is the ‘status quo’ of OSS infosec/hacking tool developer community (in your opinion)? Pull requests, what is ‘meaningful’ contributions? What is the definition of ‘widely-used’? Why support widely-used OSS hacking tools? (2) Marcello on Twitter: "Well also be encouraging community contributions to those same tools by giving out 1 @offsectraining training voucher per quarter to whoever submits the most meaningful pull request to any of the tools in the @porchetta_ind Discord server" / Twitter And now for something completely different... (porchetta.industries) Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec #cybersecurity #informationsecurity #leadership #podcasts #CPEs #CISSP #porchetta #training #sponsorship #github #opensource #crackmapexec #byt3bl33d3r #marcelloSalvati