Info

Brakeing Down Security Podcast

A podcast all about the world of Security, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.
RSS Feed Subscribe in iTunes
Brakeing Down Security Podcast
2017
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
July
June
May
April
March
February
January


2015
December
November
October
September
August
July
June
May
April
March
February
January


2014
December
November
October
September
August
July
June
May
April
March
February
January


All Episodes
Archives
Now displaying: March, 2016
Mar 26, 2016

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-013-michael_gough-the_5_Ps.mp3

iTunes: https://itunes.apple.com/us/podcast/2015-013-michael-gough-issm/id799131292?i=365622423&mt=2

We discuss a model that Michael Gough used while he was at HP. The Information Security and Service Management (ISSM) Reference model can be used to help companies align their IS and IT goals with the businesses goals... If you've been a listener of our podcast for a while now, you might have heard our 2-part podcast on ITIL with Tim Wood, which is a service based solution to enable your IT and infosec initiatives to also align with your business needs.

From the ISSM whitepaper:

"organizations need to build and run an integrated service management system that addresses security and risk management as well as the regulatory compliance imposed on the agency while ensuring that agreed services are provided to internal and external customers and managed end-to-end.

For agencies and organizations to achieve meaningful service outcomes, technology and agency decision makers need to align their goals and strategies more closely while dealing with an increasing amount of technologies, threats, and regulatory compliance requirements."

We discuss the idea of the "5 P's", which are "Policy, Process, People, Products (or technology), and Proof", and how they are important to the implementation of the #ISSM reference model

Finally, we discuss a typical engagement using the ISSM model. Creation of the 7 Core components and additional using a maturity model to self-assess your company in an effort to show transparency to your internal processes.

Important links:

http://www8.hp.com/h20195/V2/getpdf.aspx/4AA2-2350ENW.pdf?ver=1.0

http://www.digitalgovernment.com/media/Downloads/asset_upload_file772_2477.pdf

https://en.wikipedia.org/wiki/Information_security_management_system

http://www.davebolick.com/SampleNewsletterHPFinancialAdvisor.pdf

http://media.govtech.net/HP_RC_08/Security_RC/ISSM_for_SLG.pdf

Integrating ITIL into infosec: http://traffic.libsyn.com/brakeingsecurity/2015-018-Integrating_infosec_with_ITIL.mp3

http://traffic.libsyn.com/brakeingsecurity/2015-017_ITIL_and_infosec.mp3

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake @hackerhurricane

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

#cobit, #cmmi, #maturity model, #ISSM, #ITIL, #Service, #management, #reference model, #ISO, #27002, #27001, CISSP, #podcast, #infosec, #compliance

Mar 19, 2016

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-012-Ben_Caudill-Application_Logic_Flaws.mp3

Itunes: iTunes: https://itunes.apple.com/us/podcast/2016-012-ben-caudill-on-app/id799131292?i=365094523&mt=2

Ever bought "-1" of an item on a retail site? Or was able to bypass key areas of an application and get it bypass authentication, or you were able to bypass a paywall on a site?

Application logic flaws are often insidious and not easy to find. they require often a bit of work to bypass, and are often missed by testing groups with rigid test plans, as they violate the flow of an application. "Why would they do that? That doesn't make any sense..." often precludes the finding of an application logic flaw.

This week, we interview Ben Caudill from Rhino Security, who discussed a logic flaw that could be used to de-anonymize someone by creating fake profiles..

We then discuss how Ben went through contacting the company, what happened after initial disclosure, and how it was fixed.

http://www.geekwire.com/2014/hack-popular-app-secret-seattle-hackers-show-digital-security-always-beta/

http://www.theguardian.com/technology/2014/aug/26/secret-app-cyberbullying-security-hackers

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

#infosec, #podcast, #CISSP, #CPEs, #vulnerability #disclosure, #responsible #disclosure, #application #security, #logic #flaws, Ben #Caudill, #Rhino #Security

Mar 14, 2016

Download Here: http://traffic.libsyn.com/brakeingsecurity/2016-011-Hector_Monsegur-bug_bounties-serialization.mp3

iTunes Direct Link: https://itunes.apple.com/us/podcast/2016-011-hector-monsegur-serialization/id799131292?i=364768504&mt=2

Hector Monsegur has had a colorful history. A reformed black hat who went by the name 'Sabu' when he was involved in the hacker collectives "Lulzsec" and "Anonymous", he turned state's evidence for the FBI, working to stop further hacking attempts by the same people he was working with.

https://en.wikipedia.org/wiki/Hector_Monsegur

This week, we got to sit down with Hector, to find out what he's been doing in the last few years. Obviously, a regular job in the security realm for a large company is not possible for someone with a colorful past that Mr. Monsegur has. So we discuss some of the methods that he's used to make ends meet.

Which brings us to the topic of bug bounties. Do they accomplish what they set out to do? Are they worth the effort companies put into them? And how do you keep bounty hunters from going rogue and using vulnerabilities found against a company on the side?

In an effort to satisfy my own curiosity, I asked Hector if he could explain what a 'deserialization' vulnerability is, and how it can be used in applications. They are different than your run of the mills, every day variety OWASP error, but this vulnerability can totally ruin your day...

https://www.contrastsecurity.com/security-influencers/java-serialization-vulnerability-threatens-millions-of-applications

https://securityintelligence.com/one-class-to-rule-them-all-new-android-serialization-vulnerability-gives-underprivileged-apps-super-status/

Finally, we ask Hector some advice for that 'proto black hat' who is wanting to head down the road that Hector went. The answer will surprise you...

We hope you enjoy this most interesting interview with a enigmatic and controversial person, and hope that the information we provide gives another point of view into the mind of a reformed "black hat" hacker...

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

#infosec, #blackhat, hector #monsegur, #hacker, #anonymous, #lulzsec, #FBI, #Sabu, #deserialization, #bug #bounties, #hackerone, #bugcrowd, #podcast, #de-serialization, #penetration tests, #social #engineering, #CISSP

Mar 7, 2016

DNS... we take it for granted... it's just there. And we only know it's broken when your boss can't get to Facebook. 

This week, we discuss the Domain Naming System (DNS). We start with a bit of history, talking about the origins of DNS, some of the RFCs involved in it's creation, how it's hierarchical structure functions to allow resolution to occur, and even why your /etc/hosts is important. 

We discuss some of the necessary fields in your DNS records. MX, ALIAS, CNAME, SOA, TXT, and how DNS is used for non-repudiation in email.

We also touch on how you can use DNS to enumerate an external network presence when you are the red team, and what you should know about to make it harder for bad actors to not use your external DNS in amplification attacks.

Finally, you can't have a discussion about DNS without talking about how to secure your DNS implementation. So we supply you with a few tips and best practices. 

Plenty of informational links down below, including links to the actual RFCs (Request for Comment) which detail how DNS is supposed to function. Think of them as the owner's manual for your car.

Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-010-DNS_Reconnaissance.mp3

#iTunes: https://itunes.apple.com/us/podcast/2016-010-dns-reconnaissance/id799131292?i=364331694&mt=2

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast

RSS FEED: http://www.brakeingsecurity.com/rss

 

On #Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969

Player.FM : https://player.fm/series/brakeing-down-security-podcast

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

Podcast Links we used for information:

http://www.slideshare.net/BizuworkkJemaneh/dns-42357401

300+ million domains registered: https://www.verisign.com/en_US/internet-technology-news/verisign-press-releases/articles/index.xhtml?artLink=aHR0cDovL3ZlcmlzaWduLm13bmV3c3Jvb20uY29tL2FydGljbGUvcnNzP2lkPTIwMTIwNTI%3D

https://technet.microsoft.com/en-us/library/cc770432.aspx

http://security-musings.blogspot.com/2013/03/building-secure-dns-infrastructure.html

http://tldp.org/HOWTO/DNS-HOWTO-6.html

https://en.wikipedia.org/wiki/Domain_Name_System

https://en.wikipedia.org/wiki/DNS_spoofing

http://www.esecurityplanet.com/network-security/how-to-prevent-dns-attacks.html

http://www.firewall.cx/networking-topics/protocols/domain-name-system-dns/161-protocols-dns-response.html

http://www.thegeekstuff.com/2012/05/ettercap-tutorial/

https://isc.sans.edu/forums/diary/New+tricks+that+may+bring+DNS+spoofing+back+or+Why+you+should+enable+DNSSEC+even+if+it+is+a+pain+to+do/16859/

https://support.google.com/a/answer/48090?hl=en

http://www.ecsl.cs.sunysb.edu/tr/TR187.pdf

https://tools.ietf.org/html/rfc882

https://tools.ietf.org/html/rfc883

https://tools.ietf.org/html/rfc1034

https://tools.ietf.org/html/rfc1035

 

1