Brakeing Down Security Podcast

A podcast all about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today’s workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.

  • 2021-016-researchers knowingly add vulnerable code to linux kernel, @pageinsec joins us to discuss -part2
    by Page Glave, Amanda Berlin, Brian Boettcher, and Bryan Brake on May 5, 2021 at 5:30 am

    - Updates to the Linux kernel controversy: https://lwn.net/SubscriberLink/854645/334317047842b6c3/
    - @pageinSec on Twitter
    - Dan Kaminsky obit: https://www.theregister.com/2021/04/25/dan_kaminsky_obituary/
    - Spencer Gietzen: http://brakeingsecurity.com/2018-024-pacu-a-tool-for-pentesting-aws-environments
    - https://en.wikipedia.org/wiki/Milgram_experiment
    - https://lore.kernel.org/lkml/[email protected]/
    - https://cse.umn.edu/cs/statement-cse-linux-kernel-research-april-21-2021
    - https://www.labbott.name/blog/2021/04/21/breakingtrust.html (seems like a number of patches were added (~190) and each had to be reviewed to check whether it was bad)
    - https://twitter.com/UMNComputerSci/status/1384948683821694976 (response to researchers)
    - Linux Kernel mailing list: https://lore.kernel.org/linux-nfs/YH%2FfM%[email protected]/
    - https://danielmiessler.com/blog/explaining-threats-threat-actors-vulnerabilities-and-risk-using-a-real-world-scenario/
    - https://twitter.com/SarahJamieLewis/status/1384871385537908736
    - @sarahJamieLewis shows the change they submitted in their paper: https://twitter.com/SarahJamieLewis/status/1384876050207940608 https://twitter.com/SarahJamieLewis/status/1330671897822982144/photo/1 https://twitter.com/SarahJamieLewis/status/1384880034146574341/photo/1
    - https://web.archive.org/web/20210421145121/https://www-users.cs.umn.edu/~kjlu/papers/crix.pdf (appears the researcher deleted this paper from their site.)
    - https://web.archive.org/web/20210422144500/https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf (researcher deleted this paper from their site.) “Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned—Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form. We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract.”
    - https://github.com/QiushiWu/qiushiwu.github.io
    - NSF Grant application (thank you Page!): https://www.nsf.gov/awardsearch/showAward?AWD_ID=1931208&HistoricalAwards=false
    - NSF IRB requirements (from 2007): https://www.nsf.gov/pubs/2007/nsf07006/nsf07006.jsp (there might be something more recent: Human Subjects | NSF – National Science Foundation)
    - The researchers issued an apology today, 25 April: https://lore.kernel.org/lkml/[email protected]om/ (thanks to Zack Whittaker’s security mailing list)
    - https://twitter.com/argvee: “Thought provoking question for your show: is it realistically possible for an organization to build and scale a culture of code review that catches malicious insertions through (1) expert analysis; (2) adversarial mindset?” Co-author of: https://www.amazon.com/Building-Secure-Reliable-Systems-Implementing/dp/1492083127
    - Introduction of bugs (meaningful or otherwise) caused more work for devs.
    - Revert: https://lkml.org/lkml/2021/4/21/454
    - Quick overview of using deception in research from Duke’s IRB: Using Deception in Research | Institutional Review Board (duke.edu)
    - Is this better? Where’s the line on this? https://www.bleepingcomputer.com/news/security/emotet-malware-nukes-itself-today-from-all-infected-computers-worldwide/

  • 2021-015-researchers knowingly add vulnerable code to linux kernel, @pageinsec joins us to discuss -part1
    by A. Page Glave, Amanda Berlin, Brian Boettcher, and Bryan Brake on April 27, 2021 at 6:41 am

    - @pageinSec on Twitter
    - Dan Kaminsky obit: https://www.theregister.com/2021/04/25/dan_kaminsky_obituary/
    - Spencer Gietzen: http://brakeingsecurity.com/2018-024-pacu-a-tool-for-pentesting-aws-environments
    - https://en.wikipedia.org/wiki/Milgram_experiment
    - https://lore.kernel.org/lkml/[email protected]/
    - https://cse.umn.edu/cs/statement-cse-linux-kernel-research-april-21-2021
    - https://www.labbott.name/blog/2021/04/21/breakingtrust.html (seems like a number of patches were added (~190) and each had to be reviewed)
    - https://twitter.com/UMNComputerSci/status/1384948683821694976 (response to researchers)
    - Linux Kernel mailing list: https://lore.kernel.org/linux-nfs/YH%2FfM%[email protected]/
    - https://danielmiessler.com/blog/explaining-threats-threat-actors-vulnerabilities-and-risk-using-a-real-world-scenario/
    - https://twitter.com/SarahJamieLewis/status/1384871385537908736
    - @sarahJamieLewis shows the change they submitted in their paper: https://twitter.com/SarahJamieLewis/status/1384876050207940608 https://twitter.com/SarahJamieLewis/status/1330671897822982144/photo/1 https://twitter.com/SarahJamieLewis/status/1384880034146574341/photo/1
    - https://web.archive.org/web/20210421145121/https://www-users.cs.umn.edu/~kjlu/papers/crix.pdf (appears the researcher deleted this paper from their site.)
    - https://web.archive.org/web/20210422144500/https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf (researcher deleted this paper from their site.) “Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned—Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form. We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract.”
    - https://github.com/QiushiWu/qiushiwu.github.io
    - NSF Grant application (thank you Page!): https://www.nsf.gov/awardsearch/showAward?AWD_ID=1931208&HistoricalAwards=false
    - NSF IRB requirements (from 2007): https://www.nsf.gov/pubs/2007/nsf07006/nsf07006.jsp (there might be something more recent: Human Subjects | NSF – National Science Foundation)
    - The researchers issued an apology today, 25 April: https://lore.kernel.org/lkml/[email protected]om/ (thanks to Zack Whittaker’s security mailing list)
    - https://twitter.com/argvee: “Thought provoking question for your show: is it realistically possible for an organization to build and scale a culture of code review that catches malicious insertions through (1) expert analysis; (2) adversarial mindset?” Co-author of: https://www.amazon.com/Building-Secure-Reliable-Systems-Implementing/dp/1492083127
    - Introduction of bugs (meaningful or otherwise) caused more work for devs.
    - Revert list of 190 patches (threaded): https://lkml.org/lkml/2021/4/21/454
    - Quick overview of using deception in research from Duke’s IRB: Using Deception in Research | Institutional Review Board (duke.edu)
    - Is this better? Where’s the line on this? https://www.bleepingcomputer.com/news/security/emotet-malware-nukes-itself-today-from-all-infected-computers-worldwide/

  • 2021-014-Slipstreaming blocked by Chrome, Slack being used for malware, plus dork and deskjockeys!
    by Jeremy Mio, Amanda Berlin, and Bryan Brake on April 13, 2021 at 3:48 am

    - Chrome Blocks Port 10080 to Prevent Slipstreaming Hacks – E Hacking News – Latest Hacker News and IT Security News
    - https://www.reddit.com/r/netsec/comments/jlu3cf/nat_slipstreaming/
    - Samy Kamkar – NAT Slipstreaming v2.0
    - Slack and Discord are Being Hijacked by Hackers to Distribute Malware – E Hacking News – Latest Hacker News and IT Security News
    - Texan’s alleged Amazon bombing effort fizzles: Militia man wanted to take out ‘about 70 per cent of the internet’ • The Register
    - Pwn2Own 2021: Hackers Offered $200,000 for Zoom, Microsoft Teams Exploits | SecurityWeek.Com
    - https://twitter.com/k8em0/status/1381258155485585409
    - https://twitter.com/alisaesage/status/1380797761801445376?s=20
    - infosecCampout 2021
    - Hackers Who Paint
    - WWHF Way West
    - https://pastebin.com/2eYY6trD (for training students) @lintile @infosecroleplay

  • 2021-013-Liana_McCrea-Garrison_Yap-cecil_hotel, Elisa_Lam-physical_security-part2
    by Garrison Yap, Liana McCrea, Amanda Berlin, and Bryan Brake on April 7, 2021 at 4:57 pm

    Reparations.tech
    - Public Safety Coordinators: Field Operations (Road Incidents); Specialized Buildings (The Library, Medical Facilities, CCR)
    - Public Safety Officers

    A. Discuss Training
    - SOP Creation: SOPs are very custom and dependent on the organization. There are no “NIST” standards. [IN CYBER: Frameworks for Physical Security —>     ]
    - Think on your feet; many plans often get thrown out the window.
    - Creating policies due to unforeseen incidents
    - Physical Security Assessments: Fire Panels, AED, Roof Accesses
    - The Checklist: Baseline configuration of the operations for a building
    - Locksmith Troubleshooting
    - Lack of Funding (Historically) + Ways to Address this In-House

    Talking to Strangers: What We Should Know about the People We Don’t Know: Gladwell, Malcolm: 9780316478526: Amazon.com: Books

    Situational Awareness (?) “What is Situational Awareness?”
    - There’s a lack of good training to discuss their own physical security
    - Ph.Ds leaving car doors wide open, blaming safety officers when they mess up
    - Common sense is not so common
    - Scenarios don’t always cover every event
    - Dead bodies, car accidents, people streaking (lol), medical issues
    - Policies can be simple, like opening a car door: need to vet whether the car is actually the person’s
    - Have you seen both good and bad training on situational awareness? Does it seem to differ between physical and cyber security?

    Summary of the Clery Act | Clery Center: “The Clery Act is a consumer protection law that aims to provide transparency around campus crime policy and statistics. In order to comply with Clery Act requirements, colleges and universities must understand what the law entails, where their responsibilities lie, and what they can do to actively foster campus safety.”

    C. Real Life examples of Physical Security Blunders
    - Death of Elisa Lam – Wikipedia
    - Crime Scene: The Vanishing at the Cecil Hotel – Wikipedia
    - STORY: Person called a SOC, asked to get into their car (but not their vehicle)
    - Performing multiple sweeps of common areas to prevent squatting
    - Staff “tripping” alarms
    - Deceased Faculty + No Sleeping Policy

    Working as a Team
    - Escalation Management
    - Police often increase tensions when de-escalation is needed.
    - Working as a team
    - Locksmith Team + Public Safety Team
    - Looking for talent in unexpected places to transfer over to CyberSecurity (Build the Bridge)
    - Lockpicking Community: [insert folks on twitter / youtube]

    Companies heading back to work
    - What should IT or Security think about for businesses that may not have had people in for 6-9 months?
    - If companies don’t have cameras or physical controls, should they think about improving them?

    Connect with Us!
    - Liana McCrea: @GeecheeThreat (Twitter) + LinkedIn
    - Garrison Yap: Garrisony75 (Twitter) + LinkedIn

    Links
    - What is physical security? How to keep your facilities and devices safe from on-site attackers | CSO Online
    - Physical security – Wikipedia
    - 5 Ways IT Managers Can Work with Their Physical Security Counterpart (stanleysecuritysolutions.com)
    - 12 Security Camera System Best Practices – Cyber Safe (een.com)
    - What is Physical Security? Measures & Planning Guide + PDF (openpath.com)

    Check out our Store on Teepub! https://brakesec.com/store
    Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]
    - #AmazonMusic: https://brakesec.com/amazonmusic
    - #Spotify: https://brakesec.com/spotifyBDS
    - #Pandora: https://brakesec.com/pandora
    - #RSS: https://brakesec.com/BrakesecRSS
    - #Youtube Channel: http://www.youtube.com/c/BDSPodcast
    - #iTunes Store Link: https://brakesec.com/BDSiTunes
    - #Google Play Store: https://brakesec.com/BDS-GooglePlay
    - Our main site: https://brakesec.com/bdswebsite
    - #iHeartRadio App: https://brakesec.com/iHeartBrakesec
    - #SoundCloud: https://brakesec.com/SoundcloudBrakesec
    - Comments, Questions, Feedback: [email protected]
    - Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
    - #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
    - #Player.FM: https://brakesec.com/BDS-PlayerFM
    - #Stitcher Network: https://brakesec.com/BrakeSecStitcher
    - #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

  • 2021-012-physical security discussion with @geecheethreat and @garrisony75 -pt1
    by Liana McCrea, Garrison Yap, Amanda Berlin, and Bryan Brake on March 30, 2021 at 5:02 am

    Bios for guests

    Reparations.tech
    - Public Safety Coordinators: Field Operations (Road Incidents); Specialized Buildings (The Library, Medical Facilities, CCR)
    - Public Safety Officers

    A. Discuss Training
    - SOP Creation: SOPs are very custom and dependent on the organization. There are no “NIST” standards. [IN CYBER: Frameworks for Physical Security —>     ]
    - Think on your feet; many plans often get thrown out the window.
    - Creating policies due to unforeseen incidents
    - Physical Security Assessments: Fire Panels, AED, Roof Accesses
    - The Checklist: Baseline configuration of the operations for a building
    - Locksmith Troubleshooting
    - Lack of Funding (Historically) + Ways to Address this In-House

    Talking to Strangers: What We Should Know about the People We Don’t Know: Gladwell, Malcolm: 9780316478526: Amazon.com: Books

    Situational Awareness (?) “What is Situational Awareness?”
    - There’s a lack of good training to discuss their own physical security
    - Ph.Ds leaving car doors wide open, blaming safety officers when they mess up
    - Common sense is not so common
    - Scenarios don’t always cover every event
    - Dead bodies, car accidents, people streaking (lol), medical issues
    - Policies can be simple, like opening a car door: need to vet whether the car is actually the person’s
    - Have you seen both good and bad training on situational awareness? Does it seem to differ between physical and cyber security?

    Summary of the Clery Act | Clery Center: “The Clery Act is a consumer protection law that aims to provide transparency around campus crime policy and statistics. In order to comply with Clery Act requirements, colleges and universities must understand what the law entails, where their responsibilities lie, and what they can do to actively foster campus safety.”

    C. Real Life examples of Physical Security Blunders
    - Death of Elisa Lam – Wikipedia
    - Crime Scene: The Vanishing at the Cecil Hotel – Wikipedia
    - STORY: Person called a SOC, asked to get into their car (but not their vehicle)
    - Performing multiple sweeps of common areas to prevent squatting
    - Staff “tripping” alarms
    - Deceased Faculty + No Sleeping Policy

    Working as a Team
    - Escalation Management
    - Police often increase tensions when de-escalation is needed.
    - Working as a team
    - Locksmith Team + Public Safety Team
    - Looking for talent in unexpected places to transfer over to CyberSecurity (Build the Bridge)
    - Lockpicking Community: [insert folks on twitter / youtube]

    Companies heading back to work
    - What should IT or Security think about for businesses that may not have had people in for 6-9 months?
    - If companies don’t have cameras or physical controls, should they think about improving them?

    Connect with Us!
    - Liana McCrea: @GeecheeThreat (Twitter) + LinkedIn
    - Garrison Yap: Garrisony75 (Twitter) + LinkedIn

    Links
    - What is physical security? How to keep your facilities and devices safe from on-site attackers | CSO Online
    - Physical security – Wikipedia
    - 5 Ways IT Managers Can Work with Their Physical Security Counterpart (stanleysecuritysolutions.com)
    - 12 Security Camera System Best Practices – Cyber Safe (een.com)
    - What is Physical Security? Measures & Planning Guide + PDF (openpath.com)
