
BrakeSec Education Podcast

472 episodes - English - Latest episode: 28 days ago - ★★★★★ - 98 ratings

A podcast about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security professionals need to know, or refresh the memories of seasoned veterans.

Tags: Tech News, News, Technology, cisa, cissp, legal, pentesting, podcasts, application, compliance, computersecurity, cybersecurity, education

Episodes

2017-001: A New Year, malware legislation, and a new cast member!

January 12, 2017 05:27 - 43 minutes - 35 MB

We start Brakeing Down Security with a huge surprise! A 3rd member of the podcast! Amanda #Berlin (@infosystir) joins us this year to help us educate people on #security topics. During the year, she'll be getting us some audio from various conventions and giving us her perspective working as an #MSSP, as well as a blue team (defender). We start out talking about new #California #legislation about making #malware illegal. What are politicians in California thinking? We work through that and...

2016-051: Steps to fixing risks you found, and the State of the Podcast

December 25, 2016 02:42 - 41 minutes - 33.2 MB

It's the final episode of the year, and we didn't slouch on the #infosec. Mr. Boettcher discussed what should happen when we find risk and how we handle it in a responsible manner. I also issue an 'open-letter' to C-Level. We need C-Levels to listen and accept the knowledge and experience of your people. Infosec people are often the only thing keeping a company from making the front page, and yet are still seen as speed bumps. We also discuss some of the previous episodes of the year, s...

2016-050: Holiday Spectacular with a little help from our friends!

December 21, 2016 15:35 - 1 hour - 60 MB

Brakesec Podcast joined: Edgar #Rojas (@silverFox) and Tracy #Maleef (@infosecSherpa) from the #PVC #Security #podcast (@pvcsec); Joe Gray (@C_3PJoe) from the Advanced Persistent Security Podcast; Jerry #Bell (@maliciousLink) and Andrew #Kalat (@lerg) from the #Defensive Security podcast (@defensiveSec); and Amanda #Berlin (@infosystir) for a light-hearted holiday party. We discuss things we learned this year, and most of us refrained from making the famous "#prediction" lists. You also...

2016-049-Amanda Berlin, the art of the sale, and Decision making trees

December 15, 2016 06:20 - 56 minutes - 45.5 MB

"Always Be Closing" is the mantra that Alec Baldwin's character "Blake" intones in the movie "#GlenGarry #Glen #Ross". Ironically, the film about 4 men selling was a failure in the theaters. A lot of times as #blue #teamers, we find ourselves in the sights of a #sales person, or often enough, we are inviting them into our conference rooms to find out how their widget will help save the day. There's an art to the concept of selling, honed over the past 500,000 years, since Ugg tried to con...

2016-048: Dr. Gary McGraw, Building Security into your SDLC, w/ Special guest host Joe Gray!

December 03, 2016 23:00 - 1 hour - 57 MB

As part of our ongoing discussion about the #SDLC and getting security baked in as far left as possible, Joe Gray, host of the Advanced Persistent Security #Podcast (find it at https://advancedpersistentsecurity.net/), Mr. Boettcher, and I sat down with Dr. Gary McGraw, author of "Software Security: Building Security In" to discuss his book. We are also doing this book as part of the Brakeing Security Book Club (check out our #Slack channel for more information). Gary walks us through th...

2016-047: Inserting Security into the SDLC, finding Privilege Escalation in poorly configured Linux systems

November 28, 2016 05:32 - 19 minutes - 15.9 MB

Just a quick episode this week... As part of the Brakesec Book Club (join us on our #Slack Channel for more information!) we are discussing Dr. Gary McGraw's book "Software Security: Building Security In" (Amazon Link: https://is.gd/QtHQcM). We talk about the need to insert security into your company's #SDLC... but what exactly can be done to enable that? I talk about abuse cases, #risk #analysis, creating test cases, pentesting, and #security #operations, which are all methods to do so. Fi...

2016-046: BlackNurse, Buenoware, ICMP, Atombombing, and PDF converter fails

November 21, 2016 01:00 - 44 minutes - 35.9 MB

This week, Mr. Boettcher found himself with an interesting conundrum concerning what happened when he converted a Windows DOCX file to a PDF using a popular #PDF converter software. We discuss what happened, how Software Restriction Policy in Windows kept him safe from a potential malware infection, and about the logging that occurred. After that, we discuss some recent vulnerabilities, like the BlackNurse Resource Exhaustion vulnerability and how you can protect your infrastructure from a...

2016-044: Chain of Custody, data and evidence integrity

November 07, 2016 05:26 - 47 minutes - 37.7 MB

During a Security Incident, or in the course of an investigation, it may become necessary to gather evidence for further use in a possible court case in the future. But if you don't have 4-10,000 dollars USD for fancy forensic software, you'll need to find methods to preserve data, create proper integrity, and have a proper custody list to show who handled the data, how it was collected, etc. This podcast was not meant to turn you into an expert, but instead to go over the finer points of ...

2016-043: BSIMMv7, a teachable moment, and our new Slack Channel!

November 01, 2016 21:20 - 1 hour - 59.4 MB

**Brakeing Down Security has a Slack channel now... just go to https://brakesec.signup.team and follow the instructions to have the bot add you to our show's official channel.** Every year, organizations come out with industry reports that show how well or, more often than not, how poorly we are doing. We always enjoy reviewing the BSIMM report, because it's unvarnished, and a good measure of a good number of industry verticals, like finance, manufacturing, cloud, and even companie...

2016-042-Audio from Source Seattle 2016 Conference

October 24, 2016 17:05 - 1 hour - 74.4 MB

Join us for a special episode this week! I (Bryan) was able to attend my first Source Seattle convention. Two days of talks, technical and non-technical, combining red/blue team concepts, as well as professional development, to help you navigate the corporate waters easier. I was able to interview a number of people from the conference. You can see a partial list of them here: http://www.sourceconference.com/single-post/2016/09/30/SOURCE-Seattle-Highlights Interviewed Chip McSween...

2016-041- Ben Johnson, company culture shifts, job descriptions, cyber self-esteem

October 17, 2016 00:59 - 1 hour - 57.2 MB

Ben Johnson has been around the industry for a good while, and has seen a lot of ugly things in our industry. Ben had written a recent blog post (https://www.carbonblack.com/2016/08/12/benvlog-3-negative-forces-driving-security/) detailing the issues that seem to plague many companies and many people in the infosec community. We talked about these issues in depth, and how companies and even the employees in a company can ease some of their burdens, and how they can make some changes to m...

2016-040: Gene_Kim, Josh_Corman, helping DevOps and Infosec to play nice

October 10, 2016 02:12 - 1 hour - 49.4 MB

If you work in a #DevOps environment, you're on one side of the fence... you're either with the devs, you have freedom to make changes, and everything is great. If you're on the Security and/or Compliance side, it's a desolate wasteland of watching people play fast and loose with policies, no one documenting anything, and you're seen as a 'barrier' to getting the new hotness out. But does it have to be that way? This week, we sat down with DevOps veterans Gene Kim and Josh Corman to disc...

2016-039-Robert Hurlbut, Threat Modeling and Helping Devs Understand Vulnerabilities

October 04, 2016 05:32 - 1 hour - 60.1 MB

Join us this week as Robert Hurlbut (@roberthurlbut on Twitter), an independent consultant with over 25 years of application experience, helps us understand the best methods for getting developers on the same level as security professionals with application security flaws. We also discuss some of the soft skills involved in bringing new concepts to organizations, like teaching proper coding conventions, changing up the development lifecycle, and helping to improve the skills of developers an...

2016-038-Derbycon Audio and 2nd Annual Podcast with Podcasters!

September 28, 2016 18:51 - 1 hour - 67.5 MB

Mr. Brian Boettcher and I had a great time at DerbyCon. We met so many people and it really was excellent meeting all the fans who came up and said "Hello" or that they really enjoyed the #podcast. It is truly a labor of love and something that we hope everyone can learn something from. We got some audio while at lunch at #Gordon #Biersch talking about log monitoring, inspired by @dualcore's #Anti-Forensics talk (http://www.irongeek.com/i.php?page=videos/derbycon6/310-anti-forensic...

2016-037: B1ack0wl, Responsible Disclosure, and embedded device security

September 14, 2016 01:26 - 1 hour - 61.2 MB

Have you ever found a #vulnerability and wondered if it was worth the time and effort to reach back to the company in question to get the fix in? This week, we have a story with Mr. "B1ack0wl" who found a vulnerability with certain #Belkin #embedded network devices for end users... We also find out how B1ack0wl learned his stock and trade. https://www.exploit-db.com/exploits/40332/ Find out how he discovered it, and what steps he took to disclose the steps, and what ended up happening...

2016-036: MSSP pitfalls, with Nick Selby and Kevin Johnson

September 11, 2016 01:47 - 1 hour - 62.4 MB

Nick Selby (@nselby on Twitter) is an independent consultant who works a wide variety of jobs. During a recent engagement, he ran into an interesting issue after a company called him in to handle an incident response. It wasn't the client; it was with the Managed Security Service Provider (#MSSP). His blog post about the incident made big news on Twitter and elsewhere. Nick's Blog Post: https://nselby.github.io/When-Security-Monitoring-Provides-Neither-Security-Nor-Monitoring/ So, we wan...

2016-035-Paul Coggin discusses the future with Software Defined Networking

September 06, 2016 02:34 - 1 hour - 67.3 MB

Paul Coggin is my SME when I need to know about anything network #security related. And this time, we wanted to have him on our show to discuss Software Defined Networking (#SDN). Software defined networking allows applications to make connections, manage devices and even control the network using #APIs. It in effect allows any developer to become a network engineer. Obviously this could be a recipe for disaster if the dev does not fully understand the ramifications. And there's m...

2016-034: Sean Malone from FusionX explains the Expanded Cyber Kill Chain

August 28, 2016 02:37 - 1 hour - 92.2 MB

Another great #rejectedTalk we found was from Sean Malone (@seantmalone on Twitter). The Cyber Kill Chain is a method by which we explain the methodology of hackers and the process of hacking. In this discussion, we find Sean has expanded the #killchain, to be more selective, and to show the decision tree once you've gained access to hosts. This expanded #killChain is also effective for understanding when #hackers are attacking specific systems, like #SCADA, or other specialized systems o...

2016-033: Privileged Access Workstations (PAWs) and how to implement them

August 22, 2016 05:07 - 57 minutes - 52.7 MB

Bill V. (@blueteamer on Twitter) was the 1st of a series we like to call "2nd Chances: Rejected Talks". Bill had a talk that was rejected initially at DerbyCon (later accepted after someone else cancelled). Here is the synopsis of his talk that you can now see at DerbyCon: Privileged Access Workstations (PAWs) are hardened admin workstations implemented to protect privileged accounts. In this talk I will discuss my lessons learned while deploying PAWs in the real world as well as other...

2016-032-BlackHat-Defcon-Debrief, Brakesec_CTF_writeup, and blending in while traveling

August 15, 2016 05:41 - 59 minutes - 54.9 MB

Co-Host Brian Boettcher went to BlackHat and Defcon this year, as an attendee of the respective cons, but also as a presenter at "Arsenal", which is a venue designed to show up-and-coming software and hardware applications. We started off by asking him about his experiences at Arsenal, and how he felt about "Hacker Summer Camp". Our second item was to discuss the recent Brakesec PodCast CTF we held to give away a free ticket to Derbycon. We discussed some pitfalls we had, how we'll prepare f...

2016-031: DFIR rebuttal and handling incident response

August 08, 2016 01:32 - 59 minutes - 54 MB

A couple of weeks ago, we discussed on our show that not all incident response events required digital forensics. We got quite a bit of feedback about that episode, so in an effort to address the feedback, we brought Brian Ventura on. Brian has 20+ years in Information Technology, ranging from systems administration to project management and information security. He is an Information Security Architect in Portland, Oregon and volunteers as the Director of Education for the Portland ISSA C...

2016-030: Defending Against Mimikatz and Other Memory based Password Attacks

July 31, 2016 23:50 - 35 minutes - 32 MB

In the last few years, security researchers and hackers have found an easy way of gaining access to passwords without the use of dumping the Windows hash table. When improperly configured, the passwords are stored in memory, often in plain text. This week, we discuss Mimikatz, and methods by which you can protect your environment by hardening Windows against such attacks. Links to blogs: https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft ...

2016-029: Jarrod Frates, steps when scheduling a pentest, and the questions you forgot to ask...

July 25, 2016 22:20 - 1 hour - 75.7 MB

Jarrod Frates (@jarrodfrates on Twitter) has been doing pentests as a red-team member for a long time. His recent position at #InGuardians sees him engaging many companies who have realized that a typical 'pentest #puppymill' or pentest from certain companies just isn't good enough. Jarrod has also gone on more than a few engagements where he has found the client in question has no clue of what a 'real' pentest is, and worse, they often have the wrong idea of how it should go. This week,...

2016-028: Cheryl Biswas discusses TiaraCon, Women in Infosec, and SCADA headaches

July 17, 2016 21:20 - 1 hour - 55.3 MB

Long time listeners will remember Ms. Cheryl #Biswas as one of the triumvirate we had on to discuss #mainframes and mainframe #security. (http://traffic.libsyn.com/brakeingsecurity/2016-008-mainframe_secruity.mp3) I was interested in the goings on at BlackHat/DefCon/BsidesLV, and heard about #TiaraCon (@tiarac0n on Twitter). I went to find someone involved to understand what it was all about, and Ms. Cheryl reached out. She's an #organizer and was more than happy to sit down with me to und...

2016-027: DFIR conference, DFIR policy controls, and a bit of news

July 10, 2016 22:31 - 45 minutes - 41.2 MB

Mr. Boettcher is back! We talked about his experiences with the #DFIR conference, and we get into a discussion about the gap between incident response and when you're using #digital #forensics. Mr. Boettcher and I discuss what needs to happen before #incident #response is required. We also discuss the Eleanor malware very briefly and I talk about finding Platypus, which is a way for you to create OSX packages using python/perl/shell scripts. Platypus: http://sveinbjorn.org/...

2016-026-powershell exfiltration and hiring the right pentest firm

July 03, 2016 21:33 - 1 hour - 68.6 MB

Adam Crompton (@3nc0d3r) and Tyler Robinson (@tyler_robinson) from Inguardians came by to fill in for my co-host this week. We talk about things a company should do to protect themselves against data exfil. Adam then shows us a tool he's created to help automate data exfil out of an environment. It's called 'Naisho', and if you're taking the 'Powershell for Pentesters' class at DerbyCon, you'll be seeing this again, as Adam will be co-teaching this class with Mick Douglas (@bettersafetyne...

2016-025-Windows Registry, Runkeys, and where malware likes to hide

June 27, 2016 04:05 - 50 minutes - 46.5 MB

The Windows registry has come a long way from its humble beginnings in #Windows 3.11 (Windows for Workgroups). This week, we discuss the structure of the Windows registry, as well as some of the inner workings of the registry itself. We also discuss some good places to find malware, some of the key values that you can find in the #registry and their meanings. We also discuss what atomicity is and how the registry is a lot like a database in how it functions. And no podcast ab...

2016-024: Kim Green, on CISOaaS, the Redskins Laptop, and HIPAA

June 20, 2016 01:22 - 1 hour - 67.1 MB

We are pleased to introduce Ms. Kim Green (Twitter: @kim1green). She is the CEO of KAZO Security, as well as the CISO/CPO of Zephyr Health, a #SaaS based #Healthcare data #analytics company.  She brings over 20 years of experience in healthcare and leadership to help small and medium business companies get help from a #CISO to assist in an advisory role. Ms. Green also started a bug bounty program at Zephyr Health to assist them in shoring up their application, finding #vulnerabilities tha...

2016-023- DNS_Sinkholing

June 13, 2016 00:11 - 39 minutes - 36 MB

Picture yourself in the middle of a security incident... A malware infection, or hosts on your network that are part of a botnet. You figured out how the malware is communicating with the command and control servers, but if you just kill the connection, the malware stops functioning. What do you do? In some cases, you might be able to employ a DNS #sinkhole to route traffic harmlessly to or through a honey network that can be used to further analyze things like #infection vecto...

2016-022: Earl Carter dissects the Angler Exploit Kit

June 06, 2016 01:44 - 57 minutes - 52.8 MB

Earl Carter spends all day researching exploit kits and using that information to protect customers from various malware payloads that spread ransomware. This week we sit down with him to understand the #Angler EK. He starts us off with a history of where it came from and how it gained so much popularity, evolving from earlier EKs, like #BlackHole, or WebAttacker. We even discuss how it's gone from drive-by downloads, to running only in memory, to being used in malvertising campaigns. We ...

2016-021: Carbon Black's CTO Ben Johnson on EDR, the layered approach, and threat intelligence

May 29, 2016 00:07 - 57 minutes - 52.8 MB

Ben Johnson (@chicagoben on Twitter) has spent a good deal of time working on protecting clients' endpoints. From his work at the NSA, to being the co-founder of Carbon Black (@carbonblack_inc). We managed to have him on to discuss EDR (#Endpoint Detection and Response), TTP (#Tactics, Techniques, and Procedures), and the #Threat #Intelligence industry. Ben discusses with us the Layered Approach to EDR:

1. Hunting
2. Automation
3. Integration
4. Retrospection
5. Patterns of Attack/...

2016-020-College Vs. Certifications Vs. Self-taught

May 21, 2016 23:06 - 54 minutes - 49.7 MB

Dr. Matt Miller is a professor at the University of Nebraska at Kearney. We had him on to discuss a matter that seems to weigh heavily on the infosec community. What will a CS degree get you? What are you learning these days as a future code jockey? Is skipping college altogether better? We discuss what he does to arm future developers with the tools necessary to get a job. We hear about what they also might be lacking in as well. Dr. Miller is also spearheading a new cybersecurity degre...

2016-019-Creating proper business cases and justifications

May 16, 2016 04:09 - 54 minutes - 50.1 MB

Procurement is a process. Often a long, drawn-out, tedious process, but it is necessary to ensure that hardware and software is going to be what works in your organization. We go over what is necessary to make sure your procurement is as smooth as possible. Some of the topics we discuss include:

1. Aligning business goals and operational goals
2. How to discuss ROI with management
3. Getting actionable information for business requirements from affected parties
4. Steering yourself ...

2016-018-software restriction policies and Applocker

May 09, 2016 00:11 - 1 hour - 54.9 MB

Windows has all the tools you need to secure an OS, but we rarely use them. One example of this is 'Software Restriction Policies', which is a method by which you can block certain files from being saved anywhere, control what file types can be executed in a directory, and even control whether or not software is allowed to install. We also discuss the use of parental controls as a cheap, easy method of restricting users from accessing certain websites, installing software from the iTunes store, or restr...

2016-017-The Art of Networking, Salted Hashes, and the 1st annual Podcast CTF!

May 02, 2016 05:04 - 1 hour - 57.2 MB

You might have heard "Network when you can, not when you have to..." The art of networking is creating connections and nurturing relationships that benefit everyone. This week we discuss building networks, creating people networks that allow for free sharing of ideas and knowledge. Whether it be a professional organization, like ISSA or ISC2 meetings, or you just get a bunch of people together to have coffee on a Saturday morning. We also brainstorm ideas on how people in our community keep th...

2016-016-Exploit Kits, the "Talent Gap", and buffer overflows

April 25, 2016 04:26 - 1 hour - 55.1 MB

Angler, Phoenix, Zeus... all famous exploit kits that are used to move malware into your environment. This week, Mr. Boettcher and I discuss the merits of Exploit kits, how they function and what can be done to stop them. They are only getting more numerous and they will be serving more malware to come. We shift gears and discuss the 'talent gap' the media keeps bringing up, and whether it's perceived or real. We discuss the industry as a whole, and what caused the gap, and if it will get b...

2016-015-Dr. Hend Ezzeddine, and changing organizational security behavior

April 16, 2016 03:44 - 1 hour - 64.8 MB

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-015-Dr._Hend_Ezzeddine_and_finding_security_training_that_works.mp3
iTunes Link: https://itunes.apple.com/us/podcast/2016-015-dr.-hend-ezzeddine/id799131292?i=366936677&mt=2
Dr. Ezzeddine's slides from Bsides Austin (referenced during the interview): https://drive.google.com/file/d/0B-qfQ-gWynwiQnBXMnJVeko4M25pdk1Sa0JnMGJrZmltWlRr/view?usp=sharing

You open the flash animation, click click click, answer 10 security questions that...

2016-014-User_Training,_Motivations,_and_Speaking_the_Language

April 08, 2016 01:21 - 41 minutes - 37.8 MB

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-014-User_Training_Motivation_and_Languages.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-014-user-training-motivations/id799131292?i=366433676&mt=2

Fresh back from my vacation, Mr. Boettcher and I got to discussing things that have weighed on our minds, and I had a story from my travels that fit in perfectly with our discussion. What does our industry (Infosec Practitioners) do to motivate people to be secure? Is it a langua...

2016-013-Michael Gough, the ISSM reference model, and the 5 P's

March 26, 2016 07:00 - 58 minutes - 53.9 MB

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-013-michael_gough-the_5_Ps.mp3
iTunes: https://itunes.apple.com/us/podcast/2015-013-michael-gough-issm/id799131292?i=365622423&mt=2

We discuss a model that Michael Gough used while he was at HP. The Information Security and Service Management (ISSM) Reference model can be used to help companies align their IS and IT goals with the business's goals... If you've been a listener of our podcast for a while now, you might have heard o...

2016-012-Ben Caudill on App Logic Flaws, and Responsible Disclosure

March 19, 2016 01:58 - 51 minutes - 47.4 MB

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-012-Ben_Caudill-Application_Logic_Flaws.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-012-ben-caudill-on-app/id799131292?i=365094523&mt=2

Ever bought "-1" of an item on a retail site? Or were you able to bypass key areas of an application and get it to bypass authentication, or were you able to bypass a paywall on a site? Application logic flaws are often insidious and not easy to find. They often require a bit of work to...

2016-011-Hector Monsegur, deserialization, and bug bounties

March 14, 2016 04:36 - 1 hour - 66.3 MB

Download Here: http://traffic.libsyn.com/brakeingsecurity/2016-011-Hector_Monsegur-bug_bounties-serialization.mp3
iTunes Direct Link: https://itunes.apple.com/us/podcast/2016-011-hector-monsegur-serialization/id799131292?i=364768504&mt=2

Hector Monsegur has had a colorful history. A reformed black hat who went by the name 'Sabu' when he was involved in the hacker collectives "Lulzsec" and "Anonymous", he turned state's evidence for the FBI, working to stop further hacking attempts by the s...

2016-010-DNS_Reconnaissance

March 07, 2016 05:32 - 49 minutes - 45.7 MB

DNS... we take it for granted... it's just there. And we only know it's broken when your boss can't get to Facebook. This week, we discuss the Domain Naming System (DNS). We start with a bit of history, talking about the origins of DNS, some of the RFCs involved in its creation, how its hierarchical structure functions to allow resolution to occur, and even why your /etc/hosts is important. We discuss some of the necessary fields in your DNS records. MX, ALIAS, CNAME, SOA, TXT, and how...

2016-009-Brian Engle, Information Sharing, and R-CISC

February 29, 2016 01:44 - 1 hour - 60.4 MB

We've reached peak "Br[i|y]an" this week when we invited our friend Brian Engle on to discuss what his organization does. Brian is the Executive Director of the Retail Cyber Intelligence Sharing Center. "Created by retailers in response to the increased number and sophistication of attacks against the industry, the R-CISC provides another tool in retailers' arsenal against cyber criminals by sharing leading practices and threat intelligence in a safe and secure way." -- R-CISC website To ...

2016-008-Mainframe Security

February 22, 2016 06:08 - 1 hour - 98 MB

This week's super-sized episode is brought to us thanks to previous guest Cheryl Biswas. You might remember her from our "Shadow IT" (http://brakeingsecurity.com/2015-048-the-rise-of-the-shadow-it) podcast a few months ago. She reached out to us to see if we were interested in doing a podcast on mainframe security with her and a couple of gentlemen that were not unknown to us. Of course we jumped at the chance! You might know them as @mainframed767 and @bigendiansmalls (Chad) on Twitter. The...

2016-007-FingerprinTLS profiling application with Lee Brotherston

February 14, 2016 04:38 - 1 hour - 65.1 MB

We first heard about FingerprinTLS from our friend Lee Brotherston at DerbyCon last September. Very intrigued by how he was able to fingerprint client applications being used, we finally were able to get him on to discuss this. We do a bit of history about #TLS, and the versions from 1.0 to 1.2. Lee gives us some examples of how FingerprinTLS might be used by red teamers or pentest agents to see what applications a client has on their system, or if you're a blue team that has specific app...

2016-006-Moxie_vs_Mechanism-Dependence_On_Tools

February 08, 2016 03:26 - 54 minutes - 49.5 MB

This week starts with an apology to Michael Gough about comments I (Bryan) mangled on the "Anti-Virus... What is it good for?" podcast. Then we get into the meat of our topic... a person's "Moxie" vs. a mechanism. Moxie: noun, "force of character, determination, or nerve." Automation is a great thing. It allows us to do a lot more work with less personnel, run mundane tasks without having to think about them, and even allow us to do security scans on web applications and assets in your...

Brakeing Down Security interviewed on "Building a Life and Career in Security" podcast!

February 03, 2016 16:57

After we interviewed Jay Schulman on our podcast, Mr. Boettcher and I did his podcast! Listen to both of us share our bios and learn how Mr. Boettcher and I met, and how our unorthodox ways of getting into information security can show that anyone can move into that space... https://www.jayschulman.com/episode15/ Jay has conducted other interviews with some great people, and he creates some great blog posts. Please check out his site at https://www.jayschulman.com You can also hear ou...

2016-005-Dropbox Chief of Trust and Security Patrick Heim!

January 30, 2016 06:34 - 46 minutes - 42.7 MB

Brakeing Down Security had the pleasure of having Patrick Heim join us to discuss a number of topics. We discussed: Cloud migrations. What stops many traditional #companies from moving into #cloud based operations? What hurdles do they face, and what are some pitfalls that can hamper a successful #migration? We touched briefly on #BYOD and the use of personal devices in a business environment, as well as #Dropbox's deployment of optional #2FA and using #U2F keys for add...

2016-004-Bill_Gardner

January 24, 2016 03:41 - 1 hour - 72.4 MB

BrakeSec Podcast welcomes Bill Gardner this week! Author, InfoSec Convention Speaker, and fellow podcaster... We break a bit from our usual rigid methods, and have a good ol' jam session with Bill this week. We talk about vulnerability management, career management, the troubles of putting together a podcast and more! Bill's Twitter: https://www.twitter.com/oncee Bill's books he's authored or co-authored: http://www.amazon.com/Bill-Gardner/e/B00MZ9P0IG/ref=sr_ntt_srch_lnk_2?qid=1453607...

2016-003-Antivirus (...what is it good for... absolutely nothing?)

January 18, 2016 00:48 - 54 minutes - 50 MB

#Anti-virus products... they have been around for as long as many of us have been alive. The first anti-virus program, "The Reaper", was designed to get rid of the first virus, 'The Creeper', by Ray Tomlinson in 1971. This week, we discuss the efficacy of anti-virus. Is it still needed? What should blue teamers be looking for to make their anti-virus work for them? And what options do you have if you don't want to use anti-virus? We also argue about whether it's just a huge industry selling ...

Twitter Mentions

@brakesec 156 Episodes
@boettcherpwned 151 Episodes
@bryanbrake 150 Episodes
@infosystir 142 Episodes
@k8em0 5 Episodes
@dianainitiative 4 Episodes
@alyssam_infosec 4 Episodes
@shehackspurple 4 Episodes
@bettersafetynet 4 Episodes
@securitysphynx 3 Episodes
@marcusjcarey 3 Episodes
@aprilwright 3 Episodes
@egyp7 3 Episodes
@_mg_ 3 Episodes
@malware_traffic 2 Episodes
@dalperovitch 2 Episodes
@rochelle 2 Episodes
@adamhjk 2 Episodes
@hackingdave 2 Episodes
@taosecurity 2 Episodes