Pwned: The Information Security Podcast

37 Episodes

Reverse

AppSec Authentication Requirements

2019-06-1700:08:51

Sponsor: https://www.nuharborsecurity.comContact Me: https://justinfimlaid.com/contact-me/Twitter: @justinfimlaidLinkedIn: https://www.linkedin.com/in/jfimlaid/

Winnti Malware for Linux

2019-06-1000:04:57

Sponsor: https://www.nuharborsecurity.comContact Me: https://justinfimlaid.com/contact-me/Twitter: @justinfimlaidLinkedIn: https://www.linkedin.com/in/jfimlaid/

APT10 Update

2019-06-0300:05:57

Ohio’s Data Protection Act

2019-05-2800:08:34

Important Links:More Info: https://www.nuharborsecurity.com/4-things-to-know-about-the-ohio-data-protection-act/State of Ohio Data Protection Act Law Text: https://www.legislature.ohio.gov/legislation/legislation-documents?id=GA132-SB-220IAPP Analysis (by Katelyn Burgess): https://iapp.org/news/a/analysis-ohios-data-protection-act/What is the Ohio Data Protection Law (by Jenna Kersten): https://kirkpatrickprice.com/blog/what-is-the-ohio-data-protection-act/Sponsor: https://www.nuharborsecurity.comContact Me: https://justinfimlaid.com/contact-me/Twitter: @justinfimlaidLinkedIn: https://www.linkedin.com/in/jfimlaid/

SHA-1 Collision Attacks Explained

2019-05-2000:14:42

Important Links:SHA-1 Collision Explanation Page: https://shattered.io/Malicious Hashing: Eve’s Variant of SHA-1 https://link.springer.com/content/pdf/10.1007%2F978-3-319-13051-4_1.pdfFinding SHA-1 Characteristics: General Results and Applications: https://link.springer.com/chapter/10.1007%2F11935230_1Sponsor: https://www.nuharborsecurity.comContact Me: https://justinfimlaid.com/contact-me/Twitter: @justinfimlaidLinkedIn: https://www.linkedin.com/in/jfimlaid/

Vulnerability Management and Patching

2019-05-1400:17:44

Show Notes: https://www.nuharborsecurity.com/building-a-vulnerability-management-program-with-the-end-in-mind/Sponsor: https://www.nuharborsecurity.comContact Me: https://justinfimlaid.com/contact-me/Twitter: @justinfimlaidLinkedIn: https://www.linkedin.com/in/jfimlaid/

Getting started with NIST Cybersecurity Framework

2019-05-0600:12:44

Show Notes: https://justinfimlaid.com/quickstart-building-a-security-program-with-the-nist-cybersecurity-framework/hSponsor: https://www.nuharborsecurity.comContact Me: https://justinfimlaid.com/contact-me/Twitter: @justinfimlaidLinkedIn: https://www.linkedin.com/in/jfimlaid/

Penetration Testing or Red Teaming?

2019-04-2900:08:16

Show Notes: https://www.nuharborsecurity.com/red-teaming-vs-penetration-testing/Sponsor: https://www.nuharborsecurity.comContact Me: https://justinfimlaid.com/contact-me/Twitter: @justinfimlaidLinkedIn: https://www.linkedin.com/in/jfimlaid/

As Facts Change So Does My Opinion

2019-04-2200:07:14

Sponsor: https://www.nuharborsecurity.comContact Me: https://justinfimlaid.com/contact-me/Twitter: @justinfimlaidLinkedIn: https://www.linkedin.com/in/jfimlaid/My opinion ofsecurity has changed. We are not keeping up. Companies keep getting breached.First things first,the idea and concepts of security have been around for a while. In the most general terms, truth is we havesenior industry and junior skill set. Our collectiveindustry is not helping us be better. Security product companies are coming to the market with new halfsolutions and big marketing budgets. Advisory companies are coming to the table with new buzzwords and hollowconcepts. And "thoughtleaders" and "trusted advisors" are still trying to figure thisout, and probably not giving the best advice yet. All these things take our collective eye offthe ball, cause us to loose focus, and distract us from doing well at securityfundamentals.For those listeningto this unfamiliar with our space, here's some examples what we're dealingwith:People failing to understand that IT Operations and security are completely different disciplines. It's like building a house, you need someone to lay out the blueprint, someone to pour the foundation, someone frame house, someone to do the electricity, someone to the plumbing. These are not the same people. IT Operations and IT Security professionals are not the same people. If you want your house built to code like you want good security hygiene you should hire a security professional.Accounting firms pretending internal controls translates to good security operations. This is a problem. Internal control is destination, but you need a map and relevant mechanism of transport to get to you destination. While I'm sure there are some accountants who play in security, articulating the map and which vehicle to use can be a problem and due to CPA independence rules they are sometimes prohibited from providing tactical guidance.Value added resellers (VAR's) being incentivized to push one product over another. I'm pretty sure I'm going to get some hate mail from this, but I don't think anyone would disagree that vendors and resellers push products to maximize their fiscal standing versus seeking best of breed when it might not be the companies best interest. This creates a ton of confusion in security and really muddies the water, when this happens the only objective measure is price…which is always a bad space to be.Those are someexamples, but it's not all bad. We needstay focused though. In order for our security industry to get better we needget back to basics of good security hygiene. I admit this is easier said than done, its going to take time to getthere. Until we do this we can’t startto think about automation because if you do crappy security and automate it,security automation will allow you just do crappy security faster. You don't need blockchain, if you don'tbelieve it do some research in European Election Security…they use goodold-fashion asymmetric encryption. Ifyou're getting started, or need a realignment go back the fundamentals, goodpolicy, good security architecture, good security hygiene of accounts,etc. When you've done this, thenhopefully you have a good handle on requirements for security technology andyou have the expertise on how the technology should work in your environment.

The Open Banking Directive and Application Security

2019-04-1600:07:10

Show Notes: https://www.nuharborsecurity.com/open-banking-directive-and-securing-web-application-vulnerabilities/Sponsor: https://www.nuharborsecurity.comContact Me: https://justinfimlaid.com/contact-me/Twitter: @justinfimlaidLinkedIn: https://www.linkedin.com/in/jfimlaid/Application Security Checklist for Web Applications and API's. Also @ NuHarbor Security.I have not seen an Open Banking Web Application Checklist, so hopefully this is a good starting point for some.1.Ensure HTTPS: This one is pretty simple but HTTPS protects authentication credentials in transit for example passwords, API keys, or JSON Web Tokens. It also allows clients to authenticate the service and guarantees integrity of the transmitted data.2. Security Tokens: There seems to be a convergence toward using JSON web tokens as the format for security tokens. JSON web tokens are JSON data structure containing a set of claims that can be used for access control decisions. If you are looking for more on JSON formats, here's a good starting point.3. Access Control:Non-public rest services must perform access control at each API endpoint. Web services in monolithic applications implement this by means of user authentication, authorization of logic in session management. To this right at scale, user authentication should be through a centralized Identity Provider which issues their own tokens.4. Input Validation:Anyone developing for a while knows this is a requirement. If you don't sanitize inputs your application days are numbered. Contact me if you want the full-list on this one.5. Restrict HTTP Methods:Apply a whitelist of permitted HTTP Methods (e.g. GET, POST, PUT) and make sure the caller is authorized to use the incoming HTTP method on the resource collection, action, and record. Leverage 405's when rejecting all requests not matching the whitelist.6. API Keys:APIKeys can reduce the impact of denial of service attacks. However, when theirissue to third-party clients, they are easy to compromise. There are a couple things you can do tomitigate security risks including require API keys for every request to theprotected endpoint. You can also returning a 429 message "too manyrequests" if the volume of requests are to high. Do not rely solely on APIkeys to protect high-value resources.7. Validate Content Types:Arest request a response body should match the intended content type in theheader. Otherwise this can cause misinterpretation at the consumer/producerside lead to code injection/execution. Some additional things to think about:Validate Request Content TypesSend Safe Response Content Types8. Manage Endpoints: There is a couple things you can do to securely manage your end points. Avoid exposing your management and points by way of the Internet. If your management and points must be accessible to the Internet, make sure that all users authenticate using strong authentication mechanisms such as multi factor authentication. Security by obscurity is not always a good strategy, but exposing management endpoints by way of different HTTP ports or host on different/restricted subnets can also reduce some risk. Lastly restrict access to these endpoints by firewall ACL's.9. Error Handling:Keep error message is generic in nature. Try to avoid revealing details of any and all failures when necessary. This will help prevent giving the potential attackers the information they need to game the system or perform a secondary attack with the new information.10. Security Headers:This one is sometimes overlooked, but to make sure the content of the given resources is interpreted correctly by the browser, the server should always send the "content-type" header with the correct content type, and preferably the "content-type" header should include a charset. The server should sent the "X-Content-Type-Options: nosniff" security he...