Derbycon is probably one of the best infosec conferences of the calendar year. The podcast always has so much fun meeting listeners, meeting new people, and getting some audio to share with folks who can't be there.
This year, we still got some audio, and it's great. We talked with Cheryl Biswas (@3ncr1pt3d) with her talks at #Derbycon and her work with the #dianaInitiative Check out her talks at the links on @irongeek's website...
Cheryl's Track talk: ...
Interesting email from one of our listeners. Detailing an issue that came up on a client engagement. We walk through best ways to store information post-engagement, and what you need to do to document test procedures so you don't get bit by a potential issue perhaps months down the line.
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email email@example.com
Part 2 of our interview with Chris Hadnagy
Discuss more about his book,
best ways to setup your pre-text in an engagement
how you might read someone on a poker table
a great story about Chris's favorite person “Neil Fallon” from the rock band “Clutch”
and we talk about “innocent lives foundation”, something near and dear to Chris' heart.
We start the second part of our interview with Chris with the question “are the majority of your SE engagements phishing and calls, or is it...
Christopher Hadnagy Interview:
connoisseur of moonshine Social Engineering: The Science of Human Hacking 2nd Edition
Sponsored Link (paperback on Amazon): https://amzn.to/2NKxLD9
SEORG book list: https://www.social-engineer.org/resources/seorg-book-list/
Chris’ Podcast: https://www.social-engineer.org/podcast/
SECTF at Derby (contestants are chosen)
Remembering - attention to detail
Can be the difference between success and...
We are back with a new episode this week! We got over our solutions for some of the #derbyCon ticket #CTF challenges and include links to some of the challenges. We talk about Windows Event Forwarder, and all log forwarders seem to losing events!
Thanks to our Patrons!
Gonna be at Derbycon, come see us!
Congrats to our Derbycon Ticket CTF winners!
2nd Place: @ohai_ninja
3rd Place: @SoDakHib
Mr. Boettcher’s Challenge (SuperCrypto): ...
Official site: https://scoreboard.totallylegitsite.com (thanks Matt Domko (@hashtagcyber) for hosting and allowing us to use his employee discount!)
Please do not pentest the environment, not DDoS, nor cause anything undesirable to happen to the site.
View the page, submit the flags, leave everything else alone...
Derbycon Auction - starts September 8th at 9am Pacific Time
Slack only -
Opening bid is $175
Increments of $25 only
100% goes to Chris Sanders’ “Rural...
Brakesec Derbycon ticket CTF -
Drama - (hotel room search gate)
Ask for ID
Call the front desk
Use the deadbolt - can be bypassed
Plug the peephole with TP
Hotel rooms aren’t secure (neither are the safes)
Probably the most hostile environment infosec people go into to try and be...
Stories and topics we covered:
Join our #Slack Channel! Email us at firstname.lastname@example.org
or DM us on Twitter...
Sorry, this week's show took an odd turn, and we don't have much in the way of show notes... Ms. Berlin is recovering from knee surgery, and we wish her a speedy recovery.
Bryan B. got back from BsidesSPFD, MO this week, after what was a well-received talk on building community. Lots of other excellent talks from speakers like Ms. Sunny Wear , and impromptu panel with Ben Miller and a whole host of others,...
Ben Caudill @rhinosecurity
Spencer Gietzen @spengietz
Rhino Security - https://rhinosecuritylabs.com/blog/
AWS escalation and mitigation blog - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
What is the difference between this and something like Scout or Lynis?
Is it a forensic or IR tool?
How might offensive people use this tool? What is possible when you’re using this as a ‘redteam’ or ‘pentesting’ tool?
S3 bucket perms?
Raymond Evans - CTF organizer for nolacon and Founder of CyDefe Labs
CTF setup / challenges of setting up a CTF.Beginners & CTFsTypestips/tricksBiggest downfalls of CTF development
Area41 Zurich report
Book Club - 4th Tuesday of the month
TLS = Protocol
DHE = Diffie-Hellman ephemeral (provides Perfect Forward Secrecy)
Perfect Forward Secrecy = session keys won’t be compromised, even if server private keys are
Past messages and data cannot be retrieved or decrypted...
https://nostarch.com/packetanalysis3 -- Excellent Book! You must buy it.
ShowMe Con panel and keynote
SeaSec East standing room only. Crispin gave a great toalk about running as Standard user
Bsides Cleveland -
1Password version 7.1 integrates with Troy Hunt's "Pwned Passwords" service to check for passwords that...
Ms. Berlin’s mega tweet on protecting your network
Utica College CYB617
I tweeted “utica university” many pardons
Mr. Childress’ high school class
Laurens, South Carolina
Probably spent as much as a daily coffee at Starbucks… makes all the difference.
CTF Club, and book club (summer reading series)
Here are 50 FREE things you can do to improve the...
Ok I think these topics should keep us busy for a while. Topics for discussion:
Do hospitals have a free pass when being attacked? #OPJUSTINA https://nakedsecurity.sophos.com/2014/04/28/anonymous-takes-on-boston-childrens-hospital-in-opjustina/https://www.youtube.com/watch?v=eFVBz_ATAlU- when anonymous attacks your hospital
The oldest known vulnerability is still a big problem. Default passwords. Why haven't we fixed this yet?...