7MS #289: I'm Dipping My Toes in Windows Forensics
Two weird things happening in this episode: I'm not in the car, and thus not endangering myself and others while podcasting and driving! My once beloved lav mic made a trip through the Johnson family's washer and dryer. I don't know that she'll ever record anything again. We'll see once it fully dries out (fingers crossed). I spent some time this last week getting back into Windows systems forensics, which has been really fun. If you want a play-by-play guide with some fantastic, practical, hands-on advice, grab yourself a copy of the Blue Team Handbook: Incident Response Edition. I also started a forensics page on BPATTY. Also, I picked up a Google Home Mini for $30 and can honestly say it quickly has found a special place in my tech/geek heart...even if it is recording everything I say and sending it to the NSA. But a small device that will play Michael Buble's Christmas album as soon as I command it with my voice? Worth the privacy sacrifice. Finally, if you're in the St. Paul, MN area tomorrow and wanna hear me come talk about "Blue Team on a Budget," come to the Government IT Symposium - more info here.
7 Joulu 201713min
7MS #288: I'm BURPing a Lot
Sorry the podcast is late this week - but it's all for good reasons! I'm busy as a bee doing a ton of pentesting so I have a smattering of random security stuff to share with you: Mac High Sierra root bug Did you hear about this? Basically anybody could log in as user root on your system without a password because...there isn't a password! Read the Twitter thread where I originally read the news here, read about the root account madness here, and then read how the fix broke file sharing here. BPATTY ROCKS! I tried to wiki-fy my BPATTY project to make it a bit easier to read, so head to bpatty.rocks and let me know what you think! I'm BURPing a lot I can't tell you how fun it has been to get back in the pentesting saddle and hack some Web sites these past few weeks. Here are a few tips/tricks others taught me that have helped me get back in the swing of things: In Burp, state files are being depreciated in favor of project files. Read more here For BApp extensions, here are a few that help you get the job done: retire.js looks for old/outdated/vulnerable Javascript libraries Software vulnerability scanner helps you find vulnerable software, such as old versions of IIS CO2 has a bunch of tricks up its sleeve - my favorite of which is helping you craft sqlmap commands with the right flags More on today's show!
1 Joulu 201714min
7MS #287: Introducing 7 Minute Security LLC
Well, after over-teasing this last week, I'm excited to announce that I've started my own company! 7 Minute Security, LLC gives me an outlet to do all my favorite infosec stuff, such as: Network assessments Vulnerability scanning Penetration testing Training Public speaking I welcome you to check out 7MinSec.com for more information. Or 7MinuteSecurity.com or SevenMinuteSecurity.com. Collect 'em all! What does this mean for the podcast? Nada - I'll keep cranking it out. Maybe we'll cover a few more business related topics (people have asked about how to get an LLC off the ground, so I might do an episode or two on that), but otherwise everything's the same! What about the Patreon project? Because I've been blessed with this opportunity - which will in turn help me keep the 7MS lights on - the Patreon campaign will close down soon. For you lovely Patreons, I've sent you a message (via Patreon site and via email) with more details.
22 Marras 201712min
7MS #286: The Quest for Critical Security Controls - Part 3
We're continuing to hammer on the CSCs again this week. Here's some rad resources that can get your CSC efforts in the right direction: CIS Implementation Guide for SMEs CIS Cybersecurity quarterly newsletters Netdisco lets you locate machines by MAC or IP, show the corresponding switch port, and disable it if necessary. Defensive Security Handbook isn't specifically mapped to CSCs but offers great advice to tie into them. Open-Audit tells you what's on your network, how it's configured, and when it changes.
16 Marras 20179min
7MS #285: The Quest for Critical Security Controls - Part 2
Nothing to do with security, but I've heard this song way too much this week. I love the CIS Controls but it seems like there isn't a real good hands-on implementation guide out there. Hrmm...maybe it's time to create one? Speaking of that, check out the MacMon project and chat with us about it via Slack. After hearing rave reviews about Fingbox (not a sponsor), I picked one up (~$120) and wow, I'm impressed! It's got a lot of neat features that home users and SMBs would like as it related to mapping to CSC #1: Ability to map network devices to users to create an inventory Email alerts for new devices that pop up on the network Block unwanted users from the app, even when not directly connected to the LAN Nice set of troubleshooting tools, such as wifi throughput test, Internet speed test, and port scanning of LAN/WAN devices More on today's show...
9 Marras 201712min
7MS #284: The Quest for Critical Security Controls
For a long time I've been electronically in love with the Critical Security Controls. Not familiar with 'em? The CIS site describes them as: The CIS Controls are a prioritized set of actions that protect your critical systems and data from the most pervasive cyber attacks. They embody the critical first steps in securing the integrity, mission, and reputation of your organization. Cool, right? Yeah. And here are the top (first) 5 that many organizations start to tackle: Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software Continuous Vulnerability Assessment and Remediation Controlled Use of Administrative Privileges Google searches will show you that you can definitely buy expensive hardware/software to help you map to the CSCs, but I'm passionate about helping small businesses (and even home networks!) be more secure, so I'm on a quest to find implementable (if that's a word?) ways to put these controls in place. I'm focusing on control #1 to start, and I've heard great things about using Fingbox (not a sponsor) to get the job done, but I'm also exploring other free options, such as nmap + some scripting magic. More on today's episode...
2 Marras 201712min
7MS #283: OFF-TOPIC - I Love Cops and COPS
My plans for this week's podcast went hush-hush, kablooie, bye-bye, see ya, adios. So, I'm pinch-hitting and going off-topic and talking about...of all things...cops. Now wait! Wait wait! Don't run away. I'm not going all political on you or anything like that. Just wanna share some anecdotes and perspectives on the following: What it was like growing up with a dad who was a cop Losing a cousin in the line of duty Getting a call from my local police department this week claiming I was a danger to a school bus full of kids. Whaaaaa? Oh, and I sing a little bit on this episode too.
27 Loka 201718min
7MS #282: A Peek into the 7MS Mail Bag
I'm gonna level with you: it's been a heck of a week. So I thought I'd try something a little different (and desperate?) and use this episode to answer some FAQs that come in via email and Twitter DM. Today's burning questions include: Q: Do I think it's dangerous to podcast and drive? A: Not really, especially now that I got one of these babies. Q: What is the eJPT cert all about? A: It looks like a pentest training/cert path that sits somewhere (difficulty wise) between CEH and OSCP. It's favorably reviewed and will set you back a few hundred dollars. Have you taken this cert? I'd love your feedback and, if possible, to do a mini Skype interview with you for the show. Drop me a note and lets chat. Q: What's a good place to practice Web hacking skills online? A: I've been a long time fan of Juice Shop, and up next in my queue is HackTheBox. Q: Any more Vulnhub.com VMs in the works? A: Kinda. Listen to today's episode :-)
19 Loka 201711min
