A conversation with Justin Seitz

In this brand new edition of the Exploring Information Security podcast, I have a conversation with Justin Seitz (@jms_dot_py).

When I have guests hop on the podcast, I usually try to break the ice a little and get them warmed up for the episode. Oftentimes these can turn into some really good conversations about the infosec field. I'd like to start capturing those conversations and releasing them (with the person's permission), because there are some really great insights.

I've released this episode early to the people on my newsletter (check below to get in on the fun). I wanted to get feedback and also give people who sign up some bonus content, which is something I hope to do more of.

In this episode we discuss:

  • My unique role working with other departments
  • Report writing and dealing with awful reports
  • Similarities between the developer boom and the security boom

Why container security is important - Part 2

In this shipped edition of the Exploring Information Security podcast, Wes Widner joins me to discuss container security.

Wes (@kai5263499) is not a security person. He is a developer. A developer that understands security and why it's important. He deals a lot with automation and working with container technology.

In this episode we discuss:

  • What are some of the other security considerations?
  • Who should secure containers?

Why container security is important - Part 1

In this shipped edition of the Exploring Information Security podcast, Wes Widner joins me to discuss container security.

Wes (@kai5263499) is not a security person. He is a developer. A developer that understands security and why it's important. He deals a lot with automation and working with container technology.

In this episode we discuss:

  • What are containers?
  • What are the different kind of containers?
  • What is Wes' experience with containers?
  • What are the big security concerns?

What is Hunchly?

In this screenshot edition of the Exploring Information Security podcast, Justin Seitz joins me to discuss Hunchly.

Justin (@jms_dot_py) is the creator of Hunchly. I got to know Hunchly at SANS SEC487 OSINT training earlier this year. It's a fantastic tool that takes screenshots as the web is browsed. This is very useful for investigations involving OSINT. I'm also finding it useful for incident response, particularly for clicking on phishing pages. I sometimes forget to take screenshots as I'm investigating a phishing page. Having Hunchly means I don't have to worry about taking screenshots. I then use the screenshots for reports and training. It's a really useful tool.

In this episode we discuss:

  • What is Hunchly?
  • How did Hunchly come about?
  • Who should use Hunchly?
  • What is the cost of Hunchly?

How to make a Burp extension

In this crafting episode of the Exploring Information Security podcast, Paul Johnston, Customer Champion at PortSwigger, joins me to discuss how to make a Burp extension.

Paul (@paulpaj) wrote a blog post on how to make a successful Burp extension and get it published in the BApp Store. A lot of the recommendations in the article come from Paul's experience handling extension submissions for the BApp Store.

In this episode we discuss:

  • What is the process for extension approval?
  • What is Burp Suite?
  • How does someone make an extension?

How to handle CFP rejection(s)

In this refused episode of the Exploring Information Security podcast, Michael Kavka joins me to discuss how to handle call for presentation rejections.

Michael (@SiliconShecky) wrote a blog post on his site at the beginning of the year titled "It is CFP season... So what." In the article he hit on rejections, and I thought it'd make for a great podcast topic. More recently, he wrote a blog post titled "Anatomy of a Rejected CFP." The article walks through his rejected CFP for DerbyCon.

In this episode we discuss:

  • What is Michael's experience in submitting CFPs?
  • Why a CFP is rejected
  • What are the different types of cons?
  • How to handle a CFP rejection letter

How to create a phishing email - Part 2

In this expedition edition of the Exploring Information Security podcast, Chris Maddalena, a senior security consultant, joins me to discuss how to create a phishing email.

Chris (@cmaddalena) joins me to discuss crafting a phishing email. This is something I've recently explored at work. Having little to no experience actually crafting a phish, I decided I'd go to someone who does this on a regular basis. Check out Chris' ODIN tool for automating intelligence gathering, asset discovery, and reporting.

In this episode we discuss:

  • What are the technical steps to creating a phish?
  • What needs to be considered from a technical standpoint?
  • What are GoPhish and GoReporter?
  • How important is timing?

How to create a phishing email - Part 1

In this expedition edition of the Exploring Information Security podcast, Chris Maddalena, a senior security consultant, joins me to discuss how to create a phishing email.

Chris (@cmaddalena) joins me to discuss crafting a phishing email. This is something I've recently explored at work. Having little to no experience actually crafting a phish, I decided I'd go to someone who does this on a regular basis. Check out Chris' ODIN tool for automating intelligence gathering, asset discovery, and reporting.

In this episode we discuss:

  • What you need to consider before creating a phish.
  • Where to get phishing ideas.
  • Where to get phishing templates.
  • What happened when accounting sent out an email.

What is OSINT ORCS YOGA?

In this battlefield edition of the Exploring Information Security podcast, Micah Hoffman joins me to discuss OSINT ORCS YOGA.

Micah (@WebBreacher) is a SANS instructor and author of the SEC487 OSINT course. He recently had his second class in Denver, Colorado (more dates here). During that class he found people asking how to navigate the waters of OSINT resources. His solution was to start the OSINT Resource Classification System (ORCS). It's a call for the OSINT community to standardize how resources are categorized. YOGA, or Your OSINT Graphical Analyzer, is meant to be a visual aid for people looking to navigate the streets of OSINT resources.

In this episode we discuss:

  • How SANS SEC487 is coming along
  • What is YOGA?
  • What is ORCS?
  • Why is ORCS YOGA important?

How to implement GDPR - Part 2

In this 2k-like edition of the Exploring Information Security podcast, Stuart Scott, AWS Content Lead at Cloud Academy, and George Gerchow, Chief Security Officer at Sumo Logic, join me to discuss how to implement GDPR.

Stuart (@Stuart_A_Scott) and George (@georgegerchow) have both contributed content to Cloud Academy on GDPR. Stuart has a nine-hour course on using AWS compliance-enabling services. George has done a webinar and written an article on the topic. Both are well spoken and highly informed on the topic. They provide a lot of good direction for anyone looking to account for GDPR in their organization (pro tip: everyone should be looking into this).

In this episode we discuss:

  • How to implement GDPR in AWS
  • What are subject data rights?
  • How other regulations are impacted
  • What's ahead for GDPR

How to implement GDPR - Part 1

In this 2k-like edition of the Exploring Information Security podcast, Stuart Scott, AWS Content Lead at Cloud Academy, and George Gerchow, Chief Security Officer at Sumo Logic, join me to discuss how to implement GDPR.

Stuart (@Stuart_A_Scott) and George (@georgegerchow) have both contributed content to Cloud Academy on GDPR. Stuart has a nine-hour course on using AWS compliance-enabling services. George has done a webinar and written an article on the topic. Both are well spoken and highly informed on the topic. They provide a lot of good direction for anyone looking to account for GDPR in their organization (pro tip: everyone should be looking into this).

In this episode we discuss:

  • Why am I getting all these privacy update emails?
  • What is GDPR?
  • How to implement GDPR?
  • What are Data Processing Addenda?

How to crack passwords

In this crackerjack edition of the Exploring Information Security podcast, Sean Peterson of Parameter Security joins me to discuss password cracking.

Sean (@SeanThePeterson) is one of the most passionate infosec people you don't know. He recently gave a talk at ShowMeCon on how to crack passwords. It was his first ever talk and pretty damn good. Sean joined me to share his insights into password cracking.

In this episode we discuss:

  • What type of hardware is needed for password cracking?
  • What types of attacks are used for password cracking?
  • How to crack passwords
  • What's ahead for password cracking?

What is the General Data Protection Regulation (GDPR)?

In this European edition of the Exploring Information Security podcast, Cliff Smith of Parameter Security joins me to discuss the General Data Protection Regulation (GDPR).

Cliff (@BismthSalamandr) recently gave a talk at ShowMeCon on GDPR and why everyone should care. It's a really good talk and a great primer if you haven't dug into GDPR yet (you should). Cliff is a recovering lawyer, so he provides a different angle than your typical security professional.

In this episode we discuss:

  • What is GDPR?
  • Why it could change
  • Why it's important
  • Who it impacts

How to talk to developers

In this chatty edition of the Exploring Information Security podcast, AppSec Nerd Tanya Janca joins me to discuss how to talk to developers.

Tanya (@shehackspurple) is a former developer turned security person. She speaks regularly at conferences around the globe. Her topics often focus on working with developers to improve security, which is something I believe in. She's a project lead for OWASP DevSlop.

In this episode we discuss:

  • Why working with the developers is important
  • How to talk to developers
  • What are the benefits of working with developers?
  • What are the top recommendations for talking to developers?

ShowMeCon 2018 Live

In this panelist episode of the Exploring Information Security podcast, it's the first ever podcast panel at ShowMeCon 2018!

Amanda Berlin (@InfoSystir), Wik (@jaimefilson), David Cybuck (@dpcybuck), April Wright (@aprilwright), and Dave Chronister (@bagomojo) join me on the live EIS panel at ShowMeCon, June 7, 2018. This is the first panel I've ever done for the podcast. It went so well, I hope to do more in the future. We cover a variety of topics and have a few laughs.

YouTube version

In this episode we discuss:

  • What's coming back in vogue
  • What to do with master ID
  • What our thoughts are on new password policies from NIST
  • How to handle best practices

How to achieve security awareness through social engineering - Part 2

In this ranty edition of the Exploring Information Security podcast, Jayson E. Street joins me to discuss how to achieve security awareness through social engineering.

Jayson (@jaysonstreet) is the VP of Information Security at Sphereny. He and April Wright (@aprilwright) are doing training at both Black Hat and DerbyCon on how to achieve security awareness through social engineering. The training focuses on helping blue team members set up effective security awareness programs.

In this episode we discuss:

  • How to communicate with executives
  • Why we need to empower users
  • What happens when Jayson plays video games
  • Why shock value is important

How to achieve security awareness through social engineering - Part 1

In this ranty edition of the Exploring Information Security podcast, Jayson E. Street joins me to discuss how to achieve security awareness through social engineering.

Jayson (@jaysonstreet) is the VP of Information Security at Sphereny. He and April Wright (@aprilwright) are doing training at both Black Hat and DerbyCon on how to achieve security awareness through social engineering. The training focuses on helping blue team members set up effective security awareness programs.

In this episode we discuss:

  • Why security awareness is important
  • What our own experience is with training people
  • What's in the training
  • How to communicate effectively

What's happening at Converge and Detroit BSides?

In this pile of an episode for the Exploring Information Security podcast, Johnny Xmas (@J0hnnyXm4s), Kate Vajda (@vajkat), Rachel Andrus, Kyle Andrus (@chaoticflaws), Daniel (not going to try spelling last name), Amanda Ebbutt, Daniel Ebbutt (@notdanielebbutt), Chris Maddalena (@cmaddalena), and myself get together to record a podcast during Converge and BSides Detroit.

It's another podcast special! This one was recorded at Converge and BSides Detroit. It took a little bit to get going, but once it did we got into a little bit of everything, with topics both inside and outside of infosec.

In this episode we discuss:

  • Everyone tries Malort
  • The "breach" at Twitter
  • One size doesn't fit all for the populace
  • Real world issues (net neutrality, income, and public service)

Why mental health is important

In this mindful episode of the Exploring Information Security podcast, Amanda Berlin joins me from Converge and BSides Detroit this past week to talk about mental health.

Amanda (@InfoSystir) gave a keynote at Converge last week. The topic: mental health. It's a great talk and something I recommend people watch. Mental health is very important in our field. A lot of us were bullied coming up through school. Others grew up in awful environments. We've gotten past those challenges to become successful information security professionals. There are still scars, however, and if we don't identify and address them, they will lead to unhealthy actions, especially since we are in a high-stress field that is overwhelmed.

We need to have an open dialogue about mental health and the downside of having poor mental health. We need to share ideas on how to better address our states of mind. Often we feel alone. We are not. If you feel like you are in a bad place mentally, there are resources that can help. Call a hotline (1-800-273-8255). Do a Google search. There are people who can help: family, friends, or mentors. You matter.

In this episode we discuss:

  • Why talking about mental health is important
  • What experience we've had
  • How we handle our own mental state
  • How others are handling their mental state

What are bug bounty programs?

In this hunting edition of the Exploring Information Security podcast, Keith Hoodlet of Bugcrowd joins me to discuss bug bounty programs.

Keith (@andMYhacks) is a solutions architect at Bugcrowd. He's also the co-host of Application Security Weekly. While Keith works at Bugcrowd, he also has a lot of experience participating in bug bounty programs. Check out his website AttackDriven.io.

In this episode we discuss:

  • What are bug bounty programs?
  • Who are security researchers?
  • Who is running the bug bounty program?
  • When should an organization implement a program?
