What are BEC attacks?

In this phishy edition of the Exploring Information Security podcast, Steve Ragan of CSO joins me to discuss business email compromise (BEC) attacks.

Steve (@SteveD3) has been covering BEC types of attacks for the past year at CSO. These types of attacks are increasing. It may get worse with GDPR requirements next month. This ended up being one of the more difficult podcasts to get scheduled. Steve and I had to cancel on each other a few times because of phishing related stuff.

In this episode we discuss:

  • What are BEC types of attacks?
  • Who is performing BEC attacks?
  • How are people falling for them?
  • What can people do protect against this type of attack?

How to prepare for an infosec interview

It's another solo episode! Next weekend I will be at BSides Nashville. Among the many other things I am slated to do, I am helping out with resume/interview workshop. As preparation for the workshop I put together a list of interview questions I intend to use.

I put out a tweet asking for interview questions from the Twitter community. I got back some really good questions. As I was putting the list together I decided this would make a great podcast. Preparing for an interview is very important. I increased my offer rate significantly once I started preparing for interviews. Prior to that I always tried to wing them. I spent 15 months looking for a job at one point. I would get interviews, but failed to get offers.

Interviews are a nerve-racking process. Preparation provides more confidence and the ability to anticipate curve balls in an interview. Being prepared allows you to have more brain power when there is a question you didn't anticipate. When you're prepared, it shows. People tend to like candidates who are prepared. They can tell by how direct and decisive answers are to questions. There is one caveat to this. If your interview with someone as part of a network, there is more leniency in the interview.

Preparation

There are multiple ways to prepare for an interview. Figure out what works best for you. What I have below and in the podcast are what I've used to be successful in interviews.

Look at the job posting

Review the companies job posting and your resume before going into an interview. If you're doing resumes write you should have a different one for each job you apply to. Remembering which resume you submitted is important. Tie your experience to the job posting. This will help with answering the question in a way that shows you're a fit for the role.

Look for key words in the job posting that you might be asked about in the interview. If you're going for a role in a security operations center (SOC), be prepared to answer networking questions. If you're doing application security be prepared to answer development questions. If you're going for a penetration tester role be prepared to talk about attack techniques and your methodology. You get the idea.

Write out questions and answers on 3x5 index cards

I use the list of 31 common interview questions from the muse. I pick the ones that apply and write them down on 3x5 index cards. I then flip them over and write down my answers in one word or short sentence. This allows me to practice my answers to questions such as, "What's your greatest strength/weakness" or more technical questions like, "How does DNS work?"

Practice, practice, practice

Go over the questions you've collected. Read out loud the question and say out loud your answer. Flip over to see that you've hit on your main point. Do this over and over again. Do this again in the waiting room or in the car (if you've arrived early, which I recommend) on the day of the interview. That's the benefit of writing questions and answers on 3x5 index cards, they fit nicely in a coat pocket.

You will practice questions that don't get asked. There is no way for you to anticipate all the questions you'll be asked. Getting the common ones and the ones you think will be asked will make the interview go much smoother. The less brain power you have to spend on a question the more you have for the questions you didn't anticipate.

Physical preparation

  Go get a haircut and make sure you still fit into your interview clothes. If you've out grown a pair of slacks you'll need to go buy a new pair. Prior to the interview you can ask what is the dress expectation. A suit is standard and something I often go with. I also have a pair of khakis and a sports coat in case they want me to dress down. Have at least two sets of interview clothes for multiple interviews. Dressing in the same thing twice is not a good look.

I feel uncomfortable going to an interview in just a t-shirt or polo shirt, even if that's what was recommended. I know some interviewers in our industry care less about dress. I believe in over-dressing rather than under-dressing, though.

Extra preparation

I applied for a job once that described the role as I would my dream job. I did all my usual preparation above. I had two really good interviews and was slated for a third. The first two were phone interviews. The third was going to be in person. It was expected that I would interview with the CISO and a one or two other managers (it ended up being six).

I decided that I would put together a short slide presentation. I practiced going through the presentation as part of my answer. I also went to the print shop and had them print out three bound copies of the presentation. It cost me about $35. I took this to the interview. Two questions in when we started discussing my vision for the role, I handed out the bound copies of the presentation. I then walked through my vision for the role. I got an offer for that job and I'm happy to say I'm still in that role.

Wrap-up and resources

Preparation is so important for a job interview. I failed at it for a long time. Some people can wing an interview and get an offer. I am not one of those people. Once I took the time and made the investment into preparation, I increased my offer rate. I turned down other positions, because I had the confidence that a better offer was coming. 

Review the job posting. Tie it to your experience. Write down common questions and ones you think might be asked. Practice. Say your answers out loud. Do that over and over again until you can answer question confidently and concisely. Then practice some more. Make sure what you wear to the interview is ready before the day of the interview. Scrambling around for something presentable creates more anxiety and nervousness. Finally, consider putting a presentation together. $35 was a great investment.

Before I go here are some great resources around preparation:

Hope to see you at BSides Nashville!

How to build a malicious link clicker

In this clicking on that link episode of the Exploring Information Security podcast, Daniel Ebbutt and Kyle Andrus join me to discuss how to build a machine that is used to click on malicious links.

Daniel (@notdanielebbutt) and Kyle (@chaoticflaws) are two of the people I go to when I need to have a better understanding of what a malicious link does. They're passion for clicking on links is out of this world. They also provide some really good insights into the work of clicking on links most people shouldn't. I asked if they'd be willing to walk me through building out a machine that could help me do what they do. They kindly obliged and thus another open mic podcast is born.

In this episode we discuss:

  • How to click on a malicious link
  • What we can learn from clicking on a malicious link
  • What the best setup is for clicking on a malicious link
  • What to do with that information

Why contributing to the infosec community is important

In this giving back edition of the Exploring Information Security podcast, why contributing to the infosec community is important.

I'm taking a different approach to solo episodes and the podcast. I am going to blog about the solo episode before recording it. This will allow me to collect my thoughts. As a result of this, I hope, that it'll make the solo episode much more smoother. Usually, I write down some points and then just riff off that. Because I'd like to write more I figured this would be one way to improve quality of the podcast, while also providing some more elaborate show notes. With that, let's get to the topic at hand.

My origins as a contributor

When I started my IT career, I wasn't much of a contributor. I came in did my work and went home. In the evenings I played a lot of video games. Mostly, World of Warcraft and Counter-Strike mods like Day of Defeat. I raided. I played in competitive leagues. I had a lot of fun. I started college about a year after I got out of the Navy. I was doing it because I had the GI Bill and figured I might as well use it.

A few semesters in the government changed how the GI Bill worked. If I went back to school for six or more credit hours, I would not only get the courses covered, but also get basic housing allowance. College quickly became a part-time job. I bumped up from one class a semester to three. The wife and I started a family with our first child. Somehow I managed to balance work, school, a child, and my gaming habit.

In 2010, (for whatever reason) I started blogging about the Astros. A year later I started up a podcast for the site. I enjoyed the blogging and podcasting. At some point I explored the possibility of making a career out of my media arts degree. Things were fine at work, I just didn't really care for being a network administrator.

In 2012, I got my first opportunity to work in security. By this time I had realized that going into the media arts field would be a struggle for myself and my family. I still did the blog and podcast because I enjoyed it and was starting to make a little money from it ($100 a month). I would continue to do it until May 2015.

In November 2013 I went to my first BSides in Charleston.  I went with a buddy. He and I had such a great time going to the conference that nine months later we started our own local security user group in Columbia, SC called ColaSec. That was my first contribution to the infosec community.

Check that my second contribution was ColaSec. My first was this podcast. I produced seven episodes of EIS during the summer of 2014. I didn't release them to any podcast directory, because I wasn't sure I wanted to do it or not. I was still doing the Astros blogger/podcaster thing.

Check that again my third contribution was ColaSec, my second was the podcast, and my first was shooting pictures at BSides Nashville 2014. I've since shot several security conferences. You can check out my photography page for the conferences (plus some non-security events) I've shot.

In May 2015, I graduated from the University of South Carolina with a bachelors in Media Arts. I decided it was time to take the effort I was putting into the Astros and put it into the infosec field. By this time I realized infosec was where I wanted to be career wise. I was reading and listening to everything I could. ColaSec was becoming more and more popular. Another thing I realized was that blogging and podcast for the Astros opened up opportunities for me.

It allowed us to get interviews with players and front office personnel. Through these interviews we found out that people in the organization were reading our stuff. I even got to meet some of these people along with several of the writers on staff. I got to travel to Spring Training and ball parks. I got to know members of the media. I've been interviewed on TV, other podcasts, and been quoted in the Houston Chronicle. If I took that effort and applied it to my career similar opportunities were bound to happen. And that's what happened.

Why it's beneficial

Networking is one of the biggest benefits. Through shooting pictures, I've been able to get to know several conference organizers. Through the podcast I've gotten to know several infosec practitioners with something interesting to say. Through ColaSec I've gotten to know fellow peers and those looking to get into the industry. All these have led to getting to know other people in the industry.

I am in a dream job right now. That is a combination of knowing someone who I started the OWASP Columbia SC chapter with and knowing someone who helps organize BSides Nashville. The job I got previous to this one was because I meet the South Carolina state CISO at ColaSec. Networking with others in the industry is one of the best ways to land a new opportunity.

New skills is a result of networking with people. I have a large network of people I can go to if I have a question about something. Even when I don't have a question about something I'm learning new things by engaging with people. I'm learning about new techniques and tools. Speaking and teaching is a great way to solidify a learned topic. It can also help in day-to-day meetings where you have to present something.

Career advancement is the result of the benefits above. New opportunities led to new challenges. New challenges led to gaining new skills that help your progression as an infosec professional. I was hired into my current role, because of my contributions to the community. The development director I work with told me that what impressed him the most was my contribution section of the resume. I was volunteering at conferences. I was speaking. I was doing podcasts. Those impressed him more than anything else on my resume.

Contributing makes the community better. I've heard from several people about how the podcast helped them with a topic. I've heard that the con specials help humanize some of the high profile pros you see on Twitter or speaker circuit. How they seem more approachable now. I've been told my pictures help conferences get sponsors. ColaSec (my greatest contribution) has helped people get Security+ certified. It's helped people land jobs in our field. It's helped people get in front of others and teach something. It's helped people learn.

When we started ColaSec we expected to network with our peers in the field, around town. It turns out a lot of people showed up because they wanted to get into security. We also had people show up who didn't necessarily want to get in, but had an interest in security. We've had a couple developers show up because they believe security is important.

Contributing opens up a lot of opportunity. It also creates opportunities for others around us to get better.

How to get started contributing

Find something you're interested in that can add value to the infosec community. Shooting pictures and podcasting is something I enjoy doing. It makes contributing easier. I've also just simply volunteered at events. It's a great opportunity to feel special because you get a different color shirt and badge and get to walk in "restricted areas."

Speaking is a great way to contributor. Most conferences really really like first time speakers. I believe one of the reasons why I got to speak at DerbyCon in 2015 was because I was a "first time" speaker (BSides Augusta was actually my first time) and because I had EMET in my talk (Dave Kennedy loves EMET). I'm still learning as a speaker, because it's a tough skill to master. There are a lot of resources and people available to help someone get started.

I've seen people make a quilt that was auctioned off. The proceeds went to charity. Some people create music. Others put on capture the flag (CTF) events. Blogging is a great way to improve your writing skill and help research a topic. I find it strangely therapeutic and extremely satisfying when I finish. Speaking of, I've run out of ideas off the top of my head and I think you get the point.

Takeaway

Contribute to the infosec community. It can open up a lot of great opportunities for you and your career.

How to submit a presentation to a conference - Part 2

In this presented edition of the Exploring Information Security podcast, Dr. Jessica Barker joins me to discuss how to submit a presentation to a conference.

Jess (@drjessicabarker) runs the @cyberdotuk account on twitter and website. She's also the co-founder of Redacted Firm (@redactedfirm). She wrote an article last year that covered recommendations and tips for submitting to a conference Call for Papers (CFP). It all started with a tweet asking what's holding people back from submitting to a conference. Over 6,000 responses later there were a variety reasons, including "I don't know enough.' The article goes on to ask several organizers for their suggestions on submitting. In this podcast episode we dive into the article and much more.

In this episode we discuss:

  • How is someone supposed to navigate advice
  • How to submit a presentation to a conference
  • What resources are available
  • What should someone do if the don't get accepted to speak?

How to submit a presentation to a conference - Part 1

In this presented edition of the Exploring Information Security podcast, Dr. Jessica Barker joins me to discuss how to submit a presentation to a conference.

Jess (@drjessicabarker) runs the @cyberdotuk account on twitter and website. She's also the co-founder of Redacted Firm (@redactedfirm). She wrote an article last year that covered recommendations and tips for submitting to a conference Call for Papers (CFP). It all started with a tweet asking what's holding people back from submitting to a conference. Over 6,000 responses later there were a variety reasons, including "I don't know enough.' The article goes on to ask several organizers for their suggestions on submitting. In this podcast episode we dive into the article and much more.

In this episode we discuss:

  • How to get started submitting a CFP
  • Why submit a presentation to a conference
  • The different types of CFP review
  • What preparation is necessary

What is Social Engineering for the Blue Team?

In this building better relationships edition of the Exploring Information Security podcast, I discuss my new presentation and workshop content for this year, Social Engineering for the Blue Team.

I've already written a couple blog posts on the topic:

I've also created a GitHub page to track all my resources I intend to use in the presentation and training. The idea of the content is that we can use social engineering (like the red team) in our day-to-day interactions at work. We can use the same techniques to build better relationships and build better security mindsets in our organization. If you prefer soft skills.

In this episode I discuss:

  • What is social engineering for the blue team
  • How I came up with the idea
  • How can this be applied
  • What techniques we can use to build better relationships

What's happening in OSINT?

In this open edition of the Exploring Information Security podcast, I sit down with Micah Hoffman, Kerby Plessas, and Josh Huff to discuss Open Source INTelligence (OSINT).

Micah Hoffman (@WebBreacher) is a SANS instructor who will be teaching a brand new SANS course, SANS487: Open-Source Intelligence Gathering and Analysis.

Kirby Plessas (@kirbstr) runs her own training company Plessas Experts Network, Inc. There is an online training portal that you can use to learn more about OSINT.

Josh Huff (@baywolf88) is a Digital Forensics Private Investigator and OSINT addict. He runs the Learn All The Things website.

This is a new format for the podcast that I am trying out. It's a lot like the conference episodes I do: It's longer; I allow swearing; and there is no format or direction. I asked for OSINT questions on Twitter and got some pretty good ones back for people to answer. I can turn this into a live show that would allow for people watching to interact with the guests on the show. I need feedback on whether or not this of interest to people. Hit me up on Twitter (@TimothyDeBlock) or email (timothy[.]deblock[@]gmail[.]com)

In this episode we discuss:

  • Why it's important to automate OSINT
  • What tools are available for OSINT
  • Where does OSINT end and breaking the law begin?
  • Where can OSINT be used in an organization
  • How to get into OSINT
  • and much much more

More Resources:

How to become a social engineer - Part 2

In this social episode of the Exploring Information Security podcast, Chris Hadnagy joins me to discuss how to become a social engineer.

Chris (@humanhacker) is the Chief Human Hacker at Social-Engineer, Inc. He's the author of several social engineer books. He also has his own podcast. This past summer he announced the Innocent Lives Foundation, which has the objective of unmasking anonymous online child predators through OSINT and relationships with law enforcement. He is a social engineering Hulk in the field of information security.

In this episode we discuss:

  • How to practice to become a social engineer
  • What is toastmasters
  • What college courses can help
  • What resources are available.

How to become a social engineer - Part 1

In this social episode of the Exploring Information Security podcast, Chris Hadnagy joins me to discuss how to become a social engineer.

Chris (@humanhacker) is the Chief Human Hacker at Social-Engineer, Inc. He's the author of several social engineer books. He also has his own podcast. This past summer he announced the Innocent Lives Foundation, which has the objective of unmasking anonymous online child predators through OSINT and relationships with law enforcement. He is a social engineering Hulk in the field of information security.

In this episode we discuss:

  • What is social engineering
  • What skills are needed to become a social engineer
  • How much of social engineering is experience
  • What tools are used for social engineering

How to hack iOS - Part 2

In this fruity episode of the Exploring Information Security podcast, Wes Widner joins me to discuss how to hack iOS.

Wes (@kai5263499) is a cloud engineer, who loves to dig into Apple product security. Last year (and on a previous episode) he discuss how Macs get malware. He's back again this year to discuss how to hack iOS. He will be speaking at BSides Hunstville February 3, 2018. If you have a chance to go, be sure to check out his talk. Also, check out is OSX security awesome list on GitHub. It's a really useful set of links on This dude is really smart.

In this episode we discuss:

  • Are we talking NSA level hacking?
  • What tools are available for hacking iOS
  • What resources are available for hacking iOS

More resources:

How to hack iOS - Part 1

In this fruity episode of the Exploring Information Security podcast, Wes Widner joins me to discuss how to hack iOS.

Wes (@kai5263499) is a cloud engineer, who loves to dig into Apple product security. Last year (and on a previous episode) he discuss how Macs get malware. He's back again this year to discuss how to hack iOS. He will be speaking at BSides Hunstville February 3, 2018. If you have a chance to go, be sure to check out his talk. Also, check out is OSX security awesome list on GitHub. It's a really useful set of links on This dude is really smart.

In this episode we discuss:

  • What is his talk about?
  • What's the difference between application and device hacking
  • What skills are needed to hack iOS
  • How Apple works with law enforcement

More resources:

What is Converge and BSides Detroit?

In this Motor City edition of the Exploring Information Security podcast, Ryan Harp, Kyle Andrus, and Kate Vajda join me to discuss the conferences Converge and BSides Detroit.

Ryan (@th3b00st), Kyle (@chaoticflaws), and Kate (@vajkat) help put on one of the best conferences. Last year was my first year at the conference. I was not disappointed. They had a workshop on application security; a room set aside to get resume feedback; Ham radio exams; and much more. They also had three days of wonderful talks with some really great speakers. At lunch there are multiple treks to go grab a coney dog.

The call for papers is currently open. They're looking for speakers and to add more workshops this year. Tickets are also available now. Make sure to grab yours and I'll see you at Converge and BSides Detroit May 10-12.

In this episode we discuss:

  • How the conference got started.
  • Where the conference is at and what's new this year for the layout.
  • What's unique about the conference.
  • Coney dogs.

How to build an AppSec Pipeline

In this foundational episode of the Exploring Information Security podcast, Matt Tesauro and Aaron Weaver join me to discuss the AppSec Pipeline.

Matt (@matt_tesauro) and Aaron (@weavera) are the project leads for the OWASP AppSec Pipeline. The project provides resources and guidance for building out your own appsec pipeline within a development team. Building a pipeline is important in helping get security embedded within software.

In this episode we discuss:

  • What is the OWASP AppSec Pipeline
  • How did it get started
  • Who should use the AppSec Pipeline
  • How to implement the AppSec Pipeline

What's ahead for the Exploring Information Security podcast in 2018

In this reflection edition of the Exploring Information Security podcast, I look back at 2017 and also look ahead to 2018 for the podcast.

2017 was a great year for the podcast. I saw increased listernership. We had a new episode format that involved talking to several security professionals at various conferences. I've also seen an increase in companies and public relation firms reaching out to me to pitch guests. In 2018 I'd like to explore some new formats. There may be a conference panel in the future. I also expect to look at advertising and sponsorship for the podcasts. I also need to work on an archive feed for older episodes.

If you have feedback on any of this or ideas for where I should take the show, I would love to hear them. You can hit me up on Twitter (@TimothyDeBlock), email: timothy.deblock[@]gmail[dot]com, or by leaving a comment below. Thanks for such a great year and I look forward to a fantastic 2018.

How to overcome imposter syndrome

In this fake episode of the Exploring Information Security podcast, Micah Hoffman joins me to discuss imposter syndrome.

Micah (@WebBreacher), this past year, spoke on imposter syndrome and how to overcome it. It's something we all deal with (even several years into our careers). It's useful, but also dangerous for those of us in the information security community. We need to try and compare ourselves to others less and speak more positively internally.

In this episode we discuss:

  • What is imposter syndrome?
  • Why people get imposter syndrome.
  • How to overcome imposer syndrome.
  • Stick around until the end to hear some real imposter syndrome.

What is the Rural Technology Fund?

In this non-profit edition of the Exploring Information Security podcast, Chris Sanders joins me to discuss the Rural Technology Fund.

Chris (@chrissanders88) grew up at a disadvantage. He wasn't rich or handed a great educations. He speaks of being part of the free lunch kids at school. He's managed to turn himself into a successful information security professional, with his own company and non-profit. A lot of that is due to his teachers and mentors encouraging his interest in computers. The Rural Technology Fund is a way for him to give back and give other kids an opportunity to see if they have a spark for technology.

In this episode we discuss:

  • What is the Rural Technology Fund?
  • How it got started.
  • How people can apply for funding.
  • How people can contribute.

Ways to donate can be found at their website. Also, make sure to pick them as your charity for Amazon Smile.

How to build your own tools - Part 2

In this bird feeding episode of the Exploring Information Security podcast, Chris Maddalena joins me to discuss how to build your own tools.

Chris (@cmaddalena) gave a talk at DerbyCon this past year on writing Win32 Shellcode. We've talked before on a previous podcast around why building your own tools is important. Chris has also written several tools for his day job and for public consumption. His most recent tool is ODIN, a passive recon tool for penetration testers.

In this episode we discuss:

  • Why should someone build their own tool
  • What tool should people build?
  • How to get started building tools
  • What resources are available for building tools

How to build your own tools - Part 1

In this bird feeding episode of the Exploring Information Security podcast, Chris Maddalena joins me to discuss how to build your own tools.

Chris (@cmaddalena) gave a talk at DerbyCon this past year on writing Win32 Shellcode. We've talked before on a previous podcast around why building your own tools is important. Chris has also written several tools for his day job and for public consumption. His most recent tool is ODIN, a passive recon tool for penetration testers.

In this episode we discuss:

  • Why should someone build their own tool
  • What tool should people build?
  • How to get started building tools
  • What resources are available for building tools

What is the Orange Team?

In this colorful edition of the Exploring Information Security podcast, April Wright joins me to discuss the orange team.

April (@aprilwright) and I met earlier this year at ShowMeCon. She shared with me the concept of the Orange Team. Which is an idea around the security (blue) team working more closely with the development (yellow) team. I loved the idea and wanted to hear more. She spoke about the topic at BlackHat and DefCamp. Unfortunately, the recordings of her session haven't been released yet. So, I decided to have her on to discuss in more detail.

In this episode we discuss:

  • What is the orange team
  • How did the idea come about?
  • What are the activities of the orange team?
  • Who should participate