The Shellsharks Podcast

Join myself (@shellsharks) and Thomas Peterson as we dive into his experience with Offensive Security’s challenging OSWE certification, discuss where we get our inspiration for blogging and more!

Show Notes

Main Show

• tpetersonkth.github.io
• Offensive Security - OSWE
• DEF CON YouTube channel
• HackTheBox
• Offensive Security - OSCP
• Thomas's OSWE Review 2022
• Shellsharks Desk setup
• eLearnSecurity - PTP
• IKEA
• OG Shellsharks Look
• Shellsharks - Captains Log

Postshow

• Swedish Fika

Listen in on a fun conversation between myself (@shellsharks) and my friend/guest Kyle as we discuss everything from our monitor setups to OSINT leveraged in the Ukraine-Russia conflict to vendor APT Naming and more!

!! Explicit Language Alert !!

Show Notes

Preshow

• Check out my monitor setup via my Desk Setup 2021 post
• Check out the apps I typically use via my Mac Tools post
• Hone your coding skills with Leetcode
• Elite "PewPew" map courtesy of FireEye

Main Show

• Ukraine Humanitarian Fund
• Google (allegedly) un-blurring Russian satellite imagery
• Tracking Russian soldiers using stolen iPhones
• Destructive Wipers
• Named Vulnerabilities List
• CrowdStrike APT Adversary Universe
• Mandiant APT Naming
• Dragos Threat Activity Group Names
• What is a Chollima?
• Offensive Security Courses
• OffSec WEB-300/AWAE/OSWE
• Certifications are not like Pokemon Cards
• Shellsharks Podcast on Burnout
• My Reddit AMA
• "Thought Leader"
• The CISSP
• DoD 8570
• Metasploit Default Credential CVE

Join myself (@shellsharks) and Scott Contini (from https://littlemaninmyhead.wordpress.com) as we discuss cryptography, AppSec, Log4J and more!

Show Notes

Main Show

• Little Man In My Head: https://littlemaninmyhead.wordpress.com
• Java Cryptography Architecture (JCA) Reference Guide - https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html
• NaCl: Networking and Cryptography library: https://nacl.cr.yp.to
• Don’t Roll Your Own Crypto: https://www.vice.com/en/article/wnx8nq/why-you-dont-roll-your-own-crypto
• Sony Playstation Hardcoded Key: https://www.engadget.com/2010-12-29-hackers-obtain-ps3-private-cryptography-key-due-to-epic-programm.html
• Cryptology vs Cryptography vs Cryptanalysis: https://militaryembedded.com/comms/encryption/cryptology-cryptography-and-cryptanalysis
• Deprecating MD5: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
• Ron Rivest: https://people.csail.mit.edu/rivest/
• Quantum Cryptography: https://csrc.nist.gov/projects/post-quantum-cryptography
• AppSec Australia: https://www.meetup.com/en-AU/appsec-australia/
• Grover’s Algorithm: https://en.wikipedia.org/wiki/Grover%27s_algorithm
• Internet Communications - TLS: https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
• DevSecOps: Just one definition - https://www.devsecops.org
• OWASP: https://owasp.org
• CAPTCHA: https://support.google.com/a/answer/1217728?hl=en
• reCAPTCHA: https://www.google.com/recaptcha/about/
• Analyzing the OWASP Top 10: https://shellsharks.podbean.com/e/analyzing-the-owasp-top-10-2021/
• OWASP Top 10: https://owasp.org/www-project-top-ten/
• OWASP ASVS: https://owasp.org/www-project-application-security-verification-standard/
• SAST: https://www.synopsys.com/glossary/what-is-sast.html
• Microservices: https://microservices.io
• DAST: https://www.whitesourcesoftware.com/resources/blog/dast-dynamic-application-security-testing/
• OWASP Zap: https://owasp.org/www-project-zap/
• SCA: https://www.synopsys.com/glossary/what-is-software-composition-analysis.html
• Inception: https://www.imdb.com/title/tt1375666/
• Checkmarx Codebashing: https://checkmarx.com/product/codebashing-secure-code-training/
• Security Champions: https://www.synopsys.com/blogs/software-security/security-champions-program-appsec-culture/
• NIST SP 800-63B, Digital Identity Guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html
• TruffleHog: https://trufflesecurity.com/trufflehog
• Log4Shell: https://log4shell.com/
• CISA on Log4J Issue: https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability
• Heartbleed: https://heartbleed.com
• Shellshock: https://nvd.nist.gov/vuln/detail/CVE-2014-6271
• The Morris Worm: https://www.fbi.gov/news/stories/morris-worm-30-years-since-first-major-attack-on-internet-110218
• ETERNALBLUE: https://nvd.nist.gov/vuln/detail/CVE-2017-0143
• WANNACRY: https://www.cisa.gov/uscert/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf
• Mandiant’s Report on Solarwinds Incident: https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
• BurpSuite: https://portswigger.net/burp

    Postshow

• Domain Squatting: https://www.godaddy.com/garage/what-is-domain-squatting-and-what-can-you-do-about-it/

Join myself (@shellsharks) and my good friend Mike (@QWORDsmith) as we discuss the new OWASP Top 10 for 2021.

Note on this episode: My audio was incredibly quiet during the recording so when editing I had to pump up the volume which introduced a fair bit of static. I apologize and hope the episode is bearable despite that static!

Show Notes

    Preshow

• Simplenote: https://simplenote.com
• Notion: https://www.notion.so
• Obsidian: https://obsidian.md
• Visual Studio Code: https://code.visualstudio.com
• Notepad++: https://notepad-plus-plus.org/downloads/
• GitHub Pages: https://pages.github.com
• Atom: https://atom.io

Main Show

• Funny OWASP Top 10 2021 Tweet - https://twitter.com/CubicleApril/status/1437531584119386116?s=20
• Infosec Blogs: https://shellsharks.com/infosec-blogs
• An Ode to RSS: https://shellsharks.com/an-ode-to-rss
• Shortcuts: https://apps.apple.com/us/app/shortcuts/id915249334
• Netsparker Article on OWASP Top 10 2021: https://www.netsparker.com/blog/web-security/owasp-top-10-2021-not-what-you-think/
• OWASP Top 10: https://owasp.org/www-project-top-ten/
• OWASP ASVS: https://owasp.org/www-project-application-security-verification-standard/
• OWASP Top 10 2010: https://owasp.org/www-pdf-archive/OWASP_Top_10_-_2010.pdf
• OWASP Top 10 2013: https://owasp.org/www-pdf-archive/OWASP_Top_10_-_2013.pdf
• OWASP Top 10 2017: https://owasp.org/www-pdf-archive//OWASP-Top-10-2017-en.pdf
• OMIGOD: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
• That’s some Galen Eros level shit: https://www.reddit.com/r/cybersecurity/comments/podx9q/omigod_widespread_azure_linux_vulns_in_hidden/
• ChaosDB: https://chaosdb.wiz.io

Join myself (@shellsharks) and @cradersec as we discuss blogging, Western Governors University (WGU), home labs and more!

Show Notes

    Preshow

• Audio Hijack: https://rogueamoeba.com/audiohijack/
• Rogue Amoeba: https://rogueamoeba.com
• OmniFocus: https://www.omnigroup.com/omnifocus/
• Todoist: https://todoist.com/
• Notion: https://www.notion.so
• Fantastical: https://flexibits.com/fantastical
• Getting Things GNOME!: https://wiki.gnome.org/Apps/GTG

Main Show

• Crader Security: https://cradersecurity.com
• Why I Blog. You Should Too!: https://shellsharks.com/you-should-blog#title
• WGU: https://www.wgu.edu
• Shellsharks Captain’s Log: https://shellsharks.com/captains-log
• MIT Open Courseware: https://ocw.mit.edu/index.htm
• Raspberry Pi: https://ocw.mit.edu/index.htm
• AWS Free Tier: https://aws.amazon.com/free/
• Pluralsight: https://www.pluralsight.com
• GitHub Developer Pack: https://docs.github.com/en
• Google Cloud Free Tier: https://cloud.google.com/free
• Potent Wisdom: https://potentwisdom.com - Coming Soon!
• The Linux Smack: https://linuxsmack.com - Coming Soon!
• The Privacy Smack: https://privacysmack.com - Coming Soon!
• TryHackMe: https://tryhackme.com

    Postshow

• Shellsharks Inbox Zero - https://shellsharks.com/inbox-zero#title
• Digital Minimalism - https://www.amazon.com/Digital-Minimalism-Choosing-Focused-Noisy/dp/0525536515

Kyle (@cyberspacekyle) and Masie (@masiehabibi) join me (@shellsharks) once more to chat motivation and burnout in infosec and in life. We also have a fiery fitness challenge throw-down! I hope you enjoy this relatively short but lively episode!

Preshow

• Apple Watch Fitness Competitions: https://support.apple.com/en-us/HT207014

Main Show

• Shellsharks: https://shellsharks.com
• Linkedin: https://www.linkedin.com/
• Blind: https://www.teamblind.com

Join myself (@shellsharks) and my guest Sukrit (@sukritdua) as we chat pentesting, training, craft beer and more!

Note: I apologize in advance as Sukrit’s audio was a little spotty. Enjoy!

Show Notes

    Preshow

• Collective Arts Brewing: https://collectiveartsbrewing.com/us/
• Quebec Maple Coke: https://www.coca-colacanada.ca/en/specialtysoda/quebec-maple/
• Icewine: https://mywinecanada.com/wine/ice-wine
• Dragon Stout: https://www.ratebeer.com/Ratings/Beer/Beer-Ratings.asp?BeerID=749

Main Show

• Kali Linux: https://www.kali.org
• HackerOne: https://www.hackerone.com
• BugCrowd: https://www.bugcrowd.com
• SANS Cyber Security Blog: https://www.sans.org/blog/
• PortSwigger Blog: https://portswigger.net/blog
• INE / eLearnSecurity: https://ine.com/pages/elearnsecurity-pricing
• Shellsharks: https://shellsharks.com
• Getting Into Information Security: https://shellsharks.com/getting-into-information-security
• Reddit Feedback: https://www.reddit.com/r/netsecstudents/comments/m0lbst/a_guide_for_those_looking_to_break_into_the/
• PTP: https://elearnsecurity.com/blog/ptpv4-launch/
• OSCP: https://www.offensive-security.com/pwk-oscp/
• Try Harder: https://www.offensive-security.com/offsec/say-try-harder/
• Web Application Hackers Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470
• Web Security Academy: https://portswigger.net/web-security
• Hacker101 CTF: https://www.hackerone.com/blog/Introducing-Hacker101-CTF
• OverTheWire: https://overthewire.org/wargames/
• picoCTF: https://picoctf.org
• SANS Holiday Hack Challenge: https://holidayhackchallenge.com
• Cybrary: https://www.cybrary.it
• PentesterAcademy: https://www.pentesteracademy.com
• PentesterLab: https://pentesterlab.com
• eWPT: https://elearnsecurity.com/product/ewpt-certification/
• eWPTX: https://elearnsecurity.com/product/ewptxv2-certification/
• SANS SEC542: https://www.sans.org/cyber-security-courses/web-app-penetration-testing-ethical-hacking/
• INE Plans: https://ine.com/pages/plans
• SANS Work Study Program: https://www.sans.org/work-study-program/
• SANS Summits: https://www.sans.org/cyber-security-summit
• SAN SEC660: https://www.sans.org/cyber-security-courses/advanced-penetration-testing-exploits-ethical-hacking/
• Stephen Sims: https://www.sans.org/profiles/stephen-sims/
• aCloudGuru: https://acloudguru.com
• Pluralsight: https://www.pluralsight.com
• Linux Academy: https://login.linuxacademy.com

    Postshow

• Untappd: https://untappd.com
• Foursquare: https://foursquare.com
• Mike on Untappd: @beersharks
• Sukrit on Untappd: @AllPints
• Hill High Marketplace: http://www.hill-high.com
• untappdScraper: https://github.com/WebBreacher/untappdScraper
• Captains Log: https://shellsharks.com/captains-log

This week on The Shellsharks Podcast, @masiehabibi joins me (@shellsharks) to talk Clubhouse, ransomware, the Colonial Pipeline hack, Google I/O, iOS vs Android and more!

Podcast Pre-chat

• Clubhouse: https://www.joinclubhouse.com
• Find me on Clubhouse @shellsharks !
• 2021 Microsoft Exchange Vulnerabilities: https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
• Twitter Spaces: https://blog.twitter.com/en_us/topics/product/2021/spaces-is-here.html
• The Shellsharks Podcast website: https://shellsharks.com

Colonial Pipeline Hack & Ransomware Discussion

• Colonial Pipeline hack: https://www.wired.com/story/colonial-pipeline-ransomware-attack/
• Tesla: https://www.tesla.com
• Darkside ransomware group: https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/
• Home Depot breach: https://www.reuters.com/article/us-home-depot-cyber-settlement/home-depot-reaches-17-5-million-settlement-over-2014-data-breach-idUSKBN2842W5
• RTF Report: Combatting Ransomware: https://securityandtechnology.org/ransomwaretaskforce/report/
• SP 800-207, Zero Trust Architecture: https://csrc.nist.gov/publications/detail/sp/800-207/final
• BeyondCorp: https://cloud.google.com/beyondcorp

Google I/O vs Apple Events & iOS vs Android

• Google I/O: https://events.google.com/io/?lng=en
• Google LaMDA: https://www.blog.google/technology/ai/lamda
• Apple Spring Event 2021: https://www.apple.com/apple-events/april-2021/?useASL=true
• Google Duplex: https://ai.googleblog.com/2018/05/duplex-ai-system-for-natural-conversation.html
• WWDC: https://developer.apple.com/wwdc21/
• iOS Jailbreaking: https://en.wikipedia.org/wiki/IOS_jailbreaking
• CheatsWithFriends: http://cydia.saurik.com/package/com.fire30.hackingwithfriends/

Join myself (@shellsharks), Kyle (@cyberspacekyle) and Masie (@masiehabibi) as we discuss Getting Into Information Security, what industry certifications are best to get for those new to the field and more!

• Old Ox Brewery: https://www.oldoxbrewery.com
• Chimay Blue: https://www.beeradvocate.com/beer/profile/215/2512/
• Security+: https://www.comptia.org/certifications/security
• SANS: https://www.sans.org
• SEC503 Network Intrusion Detection: https://www.sans.org/cyber-security-courses/intrusion-detection-in-depth/
• ACloudGuru: https://acloudguru.com
• Python: https://www.python.org
• DOD 8570 (from SANS): https://www.giac.org/certifications/dodd-8570

Introducing The Shellsharks Podcast! Join me (@shellsharks) in this new show about all things Infosec, Technology and Life-in-general. 

For more on Shellsharks, check out the site!