100 episodes

The Exploring Information Security podcast interviews a different professional each week exploring topics, ideas, and disciplines within information security. Prepare to learn, explore, and grow your security mindset.

Exploring Information Security - Timothy De Block

    • Technology
    • 4.7 • 43 Ratings


    What is Session Hijacking?

    Summary:

    In this informative episode, Timothy De Block discusses session hijacking with Web Application Security Engineer and PractiSec Founder Tim Tomes. The discussion delves into the intricacies of session hijacking, exploring its mechanics, vulnerabilities, and prevention strategies.

    Tim’s website: https://www.lanmaster53.com/

    You can reach out to Tim for Training, Consulting, Coaching, Remediation Support, and DevSecOps.

    Episode Highlights:

    Understanding Session Hijacking:

    Tim Tomes clears up common misconceptions about session hijacking, emphasizing that it concerns the temporary credentials that represent a user, not just the session itself.

    The conversation covers the technical aspects, including how sessions and tokens are hijacked, and the role of cookies in managing temporary credentials.

    Technical Mechanisms and Vulnerabilities:

    Detailed explanation of how session hijacking occurs, focusing on temporary credential management and the vulnerabilities that allow hijackers to exploit these credentials.

    Prevention and Security Best Practices:

    Strategies to prevent session hijacking, such as secure management of tokens and sessions, are discussed.

    Importance of setting cookie flags such as HttpOnly and Secure to protect the session token carried in cookies.

    Common Tools and Exploitation Techniques:

    Tim Tomes discusses common tools like Burp Suite and its Collaborator tool for detecting and exploiting session hijacking vulnerabilities.

    Real-world Application and Examples:

    Practical insights into how session hijacking is executed in the real world, including Tim’s personal experiences and how these vulnerabilities are identified during security assessments.

    Key Quotes:

    "Session hijacking is not just about stealing sessions; it's about exploiting the temporary credentials that represent a user." - Tim Tomes

    "Protecting applications from session hijacking involves understanding the application's handling of temporary credentials and implementing robust security measures." - Tim Tomes

    Recommended Resources:

    OWASP Guide on Session Management

    Web Security Academy by PortSwigger

    • 43 min
    How to Get Into Control Systems Security

    In this episode, Mike Holcomb discusses the intricacies of Industrial Control Systems (ICS) and Operational Technology (OT) security. Michael provides a comprehensive overview of the challenges and strategies associated with securing ICS and OT environments.

    Episode Highlights:

    Michael discusses the evolution of the Bsides Greenville event, emphasizing the incorporation of OT topics and the balance they aim to maintain between IT and OT content.

    Michael shares insights into the unique cybersecurity challenges faced by different sectors, including manufacturing and power plants.

    A deep dive into network architecture in ICS environments reveals the importance of segmentation and controlled access between IT and OT networks.

    Michael emphasizes the critical nature of asset management and network monitoring in maintaining security in ICS environments.

    The conversation also covers the increasing convergence of IT and OT systems and the implications for security.

    Michael touches on the impact of ransomware on ICS environments and the need for robust incident response plans.

    • 52 min
    Catching Up with Mental Health Hackers at ShowMeCon

    Summary:

    In this relaxed and engaging episode recorded from air loungers at Show Me Con, Timothy De Block catches up with Amanda Berlin from Mental Health Hackers during Mental Health Awareness Month. They discuss the importance of mental health in the IT security industry, which is often fraught with stress and high demands.

    Episode Highlights:

    Personal Stories of Mental Health: Timothy and Amanda share their personal experiences with mental health challenges, emphasizing the common struggles many face in the IT security field.

    Impact of Alcohol: The discussion explores the impact of alcohol on mental health, particularly how it affects sleep and stress levels. They touch upon efforts to create event spaces that offer alternatives to alcohol-centric activities.

    Mental Health Hackers: Amanda talks about the work of Mental Health Hackers, a group that attends various conferences to provide spaces for people to relax and decompress.

    Fundraising and Awareness: Mention of Mental Health Hackers' new t-shirt campaign designed to promote mental wellness, with proceeds supporting their activities at conferences. You can get T-Shirts here: https://www.customink.com/fundraising/mental-health-awareness-for-mhh

    Key Quotes:

    "It’s really about awareness... paying attention to how habits like drinking can impact our mental state and sleep." - Timothy De Block

    "We need to create environments at events where drinking isn’t the main focus, allowing people to enjoy without the pressure of alcohol." - Amanda Berlin

    • 43 min
    What is Have I Been Pwned

    In this insightful episode of Exploring Information Security, Troy Hunt, the creator of the widely recognized website Have I Been Pwned (HIBP), talks about the origins and evolution of the service. Troy discusses his transition from writing about application security to developing HIBP and delves into the impacts of data breaches on both individuals and companies.

    • 41 min
    How to Harness the Power of pfSense for Network Security

    In this episode of Exploring Information Security, Security Engineer Kyle Goode takes a deep dive into the versatile world of pfSense, a robust open-source firewall and router that has been a mainstay in the network security arena for over two decades. Kyle shares insights from his own experiences with pfSense, exploring both the practical and technical aspects of setting up and managing a pfSense system.

    • 33 min
    What are Deepfakes?

    In this enlightening episode of the Exploring Information Security podcast, we dive deep into the world of deepfakes with Dr. Donnie Wendt. With a background in cybersecurity at MasterCard, Dr. Wendt shares his journey into the exploration of deepfake technology, from setting up a home lab using open-source tools to presenting the potential business impacts of deepfakes to leadership teams.

    • 33 min

Customer Reviews

4.7 out of 5
43 Ratings

Kgoode517 ,

Excellent Cybersecurity Security Podcast

I stumbled upon Tim’s podcast after listening to his presentation at my local Bsides. Just like I feel that his talk was the best of the presentations that day, his podcast stands out as one of my favorite security podcasts for staying up to date in the industry.

Smiley_112 ,

Welcome back!!!!!!!

It was really great to hear you guys again. I am glad that you have decided to start producing content again. I am looking forward to the next release. The diverse inputs were really wonderful.

Since you are meeting in person for December for the Christmas party maybe you could let everyone record their favorite IT security jokes and post them.

MsLaulei ,

I just found this and it’s great!

I am saddened and yet thrilled to finish listening to the other podcasts. I just found this and it’s great!!!! It says FIN but you never know; I can always hope! Ms Laulei De La ROsa on FB
