ISC StormCast for Friday, June 25th, 2021
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 25 June 2021
⏱️ 6 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello, welcome to the Friday, June 25th, 2021 edition of the Sandtonet Storm Center's Stormcast. |
| 0:08.0 | My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida. |
| 0:13.1 | In our defending web application security class, when we cover session cookies, I often mention that, hey, these cookies are as valuable |
| 0:23.1 | as a username and a password, and you have to defend them accordingly. |
| 0:28.6 | Looks like the bad guys have also been listening. |
| 0:32.8 | Xavier notes that in addition to usernames and passwords, cookies apparently are being traded online. |
| 0:40.7 | Of course, Malware can always be used to steal these cookies from an infected system, and if |
| 0:48.1 | the sessions aren't properly protected, in a particular web application, they may be valid for a significant amount |
| 0:56.6 | of time, which then enables them to be traded. |
| 1:01.6 | And talking about cookies and weak sessions, a checkpoint published a fairly extensive report |
| 1:09.2 | looking at weaknesses in various components of Adelagian's software. |
| 1:14.9 | Adelaian, if you're not familiar with the company, they do make software that is commonly used to organize software projects. |
| 1:22.5 | There are a number of project management tools and the like that are part of their portfolio. So at its heart, |
| 1:29.9 | of course, a compromise of their software would compromise a company's software development process. |
| 1:38.0 | And with that, essentially, you're good old and these days highly popular supply chain attack. |
| 1:45.3 | Many of the vulnerabilities outlined in Checkpoints Report are attacking sessions and session |
| 1:51.3 | cookies and are allowing impersonation of users, also including vulnerabilities, like, for |
| 1:57.4 | example, session fixation and cross-site scripting being used to steal cookies as well |
| 2:03.6 | as cross-site request forging, then being used to trick victims to perform certain actions |
| 2:10.9 | on the attackers' behalf. If you're using any of the Alation products, patches have been released, but you probably do want to take a look at the report at Checkpoint published. |
| 2:23.5 | It's very detailed and verify that these vulnerabilities are addressed, also that any software that you are building doesn't include these particular vulnerabilities. |
| 2:36.1 | And we have an interesting vulnerability in Dell's support assistant and bias. |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.