Easy Prey

Easy Prey

Chris Parker, the founder of WhatIsMyIPAddress.com, interviews guests and tells real-life stories about topics to open your eyes to the danger and traps lurking in the real world, ranging from online scams and frauds to everyday situations where people are trying to take advantage of you—for their gain and your loss. Our goal is to educate and equip you, so you learn how to spot the warnings signs of trouble, take quick action, and lower the risk of becoming a victim.... Show More
June 3, 2020 28 min

Have you ever wondered how hackers find vulnerabilities and how companies can find and fix their own? You will find out today! On average 30,000 new websites are hacked every day.

Our guest for this episode is James Kettle. James is the Director of Research at PortSwigger Web Security where he explores new ways to attack websites and designs and refines vulnerability detection techniques for the Burp Suites scanner. 

James shares his hacking experience and hard work helping companies keep their websites secure from all the crazy stuff going on out there.  On today’s episode, James shares his expertise to help you be more aware of possible red flags and prevention measures to take to protect yourself and your website.

Show Notes:
  • [00:40] - When James was at university he saw that Google said they would pay anybody that could hack their website. He thought that sounded like fun and spent a huge amount of time doing that. 
  • [01:02] - Now James works at PortSwigger and researches new techniques to hack websites. 
  • [01:11] - Bounty programs are where a company wants to make sure their product or website doesn’t get hacked by malicious people so they go out and publicly say that anyone is welcome to try and hack their website. If you are successful and you don’t do any damage, but you tell them how you did it they will pay you for it and then fix it. 
  • [03:45] - Pen testing is the classic approach to securing your website where you pay a consultant to spend one or two weeks trying to hack your website. 
  • [05:14] - It is totally worth it to get that third party view. Developers often can’t find problems with their own products. 
  • [06:13] - If you want to find a vulnerability on a website you need to use an attack technique.  
  • [07:15] - These days they see a lot of cross-site scripting vulnerabilities and it’s the most common one they see. 
  • [07:37] - One of the most common causes of high impact breaches is access control issues.  
  • [08:45] - James shares the biggest data breach they were able to do during their testing. 
  • [10:31] - Try to use a framework whenever possible, because it makes things like sequel injection less likely to happen.  
  • [11:01] - The standard approach after you make the website is to try to get someone else to look at it. 
  • [11:27] - With Wordpress, it is very important to keep it up to date, install as few plug-ins as possible, and choose a good password. 
  • [14:08] - Use as few browser extensions as possible to avoid possible malware issues. 
  • [15:25] - Most people are not being personally targeted by hackers so the threats that most people need to watch out for are things that can be automated. 
  • [16:10] - If you are using the same password on multiple websites you are going to get hacked. 
  • [17:02] - A common misconception is that if you have a strong unique password then it doesn’t matter if you reuse it. 
  • [18:03] - James uses websites with the assumption that all the data I give this website is going to end up public at some point. 
  • [18:45] - Provide the minimum information possible. 
  • [20:19] - James shares his all-time favorite story. 
  • [22:33] - If an entity builds their security around detecting when people are attacking them then running a bug bounty would be harmful because they have no idea who is legitimate or hostile. If your website is on the internet, it is being attacked.
  • [23:35] - When you are being attacked, it is important to know that it most likely isn’t personal.
  • Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

    Links and Resources:
  • Podcast Web Page
  • Facebook Page
  • whatismyipaddress.com
  • Easy Prey on Instagram
  • Easy Prey on Twitter
  • Easy Prey on LinkedIn
  • Easy Prey on YouTube
  • Easy Prey on Pinterest
  • Have I Been Pwned
  • PortSwigger
  • Burp Suite
  • Web Security Academy
  • BurpSuite on Twitter
  • Share
    Mark as Played

    Chat About Easy Prey

    Popular Podcasts

    30 For 30 Podcasts
    30 For 30 Podcasts
    Original audio documentaries from the makers of the acclaimed 30 for 30 film series, featuring stories from the world of sports and beyond. 30 for 30 offers captivating storytelling for sports fans and general interest listeners alike, going beyond the field to explore how sports, competition, athleticism and adventure affect our lives and our world. Sports stories like you've never heard before.
    Stuff You Should Know
    Stuff You Should Know
    If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks then look no further. Josh and Chuck have you covered.
    Crime Junkie
    Crime Junkie
    If you can never get enough true crime...
      Music, radio and podcasts, all free. Listen online or download the iHeartRadio App.

      Connect

      © 2020 iHeartMedia, Inc.