Vegas from afar

by javvad Malik with no comments
One of the rules from our Infosec Rockstar video was that even if you can’t attend a con, you should tweet as if you’re there. Well, I kind of messed up on that tweeting part – but despite me not being at Bsides, Blackhat or Defcon this week, I’ve been living vicariously through the tweets of others.
Speaking of the Rockstar video, SpaceRogue brought this to my attention!

Whoever you people are… STOP!
Throughout the week Pilgrim really captured the essence of being there with tweets and retweets that evoked mixed feelings where I felt like I was missing out, but somewhat glad I was missing out, if you know what I mean.

From a technical perspective, the social medias were abuzz with Dan Geer’s keynote talk from BlackHat. Which means:
  1. The keynote was really good.
  2. His talk contained perfectly placed twitter-friendly soundbites.
  3. All the ‘noisy’ tweeters attended his talk.
I guess you can read a transcript of the talk and judge for yourself – http://geer.tinho.net/geer.blackhat.6viii14.txt
Finally, the coolest, in a classic old skool anti-hackery-hack thingy was without a doubt, Wesley McGrew’s Pineapple pawnage

Which, kids, is the moral of the story. A lot of cool tools, software, hardware exist to help automate tests by taking the complexity out of it all. But that doesn’t mean you shouldn’t try to understand how it works – or at least recognise the fact that your tool can be manipulated itself to work against you… particularly at a con where most people will know more than you.
Stay secure my friends.
filed under blog

A recap for Eve and Gillis

by javvad Malik with 1 comment

I often shoot myself in the foot by agreeing to do things and then realizing it eats up a lot more of my time than I’d originally anticipated, which is why I haven’t been blogging or making videos much recently.

Some of the things that have been consuming my life lately have included (cue fast-paced soundtrack)

I travelled to Las Vegas to attend Guidance Software’s CEIC conference.


I must say, Vegas is very different outside of Blackhat / Defcon / Bsides season and I did miss seeing an ocean of black shirts and wonderful hair styles. Although, I did get to find a shisha bar – so it wasn’t all bad.

For non-shisha related news, my 451 Research colleague David Horrigan and I co-wrote a writeup on the conference which can be obtained here free of charge and registration.

Oh, and I also got to hang out with the good Doctor Krypt3ia


In June, the good folk at Eskenzi held their annual event. The first day consists of analyst / vendor meetings where I got to speed date a whole host of vendors. The second day consisted of a CISO roundtable – which in theory should have played out like the hunger games. Three sides converged, CISOs, vendors and analysts – I was hoping for fireworks, nasty comments and backhanded digs. But this is London and despite the efforts of some of our American guests, the proceedings remained rather civilized.


And I got to hang out with and pick the brilliant mind of Mike Rothman.


The next day it was the RANTConference – where I donned my Host Unknown mask. We had a great time, and my nail file swag was definitely the highlight. You can see the video here: http://youtu.be/XlhgKlmc7K8?list=UUTwY3LNRujMskBDbQvKoiBw

ACG put on their London conference. It was the first time I’d attended an ACG and it was extremely good. I was lucky to moderate a panel entitled, “is Anti Virus dead?” – the summary outcome was ‘yes’.

There was the inaugural Bsides Manchester which was brilliant. Matt Summers, who was instrumental in setting up the first Bsides London, invited me to MC the main track and I couldn’t say no to him. After all, he’s the man who imported Bsides into the UK… he’s kind of like Jack Daniel, except younger, with no facial hair, not as much style, class or interesting… but you get the idea. It did afford me the luxury of getting selfies from the front whenever I wanted.

As the old adage goes, you wait for one new and cool conference up north and suddenly you get two. Steelcon was held in Sheffield and organised by Robin Wood. This was a special conference for me as not only was it the first time that I’d been invited to give the opening keynote – but I was invited to deliver it along with my daughter, Girl Cynic. I’ve been meaning to put up a video of our experience which I may do in the future, but suffice to say it went well. There was a kids’ track which the children all seemed to really enjoy and the whole day was really well put together.


My final trip came a couple of weeks ago when I attended McAfee’s analyst event in Amsterdam. It was an enjoyable whirlwind 36 hours in the Dam, where I got to spend some time with the ever-elusive Raj Samani.


So with all these events and travelling happening in the last few months – I had to tap out and not go to Blackhat, Defcon or BsidesLV this year. Maybe now Eve and Gillis will stop this online campaign of terror!



filed under blog

Interview with the BatCISO

by javvad Malik with no comments

With so many breaches occurring on a regular basis, perhaps it’s time for a new kind of CISO. A Bat CISO!

filed under Video

Infosec conferences – client side vs server side

by javvad Malik with no comments

Because infosec has cured cancer, ended poverty and created a utopian paradise that the villain in Demolition Man could only dream of – the industry often finds itself trying to fix the really big issues via twitter and other social media platforms, as well as within the hallways of conferences, as to what is wrong with the infosec conference scene.

A few suggestions have been thrown out about what can be done to remedy the problem and what the ideal number and style of infosec conferences look like.

Haroon Meer gave a very good talk (as always) during his 44con keynote last year.

The infinitely quotable Grugq posted a thought-dump on the issue and most recently, Rob Fuller commented on the role alcohol plays within the infosec conference scene which caused a firestorm of opinions to rain down from all sides.

Of course, those aren’t the only opinions in this space – we often also get the chance to grab some popcorn and witness some absolutely mind-blowingly epic micro-movements which generate dialogue that Simon Pegg would be proud to have penned himself. Examples include

  • Banning of booth babes
  • Expensive ticket prices
  • Not enough free caffeine
  • Too much free caffeine
  • Vendor parties
  • My talk not getting accepted

Not to belittle some of these issues, I mean I know how cranky I get without caffeine, but the problem is that these are what I’d call “server side” issues that are primarily up to conference organizers to address and resolve. Average attendees have little say or influence in how conferences are run – so what can you, as an average attendee, do in order to maximise your chances of having a fruitful and useful experience?

It’s like me complaining that the luggage allowance on flights isn’t enough, or that there isn’t enough legroom in economy. Sure, they are valid complaints that need the U.N. to get involved, but these can only be fixed by the airlines and not by the passengers. On the other hand, you can make your flight a much more pleasant experience by simply investing in luggage bags which meet the airline’s dimensions and a bottle of sleeping pills.

Until a couple of years ago I wasn’t a regular conference goer. However, my job as an international analyst revolves around me going to quite a few conferences. At first it sounded like the ideal job, but my boss did warn me it would take all the fun out of going to cons… and she was right. So, I’ve adopted a bunch of activities that try to make cons a better experience for me. In other words, these are some of the ‘client-side’ changes I’ve made.

1. Book early

There’s something quite heroic about booking a last minute flight, not knowing if you’re going to get to the airport, sharing tweets with the world letting them know how you like to live dangerously and always on the edge. In reality though, there are few things worse than booking late to find all the nearby and good quality hotels have been taken, leaving you in a seedy part of town. Sure, it may allow you to experience some of the local culture, but I prefer to conserve as much energy as possible – it’s a marathon and nothing is worse than my short legs having to carry me halfway across town to then walk all day at a conference.

Less walking, less tiredness = happier conference goer.

filed under blog

Security and the cobra effect

by javvad Malik with no comments

Some people just want to watch the world burn. Others just want to give bad security advice. Check out Troy Hunt’s blog post on the matter.

filed under blog, Video

The CISSP companion handbook: A collection of tales, experiences and straight up fabrications fitted into the 10 CISSP domains of information security

by javvad Malik with no comments
I didn’t write the book, the book wrote me. Which is kind of true because I kind of wrote a lot of stuff independently and then combined it with some of my old notes that I took whilst preparing for the exam and scoured through old emails for the rest.


It’s definitely not something that will help you pass the test, but the idea was simple, give a perspective and some real-life stories on how the knowledge pans out.
Ben Rothke kindly took the time to read and review the book, so that should give you some ideas as to what it’s all about.


If you want to get your hands on a copy, then it’s virtual only from Amazon’s UK, US and other stores.


If you’re a publisher or in a similar line of work and would like a review copy, get in touch via email, javvad<at>j4vv4d.com.


filed under blog

We won!!!

by javvad Malik with no comments

If you like to keep up with my ramblings on the Facebook or twitter, you’d probably have seen that not only was I nominated in several categories for the European Security Bloggers Awards, but so was Girl Cynic.

Well, apparently Girl Cynic has been doing something right because she won the award for most entertaining blogger whilst I won the award for best video blogger. It’s an honour and I’m immensely proud to win an award two years in a row, not to mention glad to see the Girl is helping keep things in the family. All that’s left really is for me to get her to write my reports for me and I can quit my day job and retire! I’m sure that day will come soon enough…

Until then, Girl Cynic did demand that her picture go up on the website as she now sees herself as an equal partner in this venture. The student really has surpassed the master… created a monster have I.

A full list of the nominees and winners can be found here.

P.S. As it’s customary to thank people when winning an award, I’d like to thank you and everyone who voted – this one’s for all you guys! <exit stage left>

filed under blog

Spotting phishing scam emails

by javvad Malik with no comments

Phishing emails can be nasty pieces of work. They put a lot of effort into appearing legitimate in order to trick users into falling for their scams. In this video, I only take a look at this one specific email which claimed to come from Apple. There are lots of signs to look out for that aren’t covered in the video. Each of these signs may not mean anything on their own, but putting them together could indicate a phishing attempt.

Some of the other things you can look out for that aren’t in the video would include things like the email being sent from a weird address, like Yahoo or Gmail. Or it claims to come from a government department of some sort.

Slowing down helps a lot – nothing bad will happen if you don’t open or respond to an email immediately – well, I guess unless it’s your boss, in which case you could get fired. But at least you didn’t infect the whole company… now that’s what I call going out on your shield!

filed under Video

A friend with photoshop is all you need

by javvad Malik with no comments

Jimmy is a good guy – I like him, he works in security and trains MMA. Which means if he can’t gain access to your server, he’ll simply beat the password out of you.

Then he posted this picture on twitter in a cowboy hat.

As they say, a little photoshop is a dangerous thing – and the temptation was too great to not take advantage of the opportunity.

1 brokeback

Which led to the birth of Jimmy Sozé

2 usual suspects

This got Jimmy a bit worked up, so I challenged him to a duel.

3 duel

He said he’d kill me – to which I said that’s a crime punishable by hanging till he’s dead, dead, dead!

4 hang em high

The subsequent barrage of messages proved that Jimmy was indeed unchained.

filed under blog, Uncategorized

RSA & BSides SF 2014

by javvad Malik with no comments

For the times you feel like the ball inside a pinball machine.



filed under Video