Blog Post


Be in a Vegas music video

Apologies if you found the title of this post to be a bit click-baity. But bear with me, I’m pretty excited about this.

Next week is hacker summer camp aka Blackhat, Defcon, and BsidesLV in sunny Las Vegas.

I asked myself, other than the talks, the networking, and the things we won’t talk about – what else can one do with so many people in one place?

The answer is simple, we all get together and film a music video.

Knowing that almost everyone is a huge Nickleback fan, you’re almost guaranteed to be familiar with the song and music video for “Rockstar” where each line, or couple of lines are lip-synced to by different people.


And that’s pretty much the idea for this video. I’ll come along with my camera and lyrics and will be seeking willing volunteers to lip sync along to a couple of lines.

It’s intended to be a bit of fun – you don’t need to wear any face-paint or fancy outfits – just be prepared to mime along to the sounds of  “infosec rockstar”

Sample lyrics from the first couple of verses to give you a taste of what’s in store:

I’m through with standin’ in lines to talks I’ll never get in

Keep entering CTF’s but I’m never gonna win

This cyber hasn’t turned out

Quite the way I want it to be

(Tell me what you want)

I want a brand new SIEM correlating events

Forensic capture of all the packets

And threat intelligence

That’s useful to my boss and me

(Yeah, so what you need?)

I need shodan license that’s got no limit

And a virtual machine with a kali on it

Make plane fly sideways

At thirty-seven thousand feet

(Been there, done that)


If you’re interested in participating – you can find me at BSidesLV on Tuesday. You can also pop along and see my talk at 17:30 in the hire ground track.


Wednesday and Thursday I’ll be at Blackhat and will mainly be at the AlienVault booth. Unfortunately, I won’t be sticking around for Defcon this year though.

Hope to catch up with many of you fine folk in the mild warmth of Las Vegas!


jm hearted

Things I hearted last week

For the week ending 24th July 2016

Lessons learnt from trying to negotiate with five different ransomware gangs. If you’re willing to haggle, you can get a discount.

This isn’t a new talk by Jim Manico, but the first time I saw it and serves as a great lesson on TSL/SSL and how HTTPS should be implemented. (43 min video)

Brian Krebs at it again, Carbanak gang tied to Russian security firm.

China bans testing of self-driving cars on public highways pending regulation.

Raytheon shared a post discussing Pokemon Go and how augmented reality plays a role in the military.

What does a hacker look like? A style guide from TV & movies.

Skype finalizes its move to the cloud, ignores the elephant in the room. Spoiler alert: things like security, privacy, eavesdropping, protocols etc.

Everything you need to know about web shells.

Troy Hunt on why HTTPS has a speed advantage over HTTP.

An iPhone case that detects snooping.

How we broke PHP, hacked Pornhub and earned $20,000. These types of writeups are the reason I’m such a fan of bug bounties.

A nice writeup on The Long-Term Effects of Tracking Employee Behavior. Lots of takeaways from a security perspective, both in terms of tracking – but understanding what you’re measuring.

Finally, not so much security, but relevant to business models. A fantastic analysis of the Unilever buyout of Dollar Shave Club.


Breaking in, and through security: Leron Zinatullin

Just over four years ago I received a LinkedIn email from a young man in Russia. It wasn’t too different from emails I occasionally receive. He was someone wanting to build a career in information security and was looking for some advice.

He was on his way to London to start his MSc and wondered if I would be willing to answer a few questions for him.

lz mail

It’s funny how life sometimes comes full circle. It wasn’t that long before then, that I emailed Stephen Bonner (not to be confused with Stephan Bonner)  asking him for career advice.

The difference between Leron and anyone else that has ever asked for advice is his willingness to learn and take on board as much knowledge as possible and then apply it. In a few short years, not only was Leron able to complete his MSc, but he landed a job (while turning down other offers), spoke at events, and wrote a book. Achieving more in 3 years than most people do in 10.

So, the roles are now reversed. I needed to catch up with Leron and pick his brains about his journey and see what I could learn from him.

What made you apply for MSc at UCL?

After several years in in the industry I realised that my education wasn’t complete. I came from a technical background but quickly realised that not all the problems could be solved through technology. I decided to learn more about information security management, culture and usability.

I was attracted to UCL I really liked some of the research staff’s profiles: Angela Sasse, Shamal Faily and David King who was a visiting fellow at that time all helped me a lot during my studies.

I picked modules like “People and Security” to understand the human element of security better and ended up doing some research with Angela on modelling conflicts between security compliance and human behaviour. This involved working with people to understand root causes of poor security culture in organisations.

Do you think it was worthwhile doing it?

Yes, I learned a lot about research techniques, how to come up with a hypothesis and then use qualitative and qualitative methods to prove or disprove it.  I use this knowledge now in my consulting career.

I was always interested in the human aspect of security and this programme combined this with the strong foundation in cryptography and computer security.

You were in Russia when you sent me that first email. What made you get in touch with me?

I remember checking your YouTube channel one evening. The video I was particularly impressed with was called “How do I learn more about infosec?”

Among other good points, you shared your opinion on mentoring and how it works in the real world. I thought since you were talking about it you might well be open to the idea of sharing your knowledge with someone else i.e. me.

I was struggling at the time to see what value I could bring to such a relationship, but decided I would figure it out along the way.

We met several times when you came and we discussed different ideas and also what the industry was like.

What did you find the most useful bit of advice you received?

I found many points useful. I didn’t know what the industry was like in the UK and anywhere outside Russia for that matter. More importantly I wasn’t sure what I wanted to do with my career.

You explained that the security field itself is very broad. It is similar to medicine: there are general practitioners who know a little bit about everything, which is the base level of knowledge. For complex cases they will refer you to specialists in blood, heart, eyes, ears and other specific body parts. The same applies to security: there are broad generalists and technical experts. There are also non-technical security professionals, who understand the business, the risks and how to integrate security into the corporate strategy. Just as you can’t replace a surgeon with a GP, you can’t replace a technical subject-matter expert with a generalist, and vice versa. That made me think about where I see myself adding value to the industry.

I also appreciate your points on personal branding. I started a blog – and created my Twitter account @le_rond right after one of our meetings.

After studies you were able to land a job – what advice would you give to anyone looking to land their first job in security?

I would say start with something you like doing. There are many aspects of security and there are different types of work out there. One can easily find something they like.

You gave a talk in the rookie track at BSidesLondon – how was that experience for you?

The experience was very rewarding. I got to know many great people there and I spoke about the convergence of physical and information security. When preparing for the talk, I researched this area thoroughly which also helped a lot with my studies. I got to practice presenting and received valuable feedback from the people in the room. I even managed to get a job offer right after the talk but decided to go for KPMG instead in the end.

I would recommend signing up for the rookie track at BSides to anyone who would like to share their ideas with the community. There is a lot of support provided, in particular from mentors like yourself, to make the experience great.

You also have spoken at universities and other places voluntarily. Why did you do that? How was the experience? Is it something you’d recommend to others?

One thing I didn’t get enough during my studies is industry practitioners coming and sharing their stories. I decided that with some experience here and internationally I could help students and people who are interested in security understand the industry better. I also wanted to give back to the community, and I was sharing some of the tips I’ve learned from you. I help people to work on their soft as well as technical skills and always available to support their efforts. I’m finding it very fulfilling and I would definitively recommend it.

You wrote and published a book earlier in the year. How did you find the process of writing a book? What motivated you to write it? Do you plan on writing more books?

I’m not going to lie – it was hard work. There was a lot of research and re-writing, I took me over three years in total. And this is not a thick book.

As a consultant I help companies develop and implement security strategy and transformation programmes. Working across various industries, I’ve seen some badly implemented security projects which were completely missing the point.

I wrote this book to help security professionals and people who are interested in becoming one to do their job better. I believe that they not only need to ensure that a company is adequately addressing information security risks, but they also have to communicate the value of security appropriately in order to be successful. That’s why it would be also useful for business executives and project managers who would like to get a better understanding of security.

The main goal of this book is to gain insight into information security issues related to human behaviour from both end-users’ and security professionals’ perspectives. It aims to provide a set of recommendations to support the security professional’s decision-making process when implementing controls and communicating these changes within an organisation.

To achieve this, I conducted a number of interviews with UK-based security professionals from various sectors, including financial services, advertising, media, energy and technology. Their views, along with further relevant research, were incorporated into the book, in order to provide a holistic overview of the problem and propose a solution.

The feedback I received so far was very positive and I’m glad I get an opportunity to help people address some of the challenges they face in this area.

I find sharing my knowledge with the community extremely rewarding and I would definitely consider writing more.

Many people will look to you as a success story – someone that achieved a lot in just 4 years… what things do you think best contributed to your success?


Thank you Javvad – that’s very kind of you to say that. I think it is always a team effort. Things I’ve achieved are not done just solely on my own. There were many people who helped me with the book, including yourself, for example. People were giving me advice and useful constructive feedback on my early drafts. At work there were also always people willing to help out. I’m very grateful for that. Security is a small world in a good way – get involved and there will always be someone to help you.




jm hearted

Things I hearted Last Week

For the week ending 17th July 2016

Pokemon Go took the cybers by storm. There was much hullabaloo over the excessive permissions the app was asking for, which seem to have been fixed. Still, I liked this writeup by Dan Guido on the permissions Pokemon Go got.

Four cyber attacks on UK railways in a year.

Matt Hughes wrote a nice piece around assuring security products and the dilemma of answering the question of how secure we are.

Cymmetria Releases The MazeRunner Community Edition. A free edition for research of personal use.

We Tried to Operate a Surgical Robot While It Was Being Hacked

Arguably one of the biggest case rulings this last week was when a court ruled Microsoft does not need to respond to US warrant for overseas data. Had this ruling gone against Microsoft, the impact would have been felt throughout US-based cloud-computing companies. While this is probably not the last we’ll hear on the matter – one cannot downplay the significance of this case.

Hacker gets two years in jail for celebrity swatting.

Great article on the work that is done behind the scenes to make Mr. Robot accurate. Includes some familiar faces.

Finally – there was a failed coup attempt in Turkey a few days ago. The Grugq writes a great article on the role of cyber in coups and why it was so influential this time.

jm hearted

Things I hearted last week

For the week ending 10th July 2016

The recorded talks from BsidesLondon are up! Check out the playlist here. There are some really good talks in there – I haven’t seen all of them yet, but Steve Lords Naughty Toys for Wicked Girls and Boys  and Holly William’s Offensive Anti-Analysis are definitely worthwhile.

Ashley Madison in hot water with the FTC over the use of Fembots. I wonder if anyone ever got caught cheating and subsequently divorced – only to later discover they’d cheated on their partner with a bot. No amount of cold water could put out that burn.

A somewhat deep and academic paper of which I didn’t fully comprehend.  In which researchers conclude that, yes, you can have both deep learning and privacy.

How to Crack Android Full Disk Encryption on Qualcomm Devices

With Blackhat and DefCon around the corner, Wesley McGrew has put together a guide to security at conferences

Why is a great OSINT tool. Nice post on spam, campaign stats and red flag URLs.