October is National Cyber Security Awareness Month (NCSAM), but why restrict it to a month, when we need it all year round.

So, I created a few very short videos on a few security awareness topics. The idea was to keep them short enough so people would watch them to the end, have a bit of an twist (post-credit scene), and set it up so people can discuss some of the security issues they face.

You’re free to use these in your place of work, or place on those large TV screens in airports if you so desire.

The password one probably could do with a bit of tweaking, I know what I was trying to say, but think it came across a bit negative. But still, it’s there if you like to use it.

Some older videos that could be used for awareness purposes are listed below.

 

 

Hackers are everywhere, but they’re not content with just hacking into banks and stealing the money. They are after you too. Once they get access to your facebook or email account, they can read all your private messages, send out rude messages that claim to be from you, and generally ruin your life.

Often they will break into an account because the same password has been reused on different sites.

To help prevent hackers and have a happy ending, follow these awesomely cool and amazing tips that will blow your mind!

  1. Don’t reuse passwords!

Perhaps the biggest contributor is the fact that many people will reuse passwords on multiple sites. Each site and service should have its own unique password.

 


2. Don’t reuse passwords

Like seriously, don’t do it.

3. Subscribe to haveibeenpwned.com

Be notified if any of your email accounts end up in a breach dump.

4. Enable two-factor authentication

So that even if someone guesses your password, they can’t get in with out your fob.

5. Enable two-step verification

Accept that a lot of sites don’t provide or support two-factor authentication, so settle for the less attractive two-step verification.

6. Accept your fate

You discover that not only can you not enable two-step verification, but the website prohibits long passwords and special characters.

 

 

Remember I said there would be a happy ending?

Covering the infosec news from the week, so you don’t have to!

Links to stories in the video

 

  1. The beginning of the end(point): where we are now and where we’ll be in five years
  2. The strange way people perceive privacy online
  3. Tesla responds to Chinese hack with a major security upgrade
  4. Good cybersecurity can be good marketing
  5. Cyber: Ignore the penetration testers:

 

Other stories of interest

When automated bots were primed to sell the UK Pound

The ethics and morality behind APT reports

Scott Helme went wardriving.

Internet of things botnets – SSH just got real!

Lloyds combats call center fraudsters with new tech

F-Secure pens an open letter to businesses that block VPNs on their free WiFi

Sarah Clarke gives a perspective on GDPR, a personal and professional journey.

Akamai finds longtime security flaw in 2m devices.

 

It’s been an interesting few weeks which is why I haven’t posted my usual updates. I was out in Vegas for Blackhat and BsidesLV, both of which were great as always. I also had a chance to pop off to visit the Grand Canyon with my partner-in-crime Adrian Sanabria. Video coming soon, but this vine will give an idea of how far we got into the wilderness.

 

Blackhat was also a blast. AlienVault had a brand new booth design and the interactions were as engaging as always.

DSC_0435DSC_0438

Now onto the business end of things.

Do whistleblowers ever win? Researcher who exposed VW gain little.

Remaining on the topic of cars, Auto group pushes best practices for vehicle security

Mozilla to block Flash in Firefox browser – about time.

Bypassing Win10 UAC by using disk cleanup.

A tutorial on Configuring NPS 2012 for Two-factor Authentication

New attack bypasses HTTPS protection on Macs, Windows, and Linux

TrustedSec released version 7.3 of the Social Engineer Toolkit (SET)

People care about privacy, so why won’t they pay for it?

Looking at the malicious side of bad UI. Dark Patterns are designed to trick you (and they’re all over the Web)

Microsoft REST API Guidelines – a good set of principles.

Do you like using a VPN? Well, if you plan on using it in the UAE, you could end up with jail time and a $545,000 fine.

Am I saying that EMET was written to stop Metasploit sourced shellcode? Yup. Pretty much.

Not directly security related, but I found it interesting to read how Starbucks has more money on customer cards than many banks have on deposit. Probably a lot easier to rob than banks too… just saying.

Something that reads like the bug equivalent to national novel writing month. Good writeup on high frequency security bug hunting with 120 bugs in 120 days.

Post-conference season we always get a rash of opinion posts about why conferences are broken or bad. Here’s Alex Stamos’s take Addressing security blindspots through culture

Teen hacker flies to Black Hat on his one million free airmiles

 

After a very slow 2014, Cynical Rants About Security Stuff – or CRASS for short (unfortunate and unintentional) is my attempt at being more regular in publishing content. The idea is that once a week I’ll ramble for a couple of minutes on any given topic.

This week I rant about the vulnerability disclosure process and how Google and Microsoft arguing publicly doesn’t really help anyone. There are some football (soccer) references that I’m sure all my US-based friends will totally understand.

I won’t write up all my thoughts on the topic as I’ll be covering ground that many have already written about. If you’re interested in finding out more, or exploring other opinions on the subject, then I recommend checking out the following

Rob Graham: A call for Better Vulnerability Response

 Space Rogue: In the beginning there was full disclosure

and Steve Ragan: Microsoft blasts Google for vulnerability disclosure policy

Jimmy is a good guy – I like him, he works in security and trains MMA. Which means if he can’t gain access to your server, he’ll simply beat the password out of you.

Then he posted this picture on twitter in a cowboy hat. Ridiculous cowboy hat

As they say, a little photoshop is a dangerous thing – and the temptation was too great to not take advantage of the opportunity.

1 brokeback

Which led to the birth of Jimmy Sozé

2 usual suspects

This got Jimmy a bit worked up, so I challenged him to a duel.

3 duel

He said he’d kill me – to which I said that’s a crime punishable by hanging till he’s dead, dead, dead!

4 hang em high

The subsequent barrage of messages proved that Jimmy was indeed unchained. Read more

It’s December – and it’s kind of a tradition that every year I get together with the fine folk at Twist and shout to make a Christmas video.

This year, however we decided to do something different, so along with my Host Unknown companions Thom and Andy, we set out to do something serious that captures a great story.

The Greatest Story Ever Told from Twist and Shout on Vimeo.

 

To see where the Christmas tradition started, check out Santa gets hacked and it’s sequel below.

 

Santa Gets Hacked! from Twist and Shout on Vimeo.

 

 

Santa Gets Hacked – Aftermath from Twist and Shout on Vimeo.

On my command (line) – Unleash Hell

 

unleash

Keyboard warriors are so last year… now keyboard gladiators – that’s something I could get behind!

 

We outsourced our greeting card this year to a professional marketing company company. As part of the suggested monetization strategy, we can’t be giving away stuff for free anymore! Enjoy 🙂

 

RSA Europe 2012 has come to an end. It will be a memorable conference because I got the chance to be part of a panel debating whether users should be given infosec awareness training or not. It was an enjoyable experience and I can update my profile to say I’ve spoken at RSA – does it get any cooler than that? Well, only if you’re Josh Corman, who seemed to be part of every other talk at RSA. Despite this, I didn’t get a chance to see any of his talks – how lame is that?

Who's with me?

Not holding back my feelings on the other panelists

Well, that’s the life of an analyst. It’s the seedy underbelly of the analyst lifestyle that you don’t get to see behind the glitz and glamour. Well, there’s a reason analysts and members of the press get free passes to a lot of conferences, and I’ve got a sneaky suspicion that it isn’t to see all the talks. That’s not to say I didn’t get to see any talks – I went to the keynotes which were very well executed if a bit wrong on content. James Lyne gave an always entertaining and informative presentation while Brian Honan showed people how to hack senior management. I’m sure I saw other talks too – but after 3 days of buzzing around, speaking to a myriad of different people, everything ends up being a bit of a blur – if only there was some way to intelligently analyse all the big data in my cloudy memory.

Buzzword bingo aside – it’s great being able to speak with some people far more intelligent than myself (which is nearly everyone) and just bounce ideas around, get a better understanding and broaden your horizons.

Like any conference when it ends you half mixed feelings of relief that it’s over and you can get back to ‘normal’ life, where a part of you doesn’t want to say goodbye to all your friends who’ve come in from far and wide who’ve joined you on the roller coaster ride. The best thing though was that once it was all over I didn’t have to pack no bags or catch a flight, but rather simply got on my motorbike and rode home. Which got me thinking about the pros and cons of attending a conference in your hometown.

The biggest pro would have to be that you get to sleep in your own bed every night.

The con would have to be that you don’t get to discover a new city with strange people you met off twitter just because they claim they are a security person.

I guess the jury is still out on that one.

 

If you’re visiting London for the Olympics or maybe a conference and you’re looking around this charming city, there are a few things you need to know to enjoy your trip and if you value your safety:

1. Don’t be correcting us on the names of things. We call them pavements (sidewalks) bins (trash cans) boot (trunk) and the like. Most importantly of all, we don’t call our trousers pants!

2. London folk are very polite, if you step on their foot, they will apologise to you. Try it on a packed bus.

3. Nothing will get you stabbed more quickly than standing on the left of the escalator when on the tube / underground / subway. When I say stabbed, I mean people will tut loudly and huff and puff.

4. In fact just avoid the tube during peak hours altogether. You’re just going to stop in the middle to read maps and take pictures delaying everyone else trying to get to their next meeting.

5. We are not overly affectionate people. A simple handshake will more than suffice. No high fives, one arm or two arm hugs… ever!

6. Things are not awesome, rocking or mind-blowing. They are either good, or not too bad.

7. We don’t like to make small talk on any topic other than the weather despite the fact we get nothing but rain all year long.

8. A lot of places in central London are very close. Walk around and you’ll be amazed. For the more adventurous, try one of these walking routes http://www.walklondon.org.uk/

9. If you’re into cycling, you can check out routes and maps and even how those hire bikes work. http://www.tfl.gov.uk/roadusers/cycling/11607.aspx

10. Yes, we drive on the left hand side of the road. Look to your right when crossing. There’s a good reason for driving on the left. You see back in the old days when we had knights riding horseback, if they’d come across another knight approaching from the opposite direction, they had no idea if they were friend or foe. So they would draw their sword (predominantly in their right hand) and move to the left to better strike out if need be. As a result the horses nearly always ended up riding on the left of the road. When we upgraded to cars, we kept the same convention because you never know when you need to draw a sword whilst driving.

I was speaking with Tripwire about how we have some great European information security professionals who haven’t seemed to ever get featured in any of their crowd sourced articles. So they kindly offered me the chance to write one for them picking the best of what Europe has to offer. The topic we agreed upon was “Security Myths”.

You can read the entire article on their blog. Seeing as I put it together, I took the liberty of adding one of my own opinions in video format. Enjoy, and feel free to include any other major security myths that haven’t been covered.

This is my mandatory, “look at me I’m at BlackHat Europe” post. Usually I’ll hide myself away at conferences in the back row and hear out all the talks because I find it much easier to talk about security when I’m alone with my camera in my room.

It was my first Blackhat and in my eagerness I’d agreed to cover the event for Infosec Island. After I’d said yes, I began to consider the ramifications of my decision and concluded that the best course of action would be to go cap in hand to my friend Jim Shields of Twist & Shout to come be my cameraman, sound man, lighting guy and manager for the conference.

Those in attendance would have seen me with Jim lugging around camera’s lights, microphones trying to convince people to say a few words to the camera. For the most part I didn’t get a chance to sit in any of the talks. But I did end up getting a private audience with most of the speakers, so don’t feel like I missed out on any of the great information that was being given out like cotton candy.

I’ve reviewed some of the early footage and it looks absolutely awesome. Jim has really woven his magic, which totally sucks for me because in future, people will only ever be disappointed in the quality of anything I’ll ever produce. So as much as I’m grateful to Jim for coming along and helping me out, I also really hate him. Maybe on our trip back I’ll sneak some of Amsterdam’s famous mushrooms into his bag and leave him to explain it at customs.

The tables were slightly turned on me as Nabil @Toolswatch who I’m convinced is Antonio Banderas’s long lost brother cornered me for an interview which turned out to be quite fun. At least in my mind I like to think I’m as articulate and motivating as Martin Luther King.

Antonio Banderas interviewing Martin Luther King

 

If you haven’t been to a big conference like Blackhat, I’d strongly recommend you take the time to experience it. You get to meet some great people and talk about all sorts of things that I just cannot share. You’ve got to be here to hear it. That’s kind of a good slogan. Maybe I should trademark it.

You may have heard me gloating saying that I’m off to Blackhat Europe in Amsterdam. The kind folk at Netpeas are sponsoring and Infosec Island are sending me as one of them. It kind of feels like being welcomed into a family. I’ll be at Blackhat introducing myself as being from the Island even though I’ve never met any of the guys there. I mean for all I know they could be serial killers running this whole operation out of a prison cell somewhere.

I can imagine this being how a woman feels when she marries a man and adopts his surname and gets introduced as part of his family. Until she of course spills a drink down her father-in-laws favourite suit whilst trying to pass the bread and in the rush of trying to clear up the mess causes her sister-in-law to stab her husband in the knee with the carving knife.

So yes, I’m off to Blackhat to learn something about security, meet some interesting people and shoot some video interviews without aggravating anyone too much.

The Island may issue divorce papers at the end, but I’m sure we can remain friends… can’t we guys?

I get a lot of feedback on my videos. One of the most common questions I get asked is whether someone can use a particular video of mine in a presentation they are doing internally at work or at a conference etc.

It’s become a familiar process, I get an email from someone who starts with the usual foreplay of, “love your videos and your good looks… <filler> … btw do you mind if I use / reference your video in my presentation.”

More often than not, I double check to make sure they’re not using it for commercial purposes and that they won’t claim to have made it themselves and say yes.

So, in the spirit of sharing, caring and loving the community, I’ve decided to publish all my videos under the creative commons license.

What this means is:

– You are free to copy, share and distribute my videos

Providing

Attribution — You must attribute the work to me

Noncommercial — You may not use the videos for commercial purposes.

Share Alike – If you alter, transform or build upon this work, you may only redistribute under a creative commons license so others may do the same.

Waiver

Get in touch if you want to use videos for other purposes other than the ones described above.

 

Hopefully you’ll find this useful. If nothing else, those of you who’ve been using videos without permission up till now can sleep with a clear conscious tonight.

I really should put this on a separate legal page somewhere. I’ll get around to it sometime soon I’m sure.

More info on Creative Commons Licence can be found at: http://creativecommons.org/licenses/by-nc-sa/3.0/