At first I thought it was an exaggeration. A story that had got out of hand. But after spending over 72 hours travelling with Erich Kron, I do believe he is cursed to travel with.

Despite everything being booked in advance, Erich spent an awful lot of time on the phone sorting out issues that cropped up. Many of which didn’t even make it into our video for two reasons. Firstly, we were so fed up of everything that I didn’t have the energy to hit record on the camera. And secondly you wouldn’t believe us if we did tell you.

For example, after we flew back to Tampa after our journey, Erich’s car battery had died, so we had to call recovery and get a jump before we could get on the road. Or how we sat in a plane on the tarmac for two hours. Or how a 4-5 hour drive from Tampa to Miami ended up taking us 12 hours.

But these are all first world problems.

I am super happy to be at KnowBe4, as you can see from the video, the whole office was fully supportive of a crazy person running around with a camera, and dare I say, embraced it. I think these are my kind of people.

Another busy and enjoyable day at the AT&T business summit in Dallas. Today was spent mainly in sessions, and I ended up spending an hour in an ‘ask the expert’ session as well as getting interviewed by Shira Rubinoff. Yay, go me!

Tomorrow is the last day, and I have a very important panel to moderate.

I’m in Dallas, and there’s not a Ewing in sight.

Luckily, what is here, is a great business summit. Here are some of the highlights from day 1 where I spent most of the time drooling over the booths.

I got the dates wrong in the video, should have said 21st Aug to 5th Sept.

But, this is me looking at the whole incident as a customer, not as a security professional.

I received the email notification from British Airways informing me of the breach and the fact that customers’ payment and personal information was compromised. The advice was for customers to contact their card providers and follow their guidance.

Being a diligent consumer, I contacted my card provider who informed me via an automated message that they were aware of the breach and they are looking into it and no further action on my part is needed.

Okay then.

But being a self-starter, I thought it would be a great idea to change my BA password, just in case it was also somehow compromised.

Despite me thinking of myself as a pretty web-savvy person, it took me a while to find the page to update my password. As you can see, it asks for username, current password, and new password which must be at least 6 characters and complex.


Unfortunately, I found that filling out the details resulted in it asking for a PIN. This got very confusing for me. It suddenly switched from a password to a PIN and I ended up being unable to change my password.


So, the summary is:

  1. I got informed my personal and card details were breached
  2. There was nothing I could do about it
  3. I felt like it was all a waste of my time.
  4. The end.




This video was prompted by discussions with someone that was adamant that they would never, never, everrrrr put their logs in the cloud.

I enquired as to why they weren’t open to the option, and their response was that they don’t believe that sensitive information like logs should be in the cloud.

Now that’s all cool and stuff – I mean, everyone has their own risk models. But in the big scheme of things, the company was already using cloud infrastructure and apps for a variety of different things.

I mean, if you’re putting your entire customer management system, and your financials in a cloud app – there aren’t many more valuable things left to protect.

I’m not saying you should or shouldn’t adopt the cloud, or use a particular provider or not. What I do reckon, is that we should be a bit more sensible when looking at the wider corporate adoption and all the information contained therein, and adapt the security controls accordingly.

It’s coming up on my 3 year anniversary at AlienVault – and after a conversation with a friend, it dawned on me that I don’t think I’ve ever really explained what AlienVault does.

So, when I was in Austin this last week I recruited some of my colleagues to help make this short video to give an overview of the product.

Find out more at
Or follow @AlienVault on twitter (tell them I sent you)

A lot of individuals and companies of all sizes often use the phrase where they ‘think’ they’ve been hacked or breached, or had some form of unwanted event.

There is usually a lack of conviction in this statement, and in hindsight it’s not easy to validate.

Sure, one could use a service like to retrospectively check, or wait for a service provider to inform them that their data has been compromised – but there are better ways, if one is more proactive in their approach.

Perhaps one of the best features of Gmail is the ability to add a +something to your email address to identify which providers are either breached or have shared your email address.

For example, if my email is [email protected]; when signing up for BSidesLondon, I’ll provide my email address as [email protected]

It’s also worth looking at getting an adblocker (note not all adblockers are created equally – look for a good one that won’t sell you out in other ways). But basically, the fewer scripts that are allowed to run in your browser, the less tracking there is, and the less opportunity anyone has to inject malicious content.

For those that have a bit more patience to validate every connection, get something like LittleSnitch or RadioSilence (or similar – I’m not endorsing these products), or anything else that can detect the outbound connections that applications and software on your machine are making. It gives you the ability to control and decide which apps can communicate externally and send who knows what data.

Finally, one of my favourite techniques is to use honey tokens. The free ones available at Canarytokens are super easy to use and set up.

Other ways to set up your own honey tokens would be to put false customer records into your CRM. Set this customer’s email to an address that you control. That way, if you ever get emails sent to that particular address, you know that your customer records have been compromised – probably by your most recently-departed sales person.
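A sketch of how the two tripwires above (plus-tagged sign-up addresses and a fake CRM record) can be checked automatically against incoming mail. This is an added example, not code from the original post; the tag names, domains, honey-token address and sample messages are all constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed assumptions: which sender domains may legitimately use each +tag.
TAG_OWNERS = {"bsides": {"bsides.example"}, "shop": {"shop.example"}}
# Address planted in a fake CRM record; any mail to it at all is an alert.
HONEY_ADDRESSES = {"j.doe.canary@corp.example"}
# Constructed sample messages (headers only matter here).
SAMPLES = [
    "From: news@bsides.example\nTo: me+bsides@mail.example\nSubject: schedule\n\nhi",
    "From: deals@spam.example\nTo: me+bsides@mail.example\nSubject: offer\n\nhi",
    "From: sales@rival.example\nTo: j.doe.canary@corp.example\nSubject: switch\n\nhi",
]

def split_plus(address):
    """Return (base_address, tag) for local+tag@domain; tag is None if absent."""
    local, _, domain = address.lower().rpartition("@")
    base, sep, tag = local.partition("+")
    return f"{base}@{domain}", (tag if sep else None)

def domain_matches(sender_domain, allowed):
    """True if sender_domain equals, or is a subdomain of, an allowed domain."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)

def classify(raw_message):
    """Return a list of alert strings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    # From is spoofable and services use third-party mailers: treat as a signal.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
    rcpts = sorted({addr.lower() for _, addr in getaddresses(headers) if addr})
    alerts = []
    for rcpt in rcpts:
        if rcpt in HONEY_ADDRESSES:
            alerts.append(f"HONEYTOKEN {rcpt} mailed by {sender}")
            continue
        _, tag = split_plus(rcpt)
        if tag is None:
            continue
        owners = TAG_OWNERS.get(tag)
        if owners is None:
            alerts.append(f"UNKNOWN-TAG {tag} used by {sender}")
        elif not domain_matches(sender_domain, owners):
            alerts.append(f"LEAKED-TAG {tag} used by {sender}")
    return alerts

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```
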

While there are many other things one can do to enable quick detection of compromises, I find these some of the easiest and quickest to set up and get running with.

Having an early warning system is good, but it’s only as good as the response. Therefore you should have a plan of action as to what to do if you are notified that someone has accessed your files or compromised your accounts. Mainly this would include changing your passwords, notifying relevant parties, and putting your guard up. But it will depend on what is triggered, by who, and what your personal risk tolerance is.

For small businesses, and even larger corporations, these techniques can still work – however, there are robust enterprise-grade offerings available which are more suited to the task (maybe the Canary hardware device is good for you, or AlienVault USM Anywhere). Still, I wouldn’t be against having a few honey tokens scattered around a corporate network just to see who may be poking their nose around where it doesn’t belong.

Anytime we discuss security, it’s mainly to talk about the failures. So I’m taking time out today to spread some positivity to all those security folks that have made it through the week without an incident occurring.


After Carphone Warehouse’s 2015 breach, the Information Commissioner’s Office (ICO) has released a very thorough report which highlights a number of deficiencies in the company’s security.

I’ve summed up some of the key points in dramatic fashion

The report is well worth a read:

It dawned on me, that I’ve never written a browser extension before.

And there are words IT Security articles continually overuse that I wish they wouldn’t.

So, I combined both these together and wrote a Chrome extension that would change commonly misused words to something a little more interesting.


– IoT becomes ‘cheap connected garbage’
– Machine learning becomes magic
– gdpr becomes the MacGuffin
– Cyber becomes IT

Full details of the words changed and link to download the extension available at

2018 has kicked off with a flurry of M&A activity in the infosec space. There have been four that I’ve been aware of:

Barracuda acquired Phishline
Cyxtera acquired Immunity Inc
Verizon acquired Niddel
Threatcare acquired Savage Security

I wonder how many more deals will be announced between now and RSA. Either way, it looks like it could be a busy year ahead.

I recently had my 17th anniversary… which is almost as long as I’ve been working in information security.

Information security is great for communication, and communication is great for all relationships and friendships.

The cool researchers over at Freedom to Tinker found two scripts that exploit browsers’ built-in login managers to retrieve and exfiltrate IDs.

Below is the email I sent, and the reply from OnAudience



The script that OnAudience uses can be found here

If you have time, check out this tweet thread between Carl and AntiSocial Engineer as they discuss the law vs what happens (or should happen) in reality.

If everyone and their dog is talking about Meltdown and Spectre, then it would be negligent of me to not keep up with all the cool kids.

Website for the vulnerabilities: Meltdown Attack

Google Project Zero blog

NCSC’s advice

Linus Torvalds’ statement

Work in one industry for long enough and you end up speaking an entirely different language altogether. This isn’t necessarily a bad thing; in many cases it’s convenient and allows rapid communication amongst peers.

However, in information security we need to be mindful when communicating with non-security, or even non-technology, users and simplify the messaging as much as possible.

To put my theory to the test, I gathered a bunch of frequently-used terms and asked my non-tech friend if he could decipher what they meant.

Of course, many users would never even feel the need to use or understand some of the terms, but I threw them in there just for fun.