J4vv4D

Memoirs of BSides London and Infosec Europe 2013

by J4vv4D with 6 comments

Warning: this is a long post. If you don’t want to read it all, watch this short recap video; otherwise, read on.

 

Even though it was summer, the sun had long set. It was late and getting chilly. My feet were numb and I was feeling the ill effects of 3 days of sleep deprivation. I was sat outside with 4 Americans and a Canadian. The man to the right of me with a goatee that was almost as big as his head took a long puff and declared himself “mellow”. The others nodded in agreement and they all thanked me.

How did I end up in this state? Well it all started three days earlier.

The Dinner Suit Situation

It was the first day of Infosec – I had gotten up early and was already in a bit of a dilemma. I had a suit ready to wear for Infosec, but in the evening I was invited to the SC Magazine awards, which was a black-tie event (a dinner suit / tuxedo). So I was wearing a suit and was carrying a second dinner suit with me. To make matters worse, I was traveling in on my motorbike; partly because I detest public transport and partly because it would be rather late by the time the awards ceremony finished and I would struggle to get back home, which upon reflection is one of the downsides of having a conference local to you. Had I been in another city, I would have been staying in a hotel within throwing distance of the conference centre and it would have been no problem.

I finally found a bag large enough to put the dinner suit in while carrying it on my back and riding my motorbike through London’s rush hour traffic. Although I don’t know how Usain Bolt felt the first time he broke the world record in the hundred-metre sprint, I can only imagine it was similar to the sense of achievement I felt when I finally reached Earl’s Court exhibition centre and was able to take out the dinner suit relatively uncrumpled. I proudly handed it in to the cloakroom for safekeeping, with specific instructions to the attendant to make sure it didn’t get creased up until I collected it later that evening.

The Analyst Panel

Most of the morning was spent in meetings with various vendors. Unlike RSA, Infosec Europe is comparatively small and I was fortunate that most meetings were scheduled to be in the press room, so I didn’t have to travel very far. As a result I managed to get through at least half a dozen meetings by lunchtime.

A few weeks earlier, I’d received an email from the editor of Infosecurity Magazine, Eleanor Dallaway, asking if I would be interested in taking part in an analyst panel alongside Brian Honan and Bob Tarzey. The discussion would be recorded for publication on YouTube. Not being shy of having my mug on YouTube, and knowing that Brian would be riding shotgun, I felt comfortable enough to say yes. It was a decision I was beginning to regret as I found myself having pizza with Brian, Jitender, Thom, Cindy and Dwayne for lunch and realizing we were late for the panel. Brian seemed unfazed and with his typical Irish charm told me not to worry. I asked if he knew what we were going to be talking about, and he just shrugged, let off a big laugh and carried on eating.

We eventually made it to the Infosecurity Magazine booth where Eleanor seemed relieved to see us. The cameraman was all business and proceeded to get us mic’d up; although Bob didn’t look too happy that he’d been made to wait for 20 minutes doing nothing.

The panel wasn’t very long; it consisted of Eleanor asking a few questions and us answering individually. It was okay I suppose, although sitting there in the chair I did find myself continually wishing I could change the camera angle, do the editing and actually script something witty and clever for myself rather than having to think on the spot.

The CISO Panel

As soon as I wrapped up the analyst panel, I had to make my way to the keynote theatre where I was due to moderate a panel of five CISOs to discuss the skills needed to make a good CISO. The room was pretty full, and I was thankful that over the previous few months I’d had ample opportunity to present several times, so I found myself surprisingly at ease. I was told by the audio person that I had to stand very close to the microphone behind the lectern or risk not being heard. This was a bit of a pain as I generally dislike standing behind a lectern when on stage. It puts a barrier between you and the audience. The second issue was that the stage was very wide and I was perched behind the lectern on one side, whilst the panelists had a table on the other end. I hadn’t worn my glasses, and under the theatre lighting I was squinting to see who was who.

As I was squinting like a mole from across the stage, I made out the face closest to me and thought that I could see him; but his name had slipped my mind. In fact, I’d almost forgotten everyone’s name. I grabbed my notebook and jogged over to the other side of the ridiculously wide stage and tried to make a joke out of not remembering who was who. The CISO closest to me was Simon Riggs, who helpfully suggested I write down everyone’s name in the same order they were sat at the table to make it easier to remember who was who. I thanked him for the tip and wrote down everyone’s name: Simon Riggs, Paul Swarbrick, Avtar Sehmbi, Matthew Ford and John Meakin.

A slight twinge of guilt did come over me. After all, I’d been in email contact with each of the panelists beforehand and they deserved that I remembered their names. I racked my brain for some sort of witty monologue to say, but all I could muster was a “great” and a half punch in the air before jogging all the way back to take my place behind the lectern on the other side of the stage.

Other than that the session progressed pretty well. I say pretty well, but I do think I could have done a better job. In hindsight there were times when I should have jumped in and stopped some of the speakers from going on a bit too long. Having said that, there was plenty of audience interaction and the questions flowed right to the very end.

Right at the very end I wanted to try and wrap up on a concluding question. So I threw out the old question of whether CISO actually stands for Career Is So Over, implying that it is the end of the road and there is no clear progression path afterwards. It seemed to rattle a couple of cages, and maybe a couple of responses veered onto the defensive side. But in all honesty it had been an hour for me standing behind the lectern and my legs were feeling the effects. I thanked the audience and the panelists for their participation and felt relieved to have made it to the end without incident.

 

Awards, awards & more awards

It was in a disabled toilet tucked away on the first floor, away from the conference, that I found myself changing into my dinner suit. Not exactly glamorous, but beggars can’t be choosers. I cursed as I fumbled a cufflink that fell onto the floor. I picked it up and wondered how clean the floor was. Sure, it was on the other side, away from the toilet, but doubt crept in. Luckily there was a sink inside so I gave it a quick rinse, being careful not to drop it down the drain, before shaking it dry and threading it through the cuffs of my new shirt.

I looked in the mirror and was greeted by an unfamiliar sight. I smiled at my reflection, dressed up like James Bond. Then I snapped out of it as I found myself admiring myself for too long. I wondered if it’s actually possible to creep yourself out by staring at yourself in the mirror.

First stop was the European security blogger awards which was sponsored by Tenable and Qualys. It was very nice of them, but still, it would not have been possible without the hard work put in behind the scenes by Jack Daniel and Brian Honan.

I’d been nominated in five of the categories, which in itself was a pretty humbling experience. To even get nominated shows that your colleagues and peers value your contributions and maybe even like you as a person! I ended up winning two awards, for best video blogger and most entertaining blogger. I’ve joked with friends about how I’m now a global multi-award-winning blogger… but the reality is that I am truly grateful to all my friends in the security world. So I’d like to say thank you!

After that it was off to the SC Magazine awards, where I had been kindly invited by SC Magazine editor Dan Raywood. It was the first time I’d attended and it was pretty much how I thought it would be. Everyone was in dinner suits looking very dapper, which gave the atmosphere that this was indeed a special occasion. The compere for the night was a comedian who was absolutely brilliant. She started off with a short routine, picking on some tables closest to the stage and also on some of the company names. It was one of the best events I’d been to in a long time (maybe ever).

It had gone midnight by the time I parked my motorbike back in the garage at home, almost in time for it to turn back into a pumpkin. It had been a very full, exhausting and fulfilling day… but that was just the beginning. My biggest challenge awaited me in the morning.

BSides London

I lost count of the number of times I hit snooze on my alarm before I finally rolled out of bed. Throwing on a pair of jeans and a black shirt, I felt I’d got the uniform for B-Sides correct. It was getting late and I really wanted to see David Rook aka Security Ninja’s talk before mine, but I needed to go over my presentation one more time. It had been a couple of days since I’d revised it and the nerves were tingling slightly. I recalled the times when something sounded really clever in my head yet turned out to be the dumbest thing in the world as soon as I opened my mouth. That’s how I was feeling about my presentation… what if nobody liked it, what if people walked out, what if? what if? what if?

I wasn’t afraid of getting on stage and speaking in front of people, I was just a little apprehensive about publicly putting my thoughts out there without the safety net of a video camera and post-editing software where I can take out all of my mistakes. I had given myself enough time to prepare and I’d even given dry runs of the presentation over Skype to Thom and Jitender. They had both provided me with some good feedback which I had incorporated as much as I could. But I knew that once on stage, I have a tendency to deviate almost totally from the script.

Up on stage I hooked up my laptop and set it to start. The intro of my talk was a short video clip with explosions and spinning animations that spelt out the talk title, all to the sound of AC/DC’s Back in Black. The room was full, with some people sitting on the floor. I clenched my fists together and slowly released them, a technique Thom once showed me that is a good way of getting rid of stress from the body. I looked across the room and saw many familiar faces – accompanied by a feeling of calm. This was B-Sides London… this was the conference I had helped organize for the last two years. This was my home!

The intro finished, the music faded and I stepped onto stage with an almighty “hello B-Sides London!”

The room responded with enthusiastic applause and I felt a whole weight lifted from my shoulders. I got into character and delivered my talk. I think it was the best talk I’d ever delivered. I love B-Sides.

The rest of the day felt like a blur as there were so many people I wanted to see. It was like a montage of a hundred conversations crammed into a few hours. It was the first time that I wasn’t a volunteer at B-Sides London, so I really got a chance to mingle with people and enjoy the conference as a whole.

The Rookie Talk

There was a rookie track for new speakers and one of the speakers was Leron, who had been assigned to me as a mentee and whom I had helped prepare to give the talk. I went down into the rookie track to see how he would fare. I arrived a bit early and Leron was in the room listening to another talk. He looked a bit tense so I invited him outside the room for a chat. He told me he was feeling a bit nervous and I laughed recalling my own nervousness. I reassured him that even I was nervous, but nerves are part of the game. I showed him the fist clenching routine… although I’m not sure whether he thought that was a cool technique or if I was just trying to be Yoda.

I sat through Leron’s talk which, in my biased opinion, was very well delivered. Yes, he had a few nerves, but overall he kept to time, delivered his message clearly and didn’t melt under the pressure. I felt happy for him once he’d finished, like a sense of pride.

Afterwards, I saw a few other rookie talks which were all delivered brilliantly. In fact, other than the fact that they were slightly nervous (some visibly more than others) the quality of preparation they had put into the talks should put some ‘pro-speakers’ to shame.

The sentiment has been pretty unanimous that the rookie track was a resounding success and I hope to see many of this year’s rookies take to the main stage next year. A few days later Mo Amin, who spoke on the rookie track, mentioned on Twitter that a colleague of his had asked him to be his mentor for next year. Now that’s progress!

 

Hitting the wall

The alarm has been going off for a long time. I am having a weird dream in which I’m looking for my phone so that I can turn the alarm off but can’t find it. Eventually the fog clears and I wake up to turn it off. It’s nearly 9am and I needed to be out of the house 15 minutes ago. My legs are tired from standing too much and my throat is feeling a bit sore from talking too much, not to mention the bloated feeling from eating too much conference food. I stop and wonder how many calories people end up consuming at conferences and try to think what the average BMI of conference goers is. I make a mental note to pay attention on the show floor to the waistlines of attendees.

I don’t want to get out of bed. A full day lies ahead of me which will need me to have my game face on for the whole duration. It’s that low point that happens at nearly every conference I attend. Sometimes it’s on the first day, sometimes the last day or somewhere in the middle. I’m not crazy enough to have ever run a marathon, but I hear that at certain points runners hit a wall and that they have to keep pressing on to get through that barrier. Pushing through that barrier I get ready and head out to the last day of Infosec Europe.

There are many meetings lined up in the morning that go through to the afternoon. Once caffeine levels are normalized in my blood stream, I get a buzz and perk up. There are some genuinely interesting conversations, both one on one and also whilst walking the show floor. The French commission have a section where a number of French companies have small booths. One of them points out to me that they painted the French flag the wrong way around, and that the Americans always got a bigger and better-looking exhibition area. I smile and nod, the man had a point and I have mixed emotions as I find myself sympathizing with the French.

 

Secret Project

I got a text from Thom. He was waiting with Andy for me up on the mezzanine area for us to undertake our secret project. I’m unable to divulge the details of the secret project, because if I did so then it would cease to be secret anymore. All I can say is that it was immense fun – I got shouted at on no less than three occasions, Andy got manhandled by a huge man and Thom deserves a punch in the back of the head. But stay tuned and all will be revealed soon enough.

Dinner

Once we’d finished, Thom, Andy and I made plans to go out for dinner to celebrate the end of a successful conference and not killing each other. I hadn’t had a chance to catch up with many friends who were over from across the pond so I started emailing / tweeting whoever I could. Eventually I found myself in a Lebanese restaurant on Edgware Road with Andy, Thom, Lindsay, Cindy, Anthony, Dan and Dave. It was a lovely meal and despite everyone looking like they could easily fall asleep within 30 seconds of lying down, the conversation flowed beautifully.

Immediately after dinner a few had to leave and Cindy’s husband joined us. Dan was of the opinion that everyone should go to karaoke; but my body was giving up on me. My legs were gone and so was my throat. So I suggested that seeing as we were on Edgware Road, we should try smoking a sheesha. No-one had tried one before, but I convinced them it was a good idea…

An hour later and I find myself sat outside with my five American friends. Dan is to the right of me, and takes a big puff on the sheesha and exhales smoke that seems to get stuck in his huge goatee. He declares himself “mellow”. The others nodded in agreement and I am thanked for the introduction to this fruity pipe. They all had flights in the morning – and I am thankful that I only have a short bike ride back home to get into my own bed.

filed under blog

Dealing with an auditor

by J4vv4D with 2 comments

At last week’s Infosec Europe, fellow blogger, friend and information security executive Jitender Arora was involved in a debate that asked whether the auditor is friend or foe to the security department.

This was an interesting debate that for many can bring up mixed emotions and feelings. But it reminds me of a quote from the movie Jerry Maguire: “this ain’t show friends… it’s show business”. Which is to say: does it really matter if an auditor is friendly or hostile towards you? At the end of the day, she is there to do her job and you are there to do yours. The real magic is in how you actually deal with the auditor – which is easy if you follow the few steps in my video tutorial.

 

filed under Video

Make your vote count

by J4vv4D with no comments

The prestigious European Security Blogger awards are upon us. For those unfamiliar with the European Security Blogger awards, it’s an award ceremony for bloggers who specialise in security and reside in Europe – at least that’s what I hope it means.

I am fortunate enough to have made it into the finals in five of the nine categories – which in itself feels like a great achievement considering how many super-awesome and cool security bloggers there are scattered around Europe. The categories I’m in are:

Best Security Video Blog
Most entertaining blog
Most educational blog
Best EU Security Tweeter
Grand prix prize for best overall security blog

Anyway, it would be a shame to let your vote go to waste so head over to  and make your vote count.

filed under Security

Log management

by J4vv4D with 1 comment

Log management and SIEM are not really spoken about by those outside of security, and understood even less. I guess one of the reasons is that unless there is a relatively large number of logs to go through (or there is actually an interest in doing so), most people will not really do much about it. Hence I’ve often been asked to explain what a SIEM is, how it differs from log management and so on. I won’t go into too many details and split hairs, so for the purposes of a high-level view on log management, I present to you this video.

filed under Video

HTTPS is broken?

by J4vv4D with no comments

I recently saw that researchers had published their findings on security flaws in RC4 in TLS, which led to some articles being churned out with eye-catching headings such as “HTTPS is broken”. A decent write-up on the issue can be found on the Naked Security blog.

But this got me thinking about the whole relationship security professionals have with researchers. It’s kind of a love-hate relationship. Researchers find flaws, bugs and general ways to bypass security controls, algorithms, processes and all that other good stuff.

The question becomes, though: is it really broken if it was never fixed in the first place? The point being, it is an accepted fact that nothing is ever 100% secure. As Bruce Hallas is fond of saying, “If it is made by man it can be broken by man.” Therefore, it is not a matter of if a vulnerability is discovered in a security mechanism, but when. Once a vulnerability is discovered, be it by a researcher or an 8-year-old messing around with her Raspberry Pi, it then falls to business security people to determine how likely that attack is to happen. Based on their viewpoint it may not be anything to worry about, or they may decide that this is something that needs to be fixed urgently. However, beyond this the business owner ultimately decides whether they want to run with the risk or not. Which is why, although researchers have demonstrated chip and pin can be defeated, banks have taken the view that for business purposes it is sufficient. Similarly, despite passwords being universally regarded as about as useful as a chocolate teapot, they are still used as the primary authentication mechanism for the majority of web-based applications in the world.

Perhaps what we don’t have enough of in the information security industry is collaboration between researchers, security professionals and the business. Although this particular research team has been quite pragmatic about the whole situation and acknowledges that the likelihood today is a bit slim, we still see some researchers and industries bickering in public over whether they should be adopting one security posture or another.

Can’t we all just get along? Nah, where would the fun in that be?

filed under Video

RSA 2013 and Bsides San Francisco

by J4vv4D with 3 comments

I can now tick RSA off the list of major conferences I have yet to attend. Near-continuous back-to-back meetings, severe jet lag, a gathering of a ton of great people, lots of walking and hardly any sleep made it one of the most demanding conferences I have attended as an analyst… but it was still tremendous fun. Of course, fun is a loosely defined term, and I suppose I can sum it up by saying that the people who attended were awesome and always a pleasure to meet with.

Having said that, right now, I’m more than happy to not travel anywhere for at least the next 10 years!

 

If the YouTube video is blocked in your region, you may want to try the Vimeo version of the video.

 

RSA SF 2013 from The Cynic on Vimeo.

filed under Video

SQL Injection

by J4vv4D with no comments

Persistent Threats (yes, I dropped the advanced) get a lot of airtime, but if there ever was a case for a persistent vulnerability (PV), you’d have to imagine SQL injection (SQLi) being the grandmother of them all.

Ever since SQL databases have been used, input fields have been vulnerable to SQLi. If you were to humanise these components, an SQL database would most likely resemble a big lump of a man who doesn’t get out much. Morbidly obese and probably suffers from back acne. Like that late night security guard working at the reception desk in your building who always seems to either be munching on a slice of pizza or sleeping with his feet up on the table and his mouth wide open snoring loudly.

Lady SQLi is the young, irresistibly attractive lady who walks into that reception room and bats her eyelids as she asks if she could be let into a meeting room, or use the phone, the restroom or any other facility within the building. Despite having no ID or anyone to verify her identity, the big old database seems happy just to be noticed and is like putty in her hands.

There’s a lesson in there somewhere – I’m just not sure what it is.
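The reception-desk analogy in code, as an added example that is not part of the original post: a lookup that splices the visitor’s name into the SQL text beside one that binds it as a parameter. The visitor table, names and badge values are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: a visitor log in the spirit of the reception desk."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (name TEXT, badge TEXT, cleared INTEGER)")
    conn.executemany(
        "INSERT INTO visitors VALUES (?, ?, ?)",
        [("alice", "B-1001", 1), ("bob", "B-1002", 1), ("mallory", "none", 0)],
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the caller's input is spliced into the SQL text.

    A quote character in `name` ends the string literal early, so whatever
    follows is parsed as SQL rather than as data. Returns None when the input
    merely breaks the statement (a legitimate name like o'brien does that too).
    """
    sql = "SELECT name FROM visitors WHERE cleared = 1 AND name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def lookup_param(conn, name):
    """Hardened form: the value travels separately from the SQL text.

    The driver binds `name` as data, so it can never become part of the
    statement's syntax, whatever characters it contains.
    """
    sql = "SELECT name FROM visitors WHERE cleared = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    for visitor in ("alice", "mallory", "o'brien", "x' OR '1'='1"):
        print(repr(visitor), "concat:", lookup_concat(db, visitor),
              "param:", lookup_param(db, visitor))
```

The parameterised lookup gives the same answer for every input, cleared visitors only; the concatenated one either errors on an apostrophe or returns the uncleared row along with everyone else.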

 

filed under Video

Resolutions and Predictions

by J4vv4D with 1 comment

We’ve passed the mid-way point of January, but we thought it would be a good idea to share some resolutions and predictions for the year.

 

As you can tell, we didn’t do a very good job of agreeing on anything. I’ve been warned by Girl Cynic not to make any more predictions for the year or face the wrath of @krypt3ia (warning: some adult language in that post), so I won’t.

Generally, I’ve never been much of a resolutions kind of guy, but once we started talking about how to improve the videos I really found myself wondering – so I’ll put the question to you fine folk to help me find the answer:

1. Longer or shorter videos? Do you want more detail or are they fine as they are?

2. More education or entertainment? “Infosec Rockstar” was hugely popular, as was “Don’t encrypt passwords” – both polar opposites.

3. More videos or less videos? Are they too frequent? Do you never find time to watch them? Or do they tend to come out too slowly?

4. Anything else you want to add.

Thanks for your help.

filed under Video

AV “Really” dead now says security expert

by J4vv4D with 5 comments

London – New research published by another security expert who coincidentally works for an anti anti-virus company (AAV) has declared anti-virus to be really dead. An AAV spokesman said, “We threw everything we could think of at the laptop: chickenpox, foot and mouth, influenza, yellow fever, you name it, and none of the products detected it, resulting in a pure zero percent detection rate.”

An unnamed employee of a leading anti-virus firm lashed out, stating that the rumours of anti-virus’s demise have been greatly exaggerated and that it is alive and as healthy as a four year old asthmatic… running a marathon… uphill… breathing through a straw.

Twitter has been flooded with opinions with security experts weighing in with their opinions and arguing with each other with much name-calling and finger-pointing. One security expert said he had to log off Twitter for fear the echo chamber would explode.

filed under blog

Cookies and European Laws

by J4vv4D with 2 comments

Ever visit a European website and wonder what that message means that generally pops up telling you they use cookies? Well all is about to be revealed.

filed under Video