In the last few days, two very different companies announced two very different acquisitions. LogMeIn acquired LastPass for $125m whereas Dell made a colossal purchase of EMC at $63.1bn. When one of your favourite providers is acquired, it can probably be likened to when your daughter introduces you to the man she wants to marry. … Continue reading A tale of two acquisitions
Defcon talk: Chris Rock, I will Kill You
I thought the talk at Defcon by Chris Rock around exploiting the flaws in the deaths and births registration process was very good. More interesting than the technical aspects are the potential nefarious use-cases such as committing virtual mass-murder, or raising virtual babies for the purposes of insurance fraud, second identities and much more. This is important … Continue reading Defcon talk: Chris Rock, I will Kill You
Javtribution
Forget what you know, what you think you know about attribution - I present to you Javvad’s Attribution Methodology or Javtribution(tm) for short. Maybe Dr. Krypt3ia will yell Javtribution Shmattribution and try to poke holes in my findings - but I assure you, my findings can be considered holy enough without any poking. There are … Continue reading Javtribution
Become a Hollywood Hacker in 3 simple steps
Step 1: Setup a large screen on the wall. Play the threatbutt map on the large screen http://threatbutt.com/map/ Step 2: Whilst dressed up in your hoodie and surrounded by empty cans of energy drinks, keep looking up at the screen and uttering some techno-babble. It doesn't matter what you say as long as you say it … Continue reading Become a Hollywood Hacker in 3 simple steps
It’s simple, but not easy to become a better speaker
At RSA 2015, Thom Langford gave, in my opinion, an outstanding presentation entitled, Stop selling and start marketing your information security program. I shared it with a few of my friends who I knew were working on security programs at their own companies as there was a lot of useful information in the talk. One … Continue reading It’s simple, but not easy to become a better speaker
Security Haiku
Do you ever get bored when someone starts off a presentation by going over how bad the infosec situation is? They'll quote figures of breaches and how vulnerabilities are going through the roof. Or maybe you're pressed for time and need to get to the meaty part of your security presentation but want to make … Continue reading Security Haiku
Bane for CISO
Last weekend I came to the conclusion that Bane, the bad guy from The Dark Knight Rises, would make the perfect chief information security officer.
Think like a hacker
“You need to think like a hacker” This was the sage advice being given out by an industry veteran in response to a question about working up the infosec ladder. I started nodding in agreement but then stopped myself mid-nod. Thinking like a hacker is a great statement to make. It can fit comfortably into … Continue reading Think like a hacker
Is there a traitor in our midst?
Usually my research ends up behind the 451 paywall, but I noticed the good folk at Guidance Software have made one of my recent reports 'free' to download at their site behind a registration wall. It's part of research I'm doing looking at the insider threat market and I’d be interested to hear your views … Continue reading Is there a traitor in our midst?
The Cynic’s guide to ISO27001
Nearly every security practitioner is familiar with the ISO27001 standard for information security. A lot of companies base their internal security policies on it and third parties use certification to it as a gold standard. But, what do the statements, recommendations and controls actually mean? Working for very large organisations, I learnt them to mean … Continue reading The Cynic’s guide to ISO27001
