Category: Uncategorized

Recently, a colleague employed by a software company asked me a question. A client of theirs has requested that they amend their software to allow them to set all their users with a single identical password that the users can’t change.  He asked me, “isn’t this a bad idea, and is it even legal?” Let’s… Continue reading Why Your Password Is Important.

I hate almost everything about phishing tests and I think in most cases they are counter productive. This may seem like an odd statement from such a big advocate of “You can’t improve what you don’t measure” especially as I don’t hate the tests themselves, but I do hate why and when most people do… Continue reading You do phishing tests? Why?

This blog post has changed tack a few times in the last two days. It started to document my attempts to replicate a relevant and actively exploited vulnerability in a piece of software I know well and ended up a rant against vendors clamouring for attention without really caring about the impact inaccurate intel can… Continue reading Plex SSDP used in DDoS – Why poor intel in advisories does more than make researchers look bad

On Friday, F5 reported an unauthenticated remote code execution vulnerability (along with a second slightly less serious XSS bug that could also result in RCE) in the Traffic Management User Interface of their flagship Big-IP Load Balancer products (though it seems in-support customers got a heads-up on Wednesday) and they were so bad that US… Continue reading CVE-2020-5902- F5 Big-IP Vulnerability – Why we’re always fixing the symptoms not the cause

It can be really annoying when you reach that point on the security maturity curve when you start to identify vulnerabilities, but management just don’t seem to care. No matter how much red there is in Nessus, you just can’t get the resources to address it, it’s like they just don’t understand. It’s almost like… Continue reading Getting management to listen to you about vulnerabilities

From the outside, people either think InfoSec is all hoody wearing basement dwelling men-children popping shellz and catching cyber criminals or they are corporate cyber-police snooping on your web browsing and preventing people doing their jobs. And whilst there is a little bit of that, there is so so much more and because it’s not… Continue reading We suck at teaching the basics, because they’re dull!

People attending the 2009 BSides Liverpool got what they thought was a one-off chance to hear Jamie Hankins, who worked along side Marcus Hutchins on analysing and then sink-holing WannaCry, tell his side of how things unfolded. Jamie had originally said he didn’t want the video of the event releasing, but thankfully he recently relented… Continue reading Defending the world from WannaCry

So, I make no secret of the fact I officially came into my career in security quite late in life. It had always been a hobby and I’d spent my time in the usual Support/Sysadmin/Developer/Engineer trenches before wandering off into Project Management and Middle Management. When I decided I really didn’t want to be a… Continue reading The start of a journey …….

The Online InfoSec community is dominated by Offensive Security Specialists (be that Pentesters, Red Teamers, Script Kiddies or whatever) , but the truth is between SOC Analysts, Vulnerability Managers, Compliance Experts, Risk Assessors, Security Architects, Threat Hunters, Malware Analysts, Firewall Specialists, Bug Bountry triagers and Security Engineers (to name but a few) in the industry,… Continue reading Why?

My current CISO has opened my eyes beyond the technical aspects of security and taught me a lot about managing security. And by security, of course I mean risk, because like it or not, security is all about risk. Every IT and security team I’d been in previously had treated InfoSec at gatekeepers, as IT… Continue reading Lessons from my CISO – Owning Risk