Ep. 95, HuM@n fAcT0r5 (with Nadine Michaelides)
Jun 17, 2021
(2020-11-19) Cyber psychologist, stakeholder engagement, security training, motivation, weakest link
(00:34:00) “[…] You have to invest time in your workforce. Technology comes and go. But if you really want to have a secure environment with loyalty and the commitment and trust of your employees, then that has to be a long-term investment. And I don't just mean financial, I mean listening to them and working with them.”
We are joined by Nadine Michaelides who is a Sociotechnical Psychologist with a background in Stakeholder Engagement and Communications through high-profile Change and Transformation programmes. Nadine shares her perspective on:
Human aspect of Information Security
Information Security and Stakeholder management
Personal security vs business related security
Effectiveness of security training and how it should be adapted to different audiences
Necessity of security certifications
Plus all the awesome questions from the audience who joined us live.
Ep. 94, No punches pulled (with Eliza-May Austin)
May 11, 2021
(2020-11-12) purple teaming, enhancing women's abilities, LHS, HCSP, breaking into infosec
[00:25:55] “[…] and although people do say you don't have to be technical to be inside of it, that's correct. But it is also not true. So you don't have to be technical to be a cybersecurity recruiter, for example, or sales or service management. But it does help, hopefully, if they understand at least the technologies that their company is managing. Well, actually, whether or not you mean like a GRC role or project management role, you do actually have to have a good grasp of the technical in order to be good at what you're doing.”
Much overdue podcast guest – Eliza-May Austin, the founder of the Ladies Hacking Society (LHS), CEO and co-founder of th4ts3cur1ty.company and of PocketSiem, an HCSP (Hybrid Cyber Security Provider) tool.
Amazing conversation touching on:
Infosec beginnings
Job satisfaction - Red teaming, blue teaming and purple teaming
Stu’s London landmarks sightseeing trip after one award ceremony
BSides Manchester
Ladies Hacking Society – how/why it came about, core values and ethos of the community
Top Hats and Tails LHS/THMC meet up
PocketSiem
How to break into the industry, importance and respect for fundamentals and the long-term learning journey
Being banned on LinkedIn
Threat Intel
[00:35:48] “It's a non-professional event for professional people […] they're turning up, they know that they're going to have a good time, people genuinely have made friends that are potentially friends for life. They've met just having a laugh and having fun, and we stick to our core value, and that is to enhance women's technical ability and stature in cybersecurity community in the U.K. And that's what we do in and I think I think we're doing a good job with that.”
[00:56:36] “[...] if you really wanted to get into the industry and you don't really know where to start. My advice has always been - go on edx[.]org, go on Udemy, Microsoft Academy or whatever it's called now. There’re all these free resources out there, that are genuinely really good. They're good quality. You don't need to pay for them, and you can just experiment doing a couple of courses, maybe Cybrary or something like that and just see what you like. You know, if you get like a few modules and anything fucking this artwork and if it's hart works, it's boring. Don't do it. Go and do something else and just see what aspect of cybersecurity you like. Because it's not just one job. There's so many jobs in this industry.”
(00:28:15) “[…] I think people need that as well, you know, that they need somebody to believe in them, you know, because… because people surprise you when you believe in them, right? And when you give them time to grow.”
We are joined by Ian Murphy whose cyber awareness videos are truly something I look forward to every time. If you haven’t yet watched those hilarious and so creative masterpieces – you are up for a treat! Please check the links below. During this podcast you will hear about:
Working for the MOD, Symantec and moving to Australia
MDR - Managed detection and response
(Un)realistic job specs and recruitment issues
Marketing BS – how much more secure are we because of that?
LinkedIn and how it is failing
Ian’s awareness videos and other methods to educate about cyber risk
Importance of educating our next generation
(01:05:50) “[…] I think kindness is magic […] when you see somebody doing stuff or trying to do stuff, the easiest job in the world is to criticise from the side lines. […] the bit about respect or the bit about kindness is, maybe sometimes trying to see the context from what other people are trying to say. And if you're going to offer constructive criticism or opinion, do that in a way that is respectful […] Let's be a little bit more considerate of the other people we're trying to engage in.”
(01:16:50) “[…] go after your niche, find your niche, find the thing that makes you you and go after it and you'll have a lot of fun doing it, you know, and don’t listen to anybody who says you can't do it. What they mean is they can't do it and they don't want to see you trying to do it as well. So find your niche, go after it and have an unwavering belief in yourself.”
(00:50:46) “[…] We're not working in a pandemic, we are in a pandemic – working”
Please join Stu in this deep and thought-provoking conversation with Nicola Whiting, Chief Strategy Officer of Titania Group. In January 2020 Nicola was awarded an MBE (Member of the Most Excellent Order of the British Empire) for services to International Trade and Diversity. Their discussion touched on:
MBE and meeting Prince Charles and the Queen
Basic cyber hygiene and Cyber Essentials
Compliance vs security
Diversity and the importance of including Roy Disney and Walt Disney kinds in your company
Kindness, mental health and device detox
(00:23:17) “[…] Dan Ariely quote, where he says Big data is like teenage sex, I think that applies to, you know, basic housekeeping in networks. It’s like - Everyone talks about it, nobody really knows how to do it, everyone thinks everyone else is doing it, so everyone claims they are doing it too”
(00:30:00) “[…] we're all in this to do the same thing. We want to help people innovate. We want to help people drive business, and we want to help people protect the things that they've built. So we've only really got two jobs in our industry: making new stuff and protecting the stuff that we've made”.
Ep. 91, #VerifyIanColdwater (with Infosec Taylor)
Dec 26, 2020
(2020-10-19) SANS, Incident Management, DEF CON, WISP, Diana Initiative, mental health
(00:25:07) “[…] I'm one of those people that I don't really feel like there are mistakes, there's learning opportunities. And that probably sounds really lame, but everyone's going to make mistakes. And it's what you do with that. If you're going to, you know, take a bunch of time to be hard on yourself for it, you're never going to learn and grow because literally everyone makes mistakes. There's not a single person alive who has not made a mistake”
Whilst sitting in some random car park at night, Stu is having a conversation with Ashley Taylor about her infosec journey. Join in to listen about:
SANS programmes
Business risk vs technical risk
SWOT analysis
Advice on starting in Incident Management and good practice examples
Drama, bullying, harassment and their impact on mental health
"#VerifyIanColdwater" and the disappointing Twitter verification process
As well as the awesome questions from the community
Quotes: (00:47:10) “[…] I'm kind of in that generation of people where I have this very clear line between real life and online life, and I know I can separate that.”
(01:06:54) “[…] Everybody in the information security community is going to give you advice and you're going to think that you need to learn everything all the time and - don't! You are in charge of your own journey, and if that takes you years or you want to do it in days, it's fine. Whatever you want to do, it's your journey. Don't let other people define that for you. And it's such a, I feel, a such a young field that there's plenty of room, even if it takes you a decade to get up to speed it. There is plenty of room for you to make your mark. So don't be afraid, just - jump in!”
00:40:26 "[..] And so all of a sudden, people became less and less free with their information, less free about sharing stuff, both because, hey, now for the first time, we all knew people would be busted because so many people were being busted."
So we were extremely lucky to be joined by DethVeggie, the Minister of Propaganda for the CDC, aka The Cult of the Dead Cow. In this episode we discussed the following:
How Stu and DethVeggie met
How DethVeggie joined CDC
Some interesting stories about the early days of CDC and groups that emerged from CDC
What CDC are up to now and some exciting future projects
Conspiracy Theories (╯°□°)╯︵ ┻━┻
Discussion around privacy
Communities then vs Communities now
An amazing rant
And the usual questions from our audience live
Quotes:
00:10:14 "[..] And then came the day my parents got a six hundred dollar phone bill because I'd been calling BBSes and other parts of the country. And in fact, in other parts of the world, I remember calling places. In Sweden, for instance, and, you know, my you know, my dad kind of sat me down, was like this, this will not happen again, but in his thick German accent and I was OK, well, I'm not going to stop calling these places. So I guess they're going to figure out how to call them for free."
00:46:06 "Any time you introduce money into an equation, it is going to radically change it. So, you know, you can you can make an argument whether it's changing it for the better, for the worse on an on an individual basis. But, it will change it [...]"
00:59:38 "Somebody be busted for hacking and they would be in news stories like, oh, they cost three hundred thousand dollars worth of damage, it's like, no, they didn't cause any damage. What you're saying is that it cost the company three hundred thousand dollars to fix the hole that this person found it. They didn't make this hole. They didn't break anything. They didn't destroy anything. They just found a hole that was already there that it cost you a thousand dollars to fix your own holes."
Ep. 88, You Got Mail (with James Linton)
Dec 10, 2020
(2020-07-23) Social Engineering, Pranks, Infosec
00:06:10 "[...] maybe the first time I've ever read Daily Mail comments, but it kind of said, you know, this guy is clever and he looks to be working in security next. And I guess at the time so I thought maybe I could do that."
We love social engineering here at The Many Hats Club, so we were simply stoked to be joined by the awesome James Linton aka @SINON_REBORN, famed for being an email prankster who targeted officials at the White House and many other high-profile executives. His story is very interesting; in this episode we learn about:
Background into Email Pranking and Social Engineering, Web Designer > Social Engineer
Email Pranking Bank Executives
OSINT and Pranking the White House - Lessons learnt from the pranks
Writing a blog post with the NCSC
Phishing threats and BEC scammers
Pranking infosec people, and how that ended!
Getting into infosec and what he is doing now
Public speaking and talks
What training works, and what really doesn't
Scammers
And much more!
00:29:48 "[..] Oh, do you need an email address? Here it is. Now, that's not going to work every time, but I still had a secondary option to ask directly for the email address after that kind of trust was established. So I use that a few times to be fair, and it seemed to work a lot more than it didn't work, just kind of because, again, you don't look like a threat, is not asked for anything, and it's going under the guise of something that does happen"
(00:09:49) “[…] it is like steering a super tank on occasion. When someone says “It's been three weeks, why didn't you fix that?” It's like, well, it's just taken me a week to get it all translated into Japanese and arrange a meeting with the right person. Trust me, I'm trying to make this happen. I can't just click my fingers…”
Quentyn Taylor is the Director of Information Security at Canon Europe, Middle East and Africa. He talks to Stu about important aspects of vulnerability disclosure and bug bounty programmes: where to start, how to set the boundaries and how to drive business and budget decisions based on findings – amongst many other things. They also touch on:
Humble beginnings
Passport-less travelling
Amsterdam
Vulnerability disclosure and bug bounty programmes
Challenges for middle to large size organisations
Hyper verticalization of IT organisations
Waterfall vs Agile(ish)
Importance of understanding your own attack surface
Red & Purple teaming and driving budget conversations based on the findings
Internal auditing vs external bug bounty hunters
Value of prior experience and curiosity when transitioning to InfoSec
They finish the conversation with an excellent rant about the CISO – the sacrificial lamb of data breaches – cyber threat intelligence and a scientific approach to report writing. An excellent conclusion to this interesting podcast episode.
Further spoilers:
(00:23:55) “[…] people tend to overestimate the pace of change in the short term and underestimate it in the long term”
(01:11:20) “[…] don't set yourself up and say: “I must become a CISO is where I must be.” Now, there are so many other diversified senior roles that you may actually find more interesting, because if you're not enjoying your life, what the hell are you doing with it? […] do the job you enjoy. So find a place you enjoy, find a company you enjoy and enjoy it!”
Ep. 83, Journalism Dot Com (with Geoff White)
Dec 03, 2020
(2020-04-03) Infosec, Journalism, Privacy, OSINT
00:04:30 "[..] I find that really disturbing when I see a sci fi cliché and it's kind of coming true in real life. I don't like those moments."
We were very lucky to be joined by the awesome Geoff White @geoffwhite247, author of the fantastic book Crime Dot Com, and Infosec reporter for Channel 4, BBC News and The Sunday Times. In this episode we discussed the following:
Making Risotto with Prosecco :)
His journey into Tech and then Journalism
Discussion around investigative journalism especially in technology/infosec
Importance of Open Source Intelligence, and verification of stories/sources
Leaks and Whistleblowers
Facial Recognition and Privacy
Writing his book, with some amazing insights into the stories behind the book.
And many questions from the audience
00:06:20 "There's no point in doing it if we never get on air. So I started, you know, attending these cybersecurity conferences and learning about cyber crime and just thinking this is where it is"
00:46:10 "I've kind of realised the people in power and responsibility in your life, you kind of take it for granted that they know what they're doing and they make good decisions. And this is the biggest lesson for me is that's not necessarily true..."
(00:09:05) “[…] it's OK to specialize, you don't have to know everything. And I think in today's age, it's obscene. You just wouldn't be able to know everything, you know. And I think this is expectation that, oh, you know, if you're a pentester, you need to know everything. I know a lot of good pentesters (who won't admit it) but they don't know the Cloud. They don't know the real Cloud. I would if I was doing it now, I'd look for what really gets me excited […] So I think pick what really gets you excited and concentrate on that. Ignore what everyone else thinks. They don’t matter. What matters is what you're going to pull your effort into.”
Stu had the pleasure of listening to the incredibly humbling story of Daniel Cuthbert. He is a co-author of the OWASP ASVS standard and currently holds the position of Global Head of Security Research for a large corporate.
This incredible conversation touches on the following subjects:
OWASP and the humbling journey till now
Times when World Wide Web was not a thing
Importance of self-development
How to start in hardware (some great advice there!)
Money vs job satisfaction
Threat modelling and bug bounties
Experiencing Chernobyl as a creative
Photography in a conflict zone
Court case and changes to Computer Misuse Act 1990
(01:06:13) “…submit it and if you see who's on the review board and you want help, reach out. And my offer still stands. My DM’s are open. […] But I will, you know, if I can help the submission, understand it and help you rewrite it and go from that, it doesn't have to be for Black Hats or BruCON or DEFCON or 44CON that I am involved in - it could be for any con”
Ep. 81, Hacker Rhymes With.. (with ytcracker)
Nov 29, 2020
(2020-03-13) Hacking, Nerdcore, Appsec, Community
00:03:55 "And I, you know, being on the Internet and then knowing how fragile everything is to is, just kind of scares me because I know what code runs and prod and how terrible it really is. And there's gnomes that are flipping switches at any point and anything could go down..."
In this episode we were dropping some sick infosec rhymes with YT Cracker, who has a fascinating infosec journey and music career. He currently works in appsec for a large online company. In this episode we discuss:
Journey into infosec
Hacking "back in the day"
Appsec
Breaches and security culture
His awesome music career
His journey to Sobriety
Attitudes to the community - be happy, be cool to each other.
00:12:20 "There's a there's a maxim that I used to say on digital gangster that was a digital gangster is only as broke as his morals will allow."
00:42:25 "And I just started making beats and then. I was playing guitar, too, but I wasn't really recording the whole thing was, is I just I listen to rap a lot and I liked rhyming words. And so those two things kind of came together and I just was rapping about the stuff that I knew."
00:50:19 “…So if someone says: “Hey, I'm worried about obscure threat” then it's like “Well, OK, that’s probably a valid threat. But let's take a look at your overall defensive strategy and say, well, this is where you're most likely to get attacked from, like unpatched public facing stuff for social engineering or a supply chain. Why don't we just focus on those three things? First, and if you can close those, your actual risk well, will go down considerably. And then we can maybe think about obscure risk X, which some vendor at a conference told you was very important because I had a big booth”
Our today’s guest is Javvad Malik, a Security Awareness Advocate at KnowBe4. He is possibly best known for the hilarious Security Awareness videos – please check the links to YouTube channels below.
During this insightful episode Stu and Javvad discussed:
YouTube channels, Host Unknown and using laughter to increase security awareness
Importance of building trust and relationships BEFORE you need them
The role of a Security Advocate/Security Evangelist and the need for continuous research, education and raising the bar
FUD – Fear, Uncertainty and Doubt – and how to protect companies from the unethical approach of monetising the industry
Power of influence
Value of collaboration projects and blog updates to address common issues and give back to community
Plus all those amazing questions from the community
00:54:55 “So if there's one thing I really want people to do more of, is to set up a blog and just use a free one using WordPress or whatever, you know, any free blogger […] set up your own blog, just call it whatever and just put your thoughts down on there. And I think it will help you immensely as an individual. But more than that, it will help others in the community as well”
Ep. 77, Breaking and Entering...your network (with TinkerSec)
Nov 24, 2020
(2019-10-25) Red Teaming, Physical Security, Social Engineering
00:04:57 "...And the guy that was in security, he goes, look, I don't care what your degree is. You know, if you stop learning after two weeks, then you're obsolete to me. And here, go study all these things and come back to me."
One stormy night Stu was in a car park "near where he lives", and we were joined by Tinker to talk about all things Red Teaming; it really was an amazing experience. Tinker took us on a wild ride through the following:
Origins into infosec, from Marines, Blue Team and then Red Team
What it takes to start in Pentesting
Physical Security and Red Teaming war stories
Why he hates social engineering - but is very good at it!
We learnt about Dallas Hackers!
Proxmark and RFID
Mental Health and Burnout and how to prevent this
And the usual rant and questions from our awesome audience who joined us live.
And don't forget to subscribe and share the podcast with all your infosec friends :)
00:08:03 "[..] So I'll be like, hey, I got this access. And she might be like, Oh, I'm gonna the take that. I'm a piggyback off that I got this access. I go, Oh, with that access I can do this. We leapfrog each other and feed off each other, both on ideas but also on skill."
00:13:47 "[..] And I ain't saying they're Russian. I didn't check their keyboard layout. But even if they're bouncing through Russia, it's like, oh, you know, I kicked in the door and found a Russian sitting on the couch."
00:23:30 "They went to layer one and looked at the switch location and where the physical jack was. And these two. I mean, I'm talking like beefy and angry looking blue teamers came around the corner, just looking angry."
00:45:00 "But my sons literally are my life. So everything I do, I do for them."
Ep. 75, Whales (with John McAfee), part 1
Nov 19, 2020
(2019-10-19) Infosec, NSFW, Crypto Currencies
00:04:39 "...if you don't leave this world better than you arrived then somehow you fucked up."
Warning: NSFW, or probably life. So last year Stu managed to get John McAfee on our Twitch channel (twitch.tv/themanyhatsclub), yes, the Anti Virus pioneer and polarising internet personality. It is very important to note that the views of John McAfee do not represent those of The Many Hats Club or Stu. This episode was recorded before his arrest in 2020.
We had no idea what to expect when recording this episode, especially the bath salts stunt, which was meant to be a joke but backfired! So be warned again: there are some very adult themes discussed in this episode, and please don't do anything discussed in this podcast!
In this episode with John, we discussed the following:
His career and background
The Origins of McAfee Anti-Virus
His work in other start ups
How he started in crypto currencies
His time in Belize
Whales and Bath Salts warning NSFW
What it was like being on the run
And many audience questions
00:19:50 "I've been on the run for almost 40 years from something"
00:22:31 "...Well, you have you ever heard of the SIM swap social engineering? That happened to me. So now I will never give my phone number out to anybody, or at least certainly not link it to any social media account."
00:39:40 "So what's wrong with it is we're focusing on the antivirus paradigm, which is what I invented fucking 30 years ago, and it doesn't work any more"
00:28:21 “…I want them to know I'm there. I want them to think I'm there. Even if I'm not in that specific discord chat, I want them to be concerned- because people are less likely to misbehave if they think that someone is watching them. I'd rather deter them from doing this in the first place, then have to go and deal with the whole court system and get them in trouble for it. If we can just stop people from getting victimized before that happens, that’d be great.”
This episode is extraordinary, and there are a number of reasons for it. The first reason is that the subject discussed is not only important but most often unknown and misunderstood by the majority of people. The second one: it was the first time ever that the entire audience was allowed to say something. Listen to the end to find out why.
We are joined by Katelyn Bowden who passionately talks about The BADASS Army (Battling Against Demeaning & Abusive Selfie Sharing). It is a non profit organization - a collection of victims of image-based abuse who fight non-consensual pornography and all of its forms.
They do that through LEET:
Legislation – working on improvement of the current US laws as they are built around the intent to harm which is very difficult to prove;
Education – Keep the privates – private; teaching how to sex safely and protect one’s privacy;
Empowerment of victims – raising awareness of what can be done in case of non-consensual image sharing utilising The Digital Millennium Copyright Act (DMCA);
Technology – providing basic cybersecurity awareness training, developing programmes and working with platforms to prevent the revenge porn from happening.
The biggest revelation of this episode is learning what the source of revenge porn usually is. Most of you (like me), before listening to Katelyn, probably had this idea of an outraged ex sharing the nudes online.
Well…. Have a listen… It is indeed a very interesting and eye-opening conversation. Katelyn and Stu cover lots of aspects of this subject:
How it all started
Shocking statistics around non-consensual image sharing and the whole subculture of it
OSINT, OPSEC
Deep nudes/deep fakes
Victim trauma and different layers of it
Mentorship by the LE, civilian undercover work and infiltrating discord (do not try that at home)
Punishment (from the legislation point of view of course)
“Get my tits to DEFCON” scholarship 2019 – It raised an amazing $13,560!
Ep. 73, Cyber Expert Advice (with Robert Pritchard)
Nov 11, 2020
(2019-10-17) Leadership, Government, Blueteaming
00:03:21 "My first job was a blacksmith. I spent some time blacksmithing and get kicked by horses and getting burnt on forges and stuff".
So we were lucky to be joined by the amazing Robert Pritchard aka @thecybersecexp many, many months ago. After spending five years doing security risk assessments at a major investment bank, he worked in a variety of security roles in the UK Government, before becoming deputy head of the Cyber Security Operations Centre. He is the founder of The Cyber Security Expert. On our podcast we talked about the following:
Looking back at infosec early 2000's
Risk Management & Infosec for a leading investment bank
Early social engineering attacks
Working at The National Infrastructure Security Co-ordination Centre (NISCC) and in Government protecting critical infrastructure
History of UK Government Security Strategies (really interesting, this).
Infosec for the London Olympics
Career advice
Amazing rant on Risk Management!
And as always many questions from our audience! Links below:
00:14:35 "They had this great tale of how they tracked down scammers and stuff. It is amazing that a banking Trojan was considered novel in the world of banking in those days, which shows you how much things have changed in a relatively short time"
00:29:44 "But spent the first two years, 11 months convinced that somebody was just gonna walk up behind me, put the hand on my shoulder, and say Mr Pritchard I think we can all agree there's been a terrible mistake, and escort me off the premises"
Ep. 69, IS IT A CROW?! (with Gabe a.k.a. infoseccrow)
Nov 07, 2020
(2019-09-24) Blue Team, Infosec Community
00:02:40 "Infosec was not whatsoever a thing that was on my radar when I was looking at what do I want to do. Computer is the I love them. I grew up with them. I attribute having a computer and playing with it and continue to do so to following this path..."
Pre that covid thing, Stu hosted a podcast with the awesome infoseccrow. Originally a sysadmin by trade, Gabe is now a seasoned security leader and director with a deep technical background and broad experience in business and in technology. Gabe is also President of the UK Chapter of the ISSA. In our podcast we discussed:
Origins into infosec
Blueteaming
Security Metrics that make sense
Threat Hunting
Risk Management
Effective Penetration Testing
A superb rant, plus a lot of questions from the audience, as per usual.
Ep. 89, What The Beer Farmers Think No. 12
Sep 03, 2020
(2020-08-24)
It took many months for them to come back (one, really) but our friends are back with another episode of WTBFT. The lineup, fluid as always, has changed again (hello Scott!) but not as much as what they, in fact, think about:
The Beer Farmers are not The Many Hats Club (but we love each other),
Domain registrars and email marketing companies, the more customers the more money, no matter the use?
BT Hubs and 'security reasons' and the reasons behind it,
Online, pandemic cons and lives reality,
Infosec Happy Hour!
Kevin M. is still a... whoever he was,
Twitter sensitive topics (there's no easy way to put it),
Ep. 87, What The Beer Farmers Think No. 11
Jul 23, 2020
(2020-06-30)
Despite all evidence pointing to the contrary we have, in fact, made it to the 11th episode of What The Beer Farmers think - a monthly (almost) episode about, well, what the Beer Farmers think:
not patching: an old problem that never changes,
another DDOS, how do clouds handle this,
TikTok: it's bad, but is it the worst,
security absolutism: it's not 100% secure, but so what,
Ep. 68, A View From a Blue Mountain (with Rey Bango)
Jun 23, 2020
(2019-09-20): blue team, breaking into infosec
[00:26:45] The saying goes, and it's so true you know, an attacker only needs to be right one time. The blue team needs to be right a hundred percent of the time. And that's the truth.
This time on the best podcast within the inner planets we had Rey Bango, Microsoft Security Advocate, past developer (do you ever stop being one?) and a founding member of jQuery. He started at Microsoft many years back as an IE evangelist and over the years transitioned to the security side, still at Microsoft. Some of the topics covered:
breaking into infosec from other areas of IT,
blue team has to be always right,
building up confidence for public speaking,
attending conferences - the good and the bad, and how it helped Rey,
plus a lot of questions from the audience, as per usual :)
More views here:
[00:02:17] I think one of the first sites that I found was The Many Hats Club, when you were all first starting out. (...) The great thing about it is that it gave me kind of an overview of what the security community was like and some of the interactions that were going on.
[00:19:30] Most of the time when you get into security, what do you do? You go out, you download the Kali ISO and you sit there and you stare at it, and you're like oh great I got a Kali ISO, woo.
[01:12:49] It takes a village to raise a security professional. You know basically what it means is that we should all be helping each other out to solve for the common good, not making anybody feel like they can't ask a question because they should know.
Ep. 67, StuCon (with Stu, Stu and Stu)
Jun 17, 2020
(2019-09-05): history, rants, hiring, future
[00:06:44] We're banging our head against the same wall. Why hasn't someone kind of woke up and gone 'We need to change. This is not working.'? And the few people that do just seem to get acquired by a major corporation and we go back to the status quo of not talking the same language as everyone else.
This special episode brought three Stus – Stu Peck, Stu Hirst and Stu Coulson – into one virtual room for an extra long episode about the State of the Industry. Stu Hirst does cloud security at Just Eat, previously Photobox, Capital One and Skyscanner. He is also a co-founder of Cyber Scotland Connect, which runs security meetups. He previously joined us over a year ago on episode 11 of the podcast, talking about challenges facing blue teams, imposter syndrome and future attack trends. Stuart Coulson runs HiddenText, a consultancy business providing strategy advice. He previously worked for Cyber Security Challenge, Secarama and NCC.
The Stus talked about:
was before better than it is now in infosec?
burnouts,
best and worst of 2019,
HR, hiring, inclusivity, HR gatekeeping,
being part of the awesome infosec community.
Their takeaways?
Stu Hirst: overlook the drama, focus on the good parts of the community,
Stu Coulson: the community is fighting for the same things (stopping bad guys), so let the community help when things are hard,
Stu Peck: stay awesome and learn from other people.
If that did not convince you, this will:
[00:08:32] It's almost like drug laws. It's like, you know, you can keep carrying on doing the same thing you're doing and it doesn't work. Or you can have a selection of people who can help define a different way to do it.
[00:08:33] Companies take on reasonably junior roles by job title or position in the business. But then you'll become the main security person in that business, the amount of work that's on your plate and the amount of risk that you've got to take on compared to your salary is I mean (...) just laughable.
[01:55:16] This industry is phenomenal (...) to be part of something bigger than just, you know, picking up your paycheck and paying your rent (...) we shouldn't underestimate that. I love it. You know, this is my career for life, and I'm pretty humble and thankful to be part of it.
Ep. 66, The state of online training (with James Hadley)
Jun 10, 2020
(2019-08-21): certifications, trainings
[00:21:54] There's an overreliance on certification, so people assume that because someone can pass a multiple choice exam, that they have skills that are effective in the workplace. And I don't think the two correlate.
This time on a very rainy night we had James Hadley, CEO of Immersive Labs and an ex-GCHQ trainer, to talk about online training, certifications and the state of this part of our industry:
how James got into infosec,
how did Immersive Labs come about,
resources, skills and mentors,
Rant of The Episode: HR gatekeeping.
But wait, there's more:
[00:02:01] I got into infosec when I started trying to do things I probably shouldn't have done. So a good example was trying to bypass the control system on the that they kind of stopped us from getting access to the file system to stop us playing games, trying to find out ways to bypass that.
[00:09:05] What we saw was if people had the ability to self research, troubleshoot something, try something, read a number of articles and try again. That research phase of trying things are learning that knowledge generally sticks.
[00:34:02] I think it's fundamental for people to get the basics of computing under their belt. So rather than jumping straight to 'I want to be a red teamer and use Kali', clearly understand what an operating system is, how privileges work and networking.
Ep. 65, Cyber Warrior Princesses (with Becky Pinkard and Dr. Victoria Baines)
Jun 06, 2020
(2019-07-30): law enforcement, (cyber)crime, empowerment
[00:25:28] "When I worked at Europol, I was the only female team leader out of nine. Now I go and speak at infosec events where I won't be the youngest female person in the room anymore. That is absolutely fantastic."
For the first episode of the second season of The Furry Hats Podcast we started big with two fantastic guests: Becky Pinkard and Dr. Victoria Baines. Becky is a cyber security executive and published author, as well as co-founder of ‘We Empower Diversity in Start-ups’. Vick is a former law enforcement intelligence analyst with experience in investigating cybercrime and child exploitation, currently an independent researcher. Together they host the Cyber Warrior Princess podcast (Apple, SoundCloud).
Some topics covered:
backgrounds, how they started and got where they are,
emotional effects of working with child abuse cases for a long period of time,
Twitter, women in infosec, representation and discrimination,
random segue into Stu talking about how he looks like Boris Johnson,
working at Facebook, social media working with governments and transparency reports,
advice about getting into law enforcement.
If that did not convince you, here's more:
[00:09:30] So my PhD is in classic literature. So Roman satire is my subject which like the only way I can describe this is it's like Private Eye, but two thousand years old but in Latin.
[00:12:32] When I got to Europol, I was suddenly branded as the person who knew about online stuff and could write reports about online stuff. So almost despite myself, I ended up writing the first SOCTA, which was the first EU threat assessment on cybercrime.
[00:48:20] What was it like working at Facebook? So when I first got there, it was a bit like a breath of fresh air. Someone from law enforcement asked me, 'oh, what's it like working on the dark side?'
[01:06:22] I used to be regularly contacted by law enforcement agencies and lots of different countries who would say 'oh, we've suddenly lost access to our Facebook page and (...) you urgently need to reactivate it' like it was my fault.
[00:17:34] Well we take them outside and then we beat them thoroughly for about 20 minutes just to make sure that they're made of the right stuff
On a sunny May day, we had the pleasure of Mike Koss joining us. Mike is a retired hacker with over 2 decades of security experience, currently in a head of security role and served on the InfoSec Europe 2019 CISO advisory board. Some of the fascinating topics covered:
a path from a morally bankrupt blackhat teen to whitehat head of information security,
CISO experience, hiring and onboarding people into his team,
working for Disney, how it differs from other companies,
Rant of the Episode: ticking a compliance box, CISOs not knowing security basics.
TL;DL:
[00:01:09] I started in infosec on the wrong side of the law back in 1995;
[00:09:54] To be honest morally it was kind of like selling my soul a little piece at a time which I now have not, I'm completely devoid of soul;
[00:14:36] I think I had dreadlocks at the time as well and occasionally wore the old black nail varnish;
[00:57:11] with all the resources at all the conferences and all the avenues to learn I'm still astounded when I go into an organization and I see the lack of care or lack of any sort of progress that has been done for five 10 years or any lack of vision.
Ep. 54, Web is all around (with Sean Wright)
May 28, 2020
(2019-03-23)web and application security, bug hunting, disclosures
[00:15:43] Everyone makes mistakes. Software has bugs. There's no software out there that is totally bug free
The most famous infosec podcast on this side of Milan had the pleasure of having Sean Wright, one quarter of the (fluid) lineup of The Beer Farmers, as a guest on this fine March evening; a short but very concise episode where we heard about:
Sean's path to the industry,
tools of daily use,
disclosures: public, responsible,
Rant of the Episode: putting stuff on the open Internet.
[00:02:19] We spent a lot of time trying to find vulnerabilities in that. Let's just say we've found some that allowed us to get admin access to some of the computers and we had great fun,
[00:05:37] I'd say, start with the basics and learn things like the OWASP Top 10. Get familiar with things like XSS, SQL injection. There's certainly a lot of courses, especially universities that don't introduce developers to those concepts. That's kind of why we have this whole problem that we have today in some aspects,
[00:15:43] Everyone makes mistakes. Software has bugs. There's no software out there that is totally bug free. So it doesn't mean they're doing a bad job or anything. Companies need to take that on board and realize when they get these security vulnerabilities brought to them, it's not a criticism of them.
Ep. 85, Time has no meaning anymore (with Stu and a lot of guests)
May 27, 2020
(2020-05-21): mental health
A special edition of our podcast for Mental Health Week and the world we are in right now. Stu and many guests: Chrissy Morgan, Mike Thompson, Sean Wright, McLabraid (with an attempt at the intro), ZoomerX, RiceOperator talked about how they are coping (or not) with being Under Pressure (Do do do bah bah bah bah O-kay). This is all for you - so that you know that you are not alone in this!
(2019-03-21): Aadhaar, bug hunting, vulnerabilities and disclosures
[00:16:35] People deserve to keep their data private
This time on the best podcast in the hackerspace we had Baptiste Robert a.k.a. fs0c131y interviewed by Stu On A Train talking about security research, mostly with respect to privacy. We are sure you know Baptiste from his Aadhaar (Indian identity number) research, in this episode you will find out more about this and other topics:
how did he come about researching Aadhaar - and what is it,
sources of Twitter trends, relations analysis,
negotiating with the receiving end of vulnerability disclosures,
Plus a flurry of questions from the audience.
[00:17:17] sometimes [...] to make people fix an issue you have to do some name and shame
(2019-03-07): containers and k8s, DevOps and security
[00:27:49] Don't sell yourselves short in terms of what knowledge you have
Before the world turned all to geese we had Ian Coldwater as a guest on our famous podcast talking all things Kubernetes. They started in a purely DevOps role and moved into infosec from there. Ian also proves that you can be a full time mom and go back to work and rock it!
Important note: Ian talks about Girls Taking Over and how you should DM them - DO NOT, please contact CTF_Circle instead.
moving from pure developer environment to devsecops;
how did Ian get into hacking k8s, toolsets, labs;
public speaking, making your talk interesting;
Twitter community: the good, the bad and the ugly;
Rant of the Episode: how DevOps people think infosec is full of toxic people;
interleaved with questions from the audience.
Highlights!
[00:05:35] hacking really appeals to me [...] it's really cool that I can do work that I really love and get paid for it; and the people in infosec are really great;
[00:13:20] like a lot of other pentesting work - you want a sexy 0day, you end up with admin/admin;
[00:58:54] let's find ways to not be seen as awful jerks and blockers because I don't think that we are that, I think we're better than that
Ep. 49 - From virus wars to weaponised toasters (with Mikko Hyppönen)
Feb 28, 2020
(2019-03-01): early viruses, future threat intel
[00:27:45] If it's smart, it's vulnerable
Unusual time for us (Friday afternoon) but for Mikko Hyppönen we are happy to bend the rules! CRO at F-Secure and with the company since 1991, and a proud owner of a pinball machine. It all started with C64 and programming in Finland and through the years - support at F-Secure, reverse engineering, educating, public speaking and teaching he finally made it to our podcast. A short episode but a lot of topics have been touched upon:
from analysing viruses in the 90s to F-Secure;
war stories - early virus outbreaks;
blackhats and a career in infosec;
organisations vs APTs and intelligence agencies;
hiring in infosec;
Rant of the Episode: why are passwords still used for authentication;
And audience questions!
If you need more encouragement to listen:
[00:19:12] if you have been caught, you've been sentenced and you've paid your dues to the society, the society should welcome you back;
[00:26:35] the attackers are not interested in your toaster, they are interested in your network. If your toaster is on the network, it's gonna be the weakest link;
[00:40:45] pick your niche and run with it and become as good as you can.
(2018-11-23): technology, mental health, surviving in infosec
[00:28:02] Best thing you can do about yourself is, you be you. Don't hide yourself. Stop hating yourself
Before we all found out that we are all notdan we had the notdan, Infosec Cartoon Doggo, Professional Shitposter and, foremost, expert on many things security as a guest on our famous podcast. Notdan's fire for technology started when his parents grounded him and he found a way to bypass the password. He started with BBSes and, as one thing led to another, security became his thing, especially network intrusion. A broad spectrum of topics was covered:
tips for making a break in infosec;
a take on responsible disclosure*;
horror stories: bad full disclosures;
notdan and Tesla: a love story;
Twitter infosec community; detox and taking breaks from infosec;
mental health;
DDoS mitigation/network intrusion stories;
plus, as always, lots of side quests - you need to hear it to believe it!
Teasers and otherwise
[00:07:40] "Keep going with your passion, and use the jobs which closely align with your passion and go along with it." - notdan. Learn and progress. It takes time to be a hacker;
*[00:36:15] Tesla is the next Apple;
[00:48:12] If you are in the dark place and trying to reach out, take a leap of faith and just go for it and get help. Half measures isn't gonna help. Ignoring it isn't an option.
Ep. 80, What The Beer Farmers Think No. 10
Feb 19, 2020
(2020-01-31)
It sounds unbelievable but this is the 10th episode of What The Beer Farmers think, a highly-irregular show about (information) security; and this time specifically about:
BeerConOne: what happened, what did not and general reflections;
thought leaders, influencers, vendors, toxicity - 18 months later;
High Risk Vendors;
21 years of SQL injection - and still going strong;
[01:49:22] sometimes you need help to get to the point where you can actually start helping yourself
On this moonlit February night our guest on The Many Hats Club was Cheryl a.k.a. 3ncr1pt3d: a passionate threat intel analyst, mom, and, which may be what you know her from, one of the founders of the Diana Initiative. We talked about:
getting into infosec: Star Trek, interior design, law firm;
Ep. 45, Banks' Most Wanted (with The Stu)
Nov 03, 2019
(2019-02-06): Social Engineering
[00:51:10] I'm still learning pick pocketing at the moment...it helps when stealing badges
So this time we have Stu as a guest, repeating the winning format with ProxyBlue as host. The format for this podcast is an AMA (Ask Me Anything) where we learn about:
Stu's back story: Pottery > Recruitment > Infosec > Social Engineering
How Stu learnt social engineering as a recruiter
Bank jobs in the US, as a Brit
Social Engineering Methodology
War story, after war story
Importance of Open Source Intelligence (OSINT)
And a lot more..
Plus all those wonderful questions from the audience (thank you).
[00:03:06] Started recruiting people into infosec..that's where I picked up my skills around social engineering, I was taught to lie, or profiling companies as we called it..
Ep. 44, Stories from the other side, part 2 (with Jack Rhysider)
Oct 29, 2019
(2019-01-24): darknet diaries
[00:03:21] "I want to interview people who've been hacked, or done a hack. I wanna hear the emotion or the panic; get the crazed look in the eye that nothing is ever gonna be the same again"
We were joined again by Jack Rhysider from Darknet Diaries (we lost our previous talk recording), a fabulous podcast about the human side of hacking, and great stories told by those who were involved.
In this episode we talk about;
Defcon 26 the last time that Stu met Jack
Jack Rhysider conducting his own investigation into iTunes scams (chart breakers)
How Jack researches his stories for Darknet Diaries podcast
From SOC to Podcaster- background story
We also talk about Mobman, a previous guest on TMHC and Darknet Diaries, and the controversy surrounding his story
How to start a podcast, or go Pro!
And as usual answer questions from the live audience
darknet quotes
[00:42:37] "...There was this one case, a guy used nothing special to hack a slot machine, and was just pushing buttons on the machine itself, no magnets no external components, just the buttons on the machine to make it spin out extra cash. And they tried to try him under the CFAA..."
[00:49:11] "... What I get a lot of requests on, besides how do I hack my girlfriend's Facebook account, or whatever.. the number 2 question I get is how do I get started in this? ... I'm in a good position to guide a lot of people into this industry.."
Ep. 43, S in Cloudsecurity stands for... (with Francesco Cipollone)
Oct 22, 2019
(2019-01-17): cloud and app security
[00:54:36] It's just one great example on how much we've become complacent, because until something hits you in your face, you don't realise how dangerous this stuff is.
Presented from an airport, we have Francesco Cipollone, founder of NSC42, with a rant filled talk about cloud security, securing the infrastructure, and security practices. Topics covered in this talk include:
application security;
vendor security;
securing the infrastructure;
enforcing good practices;
responsible disclosure;
Rant of the Episode: not doing the basic things right.
Some quotes to grab your interest:
[00:04:43] The best way, I think, to learn stuff is to teach;
[00:42:09] go back to the design board and start saying "this is what is right, this is what is wrong", and start doing that from a logging perspective;
[00:50:39] Your normal admin, at this point in time, is saying "Oh, this is boring! Why do I need the multi-factor"; while tomorrow, my normal admin is saying "Why am I accessing the production server without multi-factor?".
(2019-01-06): pirates, social engineering, awareness
(00:01:27) Started working in anti piracy intelligence off the coast of Somalia, which is a bit abnormal for a straight out of university, blonde middle class girl.
We were joined by Lisa Forte one evening a long time ago, where she shared her awesome experience and background, everything from Anti-Piracy Intelligence, working in Intelligence Services, Cyber Units in the UK Police Force and starting Red Goat Cyber. In our talk we covered the following:
Hunting Pirates (yes actual pirates!). Can I get an arrrrrgh?
Intelligence gathering, and counter intelligence techniques
Lisa and Stu shared some Social Engineering war stories
The power of training
Cyber War Room Simulations
Public Speaking
What makes this community great!
Stu rates this talk in his top 10.
Something to get you interested:
(00:21:01) "Sometimes you really need a safe word.."
(00:45:54) "Situational awareness is really important, this is something I've been trying to get across to my own family."
Ep. 70, What The Beer Farmers Think No. 8
Oct 14, 2019
(2019-09-26)
On the eighth (approximately... bi-monthly?) episode of What The Beer Farmers think the group was caught off-guard in Scotland, and this is the recording of what happened when they only had one microphone to speak about:
BSides Manchester;
vBulletin 0 day;
forced updates on Windows: yes, absolutely, but;
iOS13 location privacy bug, is the QA slipping?
how much is your (breached) data worth?
we need more (infosec) success stories;
Crown Sterling story;
and the key feature of the evening: a lot of information about the upcoming online security conference organised by The Beer Farmers: Beer Con One, hashtag BC1, and the important fundraising campaign around it: https://www.gofundme.com/f/beerconone.
Thank you Mike, Ian and Sean for being here for us!
Ep. 71, A personal story that many of us can relate to (with The Stu)
Oct 11, 2019
(2019-10-08): mental health, motivation to continue
This time we had no guests - or, you all were our guests as Stu guided us through some of his personal stories in the context of keeping your head straight and your mental health under control.
No quotes, no teasers, as it wouldn't do the justice - please take a moment and give it a listen.
Ep. 41, Security parental advisory (E) (with Ed Tucker)
Oct 08, 2019
(2019-01-10): risk management, corporate security culture, blue side, rants
[00:20:06] we have policies that are written by security for security that no one ever reads let alone understands or adheres to. They've written like Ten Commandments thou shalt not share thy password. Why not. They never explained why not or what the alternative is. [00:20:21]
The second episode of 2019 brought us Ed Tucker with his fantastic, straight to the point and tell-it-how-it-is Brummie personality to speak about the ever changing security landscape - or, how some things just don't change. Details:
stocking shelves -> pub support -> HMRC -> European CISO Of The Year;
jumpstarting security at HMRC;
security's problem: we assume the controls work, they don't;
helping security startups;
and the first edition of what is now known as the "Ed Tucker Rant";
plus questions from the audience, as always!
More details
[00:04:21] There is a little potted history with me that almost everyone I've ever worked for has gone bust, apart from Fujitsu and HMRC [00:04:29];
[00:07:11] like most people my age is at some point in my life I tripped and fell into security because it didn't exist as a career path [00:07:18];
[00:20:41] we have all these various controls in place and most of them don't work; firewalls that effectively are there to heat your data center because no one's got a bloody clue what rules are on them [00:20:51];
[00:57:57] Someone will always click that always open or they'll reply or do something. It's almost inevitable. [00:58:02];
[01:27:34] There was a great thread on Twitter not so long back about someone who is basically saying that if you weren't that ninja coder that you were basically substandard infosec it was like fuck me that's so wrong [01:27:48].
[00:18:38] There's plenty of companies out there looking for skilled testers; it's just making them aware you exist
On the first episode of 2019, we have Ryan Dewhurst aka @ethicalhack3r, founder of Dewhurst Security; the wpscan tool; and DVWA (Damn Vulnerable Web App), to talk about WordPress security and the story behind his projects:
Hobby -> Professional Security Testing;
Background of DVWA and wpscan;
Challenges of commercializing wpscan;
Security of WordPress;
Full disclosure vs responsible disclosure;
Tips for starting out;
and many questions from the audience.
Teasers:
[00:26:18] - When I started university in 2008, I didn't even know another person who did computer security, ethical hacking, and nowadays it seems like everybody is doing it nowadays, so it's definitely come a lot commercial;
[00:58:41] - It's nice to receive a bounty; I think it's right that they should, but don't think it's a right. It's more of a privilege than a right;
[01:02:37] - My first project, DVWA, I was creating something to help me to learn, because we may find that useful, and I think when you're a beginner or when you're just learning, I think that's a great thing to do;
[01:13:47] - As long as you're passionate about what you're doing, you're thinking outside the box, and you're doing more than what's asked of you, I think people will pick up on that.
Ep. 64, What The Beer Farmers Think No. 7
Jul 30, 2019
(2019-07-29)
The seventh (approximately monthly) episode of What The Beer Farmers think is an episode about:
The Beer Farmers in Sheffield: a new spicy and explosive show;
hashtag offended: the drastically changing landscape of (infosec) social media discussions, people moving away from Twitter; also: talking about the problem vs. doing something about it;
how will Britain handle information security as an island separated by water and hard borders from all sides?
Was a $5B fine towards Facebook enough?
Ian's solo: The Uninhabitable Earth: A Story of the Future by David Wallace-Wells and Netflix's documentary "The Great Hack";
Marcus Hutchins a.k.a. MalwareTechBlog freed;
The inventor of cybersecurity arrested for firearms possession after posting a picture with firearms.
Ep. 61, Personal (Information) Security Announcement (with Joseph Cox)
Jun 12, 2019
(2019-05-19): infosec journalism, reporting about cybercrime
[00:36:28] the first obligation is to your readers - and then to the source
This time we turn to cybercrime - not doing it but learning about it happening elsewhere. We have been joined by Joseph Cox: a journalist for Motherboard focusing on reporting about cyber crime and information security in general. We have hit the following spots:
responsible reporting: who is the audience?
naming criminals in the interest of the public vs. doxing (that story again);
motivations: keeping it clear for the audience;
responsible reporting: how not to make things worse by publishing a story;
Rant of the Episode: SIM swapping and the harm it causes;
and, as always, questions from our fabulous audience.
Some teasers for this episode:
[00:05:05] you don't want to confuse an ordinary reader with a lot of technical details you really want to boil it down as simply as possible -and that's going to anger some people;
[00:34:34] just because a hacker is blackmailing a victim doesn't mean you can't cover the data breach - people still want to be informed about it, especially if it's email addresses and hashed passwords or something that is still important;
[00:43:26] We really need to not underestimate the capabilities of very low skilled hackers.
Ep. 59, Veterans and hackers unite (with Cybermentor)
May 17, 2019
(2019-05-02): pentesting/red teaming, training, military community
On this sunny May night we were joined by Heath, a.k.a. The Cybermentor - a veteran and penetration tester. He is well involved in information security communities, both for the military and the general public, with a drive to teach and share knowledge:
accounting -> information security and pentesting;
VetSec: infosec for past and current military personnel;
certificates, OSCP and beyond;
(infosec) war stories, and what is and what is not a pentest;
Rant Of The Week: never stop learning;
plus, as always, lots of questions from the audience.
Ep. 58, Pancake Con (with Lesley Carhart)
May 11, 2019
(2019-04-11): DFIR, martial arts, breaking into infosec
[01:16:55] Do you know how annoying it is to clean a sword?
A second episode of this night, and this time we had the pleasure of hosting Lesley Carhart, a.k.a. hacks4pancakes: a master of many skills, currently ICS, in terms of prevention and DFIR. She hacks for pancakes (you need to search for this story!), she knows how to operate a sword and is a full spectrum cyber-warrior princess. This episode had many highlights, such as:
a farm in Illinois, USA via military service (still a reservist) to today's information security;
great things about infosec twitter, burnouts;
martial arts, weapons, movies and games!
breaking into infosec;
Rant Of The Episode: the importance of basics in security;
and lots of questions from the audience.
Some highlights:
[00:31:21] passion is important but passion can also lead to burnout
[00:44:02] Oh my weapons list! Oh I've never been asked about that on a podcast before
[00:51:25] you don't have to be like a programmer and you don't have to be a network engineer but you need to have a solid foundation in all those different things to be really good at security
Ep. 57, Be aware of the puppets! (with Kathryn Brett Goldman)
Apr 23, 2019
(2019-04-11): security awareness, user behaviour, startup culture
[00:12:07]: cybersecurity culture is not based on one 20 minute slide deck
Tonight we had two fantastic guests, the first being Kathryn Brett Goldman, CEO and founder of Cybermaniacs and KBG Solutions and Director of Development for Ladies of London Hacking Society and master of puppets of awareness to talk about a different approach to user training:
A degree in theatre -> information security strategy and awareness;
Cybermaniacs: a different approach to awareness training;
changing users' behaviours without killing them with presentations;
rant of the show: how to make startups use the money better?
This show's teasers:
[00:27:53] I think the biggest challenge we've had has actually been business executives, H.R. and people in learning and development who only want to see certain things in certain ways;
[00:53:04] it seems to be a huge part of the challenge we're facing right now is actually the human and behavioral side;
[00:13:02] little teeny tiny bits of learning little teeny tiny bits of nudging in order that the end users who are mostly not technical can actually achieve some behavioral change;
Ep. 56, I spy with my little SpyEar (with Rachel Tobac)
Apr 07, 2019
(2019-04-04)
[00:06:35] I wanted to be a neuroscience major and promptly sucked at school and there were a lot of tears along the way but I did end up getting my double major in neuroscience and cognitive and behavioral psychology [00:06:48]
This time TMHC was privileged to host Rachel Tobac talking mostly about social engineering. Rachel is CEO & Co-founder of SocialProof Security and Board Member of WISP (Women in Security & Privacy). She specializes in Social Engineering and has been a winner of the DEF CON Social Engineering Capture the Flag competition, 3 years in a row.
Some of the topics covered:
neuroscience, cognitive psychology, DEF CON -> social engineering expert;
why does social Engineering work?
war stories from the field;
Women in Security and Privacy: helping women find their spot in infosec, DEF CON scholarships;
rant of the show: users are not stupid.
plus, as always, a ton of questions from our fantastic audience.
Some key excerpts:
[00:10:07] the very first thing that I did is I called my insurance company and I tried to get information about me without authenticating the correct way and see if you can do that - see you can talk yourself through that situation and do OSINT enough to be able to accomplish that [00:10:22],
[00:30:20] Anybody who loves working at the company and loves posting about it on Instagram and joking and tagging; I have been able to find and be successful in about three hours for the majority of my clients [00:30:32],
[00:36:37] that pretext works but you probably delivered it with more confidence than anyone ever has because you legitimately believed it [00:36:44],
[00:50:12] Every social engineer I know has been successfully phished, every single one [00:50:16],
[01:06:34] we want to send more women and give them more opportunities to find a future boss a future mentor and these things happen because last year we sent 57 women to DEF CON in each scholarship of $780 [01:06:46],
[01:15:15] infosec Twitter sometimes is a dumpster fire, but most of the time it's pretty great. So I would say absolutely make a Twitter follow people join in on the conversation [01:15:24].
[00:07:59] I've been hired as a hitman on two occasions to kill people that they thought were informants. So this was the kind of people that I was actually working with. People trying to kill people. [00:08:10]
(2018-10-18)
This time on our podcast we had Brett Shavers; former undercover hitman and now a digital forensics expert talking about:
the military, law enforcement, working undercover - and now, forensics,
what is digital forensics and how it pairs with incident response,
recommendations of what to learn now to get into forensics,
plus a lot of stories from past and current cases from digital and analogue crime worlds; and a torrent of questions from TMHC members.
And to get you more interested
[00:37:23] I think police work kind of gives you... you look at somebody sideways pretty much and say, well you're saying one thing but I'm seeing something different [00:37:32],
[00:31:35] The cool thing about forensics and incident response is you can train yourself [00:31:40],
[01:08:16] you're infiltrating this group and next thing you know you're getting these cars drive by your house really slow [01:08:22]
Ep. 38, Take care of yourself while reversing malware (with Amit Serper)
Apr 02, 2019
[01:53:16] knowledge sharing is like the most important thing that we have not only as security doers but as humans in general [01:53:24]
(2018-11-16)
This time on TMHC Radio we spent a fantastic two hours with Amit Serper talking about how not to lose one's mind while working in infosec - specifically about ADHD. This episode really resonated with many of us - Amit really hit the mental health nail on the head. And a bit about infosec too!
government -> Cybereason,
ADHD: Amit's journey to understanding what it really is,
...and what his methods of coping with it are,
technical: how to break into infosec? learn to program in C.
And a lot of interesting questions from the audience.
rand() quotes to get you more interested:
[00:26:29] never take any drugs without seeing a doctor especially not stuff that like works on your brain and messes with the chemistry of your brain; your brain is the moneymaker. Don't. Fuck with it [00:26:42], [00:28:58] just knowing that there's another person in the room and just being aware that there's a conversation behind me makes my ADHD kick in [00:29:08], [00:31:06] I found out that if I work with headphones I can't work because music distracts me [00:31:12], [00:32:42] when you have IDA Pro open and the nerf dart hits you in the cheek you get angry [00:32:51]
Ep. 37, Snow in Summer and being a Social Engineer (with Snow)
Mar 27, 2019
(2018-11-01)
For this episode we were joined by Snow who shared her experience on how to become a Social Engineer. We learned about the importance of recon, how to clone badges with references to the awesome Bishop Fox, and Snow also shared with us a few of her engagements. If you are interested in Social Engineering then this is the episode for you. You will learn about:
Ep. 36, Scared already? You ain't heard nothing yet (with Thugcrowd)
Mar 27, 2019
(2018-10-31)
One Spooky Halloween we were joined by our friends at Thugcrowd (sshell, dnz, Yuu, skelec, Pic0o) where around the campfire we shared infosec horror stories. In this episode we discussed:
Human Error,
Epic Fails,
Attacks that scare most infosec folks,
And some Social Engineering horrors by Stu himself.
Ep. 33, Cooperative Forest Assistance Act and beyond (with Fred Jennings)
Jan 31, 2019
[...] with hackers you've got sort of the hacker hysteria aspect of it too, where if you can do stuff with a computer you might as well be the Wicked Witch to most federal judges [...]
(2018-10-04)
For this fantastic October afternoon, we have been joined by Fred Jennings a.k.a. Esquiring for an overview of how law interacts with information security:
road to... law! origin stories, human rights work;
war stories: hacktivism vs. street crime;
Computer Fraud and Abuse Act: law predating technology;
CFAA and bug bounties: what to watch for;
...plus some opinions that definitely are not legal advice - but are important nonetheless.
The highlights:
[00:26:51] you get a law that doesn't match the actual technical issues, and as a result criminalizes things that shouldn't be criminal and fails to criminalize things that probably should [00:27:05], [00:46:00] there is a lot of hysteria and fear of the scary hacker out there in law enforcement circles [00:46:10]
Ep. 32, She hacks purple (with Tanya Janca)
Jan 02, 2019
*(...) It's like being on a really nice street or all the houses are new and fancy and then you have one with like broken windows and the door is broken and it's all on the same network (...)*
(2018-09-21)
Straight from across the pond and to the north with a heart of blue came Tanya Janca and talked about:
Mentoring: there are not enough people in information security, connecting professionals with newcomers;
Working for a government for a long time - and wanting out;
Web application security: OWASP; DevSlop: DevSecOps testing;
Pushing left: Tanya's definition of DevSecOps;
how to be more open and diverse in infosec and technology in general: [01:45:16] You know one is talking about diversity but you've actually got to do it. [01:45:22]
Hot takeaways: [00:05:51] And I just I want to help everyone because we really really need people in security. [00:05:56], [01:24:56] None of this crap would have happened if you would let me do my job. [01:25:00], [00:29:16] If you find a bug in the requirements phase it'll cost you ten bucks to fix. If you wait till you've had a security incident - sometimes that's in the millions. [00:29:33],
and a thing about dressing up for work:
[01:31:06] I have worked at so many offices where they told me "we'd really like it if you would wear pants and a t-shirt because you dressing up is making men uncomfortable". But now I'm the senior person and everyone can kiss my ass that doesn't like it. I like wearing dresses. That's it. I like it. And I'm not going to not do it because it makes someone else uncomfortable. I'm not like naked. I'm quite modest in the way I dress and if me dressing up makes you feel like a slob - that's something that's wrong with you and how you feel about yourself. [01:31:41]
Hosted by Stu, episode production Meadow and the Moderators team.
Ep. 31, msrexe.exe (with Mobman)
Nov 25, 2018
(2018-09-06)
[00:53:48] I'm kind of proud of calling myself a hacker. My license plate on my car says Hacker. And you know it upsets me when they use it synonymously with the word criminal. [00:54:03]
We downloaded a new W95 theme, then the CD tray opened and next thing we knew we had Mobman a.k.a. Gregory Hanis on our podcast. There are so many epic stories in this episode that it's hard to summarise, but let's try...
hacking games -> Sub7, the tool that started many a career in infosec;
hacking phone companies -> jail -> the life after;
the cyber security inventor vs. Mobman;
HackBama.com, the upcoming con and the infosec community in Alabama, U. S. of A.;
jobs, jobs, jobs.
[00:04:05] Some people they don't even want but look at Atari it's like what the hell is this blocks on a screen stuff [00:04:11],
[00:23:09] We can open and close people's CD ROM drives. You can hide their start button. You can make your start button reappear. You could flip their screen upside down [00:23:19],
[00:37:17] I gave a location and I went there and then they came out with a SWAT team and I get on the ground guns drawn and like I killed somebody. Or something. So then I got arrested. [00:37:28],
[01:43:11] They're like DEF CON but without all the crazy people [01:43:14],
[01:52:23] this job is awesome and cushy but it only pays like 150k a year. I'm like WHAT. No that's a lot of money. If you can't live off 150k you're doing it wrong. [01:52:36],
[02:04:03] just because I'm doing good now I went through a lot of different things. So you know doing that one wrong thing can have a lot of impact on the rest of your life [02:04:13]
[00:18:45] we know that banks are one of the worst in terms of crap passwords [00:18:48]
It was the night before... actually it was an early Monday morning for some of us when we were woken up by Troy Hunt to hear about globally distributed backups (take a guess), plus:
who is Troy Hunt and how he does not work for Microsoft,
have I been pwned? how it started and its effect on end user security perception, password policies,
flat-earthers, anti-vaxxers and https-google-conspirators
Certificates: paid or free? EV or DV?
Some juicy bits:
[00:25:18] I don't think anyone here sort of manages the social media accounts for their organization - If you do don't argue with people online because no matter how right you are you look like a [00:25:28], [00:40:16] at the moment a visual indicator in the browser is useless because people just simply don't look for OV versus DV [00:40:23], [00:47:30] I myself find a lot of legitimate emails from organizations, including financial institutions almost indistinguishable from phishing emails [00:47:42]
Ep. 27, Many hats indeed (with Georgia Weidman)
Oct 30, 2018
(2018-07-19)
[00:21:36] Well I mean I did knock over a podium once [00:21:41]
On this cold winter night we had Georgia Weidman, wearer of many hats - an entrepreneur, a penetration tester, a speaker and a writer - telling her story on, well, hacking, application and mobile security, but also how a hacker finds themselves in a business environment:
from grad school thru government to running a business,
the book: the current and what to expect from the second edition,
automated penetration testing and future of red teaming/pentesting,
BYOD: it's here to stay and the industry has to deal with it,
and many more!
[00:15:08] even to security companies security is not the most important thing; keeping the lights on and making payroll - that's what's the most important [00:15:18], [00:19:44] I was always told if you if you're not nervous before presenting then you're not human [00:19:50], [00:40:29] as long as we continue to try and make one size fits all security we're going to continue to have trouble [00:40:35], [00:42:35] I mean I'm not going to say my first book was bad. I think my first book was awesome. I still have a hard time believing I wrote it. [00:42:43], [00:48:15] One Christmas one CEO one company got an iPhone and said: we're putting this on the network and there was nothing the security guys could do about it. And it's all just gone downhill from there. [00:48:27], [01:06:55] You know when you're in grade school they ask you what you want to be when you grow up and I always said I wanted to be a novelist. But then I became an infosec professional [01:07:07]
Ep. 34, AirFASE (with HackerPom and RagSec)
Oct 16, 2018
(2018-10-14)
Our friends at Bleeping Computer have recently reported on a vulnerability discovered in the AirFASE systems - and as it happens the research was done by members of our community (HackerPom, RagSec and Stu).
This episode had a slightly different format as we focused on the matter at hand, so be sure to check out the linked article and tune in for more details, tools, techniques and some tips on how to perform such research and not break the law.
Ep. 26, It takes a crowd (with CaseyJohnEllis)
Oct 14, 2018
(2018-07-14)
(...) one of my key motivations is that if I'm learning something, building something and I'm in a position that I can teach as well - then I'm like a pig in (...)
On this fine Saturday we've been joined by @caseyjohnellis and we talked about bugs, crowds and the intersection of the two:
How the idea of Bugcrowd came about - from hacking to crowdsourcing the security,
Some entrepreneur advice: Casey's hints & tips for having the right mindset when starting a business (in information security) and not being afraid of failure,
Bug bounties and ethical hacking: people are OK with a locksmith but are afraid of a burglar; how Bugcrowd fits into this and is trying to shift the perception.
(...) one person being paid by the hour no matter how smart they are is never going to be able to compete over the long term with a crowd of adversaries when it comes to finding a vulnerability (...), (...) the whole idea of being able to stare failure in the face and become very comfortable with it - that gives you more courage to go out there and take risks and make things happen (...), (...) we're working in an industry with an incredible shortage of skilled labour (...), (...) bugbounties (...) started to shift this default concept of someone who can hack as being inherently evil (...)
(...) that's what DerbyCon is about: what can we do to help you change the industry for the better and that you have an amazing, epic time (...)
On this fine Thursday night/evening/afternoon we have been visited by Dave Kennedy a.k.a. @HackingDave, and what a night/evening/afternoon it was! He shared some stories from the past, present and some of the future happenings at DerbyCon:
being a hacker at school and moving to being a Marine,
breaking into infosec: consulting, writing tools, first talks, TrustedSec
The road to 8 DerbyCons
The state of the red teaming market, what red teaming actually is and the juicy details on penetration testing and vulnerability assessment,
Which Doctor is the best Doctor.
During the talk Dave also offered to donate to us 5 tickets for DerbyCon - and here's what happened:
We gave one ticket to a person in need (yes, because we like to help),
You are an amazing community - and together we are making a change. Thank you for that!
(...) the information security is my hobby and is my life, but so is my family (...), (...) as a community we can do a lot of great things to change what we see out there today and make the world a better place when it comes to technology (...), (...) if you don't enjoy doing work - change it (...),
Hosted by CyberSecStu, podcast production: Meadow, PizzaTheHutt.
Ep. 30, From hacking a country to running a con
Sep 10, 2018
(2018-09-06)
(...) There's always plenty of war stories and fun things pentesters have done but I think 44con is one of the things I'm happiest with (...)
On our birthday week we got a present: Steve Lord, despite being busy with the upcoming 44CON, found some time to talk to us about everything around the conference, and also:
the good old days - his way into computers and how it's different starting down that road today,
how to start on hardware hacking,
fascinating world of hardware security and - is it more interesting than software/network security?
security of public infrastructures plus some war stories,
more 44CON: 44COIN CTF, the assistance program, how our talk submissions are processed by the team and last but not least, helping to fight food poverty.
(...) A CTF, where we're gonna have our own alternate reality game, starring cryptocurrency visionary Don McFlurry (...), (...) If Cyber Essentials was a race horse it would be called Soon-To-Be-Glue (...), (...) taking over an entire country in terms of their communications' networks (...), (...) wherever there's a mainframe there will be a link to something else, to something else, to the Internet (...)
Hosted by CyberSecStu, podcast production: Meadow, PizzaTheHutt.
Ep. 23, Some fantastic hackers are about
Aug 28, 2018
(2018-07-03)
(...) You need to invest and empower more people. If you invest in the next gen security box, a hacker will get around it and no one in your organisation will know what to do. (...)
This week we got a visit from HackerFantastic (@hackerfantastic) and we heard about sharing exploits and tool development, training people in hackerhouse by bringing them real world scenarios taught by professional hackers - the fundamentals of security and red teaming - as well as how monolithic organisations can understand their threat model and invest in the right areas of security.
(Audio quality will bring you back to the good old AM days - we're sorry for that!)
Hosted by CyberSecStu, podcast production: Meadow, PizzaTheHutt, ProxyBlue.
Ep. 22, Amazing adventures of the RedactedFirm
Aug 16, 2018
(2018-06-28)
In-between one conference and the next, Jess (@drjessicabarker) and FreakyClown (@FreakyClown) from RedactedFirm found their way onto our podcast to give an account of some of their adventurous activities in information security, such as:
"(...) Next thing I know, blue lights, and armed police were storming the building (...)"
The highlights:
How RedactedFirm started and how it gives back to the InfoSec community; being guest curators at Cheltenham Science Festival,
Breaking into banks and kidnapping people (with permission, but still),
Speaking at conferences: how to make your first appearance and rock it,
Building your network of infosec connections and how it benefits your career,
Reaching out to the general public and raising awareness about security.
"(...) It was the best decision I’ve ever made in my life, apart from getting with Jess (...)", "(...) When you make something, and you’re passionate about it, you grab it with both hands and see where it goes (...)", "(...) Infosec is like a vocation – it’s a passion and you get paid to do it (...)", "(...) I remember a particular example” is back! We hear about FC’s kidnapping of a Ghurkha soldier (...)"
(Audio is what you hear, it's not your headphones, it's us - sorry!)
Ep. 21, Championing new InfoSec Talent
Jul 24, 2018
SecJuice! We had Guise Bule (@InfosecScribe) and Nicole Beckwith (@NicoleBeckwith) talking about bringing fresh blood to the infosec community and how SecJuice came to be.
Some key points:
Nicole's and Guise's backgrounds - how they arrived at their current roles in information security,
SecJuice's story: why it happened and what are its goals,
Living the life of a sniper in Ohio, USA,
Keeping the public sector safe - blue teaming, DFIR and security awareness training at a scale.
Some takeaways:
"(...) Everyone brings something to the table. We don’t care if you’re a brand-new writer or if you’ve been writing for years (...)", “(...) Everybody has a story to tell. Everybody has an experience. (...)”, “(...) I originally started this because I was pissed off (...)”
(Please excuse the audio quality, this time it was the flower girl's doing...)
This week on The Many Hats Club Stu (@CyberSecStu) was joined by the Dons of Thugcrowd (@Thugcrowd). We heard from Yuu, Dnz, MG, Solid and Jizzney Princess about the OPSEC fails and OSINT wins they’ve encountered. The discussion this time was centred on:
Examples of slip-ups people made that allowed someone to trace them back and bring them to justice
Tons of entertaining anecdotes of where the good guys tracked down the people committing the heinous trickery behind the scenes
We also had a quick word from Defcon about a large fundamental flaw they noticed in someone’s website that allowed them to grab admin access
We also go on to discuss the different things people do to maintain OPSEC, and the tips that may be worth using to make sure you don’t have an OPSEC fail of your own.
Some teasers:
"(...) I have one that ends in guns (...)”, “(...) The marketing team manager was effectively cheating on his wife… using company resources (...)”, “(...) It ended when he tried to bust into the house of one of my co-worker’s, who pulled out a gun and told him to get the f out of there (...)”, “(...) That’s… Probably a crime though right? (...)”, “(...) I think we just had an OPSEC fail right now (...)”
Onionland: how he ended up running one of the most widely known Dark Web forums, what he would like it to become, plus some tips on moving around the Dark Web;
Cryptocurrency trading: apparently you can trade it and not go bankrupt, but it requires a lot of work; also why people seem to believe it's the way forward, as far as banking and investing goes;
OPSEC: Ædiot says it does not necessarily mean keep your name a secret, but it's a full time job that is more a mindset than just using a pseudonym online; check out the last part of the talk for more on that.
Ep. 14, beast_fighter: DFIR and OSINT investigations
Apr 29, 2018
Join Stu (@CyberSecStu) as he talks with Beast_Fighter, a DFIR and OSINT investigator and an author of the Buscador OSINT VM. The main topic is open source intelligence, but many other topics are covered, including:
Beast_fighter's Unusual Journey to his current role,
What people and companies are missing when reviewing OSINT attack surfaces,
Tips and tools for doxing malware devs and other bad actors,
How and why Buscador came to be,
Advice for newcomers to the field,
Advice for journeymen in the field,
Mental health. It's more important than you'd like to think.
Ep 13, Claire Tills: Crisis Communication and Incident Response
Apr 19, 2018
Join Stu (@CyberSecStu) as he talks with Claire Tills (@ClaireTills), an infosec-focused communications researcher. They'll talk about Claire's journey into her current roles, as well as a number of other topics, including:
Theories of crisis communication as it relates to information security and incident response.
How companies should react to a breach, and why they often suck at it.
Responding with the balance of technical expertise and traditional respectability.
How to time a breach disclosure.
Trust vs reputation: the right choice for companies.
Join Stu (@CyberSecStu) as he talks with Itai Tevet (@itaitevet), a former team lead at Israel's CERT, and current CEO of Intezer, a malware analysis and threat intelligence company. In addition to Itai's history, they'll also discuss:
Programming, scripting, and information security.
What to look for when facing state actors.
APT code fingerprinting.
Intelligence and attribution.
Recommended tools and methods for malware analysis and forensic analysis.
What Intezer does.
Techniques and resources for getting into information security and malware analysis
For episode 11, join Stu (@CyberSecStu) as he talks with Stu (Hirst) @StuHirstInfoSec about his interesting journey into infosec, from working as a DJ, to leading the security team at SkyScanner, to his present role at Capital One. They’ll cover the SkyScanner team branding, imposter syndrome, and motivations for working in the infosec industry. Topics also include:
Ep 10, Cal Leeming: "Path to Redemption: Security in the eyes of a hacker"
Mar 18, 2018
@sleepycal (Cal Leeming) and @CyberSecStu discussed information security through the eyes of a hacker. They also looked at what options are available for blackhats who want to rehabilitate.
In this episode we also learned about Cal's background as an ex-blackhat, the impact it had on his victims and family, and the people who went out of their way to provide him with opportunities and a path to redemption.
Ep 09, Kim Crawley: "Writing your way into InfoSec"
Mar 10, 2018
In this episode we had the pleasure of having @Kim_Crawley talk about her background and how she became a prominent writer in the InfoSec industry - but some gaming and anime conversation slipped in too, so there's something for everybody!
Ep 08, Incident response session with CyberSecStu and ProxyBlue
Mar 06, 2018
Join @ProxyBlue and @CyberSecStu on a deep dive into Incident Response and analysis, including practical examples of dealing with NotPetya simultaneously in 140 countries.
This is the recording of our session with Chris Boyd discussing the future of malware and threat hunting. We also discussed colanders, VR, classic games, privacy policies and some of Chris's adventures.
Ep 06, Social Engineering with Jenny Radcliffe
Feb 08, 2018
This is the recording of last week's session with Jenny Radcliffe discussing all things Social Engineering, in particular physical red teaming, and what organizations can do to better prepare for and defend against SE attacks.
Ep 04, Adventures in Curating Hacker Twitter’s Institutional Knowledge session
Dec 28, 2017
This is the recording of last week's session with @hexwaxwing and @DanielGallagher on their attempts to map the relationships between InfoSec professionals and to categorize them into identifiable categories of knowledge and expertise.
This is a discussion about what's gone into the research they'll be releasing publicly at ShmooCon 2018, as well as discussing with ManyHats listeners potential future priorities and directions for the project.
Ep 03, Pouring salt into the crypto wound: How not to be as stupid as ransomware authors
Dec 20, 2017
Last week's session with @Toffee, @Fabian and @CyberSecStu, discussing the various ransomware families that have been prevalent in the past 5 years, exploring the common and often hilarious mistakes that were made, and mocking the authors who made them.
While both our guests work for Emsisoft, this is not a sponsored session. They're here on their own dime and out of the goodness of their hearts
They covered several different aspects of social engineering, including some useful hints and tips; importantly, they also touched on ethics and the impact of social engineering on targets.
Initially scheduled for just 1 hour, the full recordings are approximately 2 hours.