The Bastard Academic

Well, well, isn't this one for the books: the NSA have released GHIDRA, their reverse engineering tool. Yes, you read that correctly, the NSA have released something. Not The Shadow Brokers or any other APT, it hasn't been leaked or nabbed and let into the wild, this is a deliberate sharing of technology by the Puzzle Palace. Not what you'd expect, is it? Announced at this years RSA conference (already controversial this year as Adi Shamir, the 'S' in RSA, was unable to obtain a visa to attend), this reverse engineering tool seems primed to shake things up a bit, as many RE tools cost a fair bit of money. It also seems to be free of backdoors, and although one bug has been found , it can be remedied was reasonable ease. I've not really done much RE myself, but with a powerful, military-grade tool such as this, it might be a whole lot easier to get into. I'll let you know more when I've had a chance to play around with it. If you are interested...

As we know, there are ~235 billion emails sent per day, a number that keeps growing year-on-year. A staggering 48% of that traffic is spam of one description or another, a figure that has actually come down 21% in the past 4 years alone. Despite varying scams and spam being prevalent and well-known, still people fall for them and shell out hundreds of thousands of pounds to cyber criminals each year. Today, I’m going to take a look at an interesting blackmail spam email I received and break down how to identify this as something obviously a scam, and why it is also a phishing expedition as opposed to real blackmail. I’ve taken out my email details, but the rest is exactly how I got it: A Fun Blackmail Scam attempt The first to check, with every email you get not just the ones you suspect of being dodgy, is the sender name and email address. Now even a neo-luddite can spot that something is fishy here: 986@501.416 is clearly not a real email address. If you aren’t sur...

Following on from my last article, here’s some more information on changing industries for managers. Hopefully I didn’t put too many of you off switching careers in my previous article, where I explored what managerial life would look like in the InfoSec world. As a continuation, this post looks at which certifications are best to get you the necessary managerial competence in the field to start your new career. Some of these do include a certain amount of technical training in the course material, others just look at concepts instead. Should you choose one of those, I would recommend at least doing some research into the technical side of things. While exploring free, online learning resources might not cut it completely, they are better then nothing and will help give you a grounding for when you choose to complete a recognised technical qualification. Certifications This will be by no means a comprehensive list of certs, but it will be enough to get you started and point...

So far, a large portion of this blog has been dedicated to helping people begin their careers within the Cyber Security sector from the beginning, i.e. straight from college or university. This week, I’d like to explore the options for those looking to make the move from other career paths, specifically with an eye to those looking at managerial positions. If you are already coming from an IT background, this post might have one or two things you might find useful, but you’ll probably have access to other resources that might be better suited to your needs. I want to note here that while this will guide you through some of the options and a few certifications that will help move into CyberSec, some technical competency is a must. A good level of understanding of the technologies and principles underlying those technologies is unavoidable in this field, as you’ll see below. My suggestion would be to look at my earlier blogs and some looking around, as I won’t go into depth about t...

Today, I want to look at soft skills; more precisely, one soft skill in particular, namely problem solving. Yes, that old chestnut, the one everyone seems to need to put on their CV, from janitorial staff and burger flippers to IT practitioners of all flavours. But why am I writing about it now? Because it’s not a very well understood skill, and it is only half of what a CyberSec pro needs. Confused? I’ll explain. As I’ve mentioned previously, one way for CyberSec personnel to test themselves and keep their skill sharp, while learning or while actively engaged in a position, is wargames (you can find a good list of them here ). Hack boxes, CTF’s (Capture the Flag) and so on are a great way to introduce you into thinking about the issue faced and the problems that need solving in context. It helps build your problem-solving skills by presenting you with common, and not so common, challenges, which you must overcome with your wits and technical know-how. Problem solving as we ...

Yes, this is the inevitable blog about Cambridge Analytica, Strategic Communications Laboratories and Facebook, because this is a cyber security blog and this counts as compromised security. First things first, the old admonition: if you are getting something for free, you are the product. Maybe it’s not that old, but it definitely applies. Facebook offers a lot, and offers it, ostensibly, for free. Now you could say that advertising revenue pays for it, and to some degree you would be correct, but one thing the former Harvard female ranking website has plenty of is information: data. And data, particularly the specific kinds you feed the Zuckerbergian Machine every 30 seconds, is worth more than its weight in gold. Machine Learning and AI companies need as much as possible to teach their silicon brains, and advertising departments and companies love knowing how to manipulate you into buying things help you choose their products. Here’s where Cambridge Analytica, and their parent ...

Fact 1 of Cyber Security Club: Users are the weakest security link. Fact 2 of Cyber Security Club: Users are always the weakest security link. Fact 3 of Cyber Security Club: Who the frell needs users anyway? (Feel free to enlarge the above and use it as a poster for your office. You know you want to.) As CyberSec professionals (or even those in training), we know tips and tricks to keep our digital identities clean and reasonably secure. We know the importance of good password practices (passphrases are very good, randomised character strings of 8 characters or more is the least you can do), of clearing caches and cookies (if you have to accept cookies in the first place), and not clicking on anything that screams in loud, epileptic-fit-inducing, flashing colours “click me”. These things are the least of our knowledge, to the point that we forget, that somehow, they are not common knowledge. 20+ years of the internet being common, and people still think that 50 toolbar...

Roll-up! Roll-Up! Step right up, ladies, gentlemen and all manner of horrible creatures! Welcome to my domain, one and all. As you walk in, please check you haven't left your humour at the door, and that you have some idea why you are here! This is going to be a bit of an odd blog. That is because it isn't one blog, it is a weird amalgamation of several blogs: one large part Cyber Security (shared with my main CyberSec blog for CoderSource.io); one part technology review and tutorial; three shakes of writing, and a smattering of philosophy, politics (local and global), and anything else that takes my fancy. As for me? Well, I am a student, both auto-didactic and actual academic (kind-of, I'm taking a break) of many different domains, although primarily Cyber Security. While I won't feature all of my work for CoderSource (a coders recruitment agency) here, most of it will end up on these pages, as will all kinds of supplementary information and resources to keep i...