I’m seeking new opportunities

After nearly 3 1/2 years in my previous role, I have decided to move on to find pastures new.

Security is a personal passion of mine as you may have seen from my Twitter account (@SPCoulson) and I want to now bring security to the doorstep of organisations and help highlight and repair weaknesses, but also demonstrate how they can effectively prevent themselves becoming a victim of crime.

So many organisations spend vast amounts of time, money and resources to create powerful brands and great products but because security is often seen as a barrier to innovation, it only gets added on afterwards, usually in a reactionary way, and rarely implemented well.

Having seen and heard the pain that organisations go through during breaches and compromises, I want to reach out and use my knowledge and expertise to guide organisations to safer and securer times so their people, physical and data assets, and intellectual property are appropriately protected.

If you think you might be able to use my services, or have a position I may be relevant for, please get in touch. I am actively hunting, so there is a chance you are already on my radar!

As I have a broad set of skills, you may find this list of some guidance:

* Commercial –

Business Development, Business Process Management, Project Management, Process Re-Organisation, Project Build, Market Research, Sector Analysis, Competitor Research.

* Educational –

Training, Coaching & Mentoring, Side-by-Side Coaching, Researcher, Speaker.

* Compliance –

Quality Management, ISO 9001, ISO 27001, ISO 14001, PAS 2060, Basic PCI.

* Security –

Ethical Security Testing, Social Engineering, Penetration Testing, Vulnerability Scanning, Security Professional, Physical Security Design.

* Datacentres –

Datacentre Design, Operation and Security.

[LINK] – Reduced CV for download, full CV available on request

[LINK] – Link to my LinkedIn Profile

 

Get in touch if you think I can help you!

When a bug goes viral.

It was 3pm GMT when a 19-year-old Austrian nicknamed Firo was sending a tweet. There were millions of us tweeting too and his actions were not unusual. As he typed his tweet, he inserted a heart character and noticed that two appeared. Curiosity got the better of him and he started playing with his tweet. He discovered that he could insert code into his tweet while the tweet still displayed only his love heart.

The thing about Twitter is that it draws like-minded individuals together. When Firo’s followers received his tweet in Tweetdeck, they got a pop-up box with some text in it. When they re-tweeted it, so did their followers, and so the spread began. Firo knows computing, his friends know computing too, and their circles are all in the same areas. After 30 minutes, the UK was receiving these curious messages and word was out…

 

XSS in Tweetdeck

 

When the tinkerers saw what they could do with a simple script, they had a field day sending funny messages over Twitter. As the tweets grew, so did the curiosity; Firo was past playing with the bug and the message was spreading. Within 2 hours, Tweetdeck was almost becoming a ghost town as the message sank in…

There is an XSS in Tweetdeck – this is serious.

We shut it down and un-linked our Twitter accounts. Two hours after the initial finding of the bug, the user base was savvy enough to understand its severity and was protecting itself.

 

Shortly after this we saw the self-propagating tweet. Using the same mechanism, it gave you the pop-up message but also automatically re-tweeted itself from your account. When this variant hit the BBC breaking news account, 10.1 million followers received that tweet, and anyone among them using Tweetdeck automatically re-tweeted it. This was now a dangerous game and Tweetdeck pulled the plug.

A wise move by all accounts: had it been allowed to proliferate, Twitter could quickly have become overrun and more harmful code could have been injected into a tweet. Fingers were pointed at bad programming, the Twitter takeover and yes, I dare say governments probably got a finger pointed at them or two.

Bugs exist in code because we write code. Humans write code. We are not perfect. Bugs are found every day; some are low impact and some critical. A bug is simple to introduce by accident and can lie in the code, in some cases, for over a decade (OpenSSL).

 

Firo did no wrong; he is a good definition of a hacker: he got curious and worked out what it could do. The media should not demonise him for his actions, in the same way Codenomicon should not be demonised for finding Heartbleed. Firo is a hacker. The media should learn that this is a good thing. He is not a criminal. Someone who finds bugs and has the intent to cause harm is a criminal. We need to separate these terms and this is a perfect opportunity.

 

Well done to the hacker Firo for finding this bug even if it was by accident (as most great discoveries are!).

We must also applaud Tweetdeck for such a fantastic and speedy resolution to the bug. I have no idea how many thousand lines of code they had to go through, but they did, and they fixed it.

I wonder what the next bug will be that is found today?

I wonder if it will be in a 90s game that if you press IDDQD, IDKFA, IDCLIP ……..

 

Associated articles:
Original article identifying Firo
Doom

XSS and Tweetdeck and the person behind the discovery

So XSS appears to be back in Tweetdeck.

 

I was first alerted when I got this pop-up:

[Screenshot: Capture22]

My initial reaction was to ask on Twitter – then I noticed it: every time there was a love heart in someone’s tweet I got a pop-up telling me there was an XSS in Tweetdeck.

 

I did a quick search to try and find the first reference of XSS and Tweetdeck and found https://twitter.com/pixeldesu/status/476744509783822337

After a quick dialogue and a few names, there it was:

[Screenshot: Capture 33]

I had a brief chat with @firoxl and it appears that the bug was discovered by accident.

It actually was some sort of accident. ^^

https://twitter.com/firoxl/status/476738843841159168

[Screenshot: Capture 44]

I was using TweetDeck, suddenly there were 2 hearts.

I made some experiments and discovered that TweetDeck doesn’t escape HTML-chars if there is that Heart in the tweet.

As with all great discoveries, this one was made by accident.
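As an added illustration (my own code, not TweetDeck’s, and the real root cause is not shown on this page), here is a constructed JavaScript render pipeline in which a heart-to-emoji substitution runs on the raw tweet and so bypasses HTML escaping, beside a version that escapes first, with a small regression check a defender could keep in a test suite; names such as renderVulnerable, HEART_IMG and audit are my own.

```javascript
// Minimal HTML escaper shared by both renderers below.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

const HEART = '\u2665'; // the love-heart character from the story
// Trusted, constant markup the client swaps in for a heart (constructed).
const HEART_IMG = '<img class="emoji" alt="heart" src="/emoji/2665.png">';

// Vulnerable (hypothetical): the emoji branch builds its output from the raw
// tweet, so the escaping step is skipped whenever a heart is present and any
// markup the author typed next to the heart reaches the DOM intact.
function renderVulnerable(tweet) {
  if (tweet.includes(HEART)) {
    return tweet.split(HEART).join(HEART_IMG);
  }
  return escapeHtml(tweet);
}

// Hardened: escape the untrusted text first, then do the substitution on the
// escaped string. escapeHtml leaves the heart untouched, so the feature still
// works, and the only '<' in the output comes from the trusted constant.
function renderSafe(tweet) {
  return escapeHtml(tweet).split(HEART).join(HEART_IMG);
}

// Regression check a defender can keep in a test suite: after removing the
// known emoji markup, no raw '<' should remain in rendered output.
function leaksMarkup(html) {
  return html.split(HEART_IMG).join('').includes('<');
}

// Constructed sample tweets (not real tweets from the incident).
const SAMPLES = [
  'just a normal tweet ' + HEART,
  HEART + ' <script>alert("xss")</script>',
  'no heart but <b>bold</b>',
];

// Returns, per sample, whether each renderer leaks raw markup.
function audit(samples = SAMPLES) {
  return samples.map((t) => ({
    tweet: t,
    vulnerableLeaks: leaksMarkup(renderVulnerable(t)),
    safeLeaks: leaksMarkup(renderSafe(t)),
  }));
}

console.table(audit());
```

The general rule the hardened version follows is to encode untrusted text before any later step concatenates it with trusted markup, so a feature branch (emoji, links, mentions) can never skip the encoder.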

At the time of writing, Tweetdeck has now fixed the issue:

https://twitter.com/TweetDeck/status/476763638695743489

[Screenshot: Capture55]

Where could it have gone?

Well – Firo speculates “someone could load some external js-code and build a computer-worm which takes over the accounts of many people… there are many ways this issue can be used to harm someone…”

And there you have it: 3:52pm to 5:31pm – bug identified, replicated, proven, fixed and rolled out. Not a bad turnaround in the grand scheme of things!

 

Many thanks to everyone who was involved in the making of this blog – especially Firo XI, kudos for helping out.

The FIX:

Log out of Tweetdeck – log back in again!

Security Valentines

So for Valentine’s, I decided to create the hashtag #SecurityValentine, partly for fun but also to gather some ideas for simple security messages.

Roses are red,
Violets are blue,
I’m sat here,
Waiting to help you.

Roses are red
Violets are blue
All my base
Are belong to you

Snort is good
Kali is better
Get that signature
On the authorising letter

I hacked in
Found the data
I’m zipping it up
To exfiltrate later

Talk to me

I’m a Social Engineer
I won’t use your password
There’s nothing to fear (honest!)

I really regret
The hacker I dated
Get me a WAF
I’ve been penetrated. (Source David Powell)

I’m a virus
I’m here to destroy
There’s also a backdoor
That was my ploy

Give me your money
Ransomware is here
I’ll give you your data
After I’ve had this beer

Roses are red
Your password was weak
You’re now in a Pastebin
For hackers to seek. (Source @DeathsPirate)

Some malware is bad
But Cryptolocker is clever
I know your tactics
Click that Link – NEVER!

Roses are #C91D1D
Violets are #6411D5
…or would you prefer those in RGB?

Security gets me down
My Password is my DoB
What do you mean I’ve been hacked
Thought my AV was there to protect me

Valentines Day
Girls love me
I clicked this girls profile
Worst infection I coulda got me !

The roses have wilted
The violets have died
I didn’t do patch management
I’ve just been fired.

Website is down
Log files are blank
Fixing this stuff
Is not going to be fun at all, is it?

Compliance is dull
And sometimes is effective
It’s trying to implement it
To the great collective

Scada attack
Wow that sounds quite a fright
I’ll be OK
Hey, who turned out the light?

Burp is the best,
Zap is nice too,
But stay inside scope,
Or you’ll end up in poo. (Source @PMason00)

I’m a script kiddie
I’m a DDoS king
Does that make me a Leet Hacker?
Or an annoying little thing?

Roses are red
Pineapple’s yellow
Auto connecting …
Beware of the peril! (Source @DeathsPirate)

“I know who is
Who’s behind the @th3j35ter ”
Yet another troll out there
Reputation to be messed up !

Roses are red
This hat is white
Network Security’s
an ongoing fight! (Source @DeathsPirate)

Lock picking is fun
Use an electric gun
But using a bump key
Is just as fun

Roses are red
Defcon badges are blue
Who’ll pay for a ticket
For Defcon #22 ?

I have a risk register
It did us some harm
I’ve never updated it
No need for alarm!
(is there?)

Log files are read
Language is blue
Firewalls opened up
Who was it… was it you?

Buried in the basement
Where no-one can see
Sysadmins everywhere
Are protecting you and me

Ethical hacking
Pen Testing too
Whatever you call it
Finding holes for you

Love em or hate em
Whistleblowers are here
It’s the data they still have
The govts/companies fear

Roses are red
Violets are blue
My security is weak
The hackers got through!

#FF 03 January 2014

It’s a bit later than usual but with a death in the family, I couldn’t commit as usual. Thank you everyone for your support.

I would normally do my #FF list as a deck of cards, but as there are a whole host of people to thank, this is just a big list!

(Note: it’s alphabetical, not in any special order!)

@__Freakyclown__
@AaronMoorcroft
@B1gGaGa
@bhconsulting
@BigLesp
@BillBrenner70
@BrianHonan
@Cephurs
@cisecurity
@ColetteWeston
@CyberSolicitor
@DanchoDanchev
@digininja
@drjessicabarker
@FrankMorris
@hackerfantastic
@KevinMitnick
@KPoulsen
@krypt3ia
@lothie
@Mikko
@Moxie
@NakedScientists
@NeiraJones
@nuWARP
@PMason00
@Prohest
@rjacksix
@security_faqs
@SecurityAffairs
@SecurityNinja
@serachewhi
@Spacerog
@TeamCymru
@tekwizz123
@TripwireInc
@TroyHunt
@Wh1t3Rabbit
@wmpllc
@WTF

Thanks everyone – if you have any suggestions then drop me a note!

#FF 08 November 2013

It’s that time of the month where I give you my #FFs as a deck of cards.

I got the inspiration for this from Mafia Cards. One of these days, when I get round to it, I’ll actually do the cards too, but until then… enjoy my list!

Thanks to everyone who has Fav’d, RT’d, MT’d or #FF’d this month; it has been a really interesting month, to be fair. Thank you everyone.

I also want to give a special shout to @Wh1t3Rabbit on the birth of his twins. Congratulations Raf and good luck!
Welcome to the world you two – look after your mum and dad!

Aces = These are people who have been outstanding and need special recognition.

#FF Aces:

@Tech_Geek_Girl @TeamCymru @BrianHonan @Prohest

– thanks for your support and fun this month!

Hearts = Big love, people I want to specifically mention for being awesome!
#FF Hearts:

@Tech_Geek_Girl @ColetteWeston @Dick_Turpin

@TripwireInc @DPWallace @Futurian

@MethodDan @MrKoot

Diamonds = Top people and inspirations. Thanks.
#FF Diamonds:

@Wh1t3Rabbit @__Freakyclown__ @TeamCymru

@BillBrenner70 @NeiraJones @nuWARP

@Mikko

Clubs = Hack work: an interesting crew to watch and learn from (and by hack I don’t necessarily mean criminal).
#FF Clubs:

@DigiNinja @Prohest @Essobi @HackerFantastic

@Cephurs @Les_Diaboliques @Steel_Con

Spades = Great research. Some great researchers – keep the content coming!

#FF Spades:

@Lothie @BrianHonan @DanchoDanchev

@SecurityAffairs @bhconsulting @drjessicabarker

@Viss

Is there a Joker?

#FF Joker:

No Joker this month. I wanted to do something about the Million Mask March… but equally I don’t want to get my blog attacked!

Thanks everyone – if you have any suggestions then drop me a note!

#FF 04 October 2013

It’s that time of the month where I give you my #FFs as a deck of cards:

It’s been a great month since the last #FF list and I want to thank everyone who has favourited, re-tweeted and engaged in conversation with me. Thank you everyone.

Aces = These are people who have been outstanding and need special recognition.

#FF Aces :

@ColetteWeston @3poundbrain @hackerfantastic @SecurityAffairs

– thanks for your support and fun this month!

Hearts = Big love, people I want to specifically mention for being awesome!
#FF Hearts:

@nuWARP @BigLesp @WTF @TripwireInc

@BillBrenner70 @ColetteWeston @drjessicabarker

@hackerfantastic @tekwizz123 @AaronMoorcroft

Diamonds = Top people and inspirations. Thanks.
#FF Diamonds:

@Wh1t3Rabbit @NeiraJones @Mikko

@FrankMorris @BrianHonan @TeamCymru

@KevinMitnick @Spacerog @KPoulsen @Moxie

Clubs = Hack work: an interesting crew to watch and learn from (and by hack I don’t necessarily mean criminal).
#FF Clubs:

@Prohest @B1gGaGa @3poundbrain @SecurityNinja

@NakedScientists @hackerfantastic @rjacksix @Cephurs

@krypt3ia  @__Freakyclown__ @PMason00 @TroyHunt

Spades = Great research. Some great researchers – keep the content coming!
#FF Spades:

@DanchoDanchev @lothie  @digininja

@serachewhi  @CyberSolicitor @SecurityAffairs

@bhconsulting @security_faqs @cisecurity @wmpllc

Is there a Joker?

#FF Joker :

I’ll claim this spot this month for my wonderful gaffe:

@BillBrenner70
Silk Road, Tor and the Threat of DDoS – The Akamai Blog: https://blogs.akamai.com/2013/10/silk-road-tor-and-the-threat-of-ddos.html …

@SPCoulson
@BillBrenner70 to be fair, there aren’t any websites up at the moment apart from http://notice.usa.gov  ! Not much to DDoS !

@BillBrenner70
@SPCoulson True. But we’ll see what the coming days bring. I’ll be pleased if proven wrong.

@SPCoulson
@BillBrenner70 It is definitely one of those moments when you crack open the popcorn and sit back and watch !

@BillBrenner70
@SPCoulson Given the subject matter, your use of the word “crack” amuses me. 🙂

Yep – thanks to @SecurityNinja for pointing out my OPSEC mistake!

“I shall either feed the troll or fear the community”
Thanks everyone – if you have any suggestions then drop me a note!