Javvad Malik

JULY 5, 2024

As I sit here, reflecting on the recent news of the ransomware attack on pathology lab Synnovis, I can’t help but feel a sense of unease wash over me. It’s not just another headline or statistic; this time, it’s a bit more personal. My neighbour, Oliver Dowson , is one of the many individuals directly affected by this breach, his heart valve replacement surgery postponed indefinitely due to the fallout.

Healthcare 208

Healthcare Data breaches Cybercrime Cybersecurity 208

Javvad Malik

JUNE 6, 2024

Another year another Infosec EU. So, how did it go down? I must admit, I grumble whenever I have to attend an event at the soulless warehouse that is ExCel, located in what can only be described as the appendix of London. However, it is a nice ride on the motorbike to get there, and parking is free (for motorbikes, not cars, but other bikers don’t like it if you park too close ).

InfoSec 162

InfoSec Education 162

Javvad Malik

APRIL 25, 2024

I was taking a walk the other day and saw this pathway which is shared by two houses. The house on the right got their pressure washer and cleaned their half of the path. Part of me secretly admires the pettiness of this move. But the truth is that it is one path and just using one half is not practical. If it needs repair at any point, it’s a joint responsibility, you can’t just fix your bit and expect things to be fine… a bit like using the cloud or outsourcing work to a thir

113

113

Javvad Malik

JULY 20, 2023

The Internet is a treacherous playground, and wouldn’t you know it, Google, the wise old seer of the digital realm, is suggesting that its employees disconnect from the very beast they helped create. Yes, you heard that right, my friends. CNBC’s Jennifer Elias lays it bare for us: Google is embarking on a pilot program where certain employees will find themselves trapped within the confines of internet-free desktop PCs.

Internet 100

Internet Internet Phishing Government 100

Javvad Malik

FEBRUARY 27, 2023

I saw a video on the BBC about a wind Turbine catching fire after a lightning strike. The video looked kind of cool as the flaming blades were spinning creating rings of smoke. With a bit of digging, it transpired that lightning strikes on wind turbines are very common and is only set to get worse as turbines get taller and blades are increasingly made of carbon.

Insurance 140

Insurance Social Engineering Manufacturing Cybercrime 140

Javvad Malik

JANUARY 4, 2023

Cops in Santa Cruz, California, were out in full force, arresting a 19-year-old they allege was behind a sinister plot to swindle unsuspecting beachgoers out of their hard-earned cash. The suspect, Damian Vela of Watsonville, had been placing counterfeit parking tickets on vehicles near the shoreline, complete with a QR code that victims could scan to pay the bogus fines.

Scams 29

Scams 29

Javvad Malik

DECEMBER 29, 2022

The search for a job has never been easy, but with the commoditisation of AI tools, it’s becoming a bit easier for the ambitious jobseeker. Recently, one such individual used AI to apply for nearly 200 jobs in the span of two days – a feat most of us can only dream of achieving. @jerryjhlee Replying to @jaymie_inc this is how you apply to 200 jobs in 2 days — perfect timing with the holidays #resume #jobtips ♬ Betty (Get Money) – Yung Gravy.

Technology 113

Technology 113

Javvad Malik

DECEMBER 28, 2022

It was bound to happen – welcome to the future! Mom took her daughter to see a show. AI facial recognition software recognizes her and she’s unceremoniously escorted out by security. . Her offence? Her employer, a huge law firm (not her) is in protracted litigation with the owner MSG Entertainment, and MSG has a policy that precludes attorneys pursuing active litigation against the company from attending events at their venues.

Government 100

Government Surveillance Advertising Software 100

Javvad Malik

DECEMBER 12, 2022

As I wandered through the psychedelic chaos of Black Hat Europe 2022, I couldn’t help but feel like I had stumbled into the belly of the beast. The vendor area was a tacky nightmare of flashing lights and buzzword-laden sales pitches, but I knew there was something deeper lurking beneath the surface. And then, like a shot of pure adrenaline to the heart, Dan Cuthbert’s opening keynote began and the conference was suddenly alive with the raw energy of truth and rebellion.

Social Engineering 234

Social Engineering Engineering Cybersecurity 234

Javvad Malik

DECEMBER 5, 2022

I saw this picture somewhere on social media of these many locks securing the bolt. However, upon closer inspection, you can see that by simply removing any one of the locks, you unlock the whole thing. I hope you’ll allow me the opportunity of dragging this out into a cybersecurity analogy. But, sometimes the sheer number of products and hoops we deploy end up looking a bit like this picture.

Media 147

Media Cybersecurity 147

Javvad Malik

NOVEMBER 24, 2022

Mercedes is one of the latest car companies to think, “hey, what do we do in a global downturn when new sales are low… I know, let’s limit some features on our car, then when people buy them, charge them extra to unlock it via a subscription model. If it’s worked for SaaS, it can work for us!” According to their site , a mere $1200 a month can give you a “noticeable improvement in acceleration of 0.8 to 1.0 seconds (0-60MPH)” I kind of get it when car ma

Manufacturing 113

Manufacturing 113

Javvad Malik

SEPTEMBER 23, 2022

I love myself a good Security BSides, and I’ve never been to Tallin in Estonia. So when I saw the CFP was open I submitted and was delighted to be selected. View of Riga, Latvia. Unable to find a reliable direct flight to Tallin, and horrendously long connecting flights – I opted for the scenic route which involved flying into Riga in Latvia, and then driving across the border to Tallinn in the fastest car ever made… a rental car.

Phishing 182

Phishing Architecture Education Banking 182

Javvad Malik

SEPTEMBER 21, 2022

I’m filing this one under I’m a bit cynical about it. According to this story there have been a bunch of people who have paid to have their fingerprints surgically altered. Some of the people were workers in Kuwait who had been deported for criminal activity. By having their fingerprints altered, and a new identity created in the Indian ID system Aadhaar, they were able to apply for a new visa to Kuwait.

113

113

Javvad Malik

AUGUST 23, 2022

In Japan, someone registered a trademark for CUGGL as a clothing brand in Japan. GUCCI tried to sue for copyright, but the Japan trademark office stated that CUGGL is not similar enough to GUCCI to warrant enforcement. Well, maybe not in the written word, but what do you think about the partially obscured logo? I am both disgusted and impressed by this. ( Credit to Halvar Flake for the find ).

182

182

Javvad Malik

AUGUST 22, 2022

Lloyds of London has told its members to exclude nation state cyber attacks from insurance policies beginning in 2023, saying they pose unacceptable levels or risk. Hmm so where do we begin to unpack this one? Attribution is never easy, even in the best of times. So who will decide whether an attack is a nation state or just little Timmy trying to impress his friends on the Discord channel?

Insurance 145

Insurance Cyber Attacks Social Engineering Cyber Insurance 145

Javvad Malik

AUGUST 9, 2022

Twilio was recently compromised after a couple of employees handed over their credentials to an attacker. The unsuspecting employees were targeted by a Smishing attack in which they received a text message on their phone saying their passwords had expired and they needed to re-authenticate. A useful link was provided which took the employees to a spoofed page into which they entered their credentials.

Authentication 140

Authentication Passwords Security Awareness 140

Javvad Malik

AUGUST 1, 2022

Group-IB have published a very well researched report on fake investment scams in Europe. The scam follows a well-established set of steps:1. The bogus come-on is published on social media. 2. The victim is taken to a phony investment website. 3. The victim enters personal information in a form on the scam site. 4. A call center contacts the victim, offering more information about the fraudulent investment prospectus. 5.

Scams 113

Scams Media Cybersecurity 113

Javvad Malik

JULY 25, 2022

I saw this post on linkedin and was part disgusted, but also slightly admired the professionalism and thought that went into this scam. An unsuspecting victim was sent a USB drive that for all intents and purposes looked like it came from Microsoft. The packaging and logo all looks legit. This is where people’s biases will come into play. If they plug it in and there’s a popup asking “Are you sure” then unless they’re a bit savvy or paranoid, most people will click

Scams 182

Scams Malware 182

Javvad Malik

JULY 22, 2022

I was recently reminded of this headline from a few years ago where a couple left their bikes unlocked to lure thieves and then proceeded to beat them up with baseball bats. I don’t advocate violence, and nor do I approve of vigilante behaviour. But police around the world use this trick all the time. They will leave cars and wait for thieves to try to steal them.

Cybersecurity 29

Cybersecurity 29

Javvad Malik

JULY 19, 2022

Some interesting research from Malwarebytes Labs. The first was around verified Twitter accounts receiving direct messages apparently from Twitter which claimed their accounts had been flagged for hate speech. They would then be redirected to a fake Twitter help centre to input their login credentials. The second was a Discord phishing campaign where people would recieve messages being accsed of sending explicit photos.

Accountability 113

Accountability Phishing Media 113

Javvad Malik

JULY 15, 2022

We see many discussions these days around deep fakes and how AI will be able to create content that the human eye cannot spot as being fake, leading us to be easily manipulated. However, the reality is that people can be fooled far more easily. The BBC reports that a fake IPL Cricket match was put on by a few villagers who cleared out a ground, nailed down a bit of cloth to resemble a “pitch” and live streamed it on YouTube.

Scams 140

Scams Technology 140

Javvad Malik

JULY 14, 2022

In a paper titled Unintended consequences of smart thermostats in the transition to electrified heating , researchers discovered that most people don’t bother changing the default heating times on these thermostats. As a result at 6am, the strain on the electricity grid peaks as every thermostat clicks on. Akin to launching an inadvertent DDoS attack.

DDOS 113

DDOS Passwords Software Cybersecurity 113

Javvad Malik

JULY 13, 2022

BMW, a brand known for its amazing cars, a model for everyone – built with the infamous German engineering and now offering a whole bunch of options as a monthly subscription. In some ways it makes sense. Streamline your production and build each and every car with the exact same hardware, but then limit options to those who are willing to pay out extra.

Software 113

Software Engineering Hacking Risk 113

Javvad Malik

JULY 12, 2022

The Rolling Pwn vulnerability can be used against some keyless Honda’s to unlock, start and drive off. It allows you to eavesdrop on a remote key fob from about 100 feet away (which for my American friends is the distance from pitchers mount to the outfield grass). On Twitter, @RobDrivesCars replicated the bug in a nice video to confirm that yes, the bug definitely works. .

IoT 182

IoT Technology 182

Javvad Malik

JULY 7, 2022

Over here in the UK we’ve had dozens of MPs (members of parliament) tender their resignation over the last day or so. While I’m not interested in politics, seeing so many resignation letters did provide me with the template to create the perfect letter. It consists of a few steps. 1. Yellow paper (not the white one peasants write on). 2.

Authentication 306

Authentication 306

Javvad Malik

JANUARY 24, 2022

Back in the olden times (in 2005) a website was setup called the Million Dollar Homepage. A brainchild of student Alex Tew who wanted to raise some money for university. The concept was simple, get a webpage composed of a million pixels and sell them all for $1 each. They were sold in 10 x 10 pixel blocks. Whoever bought the block could provide an image, logo, text, link etc.

Advertising 113

Advertising Internet Internet 113

Javvad Malik

DECEMBER 30, 2021

It’s been another weird year for many. Most of the world had vaccines, came out of lockdown, only to be hit by another variant, and ending up in a weird limbo lockdown all over again. As someone who has predominantly worked from home for the last 8 years, I have welcomed the last couple of years. I no longer get the, “oh, so you’re working huh” nudge nudge wink wink from people.

Media 100

Media Cryptocurrency Scams Ransomware 100

Javvad Malik

DECEMBER 17, 2021

“How does your degree compare to my 10 years practical work experience?”. This was something my very first manager used to say often to me and other fresh-faced graduates. He had a point – we knew nothing about the business, any of the tools, or the job compared to him, or indeed anyone else who had been working more than three days at the bank. But we had come in on the exclusive ‘graduate programme’ touted as the future of the workforce.

Security Awareness 113

Security Awareness Education Banking Technology 113

Javvad Malik

DECEMBER 3, 2021

I’m no writer of novels, but I allowed myself to be influenced by national November novel writing month and thought it would be a good idea to attempt a blog a day through the month. In the end, I wrote 17 blogs during November, the most I’ve written in a long time, perhaps ever. There are another 3 which ended up in drafts that will likely never see the light of day.

CISO 208

CISO 208

Javvad Malik

DECEMBER 2, 2021

It was T’s first week in a new organisation and they went into a project meeting for a new product that was about to be released. T: Has this product been pen tested? Project manager (PM): We don’t usually do pen tests on most systems, unless they’re really high risk, and even then we wait 6-12 months after they’ve gone live to do so.

Risk 154

Risk 154

Javvad Malik

DECEMBER 1, 2021

I recently argued that I don’t really care about an aeroplane’s engine and that I only cared about the experience I have travelling on it. Some people argued with me that the engine is very important and without an engine the aeroplane won’t fly. Allow me to elaborate my thinking with the example of a road. When you’re building a road, engineering is of utmost importance.

Engineering 113

Engineering Technology 113

Javvad Malik

NOVEMBER 30, 2021

Along my journey, I cross paths with a stranger. We have never met before, and will probably never meet again. We are aware of each others presence and acknowledge each other without acknowledgement. To each other, we are familiar strangers. There are many familiar strangers, all on their own journeys. Each with their own precious cargo. Some have exquisite rings, others with grand sparkling crowns, and some have small trinkets.

113

113

Javvad Malik

NOVEMBER 29, 2021

I have flown many times in my life, but I’ve never really known the difference between a Boeing 747, 787, or whatever the numbers are. It’s not that I’m not interested in planes. I still look up in the sky when I see one flying overhead and ask myself where it’s coming from and going to. Flying is really a marvel of engineering, and it blows my mind every time I get on a flight.

Engineering 140

Engineering Advertising Encryption Passwords 140

Javvad Malik

NOVEMBER 23, 2021

I saw an article on The Register today entitled, Crypto for cryptographers! Infosec types revolt against use of ancient abbreviation by Bitcoin and NFT devotees. TL;DR the argument is whether or not crypto should mean cryptography or cryptocurrency. Now, I get it, it can be an emotional topic for some – but really? The majority of the population don’t even understand what cryptography actually is.

InfoSec 100

InfoSec Encryption Cryptocurrency Banking 100

Javvad Malik

NOVEMBER 22, 2021

I’m not a CISO, I never have been and hope I never will be. It seems like a lot of hard work and stress, and if you’re the CISO at a company when you suffer a breach it’s difficult to blame the intern without a mob of security professionals criticising you. But I do observe CISO’s very closely, and as a result I have figured out how to be an awesome CISO.

CISO 195

CISO Risk Firewall Cybersecurity 195

Javvad Malik

NOVEMBER 19, 2021

Buy 10,000 trophies from China (max $1 each including shipping) Buy an engraver Register a fancy domain, like, “WorldsBestSecurity.com” Send emails to companies saying they’ve “won” an award in some <random category> For a mere $1000 they can get featured in the WorldsBestSecurity.com listing and receive an engraved trophy. . 10,000 * 1000 = 10,000,000 .

113

113

Javvad Malik

NOVEMBER 18, 2021

If you’ve been on LinkedIn recently, you’ve probably seen your feed littered with polling questions. It could be something simple as, “which of these items do you like for breakfast” or something more specific such as, “Zero Trust is good because…” Either way, I have a bit of an issue with how these are framed, run, and subsequently interpreted.

Firewall 182

Firewall Data breaches Marketing Risk 182