Today’s D-List interview is with Forensic 4Cast host and Ricky Gervais stunt-double Lee Whitfield. I first met Lee at the SANS 2010 Forensic and Incident Response Summit and immediately knew that I wanted to be his friend for life – well, maybe we’ll start as Twitter and Facebook friends and see where it goes from there. On with the interview…

Q: Tell us a little about yourself.

I’ve worked as a digital forensic investigator for 5 years. By day I’m responsible for all computer investigations at Disklabs, but by night I produce and host a little-known podcast by the name of Forensic 4cast. I have a tremendous passion for forensics and consume copious amounts or data on the subject – much to the despair of my ever-patient wife. I have 3 children and each of them has me wrapped around their little fingers in their own way.

Q: How did you get interested in information security?

I’ve always been fascinated by computers. I’ve tinkered with computers since getting a 286 when I was in school. I’d always end up breaking something which would drive my dad crazy. He’d then make me sit there for hours and fix the problem. Through this I got to know quite a bit about computers.

Skipping forward a few years (and many fixed disasters) later I met a man named Larry Sewell. He told me about the wonderful world of computer forensics. I was caught up in the romantic notion of pulling out data in impossible situations and started studying the subject at university. At that point I was bitten by the bug and there was no going back.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I graduated from the University of Central Lancashire in 2006 with a BSc in Computing (Forensics). This gave me a good grounding but I felt like I learned more in my first two months in the field than I did in my time at school.

I’ve also done the rounds with Guidance training, getting my EnCE in the process. I’m also a CCE and GCFA. I am tempted to go for more but I’m worried that people might think I’m trying to overcompensate for something.

Q: What did you want to be when you grew up? Would you rather be doing that?

I wanted to be a professional footballer (soccer player). At 33 years old I’m too old to follow that particular dream anymore but I’m quite satisfied with what I’ve accomplished in forensics thus far and I’m looking forward to achieving a lot more in the future. The only thing that would pull me away from forensics would be if Hugh Hefner offered me a position as photographer.

Seriously though, I love working in this field. No, it is not as romantic or cool as I thought it would be but I learn so much on a daily basis. I get to test and experiment with new software and hardware regularly which is awesome as I’m a total geek.

Q: What projects (if any) are you working on right now?

Many things. First of all I did some research on Volume Shadow Copies with my good friend, Mark McKinnon. He and I are beta testing some software called “Shadow Analyzer” which will make investigating the content of these files significantly simpler than they are currently.

I’m also kept busy with Forensic 4cast. We have the third annual Forensic 4cast Awards coming up wherein people can vote for their favourite forensic person, company, tool, etc. The winners are presented with a cool looking award at our annual awards show.

Disklabs not only do forensics but also data recovery. I’ve been looking at the relation between the two and looking at how the knowledge of both can further the field. I’m hoping to share some of the results of that soon.

Q: What can you tell us about the Forensic 4Cast? What was your inspiration and ultimate goal for the podcast?

In 2007 I was working for CY4OR (pronounced “sigh-fore”) in Manchester. The business development team asked for any suggestions for getting CY4OR a more recognised brand. The idea popped into my head for a podcast. I suggested it but no-one seemed to be very interested so I thought I’d do it myself but didn’t want to do one of those podcasts where one person just talks all the time. It wasn’t until I moved to Zentek a year later that Forensic 4cast was born. My brother, Simon, was already working there and was keen to jump in so we recorded our first episode and that was it!
My long-term goal with Forensic 4cast is to get lots of money and eventually take over the world. Actually it has already served its purpose for me. It has helped to get my name out there. It has also served that purpose for others too.

I’d like it to become a more community-driven thing. As much as I’d like to dedicate time to recording and updating the site every day I just don’t have the time with a small family. If anyone wants to record or write something to publish on there please do. I’d love nothing more.

Q: What is your favorite security conference (and why)?

I’ve only been to 3 confererences – F3, SANS Forensic Summit, and the SANS EU Forensic Summit. I have to say that the SANS events are, by far, much more interesting that the F3 event. I also thought that the atmosphere at SANS was different. F3 seems so formal and typically British but the SANS events are more open. People seem much more approachable.

Sadly there’s not a lot happening in the UK in this regard. F3 only happens once a year and, aside from SANS, hardly anyone else puts anything on. There’s a BSides in London in April but I can’t get to that. Maybe I’ll try to host a BSides closer to home in the future.

I dream of the day that I can attend Blackhat and Defcon.

Thankfully I’ll be returning to the SANS Forensic Summit in Austin in June. If you’re there please come say hello.

Q: What do you like to do when you’re not “doing security”?

Its a running joke among my peers that I spend my idle time reading teen vampire novels and watching shows that paint me in a “less-than-masculine” light. Let me just say yes, I’ve read the Twilight books and I like Glee, and yes I cry when watching Extreme Makeover Home Edition, get over it. 😉

I’m also a massive football (soccer) fanatic. I spend a disgusting amount of time watching sports on TV. I also spend a lot of time with my family. Even though I have a passion for forensics I believe my kids are, and always will be, my greatest achievement. No matter where I go, or what I do in my work life nothing will ever compare to being a dad.

I’m also a committed church-goer. I spend several nights a month out trying to better myself and help others.

However, my favourite past-time is self-deprecation.

Q: What area of information security would you say is your strongest?

Definitely dead forensics. This is my comfort zone without question. My current job involves going on-site more than I ever have in the past and I find it quite exciting at times.

I have dabbled a little in other areas of computer security but nothing too seriously. I’m hoping to change this in the future and gain some much needed experience in incident response and even penetration testing. The problem is that there is so much to learn it is difficult to keep up with forensics and still find the time to expand my knowledge in other areas.

Q: What about your weakest?

Everything else. Like I’ve already said I want to increase my knowledge in other areas and some people in the field have been very helpful giving me pointers and suggestions as how to do this. I’ve been crowbarred into programming stuff and that has been a challenge as it has been a few years since I did anything like that, but I’m progressing, albeit slowly.

Q: What advice can you give to people who want to get into the information security field?

There’s so much. First up, start early. If you’re at school now get involved with something. Go to a conference, pay for training yourself, do anything you can to get a leg-up in the field. Start a blog, do some research, go and volunteer to work for free at a relevant company, just do anything. Even if this all seems futile in the short term you’ll end up with a CV that looks awesome. Also how cool would it be to walk in to an interview and for the person to say “I read your research on… and I was very impressed”?

Another thing that’ll help you is if people already know your name. Be active on LinkedIn, Twitter, and use all of these things to your advantage. Do some research, start a blog, just do something to get your name out there. Imagine how much easier your job hunt will be if someone already recognises your name and your work.

Q: What about for someone who wanted to get into forensics specifically?

Don’t be casual about it. Dive in and be prepared to learn something new every day. Start early. If you’re at college or university don’t wait for your education to finish before looking for work. Call people in the field and see if you can get either part-time work or an unpaid internship. Just get some experience somewhere, it’ll be invaluable once you start looking for full-time employment.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

I’m on most of the major social networking sites:

On Twitter I’m @lee_whitfield

On Facebook I’m at http://facebook.com/schizophreud

I’m on LinkedIn

My podcast and blog is found at http://www.forensic4cast.com

I’m not hard to find.

We’re back with another interview from across the pond. Chris John Riley is a fairly well known name in security circles – mainly due to his long battles with a certain ‘hacker’ who shall remain nameless. I first met Chris at Shmoocon 2010 where I explained the finer points of the Superbowl and drank many a beer while we both waited for our rescheduled flights back home to our respective countries – in fact, I think he skipped out on the bill and left me paying for his drinks. On with the interview:

Q: Tell us a little about yourself.

Wow, starting off with the tough questions are we… Well, what is there to say? I work as a penetration tester for a large Austrian financial provider. On the side I do some research, blogging, podcasting and like to break things. All of which I do badly might I add 😉

Q: How did you get interested in information security?

I’ve always been interested in security I guess. Although I always used to think of it as an unhealthy interest in how things really worked under the hood. I’ve broken my fair share of systems by being a little too curious what would happen if I just changed or deleted this or that file. Then again, who hasn’t done that once in a while?

I guess if I had to give an exact time where I knew absolutely that I wanted to work in security; I’d have to say it was a Thursday morning, shortly before lunch. I remember distinctly because I was really hungry, and as I was working in Munich at the time, it was pizza day (as every good Thursday in Germany should be). Anyway, I digress. An interesting project had come across my desk (and by that I mean, my boss emailed me and said “get this done ASAP”). The project was a simple one. Install and configure an Intrusion Detection System to protect an external server farm, and schedule regular vulnerability scans. Finally an interesting project and the chance to play with some IDS stuff. Still, to tell you the truth, the project wasn’t really what made me want to do security, it was the response from management after the project was finished. I sat down with one of the managers after the project and started to go through one of the vulnerability reports I’d run. Lots of red and yellow alerts, lots things to change to make the environment more secure. His response was that the IDS and scans where simply a contractual requirement to win a customer bid. Nobody had the time or interest in changing things. We’d ticked that requirement box that said “IDS and run regular scans”, project done, move on, nothing to see here!

As you can imagine, this didn’t sit too well with me, but there wasn’t much I could do about it at the time. I was still learning German and couldn’t rock the boat much. So, moving on I tried to work security into the next couple of projects and found it increasingly hard to get the real issues across. I tried to convey the idea that security should be built in at the ground floor and not just ignored completely. Well to cut a long story short (yeah, I know, too late), I asked for 4 weeks leave to attend some training (self funded naturally) and was turned down flat. I had the holiday days saved up (yes, we actually get holiday days in Europe), but still I couldn’t get the time. At that point I had a real choice to make. Dive into security full time (as my heart said), or bite my tongue and keep my job (as my head said). So like any hot-headed idiot would do, I handed in my notice, did my training and made the move from Germany to Austria to be closer to my girlfriend.

After a few months of sitting in-front of a computer screen, self training, reading books and generally making a pain of myself, I was lucky enough to interview for an IT Security Analyst position at a large financial institution in Austria. Despite my n00b status in security, they took me on as part of their CERT team and ever since then I’ve been working as a full-time penetration tester. That was 3 years ago now… and I still feel like a n00b every day. There’s always something new to learn.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I never really did the whole university thing that most people say is a requirement. I came out of college in the UK and stepped right into a job. That led to another job, and another. Leaving and going to university just didn’t seem like it was worthwhile at the time. Alongside a lot of self-learning I also concentrated a lot on industry certs on and off. I did the whole MCSE thing (as I was working a lot with MS technology), but that was all before I moved into security.

Once I’d made the choice to move into security, I felt the need to get some basic certs to show I knew what end of the firewall was what. As such I finished up my MCSE: Security and tagged on a compTIA Security+ and some very poorly taught EC-Council certs (C|EH and ECSA) to the mix. Although I didn’t put much stock in the C|EH (still don’t) it did open a few doors for me, and prompted some interesting conversations with companies when interviewing for positions. After I started working as a penetration tester I began attending regular SANS courses (more for the knowledge than the piece of paper afterwards).

Certification for me was never really an end goal. Anybody can pass a cert by remembering the answers to the questions… just take a look at the millions of MCSE certified people out there if you need proof. At least a section of those are paper MCSE. I’d rather have the knowledge and no cert, than have the cert and no knowledge!

“The wisest man is he who knows that he knows nothing”

Q: What did you want to be when you grew up? Would you rather be doing that?

When I grow up I want to be just like you Andrew… except I don’t want to drink Bass beer! Oh, and with spiky hair… red maybe! Red is cool right?

[Andrew’s Note: Chris likes to fault me for drinking Bass…but he loves Corona. He may quite possibly be the worst European ever.]

Q: What projects (if any) are you working on right now?

Wow, that’s a long list. Like most people in security (I’d guess), I’ve got a long list of active, semi-active, inactive, yet to be active, style projects. Most exist solely in my head, but might one day see the light of day!

I’ve been working a lot on the UATester tool I release last year at BruCON. It’s not really about the tool, but I’m trying to get the message across the HTTP headers are cool… Yeah, I’ve got a long way to go on that one I guess. Still, I’m getting there! I’ve recently been working with the man behind Shodan to analyze HTTP headers of the top 10,000 websites. That’s bringing up some interesting edge cases that really show why people should be paying more attention to the little things. You never know what you might be missing!

I’m also working on some SAP stuff on the side. I’ve written a few Metasploit modules for an SAP Information Disclosure issue I found last year. They recently went into the Metasploit main SVN and seem to be getting good reviews. At least, I’ve had some good feedback. There are still a few SAP modules I’m working on, but people will have to wait on those.

The project that’s really taking up most of my time and energy right now though is BSides Vienna. I’m arranging a 1-day BSides on June 18th, straight after the 23rd annual FIRST conference takes place in Vienna. I never knew it was this hard to setup a conference… so many small things that you never consider. Still, things are rolling. So get over to http://bsidesvienna.eventbrite.com and sign-up for a ticket and http://cfp.bsidesvienna.com to send in you entry for the Call For Participation (presentations, workshops, lightning talks….). The more the merrier!

Q: What is your favourite security conference (and why)?

I get to a lot of conferences, and most have their own special charm. DefCon is cool because of the people you get to meet (if you can find them in the crowd). BlackHat Europe is a good one as it’s got all the great content without the 19 tracks associated with BlackHat Vegas ;). I guess I’d have to go with BruCON as my number one conference. It’s small enough to be personal, but big enough to get the great speakers from all over to come. Brilliant location, great company, and the beer helps too!

Q: What do you like to do when you’re not “doing security”?

Sleep mostly! I’d like to say I’m joking, but don’t we all live this stuff???

Q: What area of information security would you say is your strongest?

I hate when people call themselves experts. I guess it’s a pet peeve of mine, and maybe others wee it differently. I like to keep my options open when it comes to thing and as such I spread myself about a lot. Jack of all trades, master of none is one way to describe it. A bit shit at everything, is probably more accurate though 😉

Q: What about your weakest?

Time management… there’s never enough time to do everything I need to do and still manage to eat/sleep as well! I’d get so much more research done if I didn’t have to go to work!

Q: What advice can you give to people who want to get into the information security field?

Just do it… but don’t think it’s the easy life. Working in infosec is hard! If you’re in it for the money then don’t bother applying… Oh and if you think gather CPE credits to maintain your certs might be an issue, then just stay in bed.

Too harsh? Sorry, life in infosec isn’t easy. There are a lot of easier to handle jobs than this and it’s best people go into this with their eyes wide open.

Q: What suggestions would you give to someone interested in becoming a penetration tester?

I may be ruffling some feathers here, but I’d say my first piece of advice would be, don’t do an ethical hacking degree! I’ve spoken to enough people who’ve been through the courses to know that you’re not going to come out the end as a penetration tester. Being a penetration tester is more about drawing on your years of experience as a network admin, developer, telecom expert, . If all you’ve got is a few years learning how to use nmap and Metasploit, then it’s going to be a tough road ahead. Take your time and work as a network admin for a few years. The experience you get will help you more than you’ll ever know!

Q: You’re involved in the PTES right? Can you tell us a little about that?

Yep, I’ve been involved with PTES since the start, although looking at the other names on the list I’m still not sure why. PTES for those that don’t know yet, is the “Penetration Testing Execution Standard”. Although it’s only in it’s early stages, it’s already gaining a lot of momentum in certain parts of the industry. Talking about PTES is a whole interview in itself as it’s such a broad topic. So To keep it brief, our goal with PTES is to design a common language for businesses and security service providers. This includes some pretty detailed information on what a penetration test really is, and what constitutes a penetration test. A lot of people throw the phrase around, but there’s a lot of confusion from both business and the security industry on what it really is. Quite a lot of the time you’re comparing apples to oranges when looking at penetration testing quotes. The hope is, that we can form a standard set of activities so testers and businesses can speak the same language. If you want more information, head over to http://www.pentest-standard.org for a full breakdown of the goals and some alpha release information.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

I’d like to say just whisper my name and I’ll find you, mostly because it sounds really mysterious… but I can’t. So I guess my blog (http://blog.c22.cc) and twitter (@ChrisJohnRiley) would be best. If you’ve got time on your hands and maybe insomnia, you can also listen to the Eurotrash Security podcast (http://www.eurotrashsecurity.eu / @eurotrashsec).

Other than that, I’ll probably be at every single security conference… because I need more free t-shirts!

After a looooong hiatus the Security D-List Interviews are back! To ring in the New Year and get the ball rolling once again we interview author, hacker, speaker and all around nice guy, Jayson E. Street.

Q: Tell us a little about yourself.

Wow what a loaded question to start with ;-). I am a person looking for questions to help answer who I am, an author who loves to read, a father who gets grounded, a husband always on the first date, a human who is saddened by humanity (but sometimes uplifted by it) and an INFOSEC professional who does not see this as a profession. I am not an expert, cynical, or a mature person. I have a lot more serious info about me out there on the web, so no need to put your readers through all of that.

Q: How did you get interested in Information Security?

I’ve always loved the idea of being able to help others. I started in physical security over 20 years ago and at some point grew tired of being shot at, I have a lot of good stories from working on a Gang Task Force but not many good memories, so I answered an ad for computer tech support. Then in 2000 I learned you could do security + computers and, well, I never looked back. It has been an awesome time with no shoot outs (so far).

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

Though my childhood was not normal or pleasant, I had dreams of going to college and becoming an activist lawyer. I dropped out of high school in the 11th grade to get a job to help support the family, but the main truth is I just was not in a place where I could see myself having a future, so I gave up. I do regret not completing high school and opting for a GED. I have always stated that it was the wrong turns, as well as the right ones that have brought me to the road I’ m on now and I wouldn’ t change where I am for anything.

As for certifications I started collecting them to have some kind of paper to show others that I did know something or at least, knew how to pass a test. I firmly believe though no matter the degree or the certification the only way to know how qualified someone is would be by asking them questions and conversing with them. Judge them for what they know and contribute, not by what they can frame and hang on their wall.

Q: What did you want to be when you grew up? Would you rather be doing that?

I wanted to be a teacher, the “ captain my captain” kind (movie: Dead Poets Society), who didn’ t just teach but inspired. In a way, I feel that I am. Though I would like to do it more formally. The main reason I talk at conferences around the world and at local lunch meetings is simple, I want to teach and share the passion I have for Information Security.

From the baker to the banker information security is part of your life. Some may not realize it or think it only affects the wi-fi access point next door, so I want to help them to see the truth and empower them to protect themselves online.

Q: What projects (if any) are you working on right now?

The revised version of the book is completed and is available on Amazon ;-). Thanks to Brian Baskin, Marcus J. Carey & of course Syngress for getting it back out. I’ m now working on a movie deal for the fictional part of it. Plus working out the story for the sequel, which takes place mostly in Europe and will be a longer and more advanced storyline. Plus a few other battles here and there I’ m trying to win.

Q: What is your favorite security conference (and why)?

That is an obvious one DEFCON! When I was in Beijing at XCon people would call me DEFCON since every day I was wearing a DEFCON shirt and Jacket. Even at my conference ExcaliburCon that I co-founded in Wuxi China I was wearing my DEFCON shirts 🙂

The reason is because coming from America the main conference I heard about as I got more into hacking & INFOSEC was DEFCON I know if I was in Europe it would be CCC but even in Europe they want to come and experience the wonderful contained educational chaos that is DEFCON. The first time I made it to Vegas I knew I would be back every year and I have. I also fulfilled one of my personal dreams the last two years by speaking there.

Q: What do you like to do when you’re not “doing security”?

Not much, this is not a career choice but what I do for fun. Just one look at my Lab will tell you that. Some people invest in sailboats I instead have the hacker lab of my dreams. When I come home from work I am in the lab then some family time, then put the kids to bed then back in the lab to around 2 or 3 A.M., most days. The lab is not all INFOSEC. I do play World of Warcraft, Modern Warfare 2 and several other computer games. When I am actually AFK I try to spend time with my family and do things IRL. 🙂

Q: What area of information security would you say is your strongest?

Defense is my strong suit I love building a secure infrastructure. Not just making sure where the IDS/IPS or Firewalls go but all the different aspects of creating a secure environment. I love trying out how to break systems/networks then devising a defense for it. You have to be able to know how to attack if you want to effectively defend.

Q: What about your weakest?

Programming!! I can’ t even manage perl. I realized early on I was not going to be able to contribute to the community by creating a new tool or exploit. That is why I try to help the community by bridging the gap of the INFOSEC/Corporate world. I want to make people aware of the dangers computer criminals pose and at the same time educate them that being a hacker does not make you a bad person by default.

That is the main reason I started the Dissecting the Hack community at dissectingthehack.com. I want a place where people who were just getting into or just mildly interested in Information Security could go ask questions and not be judged. There are people in the INFOSEC industry who take great pride in being better than others and spend their time pointing out the wrong in everybody else with out giving proper input on how anyone can improve. We need to be shown the flaws but we should, at the same time, be willing to help educate and help others who have fallen or made mistakes. My site is not for the perfect to educate the ignorant, but a community helping each other to grow.

No one knows everything but together we can all teach each other something new and valuable we didn’ t know before.

Q: What advice can you give to people who want to get into the information security field?

Don’ t get into this field unless you have the commitment to fight the good fight. I tell people that if you get into this because you think it is a good career choice then you will fail because the people you are fighting are having a blast and having fun. We need to be able to match that zeal and passion, plus we are the good guys so we have that going for us as well 🙂

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

That is easy, I spam the inter-tubes with sites.

My personal site is http://F0rb1dd3n.com.

The book/community website is http://www.dissectingthehack.com.

You can find me on Twitter as http://www.twitter.com/jaysonstreet.

And if you ½ way know me, friend me on FaceBook 😉