Hacking Team: 5 Tips For Recovering From The Alleged Breach

Hacking Team, an Italian company that helps governments spy on their own citizens, has apparently been hacked itself.

As the story is such big news today I’ll let you get the details elsewhere – Graham Cluley’s article is as good a place to start as any.

Instead, here are a few ideas for how the company can respond to the alleged incident:

1. Move quickly

If Hacking Team has indeed been breached then the speed with which they respond could be key to mitigating the effects.

We’ve already seen what appears to be torrents full of corporate data appear on the web and attract an undue amount of attention via social networks.

Given the sensitive nature of their business, and the even more sensitive makeup of their alleged client list, it would make sense to do whatever possible to limit any further exposure of the company’s corporate data.

Taking the website offline until it can be thoroughly checked for the point of entry – and fixed – could be a good starting point.

Hacking Team would also be well-advised to remember it has other public-facing assets on the web too, i.e. Twitter accounts, which also appear to have been compromised. Taking those down, along with any other accounts on Facebook, Google or elsewhere, would also be prudent until fixes are made.

2. Get help

Normally sound advice to a small company would be to employ the services of a security professional following a breach. Their particular field of expertise could prove invaluable to an organisation whose main line of business lies outside the security field.

In the case of Hacking Team, we can only assume that some top talent is already on the payroll but, given the line they operate in, I’d imagine it has friends within some pretty interesting government departments.

Time to call in some favours?

3. Own it

Telling the world you take security seriously after a breach which demonstrated that you didn’t beforehand is an increasingly lame way of doing business. Given Hacking Team’s client list, that’s not an approach that will win it much repeat business should the hack claims be true – and let’s not forget that the internet is awash with nothing more than opinion right now; I’ve seen nothing to say a breach categorically did occur.

That said, if the claims are true, Hacking Team would be well advised to own up, at least to its customers, and start working towards building their trust again.

Denials and delays never helped anyone.

4. Disclose it

Disclosure is always important after a breach, either for regulatory reasons or simply to maintain goodwill with customers current and future. In this case, if a hack did occur, Hacking Team would likely be talking to clients who already know what’s gone on. Even so, working with the authorities seems like it’s a given.

5. Ensure it doesn’t happen again

This is the big one.

If the company has been hacked once there is every chance it could be targeted again, especially given the nature of its business.

While no-one likes to think about lightning striking once, there is a real danger it could strike twice. If that is a sentiment that applies to Hacking Team, it may wish to brush off its disaster recovery plan, check its security procedures and, depending on how the alleged attack was initiated, look into some staff security training.

Even more importantly, the company may need to employ some expert negotiators if it wishes to continue attracting nation-state contracts for its services.

So there are my thoughts – can you offer Hacking Team any extra tips for coping with the apparent hack it has experienced?

image credit: Reactions to the Hacking Team breach

The Password Is Dead. Long Live… The Selfie?

Last month I wrote an article for Naked Security about how an innovative British company had come up with yet another alternative to the humble passcode.

Intelligent Environment’s system is based around the use of emojis (if you’re as old as me and don’t have children that means smiley faces and all manner of other characters, the likes of which you see in txt mssgs and on Facebook, or whatever the cool kids are using right now).

It sounds like a pretty good idea to me – I learned how the human brain is far better at picture association than recalling numbers – and also that, by using 4 emojis from a pool of 44, you would drastically improve the available number of combinations relative to just using the numbers 0-9.

I concluded that the system has drawbacks that are similar in nature to passwords and self-created PINs – some people would, undoubtedly, for instance, create a passcode that is 4 love hearts (you gotta love a romantic, eh?). Or pick the first four emojis from the first available line, in order. But that’s not a problem with the system, it’s an issue with the person picking the passcode (training, awareness, as ever).

So, beyond the lack of a suitable emoji password manager, it’s a system with potential. In my opinion.

Add to that other new developments, such as authentication via fingerprints, veins, smell and all manner of other gummi bear, hacksaw and, erm, hmm, scent-attributable counter-hacks and we now have quite a pool to choose from when deciding how to verify identity.

Are they all secure?

Maybe, maybe not. Some are better than others for sure.

So do we need an alternative?

Yes.

At least that’s what Mastercard thinks.

The credit card company is currently playing with a new app which will allow its customers to verify their payments by… taking a selfie.

Fortunately it appears to be geared towards online payments only which is great as I could otherwise imagine a scenario in which I would get held up in a queue at my local supermarket while someone fumbled around in their pocket and backpack, looking for their smartphone and selfie stick. So glad that won’t be a reality.

But anyways, I digress.

Mastercard currently uses a system called SecureCode for online purchases – it allows the cardholder to verify their identity by entering their password at the time of purchase. Now, we know that many people have a bit of trouble remembering stuff these days – it’s called Digital Amnesia by Kaspersky and the Google Effect by everyone else – so an alternative is obviously required. According to Mastercard.

Enter the selfie: Trialists in Mastercard’s new authentication experiment, which is also designed to overcome the issue of lost, stolen or intercepted cards, will be asked to take a picture of themselves when virtually checking out.

An app running on their device will then wizard the self-taken snap into a binary stream of 1s and 0s using facial recognition tech and send it to Mastercard which, in turn, will then compare the selfie to an image of the cardholder held on record.

As long as they haven’t donned a balaclava, put on an over-sized pair of shades or developed a hideous case of acne, the software will say “yes” and let the transaction proceed.

Speaking to CNN Money, MasterCard executive Ajay Bhalla said:

We want to identify people for who they are, not what they remember.

We have too many passwords to remember and this creates extra problems for consumers and businesses. The new generation, which is into selfies … I think they’ll find it cool. They’ll embrace it.

The trial, which incorporates 500 customers, appears to be in the early stages right now and is set for a wider rollout next year.

The privacy-conscious among you will be pleased to hear that Mastercard says it will not be able to reconstruct faces from the snapped images and the security aware will be glad to know that the process requires some blinking in order to block the potential for photographing still images.

Whether the system will prove to be effective or not is up for debate and, I guess, is a question best asked after the broader trial.

For now though, do you think it sounds like a good idea?

I’m not sure myself – I hate other people taking my photo, much less doing it myself.

So I guess it’s back to emojis for me, though I still have to learn how to identify them all. I mean, I’m still struggling with LOLs and LMAO FFS.

The Impact Of Digital Amnesia And The Google Effect On Security

‘The Google Effect’ – the thought that our reliance on the internet is making us dumber – was first put forward by Professor Betsy Sparrow of the University of Columbia, Professor Daniel Wegner of Harvard University and Jenny Liu of the University of Wisconsin-Madison in 2011.

Psychologists posited that our increased use of the web to discover new information was actually detrimental to our mental acuities because we had the ability to continually surf to the information we required, when we needed it, and didn’t have to commit as much to memory as in years gone by.

The theory, arguably since proven, has since been expanded upon by Kaspersky Lab which conducted its own survey into the effect it refers to as Digital Amnesia.

Focusing on UK consumers and the use of mobile devices, the study revealed how the majority of consumers in Blighty can no longer recall phone numbers from their own memory, instead having to rely on the digital memory stored within their handset. Now, before you think that’s just common sense in a world where we all have hundreds of ‘friends’ and ‘contacts’ due to our immersion in social networks, Kaspersky determined that it is not just the vaguest of phone numbers that pass through our sieve-like heads – we actually struggle to remember our kids’ phone numbers, our significant other’s number and even the digits required to call into work.

Offering up light proof that it’s a tech thing, the survey determined that respondents were better at remembering numbers from the past – about the same number of respondents knew their home phone number from when they were kids as knew their current partner’s number.

So, what does this mean from a security perspective?

As you may imagine, Kaspersky has an interest in certain products and services, so it’s hardly surprising to realise that our inability to recall simple strings of numbers, associated with people we presumably care about, can be tied to their business model.

That aside, another survey of 6,000 European consumers – aged 16 and over – threw up some interesting data:

Just over half of the respondents (53%) in the 16-24 year-old range said they relied upon their smartphone to store everything they feel they need to know.

What if that smartphone became lost or stolen? Do they have backups of their data? Tracking apps installed?

According to the survey, the answers are probably not what we’d hope – 40% of the younger age group and 44% of women said they would be devastated if they lost their device because they had priceless memories stored on them. Thirty-eight and twenty-five percent respectively said the loss of their device would leave them in a panic as they had no backups.

The study – and this is Kaspersky’s angle – also discovered that only around a quarter of all smartphone users install any kind of security software.

Ok, so maybe it could be argued that the security threats seen in the media are a tad overplayed, at least where some mobile OSes are concerned, but it’s still alarming that people are not taking security seriously with every device they own, especially as we head into an ever more interconnected world.

David Emm, Principal Security Researcher, Kaspersky Lab had the following to say:

Connected devices enrich our lives but they have also given rise to Digital Amnesia. We need to understand the long term implications of this for how we remember and how we protect those memories. The phone numbers of those who matter most to us are now just a click away – so we no longer bother to memorise the details. Further, an overwhelming 86% of those surveyed say that in our increasingly hyper-connected world people simply have too many numbers, addresses, handles etc. for them to remember even if they wanted to. We discovered that the loss or compromise of this precious information would not just be an inconvenience, it would leave many people deeply distressed.

Interestingly, what Emm and the report failed to address was a far more obvious problem associated with shrinking memories – the topic of passwords.

We’ve all read the post-breach stories and ingested the advice about never using the same password twice and always picking complex credentials that don’t look like ‘123456’ or ‘passw0rd’.

And we all know that people continue to make the same bad choices regardless.

Perhaps now, we can look at the Google Effect and have some sympathy, or at least some understanding, for why some people keep on trying to keep things simple, why they store passwords in their phones, or on post-it notes.

Such activity may seem silly to some of us but there’s a huge difference between someone who is paid to be security conscious for a living and someone who is not.

As we’ve said before, and will say again, security is all about people. Or at least it should be.

Smartphone apps, password managers – pah! – what good are they if we can’t get the right messages out to people who simply forget the importance of what we take for granted.

More awareness is certainly required.

But sometimes I think we are taking the wrong approach – perhaps it’s security professionals who sometimes need the awareness training – so that they can then understand the topic from the point of view of those who reside outside of the industry?

Ransomware – Would Your Organisation Feel Compelled To Negotiate With The Data Hostage Takers?

I’ve just finished reading an interesting mini-report from ESET that was compiled during InfoSec earlier this month.

Based on the responses of 200 security professionals, the security vendor has deduced that a whopping 84% of them believe their company would be screwed if its systems became infected with ransomware (bogus claims of illegal activity on your part, the suggestion that you’ve been caught watching porn on your computer, the hint that your system is infected with malware or, more commonly, the encryption of everything on your hard drive – basically something you’ll have to pay to rectify).

In fact the problem is so bad that 31% of them say they’d do the unthinkable and pay up to get their data back or otherwise make the problem go away.

Now that, in my opinion, is rather alarming.

That a small one-person company could find itself in the position where it had no viable off-site backups in place is an unfortunate scenario. That a non-security-centric business could have a workforce that isn’t sufficiently trained and aware of the risks associated with malicious email attachments, messages from strangers on social networks and the dangers of visiting ‘dodgy’ or otherwise corrupted website links is a problem we’d all like to think is a thing of the past, though we can almost understand it.

But for an organisation of a certain size – the size that dictates they employ at least one security professional who made the trip to Olympia earlier this month – to be in the position where they see the risk of ransomware getting onto their systems as such a huge issue is, well, unforgivable.

Isn’t it?

Ok, maybe that’s a bit harsh – even the best can potentially get caught out and fall prey to data-taking malware (training, awareness, did I mention those?) but to not have suitable backups in place is bordering on the reckless.

Given how ransomware has hit the headlines recently – a return on investment of 1,500% really is rather impressive – and how the cost of duplicating data is relatively low, what exactly is the excuse for not backing up I wonder?

Ransomware is a real problem once it takes hold, offering the simple choice of paying up or losing everything. If you pay up, like the Maine Police Department recently did, you’re funding the very criminals who create the ransomware in the first place. If you don’t pay, and don’t have untainted backups, you’re in trouble.

So, please do install security software. Please train your staff. Please keep off-site backups that you update and check regularly. And do keep everything else patched and up to date.

As Brian would say,

In the case of ransomware, prevention is really better than the cure.

Toshiba Working On “Unbreakable” Encryption Tech

Asian tech firm Toshiba Corp has grand plans for encryption – it wants to make it completely unbreakable.

The ambitious plan, which Toshiba hopes will come to fruition by 2020, will attempt to address the issue of transferring encryption keys securely in a world where even mail carriers could be engaging in espionage.

The key to Toshiba’s system is a quantum-cryptography system that will make use of photons – light particles – that will be deliverable via custom-made fiber optic cable. No internet required.

According to the Wall Street Journal,

Due to the nature of the particles, any interception or wiretapping activities on the cable would change the form of data, making any spying attempts detectable. And the one-time key would be the same size as the encrypted data, meaning there will be no repeated use of the pattern, which would make decoding without the correct key impossible, analysts say.

The company, which is better known for its TVs, laptops and computer components, will test its new quantum-cryptography system for a period of two years. If it proves to be successful, we could expect to see the company take it to market in ten to twenty years which, beyond being a long way into the future, is also a huge pita for anyone looking for an alternative to RSA and ElGamal encryptions.

Currently able to transmit photons at a distance of 100 km without a repeater, Toshiba’s experts will take the system out of its own labs and into Japan’s Tohoku University in August for further testing.

Whether the new system will prove to be the silver bullet we’re all looking for remains to be seen – as Tripwire’s Ken Westin says:

It is great to see new innovations and research focused on better methods of encrypting data, however when I hear “unbreakable encryption” or “100% secure” I immediately think of the Titanic. Making such claims in the world of security, particularly when it involves new technology is getting a bit ahead of ourselves, particularly when it will not be deployed for another decade. A component of security that is often overlooked which is critical to adoption of new security technology is usability and actual adoption of the technology.

Not only that, Toshiba also has to contend with domestic competition from NEC Corp. and other non-Japanese firms who are also looking into new types of encryption technology. Add the fact that development of such tech doesn’t come cheaply – the WSJ says Toshiba’s servers cost $81,000 a pop – and technical issues such as heat and vibration caused by far-travelling photons, and it’s hard to see the company’s dream of providing “perfect” encryption to everyone becoming a reality any time soon.

And talking of perfect, there are no guarantees that Toshiba’s system will deliver that promise either with Westin saying:

Even if new technologies are able to completely ensure the encryption of data in transit, this does not ensure that the data is encrypted at rest, so many of the challenges with securing data we see today could still exist. We will see a lot of changes over the next ten years and it’s hard to know how effective newer encryption technologies will be when they are deployed.

But what if a completely unbreakable form of encryption was developed?

How would the various governments of the world react? Do you think they’d be pleased? :-)

Computer Issues Ground Polish Planes But Was It A Hack?

I’ve often seen it said that flying is the safest form of travel (don’t believe it myself, damn phobia) but, according to recent events, it also appears to be the most hacked.

Just one month on from all the hoo-ha about Chris Roberts hacking into a plane’s systems to steer the aircraft, and two months after American Airlines flights experienced significant downtime after the iPads they use for distributing flight plans crashed, we’ve now seen further flights apparently grounded by hackers.

Over the weekend, some 1,400 passengers were stranded in Warsaw after Poland’s national airline – LOT – discovered it could not log the flight plans for its departing aircraft.

That, according to Reuters, was because hackers had targeted the ground computer systems at Chopin airport.

Company spokesman Adrian Kubicki said the afternoon hack affected flights for around five hours, grounding ten of them and delaying a dozen more.

In a press release, LOT said:

Today afternoon LOT encountered IT attack, that affected our ground operation systems. As a result we’re not able to create flight plans and outbound flights from Warsaw are not able to depart. We’d like to underline, that it has no influence on plane systems. Aircrafts, that are already airborne will continue their flights. Planes with flight plans already filed will return to Warsaw normally.

In a subsequent release the airline explained how it regained control of its IT systems quickly and was working to restore normal service just as fast as it could.

With further details of the claimed attack hard to come by, speculation has been rife over just what really happened. Given how airline hack stories are ‘hot’ in the media right now, it is understandable that this incident would be labelled such but it is, until confirmed otherwise, just as likely to be a computer glitch, a hypothesis first put forward by ‘Information Security Pornstar’ the grugq who said:

The story doesn’t make sense, and most of the actual info so far suggests a “glitch” caused by an unauthorized user.

Whatever the case may be, the grounding of Polish airplanes, along with iPad glitches and the confirmed hacking of inflight entertainment systems certainly should be raising some eyebrows and prompting security and staff training reviews, or so I would hope.

As our CEO Brian Honan wrote for CSO Online,

Like so many other business sectors around the world airlines are taking advantage of the benefits computer systems can bring in improving their processes, enhancing the customer experience, and reducing costs. Given the nature of their business the security of these computer systems, both in the air and on the ground, is of tantamount importance to airlines and their passengers. The events of today in Poland and the other previous events have raised more questions than answers regarding airline security.

LOT continues to investigate the incident and says it will share what it learns with law enforcement agencies. Kubicki suggested the biggest concern was the fact that LOT’s systems were the same ones used by other airlines, meaning an attack (if that is what this is) could be equally successful against them too.

Minds.com – Would You Join A New Social Network Supported By Anonymous?

Social networks – most of us are part of one or more nowadays – but most people still aren’t aware of the ‘dangers’ that come with membership.

I’m not just talking about the risk of having an account hacked, clicking on a shared but malicious link or posting an embarrassing photo when drunk. There are other factors to consider too – and these are the ones most people give little thought to – such as the need for the firms behind them to make money in order to appease their investors.

How does a Facebook or a Twitter do that without a product to sell, or a monthly subscription to charge?

Simple – they make YOU the product.

Or, to be more precise, they make your data the currency with which they do business.

Even though we live in a post-Snowden world in which some people claim to value their privacy, the fact of the matter is – as Graham Cluley recently pointed out – most people “just don’t care”.

But they should.

Minds

Enter Minds.com, a new social network which promises to deliver a similar experience to its competitors, i.e. the ability to follow and interact with other people and share content, while promising privacy, security and transparency about how posts are promoted — making it the DuckDuckGo of social, if you like.

Unlike the more popular social sites, Minds.com will not seek to make money from data collection and will, instead, encrypt all messages shared across the service, thus ensuring they cannot be read by advertising companies or the various nosy governments of the world.

The site – which has been launched with both desktop and mobile apps – is open source, meaning anyone can contribute to its design and the upkeep of the network.

Based on a rewards system, Minds.com favours those who upload and share content or leave votes or comments, giving them points which they can then use to promote their own work:

For every mobile vote, comment, remind, swipe & upload you earn points which can be exchanged for views on posts of your choice. It’s a new web paradigm that gives everyone a voice.

With such a transparent system at its heart, what’s not to like?

As Mark James, security specialist at ESET, says:

The trouble with any type of social network is that it is only as good as the user base, whether it’s Friends Reunited or Facebook, without users and continuous support it cannot last long or sustain a large following.

Social networks are about the ability to connect with all your friends and find old or new contacts, there have been many instances of these attempting to take on the giant Facebook but few have come close.

Now I am not saying it doesn’t have a place, privacy, security and transparency about how posts are promoted is a great idea and I think it will have a loyal base of followers but it won’t be a Facebook killer. There will always be the association of malware with any social network as it’s a large captive audience with a high degree of trust from “friend” to “friend”.

And maybe the fact that it’s also heavily supported by the hacktivist collective Anonymous – the Robin Hoods of the internet or cyber terrorists, depending upon your point of view – who said:

Let us collaborate to help build minds.com and other open-source, encrypted networks to co-create a top site of the people, by the people and for the people.

Does Minds.com sound appealing to you?

Downing Street – The Place Where Information Security Goes A Little Too Far?

There was an interesting piece in the Financial Times yesterday (registration/payment required, unfortunately) about the topic of information security/data protection within the heart of the UK government.

It seems as though politicians and civil servants got a little bit tetchy back in 2004, just before the then Labour government introduced the Freedom of Information Act.

Coincidentally, or as a consequence – it’s not clear which – the email system running on Downing Street computers was changed so that emails would no longer be archived indefinitely. Instead, all emailed communication was set up to be automatically deleted after three months, unless specifically saved by one of the individuals involved in the electronic exchange.

The Financial Times says the Cabinet Office suggested other departments should also adopt the same policy, though not when emails related to policy development or ministerial advice.

An unnamed official said the timing of the system change was unplanned and based upon advice from the National Archives on “best records management”.

While it goes without saying that some emails should probably not be archived for evermore, on the grounds of security, the fairly blanket approach to purging nigh on everything proved to be “hugely frustrating,” according to one aide who spoke to the FT.

Sean Kemp, a former aide to Nick Clegg, claimed the system made people in government extremely nervous about saying anything of substance in emails, adding that:

Some people delete their emails on an almost daily basis, others just try to avoid putting anything potentially interesting in an email in the first place.

So, what are the consequences of such a system?

On the positive side, there is the fact that nothing of value to an outsider is likely to be sitting on an email server in the heart of government. At least for not too long. We hope.

But on the flip side, as the Financial Times article suggests, the whole system was actually counter-productive, forcing people away from the convenience afforded by the email system and back into old-fashioned forms of communication, away from prying eyes, where no witnesses could log what was being discussed and few participants could ever fully recall what was said.

Even more curiously, the article also alludes to the fact that at least one permanent secretary was unaware of the system in the first place, assuming that disappearing emails was a feature of his BlackBerry phone… so I guess we can also conclude that security training (anyone care to teach Mr Cameron about encryption?) and awareness are an issue within government too perhaps?

How does your organisation compare with the highest administrative body in the land?

Are you protecting your information adequately? Or are you maybe being a tad over-zealous in your security measures?

Just like the UK government, you have to assess what needs protecting and what doesn’t. It’s a question of risk and appetite.

Twitter Ye Not – Microblogging Site Blamed For ‘Endangering National Security’

Over the weekend one of the biggest stories surrounded the Sunday Times article about Edward Snowden and how his actions may have placed US and UK spies’ lives in danger. With every source for that article hiding behind the cloak of anonymity, it has been widely trashed by the security community. And probably rightly so.

But what the story did do was detract from something else of interest – a piece in the Telegraph about how one of Britain’s top cops has suggested Twitter could be ‘endangering national security’ by tipping off users who may be under surveillance.

On the back of the news that Twitter blocks two-thirds of the UK government’s requests for information, Sir Hugh Orde, former president of the Association of Chief Police Officers and Northern Ireland chief constable, said the approach of Twitter and other tech firms “needs to be addressed”.

Prime Minister David Cameron, who favours the abolition of encryption, also waded in, suggesting that social media companies have a responsibility to the safety of the British public which could only be honoured by handing over terrorism-related data whenever asked for.

Responding to a report by the government’s independent reviewer of terror laws, which claimed Twitter and others had alerted terror suspects that they were being monitored by the authorities, Orde said:

Clearly this needs to be addressed. It’s a statement of the blindingly obvious that this is endangering national security. Anyone who thinks it’s sensible to compromise investigations is acting in an extremely irresponsible way. It certainly needs to be looked at.

Adding to the wave of condemnation, Professor Anthony Glees, from the University of Buckingham’s Centre for Security and Intelligence Studies, said Twitter’s behaviour was “deeply offensive” and driven by profit:

The implication is that Twitter views itself as neutral in the fight for a decent and safe society. The people who use Twitter will be horrified. It shows the depths to which people who make money out of the lack of regulation on the internet are prepared to go.

So, I guess the question is, just how horrified are you?

Are you horrified that Twitter and other social networks don’t simply hand all of your data over to the authorities whenever they click their fingers?

Maybe you are horrified at the thought of Twitter informing people – who have not been convicted of any crime – that they are being spied upon?

Perhaps you are horrified that two online newspapers have run ‘scary’ stories within days of each other?

Or are you just horrified that the government and other authoritative figures don’t have a grasp on topics such as privacy and how the internet works as they continue to promote “The Snooper’s Charter” as the solution to a problem arguably of their own making?

Congratulations Lee

As many of you know, we are extremely lucky to have the ever-talented Lee Munson as our Social Media Manager. Lee also writes for his own excellent blog, Security FAQs, and is a contributor to the Sophos Naked Security blog.

The beginning of this month saw the third European Security Blogger Awards which were held during Infosec Europe.

We were delighted to see Lee not win in one category, or indeed in two, but in fact he won in three categories.

Lee’s own blog Security FAQs won

  • The Best Personal Blog Category and
  • The Best European Personal Blog Category

Not only was his great work and contribution to the community recognised for his own blog, but Lee also bagged an award as part of the team for the Sophos Naked Security blog.

I, and the rest of BH Consulting, are thrilled at Lee getting this well deserved recognition. He has been a long time contributor to the information security community. His ability to explain complex issues in a clear manner is a rare skill, which is further backed up by his enthusiasm.

Congratulations Lee, and we look forward to more success for you in the future.

Infosec Europe have a great overview of the awards night on their blog, with some great pictures from the night, including one of Lee giving his winning acceptance speech. The picture above is of me and Jack Daniel congratulating Lee after his win.