In honor of this week’s security conference triple header of Black Hat, Defcon, and BsidesLV, we thought it pertinent to highlight some of the best and brightest infosec pros in the business – some of whom are long-standing veterans who deserve more attention, and some are emerging influencers we should all be paying attention to.
We privately surveyed a broad spectrum of thought leaders in the field of security and risk management and asked them to recommend candidates in three general areas – Defenders, Educators, and Hackers.
Two weeks ago we featured The Defenders and then last week we followed up with The Educators, and the response from the security community was astounding. This week it’s time to recognize some of the leading hackers in the field – yes, the hackers – because even though the mainstream media gets it wrong every time, hacker is not a derogatory term.
These are the pros who do something really important, and they do it well: They break stuff. When they break stuff, they write about it, they disclose it to those who can fix the vulnerabilities, and they help make all the technology everyone takes for granted more secure.
Hackers are the catalysts for innovation.
Please note that this is not an attempt at ranking these individuals, as the finalists are simply presented here in alphabetical order, and we also realize the list is far from being all-inclusive.
With the caveats aside, let’s give kudos to The Hackers!
Mo Amin, Information Security Analyst at Sainsbury’s
Mo is renowned by his admirers as a first-rate security analyst, and a genuinely nice guy with a passion for knowledge who really enjoys getting involved with the security community, such as speaking on the rookie track at BsidesLondon this year. Those who have worked with Mo say that he is a very dedicated professional with a wide variety of talents, as well as being extremely self-motivated. His skills make him one of those security pros who can adapt rapidly to a variety of work conditions. Mo is known for being technically astute, hard-working and for having an inherent knack for analytics. Expect to see more from Mo on the conference front now that he has taken the plunge. Editor’s Note: Mo really would have been better suited for the Educators list for his focus on security awareness, and the error was pointed out to me post-publication. Apologies Mo!
Dan Borges, Penetration Tester at AppSec Consulting
(@ezs33d) (LinkedIn) (Personal Website) (Hacking and Forensics 101)
First off, Borges just initiated his Twitter account, so click the link above and give him a follow so he doesn’t look like such a n00b – and join the Hacking and Forensics 101 group on Facebook that he runs, one of the most informative on the platform for infosec pros – linked above as well. Borges is an up-and-comer who is extremely passionate about both computer science and information security, and this shows up in the quality of his work. When he sets his mind to a project, he persists until he reaches a level of perfection beyond what is required, if only to satisfy his own work ethic. Borges is a web application and network penetration tester who conducts full spectrum testing of network infrastructures and web and mobile applications, including high quality blackbox testing and full source code reviews. Borges has installed and managed IT systems including LDAP, Database, Wiki, Forum, VoIP, CCTV, and Virtual Servers running a myriad of Linux and Windows penetration testing tools. Borges is definitely one to keep your eye on.
Jonathan Claudius, Senior Security Researcher at Trustwave SpiderLabs
Claudius is a member of Trustwave’s SpiderLabs – the security team focused on penetration testing, incident response, and application security – and he has over twelve years’ experience in the IT industry, most of that time specializing in security. Claudius is the creator of the BNAT-Suite, a set of tools for detecting, exploiting, and fixing publicly available BNAT scenarios, as well as being a regular presenter at numerous conferences including BSides, Thotcon, Source, Defcon, and Black Hat. Claudius is also a member of the Vulnerability Assessment Team (VAT) at SpiderLabs, developing network protocols, application fingerprints, vulnerability tests and Trustwave’s core scanning engine. Claudius has a deep knowledge of security that he readily shares with the community, and like a few others, he could easily have been on any of these three lists.
Ryan Dewhurst, Security Engineer at RandomStorm
Dewhurst is another talented upstart with experience in black-box web application security assessments, penetration testing, social engineering, and secure software development, as well as presenting and leading workshops at local ‘geek meets’, OWASP chapters, and at BruCON. Dewhurst is noted for his work on the Damn Vulnerable Web Application (DVWA) project, where security professionals can test their skills and tools in a legal environment in order to help web developers better understand the processes of securing web applications. Dewhurst is not in security for the notoriety; he simply does it because he is passionate about the work, and it shows.
Matt Erasmus, System Engineer at Norman ASA
Erasmus is said to be a hacker to keep an eye on. He is a South African penetration tester living in Norway who is known for being creative, willing to walk the extra mile on a project, and able to find that vulnerability you never thought you would have. Erasmus is described as a low-key person who may fool you into thinking he is not as skilled or knowledgeable a security professional as he really is. Erasmus is someone who very well may show up on the future agenda of a Black Hat conference, as he is willing to share his passion for security and deep technical knowledge. Keep an eye out for him.
Barnaby Jack, Director of Embedded Device Security at IOActive
As this article was being written, news broke that Barnaby Jack had passed away quite unexpectedly, sending a shock-wave through the security community. Though already quite well known for his amazing ATM and medical device hacks, Jack could still easily be described as both a rising star and a gem in the field. His untimely passing is a major blow to the security community, and it would be difficult if not impossible to find any equivalent loss in this industry, as Jack was truly one of a kind. Aside from his groundbreaking vulnerability research, Jack was also known for his passion, his humble and unassuming nature, and his fun-loving personality. His scheduled talk at Black Hat this week has quickly been re-purposed as an impromptu memorial and celebration of his life and accomplishments, with friends and family putting together a slideshow and sharing the warmest of memories for our friend and comrade. Friends of Jack have also initiated a fund in his honor, with some proceeds going to assist his family with funeral arrangements, and the bulk being given to The Barnaby Jack HacKid Fund, which will underwrite a safe, innovative, creative community for future hackers. We encourage you to donate today and in the future to help preserve Jack’s legacy and innumerable contributions to the security field.
Matias Katz, Director of Professional Services at Mkit
Katz is the consummate white hat hacker, and is described as being a very competent, creative security thinker who can appreciate both the attacker and defender perspectives. Katz is very active in security in Argentina and South America overall, where he oversees the secure development of applications and enforces the use of good coding practices in software development, performing vulnerability analyses of applications prior to their going into production. Katz also teaches the Computer Security Specialist postgraduate courses at Universidad Tecnologica Nacional, as well as the Systems Engineering, Information Security, and Information Security Director postgraduate courses for students at Universidad CAECE. Watch for more from this rising star.
Jeff McJunkin, Systems Security Professional
McJunkin is a web and network penetration tester telecommuting for a Bay Area consulting firm, who has done very well at a number of Capture-the-Flag and other competitions in the past, including winning a regional NetWars and the United States Cyber Challenge CTF, and placing 3rd in the NetWars Tournament of Champions. McJunkin will be at Defcon and BSidesLV this week, doing the Red Cell-Blue Cell competition. McJunkin will also be teaching a series of information security classes to students at Southern Oregon University this fall, with special focus on the Collegiate Cyber Defense Competition, which SOU will be competing in for the first time in 2014. McJunkin has a lot of potential in the security realm but is still fairly unknown – hopefully this mention will help change that.
Xavier Mertens, Security Consultant
Mertens was pitched as being “a European guy who is gaining fame for his awesome post-conference roundups. He captures the essence of a conference really well.” Mertens says he enjoys doing both offensive and defensive security to better protect assets, because we need to understand how attackers operate in order to better defend against their tactics. Mertens’ expertise includes pentesting, social engineering, security audits, incident management, security architectures, SIEM and security visualization. A security blogger at night, Mertens is also a co-organizer of BruCON, and applies his innovative thinking to staying ahead of the evolving threat landscape. Mertens is said to be one who gets the job done, and is a natural leader, organizer, and front-man for the security community as a whole. Expect to hear more of his achievements.
Nicolle Neulist, Associate Security Consultant at Accuvant
Neulist is a lawyer turned hacker with a strong interest in network security, application security, and Linux. As a creative problem solver, Neulist works with a team to implement and maintain a secure IT infrastructure, perform vulnerability assessments, and conduct in-depth penetration testing, as well as providing her clients with a clear picture of their security posture and how they can improve it. Neulist is a popular speaker and ever-present force at some of the biggest security conferences and events in the business, and is known for being direct and assertive in applying her knowledge and expertise. If Neulist has not popped up on your radar yet, use this opportunity to take note of her prowess as a hacker, innovator, and thinker.
J. Oquendo, Lead Security Engineer at E-Fensive Security
Oquendo is a security practitioner with a broad range of experience and expertise in networking, systems administration, design, engineering, and exploitation, as well as being responsible for incident handling, penetration testing, information risk assessments, audits and compliance testing. Oquendo’s research has produced exploitable discoveries for IBM, Microsoft, Cisco, F5, VMware, SAP, and more. Oquendo has also developed proprietary penetration testing tools and processes, a proprietary SIEM based on an open source tools framework, and has taught offensive security, malware analysis and reverse engineering for the Cyber Security Forum Initiative’s (CSFI) Defensive Cyberspace Operations Engineer course. Oquendo could best be described as a hacker’s hacker, and is a force to be reckoned with.
Fabienne Serriere, Systems Engineer at SysEleven
Serriere is known as a real mover and shaker in the hardware hacking world, and is also a fervent social activist who describes herself as a “futurist at heart, but one who believes that the future should be present during the present.” She divides her time between hardware hacking and a wide variety of personal interests not connected to security, though all of which could fairly be described as being quite innovative. She has written for the Weblogs network (now owned by AOL) since 2005 and for numerous other blogs on topics including hardware hacking and open source technology. She appears to be ever gaining momentum, and we can expect to see some impressive work from Serriere in the years to come.
Kat Z. Sweet
While Sweet’s upcoming presentation at BSidesLV on the 3D printing of – well, let’s just call them intimate fulfillment devices – might be considered NSFW, some renowned infosec influencers believe she is the embodiment of what a ‘hacker’ really is – taking technology and tinkering with it to make it her very own. Not your typical hacker-type, Sweet has a degree in gender and women’s studies, an academic path that she says gave her the opportunity to compose numerous and heavily researched papers about, er… those personal devices. The provocative nature of her interests and forthcoming BSidesLV presentation are illustrative of her dedication to independent thought, a valuable trait for a hacker. We should expect big things from her going forward.
Ken Westin, Security Researcher and Creative Technologist
Ken is a security researcher at Tripwire with 14 years’ experience building and breaking things through the use/misuse of technology, and is the Founder of the popular GadgetTrak cross-platform mobile security and data protection software, which he first launched in 2007. Westin’s technology exploits and endeavors have been featured in Forbes, Good Morning America, Dateline, the New York Times and The Economist, and the Portland Business Journal included Westin in their 2013 “40 Under 40”. Westin has won awards from MIT, CTIA, the Oregon Technology Awards and SXSW, and his endpoint security research and tools are included in the Certified Ethical Hacker training materials and other publications. Westin is often sought out as a subject matter expert in the areas of cyber security, privacy and surveillance, and we can expect to see more from him in the way of innovation in the years to come.
Leron Zinatullin, Information Security Expert
Zinatullin, a recent presenter at BSidesLondon, resides in the UK where he is finishing his Master’s degree in infosec and apparently already has a job lined up at KPMG. He is described as being one of those really hard-working guys who will no doubt end up making a good name for himself in the field. While he is at first glance a business-oriented security specialist with experience in legal and regulatory compliance, GRC and privacy issues, he has identified security gaps for a large energy company and was responsible for implementing the required changes to the infrastructure. Zinatullin has conducted numerous vulnerability, threat, and risk assessments, as well as designing layered information security system architectures. While not your typical hacker type, he applies his vulnerability assessment skills to breaking and fixing, and that is the mainstay of any good hacker.
We know there are many, many more out there – so who would you suggest? Make your recommendations in a comment below, or shoot me an email at afreed at tripwire dot com and we can include them in a subsequent article. Cheers all!
Editor’s Note: A special thanks to the many infosec pros – and you know who you are – who helped us identify these fine defenders and put this list together – we appreciate your time, input, and above all else your candor. Additional data gleaned from publicly available LinkedIn profiles.