Date: 2019-06-11

Ken Munro has spent the last 20+ years making a name for himself in security, picking holes in Internet of Things (IoT) and smart devices to unearth security flaws in them, before going down the right and proper channels to make those flaws known to promote better security design and practice.

Why, you may ask? We live in a world where the IoT is a real part of everyday life. So much so in fact, it’s now become practically impossible to purchase any sort of tech device without some kind of connectivity function built in as standard. TVs, fridges, toothbrushes, wearables, cars, home heating units, sex toys…yep – you read me right on that last one; all manner of ‘smart’ devices come off the shelf with the capability of internet connectivity, whether consumers know it or not.

Internet connectivity in devices can be a great thing; control your home heating from your mobile device, track your heartbeat throughout your day with a snazzy watch, have your fridge let you know when you’re running low on milk – it’s a tech enthusiast’s dream. The problem is, all-too-common IoT and smart device security design flaws can be far less fun, not to mention possibly very dangerous. That’s where Ken comes in.

The work that he and his team carry out is, in many ways, pretty damn important. The types of vulnerabilities that he discovers sometimes have the potential to cause significant harm and damage to innocent and unknowing users. However, if there’s one thing to say about Ken, it’s that even when he’s looking into potential IoT threats, he’s always willing to have a bit of fun (and push a few boundaries) along the way. So how do you get into that sort of gig?
For Ken, it was something that began when, after dropping out of the applied physics course he was studying at university and taking jobs in the hospitality industry, he discovered he had a talent for hacking by persuading a till to print out mortgage amortizations.

Till Tampering and Dr Solomon’s

“I was working at a hotel in Tring in 1995,” he says, “and the point of sale and till system fascinated me. I found that I could get the till to bomb out to DOS – a very early version of DOS – and found a few of the old basic files. I started messing around a bit with them, and discovered I could print off my mortgage amortization statement onto a restaurant receipt.”

It would be safe to say that Ken’s then boss was less than impressed, and he made it clear that he felt Ken’s career path probably lay elsewhere. Ken agreed, but it was a slice of good fortune that showed him just where that might be. At the time, S&S International (later and better known as Dr. Solomon’s Software Ltd, and famed for producing the Dr Solomon’s Antivirus Toolkit) was a fast-growing IT security company, and also just so happened to be a regular customer at the hotel at which Ken worked, often booking it as a conference venue. Having always found IT tech interesting and keen to see what the IT security profession had to offer, Ken approached S&S International and was able to secure a job working in sales admin support, analyzing data.

“A lot of people who are very well known in the infosec industry have cut their teeth at Dr Solomon’s,” he explains. “I worked there for two-and-a-half years, and I was there when the acquisition by McAfee took place. Solomon’s was bloody amazing! What I took from there, particularly from Alan Solomon himself, is that when you’re doing a conference presentation or working at trade shows, you don’t pitch your product – you tell a story. Alan Solomon was brilliant at it.
He would tell a story and let people draw their own conclusions, rather than trying to sell something and ramming it down their throats. “It was great – we had a fantastic time,” Ken smiles, “running distributor incentives, looking at motivating people to help sell the product into the channel. We grew it massively in a couple of years.” The company, over that period, evolved into the leading European manufacturer of anti-virus software. The purchase by McAfee in 1998 did bring about significant change though, for both Dr Solomon’s and Ken. “I’d never been through any acquisition before,” he admits, “but things did get a bit weird for a year.” Ken was put in charge of e-commerce just as it was starting to emerge as a sector, and he learned a lot, but the role wasn’t the right fit for him anymore, and so he moved onto pastures new. After a “random” (by Ken’s own admission) and brief stint working in advertising, PR and website design, he found himself back in the security game with a vulnerability assessment vendor called Vigilante. “They tried to set up a competitor to Qualys, but unfortunately their growth rates didn’t quite work. Two years later, parts of the company were put into receivership.” That led the organization to bankruptcy, and Ken was out of a job, not long after buying a house and getting married. Ironically, he describes it as “the best bit of luck” he has ever had.

Going it Alone

“If you look at most people who start their own business, 80% or 90% of them do so because they’ve lost their job.” Ken had lost his, but he was eager to bounce back and now had nothing to lose. So, with a tech colleague, he founded SecureTest, a penetration testing business that quickly established a reputation for delivering high spec services. It was a move that not only got him back on his feet, but more importantly, cemented a zeal and penchant for pen testing that has defined his career ever since.

“We ran that for five years,” he says, “before eventually selling it to NCC Group. It was great, as together we created one of the largest pen testing firms in the UK (if not the world) at the time, and it was an interesting experience.” However, upon selling the firm to NCC, Ken felt the cultures of the two companies did not align particularly well. “What I learned from that experience was that you can have two similar companies in terms of what they do, but if the cultures are different, it’s like trying to put chalk and cheese together. Both cultures were perfectly valid, but different. I stuck it out for over two years, I worked with some great people there, but the cultures of the businesses were just too different.”

Pen Test Partners

Ken then took a year out from work – he tells me he spent a lot of his time honing his gardening skills and contemplating his next step. Towards the end of that hiatus, Ken noticed that the number of former SecureTest colleagues leaving NCC Group continued to rise, and he could not help but feel that he had, in some way, let his previous colleagues down. “Conversations started about doing something new, something a bit different, and starting again,” he says. That something new was Pen Test Partners, the ethical pen testing business which Ken and his team founded in 2010.
In the last nine years, Pen Test Partners has grown substantially and now boasts some great ethical hackers, many of whom have a stake in the firm. “What’s been really great about what we’ve done is that, having experienced starting from scratch before, we’re not making the same mistakes – we’re making new, different mistakes,” Ken laughs. “It’s allowed us to grow much faster, offer a much higher quality of delivery and be more efficient. We use all the skills we’ve learned over the years just to be better at what we do. It’s allowed us to focus a great deal more on research, which is a big part of our business – doing new, random, crazy stuff!” Ken’s not joking when he says he’s been involved in some “random, crazy” projects. From research into hotel key cards and driverless cars to home control systems, Ken and his team at Pen Test Partners have made some truly groundbreaking IoT and smart tech vulnerability discoveries over the years. I wonder then, if he had to choose his personal highlights, what would he pick?

“One thing I have always wanted to do is to successfully set fire to something through a hack”