David Cannings

David Cannings

Cyber Security

Biography

This is the personal webpage of David Cannings. I work in IT security, my hobbies are varied and include coding, reverse engineering, playing the drums, board games and electronics.

The site is updated very infrequently, most technical work is now done for my current employer.

All opinions stated on this site are my own.

Interests
  • Incident Response
  • Threat Intelligence
  • Reverse Engineering

Experience

 
 
 
 
 
PwC (UK)
Director - Cyber Threat Operations
PwC (UK)
September 2019 – Present UK
Technical & operational director in a busy team covering Incident Response, Threat Intelligence and Managed Services.
 
 
 
 
 
NCC Group
Regional Head of Incident Response & Threat Intelligence
NCC Group
May 2014 – August 2019 UK
Responsible for leading a team of cyber security specialists, providing incident response & threat intelligence services to clients.
 
 
 
 
 
UK Government
Cyber Security Specialist
UK Government
August 2005 – April 2014 UK
Various roles, including technical research, vulnerability management, and incident response for the Critical National Infrastructure.

Recent Posts

Updating HP enterprise SSD firmware on Debian
I recently bought two used HP enterprise SSDs for VM storage on Proxmox. These are rebranded Intel drives, the specific ones I bought are designed for read intensive workloads because that’s what was available second hand.
David Cannings
Feb 9, 2025 7 min read Computing
cloudflared on Debian with Ansible
Today I wanted to make a web service internet facing without exposing the origin server. Cloudflare offers cloudflared, a tool that tunnels traffic from the origin server to Cloudflare’s network. This gives the benefit of Cloudflare’s protection.
David Cannings
Sep 21, 2024 1 min read Computing
Servicing a Chamsys PC Wing
After months of searching I managed to purchase a used Chamsys PC Wing from eBay at a good price. Described as “owned from new by a nightclub venue” and “cosmetically very poor” it was sold as not working.
David Cannings
Aug 26, 2024 3 min read Electronics
An interesting Callisto YARA rule
Yesterday Félix Aimé posted on X (formerly known as Twitter) a neat YARA rule to detect PDF documents. Tweet by @felixaime These documents relate to the Callisto group, which is attributed to the Russian FSB by various Western intelligence agencies.
David Cannings
Jun 26, 2024 9 min read Computing
Testing Magika

Google recently announced the release of Magika, an “AI-powered file-type identification system”. I tested this on a corpus of nearly 125k files to see how it fared.

David Cannings
Mar 24, 2024 9 min read Computing
See all posts

Pages

Measuring PIC Vdd with no external components using the FVR

Microchip’s Application Note AN1333 hints at a useful technique for measuring the Vdd of a PIC using only the internal Fixed Voltage Reference (FVR) module.

This page explores how to use this for a rough measurement of the current Vdd, saving pins and reducing complexity.

Electronics
The ST7565 display controller

This page covers the theory of using a graphic LCD based on the ST7565 controller. These are widely available with popular sizes of 132x32 and 128x64, a number cost below £10.
Electronics
Networking UML using bridging
Archived content - preserved for historical purposes. This HOWTO covers connecting User-mode Linux sessions to a physical network by means of the 802.1d Ethernet bridging support available in the Linux kernel.
Computing

Projects

*
All Electronics PCBs Computing Graphics Archived
Kart Timing Mk1
A basic kart timing system, built from scratch
Kart Timing Mk1
PCB0001 - 18F breakout
A PIC 18F breakout board, suitable for prototyping
PCB0001 - 18F breakout
PCB0003 - Breadboard supply
A 5v / 3.3v breadboard power supply circuit
PCB0003 - Breadboard supply
PCB0006 - RFM12 breakout
A breakout for the popular RFM12 radio module
PCB0006 - RFM12 breakout
PCB0002 - LED matrix
A simple 8x8 LED matrix, with a cute ghost :)
PCB0002 - LED matrix
Eagle library
Some useful components for Cadsoft Eagle
Eagle library
GNU Screen Config
A tabbed setup for screen (archived content)
GNU Screen Config
Nautical signal flags
Free flags for use in projects (SVG / PNG / ICO formats available)
Nautical signal flags
VB6 RichTextBox control
Extending VB6 controls with the Win32 API (archived content)
VB6 RichTextBox control
VB6 reverse DNS
Obtaining PTR records using Visual Basic 6 (archived content)
VB6 reverse DNS
MOTD maker
Easily create coloured MOTD messages (archived content)
MOTD maker
ROT Util
The Caesar cipher in a simple Windows GUI (archived content)
ROT Util

Featured Publications

Ahmed Zaki, David Cannings
April, 2017 NCC Group
Red Leaves malware analysis

This technical note discusses a relatively undocumented implant used by the APT10 group. This is named “Red Leaves” after strings found in the malware. The sample discussed was found during an incident response engagement in March 2017. The earliest evidence obtained shows it has been in use since at least November 2016.
PDF Project Signatures
David Cannings
April, 2016 By NCC Group
Sakula DLL planting analysis

This technical note discusses a version of Sakula uploaded to VirusTotal on the 25th April 2016. The sample initially looked interesting as it uses a signed Kaspersky binary to load itself, presumably to avoid UAC.
PDF Project Signatures
David Cannings
June, 2014 NCC Group
Extracting the payload from a CVE-2014-1761 RTF document

In March Microsoft published security advisory 2953095, detailing a remote code execution vulnerability in multiple versions of Microsoft Office (CVE-2014-1761). A Technet blog was released at the same time which contained excellent information on how a typical malicious document would be constructed. NCC Group’s Cyber Defence Operations team used the information in the Technet blog to identify a malicious document within our malware zoo that exploited this vulnerability which appears to have been used in a targeted attack. In this blog we show one method of analysing the shellcode manually to extract the payload.
Original blog Local mirror

Recent Publications

Quickly discover relevant content by filtering publications.
David Cannings (2020). Essential skills for working in incident response. CREST.

Video

David Cannings (2014). Automating IOC extraction from malware. NCC Group.

Project Slides

David Cannings (2014). Understanding ransomware. NCC Group.

PDF Project

Popular Topics

Annoyances Apt Archived Bugs Computing Dogm Dspam Eagle Electronics Glcd Horde IPhone Linux Pcb Pcbs Perl Reverse Engineering Security St7565 Website