A coffee with… Kieran Human, special projects engineer, ThreatLocker


April 17, 2025    7 Minutes Read


Kieran Human is a special projects engineer at ThreatLocker, a Zero Trust cybersecurity solutions firm. With a keen mind for threats that often fly under the radar, Human is at the front line of researching and evaluating emerging attack vectors—particularly those that use everyday hardware in unexpected ways.

Originally from Australia, Human now calls Orlando home. He holds a master’s degree in cyber security and privacy from the University of Central Florida, where his research explored the complex interplay between cryptocurrencies and cybercrime.

At ThreatLocker, he contributes to white papers, helps shape new product directions, and leads seminars that straddle the cutting edge of practical cyber awareness.

He’s particularly focused on physical vector attacks—like Rubber Duckies, O.MG cables, and WiFi Pineapples—that can infiltrate networks without users ever clicking a malicious link.

In February, he took the stage at ThreatLocker’s Zero Trust World (ZTW) conference in Orlando, where he ran hands-on hacking labs and demonstrated exactly how these seemingly innocent tools can be leveraged to bypass defences and compromise systems.

Over a thousand attendees left his sessions not just with a better understanding of how cyber threats work—but with the literal tools in hand to test them for themselves.

We caught up with Kieran to talk about his passion for cyber security, what keeps him up at night, and why he takes his coffee like a true Canadian (despite growing up in Perth!).

What do people need to know about rubber duckies?

A rubber ducky looks like a regular USB flash drive, but what it does is act like a keyboard. It mimics human typing—only it types at lightning speed. As soon as it’s plugged into a computer, it can open Notepad, launch PowerShell, and execute a payload that might exfiltrate data, disable antivirus tools, or even encrypt your files.

At Zero Trust World, we showed attendees how easy it is to use one to disable Windows Defender with just a few lines of code. But it’s not all malicious. I used a ducky at ZTW to connect 600 laptops to the WiFi network—we didn’t want to type the password manually into each one. It took me 10 minutes to write a script, and within seconds of plugging each one in, the machines were online.

It’s versatile but limited in the same way a keyboard is—so you need a machine that’s unlocked, even briefly. You can execute an entire attack in two seconds flat if you have the right script. At our labs, we handed out over 1,000 duckies and let people explore data exfiltration and stealth techniques. In the advanced sessions, we got into bypassing Defender, running ransomware simulations—real hands-on stuff.

What are some practical defences against this kind of attack?

It’s tricky, because we don’t apply Zero Trust principles to keyboards—you need those to use a computer. But we can control what happens after the keystrokes begin. Take PowerShell: most users don’t need it, and those who do likely don’t need it to access the internet or every file on their system. With ThreatLocker, you can ringfence it—limit its file and network access to specific folders and URLs. Even if a Ducky script opens PowerShell, it won’t be able to do much damage.

Similarly, we block access to settings pages in Defender. It’s far easier to defend against the behaviour of malware than to try and block every variation of malware itself.

If the attack needs to be physical—plugged in—how does that happen in a secure environment?

People love free stuff. There was a study—by the US government, actually—where they left USBs in parking lots. Over half were plugged into machines. At events, it’s worse. You hand someone a branded USB stick and say “Hey, here’s a free tool or presentation.” That’s all it takes. The script runs in a second. You turn around to grab a coffee and the attack’s over before you’ve taken a sip.

I’ve had people tell me they plan to test their IT team by handing them a USB with a payload and see what happens. It’s a sobering reminder of how easy it is to exploit human trust.

Why is cookie-stealing such a big concern?

Cookies authenticate you to websites. If I can steal your session cookie, I don’t need your username, password, or even your MFA token—I’m just you. I show people four ways to do this in under an hour during the labs. One of the most shocking for attendees is Slack token theft. With that, I can access your messages, bypass MFA, and impersonate you within your organisation.

Can you explain what a WiFi Pineapple is and why it’s dangerous?

A WiFi Pineapple pretends to be a familiar wireless network. Your phone or laptop might auto-connect to “Office WiFi” without realising it’s a rogue access point. Once you connect, the attacker can intercept traffic, harvest credentials, and launch attacks from there.

ThreatLocker’s Cloud Control can help mitigate this. If someone steals your credentials and tries to log in from an unrecognised IP or geolocation, we can block the login or quarantine the session. Even if they get in, they can’t do much.

Are there any other threats we should be aware of?

O.MG cables. They look just like regular mobile phone charging cords, but they’re fitted with hardware that can perform the same functions as a Rubber Ducky. You leave one at an airport, trade show, wherever. Someone picks it up, thinks “Free iPhone cable!” and plugs it in. Now you’ve got control of their device. The best defence? Use a data blocker—those little USB adapters that only allow power through, not data. You can get them for a few quid at any tech shop.

Are these types of attacks usually targeted or more opportunistic?

Mostly opportunistic. Targeted attacks do happen, of course—especially with Advanced Persistent Threats (APTs)—but most cybercrime is about scale. You send a phishing campaign to 100,000 people. If 0.1% fall for it, that’s still a lot of access. Automation has made low-effort, high-reward attacks the norm.

Your master’s thesis explored the link between crypto and cybercrime—what did you find?

I analysed current literature to identify where research was focused, and what was being overlooked. One key finding: certain cryptocurrencies, like Monero, are heavily tied to cybercrime due to their privacy features. One study showed around 5% of Monero in circulation was mined using stolen hardware—cryptojacking, basically.

How do you take your coffee?

Two milks, two sugars. In Canada, that’s called a “double-double.”

Are you Canadian? We’ve been trying to work out your accent…

Ha! No. I’m Australian. But my dad’s South African, my mum’s Irish, I had a posh English speech therapist when I was little, lived in Canada, and now I’m in Orlando. No one can quite place it.

What do you get up to in Orlando when you’re not thinking about cyber threats?

Honestly? I’m a nerd. I mostly play video games with friends. I used to have a Disney annual pass and still hit the UCF chess club from time to time. Maybe a bit of tennis on the weekends. But yeah, I’m usually behind a screen, even in the Sunshine State!
