CESG Certified Professionals
CESG Certified Cyber-Security Consultancy
Company InformationCompany profile
Certifications and qualifications
News and comment <
Why choose BladeSec IA?
Products and ServicesTypical work
Terms and conditions
Latest News & Comment
Comment: 2018/03/01 - Scottish IISP Personal Development Event.
Save the date: 29/03 from 14:00 in Edinburgh.
Unfortunately, we must restrict this to IISP members only so don't register unless you're happy to be caught out if you're not.
More information - when it's available - in the usual place.
Comment: 2018/02/28 - An Apple round up.
Well done lads... well done....
Comment: 2018/02/35 - Huawei and ZTE phones - Update.
One of my very first encounters with a Pan-Government Accreditor was to do with the CAPS approval of firewall manufactured by a well known networking equipment supplier. Seemingly, the device that had been submitted for approval was manufactured in the US. Various hardware revisions had occurred and the new devices were still going out with CAPS approval despite being "Made in China". The PGA concerned also differentiated between China and Taiwan - but this is going back several years.
I always think that it's like the scene on the Russian Space Station in Armageddon.
Comment: 2018/02/17 - Huawei and ZTE phones.
Whilst almost all electronic equipment uses components from the far east, what's so special about Huawei and ZTE? I do recall working with a security consultant that felt that he was unable to use the Huawei mobile phone his employer had given him. What do the CIA, FBI and NSA know? What's less wrong with Samsung, Motorola and BlackBerry Mobile?
The fact remains that it's unlikely to make the blindest bit of difference to Joe Public. None of us are actually as interesting as we think we are!
Comment: 2018/02/16 - BND, DGSE and MI6 meet to discuss international co-operation.
Comment: 2018/02/15 - NCSC announce Russian Military behind NotPetya.
Is anyone for cyber escalation?
Comment: 2018/02/14 - More Apple fails.
The biggest issue is the fact that the source code for the iBoot secure bootloader has been leaked to GitHub. Lawyers have issued a takedown notice. Without conducting extensive analysis, it's difficult to tell how damaging this is. It is for an old version of iOS, but even if it weren't, best practice for devops should keep secrets away from code.
In more bad news, there's a fault with the way that many iDevices render text. Information here.
Comment: 2018/02/13 - Sunset on revolutionary IT.
Following a fairly rocky path, where even the author said it was cancelled, itís been published. Itís been a wonderful trip back to when technology was personal, was simpler and wasnít about assimilating data and tracking you. I thoroughly recommend it as an alternative view of the IBM and Apple dominated history.
And in a very similar vein, here's a book about the downfall of Nokia. I still have used more Nokia phones than any other manufacturer over the years. (Seven Nokia devices from the 7110 to the E72 versus six BlackBerry devices from the 9800 Torch to the KeyONE.)
Comment: 2018/02/11 - Quick media update.
The Guardian are reporting that every NHS trust has failed a cyber security test. Whilst it's not clear what that test is, rumour has it that it's CyberEssentials (or CyberEssentials Plus).
The NHS have always been different when it comes to information security. They don't follow a traditional IA model - at least if you've got a background in anything other than healthcare security.
I've been called upon to respond to a devolved government consultation on improving cyber resilience. It made me laugh as it added nothing to the wider UK scheme, except that it allowed another administration to stand up and say they're doing something positive about cyber-security.
There are two bits that really annoyed me about the consultation:-
The first is that they're mandating all public organisations achieve a minimum baseline of CyberEssentials Plus. They fail to recognise those public sector organisations who do other things that are better or more mature than that baseline such as ISO27001 certification, formal accreditation and even the NPIRMT GIRR. In essence, it's a waste of time and tax payers money.
The other thing that annoys me is the band wagon that certain consultancies have jumped on in order to provide CyberEssentials advice to those public sector organisations. These are being funded by the same devolved government. Look who "owns" the IPR for CyberEssentials. It's a company called IASME. IASME stands for "IA for Small and Medium Sized Enterprises". In the UK, a company is defined as being an SME if it meets two out of three following criteria: It has a turnover of less than £25m; it has fewer than 250 employees; & it has gross assets of less than £12.5m. The main USP of CyberEssentials is that it's largely simple enough for any organisation to do themselves, with the specialist advice being limited to the areas that add real benefit such as the pentest.
Comment: 2018/01/26 - A controversial update on Kaspersky Lab.
Comment: 2018/01/25 - More shockingly poor Apple engineering.
Comment: 2018/01/25 - Domestic Travel Advice 2018 Edition, Issue 1.
Comment: 2018/01/16 - Media roundup.
It would be sod's law that as soon as we published the most recent version of Domestic Travel Advice, the 2018 edition would rock up with very significant changes to the content and layout.
We hope to make it available on the website by the end of the month.
Comment: 2018/01/04 - Spectre and Meltdown CPU flaws.
The major IT vendors have known about this for a wee while now, and were attempting to co-ordinate updates and rumour has it, that it was supposed to be disclosed next week. It appears that The Register broke rank, and published the news early.
The flaw, which has been categorised into three different CVEs, are present because of the way that processors optimize performance. The original research paper for Spectre is here and for Meltdown, here.
The first advice from NCSC was laughable. That said, Iíve seen grown adults who pass themselves off as security professionals struggle to understand the implications of the flaw, with various knee jerk reactions highlighting the performance hit for patched systems. The situation is no-doubt compounded by the mainstream press coverage.
The initial advice from CERT highlighted that these vulnerabilities are unlikely to be entirely patchable.
NCSC eventually produced better advice with links to statements of fact from the various vendors. As an example of the BS surrounding this, The Register analysis of the Intel statement is worth a read.
It would be easy to laugh this off and put your head in the sand, but this is a fundamental flaw in the way that certain microprocessor architectures have been designed. Is it a co-incidence that Intelís CEO Brian Krzanich dumped a load of stock making about $25 million US in the month before the disclosure? Certainly it appears that Intel will be subject to an investigation.
Back in the real world, where do we stand? Having done considerable research, all the vulnerabilities still require a foothold on a compromised machine. Good "cyber-hygiene" will continue to prevent bad things happening.
Comment: 2018/01/03 - Website update.
Comment: 2018/01/01 - Happy New Year!
As usual: That means it's time for our tongue in cheek look at the last twelve months:-