Archived news and comment from 2016.
Please note: Because this is an archive of articles published on the BladeSec IA website in 2016, not all links may work.
Comment: 2016/12/31 - Happy new year.
I know that he'd be the first to say that he wasn't worth the sadness. He was, after all, a very cheery man. However, my maudlin state is a reflection of the impact that he had on my life (and that of my family). It's a reflection of the Tom-shaped gap that's there, that I miss, that I celebrate his memory with a wee bit of self-indulgent sadness.
Comment: 2016/12/27 - Rest in peace.
Comment: 2016/12/24 - Rest in peace.
Comment: 2016/12/24 - Merry Christmas.
Comment: 2016/12/15 - Yahoo - again.
On a more positive note: Assuming you changed your password following the last disclosure, there's probably no need to do it again. Just remember to change your password on sites that you have reused your password for.
Comment: 2016/12/08 - Rest in peace.
That's the Christmas number one sorted out then. People maintain that "that song by The Pogues" is the best Christmas song ever. The fact that nobody remembers the name of The Fairytale of New York clearly shows they're wrong. It's definitely I Believe in Father Christmas.
Comment: 2016/11/20 - Open sesame!
Comment: 2016/11/07 - Tesco Bank's turn.
Comment: 2016/11/02 - NHS ransomware attack.
Update: It appears that the vulnerable system was a clinical IT system that presented an RDP port with either a default or a legacy credential.
Comment: 2016/10/24 - The press is borked.
Am I missing something?
I'm trying - and failing - to think of an analogy.
In this day and age, it's like the cities of Glasgow, Edinburgh, Manchester and Birmingham simultaneously only having intermittent power for a day. (I emphasise "like". The situation is similar.)
As I write, there's more information coming out: it would appear that this is a non-nation-state group (Geez: what if Russia or China had decided to "let go"?) called the New World Hackers.
Some reports suggest that this is an "Internet of Things (IoT)" botnet known as Mirai. Initial analysis suggests that this may only have made up a portion of the actual DDoS traffic. That said, the source code to Mirai was leaked on-line last month, so it's feasible that it's been modified in some way.
The cynic in me would suggest that they didn't choose to take out anything terribly important. But what if they had? The size of the attack suggests that we would have been fairly powerless to do anything about it. We can't even break out the V90 modems to generate a backup peer-to-peer network. Most telephony is IP based these days....
It also reminds me of one of my favourite rules: Just because we can, doesn't mean to say that we should.
Are we so bored of the mundane that we genuinely need IoT kettles, fridges and virtual assistants in the first place? Sell them (quite possibly, literally) as toasters and people abdicate their responsibility. Don't people remember what gave rise to Slammer and Blaster? (People bought Windows XP systems and never actually bothered to patch them. The patch for Blaster was out over a year before it hit.)
Spot the difference.
Comment: 2016/10/21 - The internet is borked.
Seems there's a DDoS being targeted against Dyn.
Comment: 2016/10/20 - The Scottish IISP Inordinately Difficult Security Pub Quiz.
Many thanks to all that came - and we hope you enjoyed it. There will be drinks in the run up to Christmas. We're just in the process of sorting that out.
Finally, if you are an IISP member and can confirm at least one of the following:-
Comment: 2016/10/04 - Government security - two different aspects.
They do have nice offices though, based at Nova near Victoria Station.
Comment: 2016/09/23 - Security in theory and practice.
This is a truly monumental issue. Your e-mail password should be the single password that you choose and store more carefully than any other, including on-line banking passwords. (I say this on the basis that banking is governed by red tape and legalese that generally protects the consumer.) There are no such rights over your e-mail password; and if I have access to that, I can take over and control pretty much any other web account that you have simply by asking for the password to be reset. CERT page here.
Mind you... this goes to show that companies are simply exercising financial due diligence when they fail to secure systems properly. What it doesn't take into account is the cost and personal impact on the individuals who are affected - and in the case of the Yahoo hack, that's a colossal number. It really does beg the question: what's so wrong with the security market when the solution is more expensive than the problem? We've seen the commoditisation of vulnerabilities and attacks; how long can the security industry continue with its smoke and mirrors?
Comment: 2016/09/20 - Upcoming events.
Secondly.... It's time for the Scottish Branch of the IISP to hold their annual Hallowe'en Special - Waxy O'Connor's, Glasgow, Wednesday 19th October, 18:00 until 22:00.
The Scottish Branch of The Institute of Information Security Professionals are delighted to be holding the annual Hallowe'en Special in Glasgow this year, at our usual location of Waxy O'Connors.
Following last year's press-ganging of delegates into reciting scary security stories, this year is going to highlight how little all of us actually know about security, assurance, cyber, digital and horror films. This year we're bringing you:-
There will be a prize for the individual with the highest score, and the answers may, or may not, be used to misrepresent the superiority of IA professionals in Glasgow over Edinburgh.
Following the IDSPQ, the usual socialising and networking shall resume under the watchful gaze of the random people that wander in trying to find a seat.
Once again, the event is open to all information security professionals, whether members of the IISP or not.
Admittance is strictly by pre-registration only. For health and safety reasons you must register, as we have to provide the number of attendees to the venue.
Please note: BladeSec IA Services are administering this event on behalf of the Institute of Information Security Professionals. Any information you provide to BladeSec IA will not be used for any purpose except as required to keep you informed of the event and to help you. Your contact information will be provided to the IISP following the event.
Please register here.
Anybody that's too critical does not understand government. It's like bad winters. It's cyclical. That's why it's actually really difficult for modern government to actually achieve something that's truly, monumentally mind-blowing (or indeed fail epically).
Some people call it checks and balances, others may blame the civil service (as it never changes regardless of who's been elected), but the fact is, modern government keeps making information security decisions. Some are good, some are bad, most are mediocre. I would wager that all are made with the best of intentions, but we only ever hear about the bad ones.
It's easy for the armchair evangelists to point fingers and say, "I said that would happen". How often are these made after "Government IT project overruns" or "HMG IT project cancelled" appear in (alternately) the left- and right-wing press? It's been happening for the last four decades.
It's the same old same old....
Give it five years, and the pendulum will swing back the other way.
Comment: 2016/09/07 - Network snooping on locked machines.
Comment: 2016/09/01 - DropBox have dropped something.
It would also appear that Opera were also hacked.
Comment: 2016/08/31 - Gremlins in the machine.
We'll try to keep a closer eye on things - we know how popular we are in some places.
Comment: 2016/08/25 - Apple iOS flaws.
Apple have released an emergency security update.
Comment: 2016/08/15 - The NSA wouldn't be lying would they?
A couple of days ago, a group called Shadow Brokers claimed to have purloined a significant number of exploits from the Equation Group's servers. Because claims like this are often fake, Shadow Brokers published approximately 40% of their haul on various technical websites. Further analysis of this suggests that the codenames in use are similar to those in the NSA Tailored Access Operations catalogue disclosed by Edward Snowden.
Whilst it could be fake, somebody has gone to an awful lot of effort to make the fraud stand up. But what makes this even more interesting is that, whilst the exploit list targets vulnerabilities in a number of routers and firewalls, both Fortinet and WatchGuard have stated that the vulnerabilities are valid, albeit historic and patched. However, out of two Cisco exploits, Cisco has determined that one of them is indeed a "zero day".
On the balance of probability... could this be from the NSA? Could they be lying about stockpiling vulnerabilities?
CERT-UK page here.
Comment: 2016/08/12 - BladeSec IA and the CESG Cyber Security Consultancy
As BladeSec IA's Principal Government Advisor, I raised the ante by certifying in two senior roles in 2014 (Security and Information Risk Advisor and also Accreditor). I was even one of the minuscule number of consultants who elected to become a full member of CLAS in 2014/2015 rather than just an Associate. At the time, we placed a great deal of importance on many of the things it gave us.
So...CESG launched the CESG Cyber Security Consultancy scheme. We had largely predicted what it was going to ask for, and we had an application ready to submit. Indeed, we had been speaking to CESG and had expected to become one of the first Scottish consultancies certified in this way.
What happened next is not for repeating in a public forum. What I can say is that my opinion changed. A very strong question formed in my mind as to whether CESG had ever intended their new scheme to be relevant for SME organisations. It was a bit of a bombshell when it hit me, as I had been sanctioning year-on-year improvements to meet on-going CESG requirements.
Leap forward almost 12 months, and we're seeing another grass roots review of CESG schemes - including CCP - and that's needed to underpin the cyber security consultancy. So I'm still hanging fire before making my application - and the longer I wait, the longer I wonder whether I'll need it, because:-
Comment: 2016/08/08 - Android flaws.
Last year, I took delivery of a BlackBerry PRIV. Whilst I like the slider form factor, I didn't like the size - it's just too big. Thing is.... Regardless of all that... BlackBerry are pushing out Android patches faster than Google are to their own Nexus devices.
Patching is critical on any device - and manufacturers need to be clearer about their maintenance and support cycle. This makes for interesting reading.
News: 2016/07/05 - BladeSec IA awarded Cyber Essentials and IASME Certifications.
The IASME standard was developed over several years during a Technology Strategy Board funded project to create an achievable cyber security standard for small companies. The IASME standard is written along the same lines as ISO27001, but specifically for small companies. The gold standard of IASME demonstrates baseline compliance with the international standard. The IASME standard, at a realistic cost, allows the SMEs in a supply chain to demonstrate their level of cyber security and that they are able to properly protect their customers' information.
Cyber Essentials was developed as part of the UK's National Cyber Security Programme and is supported by both government and industry to help organisations implement basic levels of protection against cyber attack, demonstrating to their customers that they take cyber security seriously. The Cyber Essentials scheme identifies five basic security controls that, when properly implemented, will help to protect against unskilled internet-based attackers using commodity capabilities - which are freely available on the internet.
BladeSec IA Director Owen Birnie highlighted the success of the company. "We're delighted to have been certified against the IASME and Cyber Essentials standards for two years in a row now. And for the first time", he added, "with no minor non-conformities. It clearly demonstrates the epic amounts of governance at the very core of how we operate our business."
Comment: 2016/06/24 - Independence day?
As with all these things, it's a double-edged sword. The sheer uncertainty of the next period is undoubtedly going to damage business and the economy, but equally, the requirement to deliver replacement services (such as new passports) will help to marginally lessen the impact.
In terms of security and intelligence, it remains to be seen whether this will lead to an improvement or not. I think it's fair to say that Gibraltar must be feeling very, very vulnerable at the minute. It does not take much of a leap of faith to see Spain simply closing the border.
There remain a number of questions over the protection of personal data. The existing Data Protection Act recognised universal controls throughout Europe. Will there be an immediate repatriation of off-shored data? What about the preparation for the General Data Protection Regulation? It could be argued that this approach is more business friendly, but it's feasible that the governance (and hence the required security controls) will be significantly weaker.
I think it's fair to say that there will be interesting times ahead - and that we'll all need to be brave.
Comment: 2016/06/22 - Social networking.
Whilst this new research is an analysis of American employees, it still makes for interesting reading. I've long argued that organisations are unable to interfere with what an individual does in their private life - and that includes what they say on social media - but clearly, there are some aspects that significantly call into question the fealty that an employee has to their employer.
Once again, we're highlighting an area where security is not an appropriate tool to leverage control. This remains a cultural thing. (And for the avoidance of doubt, I still have no idea why anybody wants to give every little bit of data about themselves to a private sector organisation to mine.)
Comment: 2016/06/09 - Update from IISP meeting.
It all seemed rather fitting given that it marked our first birthday since the Scottish Branch had been rebooted.
The talks were all brilliant:-
As I said last night, we've nothing firm planned for the group, but please keep an eye on Pulse, IISP e-mails and our usual EventBrite page for more information when it becomes available. It's going to be a busy last six months of the year!
- Owen Birnie - Chair of the Scottish Branch of the IISP.
News: 2016/05/25 - Scottish Branch meeting of the IISP.
Whilst the popularity of the debate was almost universal, we've managed to line up a few interesting speakers (volunteers, no less) who have all agreed to endure "ten minute conversations without PowerPoint". The topics are:-
Admittance is strictly by pre-registration only. For Health & Safety reasons you must register, as we have to provide the number of attendees to the venue.
Please register here.
Hope to see you there.
Comment: 2016/04/25 - More on the QuickTime situation.
Comment: 2016/04/20 - Media round up.
I had cause to send some money to a friend - something that should be free according to PayPal, but I was stung for a credit card fee. Despite speaking to five different PayPal members of staff, they were unable to set up the card as a debit card and not a credit card. They blamed my bank and told me to speak to them.... Err.... No....
This is a brilliant scam that they don't seem too keen on fixing.... And is why PayPal has now gone the way of eBay....
Comment: 2016/03/30 - FBI versus Apple.
The fact remains that there was a huge amount of smoke and mirrors being thrown about by people who are unqualified to comment. The whole situation was incredibly polarising. I don't share the opinion that Apple consider themselves to be "unhackable" or "above the law". However, I'm not in the least bit surprised that there is an organisation that is able to get into a locked iPhone 5C. It's not running the most recent version of iOS, so there are always going to be flaws. (Whilst some may suggest that it's anti-Apple, I would suggest that the iPhone was produced to allow Apple to sell more music and monetise the "apps" run on smartphones. It wasn't an enterprise-class communications service and, as such, it introduced another layer of complexity to what is already a fairly intricate technology - that of the smartphone.)
Whether or not Apple complied with the FBI request to open one iPhone isn't the argument. (And needless to say, all the baggage that went with that request.) Those that insist that privacy is an uncompromisable tenet of modern life are wrong. As are those that believe that technology companies should allow backdoors to be installed into their products to help prevent terrorism or crime.
On the one side, the main argument appears to be that we should strive to have absolute security because that prevents its exploitation by third parties. Indeed, we saw the feature creep of ID cards during WW2 - why should technology be any different? The irony that many (but not all) in the privacy camp continue to post every snippet of their lives to social media, or allow their web searches to be collated and analysed by the search engine, highlights a discrepancy. Even those that don't do it often miss the tranche of useful information that can be gleaned from the meta-data associated with their activities. Surely this information requires protection too? Either way, there is no such thing as perfect security. As long as we continue to build security products, they will have flaws, because we're not perfect.
The other camp counter with examples of terrorism and crime and say, "encryption let that happen"; we need to have an absolute trust in the powers that be to protect society. They insist that the bar for accessing private, personal information be set lower. The answer to that is similar. We're flawed and, fundamentally, power corrupts - especially in modern society - and I've lost count of the times that I've been involved in professional investigations featuring trusted staff who all perverted their employer's information or computational resources for their own gain.
Whilst we're on the topic, if we're going to backdoor technology because it helps keep people safe, then why stop there? Why not ban cigarettes, cars, hippos and prohibit people going out in thunderstorms? Statistically, they are more likely to kill you than terrorism. If you factor in firearms, rugs on polished floors, nails, young male drivers, hammers and stupidity, then we'd save the lives of tens of thousands every year.
I'm afraid that neither polar opinion works in my view. No. As with all things, compromise is the order of the day - and that's a bigger issue than the very binary opinions expressed by many so far....
The real difficulty is: How do we structure society (because this is a cultural thing) to accommodate that middle ground with appropriate checks and balances? I'd suggest that's damn near impossible, but until we solve that one, we're destined to live in an imperfect society.
Comment: 2016/03/22 - We are not afraid.
News: 2016/03/09 - IISP Fellowship Award.
Late last year, Owen was nominated by industry legend and original Fellow, Peter Fischer. Following an interview where Owen was required to demonstrate his achievements, contributions and commitments, the IISP Accreditation Committee promoted him from a Full Member to a Fellow. This means that Owen joins the ranks of only sixteen other industry luminaries who have had their eminence, authority and seniority recognised as excelling in the field of information security.
Owen marked his award by appearing on a panel at The IISP Congress where the topic was, "Why are we so emotional in security?!". The panel debated several thought-provoking points, and whilst there were many strong opinions, the discussion was good-natured and interesting. It highlighted that there is still much to do in the field of information security. Owen felt that the particular highlight for him was Andrea Simmons linking the IISP Code of Ethics with a specific form of marketing popular at conferences. (Get all the vendors to stamp your card to enter a draw to win something!)
Speaking about his award, Owen said, "In my professional career, I've achieved lots of things, including some firsts, that other people have been proud of for me, but this is the first time that I can say that I am proud of me!"
The award rounded off a busy week for Owen, which kicked off with meeting students and lecturers at the Scottish Cyber Security Insight Camp being run by The Cyber Security Challenge. It was notable, as it marked Owen's first public appearance on social media.
News: 2016/02/18 - Scottish IISP Branch update and save the dates.
This gathering saw the return of the "ten minute talks without PowerPoint":-
We would like to extend our thanks to the speakers and delegates who attended our first meeting of 2016 and in line with our on-going firsts, we can provide the dates and locations of the next two meetings:-
Finally, just a reminder that there was a call for volunteers to assist in organising events within the Scottish Branch. There is no requirement for you to be a member of the IISP, however there is an expectation that you would become an associate in the time you are working with The Institute. The benefit to you is that you will have access to full members of The Institute who would be delighted to help you with your application. Please e-mail here for more information.
Comment: 2016/02/03 - Safe Harbour is dead. Long live Privacy Shield.
Comment: 2016/02/02 - Crypto and meta-data.
Interestingly, CESG have responded. That must be a first.
I would argue that there continues to be at least one notable, residual flaw with CESG's standard - specifically the fact that it identifies the handset rather than the user. Should the user be permitted to implement a sub-standard passcode, or should an attacker compromise it somehow (by videoing it, for example), then any call set up will be secure (within reason), but not necessarily from the authorised user - exactly the same as a normal phone.
Comment: 2016/01/15 - Media update....
If you were to state which software had the most vulnerabilities last year, the chances are you'd be wrong. It's Apple's OS X, with 384 patched vulnerabilities. In second position is Apple's iOS, with 375 patched vulnerabilities. Mind you, the report does prove that there are lies, damn lies and statistics....
Comment: 2016/01/11 - IISP Updates....
Secondly, the first Scottish IISP Branch meeting of the year is occurring the following week in Glasgow on 10th February. We're returning to Waxy O'Connors near Queen Street Station again. For tickets and more information, please see here.
Finally, the Scottish IISP Branch is delighted to be assisting in the first Scottish Cyber Security Insight Camp being run by The Cyber Security Challenge. For more information, click here.
Comment: 2016/01/01 - Happy New Year!
That means that it's time for our irreverent look at the last twelve months:-