Latest News & Comment

Comment: 2016/12/31 – Happy new year.
It's that time of the year where everybody gets very reflective. In truth, this year, I don't feel very much like celebrating. I do actually feel quite down as this year marked the first time in my life that I lost a friend, Tom Murray. Coming from a big family, with representatives all over the world, I grew up knowing about funerals, but when Tom went, he was the first friend that I had ever lost. And tonight, I feel quite sad that he's not here.

I know that he'd be the first to say that he wasn't worth the sadness. He was, after all, a very cheery man. However, my maudlin state is a reflection of the impact that he had on my life (and that of my family). It's a reflection of the Tom-shaped gap that's there, that I miss, that I celebrate his memory with a wee bit of self-indulgent sadness.

Comment: 2016/12/27 – Rest in peace.
Carrie Fisher: October 1956 to December 2016.

Comment: 2016/12/24 – Rest in peace.
Rick Parfitt, OBE: October 1948 to December 2016.

Comment: 2016/12/24 – Merry Christmas.
We're not at BladeSec towers today... we're away.... but wherever you are, we hope you have a very merry Christmas.

Comment: 2016/12/15 – Yahoo - again.
Yahoo has let go again. Over a billion accounts have been compromised this time in a hack that dates from 2013. This is earlier than - and different from - the hack disclosed in September that only compromised half a billion accounts in 2014.

On a more positive note: Assuming you changed your password following the last disclosure, there's probably no need to do it again. Just remember to change your password on sites that you have reused your password for.

Comment: 2016/12/14 – Malware calling home.
Doctor Web has discovered that firmware in certain mobile phones is sending data back to China.

Comment: 2016/12/08 – Rest in peace.
Greg Lake: November 1947 to December 2016.

That's the Christmas number one sorted out then. People maintain that "that song by The Pogues" is the best Christmas song ever. The fact that nobody remembers the name of The Fairytale of New York clearly shows they're wrong. It's definitely I Believe in Father Christmas.

Comment: 2016/11/20 – Open sesame!
In a continuation of an attack style we reported on in September, there comes PoisonTap. This is very much more intelligent with a number of available escalating exploits.

Comment: 2016/11/07 – Tesco Bank’s turn.
This is not good.

Comment: 2016/11/02 – NHS ransomware attack.
Hot on the heels of the Dyn DNS attack, the press has more widespread coverage of a virus incident at an NHS Trust. There is considerable speculation that this is a ransomware attack. Regardless of the cause, this proves that the cyber world can affect the physical world. Whilst the fallout is still being assessed, it is obvious that the Trust (and indeed a neighbouring one that shares some clinical systems) has cancelled elective operations and many outpatient appointments.

Update: It appears that the vulnerable system was a clinical IT system that presented an RDP port either with a default or legacy credential.

Comment: 2016/10/24 - The press is borked.
Okay..... Some bad people managed to knock out "normal" access to swathes of the most popular sites on the internet... and this isn’t headline news?

Am I missing something?

I'm trying - and failing - to think of an analogy.

In this day and age, it’s like the cities of Glasgow, Edinburgh, Manchester and Birmingham simultaneously only having intermittent power for a day. (I emphasise “like”. The situation is similar.)

As I write, there’s more information coming out: It would appear that this is a non-nation state (Geez: What if Russia or China had decided to “let-go”?) group called the New World Hackers.

Some reports suggest that this is an “Internet-of-Things (IoT)” botnet known as Mirai. Initial analysis suggests that this may only have made up a portion of the actual DDoS traffic. That said, the source code to Mirai was leaked on-line last month so it’s feasible that it’s been modified in some way.

The cynic in me would suggest that they didn’t choose to take out anything terribly important. But what if they had? The size of the attack suggests that we would have been fairly powerless to do anything about it. We can’t even break out the V90 modems to generate a backup peer to peer network. Most telephony is IP based these days….

It also reminds me of one of my favourite rules: Just because we can, doesn’t mean to say that we should.

Are we so bored of the mundane, that we genuinely need IoT kettles, fridges and virtual assistants in the first place? Sell them (quite possibly, literally) as toasters and people abdicate their responsibility. Don’t people remember what gave rise to Slammer and Blaster? (People bought Windows XP systems and never actually bothered to patch them. The patch for Blaster was out over a year before it hit.)

Spot the difference.

Comment: 2016/10/21 - The internet is borked.
Sitting watching Fast 6 with my lad, and he's moaning that he can't get onto Gumtree to look for a new "project car". Interestingly, the traditional sources of news were fairly slow off the mark, but the good old BBC were there.

Seems there's a DDoS being targeted against Dyn.

Comment: 2016/10/20 – The Scottish IISP Inordinately Difficult Security Pub Quiz.
Congratulations to Tony Kelly for winning – by half a point. And thanks to Alun Macglinchey for being a gentleman and withdrawing.... We’d never have heard the last of it if Tony hadn’t won and that’s just because Lisa got more points than him in the horror round….

Many thanks to all that came – and we hope you enjoyed it. There will be drinks in the run up to Christmas. We’re just in the process of sorting that out.

Finally, if you are an IISP member and can confirm at least one of the following:-

  • That you reside in Scotland;
  • That you work in Scotland;
  • That you have an interest in the dealings of the Scottish Branch of the IISP;
  • That you attend IISP branch meetings in Scotland; and / or
  • You are employed by The Institute.
Then please contact me to arrange access to the IISP Scotland mailing list. In general, if you are listed on the members’ directory, then adding you won’t be a problem, otherwise I’ll need to confirm with the Central Office. Please do not send me a scan of your certificate.

Comment: 2016/10/04 - Government security - two different aspects.
On the day that the new National Cyber Security Centre (NCSC) opens, Reuters reports that Yahoo (who are still in the news regarding their colossal hack) were searching all their customers' incoming e-mails for search terms defined by the NSA or FBI.

One sounds like a James Bond plot, and the other sounds like they’ve been taking lessons from the old Labour Party.

They do have nice offices though, based at Nova near Victoria Station.

Comment: 2016/09/23 - Security in theory and practice.
The news is rife with information of an epic Yahoo breach. I was genuinely surprised how popular the site remains and then I realised: They've been providing e-mail services to ISPs such as Sky and BT for several years now.

This is a truly monumental issue. E-mail passwords should be the single password that you choose and store more carefully than any other including on-line banking passwords. (I say this on the basis that banking is governed by red-tape and legalese that generally protects the consumer.) There are no such rights over your e-mail password; and if I have access to that, I can take over and control pretty much any other web account that you have simply by asking for the password to be reset. CERT page here.

Mind you... this goes to show that companies are simply exercising financial due diligence when they fail to secure systems properly. What it doesn't take into account is the cost and personal impact on the individuals who are affected - and in the case of the Yahoo hack, that's a colossal number. It really does beg the question: what's so wrong with the security market when the solution is more expensive than the problem? We've seen the commoditisation of vulnerabilities and attacks; how long can the security industry continue with its smoke and mirrors?

Comment: 2016/09/20 - Upcoming events.
First off, whilst it is very late, Owen Birnie is attending the International Conference on Cryptography and High Performance Computing at Edinburgh Napier University’s Cyber Academy, representing The Institute of Information Security Professionals.

Secondly…. It’s time for the Scottish Branch of the IISP to hold their annual Hallowe’en Special – Waxy o’Connor’s, Glasgow, Wednesday 19th October, 18:00 until 22:00.

The Scottish Branch of The Institute of Information Security Professionals are delighted to be holding the annual Hallowe'en Special in Glasgow this year, at our usual location of Waxy O’Connors.

Following last year's press-ganging of delegates into reciting scary security stories, this year is going to highlight how little all of us actually know about security, assurance, cyber, digital and horror films. This year we’re bringing you:-

The Inordinately Difficult Security Pub Quiz. (The IDSPQ.)

The questions for the IDSPQ are being generated by some of the finest IA brains in Europe (and some not so fine – and, in terms of the horror film round, it’s a pretty mediocre brain, being honest!)

There will be a prize for the individual with the highest score and the answers may, or may not be used to misrepresent the superiority of IA professionals in Glasgow over Edinburgh.

Following the IDSPQ, the usual socialising and networking shall resume under the watchful gaze of the random people that wander in trying to find a seat.

Once again, the event is open to all information security professionals, whether members of the IISP or not.

Admittance is strictly by pre-registration only. For health and safety reasons you must register, as we have to provide the number of attendees to the venue.

Please note: BladeSec IA Services are administrating this event on behalf of the Institute of Information Security Professionals. Any information you provide to BladeSec IA will not be used for any purpose except as required to keep you informed of the event and to help you. Your contact information will be provided to the IISP following the event.

Please register here.

Comment: 2016/09/15 - National Audit Office report on Protecting information in government.
The report (summary and press release) makes for very uncomfortable reading for some.

Anybody that's too critical does not understand government. It's like bad winters. It's cyclical. That’s why it’s actually really difficult for modern government to actually achieve something that’s truly, monumentally mind-blowing (or indeed fail epically).

Some people call it checks and balances, others may blame the civil service (as it never changes regardless of who’s been elected), but the fact is, modern government keeps making information security decisions. Some are good, some are bad, most are mediocre. I would wager that all are made with the best of intentions, but we only ever hear about the bad ones.

It’s easy for the armchair evangelists to point fingers and say, "I said that would happen". How often are these made after “Government IT project overruns” or “HMG IT project cancelled” appear in (alternatively) the left and right wing press? It’s been happening for the last four decades.

It’s the same old same old....

Give it five years, and the pendulum will swing back the other way.

Comment: 2016/09/07 - Network snooping on locked machines.
Fascinating. And slightly scary....

Comment: 2016/09/01 - DropBox have dropped something.
Doh! If only it were that simple, but the real time-intensive issue is where people have used the same User ID / Password combination on a variety of other websites... In summary, you'd better go and change all those passwords too.... Good luck remembering....

It would appear that Opera were also hacked.

Comment: 2016/08/31 - Gremlins in the machine.
We’re sorry that updates to this website haven't been percolating through. This did happen once before, and the prescribed fix clearly didn’t.

We’ll try to keep a closer eye on things – we know how popular we are in some places.

Comment: 2016/08/25 - Apple iOS flaws.
Researchers with Citizen Lab and Lookout report that three separate iOS exploits are being chained together to provide extensive access to an infected Apple device. The exploit, which is triggered by visiting a trojaned webpage, has been called "Trident", and appears to be state-sponsored grade malware that is being used to target activists and reporters.

Apple have released an emergency security update.

Comment: 2016/08/15 - The NSA wouldn’t be lying would they?
Last year, Kaspersky linked the NSA to the Equation Group.

A couple of days ago, a group called Shadow Brokers claimed to have purloined a significant number of exploits from the Equation Group’s servers. Because claims like this are often fake, Shadow Brokers published approximately 40% of their haul on various technical websites. Further analysis of this suggests that there are similar codenames in use to the NSA Tailored Access Operations catalogue, disclosed by Edward Snowden.

Whilst it could be fake, somebody has gone to an awful lot of effort to make the fraud stand up. But what makes this even more interesting is that whilst the exploit list covers vulnerabilities in a number of routers and firewalls, both Fortinet and WatchGuard have stated that the vulnerabilities are valid, albeit historic and patched. However, out of the two Cisco exploits, Cisco has determined that one of them is indeed a “zero day”.

On the balance of probability... could this be from the NSA? Could they be lying about stockpiling vulnerabilities?

Wow!

CERT-UK page here.

Comment: 2016/08/12 – BladeSec IA and the CESG Cyber Security Consultancy.
CLAS was killed off in 2015 with the last memberships (ironically, due to people failing to maintain the necessary certifications) expiring in January this year. CLAS, in effect "licenced" an individual rather than an organisation, and in the last few years, it had placed increasing importance on CCP roles.

As BladeSec IA’s Principal Government Advisor, I raised the ante by certifying in two senior roles in 2014 (Security and Information Risk Advisor and also Accreditor). I was even one of the minuscule number of consultants who elected to become a full member of CLAS in 2014/2015 rather than just an Associate. At the time, we placed a great deal of importance on many of the things it gave us.

So... CESG launched the CESG Cyber Security Consultancy scheme. We had largely predicted what it was going to ask for, and we had an application ready to submit. Indeed, we had been speaking to CESG and had expected to become one of the first Scottish consultancies certified in this way.

What happened next is not for repeating in a public forum. What I can say is that my opinion changed. There formed a very strong question in my mind, whether CESG had ever intended their new scheme to be relevant for SME organisations. It was a bit of a bombshell when it hit me as I had been sanctioning year on year improvements to meet on-going CESG requirements.

Leap forward almost 12 months, and we’re seeing another grass-roots review of CESG schemes – including CCP – and that’s needed to underpin the cyber security consultancy. So I’m still hanging fire before making my application – and the longer I wait, the longer I wonder whether I’ll need it, because:-

  • I’m still CCP, indeed I assess others’ suitability for CCP.
  • I still have a security clearance (indeed, I’m undergoing a renewal right now).
  • I still have access to CESG information – even the classified material, as I still have access to the IAP Portfolio (although there’s very little new material there now). Whilst much of CESG’s new guidance is appearing on the internet rather than closed websites, I’m a member of the UK CERT hosted on CiSP – so I still get information that way too.
  • I’m still a significant part of the Accreditor Community; indeed, I’m in Whitehall more regularly to share information than I was when I was CLAS – and that information is better quality.
  • The costs associated with going CESG certified would add between £60 and £80 per day to my baseline rate simply for access to threat information that I already have access to (and indeed compose on behalf of one of my customers), and marketing (I would appear on the CESG website).
  • From the customer perspective, the governance in place for the CESG cyber scheme mandates that it be “run” by a Senior or Lead CCP in the engaging commercial organisation. There is little doubt in my mind, that as soon as they win a piece of work under the auspices of the cyber scheme, that senior (or lead) will evaporate and the work will be carried out by a lesser mortal. So again, with me, I’m a known quality and quantity. BladeSec IA only ever deliver projects with Senior or Lead CCPs.
I’m afraid that I remain to be convinced of the value of the new consultancy scheme. But all that said, if it became beneficial, I would dust off our old application and get it submitted. Realistically, with “Official” space moving towards commercial security levels, I don’t think it’s going to happen.

Comment: 2016/08/08 - Android flaws.
The press is full of information about "QuadRooter". CERT-UK page here. (And this comes off the back of vulnerabilities in the Linux kernel used by most flavours of Android.)

Last year, I took delivery of a BlackBerry PRIV. Whilst I like the slider form factor, I didn’t like the size – it’s just too big. Thing is.... Regardless of all that... BlackBerry are pushing out Android patches faster than Google are to their own Nexus devices.

Patching is critical on any device – and manufacturers need to be clearer about their maintenance and support cycle. This makes for interesting reading.

News: 2016/07/05 - BladeSec IA awarded Cyber Essentials and IASME Certifications.
BladeSec IA are delighted to announce that they have successfully been certified against the Information Assurance for Small to Medium-sized Enterprises (IASME) Standard and also Cyber Essentials, both for the second year running.

The IASME standard was developed over several years during a Technology Strategy Board funded project to create an achievable cyber security standard for small companies. The IASME standard is written along the same lines as ISO27001 but specifically for small companies. The gold standard of IASME demonstrates baseline compliance with the international standard. The IASME standard, at a realistic cost, allows the SMEs in a supply chain to demonstrate their level of cyber security and that they are able to properly protect their customers' information.

Cyber Essentials was developed as part of the UK’s National Cyber Security Programme and is supported by both government and industry to help organisations implement basic levels of protection against cyber attack, demonstrating to their customers that they take cyber security seriously. The Cyber Essentials scheme identifies five basic security controls that, when properly implemented, will help to protect against unskilled internet-based attackers using commodity capabilities – which are freely available on the internet.

BladeSec IA Director, Owen Birnie highlighted the success of the company. "We’re delighted to have been certified against the IASME and Cyber Essentials standards for two years in a row now. And for the first time", he added, "with no minor non-conformities. It clearly demonstrates the epic amounts of governance at the very core of how we operate our business.”

Comment: 2016/06/24 - Independence day?
Once again, the British people have voted on a monumentally important facet of life and we have chosen to leave the European Union.

As with all these things, it’s a double-edged sword. The sheer uncertainty of the next period is undoubtedly going to damage business and the economy, but equally, the requirement to deliver replacement services (such as new passports) will help to marginally lessen the impact.

In terms of security and intelligence, it remains to be seen whether this will lead to an improvement or not. I think it’s fair to say that Gibraltar must be feeling very, very vulnerable at the minute. It does not take much of a leap of faith to see Spain simply closing the border.

There remain a number of questions over the protection of personal data. The existing Data Protection Act recognised universal controls throughout Europe. Will there be an immediate repatriation of off-shored data? What about the preparation of the General Data Protection Regulation? It could be argued that this approach is more business friendly, but it’s feasible the governance (and hence the required security controls) will be significantly weaker.

I think it’s fair to say that there will be interesting times ahead – and that we’ll all need to be brave.

Comment: 2016/06/22 - Social networking.
In January, a colleague from the National Crime Agency showed me this YouTube video. It’s well known that neither I, nor BladeSec IA have any social media presence, but I do think that the video makes a statement (and part of that is down to the music, Febelfin by Gregory Caron).

Whilst this new research is an analysis of American employees, it still makes for interesting reading. I’ve long argued that organisations are unable to interfere with what an individual does in their private life – and that includes what they say on social media – but clearly, there are some aspects that significantly call into question the fealty that an employee has to their employer.

Once again, we’re highlighting an area where security is not an appropriate tool to leverage control. This remains a cultural thing. (And for the avoidance of doubt, I still have no idea why anybody wants to give every little bit of data about themselves to a private sector organisation to mine.)

Comment: 2016/06/09 - Update from IISP meeting.
I think that it’s fair to say that last night’s meeting was the best we have held north of the border. Not only were the speakers all volunteers from the last meeting held in Glasgow, but this gathering saw the biggest turn-out of members ever, with several faces appearing for the first time.

It all seemed rather fitting given that it marked our first birthday since the Scottish Branch had been rebooted.

The talks were all brilliant:-

  • Karen Jackson-Morris provided an update from the Accreditation Specialism Advisory Group. She highlighted the work that was being undertaken to address the Transforming Government Security Review.
  • Next, Alastair Rennie, provided some anecdotes from his work using social engineering. As one of my clients is away to engage in this, it proved very timely, and very interesting – especially his views on dealing with the fallout of the event with senior management.
  • Finally, Simon Leila, provided an insight into his experience of a trade mission to Israel. In his talk, he highlighted the main differences in security research and development between the UK and Israel as well as providing some wonderful anecdotes of his time there.
Despite the closure of Queen Street station, I was even surprised by the number of people who ventured across from Edinburgh to support the event – no doubt swayed on by the stunning weather.

As I said last night, we've nothing firm planned for the group, but please keep an eye on Pulse, IISP e-mails and our usual EventBrite page for more information when it becomes available. It's going to be a busy last six months of the year!

- Owen Birnie – Chair of the Scottish Branch of the IISP.

News: 2016/05/25 - Scottish Branch meeting of the IISP.
Having debated the finer points of Apple versus FBI in Edinburgh, The Institute of Information Security Professionals are returning to the comfortable familiarity of The Library at Waxy O'Connors, Glasgow.

Whilst the popularity of the debate was almost universal, we've managed to line up a few interesting speakers (volunteers, no less) who have all agreed to endure "ten minute conversations without PowerPoint". The topics are:-

  • A quick update on what's been happening at the Accreditation Specialism Advisory Group;
  • Keeping ahead of the bad guys - how the UK needs to change; &
  • Social engineering anecdotes.
Once again, the event is open to all information security professionals, whether members of the IISP or not.

Admittance is strictly by pre-registration only. For Health & Safety reasons you must register, as we have to provide the number of attendees to the venue.

Please register here.

Hope to see you there.

Comment: 2016/04/25 - More on the QuickTime situation.
Whilst it was a bit slow off the mark, the CERT-UK page on the QuickTime issue has appeared.

Comment: 2016/04/20 - Media round up.
It’s been a wee while since we had a round-up of some stories from the media:-

  • In the face of a few serious vulnerabilities, Apple has dropped support for the Windows version of QuickTime - seemingly without warning. Universal advice? Delete it. Now.
  • Turns out the FBI haven't found anything useful on Syed Farook’s locked iPhone 5c - yet!
  • John Chen from BlackBerry provides another perspective on the FBI versus Apple issues. And in truth, it’s slightly closer to my own. Thing is, is it right that we trust an organisation to police the “middle ground”?
  • And on a similar topic, this is old news.... But it does beg the question how BIS is architected if they hand over a single "world-wide" root certificate?
  • (This is not new.)
  • Turns out that, on average, Apple complies with more court orders from the US government than any other government.
  • Ransomware has featured a couple of times in the last week or so. An anonymous security researcher has worked out how to unlock machines infected by Petya. Whilst it’s fairly specialised, he has put up a tool to rescue data. The story of how they did it is very interesting. Equally, the analysis of the BitcoinBlackMailler.exe (or JIGSAW) is worth a read as it adds theatre to the cryptolocking mix.
Finally, if you are one of the millions of Debit MasterCard users that also use PayPal, you might want to take a very close look at your account.

I had cause to send some money to a friend – something that should be free according to PayPal, but I was stung for a credit card fee. Despite speaking to five different PayPal members of staff, they were unable to set up the card as a debit card and not a credit card. They blamed my bank and told me to speak to them.... Err.... No....

This is a brilliant scam, that they don't seem too keen on fixing.... And is why PayPal has now gone the way of eBay....

Comment: 2016/03/30 - FBI versus Apple.
I have resisted the urge to comment on the FBI versus Apple debate, but now that it's come to a (sort of) conclusion, I thought that it might be worth providing an alternative view.

The fact remains, that there was a huge amount of smoke and mirrors being thrown about by people who are unqualified to comment. The whole situation was incredibly polarising. I don't share the opinion that Apple consider themselves to be "unhackable" or "above the law". However I'm not in the least bit surprised that there is an organisation that is able to get into a locked iPhone 5C. It's not running the most recent version of iOS so there are always going to be flaws. (Whilst some may suggest that it's anti-Apple, I would suggest that the iPhone was produced to allow Apple to sell more music and monetise the "apps" run on smartphones. It wasn't an enterprise class communications service and as such, it introduced another layer of complexity to what is already a fairly intricate technology – that of the smartphone.)

Whether or not Apple complied with the FBI request to open one iPhone isn't the argument. (And needless to say, all the baggage that went with that request.) Those that insist that privacy is an uncompromisable tenet of modern life are wrong. As are those that believe that technology companies should allow backdoors to be installed into their products to help prevent terrorism or crime.

On the one side, the main argument appears to be that we should strive to have absolute security because that prevents its exploitation by third parties. Indeed, we saw the feature creep of ID cards during WW2 – why should technology be any different? Aside from the irony, the fact that many (but not all) in the privacy camp continue to post every snippet of their lives to social media, or allow their web searches to be collated and analysed by the search engine, highlights a discrepancy. Even those that don’t do it, often miss the tranche of useful information that can be gleaned from meta-data associated with their activities. Surely this information requires protection too? Either way, there is no such thing as perfect security. As long as we continue to build security products, they will have flaws because we're not perfect.

The other camp counter with examples of terrorism and crime and say, “encryption let that happen”, we need to have an absolute trust in the powers that be, to protect society. They insist that the bar for accessing private, personal information be set lower. The answer to that is similar. We're flawed and fundamentally power corrupts – especially in modern society – and I've lost count of the times that I've been involved in professional investigations featuring trusted staff who all perverted their employers' information or computational resources for their own gain.

Whilst we’re on the topic, if we’re going to backdoor technology because it helps keep people safe, then why stop there? Why not ban cigarettes, cars, hippos and prohibit people going out in thunderstorms? Statistically, they are more likely to kill you than terrorism. If you factor in firearms, rugs on polished floors, nails, young male drivers, hammers and stupidity, then we’d save the lives of tens of thousands every year.

I’m afraid, that neither polar opinion works in my view. No. As with all things, compromise is the order of the day – and that’s a bigger issue than the very binary opinions expressed by many so far....

The real difficulty is: How do we structure society (because this is a cultural thing) to accommodate that middle ground with appropriate checks and balances? I’d suggest that’s damn near impossible, but until we solve that one, we’re destined to live in an imperfect society.

Comment: 2016/03/22 - We are not afraid.
Once again, our thoughts are with our Belgian friends following this morning's terrible events. Things seem dark at the moment, but we must stay strong. We must not change our habits. We must not be terrorised. We are not afraid.

News: 2016/03/09 - IISP Fellowship Award.
IISP Congress, The Royal College of Surgeons of England, London: It is with immense pride that we announce that BladeSec IA director, Owen Birnie, was admitted as a Fellow of The Institute of Information Security Professionals.

Late last year, Owen was nominated by industry legend and original Fellow, Peter Fischer. Following an interview where Owen was required to demonstrate his achievements, contributions and commitments, the IISP Accreditation Committee promoted him from a Full Member to a Fellow. This means that Owen joins the ranks of only sixteen other industry luminaries who have had their eminence, authority and seniority recognised as excelling in the field of information security.

Owen marked his award by appearing on a panel at The IISP Congress where the topic was, "Why are we so emotional in security?!". The panel debated several thought-provoking points, and whilst there were many strong opinions, the discussion was good-natured and interesting. It highlighted that there is still much to do in the field of information security. Owen felt that the particular highlight for him was Andrea Simmons linking the IISP Code of Ethics with a specific form of marketing popular at conferences. (Get all the vendors to stamp your card to enter a draw to win something!)

Speaking about his award, Owen said, "In my professional career, I've achieved lots of things, including some firsts, that other people have been proud of for me, but this is the first time that I can say that I am proud of me!"

That rounded off a busy week for Owen, which had kicked off with meeting students and lecturers at the Scottish Cyber Security Insight Camp being run by The Cyber Security Challenge. It was notable, as it marked Owen's first public appearance on social media.

News: 2016/02/18 - Scottish IISP Branch update and save the dates.
The Scottish Branch of the IISP were delighted with the last social and networking event held in Waxy O'Connors in Glasgow last week. The turnout, whilst about average, was exemplary. Everybody who registered, bar one, turned up. Even the one that was a "no show" sent his apology the next day as he had got snarled up in traffic.

This gathering saw the return of the "ten minute talks without PowerPoint":-

  • The first talk was about different ways of highlighting IA requirements in procurement and contracts. It attracted a significant amount of debate from the fellow delegates and was in danger of pushing the boundaries of "ten minutes" to breaking point.
  • The second talk, from one of our younger delegates, reminded us what it was like to be on the receiving end of the recruitment process, what value there was in qualifications and how he approached that particular dilemma.
There were other firsts:-
  • The selection process for a Deputy Chair of the Scottish Branch was started.
  • The IISP members who were present agreed that they would be content with a "GroupSpace" style forum for Scottish members. Watch this space for more information.
  • The speakers for the next gathering were largely agreed.
(From the perspective of the Scottish Chair, the first two of these are important to address the wide geographical spread of this particular IISP branch.)

We would like to extend our thanks to the speakers and delegates who attended our first meeting of 2016 and in line with our on-going firsts, we can provide the dates and locations of the next two meetings:-

  • 6TH April, 2016: The Crypt Bar at Jekyll & Hyde's, 112 Hanover Street, Edinburgh. EH2 1DR.
  • 8TH June, 2016: The Library at Waxy O'Connor's, 44 West George Street, Glasgow. G2 1DH.
Make sure that you save those dates, and keep an eye on The Scottish IISP Branch Eventbrite page for more information and for when pre-registration becomes available.

Finally, just a reminder that there was a call for volunteers to assist in organising events within the Scottish Branch. There is no requirement for you to be a member of the IISP, however there is an expectation that you would become an associate in the time you are working with The Institute. The benefit to you is that you will have access to full members of The Institute who would be delighted to help you with your application. Please e-mail here for more information.

Comment: 2016/02/03 - Safe Harbour is dead. Long live Privacy Shield.
It's well known that Safe Harbour was struck down in October last year. Negotiations for its replacement went to the wire, but this announcement was released last night.

Comment: 2016/02/02 - Crypto and meta-data.
This highlights something that I've suspected for a while - the simple act of using tools like Tor and PGP attracts some attention.

Comment: 2016/01/28 - The MIKEY-SAKKE Debate.
Even the mainstream press have been criticising CESG's phone encryption protocol, MIKEY-SAKKE. (The original blog entry here).

Interestingly, CESG have responded. That must be a first.

I would argue that there continues to be at least one notable, residual flaw with CESG's standard – specifically, the fact that it identifies the handset rather than the user. Should the user be permitted to set a sub-standard passcode, or should an attacker be able to compromise it somehow (by videoing it, for example), then any call set up will be secure (within reason), but not from the authorised user – exactly the same as a normal phone.

Comment: 2016/01/15 - Media update....
It's been claimed that the encryption on BlackBerry devices has been cracked by a Dutch police unit. Media reports claim the actual decryption appears to have been undertaken by the Netherlands Forensic Institute using software from the Israeli firm Cellebrite. Obviously, BlackBerry refute the statement.

If you were asked which software had the most vulnerabilities last year, the chances are you'd be wrong. It's Apple's OS X, with 384 patched vulnerabilities. In second position is Apple's iOS, with 375 patched vulnerabilities. Mind you, the report does prove that there are lies, damn lies and statistics....

Comment: 2016/01/11 - IISP Updates....
Firstly, a note that the IISP AGM is on the 4TH February at Deloitte's in London. Register here.

Secondly, the first Scottish IISP Branch meeting of the year is occurring the following week in Glasgow on 10TH February. We're returning to Waxy O'Connors near Queen Street Station again. For tickets and more information, please see here.

Finally, the Scottish IISP Branch is delighted to be assisting in the first Scottish Cyber Security Insight Camp being run by The Cyber Security Challenge. For more information, click here.

Comment: 2016/01/01 - Happy New Year!
Once again, as the clock ticked past midnight, BladeSec IA Services became another year older as we celebrated our fourth birthday.

That means that it’s time for our irreverent look at the last twelve months:-

  • Miles to closest job: 3.1 miles.
  • Miles to farthest job: 618.3 miles.
  • Largest number of miles covered in a single job: 1533.6 miles (still at no cost to the customer!)
  • Number of products sold: Nil.
  • Number of different BladeSec services sold: 3.
  • Amount of money received for anything other than consultancy: £nil.
  • Number of customers assisted in the last twelve months: 8.
  • Number of individual projects worked on: 22.
  • New customers: 6.
  • Number of tenders submitted: 0.
  • Most interesting place visited: Edinburgh Castle – out of hours!
  • Number of new ties bought by our management team: 3.
  • Number of Specialised Risk Briefings conducted: 2.
Click here for older News & Comment.