Travel Advice

Comment: 2021/09/06 - Power interruption.
As part of the office estate's greening plans, a new hydro-electric generator is due to be wired into the mains on 15/09/2021. This means that the security cart shed will be without power from 09:00 until 16:30 on the day. This isn't the first time this has happened, and so we'll be dusting off our business continuity plans to maintain services.

It's never been a problem before, but we need to declare an "at risk period" in case it extends beyond 16:30, or something unplanned happens that takes down an external service.

We intend to take the BIAS secure server down from noon. This will permit customers to access overnight and previous day reports as normal. We will return the server to operation on restoration of the mains power and customers who urgently need reports and were unable to pick them up that morning can contact trust@bladesec.net as outlined in their customer documentation.

Comment: 2021/08/13 - Life imitating art.
This appears to be an exact case of life imitating art.

Comment: 2021/08/12 - Good, old-fashioned spycraft.
It's good to know that not everything treacherous is done in cyber-space. I've seen some analysis that suggests that despite all the disruption attributed to Russia in the digital-realm, they remain far more comfortable operating in Cold-War-esque dark alleys with cash in envelopes, working dead-drops and leaning on personal weaknesses in corrupt physical realm. There is some speculation that the west has simply forgotten how to do it as well as the east.

It is also interesting to note that the British are leaving the Germans to prosecute the individual, highlighting that The Official Secrets Act is outdated. That seems odd to me.

I suspect that there will be more to come out on many aspects of this.

Comment: 2021/07/30 - NCSC needs it's swanky office.
This made me laugh. The folk that have ever been to GCHQ's old London office(*), will know that it's worlds apart.
--
(*) No tales out of school. Most London cabbies know where it is....

Comment: 2021/07/29 - Action Fraud being shut down?
It seems odd that given the magnitude of the statement, this does not seem to have wider media coverage.

Comment: 2021/07/28 - Dusty Hill, 1949 to 2021.
I confess that it took me a while to get into ZZ Top. Sure, I was familiar with all the "classic" tracks such as Gimme all your lovin', Rough Boy and Legs, but the epiphany for me came when I bought Antenna expecting that same poppy-rock. It couldn't be further from the truth. Looking back, ZZ Top probably got me into Blues-rock long before the Black Crowes, Steve Earle and even Eric Clapton. Whilst Dusty's image mirrored Billy Gibbons (or vice-versa?), the irony was that the only guy in the band with no beard was called, Frank Beard. A couple of gigs followed, and I had no idea how three guys could layer so much sound at a live event. And with various film appearances, it was clear that - unlike too many people today - the band didn't take themselves too seriously. Makes me want to grow a "Texas-goatee".

Comment: 2021/07/23 - Guntrader breach.
In events that are a little close to home, we're seeing evidence of the Guntrader website (or at least the DB back-end) having been compromised. The point in El Reg's article about not trying to find a copy of the database yourself is also note-worthy.

Comment: 2021/07/22 - Voting for The Field gundog awards.
One of our directors, Owen Birnie, has a photograph that is up for an award in The Field gundog awards. Please vote for "Snow", here in the "In the field" category.

Comment: 2021/07/20 - NSO Group targets.
There is some speculation that the Israeli cyber-arms manufacturer, NSO Group has been hacked. It seems more likely that a whistle-blower has leaked a bunch of documents to Amnesty International and a French organisation, Forbidden Stories. Amongst the details are a list of phone numbers targetted by NSO since 2016 and they make for interesting reading.

NSO Group refute the assertions.

You can also check to see if your phone has been infected by Pegasus.

It is also worth noting this Microsoft 'blog post about another Israeli company, Candiru.

Comment: 2021/07/17 - REvil off-line?
The New York Times is reporting that one of Russia's most aggressive ransomware groups has disappeared.

Comment: 2021/07/08 - More good guys acting like the bad guys.
Seemingly, for years, the FBI have been offering a "secure", honeypot device to criminals. Just to be clear, this isn't about law enforcement breaking an existing network; this is about the FBI offering their own, compromised version. More from The Register here

Comment: 2021/06/25 - Dangers posed by evidential software.
An excellent article highlighting that flaws in code can raise legitimate questions over evidential integrity - just as we speculated back in April.

Comment: 2021/06/19 - Original GPRS algorithm deliberately weakened.
A new paper describing a cryptanalytic attack on the General Packet Radio Service GEA-1 and GEA-2 algorithms. The author strongly speculates that GEA-1 was deliberately weakened.

More here and here.

Comment: 2021/06/15 - Emphasising that the good guys can sometimes act like bad guys....
A good summary of the pros of the encryption and privacy debate that every government appears to ignore.

Comment: 2021/06/07 - Attack traffic, part 3.
As I mentioned previously, we're seeing a number of low-complexity attacks against one of our SSH hosts. It's easily blocked, but we saw a significant drop in attack traffic when we blocked two /16 addresses:-

• 209.141.*.*; &
• 205.185.*.*.

Comment: 2021/05/18 - So unlikely, it might be true.....
I had not heard this before. It's so unlikely it might be true. Indeed, there is evidence to support that it is.....

Comment: 2021/05/07 - Attack traffic part 2.
For Carlos, Obkio, Dimitri, Ho and all the others who are repeatedly knocking on the door of a BladeSec IA SSH server:-

• It is pointless trying to log in with "root", "admin", "ubuntu", "pi" or any other user ID. Default user IDs have been disabled. Oh, and logging in with *any* user ID has been disabled.
• It is pointless trying to offer weak crypto exchange keys. They have all been disabled. The server also has FIPS-certified crypto libraries - just in case you were curious.
• It is pointless hoping that a config error in SSH will creep in. The config is tested daily.
• It is pointless hoping that a vulnerability will appear. The server automatically downloads and installs updates every hour. It is also subject to enterprise management that will push security patches to it as soon as they become available.
• It is pointless trying to spray lots of traffic at it. The server is on a narrow bandwidth DSL line, so the rate limiting on the upstream firewall will prevent you flooding the server. Yes, we know a dDOS would take it off the Internet, but that's not really cricket, is it? Neither is it compromising the host.
• The server runs Tripwire and so any changes made to it will be discovered and reverted.
• The server will aggressively block all IPs that attempt to circumvent the security on it and an abuse complaint shall be made to your service provider.
• There is absolutely nothing of interest on it. Please move along.... It exists simply to attract "interesting" traffic.

Comment: 2021/05/04 - Spectre has risen from the dead.
The bottom line is that Spectre was always going to be difficult to fix despite the performance hit, and it's still not.

Comment: 2021/04/29 - First challenges to prosecutions.
There now appears to be reasonable doubt for any prosecution that has featured a Cellebrite product and as we predicted, prosecutions are being challenged. This is to be expected as Cellebrite's security engineering falls far below where it should be, and evdential integrity can no longer be guaranteed.

Comment: 2021/04/22 - Insight into Cellebrite.
The word "Cellebrite" has become known for it's for near mythological ability to unlock a fully patched Android device or Apple iPhone; never mind an older Window or BlackBerry phone. They claim to only sell their tools to law-enforcement agencies, but equally, it has been well reported that they don't deny some of those regimes are authoritarian, military juntas and oppressive governments.

Moxie Marlinspike, author of Signal has published an analysis of the Cellebrite software components having recently come into possession of what appears to be the full gamut of hardware and software. As well as being very readable, the content should be utterly alarming for any agency that has deployed a Cellebrite product as part of their legitimate interests. There now appears to be a reasonable concern that the device image generated by a Cellebrite product may not be as forensically sound as stated.

This is a bombshell for any prosecution that has relied upon Cellebrite to unlock, image or investigate a device, and it does appear that Signal will offer some resistance to any device being scanned. Expect the appeals process to kick off shortly.

Comment: 2021/03/11 - Exchange vulnerability timeline.
This is a scary analysis of the timeline associated with current MS Exchange vulnerability. It highlights that the original vulnerability was reported to Microsoft on 5/1, however it appears that exploits were in the wild from 3/1. Does this mean that the vulnerability was discovered by two researchers - one with integrity and the other malicious? Or does it mean that the research was stolen and exploited within hours? And days later, it iterates again and the vulnerability is weaponised by more than one criminal organisation?

Comment: 2021/03/10 - Attack traffic.
BladeSec IA maintain a number of small honeypots and the traffic analysis associated with that isn't normally terribly interesting. It is changing however:-

• There are a lot more attacks from the US than we'd expect. That can be written off to trojaned machines operating as friendly fire.
• The speed that the number of attacks ebb and flow is interesting. We'll see little directed traffic for at most, two days, and then the next day, we can be targetted by up to 15 different networks. Is that a fluke, or is there a brain behind that? Who knows - but it's interesting none-the-less.
• The most recent notable change has happened in the last 24 hours. There has been a widespread unilateral change to an attack vector that supports there being a single brain behind it. We might post some of the names associated with the attacks as they are not as universal as "administrator", "root", "anonymous" or "nobody". It's almost like the organ grinder has launched a new tool, and the monkeys driving it are using their real names!

There doesn't seem to be a day goes by whereby we discover another organisation has been compromised by bad guys. And some of those organisations aren't even on the roadmap for nation-state attacks. What they all have in common is that they are all alleged to be be high-complexity, sophisticated attacks.

And that pings my BS indicator.

For an attacker to perpetrate a long-term, highly sophisticated attack, the payout has to be commensurate. Cyber vandalism, for the most part is about trashing the very low hanging fruit. Hence, whilst I accept that some of those attacks are likely to be from well resourced foreign armies of chaos, there will be another significant number that are just down to bad luck such as not patching in time, not patching fully, having an excuse not to patch, failing to apply a patch, infrastructure complexity, or failing to be able to patch upstream vulnerabilities. None of these are complex attacks, they're down to failing to give appropriate priority to what should be job zero of any given IT department.

It's also worth noting when these attacks are happening. We're at the point where we've largely been working from home for ten months. Organisations, for the most part, seem to have adapted well - but staff training will have taken a hit. Equally, moving the corporate boundaries out to vulnerable home networks won't have helped.

Are all these successful, highly complex attacks by nation-state threat actors just indicative of security atrophy rather than the stated truth? In my experience, the simplest solution is the correct one nine times out of ten.

Comment: 2021/01/02 - Happy New Year!
So this year will mark ten years since bladesec.net was registered. Whilst this year is only beginning, as we get closer to the end of the year, we will look back at the events that resulted in BladeSec IA being formed. I will, however, save the blushes of the folk that had a hand in that!

As usual here is our tongue in cheek look at the last twelve months:-

• Average distance travelled to work: 3 yards - unsurprisingly it's fallen considerably this year!
• Distance to farthest job: 411 miles (in March).
• Most popular colour of facemasks used by staff: Black followed by red.
• Amount of money received for anything other than consultancy: £280 (A refund for an unused train ticket).
• Number of customers assisted in the last twelve months: 5.
• Most interesting place visited: "The Rhoddy Strip", Balbirnie, Fife (whilst armed!)
• Value of donatations to Wikipedia as a result of Travel Advice: £13.
• Value of donations made by BladeSec IA to support other good causes: £245.
• Number of new tattoos sported by BladeSec IA staff: Two.
• Amount of time donated by BladeSec IA staff pro-bono: 6 days.
• Number of redundant BlackBerry phones in the "spare handsets box": 3 (A number were securely disposed of this year).
• Model number of oldest BlackBerry in that box: Pearl Flip 8220.
• Number of pages printed on the office colour laser this year: 187.