Certifications and qualifications
Why choose BladeSec IA?
News and comment <
Products and ServicesTypical work
Terms and conditions
Equality and diversity statement
Archived news and comment from 2013.
Please note: Because this is an archive of articles published on the BladeSec IA website in 2013, not all links may work.
Comment: 2013/12/31 - Worst security film in the world - ever.
Despite the fact that it was set slightly in the future, (and indeed ignoring the fact that it wasn't real), it really was a step too far. It showed a number of fundamental security flaws that designers of computer server rooms, datacenters and other sensitive areas wouldn't make. (A single security layer? No sacrificial protection? No option for retaliation? [Sorry - that one's for network designers]). It also didn't help that they broke so many of the rules for surviving horror films.
Happy New Year!
Comment: 2013/12/25 - Merry Christmas!
Comment: 2013/11/06 - Hallowe'en Security.
News: 2013/10/11 - The Scottish Local Authority Security Group.
Ten years ago, BladeSec IA director, Owen Birnie took over the inaugural chair of the group from Tony McNair, at CoSLA. The group was in its infancy, but despite the bumpy ride, it went to show that there was strength in numbers and the benefits of collaboration. The fact that the group has gone from strength to strength is a testament to the way it has been run, and to the on-going usefulness of the forum.
Following his defection to CLAS, Owen always wanted to go back to present to the group, so being given the opportunity to field questions about politics, network design, the Public Sector Network, Windows Mobile, security in Apple products, Government Security Classifications and a whole myriad of other topics made it better than a day in the office. It was even better to catch up with old friends and colleagues - some of which had not been seen for a number of years. In truth, Owen cannot help thinking that the consultants got away very, very lightly!
It was a thoroughly enjoyable day, and BladeSec IA would like to express their thanks to the current Chair, Paul Dick of Perth & Kinross Council, Andy Lawson of Aberdeenshire Council for hosting it, Steph Dawson of The Sopra Group, Neil Boyd and Tom Roberts of Pen Test Partners.
Apple TouchID has been broken within nine days. It's been ten years since I did a talk on biometrics. Back then, under perfect conditions fingerprint biometrics worked 98% of the time. In less than ideal conditions, it quickly dropped to 60% or even less. Seems things may not have improved.
News: 2013/09/09 - BladeSec IA Specialised Risk Briefing.
News: 2013/09/07 - Egress Switch.
As things have moved on, I've deployed Egress Switch in a couple of places. I like the assurance that the company gives me regarding the product. Things, such as the fact that it was certified under the legacy CCTM and is currently under evaluation with the CPA go a long way in government circles.
I keep encountering Egress in the most unexpected places. Indeed, one of my colleagues has suggested that as government moves more and more on-line, products like Egress Switch will be the best delivery mechanism to get secure material to the citizen.
Egress are hosting an event. Go along. Ask them difficult questions. I think you'll be impressed. See you there!
(Other than the fact that I've used Egress Switch personally and professionally, there is no relationship between Egress and BladeSec IA. They haven't paid anything to be recommended.)
Comment: 2013/07/31 - Professionalism
In effect, there is going to be three different questions that customers have:-
Comment: 2013/07/30 - Interesting snippits
(As an aside, I have a reputation for being brutal when it comes to cold calls. I had one such call a week or so back. In this case, the caller was overly familiar. When challenged, they then went on to be vague about who they worked for and what they wanted to achieve from the call. I can only conclude that openness, honesty and integrity means nothing to them and I do not deal with such individuals. That's three strikes - you're out!)
The question of assurance and integrity of foreign firms providing technology for government departments and agencies (and the UK CNI) is again in question. Rumour control would have us add Lenovo, to the list of foreign suppliers. The list already, justifiably, contains Huawei. Who's next? Kaspersky? McAfee? QnetiQ? (I say "justifiably", as there clearly has been a cock-up on allowing Huawei to audit themselves. There is no assurance in a scheme that is not independent.)
Comment: 2013/06/24 - Real World Security
The first element, was the ineffectiveness of the physical pat-downs and bag inspection on entry to the arena. It was never entirely clear what purpose they served, but I assumed that it was to enforce the admission policy. It was fairly clear that there was a failure on that front as several "banned" items made it into the arena over the three days.
On the other hand, having a three day pass, admission is granted by means of a wristband. The particular design employed by this festival had a large plastic bead with a mechanism inside to prevent the wristband being taken off easily. Whilst I resisted the urge for all of the three days, by the time Monday morning came, I was keen to get my parasitic attachment off. Cutting the wristband was one option, but I confess that curiosity got the better of me. It took exactly three minutes of close examination before I was able to remove the wristband - undamaged. Just to prove it wasn't a fluke, I showed my son how to do it, and he repeated the exercise.
Whilst the terms and conditions prohibited the transfer of the wristband, I doubt that it was sufficiently tamper evident for this purpose. It was, however, perfectly adequate to ensure that it could not accidentally slip off as well as providing an elementary resistance to casual removal. As far as I can see, the wristband was a reasonable security countermeasure, but the physical security was less effective unless....
Could it be that the countermeasure is not the physical security, but the security theatre generated by it? Is it feasible that it's designed to dissuade exactly the same level of casual disobedience that the wristband is, rather than enforce the admission policy?
And I hasten to add that whilst I am critical of the purpose of the security staff, they carried out their duties with incredibly good humour....
Comment: 2013/06/11 - PRISM and Privacy
Instead, I would like to highlight a different facet - and this one is controversial.
I suspect that my generation was the first to grow up with computers that were easily recognisable as computers. In order to get them to do things, you had to write code. In a home environment, they were never networked. Photographs were sent away on film in envelopes and returned a week later on paper. Music may have been starting to get digital (on the Compact Disc), but it was still bought in shops, next to vinyl and tape. Mobile phones eventually began to appear, but their battery life and functionality limited their impact. The only loyalty scheme was Green Shield Stamps.
The next generation had computers that were cleverer and were starting to get networked. It may have been dial up internet access, but information began to be easily exchanged including open source software and illegal pirated software. Digital cameras were beginning to appear, but the image quality was not great. Music had migrated almost completely to Compact Disc - occasionally bought from on-line retailers. Smart phones had begun to appear, but largely the "Short Message Service" delivered from a numeric keyboard had yet to give way to "texting" from a reduced sized QWERTY one. The supermarket loyalty card appeared and the shopping faithful got rewarded with vouchers for groceries they had been buying in competitors' shops.
The current generation must now be on-line whether it is by always on internet connection or by 3G/4G signal. The smart phone has developed a variety of non-communicative functions including a camera and a satellite navigation system. Photos taken with them are geotagged with their exact location and uploaded to photo sharing sites for family, friends and indeed, the rest of the world to view. Music would seemingly be rarely paid for, and even more rarely delivered on any form of physical media. Music is licensed to the purchaser for their life and no longer. Even the High-Definition Personal Video Recorder under your television has the facility to change adverts to ones that the "parent corporate" thinks you're more likely to watch. Huge corporations crunch all the data that they can get about you in order to better separate you from your money.
What's the point of this?
I'm pointing out that personal technology has moved on so quickly, with new features at every release. Every generation has given up a little piece of their privacy in return for some short-term perceived benefit. These things are largely cumulative, and are being exercised by the general population who once upon a time accused people like me of being nerds for "being into" computers. These are the same people that think I am some sort of Luddite for not being on Facebook, iTunes, Twitter or LinkedIn. How perspective changes?
So. What's all this about?
Here's the rub. I would suggest that in general, the population have no interest in maintaining their own privacy. It's not cool to read the Terms & Conditions of web services. They think it's okay to illegally copy anything that has no substance. They don't understand that the data they willingly hand over is being mined by commercial organisations who only wish to exploit that data. They think nothing of the value of the data they leave behind as they switch credit cards, banks, energy suppliers or mobile phone provider. They don't understand the risks of their lives lived permanently on-line. They don't get that the photo they posted to Facebook whilst drunk may well come back to haunt them - regardless of their security settings. They don't understand that as features on technology creep onwards, that it may have an impact on how they should use that technology. Frankly, it's difficult for even an expert to make this judgement call. How can the privacy illiterate(*) be expected to manage?
PRISM shows one set of problems - but what about the millions of people who have sleep walked into their technical, always-on lives. At some point, possibly like Neo in The Matrix, will they wake up and become horrified at what they have got themselves into? That will make PRISM look like a storm in a teacup.
(*) The privacy illiterate - I predict that this group will be given a name. Suggestions can be mailed to the usual address.
This narrative represents the personal opinion of Owen Birnie.
Comment: 2013/05/27 - Social Responsibility (Was Corporate Ethics, Part 2)
I have said for many, many years, companies have a responsibility. And that responsibility exceeds being ethical, or being green, being charitable, being socially responsible or being a caring employer. Sometimes it's about doing the morally right thing.
Here is a link to the current Code of Conduct for CESG Certified Professionals. You can be sure that BladeSec IA adopt not only the letter of this, but also the semantic meaning - even if it costs us work. Don't just judge us by our words, judge us by our actions. There's a reason that BladeSec IA uses trust@BladeSecIA.com.
News: 2013/05/24 - Corporate Ethics.
There is a watermark-type feature in all BladeSec IA proposals that delivery partners follow. Customers who have seen Mr. Birnie's name, qualifications or experience listed on a proposal and wish to confirm his involvement are invited to e-mail for confirmation.
BladeSec IA Services will not fulfil through organisations who undertake such unethical, underhand activity.
Comment: 2013/04/08 - Autism Rocks - Perthshire Battle of the Bands.
On Saturday night, my son, Jack, and his three friends, Blair, Cameron and Teague won the Perthshire Autism, Autism Rocks Battle of the Bands at The Corinna in Perth. Performing as "Paradise Found", they were the youngest participants and saw off five other bands.
As a Dad, you always hope they manage to hold their own, but this was their third ever gig - and they absolutely nailed it.
A video of them playing Seven Nation Army on the night is available from YouTube here.
News: 2013/03/28 - CESG Certified Professional.
More information on the CESG Certified Professional scheme is available, here.
Comment: 2013/03/19 - Cloud E-mail Upgrade
Some may be shocked that a security firm are adopting a public cloud service. BladeSec IA believe that e-mail is a good candidate for migration on the basis that since SMTP was invented, it's never been secure. What is unique is that BladeSec IA have designed a technical overlay that allows it to be accredited for Restricted e-mail. This overlay should be in place - following testing - by 23:00 on 2013/03/21.
Update: Normal e-mail services were resumed by 22:30.
Update#2: The encrypted overlay has been enabled at 15:00 on 2013/03/20. Some testing remains, but things have gone exceptionally well.
Comment: 2013/02/11 - The Public Services Network.
Many organisations are now at the stage of having to submit a PSN Code rather than a GSI, GCSX or GSX Code of Connection. There is a huge amount of misinformation being spread around about the PSN Code and so, to try and cut through the smoke and mirrors, I offer the following. Hopefully, it will be useful and I hasten to add that this is my understanding based on the work that I've been involved in. I also wish to point out that none of the material linked here is protectively marked, it is all publically available from the Cabinet Office website and none of this has been approved by either PSNA, the Cabinet Officer or CESG....
Contrary to many rumours, the PSN Code is, in my opinion, less onerous. There is a far greater emphasis placed on informed risk based decisions. This in itself can be a problem. If an organisation does not already have an established mechanism for managing and owning risk. This deficit is far more serious than filling in a PSN Code and therefore, I'm going to leave that particular predicament....
The official PSN page is here.
I personally dislike this page, as it's too fluffy and doesn't tell you what you need to know. About halfway down, there is a link that refers to the recent documentation from August last year. If you know what you're looking for, that link is the place to start.
The latest, official documentation is available here.
I know that I should tell you to read everything (and you should), but in reality, very few folk actually seem to. I'd suggest that you start with the FAQ.
I strongly advise you to make notes from this document as it contains very useful material about BPSS, what sections to complete, etc..
Next up, the PSN Code. Remember, not all sections need to be completed. It depends on what role your client is undertaking.
Next, you're going to have to wade through the unfathomable English that is the PSN Code Annex B. You'll see that Annex B highlights and cross references different documents. These are all available from the PSN website.
The most important for PSN Customers are:-IA Conditions Supporting Guidance is potentially the most useful resource for a PSN Customer.
When ill informed people say that "[the] PSN CoCo is just like the GSI CoCo", in reality, they're referring to the IA Conditions sheet in the PSN Code Annex B spreadsheet. The bad news is that every sheet in the PSN Code Annex B has to be completed to some degree or another. That said, there is more than a passing similarity between the IA Conditions sheet and the Controls sheet on an old GSI Code of Connection. This is reflected in the useful information contained in Annex C of the IA Conditions guidance.
Your client will also need to complete the annex from Contact Details.
Finally, there is a sample PSN Annex B Code. I have to say that I think it causes as many problems as it solves. It's passed off as a Customer PSN Code, but I suspect it's been made to look that way. I would urge you not just to copy the stock answers as I personally believe that there are errors in it.
I have my own sample PSN Code as well as a formatted, partially completed one for PSN Customers.
Comments and more information is available from trust@BladeSecIA.com.
Comment: 2013/01/01 - First Year
It's a shame that I can't disclose details of everything that BladeSec IA have had a finger in, or have planned, but there are things that I am immensely proud of. That said, here are some upcoming highlights:-
Click here for older News & Comment.