BladeSec IA Logo

Company Information

Company principles
Certifications and qualifications
Why choose BladeSec IA?
News and comment <

Products and Services

Typical work
Engaging us
Specific highlights

Travel Advice


Contact us
Privacy statement
Terms and conditions
Environment statement
Equality and diversity statement

Archived news and comment from 2014.

Please note: Because this is an archive of articles published on the BladeSec IA website in 2014, not all links may work.

Comment: 2014/12/24 - Merry Christmas!
(Comment removed.)

Comment: 2014/12/22 - The people make Glasgow.
(Reposted as the original never appeared.)

BladeSec IA had a couple of staff in Glasgow today. They were making their way back to Queen Street Station at approximately the same time as the terrible events were unfolding in George Square. They were there during the immediate aftermath. Had they been coming from a different customer today, they may never have made it home for Christmas with their families.

Sometimes fate deals you a break and you never know how grateful you should be. This time is different. This Christmas take your time with your loved ones - and in the coming year. There are a few folk tonight that won't be able to and our deepest sympathies go out to their families.

Comment: 2014/11/03 - Social Media.
BladeSec IA don't use social media. We never have, and it's highly unlikely we ever will. (We even have a company policy to this end.)

It has come to our attention that there are instances of our trademarks and our company name being used on social media sites. BladeSec IA wish to point out that we have no association or link with anybody on any social media site. They do not represent BladeSec IA nor do they have any association with the organisation. It should be noted that a number of these instances contain links to our website.

Comment: 2014/10/29 - Media round up.
As I write this, there are reports that an unclassified network in The White House has been hacked.

Samsung Knox has been approved by the US Government for classified material. A few days later, there's an allegation that things may not be as rosy as first thought. And needless to say, Samsung responded.

Meanwhile, as we predicted, SHELLSHOCK has been weaponised in a very unique manner.

Apple are getting it in the neck for uploading draft unsaved documents to their iCloud - seemingly without permission. There seems to be an awful lot of FUD about this at the minute. At first glance, the data is encrypted in transit and encrypted in the cloud. There would appear to be some minor nuances that need ironing out.

Finally, (for now at least), a Tor exit node has been infecting binaries with malware.

Comment: 2014/10/22 - Vulnerability in SSL version 3.
(20141029 - Edited to improve the English.)

I've resisted the urge to pass comment on the "POODLE" vulnerability until I had conducted a bit more analysis.

I found it a bit odd that whilst it was engineers from Google that found the flaw, the news appears to have been broken by The Register. This meant that I took the announcement with a pinch of salt. Don't get me wrong, I am an ardent reader of El Reg, but the fact that POODLE seemed to be missed by most of my usual sources for full disclosure, made the situation worthy of a bit more investigation. (As an aside, it didn't help that El Reg seemed to have a somewhat tabloid approach to the announcement.)

On investigation, it appears that POODLE is not a flaw, but a limitation of the SSL version 3 protocol. Whilst there are numerous web browser publishers that have now announced they will drop support for the protocol in the next version, the thing is... in order to exploit POODLE, you have to be in a position to capture your target's packets. You have to be in the privileged position of being able to conduct a man-in-the-middle attack. This sort of thing is highly likely at public Wi-Fi access points or as part of state-sponsored attacks, but realistically, there are so many issues about using public access points, POODLE is only one possible exploit in a whole army of potential vulnerabilities.

In essence, whilst patching and configuring end user devices properly is always worthwhile, sometimes the context of an attack needs to be understood and in this case, user training is paramount. People should not use "untrusted public networks" such as hotels, mobile hotspots, etc. for anything they expect to have some form of privacy for.

News: 2014/10/17 - The ICAREC Forum.
BladeSec IA were very proud to represent The Institute of Information Security Professionals at an event last night to support the resettlement of staff from Military Intelligence. The setting for the inaugural Intelligence Corps resettlement and networking event was the Castle Club in the "new" Barrack Block of Edinburgh Castle. Possibly due to it not being an IA specific event, there was an eclectic mixture of participants. Those attending included representatives from KPMG, Police Scotland, The Royal Bank of Scotland, The Scottish Football Association and Selex amongst others.

News: 2014/09/25 - BladeSec Tanto and Katana.
BladeSec IA can state that neither the Tanto or Katana appliances are vulnerable to SHELLSHOCK. Neither have Bash installed and do not have server side processing that calls out to a shell.

News: 2014/09/25 - Vulnerability in Bash (SHELLSHOCK).
Following on from the HeartBleed vulnerability in April this year, another vulnerability has been discovered, but this time in the Unix BASH shell. Whilst both have a CVSS score of ten, initial investigations by BladeSec IA suggest that SHELLSHOCK is going to be far more significant. This vulnerability can be exploited in such a way to easily Trojan a machine into a bot or to capture files from the file system. It could see the bad old days of a worm propagating networks like Slammer and Blaster did in the early noughties. The situation is exacerbated by the extent that security researchers just do not know the extent of devices that may be vulnerable to the flaw. These may include devices built on Unix such as Apple's OS X, Android tablets and mobile phones, home broadband routers and Unix internet servers.

Entry in the National Vulnerability Database here.

GovCERT UK page here.

News: 2014/09/19 - Scotland to remain part of the UK.
From a business and professional point of view, this is a double edged sword. On the one side, there, undoubtedly would have been a huge demand for BladeSec IA's services on the basis of their extensive knowledge, ability and experience. On the other, there was no immediate replacement for several fundamental requirements of an HMG consultancy service. There was no drop-in replacement for National Vetting, the CLAS scheme, CESG Certified Professionals and the IA Portfolio Portal.

In the lead-up to the vote, BladeSec IA committed to CESG and The CLAS Forum to work with all interested parties to resource and lead suitable transition planning in the event of a Yes vote as well as be involved in the development of appropriate government assurance schemes going forward.

It is currently unclear what additional devolved powers will be given to The Scottish Government. BladeSec IA remain committed to working with them, central government and the private sector IA consultants to ensure that there remains an appropriate and effective assurance wrap around government IA north of the border.

News: 2014/09/11 - Local Authority Training Course - Information Risk Management for HMG IA Practitioners - IS 1 & 2.
Due to overwhelming interest, BladeSec IA Services, Ltd., will be running Information Risk Management for HMG IA Practitioners - IS 1 & 2 specifically for representatives from Local Authorities. This is the same two day, CESG sanctioned course offered by QA, but with specific discussions pertaining to local authority issues.

Dates have to be confirmed for the course, but it is likely to be run towards the end of October or the beginning of November depending on the diaries of those confirmed delegates. Equally, the location is yet to be set in stone, but will be in a mutually agreed location.

There is currently only one remaining space for this course, however, if demand continues, further sessions will be run allowing delegates more flexibility in their choice of location and date.

For further details or to book, please click here.

News: 2014/08/27 - Training - Additional dates.
More dates have been added for QA training courses in Scotland:-

Please book through the above links.

News: 2014/08/22 - Reminder: Upcoming Training Courses.
Operated by QA for the first time ever, north of the border, BladeSec IA Director, CLAS Consultant and Senior CESG Certified Professional, Owen Birnie, is taking the following courses:-

Please book through the above links.

BladeSec IA is currently looking at the possibility of running the two day Information Risk Management course specifically for Scottish Local Authorities. Watch this space for more news.

News: 2014/08/04 - BladeSec IA Professional of the Year.
BladeSec IA is delighted to announce that the first Professional of the Year Award has been made.

Following a slight delay to verify some facts, the individual beat off six other nominated representatives from Local Authorities, Central Government, the Police and the NHS to be awarded the first ever BladeSec IA Professional of the Year Award for 2014.

Despite much debate, the winner has elected to remain anonymous over the award, but is pleased that they will shortly be joining the Institute of Information Security Professionals by having their membership paid for a year.

BladeSec IA Managing Director, Owen Birnie, said, "Having worked with his employer, I'd known of the individual for a few months. Despite not working in an IA role, he always seemed to inherently understand the requirements set by his security colleagues. In terms of his manager and peers, his professionalism was always second to none. The real turning point was when he and I travelled to London together and he set about challenging my way of thinking about a particular aspect of security that interested him. Yet further, was the level of understanding of some new exploits he had recently been trialling in his home network. I encourage him into the security arena as I believe him to be a great potential asset and offer my support to get a new career off the ground."

Nominations for the 2015 award can be sent here.

Comment: 2014/07/25 - More on TrueCrypt.
Nothing more seems to have come out about TrueCrypt. (As an aside this is interesting for a number of reasons.) In view of this, we've made the decision to migrate our TrueCrypt installs to BitLocker. Whilst we have existing installs of PGP Whole Disk Encryption and BitLocker (some with CESG key material), we opted to reflect the End User Device Security Guidance onto our Windows 8.1 Pro install.

The performance is interesting as I've never run BitLocker on the same platform that I've previously run other disc encryption on. And what is apparent is that BitLocker seems to be considerably faster than both TrueCrypt and PGP.

Comment: 2014/07/24 - Apple respond to recent criticism.
Apple's response.

More information from the security researcher, Jonathan Zdziarski.

Comment: 2014/07/22 - Media catch up....
Microsoft draws broadly the same conclusion on passwords as BladeSec IA did.

Interesting undocumented (privacy and security compromising) services that exist within iOS.

Have eBay been hacked again? I recieved another e-mail telling me to log in and change my password:-

eBay recently discovered a cyberattack on our corporate information network that
compromised a database containing encrypted eBay user passwords. We have no
evidence that financial information was accessed or compromised.

As a precautionary measure we're asking all eBay members to change their
passwords. We take security on eBay very seriously, and we want to ensure that you
feel safe and secure buying and selling on eBay.

Actually, whether or not I feel safe is irrelevant. I'm more interested in actually being safe. Even now, eBay are sending e-mails with active links. Still not good security engineering.

Comment: 2014/06/15 - Quis custodiet ipsos custodes?
Self-policing? Errr.... no....

News: 2014/06/11 - BladeSec IA Professional of the Year.
Due to unforseen circumstances, the award of the BladeSec IA Professional of the Year has had to be delayed by about one month. It is expected that the announcement will now be made at the end of July.

Comment: 2014/05/29 - TrueCrypt.
What is going on with TrueCrypt? Does this damage the assurance?

I'd advocate doing nothing until it's clearer what's going on, but it would appear that the current binaries being offered for download may be compromised.

BladeSec-Weaponised: 2014/05/24 - Policy update. This will be the last entry here!.
X-COMMENT: The Weaponised entries can be removed following full client update.

Comment: 2014/05/23 - eBay.
The eBay debarkle doesn't really surprise me. I had cause to close my eBay account last year over an issue with the supply of proven counterfeit software. eBay closed the dispute in favour of the vendor despite me sending them the proof from Microsoft six times. You can't make their security engineering up!

News: 2014/05/22 - Upcoming Training Courses.
Operated by QA for the first time ever, north of the border, BladeSec IA Director, CLAS Consultant and Senior CESG Certified Professional, Owen Birnie, is taking the following courses:-

Please book through the above links, or contact us if you want the courses run in other locations in Scotland.

Comment: 2014/05/17 - Come on you Saints.
Everybody at BladeSec IA wishes St Johnstone the very best of luck in today's Scottish Cup Final.

Last night's wee session by Paradise Found.

BladeSec-Weaponised: 2014/05/01 - This is a drill. Do not panic!
x-ray papa charlie tango QUEBEC 4 9 9 2 3 YANKEE 4 uniform 5 2 ROMEO victor 6 lima 3 lima 1 8 3 8 CHARLIE 5 x-ray 9 9 2 3 YANKEE BRAVO 8 1 KILO 9 tango DELTA QUEBEC 1 3 4 7 golf whiskey oscar X-RAY 4 lima NOVEMBER kilo 7 2 uniform 0 YANKEE BRAVO romeo

Comment: 2014/04/15 - OpenSSL fail...
I was out of the country when the Heartbleed vulnerability was made public and as a consequence of a fair amount of kneejerk reporting, it's been a bit difficult to track who was vulnerable, who has patched, who has changed their X.509 certificate, and therefore when you should change your password. Given that others may be in the same boat, this web page appears to be the best and most extensive list.

It's important to note, that there is no useful reason to change your password without ensuring that the service provider has done all the remedial work....

On the basis that lots of people will be having to change their passwords on lots of systems, is it worth pointing out that the effect of Heartbleed would be limited if people do not use the same password for different websites.

At the very least, passwords should be thought of in "categories":-

  • Probably the most important are your bank password and your e-mail password. These should be at least 15-20 characters, not a dictionary word and be complex (use upper, lower, numeric and punctuation characters).
  • Sites that you use for e-commerce (that is, ones that store a credit card number) are the next most important. Passwords should be at least 10-15 characters long, not a dictionary word and be complex. Ideally, these should be unique, but this can be hard to achieve, given how many they are. If possible break them down into different sub-categories such as "Travel", "Education", "Shopping" or such like.
  • To some, the next most important web sites are those that affect you as an individual such as social media. Again, passwords should be 10-15 characters long, not a dictionary word and be complex. On no accounts, should these be shared between websites within the same category.
  • The least important category is the buckshee "throwaway" registrations. These are the ones that have no information about you other than perhaps that which is publically available anyway such as your address, telephone number, etc. Passwords for these should be a minimum of 10 characters, be complex and non-dictionary. Sharing the same password is unlikely to do any harm.
News: 2014/04/03 - CESG Certified Professional Scheme.
BladeSec IA Services are delighted to announce that their Director, Owen Birnie, has been certified against an additional role as part of the CESG Certified Professional Scheme.

Owen, who was previously certified as a Security and Information Risk Advisor as part of his ITPC transfer, wasted no time proving his professionalism, knowledge and ability by applying for the same role at a Senior Level as well as Senior Accreditor. Both certificates were awarded by The Institute of Information Security Professionals Accreditation Committee on 1ST of April.

"Both these roles reflect the current functions that I am fulfilling for many of my customers", said Owen, "and clearly certifying to the higher level demonstrates BladeSec IA's commitment to professionalism within the government IA sector."

"There are major changes afoot in the Government IA world", added Owen, "and I am determined to ensure that there is no doubt that BladeSec IA are one of the best."

More information on the CESG Certified Professional scheme is available, here.

Comment: 2014/03/14 - PSN Scottish Design Group Workshop.
Yesterday, I participated in a couple of design workshops in conjunction with colleagues from the Scottish Local Authority Security Group, the Scottish Government and the PSN Authority. I was delighted to be involved as well as to catch up with a few old faces.

The feedback seems to suggest that it was significantly more technical, and far more useful than the workshops that occurred in London. It re-enforces the differences between Scottish and English Local Authorities and the issues faced by both. Problems around migration to a legacy IL2 platform will need to be fixed as part of the transition to PSN and to streamline the "community" formerly known as "the GSi".

Knowing the strength of feeling in the Scottish Local Authorities, it was very brave of the two PSN IA Assessors to make the trip north. They were placed on the spot on more than one occasion, but handled the situation exceptionally well, in addition to giving a useful insight into the approval process and the types of issue that may appear this year.

My thanks to all involved.

News: 2014/03/01 - Something wonderful is happening....
BladeSec IA Services have had an inordinately successful first two years of operations.

In that time, they've encountered some very interesting information assurance projects and identified a number of common problems. They've worked with a number of very clever Information Security Officers, network engineers and system administrators. BladeSec IA has always prided itself on being different to the majority of the other IA consultancies by:-

  • Its commitment to the IA community;
  • Its desire to "give back" to that community; &
  • Its desire to promote professionalism in that community.
The success of BladeSec IA is such that we are in a position to promote the company principles into the wider community by starting a number of initiatives:-
  • Firstly, on the eve of the Oscars', BladeSec IA is delighted to announce the creation of it's own Oscars - the BladeSec IA Professional of the Year. This is open to any IT professional within the UK IA community who is seen by BladeSec IA's management team as a stand out performer within their organisation, profession or community.

    Nominations can be sent here. Each nomination must be less than 500 words and explain why the individual should be appointed. It is important to note that this is open to individuals with little IA experience, but who are viewed as having significant promise as well as those who are more established. The official nominations are open now until 30THJune. The winner will be announced on the BladeSec IA website and receive one year's membership (either graduate, associate or full) of the Institute of Information Security Professionals.

  • The second initiative is in support of all the great IA ideas that organisations have that never seem to get progressed. BladeSec IA will support, assist, sponsor and / or fund any IA project within any UK organisation that has a tangible benefit to the public sector. There is limited qualifying criteria other than this, and so technically the sky is the limit. Wherever possible, preference will be given to those projects that produce intellectual property that is returned to the public domain. (In the interests of full disclosure, BladeSec IA is currently involved in two hardware "appliance" projects (the Katana and Tanto Projects) that remain outside of this initiative.)

    Requests for assistance to support projects should be e-mailed here. Nominations will remain open and may feature in future news items.

Comment: 2014/02/28 - Windows XP.
We're getting closer to the 8TH of April, 2014. This is the date etched into the psyche of many IT managers as the day that they inherit entire networks of machines running a Microsoft operating system that will no longer be supported.

Frankly, I have no sympathy. This is actually one of the best advertised end of life programmes that I can think of, for a product that is just a desktop operating system that supports file and print. We've known for years that this date was coming. If you continue to use an unsupported operating system after it's reached this stage, then you must prepare for the worst and hope for the best.

We already know that criminals are stockpiling vulnerabilities in Windows XP with a view to exploiting them when MS will not provide a fix. We already know that those same criminals will reverse engineer all the Vista patches to see if there is a similar vulnerability that can be exploited in XP. If you continue to use Windows XP without support, you are on borrowed time. Anybody that says you can get by with a personal firewall and anti-virus has no idea about the significance of the threat.

The only excuse that may be legitimate is cost. But you've known that this day has been coming for years (you have, haven't you?) so if you're not prepared, then somebody, somewhere in your organisation made a very bad decision.

Here, in BladeSec IA towers, we've been "tinkering". The desktop OS of choice has been Windows 7 Professional / Ultimate since about June last year, but we still had older operating systems (including Windows XP Professional and Windows Vista Professional) on a couple of machines for research purposes. As part of our research into the Cabinet Office End User Device Strategy, we obtained a few Windows 8 and Windows 8.1 licenses. We decided to take our tinkering to the extreme and take the opportunity to move some Windows licenses around.

The old Dell Latitude D610 that was running Vista fairly badly, now flies with Windows 8.1. The only drawback, so far, is the lack of a native graphics driver for the on-board Radeon x300. The generic driver is okay, but I think it would be marginally faster (and certainly consume less battery power and run cooler) if there was a native driver. We did track down a Vista 32 bit driver, but it failed to display properly on a cold boot. The audio driver was quickly re-installed from the Dell website and just worked. The lack of a touch screen is no big deal and I have to say that without the pressures of trying to use it professionally every day, it's actually okay. I don't like the interface formerly known as Metro and I do wonder whether Windows 9 will have API's for both interfaces baked into the OS so you can write once and exploit both GUIs without recoding - I hope!

So this freed up a Vista license. In the interests of practising what we preach (and to prevent us having to bin a perfectly servicable laptop), I needed to take our single remaining Windows XP Pro machine off the network. I fed an ancient Dell Latitude L110 the Vista boot disk and it installed. It works, but it's not great as it's fairly laggy. I tried feeding it Windows 8.1 in the vain hope of improving performance, but it still needs a bit of work. In the mean time, it works acceptably with a stripped down Vista install.

And all this on hardware that is over ten years old.....

So why am I telling you all this?

Well, it would appear that for the first time, Microsoft actually cites a minimum set of specs for Windows 8.1 that actually produces a usable platform. Newer Windows operating systems will work on old hardware and therefore it's better to try it and see, rather than assume it won't work and stick with Windows XP.

Comment: 2014/02/02 - Is it just me....
Or is this (behind The Sunday Times paywall) really, really odd? Why on earth would you allow members of a secretive club, exclusive rights to buy a fashion item that would uniquely identify them as being a member of that club?

Comment: 2014/01/29 - Sniglets.
Bad. Better. Is this an indicator of the potential of things to come?

Comment: 2014/01/01 - Year Two: Done!
So, BladeSec IA has been around for two years now. I think it's fair to say that we've made a bit of an impression! 2013 built upon the surprising level of success of 2012. We thought it would be interesting to share some statistics and trivia with you:-

  • Number of customers assisted in the last twelve months: 11.
  • Number of individual projects worked on: 21.
  • Number of PSN Code Annex B's completed: 6.
  • Number of customers successfully connected to the PSN: 6.
  • Number of Specialised Risk Briefings conducted: 4.
  • Number of accreditation decisions awarded by BladeSec IA: 5.
  • Number of HMG IS1/2 Technical Risk Assessments conducted: 9.
  • Number of RMADS written: 7.
  • Miles to closest job: 2.9 miles.
  • Miles to farthest job: 446 miles.
  • Number of different BladeSec IA services sold: 5.
  • Number of products sold: Nil.
  • Amount of money received for anything other than consultancy: £nil.
  • New customers: 7.
  • Number of tenders submitted: 7.
  • Number of failed bids: 2.
  • Number of corrective actions: 1.
  • Number of copies of The Chap read whilst staying in hotels: 6.
  • Most interesting place visited: Belfast, Northern Ireland.
Some more may follow....

And finally: Something wonderful is about to happen....

Here's to 2014....

Click here for older News & Comment.