Archived news and comment from 2014.
Please note: Because this is an archive of articles published on the BladeSec IA website in 2014, not all links may work.
Comment: 2014/12/24 - Merry Christmas!
Comment: 2014/12/22 - The people make Glasgow.
BladeSec IA had a couple of staff in Glasgow today. They were making their way back to Queen Street Station at approximately the same time as the terrible events were unfolding in George Square. They were there during the immediate aftermath. Had they been coming from a different customer today, they may never have made it home for Christmas with their families.
Sometimes fate deals you a break and you never know how grateful you should be. This time is different. This Christmas take your time with your loved ones - and in the coming year. There are a few folk tonight that won't be able to and our deepest sympathies go out to their families.
Comment: 2014/11/03 - Social Media.
It has come to our attention that there are instances of our trademarks and our company name being used on social media sites. BladeSec IA wish to point out that we have no association or link with anybody on any social media site. They do not represent BladeSec IA nor do they have any association with the organisation. It should be noted that a number of these instances contain links to our website.
Comment: 2014/10/29 - Media round up.
Samsung Knox has been approved by the US Government for classified material. A few days later, there's an allegation that things may not be as rosy as first thought. And needless to say, Samsung responded.
Meanwhile, as we predicted, SHELLSHOCK has been weaponised in a very unusual manner.
Apple are getting it in the neck for uploading draft unsaved documents to their iCloud - seemingly without permission. There seems to be an awful lot of FUD about this at the minute. At first glance, the data is encrypted in transit and encrypted in the cloud. There would appear to be some minor nuances that need ironing out.
Finally, (for now at least), a Tor exit node has been infecting binaries with malware.
Comment: 2014/10/22 - Vulnerability in SSL version 3.
I've resisted the urge to pass comment on the "POODLE" vulnerability until I had conducted a bit more analysis.
I found it a bit odd that whilst it was engineers from Google that found the flaw, the news appears to have been broken by The Register. This meant that I took the announcement with a pinch of salt. Don't get me wrong, I am an ardent reader of El Reg, but the fact that POODLE seemed to be missed by most of my usual sources for full disclosure made the situation worthy of a bit more investigation. (As an aside, it didn't help that El Reg seemed to have a somewhat tabloid approach to the announcement.)
On investigation, it appears that POODLE is not a flaw, but a limitation of the SSL version 3 protocol. Whilst there are numerous web browser publishers that have now announced they will drop support for the protocol in the next version, the thing is... in order to exploit POODLE, you have to be in a position to capture your target's packets. You have to be in the privileged position of being able to conduct a man-in-the-middle attack. This sort of thing is highly likely at public Wi-Fi access points or as part of state-sponsored attacks, but realistically, there are so many issues about using public access points, POODLE is only one possible exploit in a whole army of potential vulnerabilities.
In essence, whilst patching and configuring end user devices properly is always worthwhile, sometimes the context of an attack needs to be understood and in this case, user training is paramount. People should not use "untrusted public networks" such as hotels, mobile hotspots, etc. for anything they expect to have some form of privacy for.
News: 2014/10/17 - The ICAREC Forum.
News: 2014/09/25 - BladeSec Tanto and Katana.
News: 2014/09/25 - Vulnerability in Bash (SHELLSHOCK).
Entry in the National Vulnerability Database here.
GovCERT UK page here.
News: 2014/09/19 - Scotland to remain part of the UK.
In the lead-up to the vote, BladeSec IA committed to CESG and The CLAS Forum to work with all interested parties to resource and lead suitable transition planning in the event of a Yes vote as well as be involved in the development of appropriate government assurance schemes going forward.
It is currently unclear what additional devolved powers will be given to The Scottish Government. BladeSec IA remain committed to working with them, central government and the private sector IA consultants to ensure that there remains an appropriate and effective assurance wrap around government IA north of the border.
News: 2014/09/11 - Local Authority Training Course - Information Risk Management for HMG IA Practitioners - IS 1 & 2.
Dates have to be confirmed for the course, but it is likely to be run towards the end of October or the beginning of November depending on the diaries of those confirmed delegates. Equally, the location is yet to be set in stone, but will be in a mutually agreed location.
There is currently only one remaining space for this course, however, if demand continues, further sessions will be run allowing delegates more flexibility in their choice of location and date.
For further details or to book, please click here.
News: 2014/08/27 - Training - Additional dates.
News: 2014/08/22 - Reminder: Upcoming Training Courses.
BladeSec IA is currently looking at the possibility of running the two day Information Risk Management course specifically for Scottish Local Authorities. Watch this space for more news.
News: 2014/08/04 - BladeSec IA Professional of the Year.
Following a slight delay to verify some facts, the individual beat off six other nominated representatives from Local Authorities, Central Government, the Police and the NHS to be awarded the first ever BladeSec IA Professional of the Year Award for 2014.
Despite much debate, the winner has elected to remain anonymous over the award, but is pleased that they will shortly be joining the Institute of Information Security Professionals by having their membership paid for a year.
BladeSec IA Managing Director, Owen Birnie, said, "Having worked with his employer, I'd known of the individual for a few months. Despite not working in an IA role, he always seemed to inherently understand the requirements set by his security colleagues. In terms of his manager and peers, his professionalism was always second to none. The real turning point was when he and I travelled to London together and he set about challenging my way of thinking about a particular aspect of security that interested him. Yet further, was the level of understanding of some new exploits he had recently been trialling in his home network. I encourage him into the security arena as I believe him to be a great potential asset and offer my support to get a new career off the ground."
Nominations for the 2015 award can be sent here.
Comment: 2014/07/25 - More on TrueCrypt.
The performance is interesting as I've never run BitLocker on the same platform that I've previously run other disc encryption on. And what is apparent is that BitLocker seems to be considerably faster than both TrueCrypt and PGP.
Comment: 2014/07/24 - Apple respond to recent criticism.
More information from the security researcher, Jonathan Zdziarski.
Comment: 2014/07/22 - Media catch up....
Interesting undocumented (privacy and security compromising) services that exist within iOS.
Have eBay been hacked again? I received another e-mail telling me to log in and change my password:-
eBay recently discovered a cyberattack on our corporate information network that compromised a database containing encrypted eBay user passwords. We have no evidence that financial information was accessed or compromised. As a precautionary measure we're asking all eBay members to change their passwords. We take security on eBay very seriously, and we want to ensure that you feel safe and secure buying and selling on eBay.
Actually, whether or not I feel safe is irrelevant. I'm more interested in actually being safe. Even now, eBay are sending e-mails with active links. Still not good security engineering.
Comment: 2014/06/15 - Quis custodiet ipsos custodes?
News: 2014/06/11 - BladeSec IA Professional of the Year.
I'd advocate doing nothing until it's clearer what's going on, but it would appear that the current binaries being offered for download may be compromised.
BladeSec-Weaponised: 2014/05/24 - Policy update. This will be the last entry here!
The eBay debacle doesn't really surprise me. I had cause to close my eBay account last year over an issue with the supply of proven counterfeit software. eBay closed the dispute in favour of the vendor despite me sending them the proof from Microsoft six times. You can't make their security engineering up!
News: 2014/05/22 - Upcoming Training Courses.
Comment: 2014/05/17 - Come on you Saints.
BladeSec-Weaponised: 2014/05/01 - This is a drill. Do not panic!
I was out of the country when the Heartbleed vulnerability was made public and as a consequence of a fair amount of kneejerk reporting, it's been a bit difficult to track who was vulnerable, who has patched, who has changed their X.509 certificate, and therefore when you should change your password. Given that others may be in the same boat, this web page appears to be the best and most extensive list.
It's important to note that there is no useful reason to change your password without ensuring that the service provider has done all the remedial work....
On the basis that lots of people will be having to change their passwords on lots of systems, it is worth pointing out that the effect of Heartbleed would be limited if people did not use the same password for different websites.
At the very least, passwords should be thought of in "categories":-
BladeSec IA Services are delighted to announce that their Director, Owen Birnie, has been certified against an additional role as part of the CESG Certified Professional Scheme.
Owen, who was previously certified as a Security and Information Risk Advisor as part of his ITPC transfer, wasted no time proving his professionalism, knowledge and ability by applying for the same role at a Senior Level as well as Senior Accreditor. Both certificates were awarded by The Institute of Information Security Professionals Accreditation Committee on 1st of April.
"Both these roles reflect the current functions that I am fulfilling for many of my customers", said Owen, "and clearly certifying to the higher level demonstrates BladeSec IA's commitment to professionalism within the government IA sector."
"There are major changes afoot in the Government IA world", added Owen, "and I am determined to ensure that there is no doubt that BladeSec IA are one of the best."
More information on the CESG Certified Professional scheme is available, here.
Comment: 2014/03/14 - PSN Scottish Design Group Workshop.
The feedback seems to suggest that it was significantly more technical, and far more useful, than the workshops that occurred in London. It reinforces the differences between Scottish and English Local Authorities and the issues faced by both. Problems around migration to a legacy IL2 platform will need to be fixed as part of the transition to PSN and to streamline the "community" formerly known as "the GSi".
Knowing the strength of feeling in the Scottish Local Authorities, it was very brave of the two PSN IA Assessors to make the trip north. They were placed on the spot on more than one occasion, but handled the situation exceptionally well, in addition to giving a useful insight into the approval process and the types of issue that may appear this year.
My thanks to all involved.
News: 2014/03/01 - Something wonderful is happening....
In that time, they've encountered some very interesting information assurance projects and identified a number of common problems. They've worked with a number of very clever Information Security Officers, network engineers and system administrators. BladeSec IA has always prided itself on being different to the majority of the other IA consultancies by:-
We're getting closer to the 8th of April, 2014. This is the date etched into the psyche of many IT managers as the day that they inherit entire networks of machines running a Microsoft operating system that will no longer be supported.
Frankly, I have no sympathy. This is actually one of the best advertised end of life programmes that I can think of, for a product that is just a desktop operating system that supports file and print. We've known for years that this date was coming. If you continue to use an unsupported operating system after it's reached this stage, then you must prepare for the worst and hope for the best.
We already know that criminals are stockpiling vulnerabilities in Windows XP with a view to exploiting them when MS will not provide a fix. We already know that those same criminals will reverse engineer all the Vista patches to see if there is a similar vulnerability that can be exploited in XP. If you continue to use Windows XP without support, you are on borrowed time. Anybody that says you can get by with a personal firewall and anti-virus has no idea about the significance of the threat.
The only excuse that may be legitimate is cost. But you've known that this day has been coming for years (you have, haven't you?) so if you're not prepared, then somebody, somewhere in your organisation made a very bad decision.
Here, in BladeSec IA towers, we've been "tinkering". The desktop OS of choice has been Windows 7 Professional / Ultimate since about June last year, but we still had older operating systems (including Windows XP Professional and Windows Vista Professional) on a couple of machines for research purposes. As part of our research into the Cabinet Office End User Device Strategy, we obtained a few Windows 8 and Windows 8.1 licenses. We decided to take our tinkering to the extreme and take the opportunity to move some Windows licenses around.
The old Dell Latitude D610 that was running Vista fairly badly now flies with Windows 8.1. The only drawback, so far, is the lack of a native graphics driver for the on-board Radeon x300. The generic driver is okay, but I think it would be marginally faster (and certainly consume less battery power and run cooler) if there was a native driver. We did track down a Vista 32 bit driver, but it failed to display properly on a cold boot. The audio driver was quickly re-installed from the Dell website and just worked. The lack of a touch screen is no big deal and I have to say that without the pressures of trying to use it professionally every day, it's actually okay. I don't like the interface formerly known as Metro and I do wonder whether Windows 9 will have APIs for both interfaces baked into the OS so you can write once and exploit both GUIs without recoding - I hope!
So this freed up a Vista license. In the interests of practising what we preach (and to prevent us having to bin a perfectly serviceable laptop), I needed to take our single remaining Windows XP Pro machine off the network. I fed an ancient Dell Latitude L110 the Vista boot disk and it installed. It works, but it's not great as it's fairly laggy. I tried feeding it Windows 8.1 in the vain hope of improving performance, but it still needs a bit of work. In the meantime, it works acceptably with a stripped down Vista install.
And all this on hardware that is over ten years old.....
So why am I telling you all this?
Well, it would appear that for the first time, Microsoft cites a minimum set of specs for Windows 8.1 that actually produces a usable platform. Newer Windows operating systems will work on old hardware, and therefore it's better to try it and see, rather than assume it won't work and stick with Windows XP.
Comment: 2014/02/02 - Is it just me....
Comment: 2014/01/01 - Year Two: Done!
And finally: Something wonderful is about to happen....
Here's to 2014....