Travel Advice

Please note: Because this is an archive of articles published on the BladeSec IA website in 2018, not all links may work.

Comment: 2018/12/24 - Merry Christmas.
This year, more than any other in BladeSec IA's history, has taken a very important turn. The year has ended with our consultants being horrifically busy. We've leaned on them more than we ever have because of the importance of a number of projects we've been selected for. Needless to say, the folks have delivered well beyond the expectations our clients and friends.

So at this time of year, like the folks from BladeSec IA, we hope you manage to take the time to spend it with your friends and family.

Comment: 2018/11/29 - Stockpiling vulnerabilities.
Position statement from NCSC, by the very chap who told me that they didn't.

Comment: 2018/10/30 - Quiet round here, isn't it?
Shortly after posting my personal tribute to Mr Blyth, I became aware of an organisation who were simply scraping our comments and reposting them as their own. It also marked the time that work went through the roof whilst we were in the process of also migrating all our consultants' laptops from Windows 7 and Windows 10 to Ubuntu(*). One of our die-hard associate consultants decided to go mainstream and get a proper job! (Congratulations, Gordon.)

To that end, we decided that we'd take stock of what we post. We made a decision to post more material that the folks at the security shed are interested in, that may not be security related. We've also decided to offer less analysis that may benefit competitors, whilst still maintaining links to interesting security articles. By the same token, right now it's just not a priority. We're changing the world in non-public meaningful ways right now, and we don't need to toot our own flute.
--
(*) We'd never fully migrated to Windows 10 and being honest the "telemetry" bothered me. If you're not paying for the service, you are the service is becoming more and more true. We ran some pilots with Debian 9 first, and then Ubuntu 18. Most of the success of the transition is down to Evolution that is a better mailer than anything else we've ever used. PlayOnLinux got Word, Excel and PowerPoint 2010 running sufficiently transparently. There's still some work to do (Visio 2010) but it's fair to say that Linux has come a long way in the 15 years since I last used it in anger. Indeed, the last time I had a desktop OS pique my interest as much as this was when I last used a Commodore Amiga.

Comment: 2018/09/30 - The British Touring Car Championship.
Obviously, here at the security shed, we're saddened that our team, Adrian Flux Subaru racing didn't win the manufacturers championship, nor did Ash Sutton win the championship again. However what we have born witness to in the very last race of the season is probably some of the finest driving I have ever seen.

Comment: 2018/09/22 - Chas Hodges RIP 1943 - 2018.
I regret never being able to see Chas and Dave. And for those that think he was a one-dimensional musician, they really should read his Wikipedia Page or the official bio.

From my own perspective, it was a joke purchase of Chas n' Dave's Christmas Jamboree Bag that led me to realise what a talented guy he was. Then I discovered who had the honour of playing with him.

Comment: 2018/09/16 - Dudley Sutton, RIP 1933 - 2018.
Lovejoy remains one of my favourite programmes. The reruns on Drama remind me of Sunday evenings, post homework, spent watching it with my Mother.

I've never read any of the books, but I'm told that Mr Sutton's interpretation of Tinker was not quite as debauched as Jonathan Gash intended. That's quite surprising when you go back and watch the very first series. He was very successfully portrayed as very bibulous.

Comment: 2018/06/09 - Jeremy Blyth, OBE.
I can't believe that it was ten years ago, that I was first involved with a number of small pieces of work at the Department of Transport. The Department were obviously pleased, as it started a fairly regular sojourn south of the border to review annual progress for three or four years.

Whilst down there, I met with a couple of the chaps who went under the guise of, "accreditors". They were called Chris Davis and Jeremy Blyth. It was in that guise of "accreditors", that I cut my teeth on what a good accreditation team looked like.

It was about the same time, that I started as the Lead Accreditor at Disclosure Scotland. Looking back, I can see my naivety, but in my defence, I was there simply to hold the post until a permanent civil servant could be placed into the role. In the coming months, I often found myself thinking, "What would Chris or Jeremy do?"

As my time with DS extended, and I became a fairly permanent installation, I was pleased that both Chris and Jeremy made me welcome into the accreditors' community. It was one that, from the outside, seemed to have more mysteries than the Freemasons, and even as a participant, there were times when discussions on "FIVE EYES" were completely lost on me.

When I qualified as a CCP Senior Accreditor, and my application was passed to GCHQ for final approval (to ensure that I was more than just a jumped up CLAS Consultant), Jeremy and Chris supported me with little nuggets of information and glorious insight in the face of other accreditors who mandated that as a contractor, I could never be an accreditor.

There have been some very memorable times that always seem to occur around the Sunningdale Accreditors' Conference (SUAC). Whether it was bumping down a lane on the back of a golf buggy with a Pan-Government Accreditor or the realisation that the photograph taken of all the delegates of the very last (proper) SUAC should actually be classified at SECRET.

A particular highlight occurred following a very sudden change of plan on the way back from SUAC when Chris and Jeremy decided we deserved a night out. The details need to remain unwritten, but aren't as bad as the time as we blew the cover of Thames House staffers on Horseferry Road whilst discussing counter intelligence in Hong Kong.

I lost touch with Jeremy when he moved to BIS and was seconded onto the Galileo Programme.

There are two reasons that I'm delighted that he's been made an Officer of the Most Excellent Order of the British Empire for services to UK and EU security. The first is that I'm delighted that somebody I know has received such an accolade, in recognition of what IA professionals do.

The second reason is more personal. I'm pleased for Jeremy because it's largely because of him and Chris that I was asked to join the Accreditation Specialism Advisory Group last week. They guided a very green accreditor in the face of unpopular wider opinion and I remain, very, very grateful.

Comment: 2018/04/21 - Facebook and Cambridge Analytica.
I've resisted the urge to pass comment on the on-going saga of Facebook and Cambridge Analytica. Over the weekend, however, a particular musician that I like and respect passed comment that she was leaving Facebook. Given that the situation is now affecting the artistic genre, it seemed like an appropriate time to to point the finger - and the situation may surprise you.

Despite the press attention, I don't think Cambridge Analytica are to blame for the situation. All they did was absorb data that they had permission to retrieve. It's highly likely that they then subsequently analysed that data to derive demographic information. That permitted them (rightly or wrongly) to specifically target groups and to provide them with biasing information. (As an aside, how to manipulate people is an entire other, non-security, story, but if you're interested in the types of bias people exhibit, you should read How to Fail at Almost Everything and Still Win Big: Kind of the Story of My Life by Scott Adams.)

The lack of control on the relationship between Facebook and Cambridge Analytica, that permitted them to absorb so much data, was Facebook's to manage. There are many established conventions that would permit them to exhibit an appropriate level of control including a data sharing agreement, access control lists, or even simply not collecting the data in the first place. (The irony of the last statement is not lost on me as an individual who chooses not to use any social media.)

The lack of control on the data stored by Facebook, is jointly down to Facebook and the individual user of Facebook's service. The problem there is that Facebook have seemingly chosen to make their privacy and security controls so complex it's a full-time job to monitor them. They regularly get changed and updated (pivoted in modern parlance). Most people may give them a cursory glance and then bury their head in the sand hoping that nothing bad will happen. In the meantime, Facebook can state with complete honestly, they have permission to collect huge swathes of information. Even if they are forbidden from collecting one tranche of data, they collect so much other associated information, they may even be able to infer the data they don't have permission to collect. That's what they do. They mine your data to make them money.

What this incident highlighted was that Cambridge Analytica did exactly the same as Facebook (and many other providers) do on an hourly basis with your data. This time, because a Third Party was highlighted as the bad-guy, it was easier to point the finger. Thing is, it's implicated Facebook and brought that into the gaze of the US Senate.

And people are realising the value of the data that they have historically attributed no value to - exactly as I predicted the privacy-illiterate would sleep walk into on 11^TH June, 2013. Does Facebook need to be regulated? Perhaps not, but it has great power and with great power comes huge responsibilities - and they don't seem terribly bothered about doing the ethical or morally right thing. When a company with the power of Facebook makes that conscious decision, society is in trouble.

Comment: 2018/04/16 - Joint statement about Russian cyber activity.
This is somewhat unprecedented. What is particularly interesting is the intelligence around the attack vectors - it just goes to show that they're attempting to exploit vulnerabilities that are patchable, fingerprintable and blockable.

Given the amount of money Russia seeming devotes to cyber, it's also interesting to note that, at least for the time being, they don't appear to be exploiting zero-days. Everybody assumes that the west stock-piles software flaws. Surely the Russians would adopt a similar approach?

That said, it is feasible that we're just seeing the initial phase of some form of electronic warfare - and one that will escalate to use zero days. I guess we might know more in a few weeks.

Comment: 2018/04/06 - A note about social media.
Just to be really clear. We have no social media presence - at all. We encourage our staff not to use it either.

Despite

https://twitter.com/BladeSec_com

https://robertsspaceindustries.com/orgs/BLADESEC

The BladeSec.com one is interesting. It doesn't appear to be a scam, despite the very short-lived Twitter account.

Looking back through my e-mail, BladeSec.com was touted to us on 1^ST May, 2012. It then went quiet for a while - until June 2014, when we started getting increasingly irate daily e-mails until the end of July offering us the domain.

The domain expired shortly afterwards and wasn't renewed by either of the two original holders. We then registered the domain early in August for £18 rather than the extortionate amount that had been offered to us a week earlier.

What was clear was that there was quite a lot of legacy associated with the domain name. The BladeSec.com domain was getting pummelled by Chinese IP addresses, with thousands of hits a day all looking for stuff that must have been on the old site. Then it was as if somebody flicked a switch and overnight a year later, the traffic stopped.

(Whilst we're on the subject, none of the following are the MD of BladeSec IA:-

https://www.linkedin.com/in/owen-birnie-0021358a
https://www.facebook.com/owen.birnie.1
https://twitter.com/OwenBirnie

News: 2018/04/04 - Domestic Travel Advice 2018 Edition, Issue 3.
Now available. Yes, we skipped Issue 2. Yet more, substantial changes to layout and some new content.

News: 2018/03/30 - Resignation of the chair of the Scottish IISP branch.
Today, the chair of the Scottish Branch of the IISP, Owen Birnie, announced his intention to stand down at the end of June:-

Sorry for gatecrashing your bank holiday, but for the members who didn't manage to join us in Edinburgh for the formal personal development event yesterday there is one particular facet of information that I need to share with you:-

Earlier this week, I offered my resignation to the IISP as the Scottish Chair. I intend to step down towards the end of June. I'm hopeful that we might be able to mark my departure with one last social evening in either Glasgow or Edinburgh.

I emphasise that this is not a reflection on the Institute. I remain proud to be a member and will continue to support it as it goes forward into further interesting times adopting Charter status. Instead, this is simply down to the fact that I can no longer provide enough time to organise events and deal with all the admin.

I have enjoyed great times with some of you since I first took over the mantel in October 2014. I have met some of you who have become good friends, and I continue to look forward to informal debates in pubs - just they won't be organised by me.

So there you go.... For those of you that came along to McDonald Road yesterday, you'll know that I spoke for the first and last time as a speaker rather than an organiser. To those that couldn't come, you missed, what I considered to be a very suitable end - made all the better by the team I was in, winning the Intelligence Corps "Thursday of Mysteries" quiz. So with thanks to Lindsay, Kirsten and Tom, I'll end by saying, "so long and thanks for all the fish"

Have a lovely Easter.

O

News: 2018/03/28 - Tenth anniversary of the provision of Accreditation consultancy to Disclosure Scotland.
BladeSec IA is delighted to announce a very significant anniversary. Today marks the tenth anniversary that our Director, Owen Birnie, has been the Accreditor for Disclosure Scotland. Owen started his role in 2008, having been suggested by the Scottish Police Services Authority (now the SPA) to the then operations manager, John Dunlop.

So began the longest role that Owen has ever held - which includes many of his non-consulting jobs. For some time now, Owen has joked that he was the only one that was still in the same role within Disclosure Scotland as other staff were promoted, retired or chose to move on.

The length of time that Owen has worked for Disclosure was only tempered by the occasional interlude to re-let the contract at regular intervals by means of a competitive tender. It is interesting looking back to note that the current day rate is cheaper than it was ten years ago. This reflects the Scottish Government's desire to obtain value for money, as well as BladeSec IA's commitment to cost effectiveness.

Owen has on-going accreditation responsibilities for all existing in-house information systems as well as the planned, and very bleeding edge migration to a public cloud solution - which will be one of the first in the UK when completed. Even Owen admits that he wouldn't have predicted that ten years ago.

Comment: 2018/03/26 - Scottish IISP Personal Development Event.
Still a few spaces left, so opening it up to non-members. Please register at here.

For those members still wondering whether to go, the agenda has been updated with the latest information.

Comment: 2018/03/19 - DMARC, SPF and DKIM.
Following on from the service migration issues of last week, whilst the bonnet was up, we thought it about time that we set ourselves up with proper e-mail security and anti-spoofing DNS records.

We already had TLS configured as Google hosts our e-mail. It was surprisingly easy(*) to set up the various DNS records that fulfill the requirements of:-

• Domain-based Message Authenitcation, Reporting and Conformance (DMARC);
• Sender Policy Framework (SPF); &
• Domain-Keys Identified Mail (DKIM).

Comment: 2018/03/15 - Migration of BladeSec IA DNS.
For over two decades, we've used the services of VirtualNames. Earlier this year, they were bought by Names.co.uk and despite assurances, the migration of the DNS, web and e-mail services did not go terribly well. Please accept our apologies if you sent an e-mail and it bounced. Normal service should be restored now.

Comment: 2018/03/07 - Marcus Hutchins.
Interesting story on MalwareTech.

Comment: 2018/03/01 - Scottish IISP Personal Development Event.
Save the date: 29/03 from 14:00 in Edinburgh.

Unfortunately, we must restrict this to IISP members only so don't register unless you're happy to be caught out if you're not.

More information - when it's available - in the usual place.

Comment: 2018/02/28 - An Apple round up.
It's not deliberate, but there have been a few notable security news items crop up, and the common theme is that they all feature Apple.

• Infamous mobile phone unlocking firm Cellebrite is apparently telling its customers that it can unlock any Apple device running iOS 11.
• Whilst the press are drawing some conclusions, Apple have released a new version of iOS. Many are speculating that this is in direct response to the Cellebrite claims.
• Apple has moved iCloud encryption keys for mainland Chinese users to China.

Comment: 2018/02/35 - Huawei and ZTE phones - Update.
I should have included Apple in the list of manufacturers who are seemingly less wrong than Huawei and ZTE. They may be designed in the US, but they are still manufactured in China and subject to the same supply-chain risks.

One of my very first encounters with a Pan-Government Accreditor was to do with the CAPS approval of firewall manufactured by a well known networking equipment supplier. Seemingly, the device that had been submitted for approval was manufactured in the US. Various hardware revisions had occurred and the new devices were still going out with CAPS approval despite being "Made in China". The PGA concerned also differentiated between China and Taiwan - but this is going back several years.

I always think that it's like the scene on the Russian Space Station in Armageddon.

Comment: 2018/02/17 - Huawei and ZTE phones.
The directors of the CIA, FBI, NSA and others were asked if they'd personally use a smartphone from Huawei or ZTE. The response was been widely reported, but not really picked up in the mainstream press.

Whilst almost all electronic equipment uses components from the far east, what's so special about Huawei and ZTE? I do recall working with a security consultant that felt that he was unable to use the Huawei mobile phone his employer had given him. What do the CIA, FBI and NSA know? What's less wrong with Samsung, Motorola and BlackBerry Mobile?

The fact remains that it's unlikely to make the blindest bit of difference to Joe Public. None of us are actually as interesting as we think we are!

Comment: 2018/02/16 - BND, DGSE and MI6 meet to discuss international co-operation.
Brexit and the intelligence communities.

Comment: 2018/02/15 - NCSC announce Russian Military behind NotPetya.
In interesting times, we have a somewhat unprecedented statement from NCSC regarding the source of the NotPetya attack last year. The FCO have followed suit as have the US.

Is anyone for cyber escalation?

Comment: 2018/02/14 - More Apple fails.
What is going on with Apple at the minute?

The biggest issue is the fact that the source code for the iBoot secure bootloader has been leaked to GitHub. Lawyers have issued a takedown notice. Without conducting extensive analysis, it's difficult to tell how damaging this is. It is for an old version of iOS, but even if it weren't, best practice for devops should keep secrets away from code.

In more bad news, there's a fault with the way that many iDevices render text. Information here.

Comment: 2018/02/13 - Sunset on revolutionary IT.
Way back in 2015, I read Commodore: A Company on the Edge in one sitting. It spoke to me about my childhood and adolescent geekism. At the time, I said that the sequel, Commodore: The Amiga Years would be published that November.

Following a fairly rocky path, where even the author said it was cancelled, it's been published. It's been a wonderful trip back to when technology was personal, was simpler and wasn't about assimilating data and tracking you. I thoroughly recommend it as an alternative view of the IBM and Apple dominated history.

And in a very similar vein, here's a book about the downfall of Nokia. I still have used more Nokia phones than any other manufacturer over the years. (Seven Nokia devices from the 7110 to the E72 versus six BlackBerry devices from the 9800 Torch to the KeyONE.)

Comment: 2018/02/11 - Quick media update.
A couple of interesting stories:-

• A popular browser plugin used for website accessibility appears to have been trojanned. The trojanned version causes a users browser to start crypto-mining. Whilst this is bad, the code doesn't persist beyond that particular browser session. I can't help feeling that the sensationalist journalism is worse. I would hope that the NCSC advice on what was a fairly trivial attack was released partly as a response to the FUD.
• The Guardian are reporting that the Olympic Games were hit by a cyber attack during the opening ceremony. Analysis of the alleged malware here.

The NHS have always been different when it comes to information security. They don't follow a traditional IA model - at least if you've got a background in anything other than healthcare security.

I've been called upon to respond to a devolved government consultation on improving cyber resilience. It made me laugh as it added nothing to the wider UK scheme, except that it allowed another administration to stand up and say they're doing something positive about cyber-security.

There are two bits that really annoyed me about the consultation:-

The first is that they're mandating all public organisations achieve a minimum baseline of CyberEssentials Plus. They fail to recognise those public sector organisations who do other things that are better or more mature than that baseline such as ISO27001 certification, formal accreditation and even the NPIRMT GIRR. In essence, it's a waste of time and tax payers money.

The other thing that annoys me is the band wagon that certain consultancies have jumped on in order to provide CyberEssentials advice to those public sector organisations. These are being funded by the same devolved government. Look who "owns" the IPR for CyberEssentials. It's a company called IASME. IASME stands for "IA for Small and Medium Sized Enterprises". In the UK, a company is defined as being an SME if it meets two out of three following criteria: It has a turnover of less than £25m; it has fewer than 250 employees; & it has gross assets of less than £12.5m. The main USP of CyberEssentials is that it's largely simple enough for any organisation to do themselves, with the specialist advice being limited to the areas that add real benefit such as the pentest.

Comment: 2018/01/26 - A controversial update on Kaspersky Lab.
This hasn't been widely reported.

Comment: 2018/01/25 - More shockingly poor Apple engineering.
Cause a device to freeze or reboot.

Comment: 2018/01/25 - Domestic Travel Advice 2018 Edition, Issue 1.
Now available. Fairly substantial changes to layout and some new content.

Comment: 2018/01/16 - Media roundup.
It's been a busy few days....

• FBI Director, Christopher Wray deems unbreakable encryption as an "urgent public safety issue".
• And in opposition to the previous story, Microsoft launches "Private Conversations" in Skype that uses the Signal Protocol.
• AdultSwine malware discovered on Google Play store displaying pornographic adverts in games designed for kids.
• The CIA concludes the Russian military were behind the "NotPetya" cyberattack in the Ukraine.
• New, extremely sophisticated Android Spyware tool.

We hope to make it available on the website by the end of the month.

Comment: 2018/01/04 - Spectre and Meltdown CPU flaws.
In the increasing war for GHz, it transpires that Intel, AMD, ARM and probably every other CPU manufacturer in the world have being playing loose and free with the security of the host OS for the last ten to twenty years.

The major IT vendors have known about this for a wee while now, and were attempting to co-ordinate updates and rumour has it, that it was supposed to be disclosed next week. It appears that The Register broke rank, and published the news early.

The flaw, which has been categorised into three different CVEs, are present because of the way that processors optimize performance. The original research paper for Spectre is here and for Meltdown, here.

The first advice from NCSC was laughable. That said, I've seen grown adults who pass themselves off as security professionals struggle to understand the implications of the flaw, with various knee jerk reactions highlighting the performance hit for patched systems. The situation is no-doubt compounded by the mainstream press coverage.

The initial advice from CERT highlighted that these vulnerabilities are unlikely to be entirely patchable.

NCSC eventually produced better advice with links to statements of fact from the various vendors. As an example of the BS surrounding this, The Register analysis of the Intel statement is worth a read.

It would be easy to laugh this off and put your head in the sand, but this is a fundamental flaw in the way that certain microprocessor architectures have been designed. Is it a co-incidence that Intel's CEO Brian Krzanich dumped a load of stock making about $25 million US in the month before the disclosure? Certainly it appears that Intel will be subject to an investigation.

Back in the real world, where do we stand? Having done considerable research, all the vulnerabilities still require a foothold on a compromised machine. Good "cyber-hygiene" will continue to prevent bad things happening.

In summary:-

• Spectre: CVE-2017-5753 (Variant 1 - Boundary check bypass) and CVE-2017-5715 (Variant 2 - Branch target injection). Intel, AMD and ARM processers are vulnerable, but an exploit requires a significant knowledge of the target environment. A complete fix is unlikely as it requires CPUs to be re-engineered.
• Meltdown: CVE-2017-5754 (Variant 3 - Rogue data cache load). Seemingly only Intel CPUs are vulnerable although ARM have submitted patches for this particular vulnerability. This is easy to exploit, but easy to fix - with a question over a resulting performance impact.

• Desktop file and print is unlikely to have much of a performance hit. I/O will have a performance hit, but it won't be massively noticeable.
• Enterprise applications, on the other hand, do have a significantly degraded performance. Given the nature of these systems, it could be a risk based decision as to whether to patch these systems at all. If a database server is at the bottom of a software stack, it is a reasonable position that the performance takes precedence.
• There are major concerns regarding systems running as a virtual host, or the virtual machines themselves. Anecdotal evidence suggests the main cloud providers are experiencing a not insignificant performance hit, although there's been little public voicing of this from their customers. Scalability has a benefit!

Comment: 2018/01/03 - Website update.
Very observant readers will notice that we have subtly changed the website. There are not many content changes: Just a few things updated, old stuff removed and Domestic Travel Advice now has it's own permanent page here under Products and Services. Because of the wide-ranging nature of the update, there may be a few glitches, but we'll get them ironed out as we find them.

Enjoy!

Comment: 2018/01/01 - Happy New Year!
Once again, as the clock ticked past midnight, BladeSec IA Services became another year older as we celebrated our sixth birthday. Who'd have thought that so many of our clients share our views on how information assurance consultancy should be done!

As usual: That means it's time for our tongue in cheek look at the last twelve months:-

• Miles to closest job: 40.6 miles.
• Miles to farthest regular job: 187 miles.
• Largest number of miles covered in a single job: 2434 miles (at no cost to the customer - we even expect to rack up another 1156 miles before January has gone.)
• Number of products sold: Nil.
• Number of different BladeSec IA services sold: 3.
• Amount of money received for anything other than consultancy: £nil.
• Number of customers assisted in the last twelve months: 5.
• Number of individual projects worked on: 12.
• New customers: 3.
• Number of tenders submitted: 3.
• Most interesting place visited: Unfortunately this year, we're not allowed to say!
• Value of donations made by BladeSec IA to support good causes: £310.
• Amount of time donated by BladeSec IA staff pro-bono: 13 days.
• Number of redundant BlackBerry phones in the "spare handsets box": 5.
• Number of pages printed on the office colour laser this year: 3570.
• Number of pages printed since the supply level went to Very Low: 1141.