Archived news and comment from 2018.
Please note: Because this is an archive of articles published on the BladeSec IA website in 2018, not all links may work.
Comment: 2018/12/24 - Merry Christmas.
So at this time of year, like the folks from BladeSec IA, we hope you manage to take the time to spend it with your friends and family.
Comment: 2018/11/29 - Stockpiling vulnerabilities.
Comment: 2018/10/30 - Quiet round here, isn't it?
To that end, we decided that we'd take stock of what we post. We made a decision to post more material that the folks at the security shed are interested in, that may not be security related. We've also decided to offer less analysis that may benefit competitors, whilst still maintaining links to interesting security articles. By the same token, right now it's just not a priority. We're changing the world in non-public meaningful ways right now, and we don't need to toot our own flute.
Comment: 2018/09/30 - The British Touring Car Championship.
Comment: 2018/09/22 - Chas Hodges RIP 1943 - 2018.
From my own perspective, it was a joke purchase of Chas n' Dave's Christmas Jamboree Bag that led me to realise what a talented guy he was. Then I discovered who had the honour of playing with him.
Comment: 2018/09/16 - Dudley Sutton, RIP 1933 - 2018.
I've never read any of the books, but I'm told that Mr Sutton's interpretation of Tinker was not quite as debauched as Jonathan Gash intended. That's quite surprising when you go back and watch the very first series. He was very successfully portrayed as very bibulous.
Comment: 2018/06/09 - Jeremy Blyth, OBE.
Whilst down there, I met with a couple of the chaps who went under the guise of, "accreditors". They were called Chris Davis and Jeremy Blyth. It was in that guise of "accreditors", that I cut my teeth on what a good accreditation team looked like.
It was about the same time that I started as the Lead Accreditor at Disclosure Scotland. Looking back, I can see my naivety, but in my defence, I was there simply to hold the post until a permanent civil servant could be placed into the role. In the coming months, I often found myself thinking, "What would Chris or Jeremy do?"
As my time with DS extended, and I became a fairly permanent installation, I was pleased that both Chris and Jeremy made me welcome into the accreditors' community. It was one that, from the outside, seemed to have more mysteries than the Freemasons, and even as a participant, there were times when discussions on "FIVE EYES" were completely lost on me.
When I qualified as a CCP Senior Accreditor, and my application was passed to GCHQ for final approval (to ensure that I was more than just a jumped-up CLAS Consultant), Jeremy and Chris supported me with little nuggets of information and glorious insight in the face of other accreditors who mandated that, as a contractor, I could never be an accreditor.
There have been some very memorable times that always seem to occur around the Sunningdale Accreditors' Conference (SUAC). Whether it was bumping down a lane on the back of a golf buggy with a Pan-Government Accreditor or the realisation that the photograph taken of all the delegates of the very last (proper) SUAC should actually be classified at SECRET.
A particular highlight occurred following a very sudden change of plan on the way back from SUAC, when Chris and Jeremy decided we deserved a night out. The details need to remain unwritten, but aren't as bad as the time we blew the cover of Thames House staffers on Horseferry Road whilst discussing counter-intelligence in Hong Kong.
I lost touch with Jeremy when he moved to BIS and was seconded onto the Galileo Programme.
There are two reasons that I'm delighted that he's been made an Officer of the Most Excellent Order of the British Empire for services to UK and EU security. The first is that I'm delighted that somebody I know has received such an accolade, in recognition of what IA professionals do.
The second reason is more personal. I'm pleased for Jeremy because it's largely because of him and Chris that I was asked to join the Accreditation Specialism Advisory Group last week. They guided a very green accreditor in the face of unpopular wider opinion and I remain, very, very grateful.
Comment: 2018/04/21 - Facebook and Cambridge Analytica.
Despite the press attention, I don't think Cambridge Analytica are to blame for the situation. All they did was absorb data that they had permission to retrieve. It's highly likely that they then subsequently analysed that data to derive demographic information. That permitted them (rightly or wrongly) to specifically target groups and to provide them with biasing information. (As an aside, how to manipulate people is an entire other, non-security, story, but if you're interested in the types of bias people exhibit, you should read How to Fail at Almost Everything and Still Win Big: Kind of the Story of My Life by Scott Adams.)
The lack of control on the relationship between Facebook and Cambridge Analytica, that permitted them to absorb so much data, was Facebook's to manage. There are many established conventions that would permit them to exhibit an appropriate level of control including a data sharing agreement, access control lists, or even simply not collecting the data in the first place. (The irony of the last statement is not lost on me as an individual who chooses not to use any social media.)
The lack of control on the data stored by Facebook is jointly down to Facebook and the individual user of Facebook's service. The problem there is that Facebook have seemingly chosen to make their privacy and security controls so complex that it's a full-time job to monitor them. They regularly get changed and updated ("pivoted" in modern parlance). Most people may give them a cursory glance and then bury their head in the sand hoping that nothing bad will happen. In the meantime, Facebook can state with complete honesty that they have permission to collect huge swathes of information. Even if they are forbidden from collecting one tranche of data, they collect so much other associated information that they may even be able to infer the data they don't have permission to collect. That's what they do. They mine your data to make them money.
What this incident highlighted was that Cambridge Analytica did exactly the same as Facebook (and many other providers) do on an hourly basis with your data. This time, because a Third Party was highlighted as the bad-guy, it was easier to point the finger. Thing is, it's implicated Facebook and brought that into the gaze of the US Senate.
And people are realising the value of the data that they have historically attributed no value to - exactly as I predicted the privacy-illiterate would sleepwalk into on 11th June 2013. Does Facebook need to be regulated? Perhaps not, but it has great power, and with great power comes huge responsibility - and they don't seem terribly bothered about doing the ethical or morally right thing. When a company with the power of Facebook makes that conscious decision, society is in trouble.
Comment: 2018/04/16 - Joint statement about Russian cyber activity.
Given the amount of money Russia seemingly devotes to cyber, it's also interesting to note that, at least for the time being, they don't appear to be exploiting zero-days. Everybody assumes that the West stockpiles software flaws. Surely the Russians would adopt a similar approach?
That said, it is feasible that we're just seeing the initial phase of some form of electronic warfare - and one that will escalate to use zero days. I guess we might know more in a few weeks.
Comment: 2018/04/06 - A note about social media.
Despite https://twitter.com/BladeSec_com having a link back to us, it's not us.
https://robertsspaceindustries.com/orgs/BLADESEC is nothing to do with us either.
The BladeSec.com one is interesting. It doesn't appear to be a scam, despite the very short-lived Twitter account.
Looking back through my e-mail, BladeSec.com was touted to us on 1st May 2012. It then went quiet for a while - until June 2014, when we started getting increasingly irate daily e-mails until the end of July offering us the domain.
The domain expired shortly afterwards and wasn't renewed by either of the two original holders. We then registered the domain early in August for £18 rather than the extortionate amount that had been offered to us a week earlier.
What was clear was that there was quite a lot of legacy associated with the domain name. The BladeSec.com domain was getting pummelled by Chinese IP addresses, with thousands of hits a day all looking for stuff that must have been on the old site. Then it was as if somebody flicked a switch and overnight a year later, the traffic stopped.
(Whilst we're on the subject, none of the following are the MD of BladeSec IA:-
https://www.linkedin.com/in/owen-birnie-0021358a
https://www.facebook.com/owen.birnie.1
https://twitter.com/OwenBirnie
Despite him living not a million miles away from Turriff at one point in his life.)
News: 2018/04/04 - Domestic Travel Advice 2018 Edition, Issue 3.
News: 2018/03/30 - Resignation of the chair of the Scottish IISP branch.
Sorry for gatecrashing your bank holiday, but for the members who didn't manage to join us in Edinburgh for the formal personal development event yesterday there is one particular facet of information that I need to share with you:-
Earlier this week, I offered my resignation to the IISP as the Scottish Chair. I intend to step down towards the end of June. I'm hopeful that we might be able to mark my departure with one last social evening in either Glasgow or Edinburgh.
I emphasise that this is not a reflection on the Institute. I remain proud to be a member and will continue to support it as it goes forward into further interesting times adopting Charter status. Instead, this is simply down to the fact that I can no longer provide enough time to organise events and deal with all the admin.
I have enjoyed great times with some of you since I first took over the mantle in October 2014. I have met some of you who have become good friends, and I continue to look forward to informal debates in pubs - just they won't be organised by me.
So there you go.... For those of you that came along to McDonald Road yesterday, you'll know that I spoke for the first and last time as a speaker rather than an organiser. To those that couldn't come, you missed what I considered to be a very suitable end - made all the better by the team I was in winning the Intelligence Corps "Thursday of Mysteries" quiz. So with thanks to Lindsay, Kirsten and Tom, I'll end by saying, "so long and thanks for all the fish".
Have a lovely Easter.
News: 2018/03/28 - Tenth anniversary of the provision of Accreditation consultancy to Disclosure Scotland.
So began the longest role that Owen has ever held - which includes many of his non-consulting jobs. For some time now, Owen has joked that he was the only one that was still in the same role within Disclosure Scotland as other staff were promoted, retired or chose to move on.
The length of time that Owen has worked for Disclosure was only tempered by the occasional interlude to re-let the contract at regular intervals by means of a competitive tender. It is interesting looking back to note that the current day rate is cheaper than it was ten years ago. This reflects the Scottish Government's desire to obtain value for money, as well as BladeSec IA's commitment to cost effectiveness.
Owen has on-going accreditation responsibilities for all existing in-house information systems as well as the planned, and very bleeding edge migration to a public cloud solution - which will be one of the first in the UK when completed. Even Owen admits that he wouldn't have predicted that ten years ago.
Comment: 2018/03/26 - Scottish IISP Personal Development Event.
For those members still wondering whether to go, the agenda has been updated with the latest information.
Comment: 2018/03/19 - DMARC, SPF and DKIM.
We already had TLS configured as Google hosts our e-mail. It was surprisingly easy(*) to set up the various DNS records that fulfil the requirements of:-
(*) The only thing that we omitted originally was to publish the DMARC TXT record under the "_dmarc" label (i.e. at _dmarc.<domain> rather than at the domain itself). Interestingly, Google didn't highlight this as an error, but certain other MX tools claimed that they couldn't then find the record.
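The footnote above describes the most common way a DMARC deployment silently fails: the policy string is correct but sits at the wrong DNS name, so receivers never see it. The following Python script is an added example (not code from the BladeSec IA site) that checks SPF, DKIM and DMARC records for exactly that class of mistake. It works over a constructed in-memory zone rather than live DNS so that it runs offline; the domains example.com and example.org, the selector "google" and the placeholder key are all made up for the illustration. To run it against a real domain, replace lookup_txt() with a resolver call.

```python
"""Offline checks for the DNS records behind SPF, DKIM and DMARC.

Added example, not code from the BladeSec IA site. Instead of querying
DNS it walks a constructed in-memory zone, so it runs anywhere; swap
lookup_txt() for a real resolver call to use it against a live domain.
"""

# Constructed sample zone: owner name -> list of TXT strings.
# example.com reproduces the mistake described in the post: the DMARC
# policy is published at the apex instead of under _dmarc.
SAMPLE_ZONE = {
    "example.com.": [
        "v=spf1 include:_spf.google.com ~all",
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    ],
    "example.org.": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.example.org.": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; pct=100",
    ],
    "google._domainkey.example.org.": [
        "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",  # constructed key
    ],
}


def lookup_txt(zone, name):
    """Return the TXT strings at `name` (case-insensitive, trailing dot optional)."""
    key = name.lower().rstrip(".") + "."
    return zone.get(key, [])


def parse_tags(record):
    """Turn 'k=v; k=v' (DMARC/DKIM tag-value syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(zone, domain):
    """Return (tags, problem); problem is None when the record is usable.

    Receivers only look at _dmarc.<domain> (RFC 7489 section 6.6.3), so a
    policy string anywhere else is silently ignored.
    """
    at_dmarc = [r for r in lookup_txt(zone, "_dmarc." + domain)
                if r.lower().startswith("v=dmarc1")]
    if len(at_dmarc) > 1:
        return None, "multiple DMARC records; receivers apply no policy"
    if len(at_dmarc) == 1:
        tags = parse_tags(at_dmarc[0])
        if tags.get("p") not in ("none", "quarantine", "reject"):
            return None, "missing or invalid p= tag"
        return tags, None
    misplaced = [r for r in lookup_txt(zone, domain)
                 if r.lower().startswith("v=dmarc1")]
    if misplaced:
        return None, f"DMARC record is at {domain} but must be at _dmarc.{domain}"
    return None, "no DMARC record"


def check_spf(zone, domain):
    """Return (mechanisms, problem) for the domain's SPF record."""
    spf = [r for r in lookup_txt(zone, domain) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None, "exactly one v=spf1 record is required, found %d" % len(spf)
    mechanisms = spf[0].split()[1:]
    # '+all' (or a bare 'all') authorises every sender and defeats the point.
    if mechanisms and mechanisms[-1].lstrip("+") == "all":
        return mechanisms, "record ends in +all, which permits any sender"
    return mechanisms, None


def check_dkim(zone, domain, selector):
    """Return (tags, problem) for the DKIM key at <selector>._domainkey.<domain>."""
    name = f"{selector}._domainkey.{domain}"
    keys = [r for r in lookup_txt(zone, name) if "p=" in r]
    if not keys:
        return None, f"no DKIM key at {name}"
    tags = parse_tags(keys[0])
    if not tags.get("p"):
        return None, "empty p= tag means the key has been revoked"
    return tags, None


if __name__ == "__main__":
    for domain in ("example.com", "example.org"):
        print(domain)
        for label, (value, problem) in (("SPF", check_spf(SAMPLE_ZONE, domain)),
                                        ("DMARC", check_dmarc(SAMPLE_ZONE, domain)),
                                        ("DKIM", check_dkim(SAMPLE_ZONE, domain, "google"))):
            print(f"  {label}: " + ("OK " + str(value) if problem is None
                                    else "PROBLEM: " + problem))
```

Run as-is, example.com is reported with a misplaced DMARC record and no DKIM key, while example.org passes all three checks. The DMARC check deliberately reports "multiple records" as a failure rather than picking one, because that is how conforming receivers behave.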
Comment: 2018/03/15 - Migration of BladeSec IA DNS.
Comment: 2018/03/07 - Marcus Hutchins.
Comment: 2018/03/01 - Scottish IISP Personal Development Event.
Unfortunately, we must restrict this to IISP members only so don't register unless you're happy to be caught out if you're not.
More information - when it's available - in the usual place.
Comment: 2018/02/28 - An Apple round up.
Well done lads... well done....
Comment: 2018/02/35 - Huawei and ZTE phones - Update.
One of my very first encounters with a Pan-Government Accreditor was to do with the CAPS approval of a firewall manufactured by a well-known networking equipment supplier. Seemingly, the device that had been submitted for approval was manufactured in the US. Various hardware revisions had occurred and the new devices were still going out with CAPS approval despite being "Made in China". The PGA concerned also differentiated between China and Taiwan - but this is going back several years.
I always think that it's like the scene on the Russian Space Station in Armageddon.
Comment: 2018/02/17 - Huawei and ZTE phones.
Whilst almost all electronic equipment uses components from the Far East, what's so special about Huawei and ZTE? I do recall working with a security consultant who felt that he was unable to use the Huawei mobile phone his employer had given him. What do the CIA, FBI and NSA know? What's less wrong with Samsung, Motorola and BlackBerry Mobile?
The fact remains that it's unlikely to make the blindest bit of difference to Joe Public. None of us are actually as interesting as we think we are!
Comment: 2018/02/16 - BND, DGSE and MI6 meet to discuss international co-operation.
Comment: 2018/02/15 - NCSC announce Russian Military behind NotPetya.
Is anyone for cyber escalation?
Comment: 2018/02/14 - More Apple fails.
The biggest issue is the fact that the source code for the iBoot secure bootloader has been leaked to GitHub. Lawyers have issued a takedown notice. Without conducting extensive analysis, it's difficult to tell how damaging this is. It is for an old version of iOS, but even if it weren't, best practice for devops should keep secrets away from code.
In more bad news, there's a fault with the way that many iDevices render text. Information here.
Comment: 2018/02/13 - Sunset on revolutionary IT.
Following a fairly rocky path, where even the author said it was cancelled, it's been published. It's been a wonderful trip back to when technology was personal, was simpler and wasn't about assimilating data and tracking you. I thoroughly recommend it as an alternative view of the IBM and Apple dominated history.
And in a very similar vein, here's a book about the downfall of Nokia. Over the years I have still used more Nokia phones than those of any other manufacturer. (Seven Nokia devices from the 7110 to the E72 versus six BlackBerry devices from the 9800 Torch to the KeyONE.)
Comment: 2018/02/11 - Quick media update.
The Guardian are reporting that every NHS trust has failed a cyber security test. Whilst it's not clear what that test is, rumour has it that it's CyberEssentials (or CyberEssentials Plus).
The NHS have always been different when it comes to information security. They don't follow a traditional IA model - at least if you've got a background in anything other than healthcare security.
I've been called upon to respond to a devolved government consultation on improving cyber resilience. It made me laugh as it added nothing to the wider UK scheme, except that it allowed another administration to stand up and say they're doing something positive about cyber-security.
There are two bits that really annoyed me about the consultation:-
The first is that they're mandating all public organisations achieve a minimum baseline of CyberEssentials Plus. They fail to recognise those public sector organisations who do other things that are better or more mature than that baseline such as ISO27001 certification, formal accreditation and even the NPIRMT GIRR. In essence, it's a waste of time and tax payers money.
The other thing that annoys me is the bandwagon that certain consultancies have jumped on in order to provide CyberEssentials advice to those public sector organisations. These are being funded by the same devolved government. Look who "owns" the IPR for CyberEssentials. It's a company called IASME. IASME stands for "IA for Small and Medium Sized Enterprises". In the UK, a company is defined as being an SME if it meets two out of the three following criteria: it has a turnover of less than £25m; it has fewer than 250 employees; and it has gross assets of less than £12.5m. The main USP of CyberEssentials is that it's largely simple enough for any organisation to do themselves, with the specialist advice being limited to the areas that add real benefit, such as the pentest.
Comment: 2018/01/26 - A controversial update on Kaspersky Lab.
Comment: 2018/01/25 - More shockingly poor Apple engineering.
Comment: 2018/01/25 - Domestic Travel Advice 2018 Edition, Issue 1.
Comment: 2018/01/16 - Media roundup.
It would be sod's law that as soon as we published the most recent version of Domestic Travel Advice, the 2018 edition would rock up with very significant changes to the content and layout.
We hope to make it available on the website by the end of the month.
Comment: 2018/01/04 - Spectre and Meltdown CPU flaws.
The major IT vendors have known about this for a wee while now and were attempting to co-ordinate updates; rumour has it that it was supposed to be disclosed next week. It appears that The Register broke rank and published the news early.
The flaw, which has been categorised into three different CVEs, is present because of the way that processors optimise performance. The original research paper for Spectre is here and for Meltdown, here.
The first advice from NCSC was laughable. That said, I've seen grown adults who pass themselves off as security professionals struggle to understand the implications of the flaw, with various knee-jerk reactions highlighting the performance hit for patched systems. The situation is no doubt compounded by the mainstream press coverage.
The initial advice from CERT highlighted that these vulnerabilities are unlikely to be entirely patchable.
NCSC eventually produced better advice with links to statements of fact from the various vendors. As an example of the BS surrounding this, The Register analysis of the Intel statement is worth a read.
It would be easy to laugh this off and put your head in the sand, but this is a fundamental flaw in the way that certain microprocessor architectures have been designed. Is it a coincidence that Intel's CEO Brian Krzanich dumped a load of stock, making about US$25 million, in the month before the disclosure? Certainly it appears that Intel will be subject to an investigation.
Back in the real world, where do we stand? Having done considerable research, all the vulnerabilities still require a foothold on a compromised machine. Good "cyber-hygiene" will continue to prevent bad things happening.
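"Where do we stand?" is a question each administrator can answer for their own Linux hosts: since kernel 4.15 the kernel reports its own view of these flaws as one file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, with more added in later releases), each holding a short status string beginning "Not affected", "Mitigation:" or "Vulnerable". The script below is an added example, not from the BladeSec IA post, that reads that directory and groups the results so that a fleet of machines can be summarised quickly. The status strings in SAMPLE_STATUS are constructed to look like the kernel's output; read_sysfs() returns the live values on a real host and an empty dict elsewhere. Note the kernel only reports mitigations it knows about on that machine, so this says nothing about a hypervisor or firmware layer beneath it.

```python
"""Summarise Linux's self-reported CPU vulnerability status.

Added example, not from the BladeSec IA post. The parsing works on a
plain dict so it can be exercised with constructed input; read_sysfs()
fills that dict from the kernel's sysfs interface on a real machine.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample, shaped like the kernel's status strings.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "l1tf": "Not affected",
}


def classify(status):
    """Map one kernel status string onto a coarse category."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # an unfamiliar string deserves a human look


def summarise(status_by_issue):
    """Group issue names by category, each list sorted for stable output."""
    summary = {k: [] for k in ("vulnerable", "mitigated", "not_affected", "unknown")}
    for issue in sorted(status_by_issue):
        summary[classify(status_by_issue[issue])].append(issue)
    return summary


def needs_attention(status_by_issue):
    """True when anything is unmitigated or could not be interpreted."""
    summary = summarise(status_by_issue)
    return bool(summary["vulnerable"] or summary["unknown"])


def read_sysfs(directory=SYSFS_DIR):
    """Read every file in the sysfs directory; {} if it is unavailable
    (non-Linux host, kernel older than 4.15, or restricted container)."""
    try:
        names = os.listdir(directory)
    except OSError:
        return {}
    result = {}
    for name in names:
        try:
            with open(os.path.join(directory, name)) as fh:
                result[name] = fh.read().strip()
        except OSError:
            result[name] = ""  # unreadable file shows up as "unknown"
    return result


if __name__ == "__main__":
    live = read_sysfs()
    status = live if live else SAMPLE_STATUS
    print("source:", "sysfs" if live else "constructed sample")
    for category, issues in summarise(status).items():
        print(f"{category:>13}: {', '.join(issues) or '-'}")
    print("needs attention:", needs_attention(status))
```

Run on a host without the sysfs interface the script falls back to the constructed sample, which is how the example demonstrates a partially mitigated machine: meltdown and spectre_v1 mitigated, spectre_v2 still open.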
Comment: 2018/01/03 - Website update.
Comment: 2018/01/01 - Happy New Year!
As usual, that means it's time for our tongue-in-cheek look at the last twelve months:-